1

I am getting the following error while trying to connect to an LDAP server. Is there a way to ignore the SSL security certificate? I am able to connect to the server outside of JMeter using other tools.

Thread Name: Thread Group 1-1
Sample Start: 2018-09-23 12:16:48 EDT
Load time: 154
Connect Time: 0
Latency: 0
Size in bytes: 555
Sent bytes:0
Headers size in bytes: 0
Body size in bytes: 555
Sample Count: 1
Error Count: 1
Data type ("text"|"bin"|""): text
Response code: 800
Response message: javax.naming.CommunicationException: x.x.x.x:1636 
[Root exception is javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target]

Response headers:


SampleResult fields:
ContentType: text/xml
DataEncoding: UTF-8
Arpan Solanki

2 Answers

0

The best (and most common) way to solve this is to trust the LDAPS server, i.e. add the server's certificate to the JRE's cacerts file using keytool. There is already an S-O answer on how to do this (here: Is there a java setting for disabling certificate validation?) - the gist is (taken from there):

cd %JRE_HOME%\bin
keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore ..\lib\security\cacerts -file your.crt

When you don't have the public key (certificate file) yet, you can e.g. get it by connecting to the LDAPS server with Apache Directory Studio (https://directory.apache.org/studio/) which stores all public keys of LDAPS servers you trust. The exact routine was described on the mailing list already (here: http://mail-archives.apache.org/mod_mbox/directory-users/201004.mbox/%3C4BBF6471.6040900@apache.org%3E), so I'm just giving the gist (again largely taken from there)

find ~/.ApacheDirectoryStudio -name \*.jks # gives you the keystores managed by DirectoryStudio
keytool -list -keystore path/to/permanent.jks
keytool -exportcert -alias <aliasname> -keystore path/to/permanent.jks -file your.crt
  • Thank you for the reply. So the first command that I ran, keytool -list -keystore path/to/permanent.jks, asked for a password and I entered changeit as per one of the answers in some forum, but the second command is also asking for a password and I am not sure what to enter there. And what will be the aliasname? Thanks – Arpan Solanki Sep 23 '18 at 18:38
  • As long as you don't do anything about it, all keystore passwords are 'changeit'. The alias is what the first run of keytool gives you: the `list` provides a list of certificates with alias, date, type, fingerprint - you need the first part (alias) – Sebastian Rothbucher Sep 23 '18 at 18:47
  • So I was able to execute the second command now, but JMeter is still not able to connect and gives me the same error. What could be missing? Also, I am not sure what your.crt is. I excluded that part since it was not the link of the mail archives post. – Arpan Solanki Sep 23 '18 at 18:58
  • You have to export from Directory Studio (or get the cert from somewhere else) and then import the cert into the cacerts of the JRE you run JMeter with... – Sebastian Rothbucher Sep 23 '18 at 19:07
0

Most probably it indicates an issue with your LDAP server SSL setup, i.e. one of the certificates in the chain cannot be checked against an authority. I would recommend double-checking the certificate chain using, for example:

  • OpenSSL tool like: openssl s_client -showcerts -connect yourhost:yourport
  • SSLPoke tool like: java -Djavax.net.debug=ssl SSLPoke yourhost yourport

You have 2 ways:

  1. Add the certificate into the JVM truststore like:

    keytool -import -file your_ldap_certificate -alias certificate -keystore trustStore.keystore 
    
  2. Create a custom class which will be trusting all the certificates and set java.naming.ldap.factory.socket system property to point to that class (the class must be in the JMeter Classpath)

Just in case you need more information on LDAP server performance testing with JMeter, check out the How to Load Test LDAP with Apache JMeter™ article.

Dmitri T
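
The steps from both answers combined, as an added example that is not part of either answer: it reads the chain the server presents with `openssl s_client -showcerts`, prints the chosen certificate's fingerprint for a manual check, and imports it into a dedicated truststore instead of the JRE-wide cacerts. The function names, the `ldaps-` alias prefix and the sample host `ldap.example.test` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: inspect the chain an LDAPS server presents, verify it by hand,
# then trust one certificate in a dedicated truststore (not the JRE-wide cacerts).

# Print the Nth (1-based) PEM certificate found on stdin,
# e.g. in `openssl s_client -showcerts` output.
pem_cert_n() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
    on && n == want               { print }
    /-----END CERTIFICATE-----/   { on = 0 }'
}

# Count PEM certificates on stdin (the length of the presented chain).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----'; }

# Constructed sample of s_client output; the base64 bodies are placeholders.
sample_s_client_output() {
  cat <<'EOF'
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
SVNTVUVSLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
EOF
}

# Usage: trust_ldaps_cert HOST PORT INDEX TRUSTSTORE
# INDEX picks a certificate in the presented chain (1 = the server certificate).
trust_ldaps_cert() {
  local out crt
  out=$(openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null) || return 1
  crt=$(mktemp) || return 1
  printf '%s\n' "$out" | pem_cert_n "$3" > "$crt"
  [ -s "$crt" ] || { echo "no certificate #$3 in chain" >&2; rm -f "$crt"; return 1; }
  # Compare this fingerprint with one obtained from the server's administrator.
  openssl x509 -noout -subject -issuer -fingerprint -sha256 -in "$crt"
  # keytool prompts for the store password and asks before trusting the certificate.
  keytool -importcert -alias "ldaps-$1" -file "$crt" -keystore "$4"
  rm -f "$crt"
}
# Then: jmeter -Djavax.net.ssl.trustStore=TRUSTSTORE -Djavax.net.ssl.trustStorePassword=...
```

Starting JMeter with `-Djavax.net.ssl.trustStore` makes that file the JVM's truststore for the run, so only the certificates imported into it are trusted.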