To configure SOAtest to work with Web services deployed over HTTPS (HTTP over SSL), you need to identify and register the certificate that the server uses for the HTTPS connection:
- Close SOAtest if it is currently open.
- Identify the location of the server certificate used for the HTTPS connection.
- Ensure that this certificate’s COMMON NAME parameter contains both the server’s machine name and the subdomain (for example, machine.company.com).
- Copy the certificate to the following location:
  <soatest_install_dir>/plugins/com.parasoft.ptest.libs.web_<soatest_version_number>/root/lib
  This directory should contain a cacerts file in which the trusted certificates are stored.
- Execute a command of the following format:
  keytool -import -alias <certificate_alias> -file <certificate_file> -keystore cacerts
  For example, if your certificate file is named test.cert, you would execute the following command from the <INSTALL_DIR>/plugins/com.parasoft.ptest.libs.web_<VERSION>/root/lib directory:
  keytool -import -alias serverTrustCert -file test.cert -keystore cacerts
  This will import the certificate into the cacerts file with the alias "serverTrustCert".

Note |
---|
keytool path must be set: Before executing keytool commands, you must first set your path to include Java's keytool executable. You can use the version of the Java binaries that ship with SOAtest. To add the included Java binaries to your path, open a command line prompt and enter the following before referencing the keytool: set PATH=%PATH%;<INSTALL>\plugins\com.parasoft.ptest.jdk.eclipse.core.web.<OS>.<ARCH>_<VERSION>\jdk\bin |

- When prompted to enter a keystore password, enter changeit.
- When asked whether you want to trust this certificate, enter yes. You will then see a message indicating that the certificate has been added to the keystore.
- (Optional) Verify that the certificate has been added to the keystore by entering the following command, then checking the file that opens:
  keytool -list -keystore cacerts
- Launch SOAtest and try to access the service again.
If you experience issues working with services deployed over HTTPS, verify the following:
- Your server is running.
- You used the full name of the machine when trying to communicate with it over HTTPS.
- The server certificate was created with the full name.
- The name on the certificate is identical to the name the client tried to access it with.
If you cannot satisfy the above requirements (for example, if you don’t have necessary permissions):
- Go to Parasoft > Preferences to open the Preferences dialog.
- Choose Parasoft > Security and enable Trust all certificates.
- Click OK or Apply to apply this change.
SOAtest will then try to access any WSDL you specify, regardless of any problems with the certificate. However, SOAtest will still try to use the certificate when sending SOAP messages because it is required to do so.
Note |
---|
You must add certificates to cacerts files on load test slave machines as well as on the master machine. Otherwise, SSL connections will not work when running a load test with slave machines. |
If none of these procedures solves your problem, contact Parasoft in one of the ways described in Customer Support.
Debugging SSL Issues
SOAtest runs on a standard JVM. To show the SSL/TLS handshake details and help identify causes of SSL connection problems, enable JVM network and SSL debugging:
- Open a command line console and navigate to the SOAtest installation directory.
- Start the executable with the arguments:
-J-Dssl.debug=true -J-Djavax.net.debug=all -consolelog
SOAtest will start normally, but whenever SSL connections are made, debugging output will be printed on the console.
If you wish to save the trace output to a file (for example, output.txt), you may append the following to the end of the command:
> output.txt
Note |
---|
The redirection operator does not work when using soatest.exe on Windows. In this case, you will need to copy the text from the console window. |
- Windows: http://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html
- Linux, Mac: https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
Troubleshooting Client Authentication
If you are sending a request using client-side SSL (two-way) and the connection fails or the server returns a 401 (unauthorized) or 403 (forbidden) HTTP response, then the SSL debug log may contain the following:
    *** ServerHelloDone
    [read] MD5 and SHA1 hashes: len = 4
    0000: 0E 00 00 00 ....
    Warning: no suitable certificate found - continuing without client authentication
Check the CertificateRequest message, which should be printed earlier in the output, to determine why the client's certificate was considered unsuitable. This message contains details about the request received from the server:

    *** CertificateRequest
    Cert Types: RSA, ...
    Supported Signature Algorithms: SHA512withRSA, SHA256withRSA, SHA384withRSA, SHA1withRSA, ...
    Cert Authorities:
    <CN=GeoTrust ...
    <CN=VeriSign ...
    <CN=Go Daddy ...
    ...
The CertificateRequest message declares requirements for selecting a client certificate based on the values specified in the Cert Types, Supported Signature Algorithms, and Cert Authorities fields. If the client certificate that was configured in the client's HTTP transport settings (under Parasoft > Preferences > Security > Client side SSL) does not match all of the requirements in the CertificateRequest message, then the client's certificate will not actually be used and the connection will continue without client authentication.
In some cases, the client's certificate matches one of the requested Cert Types and Supported Signature Algorithms, but not the Cert Authorities. This can happen if the keystore is missing the client certificate chain. The certificate chain is required for connecting the client's certificate to its issuer's certificate, then to any intermediate certificate authorities, and then to one of the Cert Authorities requested by the server. If the certificate chain is missing, then the client's keystore file needs to be rebuilt to include the missing certificate chain.
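The matching rule described above can be checked against a saved debug trace. The following Python code is an added example, not Parasoft or JSSE code: it parses the CertificateRequest block and reports which requirement a keystore entry fails, including the missing-chain case. The sample log, the DNs, and the function names are constructed for illustration, and the matching follows the rule as this page states it.

```python
import re

# Constructed javax.net.debug excerpt in the layout shown above (not a real capture).
SAMPLE_LOG = """\
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, SHA256withRSA, SHA384withRSA, SHA1withRSA
Cert Authorities:
<CN=Example Root CA, O=Example Corp, C=US>
<CN=Example Partner CA, O=Partner Inc, C=US>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
"""

def norm(dn):
    """Normalise a DN for comparison: case-insensitive, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_certificate_request(log):
    """Extract the requirement fields of the first CertificateRequest block."""
    m = re.search(r"^\*\*\* CertificateRequest\n(.*?)(?=^\*\*\* |\Z)", log, re.S | re.M)
    if m is None:
        return None
    block = m.group(1)
    def field(label):
        f = re.search(rf"^{label}:[ \t]*(.*)$", block, re.M)
        return [v.strip() for v in f.group(1).split(",") if v.strip()] if f else []
    return {"cert_types": field("Cert Types"),
            "sig_algs": field("Supported Signature Algorithms"),
            "authorities": re.findall(r"^<(.+)>[ \t]*$", block, re.M)}

def unsuitable_reasons(req, key_type, sig_alg, chain_issuers):
    """chain_issuers: issuer DN of every certificate in the keystore entry's chain."""
    reasons = []
    if key_type not in req["cert_types"]:
        reasons.append(f"key type {key_type} is not in Cert Types")
    if sig_alg not in req["sig_algs"]:
        reasons.append(f"{sig_alg} is not in Supported Signature Algorithms")
    wanted = {norm(dn) for dn in req["authorities"]}
    # An empty Cert Authorities list places no restriction on the issuer.
    if wanted and not wanted & {norm(dn) for dn in chain_issuers}:
        reasons.append("no certificate in the chain is issued by a listed Cert Authority")
    return reasons

if __name__ == "__main__":
    req = parse_certificate_request(SAMPLE_LOG)
    leaf_only = ["CN=Example Issuing CA, O=Example Corp, C=US"]  # constructed: no chain stored
    print(unsuitable_reasons(req, "RSA", "SHA256withRSA", leaf_only))
```

The issuer DNs for `chain_issuers` can be read from the `keytool -list -v` output for the client keystore entry.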
You can use the openssl command line tool to rebuild the client's keystore. The following example commands will rebuild a client's keystore if the certificate file is "ssl-certificate-file.crt", the certificate chain is "ssl-certificate-chain.crt", and the certificate's key is "ssl-certificate-key.key":
    # build PEM file containing client certificate and certificate chain
    cat ssl-certificate-file.crt ssl-certificate-chain.crt >ssl-certificate-all.pem
    # build pfx file
    openssl pkcs12 -export -in ssl-certificate-all.pem -inkey ssl-certificate-key.key -out keystore.pfx -name myname -CAfile ssl-certificate-chain.crt -caname mycaname
JMS SSL
See JMS.