
JMeter Ignore SSL Security Certificate

I am getting the following error while trying to connect to an LDAP server. Is there a way to ignore the SSL security certificate? I am able to connect to the server outside of JMeter using other tools.

Thread Name: Thread Group 1-1
Sample Start: 2018-09-23 12:16:48 EDT
Load time: 154
Connect Time: 0
Latency: 0
Size in bytes: 555
Sent bytes:0
Headers size in bytes: 0
Body size in bytes: 555
Sample Count: 1
Error Count: 1
Data type ("text"|"bin"|""): text
Response code: 800
Response message: javax.naming.CommunicationException: x.x.x.x:1636 
[Root exception is javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target]

Response headers:


SampleResult fields:
ContentType: text/xml
DataEncoding: UTF-8

The best (and most common) way to solve this is to trust the LDAPS server, i.e. add the server's certificate to the JRE's cacerts file using keytool. There is already an SO answer on how to do this (here: Is there a java setting for disabling certificate validation?); the gist is (taken from there):

cd %JRE_HOME%\bin
keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore ..\lib\security\cacerts -file your.crt

When you don't have the public key (certificate file) yet, you can e.g. get it by connecting to the LDAPS server with Apache Directory Studio (https://directory.apache.org/studio/), which stores all public keys of LDAPS servers you trust. The exact routine was already described on the mailing list (here: http://mail-archives.apache.org/mod_mbox/directory-users/201004.mbox/%3C4BBF6471.6040900@apache.org%3E), so I'm just giving the gist (again largely taken from there):

find ~/.ApacheDirectoryStudio -name \*.jks # gives you the keystores managed by DirectoryStudio
keytool -list -keystore path/to/permanent.jks
keytool -exportcert -alias <aliasname> -keystore path/to/permanent.jks -file your.crt

Most probably it indicates an issue with your LDAP server SSL setup, i.e. one of the certificates in the chain cannot be checked against an authority. I would recommend double-checking the certificate chain using, e.g.:

  • OpenSSL tool like: openssl s_client -showcerts -connect yourhost:yourport
  • SSLPoke tool like: java -Djavax.net.debug=ssl SSLPoke yourhost yourport

You have 2 ways:

  1. Add the certificate into the JVM truststore like:

     keytool -import -file your_ldap_certificate -alias certificate -keystore trustStore.keystore 
  2. Create a custom class which trusts all the certificates and set the java.naming.ldap.factory.socket system property to point to that class (the class must be on the JMeter classpath)

In case you need more information on performance testing of LDAP servers with JMeter, check out the How to Load Test LDAP with Apache JMeter™ article.
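
The two options above can be combined without accepting every certificate. The following is an added example, not code from either answer or from JMeter: a socket factory for the `java.naming.ldap.factory.socket` property that trusts only the certificates imported into a dedicated truststore file such as the `trustStore.keystore` created with `keytool -import`. The class name `PinnedLdapSocketFactory` and the `ldap.truststore.*` property names are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; the compiled class must be on the JMeter classpath.
public class PinnedLdapSocketFactory extends SocketFactory {
    private final SSLSocketFactory delegate;

    private PinnedLdapSocketFactory() throws Exception {
        // Assumed property names (ldap.truststore.*), not JMeter or JDK settings.
        String path = System.getProperty("ldap.truststore.path", "trustStore.keystore");
        char[] pass = System.getProperty("ldap.truststore.password", "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pass); // fails loudly if the file is missing or the password is wrong
        }
        // Trust managers built from this keystore accept only chains anchored in it.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // The JNDI LDAP provider obtains the factory by calling this static method.
    public static SocketFactory getDefault() {
        try { return new PinnedLdapSocketFactory(); }
        catch (Exception e) { throw new IllegalStateException("cannot load LDAP truststore", e); }
    }

    @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return delegate.createSocket(a, p); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(a, p, la, lp); }
}
```

Because the truststore is separate from the JRE's cacerts, the LDAP server's certificate is trusted only for connections made through this factory, and a handshake with any other certificate still fails with the PKIX error shown in the question.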
