Bug 54977

Summary: Ability to choose the client alias for the cert key in JsseSslManager such that Mutual SSL auth testing can be made more flexible
Product: JMeter
Reporter: chrisryp
Component: Main
Assignee: JMeter issues mailing list <issues>
Severity: enhancement
CC: p.mouawad, support
Priority: P2
Version: 2.9
Target Milestone: ---
Hardware: All
OS: All
Attachments:
- Patch proposal that implements this feature
- Screenshot showing KeystoreConfig
- Plan showing how to use feature

Description chrisryp 2013-05-15 18:39:06 UTC
Currently, in JsseSSLManager the alias selection is managed solely by the incrementing key index value. The user cannot override the selection of a specific client alias for a thread in ThreadGroup. This makes testing Mutual SSL auth impossible to do if each thread must be assigned a specific client alias. One potential approach to handle this is to allow the user to define a hint variable in the thread and parse that in WrappedX509KeyManager.chooseClientAlias() as such:

> diff JsseSSLManager.java JsseSSLManager.java.proposed 
> import org.apache.jmeter.threads.JMeterContextService;
<             String alias = this.store.getAlias();
>             // Give the user a choice to select the alias by reading an alias hint from
>             // a thread local variable
>             String aliasHint = 
>                     JMeterContextService.getContext().getVariables().
>                     get("jmeter.keystore.alias.hint");
>             String alias = aliasHint;
>             if (alias == null) {
>                 alias = this.store.getAlias();
>             }
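
Review bot: the hint is only checked for null (`if (alias == null)`), so an empty value or an alias that is not present in the keystore is returned as the client alias unchecked; treat an empty hint as unset and reject an unknown alias with a clear error before returning it. `getContext().getVariables()` is also dereferenced without a null check, and the variable name "jmeter.keystore.alias.hint" is an inline literal that would be better as a documented constant.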

A better, long term approach is to improve KeyStoreConfiguration to allow a thread local variable to specify the alias for the cert key but this requires the SSLManager to not be a singleton or to process thread local variables as above.

Note that chooseClientAlias() has a comment currently that suggests allowing the user to choose the client alias is already on the TODO list:
 TODO? - does not actually allow the user to choose an alias at present
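
The alias-hint selection described above, as an added example that is not JMeter's code or the attached patch: a delegating X509KeyManager that honours a per-thread hint and rejects an alias with no key entry. The class name HintedKeyManager and the ALIAS_HINT thread-local are assumptions; the proposal above reads the hint from a JMeter thread variable instead.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;

/** Added example: wraps a JSSE key manager and lets each thread pick its client alias. */
public final class HintedKeyManager implements X509KeyManager {
    // Hypothetical per-thread hint holder (assumption, not a JMeter API).
    public static final ThreadLocal<String> ALIAS_HINT = new ThreadLocal<>();
    private final X509KeyManager delegate;

    public HintedKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        String hint = ALIAS_HINT.get();
        if (hint == null || hint.trim().isEmpty()) {
            // No usable hint: keep the delegate's default selection.
            return delegate.chooseClientAlias(keyType, issuers, socket);
        }
        // Reject a hint that does not name a key entry instead of returning it unchecked.
        if (delegate.getPrivateKey(hint) == null || delegate.getCertificateChain(hint) == null) {
            throw new IllegalArgumentException("No client key entry for alias '" + hint + "'");
        }
        return hint;
    }

    // Everything else is passed straight through to the wrapped key manager.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}
```

To use it, wrap the X509KeyManager obtained from KeyManagerFactory.getKeyManagers() and pass the wrapper to SSLContext.init(); each test thread then sets ALIAS_HINT before opening its connection.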
Comment 1 UbikLoadPack support 2013-12-19 20:30:24 UTC
Created attachment 31134
Patch proposal that implements this feature

Please find attached a patch that implements the described feature.
Note by the way it fixes the following:
- When certificates are not found, IllegalArgumentException or IllegalStateException are thrown making debug much easier
- SSLManager#getKeyStore has been synchronized to avoid synchronization issues if Preload is set to false and performance issues due to as many loads as there are threads in worst case

As always, we grant full rights to use, modify, do anything project wants to do with classes as per our signed CLA.
Comment 2 UbikLoadPack support 2013-12-19 20:31:44 UTC
Created attachment 31135
Screenshot showing KeystoreConfig
Comment 3 UbikLoadPack support 2013-12-19 20:34:48 UTC
Created attachment 31136
Plan showing how to use feature
Comment 4 UbikLoadPack support 2013-12-19 20:57:11 UTC
Date: Thu Dec 19 20:56:21 2013
New Revision: 1552423

URL: http://svn.apache.org/r1552423
Bug 54977 - Ability to choose the client alias for the cert key in JsseSslManager such that Mutual SSL auth testing can be made more flexible
Bugzilla Id: 54977

Comment 5 Philippe Mouawad 2013-12-19 21:00:59 UTC
Thanks for the patch, applied with minor changes on message labels.

PS: Next time, wait for a JMeter committer to put the commit mail message and mark bug as resolved.