[Webtest] Testing SSL site with non-trusted cert

Paul King webtest@lists.canoo.com
Wed, 18 Aug 2004 11:53:56 +1000


Dwayne Miller wrote:

> Can anyone point me to docs that show how to set up WebTest for a server 
> running SSL.  Also, the client cert is a hand-rolled cert, not a trusted 
> one.  While I'd like to run the webserver in SSL mode, I don't really 
> care if WebTest is somehow told to ignore problems with the cert if that 
> is possible.

Not sure where this is in the docs, but here is what we do.

We have the following in a separate XML file (SSLprops.xml):

  <property name="webtest.truststore.file" value="${webtest.home}/certs/client_testcacerts"/>
  <property name="webtest.keystore.file" value="${webtest.home}/certs/client_testcacerts"/>
  <property name="webtest.keystore.alias" value="MyAlias"/>
  <property name="webtest.connectioninitializer" value="com.canoo.webtest.security.SunJsseBaseConnectionInitializer"/>

Of course, you will have to add the certificate (and possibly other 
certificates in your trust chain) into the certs file and you may have 
different certs files for different environments. The theory is that you 
will have stored your certificate in the cert using the alias provided. 
In practice, I don't think this is checked. We certainly have multiple 
certs in our keystore/certs file, so the alias doesn't matter.

Then set up an SSL module, i.e. declare an entity reference to the file:

   <!ENTITY ssl SYSTEM "file:../SSLprops.xml">

Then just use &ssl; within your build file. We do this inside our init 
target.

We mainly use WebLogic Workshop as our IDE and invoke our test scripts 
from within it. To avoid classpath/classloader/ant version problems we 
call our webtest ant build files in a nested fashion. We feed some 
additional parameters related to security/SSL to the nested ant 
invocation. This will allow your webtest build file to do other steps 
which trust the SSL certificates on your server. I am not sure any of 
these affect webtest but it might (in our case we also use sqlunit - it 
supports the webtest reporting format - which grabs a datasource via 
SSL). The different options instruct Apache HttpClient/Sun JSSE and 
WebLogic client classes to trust the certificate.

   <target name="myTests" description="Invoke ant externally to avoid classpath/classloader problems">
     <java fork="true" classname="org.apache.tools.ant.Main">
       <sysproperty key="bea.home" value="C:/bea"/>
       <sysproperty key="weblogic.security.TrustKeyStore" value="CustomTrust"/>
       <sysproperty key="weblogic.security.CustomTrustKeyStoreFileName" value="${webtest.certs}/${certname}"/>
       <sysproperty key="javax.net.ssl.trustStore" value="${webtest.certs}/${certname}"/>
       <arg line="-f mySubdir/myTests.xml"/>
       <classpath>
         <pathelement path="${webtest.lib}"/>
         <fileset dir="${webtest.lib}" includes="*.jar"/>
         <pathelement path="${sqlunit.lib}/sqlunit.dtd"/>
         <fileset dir="${sqlunit.lib}" includes="*.jar"/>
       </classpath>
     </java>
   </target>

Cheers, Paul.
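
Added example (not part of Paul's message or the WebTest docs): one way to add a hand-rolled server certificate to the client_testcacerts file with the JDK's keytool, so the test client trusts exactly that certificate and validation stays on. The function names, the password and the sample certificate are constructed for illustration; the file name and alias are the ones used in the message above.

```shell
#!/bin/sh
# Added example: maintain a dedicated test truststore with the JDK's keytool.
# Function names, password and the sample certificate are constructed.

STOREPASS="changeit"   # constructed, test-only store password

# has_alias TRUSTSTORE ALIAS: succeeds if the store already holds that alias.
has_alias() {
    [ -f "$1" ] && keytool -list -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" >/dev/null 2>&1
}

# import_test_cert CERT_FILE TRUSTSTORE ALIAS
# Adds one certificate as a trusted entry (creating the store if needed).
# Refuses to reuse an alias, so an existing trust entry is never replaced
# silently when several certificates share one certs file.
import_test_cert() {
    if has_alias "$2" "$3"; then
        echo "alias '$3' already present in $2" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$3" -file "$1" \
        -keystore "$2" -storepass "$STOREPASS" >/dev/null 2>&1
}

# make_sample_cert DIR: constructed stand-in for the server's hand-rolled
# certificate; writes DIR/server.pem (self-signed, PEM encoded).
make_sample_cert() {
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=test.example.invalid" -keystore "$1/server.p12" \
        -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS" \
        >/dev/null 2>&1 &&
    keytool -exportcert -rfc -alias server -keystore "$1/server.p12" \
        -storepass "$STOREPASS" -file "$1/server.pem" >/dev/null 2>&1
}

# Typical use, with the real server certificate exported to server.pem:
#   import_test_cert server.pem "$WEBTEST_HOME/certs/client_testcacerts" MyAlias
```

Keep one such certs file per environment, as the message suggests, and import the issuing CA certificates the same way when the server certificate is not self-signed.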