
How to configure JMeter to use client side SSL

  

In this article we discuss how to configure JMeter to use client side SSL to authenticate each request. This will allow each request to be signed and encrypted. In turn, this configuration allows CICS to map the certificate to a RACF user ID and run the transaction as that user. This article assumes that RACF and CICS are configured and that the private key along with the certificate signing authority have been exported from RACF and are available on your machine. There are 3 stages to complete:

  1. Set up certificate keystore
  2. Set up signing authority
  3. Configure JMeter

Set up certificate keystore

First, the exported certificate needs to be imported into a Java keystore so that Java can read it.
Copy the *.p12 file (and the certificate authority .cer file) to a directory on your laptop. Drop into a command shell and issue the following command to generate the keystore:

C:\Users\IBM_ADMIN\Documents\IBM\HermesTest\jmx files\certificates>keytool -importkeystore -srckeystore certificate.P12 -srcstoretype PKCS12 -srcstorepass certificate_password -keystore mystore.keystore -storepass keystore_password

where:

certificate.P12 is your personal certificate file that you extracted from RACF
certificate_password is the password for the certificate
keystore_password is a new password for this keystore. Advice online says that you should set this to be the same as certificate_password; however, I cannot see why this would be necessary.

You will see output similar to the following:

Entry for alias 0cn=cics 2048 sample certification authority, ou=cics test department, o=leading edge cics enterprise, l=gotham city, st=xanadu, c=us successfully imported.
Entry for alias attlsring2c-2048-certificate successfully imported.
Import command completed:  2 entries successfully imported, 0 entries failed or cancelled

You can see that both the certificate and the signing authority have been imported into the keystore. Note the alias of your personal certificate (the second entry in the output above); you will need it later. You will have a new file in the directory called mystore.keystore.

Set up the signing authority

If your personal certificate has been signed by a bona fide CA, then you can simply skip this step. However, if you are using your own CA then you will need to pay attention. Before Java will be able to use your certificate to sign the requests from JMeter, it will need to be able to get a copy of the CA certificate. When we generated the keystore in the step above, the CA was automatically imported into the keystore along with your certificate. All we need to do is allow Java to read that file.

  1. Copy the file mystore.keystore to a new file called jssecacerts (note the lack of a file extension).
  2. Copy jssecacerts to the jre/lib/security folder of the installed Java runtime environment that JMeter is using. Java reads this file automatically instead of the cacerts file that is already in the same directory, so that runtime will trust only the CAs held in your keystore.

An alternative method is to import the sample CA into the cacerts keystore that already exists in the JRE.

Configure JMeter

Configuring JMeter to use your keystore to sign the outbound request is ‘fairly’ straightforward. It does seem complex initially to sign a single request with a single certificate. However if you later want to scale up to use more requests signed with a range of certificates, then you will have done most of the hard work already.

  1. Create your thread group as normal.
  2. Create an HTTP Request and configure it as shown in the figure below. Pay special attention to the Implementation and Protocol fields.

    Figure 1. Creating an HTTP Request
  3. Create a Keystore Configuration element as a child of the HTTP Request. Use the figure below to configure the panel:


    Figure 2. Configuring Keystore

    Note that cert_name is typed into the box as literal text; it is not written as a variable reference. Just type it into the box and trust me. This field configures the request to use a specific certificate alias from the keystore, but it does not accept a literal alias name. It has to be the name of a variable that is resolved by JMeter. We will set this up by using a (very short) CSV file and a CSV Data Set Config.

  4. Create a CSV DataSet Config as a child of the thread group as illustrated in the following figure.


    Figure 3. CSV Data Set Config

    Note that the cert_name value we used in the Keystore Configuration appears here again. Basically, this panel allows JMeter to pick the value of the cert_name variable from a CSV file. Each thread will be given a random line from the CSV file; the line will be split into values and assigned to variables in the order specified in the Variable Names field. Since we only have one variable and one possible value, a lot of this seems overkill, but if I had 30 certificates and lots of other variables this solution would be quite nice.

  5. The filename points to a CSV file that should exist in the same location as the JMX file we are creating. To create the CSV file, just create a new text file and enter the alias of the certificate that we imported into the keystore in the very first step.
  6. The final step is to point JMeter at the keystore we want to use. Click Options -> SSL Manager, select the mystore.keystore keystore that we created and press Enter.

You are done! When you run the thread group you will be prompted for a password. This is the password you set as the keystore password. Each request will now be signed and CICS can use that certificate to run the work under a specific user ID.
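
A pre-flight check for the cert_name CSV file, added here as an example and not part of the original article: it parses the output of keytool -list for mystore.keystore and confirms that every alias in the CSV file is a PrivateKeyEntry and survives the delimiter split. The listing is a constructed sample (aliases from the import output above, dates and fingerprints made up); the function names, the en-US date format and the comma delimiter without quoting are assumptions.

```python
import re

# Constructed sample of `keytool -list -keystore mystore.keystore` output.
# Aliases come from the article; dates and fingerprints are made up.
SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

0cn=cics 2048 sample certification authority, ou=cics test department, o=leading edge cics enterprise, l=gotham city, st=xanadu, c=us, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
attlsring2c-2048-certificate, Jan 5, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 44:55:66:77
"""

# Assumes the en-US date format ("Jan 5, 2015"); the alias may contain commas.
ENTRY = re.compile(
    r"^(?P<alias>.+), [A-Z][a-z]{2} \d{1,2}, \d{4}, (?P<kind>\w+Entry),\s*$")


def parse_listing(listing):
    """Map each alias in a keytool listing to its entry type."""
    entries = {}
    for line in listing.splitlines():
        match = ENTRY.match(line)
        if match:
            entries[match.group("alias")] = match.group("kind")
    return entries


def check_aliases(listing, csv_text, delimiter=","):
    """Return (line_number, problem) for each CSV line that cannot be used."""
    entries = parse_listing(listing)
    problems = []
    for number, line in enumerate(csv_text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(delimiter)  # plain split, no quoting (assumption)
        if len(fields) != 1:
            problems.append((number, f"splits into {len(fields)} fields"))
            continue
        kind = entries.get(fields[0].strip())
        if kind is None:
            problems.append((number, "alias not in keystore"))
        elif kind != "PrivateKeyEntry":
            problems.append((number, f"{kind} has no private key"))
    return problems


if __name__ == "__main__":
    print(check_aliases(SAMPLE_LISTING, "attlsring2c-2048-certificate\n"))
```

An empty list means every alias in the CSV file names a key that can sign requests; the CA alias from the sample fails either way, because it contains commas and is only a trusted certificate entry.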