Using WebLoad and SPENGO/Kerberos to stress test your SPNEGO server
Keywords: SPNEGO, WebLoad, HTTP load tool, stress test
Introduction :
WebLoad [1] is an http/https based stress-test-tool. Many products like WebLoad exists, but not many of them support SPNEGO, NTLM and Client certificate authentication protocols.
WebLoad is an advanced multi-agent tool where agents can be controlled from a central Analyzer server. Load scripts and statistics can be uploaded and downloaded on-the-fly, agents can be started and stopped. All controlled from the central Analyzer.
WebLoad plays back recorded scripts containing HTTP requests and records the response time and return code। A script can reference multiple users and a script can be played back using multiple worker threads। All-in-all this simulated multiple user connections to one or more target sites – at the same time.
WebLoad handles the client side SPNEGO negotiation which includes acquisition of Kerberos ticket granting ticket and authentication tickets।
Downloading and installing
To get this up and running you need to download WebLoad from http://webload.dk and SPNEGO/Kerberos from http://appliedcrypto.com
You will also need a valid license to run. See details on how to acquire a license on the specific sites.
Download the WebLoad product into a directory on the target machine. Since WebLoad is 100% it runs on Windows, Linux and Unix machine, where a SUN JDK 1.4 or IBM JDK 1.3.1 or IBM JDK 1.4.1 or JRockit 1.4.1 is available. Install WebLoad in to a directory, e.g. c:\webload
Download the SPNEGO/Kerberos product [2] spnego.jar library and save it into the lib directory of WebLoad, e.g. c:\webload\lib
Modify the webload.cmd to include -Djava.security.krb5.conf=.\lib\krb5.conf as a JVM startup parameter.
Add the krb5.conf file to the lib directory:
[libdefaults]
default_realm = TEST.NET
default_tkt_enctypes = des-cbc-md5;des-cbc-crc
default_tgs_enctypes = des-cbc-md5;des-cbc-crc
default_checksum = rsa-md5
kdc_timesync = 0
kdc_default_options = 0x40000010
clockskew = 300
check_delegate = 0
ccache_type = 3
kdc_timeout = 60000
[domain_realm]
.test.net = TEST.NET
[realms]
TEST.NET = {
kdc = 192.168.1.2:88
}
This will configure Kerberos to know the KDC (Active Directory) and describe some default settings like the encryption algorithms.
Open the local.dat in the records directory. This file is the script that we want to play. Modify it to look something like:
?>?>?>?>
This script will fire a HTTP GET request to the host: webserver.test.net (port 8080) with the URL /spnegosample/spnegopacservletfilter. And it will use the user: test@TEST.NET (the user test at the realm TEST.NET).
We need to specify the password since the script can contain multiple users and we cannot rely on getting the Kerberos TGT from the local windows ticket cache for this purpose.
Now copy the acquired license file to the webload directory. Licenses can be acquired by writing an email to spnego@it-practice.dk.
Now we have configured WebLoad for SPNEGO and we launch the WebLoad agents by starting the webload.cmd from the command line. To do the same thing from Linux or Unix, launch the webload.sh shell script. Wait a couple of seconds to verify that it starts up correctly and then start the WebLoad analyzer by launching the webloadanalyzer.cmd (or webloadanalyzer.sh).
Below we see the started WebLoad analyzer.
Configuring and running WebLoad
WebLoad has two important configuration files. The first configuration file which is located in the records directory is the script file, the “action” script that tell WebLoad what to do. The second configuration file which is located in the config directory tells WebLoad how to handles special situations like timeout but also how many concurrent threads it will use to bombard the web server. Each thread will run the script in a loop.
To change the number of concurrent threads, change the line in the local.dat file:
Above setting tells WebLoad to run one script play back thread.
More details of specific setting in WebLoad can be found in the WebLoad documentation.
Now we are ready to upload the script to the webload agent.
Select the WebLoad agent and expand the configuration. Press the “upload” button. Now select the local.dat which contains the configuration. The configuration contains a reference to the script file which is also loaded into the WebLoad agent.
1) Request is the HTTP GET without any credentials (no SPNEGO token).
2) Reply is a NEGOTIATE challenge from the webserver SPNEGO protocol handler. This triggers the SPNEGO protocol sequence.
3) Using the userid a Kerberos TGT is requested.
4) The reply contains an encrypted TGT which is decrypted using the password.
5) The TGT is used to request an authentication ticket.
6) The reply contains an encrypted authentication ticket. This ticket is enveloped into a SPNEGO token.
7) The original HTTP GET is resent, now containing the SPNEGO token.
8) The Web server decodes, decrypts and verifies the authentication ticket and responds with the requested HTML page.
WebLoad will count this as two requests, since this is the number of requests sent to the target web server.
Below we see a real-time graph of the number of requests per second sent to the web server. Below graph is running with 4 concurrent threads.
A quick statistics round up gives us the following performance figures:
This shows that it scales quite good up to 6 threads. Above 6 threads it increases the load but the number of requests per second does not increase with 8 requests as generated with one thread alone.
References
[1] WebLoad from IT Practice, http://webload.dk/index.html
[2] SPNEGO/Kerberos from IT Practice, http://appliedcrypto.com/spnego/tryit
Above setting tells WebLoad to run one script play back thread.
More details of specific setting in WebLoad can be found in the WebLoad documentation.
Now we are ready to upload the script to the webload agent.
Select the WebLoad agent and expand the configuration. Press the “upload” button. Now select the local.dat which contains the configuration. The configuration contains a reference to the script file which is also loaded into the WebLoad agent.
We are now ready to run the script.
Select the WebLoad agent and press “start”. Now expand the “Online information”. Select the configuration. Now you should see a graph indicating the real time requests per second, based on the number of concurrent threads set in the configuration file.
The script in this article is very simple and consists of only one HTTP request। This request is replied with a NEGOTIATE challenge which triggers the SPNEGO negotiation.
Figure 1: WebLoad communication with Active Directory server and Web server. The figure shows that one HTTP request results in total 8 request/replies between the servers in the setup.Select the WebLoad agent and press “start”. Now expand the “Online information”. Select the configuration. Now you should see a graph indicating the real time requests per second, based on the number of concurrent threads set in the configuration file.
The script in this article is very simple and consists of only one HTTP request। This request is replied with a NEGOTIATE challenge which triggers the SPNEGO negotiation.
1) Request is the HTTP GET without any credentials (no SPNEGO token).
2) Reply is a NEGOTIATE challenge from the webserver SPNEGO protocol handler. This triggers the SPNEGO protocol sequence.
3) Using the userid a Kerberos TGT is requested.
4) The reply contains an encrypted TGT which is decrypted using the password.
5) The TGT is used to request an authentication ticket.
6) The reply contains an encrypted authentication ticket. This ticket is enveloped into a SPNEGO token.
7) The original HTTP GET is resent, now containing the SPNEGO token.
8) The Web server decodes, decrypts and verifies the authentication ticket and responds with the requested HTML page.
WebLoad will count this as two requests, since this is the number of requests sent to the target web server.
Below we see a real-time graph of the number of requests per second sent to the web server. Below graph is running with 4 concurrent threads.
A quick statistics round up gives us the following performance figures:
References
[1] WebLoad from IT Practice, http://webload.dk/index.html
[2] SPNEGO/Kerberos from IT Practice, http://appliedcrypto.com/spnego/tryit
