To set up secure communication using TLS (SSL), you need to install a CA certificate, and a TLS certificate issued by that CA, on each LoadRunner Professional machine. You can manage these certificates using the Certificate Manager or a command line interface.
LoadRunner Professional default certificate
LoadRunner Professional provides a default CA and TLS certificate for all LoadRunner Professional machines. They are located in the <LoadRunner Professional root>\dat\cert folder.
However, for a more secure process, create your own CA and issue matching TLS certificates for your machines. For details, see Two-way TLS (SSL) authentication.
Certificate attributes and requirements
Certificates created by LoadRunner Professional
In general, all certificates created by LoadRunner Professional utilities have the following attributes:
- Signature hash algorithm: sha256
- Encryption algorithm: RSA (2048 Bits)
Requirements for using existing CA certificates
You can use an existing CA certificate from your own organization—one that was not created by LoadRunner Professional—as long as it complies with the following:
- Base64-encoded DER certificate (*.pem)
Tip: If your certificate is not already in PEM format, you can use any known tool to convert it.
You can also provide certificate files that contain a root CA and one or more intermediate CAs. LoadRunner Professional supports verification via a chain of trust, as long as all the certificates in the chain from the root to the client certificate can be verified.
If your CA has an Issuing or Intermediate certificate, then you need to also add that to the cert.cer file content.
cert.cer file content:
Content of TLS (SSL) certificate
-----BEGIN PRIVATE KEY-----
Private Key of TLS (SSL) certificate
-----END PRIVATE KEY-----
Content of Issuing/Intermediate certificate
cacert.cer verification file content:
Content of CA/root certificate
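A lint for the two file layouts described above, as an added example that is not LoadRunner Professional code: it checks the block order in cert.cer and that the cacert.cer verification file holds certificates only, so a CA private key is never installed alongside it. It assumes certificate blocks carry the standard PEM label CERTIFICATE; the function names and sample data are constructed for illustration.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
# Standard PEM key labels (assumption: the page itself shows only PRIVATE KEY).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_labels(text):
    """Return the label of each well-formed PEM block, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            raise ValueError(f"{label} block is not valid base64") from None
        if not der.startswith(b"\x30"):  # DER certs and keys are ASN.1 SEQUENCEs
            raise ValueError(f"{label} block is not a DER SEQUENCE")
        labels.append(label)
    return labels

def check_cert_cer(text):
    """cert.cer: TLS certificate, its private key, then any issuing CA certs."""
    labels, problems = pem_labels(text), []
    if labels[:1] != ["CERTIFICATE"]:
        problems.append("first block must be the TLS certificate")
    if sum(l in KEY_LABELS for l in labels) != 1:
        problems.append("expected exactly one private key block")
    elif len(labels) < 2 or labels[1] not in KEY_LABELS:
        problems.append("private key must directly follow the TLS certificate")
    if any(l != "CERTIFICATE" for l in labels[2:]):
        problems.append("only issuing/intermediate certificates may follow the key")
    return problems

def check_cacert_cer(text):
    """cacert.cer: CA certificates only; the CA private key is kept elsewhere."""
    labels, problems = pem_labels(text), []
    if not labels:
        problems.append("no PEM block found (file may be binary DER)")
    if any(l != "CERTIFICATE" for l in labels):
        problems.append("verification file must contain certificates only")
    return problems

def sample_pem(label, der=b"\x30\x03\x02\x01\x00"):
    # Constructed placeholder: a tiny DER SEQUENCE, not a real certificate or key.
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"
GOOD_CERT_CER = sample_pem("CERTIFICATE") + sample_pem("PRIVATE KEY") + sample_pem("CERTIFICATE")
LEAKY_CACERT = sample_pem("CERTIFICATE") + sample_pem("PRIVATE KEY")
```

The checks cover file layout only; they do not verify signatures or the chain of trust.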
Manage certificates using the Certificate Manager
Using the Certificate Manager, you can create a CA certificate (or select an already existing one), create server/client certificates, and install the certificates on your LoadRunner Professional machines.
Launch the Certificate Manager: select Windows Start menu > Micro Focus > Certificate Manager.
- If you have previously installed a CA and TLS certificate with this application, these certificates are displayed. If not, the default LoadRunner Professional certificates are displayed.
Select a CA certificate:
- Click the Change button.
On the Select CA Certificate page, select a CA Certificate. If no certificate is displayed in the list, do one of the following:
Create a new CA certificate
Click New and, in the Create New CA Certificate screen, enter the required details. When finished, click Create. Then select the certificate in the list.
Tip: To export the CA certificate so that you can install it on other LoadRunner Professional machines, click Export.
Import an existing CA certificate
If you already have a CA certificate in your organization, you can import it:
- Click Import.
On the Import a CA Certificate page, click the CA Certificate and Private Key buttons to browse to and select the required files. Then click Import.
The imported certificate appears in the CA Certificates list.
- Select the imported certificate.
Click Next. The SSL Certificate page opens.
Select or create a TLS (SSL) certificate.
Note: For higher security, it is recommended to create and install a separate certificate for each machine.
Create a new TLS certificate
On the Select SSL Certificate page, click New to create a new TLS certificate.
Tip: If you are creating one certificate for all LoadRunner Professional machines, click Export to export the TLS certificate, so that you can install it on other machines.
Import an existing TLS certificate
To import an existing certificate, use the gen_cert utility with the -install option, as described in Manage certificates using the command line utility below.
Click Finish. The CA certificate and corresponding TLS certificate are installed on the current LoadRunner Professional machine.
- Restart the LoadRunner Agent service.
Manage certificates using the command line utility
Use the gen_ca_cert utility to create a new CA certificate, and the gen_cert utility to create the TLS certificate.
Create a CA certificate using the gen_ca_cert command line utility:
From the <LoadRunner Professional root>\bin folder, run gen_ca_cert, using at least one of the following options:
This process creates two files in the folder from which the utility was run: the CA Certificate (cacert.cer), and the CA Private Key (capvk.cer).
(Optional) Rename the files created by the utility.
To rename the certificate files, use the -CA_cert_file_name and the -CA_pk_file_name options respectively.
Note: By default, the CA certificate is valid for three years from when it is generated. To change the validity dates, use the -nb_time (beginning of validity) and/or -na_time (end of validity) options.
Example: The following command creates two files: ca_igloo_cert.cer and ca_igloo_pk.cer in the current folder, and sets the validity to 10/10/2013-11/11/2017:
gen_ca_cert -country_name "North Pole" -organization_name "Igloo Makers" -common_name "ICL" -CA_cert_file_name "ca_igloo_cert.cer" -CA_pk_file_name "ca_igloo_pk.cer" -nb_time 10/10/2017 -na_time 11/11/2017
Install the CA certificate.
Use one of the following options:
-install <name of certificate file>
Replaces any previous CA list and creates a new one that includes this CA certificate only.
-install_add <name of certificate file>
Adds the new CA certificate to the existing CA list.
Note: The -install and -install_add options install only the certificate file. Keep the private key file in a safe place and use it only for issuing certificates.
Create a TLS certificate using the gen_cert command line utility.
From the <LoadRunner Professional root>\bin folder, run:
- Windows: gen_cert.exe
- Linux: gen_cert
Run the gen_cert command with at least one of the following options:
- The CA Certificate and the CA Private Key files that you created manually in step 1, above, are necessary for the creation of the TLS certificate. By default, it is assumed that they are in the current folder, and are named cacert.cer and capvk.cer respectively. In any other case, use the -CA_cert_file_name and -CA_pk_file_name options to give the correct files and locations.
- The certificate file is created in the folder from which the utility was run. By default, the file name is cert.cer. To rename the TLS certificate, use the -cert_file_name option.
Install the TLS certificate using the gen_cert command with the -install option.
- Restart the LoadRunner Agent service.
Other tools for setting up communication with TLS
You can also use the following tools to set up TLS authentication:
Network and Security Manager command line tool
Automate your certificate setup process with the Network and Security Manager command line tool, using the -generate_new_cert option to create a new TLS certificate.
For details, see Network and Security Manager - command line tool.
You can automatically generate a TLS certificate on Controller, associating the certificate with your scenario run.
To do this, in the Authentication Settings tool, select the Generate a certificate automatically option.