Configure secure communication with TLS (SSL)

To set up secure communication using TLS (SSL), you need to install a CA certificate, and a TLS certificate issued by that CA, on each LoadRunner Professional machine. It is recommended to manage these certificates using the Certificate Manager. You can also use the command line tools to do so.

Encrypted private keys for certificates are supported in LoadRunner Professional from version 2022 R1.

LoadRunner Professional default certificate

LoadRunner Professional provides a default CA and TLS certificate for all LoadRunner Professional machines. They are located in the <LoadRunner Professional root>\dat\cert folder.

Caution: It is not recommended to change these files manually. Instead, use the Certificate Manager or command line utilities.

For a more secure process, create your own CA and issue matching TLS certificates for your machines. For details, see Two-way TLS (SSL) authentication.

Certificate attributes and requirements

Certificates created by LoadRunner Professional

In general, all certificates created by LoadRunner Professional utilities have the following attributes:

  • Signature hash algorithm: sha256
  • Encryption algorithm: RSA (2048 Bits)

Requirements for using existing CA certificates

You can use an existing CA certificate from your own organization—one that was not created by LoadRunner Professional—as long as it complies with the following:

  • enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

  • base64 encoded DER certificate (*.pem)

    Tip: If your certificate is not already in PEM format, you can use any known tool to convert it.

You can also provide certificate files that contain a root CA and one or more intermediate CAs. LoadRunner Professional supports verification via a chain of trust, as long as all the certificates in the chain from the root to the client certificate can be verified.

If your CA has an Issuing or Intermediate certificate, then you can add that to the cacert.cer file content. It is recommended to use the Certificate Manager or command line utilities to add CA and Intermediate certificates, rather than adding them manually.

Example:

cert.cer file content:

-----BEGIN CERTIFICATE-----
Content of TLS (SSL) certificate
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Private Key of TLS (SSL) certificate
-----END PRIVATE KEY-----

cacert.cer verification file content:

-----BEGIN CERTIFICATE-----
Content of CA/root certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Content of Issuing/Intermediate certificate
-----END CERTIFICATE-----
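
A pre-install layout check for the two files shown above, as an added example (not LoadRunner Professional code). It assumes encrypted keys carry either the PKCS#8 ENCRYPTED PRIVATE KEY label or a legacy Proc-Type: 4,ENCRYPTED header; the function names and sample data are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN/END lines carrying the same label around base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, encrypted)] for each PEM block, in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines()]
        legacy_enc = "Proc-Type: 4,ENCRYPTED" in lines
        payload = "".join(ln for ln in lines if ":" not in ln)  # skip headers
        der = base64.b64decode(payload, validate=True)  # ValueError if invalid
        # Certificates and PKCS#8 keys are DER SEQUENCEs (first byte 0x30).
        if not legacy_enc and der[:1] != b"\x30":
            raise ValueError(f"{label}: payload is not a DER SEQUENCE")
        blocks.append((label, legacy_enc or label == "ENCRYPTED PRIVATE KEY"))
    return blocks

def check_cert_file(text):
    """Findings for cert.cer as laid out above: TLS certificate, then its key."""
    blocks = pem_blocks(text)
    keys = [enc for label, enc in blocks if label.endswith("PRIVATE KEY")]
    findings = []
    if not blocks or blocks[0][0] != "CERTIFICATE":
        findings.append("error: first block is not a certificate")
    if len(keys) != 1:
        findings.append(f"error: expected 1 private key, found {len(keys)}")
    elif not keys[0]:
        findings.append("warn: private key is not password-encrypted")
    return findings

def check_ca_file(text):
    """Findings for cacert.cer: CA certificates only, never a private key."""
    labels = [label for label, _ in pem_blocks(text)]
    findings = [] if "CERTIFICATE" in labels else ["error: no CA certificate"]
    return findings + [f"error: unexpected {name} block in CA list"
                       for name in labels if name != "CERTIFICATE"]

def armor(label, der=b"\x30\x03\x02\x01\x00"):
    """Constructed sample block: a 5-byte DER stub, not a real certificate."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

SAMPLE_CERT = armor("CERTIFICATE") + armor("PRIVATE KEY")    # constructed
SAMPLE_CA = armor("CERTIFICATE") * 2 + armor("PRIVATE KEY")  # key left in by mistake
```

This checks file structure only; verifying the certificate chain and private key is what the Validate button in the Certificate Manager (from version 2022 R1) does.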

Manage certificates using the Certificate Manager (recommended)

Using the Certificate Manager, you can create a CA certificate (or select an already existing one), create server/client certificates, and install the certificates on your LoadRunner Professional machines.

  1. Launch the Certificate Manager: Select Windows Start menu > Micro Focus > Certificate Manager.

    If you have previously installed CA and TLS certificates with this application, these certificates are displayed. If not, the default LoadRunner Professional certificates are displayed.

  2. Select a CA certificate:

    1. Click the Change button.
    2. On the Select CA Certificate page, select a CA Certificate. If no certificate is displayed in the list, do one of the following:

      Create a new CA certificate: Click New and, in the Create New CA Certificate screen, enter the required details. When finished, click Create. Then select the certificate in the list.

      Tip: To export the CA certificate so that you can install it on other LoadRunner Professional machines, click Export.

      From version 2022 R1: It is recommended to enter a password so that the private key will be encrypted when it is exported.

      Import an existing CA certificate

      If you already have a CA certificate in your organization, you can import it:

      1. Click Import.
      2. On the Import a CA Certificate page, click the CA Certificate and Private Key buttons to browse to and select the required files.

        From version 2022 R1: You are not required to provide the private key in order to import a CA certificate. If you do not provide a private key, you will not be able to generate new TLS (SSL) certificates using this CA certificate.

        If the CA private key is encrypted, you must provide the password.

      3. Click Import. The imported certificate appears in the CA Certificates list.

      4. Select the imported certificate.
    3. Click Next. The SSL Certificate page opens.

  3. Select or create a TLS (SSL) certificate.

    Note: For higher security, it is recommended to create and install a separate certificate for each machine.

    Create a new TLS certificate
    1. On the Select SSL Certificate page, click New to create a new TLS certificate.

      Tip: If you are creating one certificate for all LoadRunner Professional machines, click Export to export the TLS certificate, so that you can install it on other machines.

    2. Click Next.

    Import an existing TLS certificate: To import an existing certificate, use the gen_cert utility with the -install option, as described in Manage certificates using the command line utilities below.

  4. Click Finish. The CA certificate and corresponding TLS certificate are installed on the current LoadRunner Professional machine.

    From version 2022 R1: After installation, you can click Validate to verify the certificate chain and private key.

  5. Restart the LoadRunner Agent service.

Manage certificates using the command line utilities

Use the gen_ca_cert utility to create a new CA certificate, and the gen_cert utility to create the TLS certificate.

  1. Create a CA certificate using the gen_ca_cert command line utility:

    From the <LoadRunner Professional root>\bin folder, run gen_ca_cert, using at least one of the following options:

    • -country_name

    • -organization_name

    • -common_name

    • -CA_pk_pwd (available in version 2022 R1): Use this option to encrypt the CA private key with the specified password.

    This process creates two files in the folder from which the utility was run: the CA Certificate (cacert.cer), and the CA Private Key (capvk.cer).

  2. (Optional) Rename the files created by the utility.

    To rename the certificate files, use the -CA_cert_file_name and the -CA_pk_file_name options respectively.

    Note: By default, the CA certificate is valid for three years from when it is generated. To change the validation dates, use the -nb_time (beginning of validity) and/or -na_time (end of validity) options.

    Example:  The following command creates two files: ca_igloo_cert.cer and ca_igloo_pk.cer in the current folder, and sets the validity to 10/10/2013-11/11/2017:

    gen_ca_cert -country_name "North Pole" -organization_name "Igloo Makers" -common_name "ICL" -CA_cert_file_name "ca_igloo_cert.cer" -CA_pk_file_name "ca_igloo_pk.cer" -nb_time 10/10/2017 -na_time 11/11/2017

  3. Install the CA certificate.

    Use one of the following options:

    • -install <name of certificate file>: Replaces any previous CA list and creates a new one that includes this CA certificate only.

    • -install_add <name of certificate file>: Adds the new CA or intermediate certificate to the existing CA list.

    Note: The -install and -install_add options install only the certificate file. Keep the private key file in a safe place and use it only for issuing certificates.

  4. Create a TLS certificate using the gen_cert command line utility.

    From the <LoadRunner Professional root>\bin folder, run:

    • Windows: gen_cert.exe

    • Linux: gen_cert

    Run the gen_cert command with at least one of the following options:

    In version 2022 R1: You must include the -cert_pk_pwd option. This option encrypts the TLS certificate private key with the specified password. To generate an unencrypted private key, specify an empty password: "".

    • -country_name

    • -organization_name

    • -organization_unit_name

    • -eMail

    • -common_name

    The following options are used to customize the certificate and private key files you are creating:

    • -cert_pk_pwd: (Mandatory in version 2022 R1) This option encrypts the TLS certificate private key with the specified password. To generate an unencrypted private key, specify an empty password: "".

    • -cert_pk_file_name: (Available in version 2022 R1) This option renames the TLS certificate private key file (from the default cert.key).

    • -cert_file_name: This option renames the TLS certificate file (from the default cert.cer).

    The following keys manage the parent CA certificate and CA private key files:

    • -CA_cert_file_name, -CA_pk_file_name: The CA certificate and the CA private key files that you created manually in step 1, above, are necessary for the creation of the TLS certificate. By default, it is assumed that they are in the current folder, and are named cacert.cer and capvk.cer respectively. In any other case, use these options to give the correct files and locations.

    • -CA_pk_pwd: (Available in version 2022 R1) If the CA private key is encrypted, use this option to specify the password.

    After you run the command, the certificate file is created in the folder from which the utility was run.

  5. Install the TLS certificate using the gen_cert command with the -install option.

  6. Restart the LoadRunner Agent service.

Other tools for setting up communication with TLS

You can also use the following tools to set up TLS authentication:

Network and Security Manager command line tool

Automate your certificate setup process with the Network and Security Manager command line tool, using the -generate_new_cert option to create a new TLS certificate.

For details, see Network and Security Manager - command line tool.

Controller

You can automatically generate a TLS certificate on Controller, associating the certificate with your scenario run.

To do this, in the Authentication Settings tool, select the Generate a certificate automatically option.
