Secure communication and the system user

This topic provides information on LoadRunner Enterprise communication security and the LoadRunner Enterprise system user.

Overview

When installing LoadRunner Enterprise servers and hosts, a Communication Security passphrase is defined which enables secure communication between the components. You can update the Communication Security passphrase on the LoadRunner Enterprise system components. For details, see Update the Communication Security passphrase.

LoadRunner Enterprise also creates a default system user for use by the LoadRunner Enterprise server and hosts, the Site Management console, and the Load Generator standalone machines. You can change the system user using the System Identity Changer Utility. For details, see Change the system user.

Update the Communication Security passphrase

This task describes how to update the Communication Security passphrase on the LoadRunner Enterprise system components. The Communication Security passphrase must be identical on all of the components of the system.

From the LoadRunner Enterprise server installation's \bin directory, open the System Identity Changer Utility (C:\Program Files (x86)\OpenText\LoadRunner Enterprise\IdentityChangerBin).

Note: You can run this utility from any one of the LoadRunner Enterprise servers in the system.

The System Identity Changer Utility opens. For user interface details, see System Identity Changer Utility.

In the Communication Security Passphrase section, select Change, and enter the new Communication Security passphrase.

Click Apply.

After the Communication Security passphrase has been successfully updated on the LoadRunner Enterprise components, you must reset IIS and restart the LoadRunner Backend Service and the LoadRunner Alerts Service on the LoadRunner Enterprise servers.

Change the system user

During installation of the server and hosts, a default LoadRunner Enterprise system user, IUSR_METRO (default password P3rfoRm@1nceCen1er), is created in the Administrators user group of the server/host machines.

The LoadRunner Enterprise server is installed with the System Identity Changer Utility that enables you to manage the LoadRunner Enterprise system user on the LoadRunner Enterprise server and hosts from one centralized location. Use this utility to update the LoadRunner Enterprise system user name and password.

When you change the system user, or a user's password, the System Identity Changer Utility updates the LoadRunner Enterprise components.

Note:

To prevent security breaches, you can replace LoadRunner Enterprise's default system user by creating a different local system user, or by using a domain user.
You can use a REST command to silently change the system user password in the System Identity Changer utility without having to use the user interface. For details, see Update the system user password.

To change the system user:

Prerequisites
- When changing the system user, LoadRunner Enterprise must be down. That is, all users must be logged off the system and no tests may be running.
- When changing the user password:
Note: This utility does not apply changes to UNIX machines, Standalone load generators, or machines that are located over the firewall.
Launch the System Identity Changer Utility on the LoadRunner Enterprise server

In the LoadRunner Enterprise server installation's \bin directory, open the System Identity Changer Utility (C:\Program Files (x86)\OpenText\LoadRunner Enterprise\IdentityChangerBin).

The System Identity Changer Utility opens. For user interface details, see System Identity Changer Utility.
Change the details of the LoadRunner Enterprise user
1. Enter the relevant details to update and click Apply.
2. The Machines table displays the status of each machine during the configuration process.
3. The utility performs steps in the following order:
  1. LoadRunner Enterprise hosts are reconfigured first. Any failures at this phase won't stop the process from continuing.
  2. If you are using a cluster environment with multiple LoadRunner Enterprise servers, all LoadRunner Enterprise servers except for the one from which the utility is running are reconfigured. Any failures at this phase won't stop the process from continuing.
  3. The LoadRunner Enterprise server from which the utility is running is reconfigured. Failure at this level is critical, and prevents the process from continuing.
  4. The configuration shared by all LoadRunner Enterprise environments is updated. This step is dependent on the previous step succeeding.
4. The utility attempts to configure all the hosts, even if the configuration on one or more hosts is unsuccessful. In this case, after the utility has attempted to configure all the hosts, correct the errors on the failed hosts and click Reconfigure. The utility runs again on the whole system.
  
  For details on troubleshooting System Identity Changer Utility issues, see Troubleshoot System Identity Changer and system user issues.
Verify that the system user was changed on the LoadRunner Enterprise server
1. Open IIS Manager. Under Sites > Default Web Site, choose a virtual directory.
2. Under Authentication select Anonymous Authentication. Verify that the anonymous user defined was changed for the following virtual directories: PCS, LoadTest and Files (a virtual directory in LoadTest).
3. Check in the PCQCWSAppPool and LoadTestAppPool application pools that the identity is the LoadRunner Enterprise user.

System Identity Changer Utility

This utility enables you to update the LoadRunner Enterprise Communication Security passphrase, as well as the LoadRunner Enterprise system user and/or password on the LoadRunner Enterprise server, hosts, and Site Management console from one centralized location.

You can open the System Identity Changer Utility from C:\Program Files (x86)\OpenText\LoadRunner Enterprise\IdentityChangerBin.

Note:

When using the System Identity Changer Utility, always authenticate with internal authentication using the initial admin user and password provided during LoadRunner Enterprise configuration, no matter which authentication type is in use.
For a single tenant environment: Only a Site Admin user can log into the System Identity Changer Utility.
For a multi-tenant environment: Only a Site Management user can log into the System Identity Changer Utility. For details, see Multi-tenancy.

UI Elements	Description
Apply	Applies the selected changes on the LoadRunner Enterprise server and hosts, starting with the LoadRunner Enterprise server.
Reconfigure	If, when applying a change, there are errors on any of the LoadRunner Enterprise hosts, troubleshoot the problematic host machines, then click Reconfigure. The utility runs again on the LoadRunner Enterprise server and hosts.
LoadRunner Enterprise User	The LoadRunner Enterprise system user details. Change. Enables you to select which detail to change. None. Do not change the user's name or password. Password Only. Enables you to change only the LoadRunner Enterprise system user's password. Note: See Prerequisites above. User. Enables you to change the LoadRunner Enterprise system user name and password. Domain\Username. The domain and user name of the LoadRunner Enterprise system user. Password/Confirm Password. The password of the LoadRunner Enterprise system user. Delete Old User. If you are changing the user, this option enables you to delete the previous user from the machine. Note: You cannot delete a domain user.
User Group	The details of the user group to which the LoadRunner Enterprise system user belongs. Group type. The type of user group. Administrator Group. Creates a user in the Administrators group with full administrator policies and permissions. Other. Creates a local group under the Users group, granting policies and permissions as well as other LoadRunner Enterprise permissions. Note: To configure LoadRunner Enterprise with a configuration user and a restricted user, you must specify a Group type. If the group type is not the Administrator Group, you must set the group with full permission over the LoadRunner Enterprise repository prior to applying the change from the System Identity Changer Utility. To do this: On the LoadRunner Enterprise server(s), go to the LoadRunner Enterprise repository. Right-click the folder, and select Properties. Select the Security tab. Edit the "Group or user names" section. Add the group you intend to use in the System Identity Change Utility. Allow this group to have Full control and apply the change.
Configuration User	If you are creating a non-administrative LoadRunner Enterprise system user, that is, if you selected Other under User Group, you need to configure a configuration user (a system user with administrative permissions) that the non-administrative LoadRunner Enterprise system user can impersonate when it needs to perform administrative tasks. For details, refer to Change the system user. If you selected Delete Old User in the LoadRunner Enterprise User area, ensure that the configuration user you are configuring is not the same as the system user you are deleting. Alternatively, do not delete the old user. Domain\Username. The domain and user name of a system user that has administrator permissions on the LoadRunner Enterprise server and hosts. Password/Confirm Password. The password of a system user that has administrator permissions on the LoadRunner Enterprise server and hosts.
Communication Security Passphrase	The Communication Security passphrase that enables the LoadRunner Enterprise servers and hosts to communicate securely. Change. Enables you to change the passphrase. New passphrase. The new Communication Security passphrase. Note: This passphrase must be identical on all LoadRunner Enterprise components. For details, refer to the Update the Communication Security passphrase.
Machines grid	The machine configuration settings: Type. Indicates whether the machine type is a LoadRunner Enterprise server or a host. Name. The machine name. Configuration Status. Displays the configuration status on each of the LoadRunner Enterprise components. Configuration complete. The system user configuration was completed. Needs to be configured. The LoadRunner Enterprise server/host is pending configuration. Displayed only after the LoadRunner Enterprise server configuration is complete. Configuring..... The LoadRunner Enterprise server/host is being configured. Configuration failed. The LoadRunner Enterprise server/host configuration failed. The utility displays the reason for failure together with this status. Note: See Change the details of the LoadRunner Enterprise user above.

Configure a non-administrator system user

For stronger security, you can configure the LoadRunner Enterprise system to use a non-administrator user and a custom group (lockdown mode).

This system user has the same permissions granted to any user in the built-in ‘Users’ group with additional extended rights to Web services and the file system and registry as described below:

Granted all the permissions described in Required policies for the system user below.

Added to the built-in system groups Performance Log Users and IIS_IUSRS (on LoadRunner Enterprise server only).
The custom group is added to the built-in system groups Distributed COM Users and Users.

With the above-mentioned permissions, a system user cannot perform all of the administrative system tasks. Therefore, when configuring the system to use non-administrator user, you need to specify a configuration user (a user with administrative permissions that is defined on the LoadRunner Enterprise server and hosts).

This configuration user is used by LoadRunner Enterprise when administrative tasks are required by system. For example, tasks for changing a system user, resetting IIS, restarting services, accessing IIS metadata, configuring DCOM.

After completing such tasks, the system user reverts back to the previous user with the limited LoadRunner Enterprise user permissions.

Note: The configuration user is saved in the database, so that whenever an administrative-level system user is required to perform a task, the system automatically uses the configuration user, without prompting for the user's credentials.

Required policies for the system user

This section describes the required policies LoadRunner Enterprise grants automatically to a system user.

Note: This section applies to:

An administrative or non-administrative LoadRunner Enterprise user.
All LoadRunner Enterprise servers and hosts.

The LoadRunner Enterprise user must be granted all of the following policies:

Policy Name	Reason
Create global object (SeCreateGlobalPrivilege)	For Autolab running Vusers on the Controller.
Batch logon rights (SeBatchLogonRight)	The minimum policies required to run Web applications.
Service logon rights (SeServiceLogonRight)	The minimum policies required to run Web applications.
Access this computer from the network (SeNetworkLogonRight)	The minimum policies required to run Web applications.
Log on locally (SeInteractiveLogonRight)	Required by infra services. For example, after restart, the system logs in with the LoadRunner Enterprise system user.
Impersonate a client after authentication (SeImpersonatePrivilege)	Required for running LoadRunner Enterprise processes under the LoadRunner Enterprise system user.