Secure communication and the system user
This topic provides information on communication security and the product's system user.
Overview
When installing servers and hosts, a Communication Security passphrase is defined which enables secure communication between the components. You can update the Communication Security passphrase on the system components. For details, see Update the Communication Security passphrase.
The installation creates a default system user for use by the server and hosts, the Site Management console, and the Load Generator standalone machines. You can change the system user using the System Identity Changer Utility. For details, see Change the system user.
Update the Communication Security passphrase
This task describes how to update the Communication Security passphrase on the system components. The Communication Security passphrase must be identical on all of the components of the system.
- From the server installation's \bin directory, open the System Identity Changer Utility (<install_dir>\IdentityChangerBin).
- The System Identity Changer Utility opens. For user interface details, see System Identity Changer Utility.
- In the Communication Security Passphrase section, select Change, and enter the new Communication Security passphrase.
- Click Apply.
After the Communication Security passphrase has been successfully updated on the system's components, you must reset IIS and restart the OpenText Performance Engineering Backend Service and the OpenText Performance Engineering Alerts Service on the servers.
Note: You can run this utility from any one of the servers in the system.
Change the system user
During installation of the server and hosts, a default system user, IUSR_METRO (default password P3rfoRm@1nceCen1er), is created in the Administrators user group of the server/host machines.
The server is installed with the System Identity Changer Utility that enables you to manage the system user on the server and hosts from one centralized location. Use this utility to update the system user name and password.
When you change the system user, or a user's password, the System Identity Changer Utility updates all the system components.
Note:
- To prevent security breaches, you can replace the default system user by creating a different local system user, or by using a domain user.
- You can use a REST command to silently change the system user password in the System Identity Changer utility without having to use the user interface. For details, see Change the database administrator and user passwords.
To change the system user:
- When changing the system user, the server must be down: all users must be logged off the system and no tests can be running.
- When changing the user password:
  - Make sure that each host is listed in the Machines table under one alias only.
  - The system user's password should be based on ASCII characters only.
  - In the case of a domain user, when the domain IT team notifies you that the password is to be changed, you need to temporarily change the system user on the server and hosts to a different user. After the domain IT team has changed the password of the domain user and has notified you of this change, you need to change the system user back to the domain user on the server and hosts.
Note: This utility does not apply changes to UNIX machines, Standalone load generators, or machines that are located over the firewall.
- Launch the System Identity Changer Utility on the server.
  In the server installation's \bin directory, open the System Identity Changer Utility (<install_dir>\IdentityChangerBin).
  The System Identity Changer Utility opens. For user interface details, see System Identity Changer Utility.
- Change the details of the user.
  - Enter the relevant details to update and click Apply.
  - The Machines table displays the status of each machine during the configuration process.
  - The utility performs steps in the following order:
    - Hosts are reconfigured first. Any failures at this phase won't stop the process from continuing.
    - If you are using a cluster environment with multiple servers, all servers except for the one from which the utility is running are reconfigured. Any failures at this phase won't stop the process from continuing.
    - The server from which the utility is running is reconfigured. Failure at this level is critical, and prevents the process from continuing.
    - The configuration shared by all environments is updated. This step is dependent on the previous step succeeding.
  - The utility attempts to configure all the hosts, even if the configuration on one or more hosts is unsuccessful. In this case, after the utility has attempted to configure all the hosts, correct the errors on the failed hosts and click Reconfigure. The utility runs again on the whole system.
  For details on troubleshooting System Identity Changer Utility issues, see System Identity Changer and system user issues.
- Verify that the system user was changed on the server.
  - Open IIS Manager. Under Sites > Default Web Site, choose a virtual directory.
  - Under Authentication select Anonymous Authentication. Verify that the anonymous user defined was changed for the following virtual directories: PCS, LoadTest and Files (a virtual directory in LoadTest).
  - Check in the PCQCWSAppPool and LoadTestAppPool application pools that the identity is the OpenText Enterprise Performance Engineering user.
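The verification step above can also be read back from PowerShell instead of clicking through IIS Manager. This is an added example, not part of the product or its documentation; it assumes the WebAdministration module is available on the server, and the `$ExpectedUser` parameter and `Get-Leaf` helper are names chosen here for illustration.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session on the server.
param([Parameter(Mandatory)][string]$ExpectedUser)   # the system user you configured

Import-Module WebAdministration

$site  = 'Default Web Site'
$vdirs = 'PCS', 'LoadTest', 'LoadTest\Files'     # virtual directories named on this page
$pools = 'PCQCWSAppPool', 'LoadTestAppPool'      # application pools named on this page
$anon  = 'system.webServer/security/authentication/anonymousAuthentication'

# Compare account names without their machine or domain prefix, case-insensitively.
function Get-Leaf([string]$Name) { ($Name -split '\\')[-1] }

$found = @()
foreach ($vdir in $vdirs) {
    $prop = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$vdir" -Filter $anon -Name 'userName'
    # Depending on the module version the result is a string or an object with .Value.
    $user = if ($prop -is [string]) { $prop } else { $prop.Value }
    $found += [pscustomobject]@{ Kind = 'Anonymous user'; Target = "$site\$vdir"; Identity = $user }
}
foreach ($pool in $pools) {
    $model = Get-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel
    $found += [pscustomobject]@{ Kind = 'App pool identity'; Target = $pool; Identity = $model.userName }
}

# An empty Identity means no specific account is configured at that target.
$found | Select-Object Kind, Target, Identity,
    @{ Name = 'Matches'; Expression = { (Get-Leaf $_.Identity) -eq (Get-Leaf $ExpectedUser) } }
```

Any row where Matches is False still references the previous account and should be corrected before the old user is deleted.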
System Identity Changer Utility
This utility enables you to update the Communication Security passphrase, as well as the system user and/or password on the server, hosts, and Site Management console from one centralized location.
You can open the System Identity Changer Utility from <install_dir>\IdentityChangerBin.
Note:
- When using the System Identity Changer Utility, always authenticate with internal authentication using the initial admin user and password provided during configuration, no matter which authentication type is in use.
- For a single tenant environment: Only a Site Admin user can sign in to the System Identity Changer Utility.
- For a multi-tenant environment: Only a Site Management user can sign in to the System Identity Changer Utility. For details, see Multi-tenancy.
UI Elements | Description |
---|---|
Apply | Applies the selected changes on the server and hosts, starting with the server. |
Reconfigure | If, when applying a change, there are errors on any of the hosts, troubleshoot the problematic host machines, then click Reconfigure. The utility runs again on the server and hosts. |
OpenText Enterprise Performance Engineering User | The system user details. |
User Group | The details of the user group to which the system user belongs. Group type. The type of user group. Note: To configure with a configuration user and a restricted user, you must specify a Group type. If the group type is not the Administrator Group, you must set the group with full permission over the repository prior to applying the change from the System Identity Changer Utility. To do this: |
Configuration User | If you are creating a non-administrative system user, that is, if you selected Other under User Group, you need to configure a configuration user (a system user with administrative permissions) that the non-administrative system user can impersonate when it needs to perform administrative tasks. For details, refer to Change the system user. If you selected Delete Old User in the OpenText Enterprise Performance Engineering User area, ensure that the configuration user you are configuring is not the same as the system user you are deleting. Alternatively, do not delete the old user. |
Communication Security Passphrase | The Communication Security passphrase that enables the servers and hosts to communicate securely. |
Machines grid | The machine configuration settings: |
Configure a non-administrator system user
For stronger security, you can configure the system to use a non-administrator user and a custom group (lockdown mode).
This system user has the same permissions granted to any user in the built-in ‘Users’ group with additional extended rights to Web services and the file system and registry as described below:
- Granted all the permissions described in Required policies for the system user.
- Added to the built-in system groups Performance Log Users and IIS_IUSRS (on the server only).
- The custom group is added to the built-in system groups Distributed COM Users and Users.
With the above-mentioned permissions, a system user cannot perform all of the administrative system tasks. Therefore, when configuring the system to use a non-administrator user, you need to specify a configuration user (a user with administrative permissions that is defined on the server and hosts).
This configuration user is used when administrative tasks are required by the system, for example, changing a system user, resetting IIS, restarting services, accessing IIS metadata, and configuring DCOM.
After completing such tasks, the system user reverts back to the previous user with the limited user permissions.
Note: The configuration user is saved in the database, so that whenever an administrative-level system user is required to perform a task, the system automatically uses the configuration user, without prompting for the user's credentials.
Required policies for the system user
This section describes the required policies that are granted automatically to a system user.
Note: This section applies to:
- An administrative or non-administrative user.
- All OpenText Enterprise Performance Engineering servers and hosts.
The user must be granted all of the following policies.
Policy Name | Reason |
---|---|
Create global object (SeCreateGlobalPrivilege) | For Autolab running Vusers on the Controller. |
Batch logon rights (SeBatchLogonRight) | The minimum policies required to run Web applications. |
Service logon rights (SeServiceLogonRight) | The minimum policies required to run Web applications. |
Access this computer from the network (SeNetworkLogonRight) | The minimum policies required to run Web applications. |
Log on locally (SeInteractiveLogonRight) | Required by infra services. For example, after restart, the system logs in with the system user. |
Impersonate a client after authentication (SeImpersonatePrivilege) | Required for running processes under the system user. |
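To audit a server or host against the policy table above, and against the earlier notes on the default system user and lockdown mode, the following added example reports which required rights the account holds and whether it is still in the Administrators group. It is not part of the product or its documentation, and it assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets and `secedit`; the `$SystemUser` parameter name and the temporary file name are chosen here for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Run locally on a server or host.
param([string]$SystemUser = 'IUSR_METRO')   # default system user name given on this page

# The six policies from "Required policies for the system user".
$required = 'SeCreateGlobalPrivilege', 'SeBatchLogonRight', 'SeServiceLogonRight',
            'SeNetworkLogonRight', 'SeInteractiveLogonRight', 'SeImpersonatePrivilege'

# Resolve the account (local or DOMAIN\user) to its SID; throws if it does not exist.
$sid = ([System.Security.Principal.NTAccount]$SystemUser).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# A right can be held directly or through a local group the account is a direct member of.
$holders = @($sid)
foreach ($group in Get-LocalGroup) {
    $members = Get-LocalGroupMember -SID $group.SID -ErrorAction SilentlyContinue
    if ($members.SID.Value -contains $sid) { $holders += $group.SID.Value }
}

# Export the local user-rights assignment and index it as right -> list of SIDs.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.+)$') {
        # Entries look like "*S-1-5-32-544"; entries exported as plain names are not matched.
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $cfg

# One row per required policy, showing which SID grants it (Present = False means missing).
foreach ($right in $required) {
    $via = @($rights[$right] | Where-Object { $holders -contains $_ })
    [pscustomobject]@{ Item = $right; Present = ($via.Count -gt 0); Via = $via -join ',' }
}

# S-1-5-32-544 is the built-in Administrators group; a lockdown-mode system user should not be in it.
[pscustomobject]@{ Item = 'Member of Administrators'; Present = ($holders -contains 'S-1-5-32-544'); Via = '' }
```

If the default account name no longer resolves, the script stops at the SID lookup, which is the expected outcome once the default system user has been replaced and deleted.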