Configure servers and hosts to work with TLS/SSL

The following section describes how to enable TLS to ensure secure communication.

Tip: For additional information and examples on how to configure secure communication on components, see our blog series.

TLS/SSL configuration workflow

This section describes the workflow for configuring the OpenText Enterprise Performance Engineering server and hosts to work over TLS. You can configure both the server and hosts, or the server only.

Machine: OpenText Enterprise Performance Engineering Server

Procedure:

  1. Configure IIS

    For details, see Configure IIS to work with TLS/SSL.

  2. Add the root certificate to the machine truststore

    For details, see Distribute certificates.

  3. Configure the server to work with TLS/SSL

    1. Replace the certificates* on the OpenText Enterprise Performance Engineering server. For details, see Configure components to work with TLS/SSL.

    2. Update and replace the relevant configuration files (update pcs.config internalUrl with https URL and replace web.config). For details, see Configure servers to work with TLS/SSL.

    3. Restart the OpenText Performance Engineering Backend Service and IIS.

    4. Update the internal and external URLs with the "https" URL.

Machine: OpenText Enterprise Performance Engineering Hosts

Procedure:

  1. Add certificates to the machine truststore

    For details, see Distribute certificates.

  2. Configure hosts and load generators to work with TLS/SSL

    1. Replace the certificates* on OpenText Enterprise Performance Engineering hosts and load generators. For details, see Configure load generators to work with TLS/SSL.

    2. Configure secure communication on host machine. For details, see Configure hosts to work with TLS/SSL.

 

*The certificate files within the <installdir>\dat\cert folder must have exactly the names cert.cer and verify\cacert.cer, regardless of whether they are the default certificates provided with the installation or your company's own certificates. The certificate names must be the same on all components: servers, hosts, and load generators.

Configure IIS to work with TLS/SSL

This section describes the basic steps involved in setting up IIS (Microsoft Internet Information Server) on the OpenText Enterprise Performance Engineering server machine to use TLS/SSL.

IIS is a prerequisite software for OpenText Enterprise Performance Engineering servers. You can configure the IIS OpenText Enterprise Performance Engineering virtual directories (server and host) to use TLS/SSL.

For hosts, the root certificate of the CA should appear in the Microsoft Management Console under Certificates (Local Computer) > Trusted Root Certification Authorities. For details, see Distribute certificates.

To configure IIS to use TLS/SSL on the server machine, you need to perform the following:

  1. Perform the following actions before you configure IIS.

    Support latest TLS versions

    Configure your servers to support the latest TLS versions to ensure you are using only the strongest cryptographic protocols. Deactivate old SSL and TLS versions (SSLv2, SSLv3, TLS 1.0, and TLS 1.1) on IIS and on your operating system.

    Disable ciphers on TLS 1.2

    If you are using TLS 1.2, we recommend deactivating the 3DES and RC4 ciphers on Windows servers by removing them from the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 registry key. To list the cipher suites enabled on a machine, run the Get-TlsCipherSuite cmdlet in PowerShell.

    Make port 443 available for IIS

    Make sure port 443 on the server is available for use by IIS. IIS uses port 443 to work with TLS/SSL. If other components are also configured to use this port, configure them to use a different port.

    Prevent host header injection

    Prevent host header injection, which can be used in a Server-Side Request Forgery (SSRF) attack.

    We recommend configuring HTTPS communication and explicit IIS host-name bindings for all relevant protocols. These configurations are not provided by OpenText by default.

    Note: If you do not implement secure configuration and proper hardening of IIS, you may expose the system to increased security risks.

  2. Obtain a server certificate issued to the fully qualified domain name of your OpenText Enterprise Performance Engineering server.

  3. Configure IIS to work with TLS/SSL.

    Update IIS with the https binding (the same port as you used in step 1 above) and remove the http binding.

    1. Open IIS Manager, and select Server Home > Server Certificates > Import.

    2. Import the server certificate (in PFX format) that you obtained above.

    3. In the Actions pane, click Bindings, and then click Add in the Site Bindings window.

    4. In the Edit Site Binding dialog box, configure the following:

      • Type: https

      • IP address: All Unassigned

      • Port: 443

      • SSL Certificate: *.<your domain name>

    Refer to the product documentation for more details.
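The pre-checks above (legacy protocol versions off, 3DES/RC4 suites removed, port 443 owned by IIS with no remaining http binding) can be verified from an elevated PowerShell prompt. The script below is an added example and is not part of the OpenText documentation; it assumes the WebAdministration module is present and that the site is named Default Web Site (an assumption; substitute your site name).

```powershell
# Added example (not from the OpenText documentation): audit SCHANNEL protocol
# settings, enabled cipher suites, and the IIS bindings on the server machine.
# Assumes Windows Server with IIS and the WebAdministration module; run elevated.
$siteName = 'Default Web Site'   # assumption: name of the IIS site hosting the PCS virtual directories

# 1. Legacy protocol versions must be disabled server-side.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $schannel "$proto\Server"
    if (Test-Path $key) {
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $status = if ($enabled -eq 0) { 'disabled' } else { 'ENABLED - disable it' }
    } else {
        $status = 'no explicit key (OS default applies; create the key with Enabled=0 to disable)'
    }
    '{0,-8} server-side: {1}' -f $proto, $status
}

# 2. Cipher suites: flag the 3DES and RC4 suites the documentation says to remove.
$weak = Get-TlsCipherSuite | Where-Object { $_.Name -match '3DES|RC4' }
if ($weak) {
    'Weak cipher suites still enabled (remove with Disable-TlsCipherSuite -Name <suite>):'
    $weak | ForEach-Object { '  ' + $_.Name }
} else {
    'No 3DES/RC4 cipher suites enabled.'
}

# 3. IIS bindings: https on 443 must exist, and the http binding must be gone.
Import-Module WebAdministration
$https = Get-WebBinding -Name $siteName -Protocol https -Port 443
if ($https) { 'HTTPS binding present: ' + $https.bindingInformation } else { 'No HTTPS binding on 443 for ' + $siteName }
$http = Get-WebBinding -Name $siteName -Protocol http
if ($http) { 'HTTP binding still present: ' + $http.bindingInformation + ' (remove it)' }

# 4. Anything else listening on 443 would conflict with IIS (HTTP.sys shows as PID 4, "System").
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { 'Listener on 443: PID ' + $_.OwningProcess + ' ' + (Get-Process -Id $_.OwningProcess).ProcessName }
```

The protocol keys are reported as "no explicit key" when Windows is using its built-in default; on older server versions that default still allows TLS 1.0 and 1.1, so the key should be created and set to Enabled=0 explicitly rather than relying on the default.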

Distribute certificates

Add the root certificate to the machine truststore on the server, hosts, and OneLG standalone load generators.

  1. Import the domain certificate (in .pfx format) into the personal certificate store of the host.

  2. Add the CA certificate to the machine's truststore.

    If you are using a secure connection for the internal URL of the OpenText Enterprise Performance Engineering server, you need to establish trust in the Certificate Authority (CA) that issued your server certificate.

    1. Open MMC (Microsoft Management Console) by running the following command:

      mmc.exe

    2. In the console, select Run > Add/Remove Snap-in.

    3. From the list of available snap-ins, select Certificates and click Add.

    4. In the Certificates snap-in dialog box, select Computer account, and then click Next.

    5. In the Console Root tree, expand Trusted Root Certification Authorities. Right-click Certificates and select All Tasks > Import.

    6. In the Certificate Import Wizard, click Next.

    7. Click Browse, and go to the unzipped certs folder. Select PCSecureEnvTestingCA certificate, and click Open.

    8. Click Next in the certificate stores page of the wizard, and then click Finish. Wait for the import success message.

  3. Repeat on all OpenText Enterprise Performance Engineering machines.

  4. (For hosts used as Controllers only) Import the domain certificate in .pfx format to the personal truststore of the host.
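The same distribution steps can be scripted for repetition across all machines: import the CA certificate into the Local Computer Trusted Root Certification Authorities store, import the domain .pfx into the Local Computer personal store where required, and then confirm that the chain builds from the machine stores alone. This is an added example, not part of the OpenText documentation; the file paths are assumptions, and the PFX password is prompted for rather than embedded.

```powershell
# Added example (not from the OpenText documentation): distribute certificates
# into the Local Computer stores and verify the resulting chain. Run elevated.
$rootCerPath = 'C:\certs\PCSecureEnvTestingCA.cer'   # assumption: path to the unzipped CA certificate
$pfxPath     = 'C:\certs\lre-server.pfx'              # assumption: path to the domain certificate

# 1. Trust the issuing CA on this machine (Certificates (Local Computer) > Trusted Root Certification Authorities).
$root = Import-Certificate -FilePath $rootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
"Imported root CA: $($root.Subject) thumbprint $($root.Thumbprint)"

# 2. Servers, and hosts used as Controllers: import the domain certificate with its private key
#    into the personal store. The key is kept non-exportable so it cannot be copied off the box.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$leaf = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword -Exportable:$false
"Imported server certificate: $($leaf.Subject), has private key: $($leaf.HasPrivateKey)"

# 3. Confirm the chain builds to a trusted root. Revocation is skipped here because an
#    offline import should not fail on an unreachable CRL; IIS/HTTP.sys checks it at run time.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($leaf)) {
    'Chain OK:'
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    'Chain failed:'
    $chain.ChainStatus | ForEach-Object { '  ' + $_.Status + ': ' + $_.StatusInformation }
}
```

On hosts that are not used as Controllers only step 1 applies; step 2 is the manual "personal truststore" import described above. If the chain check fails with a PartialChain status, the intermediate CA certificate is missing and should be imported into Cert:\LocalMachine\CA in the same way.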

Configure servers to work with TLS/SSL

This section explains how to configure secure communication on an OpenText Enterprise Performance Engineering server for incoming requests from the OpenText Enterprise Performance Engineering server and hosts.

To configure the server to use TLS/SSL:

  1. Update the web.config file located in the <Server_installdir>\PCS directory.

    1. Create a backup copy of the web.config file and save it in a different folder.

    2. To update the web.config file, you can replace it with the predefined web.config-for_ssl file. See step 1d below.

      If you have manual changes you want to preserve in the web.config file, you can manually modify the file. See step 1c below.

    3. Edit the web.config file. Under the <system.servicemodel><services> tag, there are eight areas where the following comment appears: Uncomment to enable SSL. Uncomment the XML lines that follow the comment, and comment out the non-TLS/SSL settings, as shown in the example below.

      <!--<endpoint binding="basicHttpBinding" contract="HP.PC.PCS.ILabService"><identity>
      <dns value="localhost"/></identity></endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/> -->
      <!-- Uncomment to enable TLS/SSL -->
      <endpoint binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_TransportSecurity" contract="HP.PC.PCS.ILabService"><identity>
      <dns value="localhost"/></identity></endpoint>

      Under the <system.servicemodel><behaviors> tag, there are seven areas where you need to change the httpGetEnabled parameter to false, and the httpsGetEnabled parameter to true.

      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
    4. To replace web.config with the predefined web.config-for_ssl file, copy web.config-for_ssl from the <Server_installdir>\conf\httpsConfigFiles directory and place it under the <Server_installdir>\PCS directory.

      Rename web.config-for_ssl to web.config.

  2. Open the PCS.config file, located in the <Server_installdir>\dat path, and update the internalUrl attribute with an https URL so that it connects to the OpenText Performance Engineering Backend Service through a secure port:

    internalUrl="https://<lre-dns-name>:443"
  3. Update the OpenText Enterprise Performance Engineering server to ensure that communication with the host is secure (only required when you plan to configure hosts to work with TLS/SSL).

    If the OpenText Enterprise Performance Engineering host is secured, edit the PCS.config file located in the <Server_installdir>\dat path, and change the value of the ltopIsSecured attribute to true.

    Example:

    <PCSSettings ltopPortNumber="8731" ltopIsSecured="true" StartRunMaxRetry="3" DataProcessorPendingTimeoutMinutes="2880"/>
  4. Restart the OpenText Performance Engineering Backend Service.

  5. Restart IIS.

  6. In Administration, update the OpenText Enterprise Performance Engineering server internal and external URLs with the https URL.
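Steps 1c, 2 and 3 above are mechanical edits to two XML files, and doing them by script removes the risk of missing one of the seven serviceMetadata elements or leaving a plain http internal URL behind. The script below is an added example and not OpenText's own tooling; the installation directory and the server's DNS name are assumptions. It flips the metadata behaviors and the PCS.config attributes, but the endpoint uncommenting under <services> is left to the manual step, since it involves commenting blocks rather than setting attributes.

```powershell
# Added example (not from the OpenText documentation): back up web.config and
# PCS.config, switch metadata endpoints to https, and set internalUrl/ltopIsSecured.
$installDir = 'C:\Program Files\OpenText\LRE'   # assumption: <Server_installdir>
$lreDnsName = 'lre-server.example.com'          # assumption: FQDN present on the server certificate
$secureHosts = $true                             # assumption: hosts will also be configured for TLS/SSL
$webConfig  = Join-Path $installDir 'PCS\web.config'
$pcsConfig  = Join-Path $installDir 'dat\PCS.config'
$backupDir  = Join-Path $env:TEMP ('lre-tls-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Step 1a: keep a copy of both files in a different folder before touching them.
New-Item -ItemType Directory -Path $backupDir | Out-Null
Copy-Item -Path $webConfig, $pcsConfig -Destination $backupDir
"Backups written to $backupDir"

# Step 1c (behaviors part): every <serviceMetadata> gets httpGetEnabled=false, httpsGetEnabled=true.
[xml]$web = Get-Content -Path $webConfig -Raw
$metaNodes = $web.SelectNodes('//serviceMetadata')
foreach ($n in $metaNodes) {
    $n.SetAttribute('httpGetEnabled', 'false')
    $n.SetAttribute('httpsGetEnabled', 'true')
}
$web.Save($webConfig)
"Updated $($metaNodes.Count) serviceMetadata elements (the documentation expects seven)."

# Step 2: internalUrl must be https and must use the name on the certificate, not localhost,
# otherwise the backend service's certificate validation fails on the host-name check.
[xml]$pcs = Get-Content -Path $pcsConfig -Raw
$urlNode = $pcs.SelectSingleNode('//*[@internalUrl]')
if ($null -eq $urlNode) { throw "No element with an internalUrl attribute found in $pcsConfig" }
$urlNode.SetAttribute('internalUrl', "https://${lreDnsName}:443")

# Step 3: only when the hosts will be secured too, mark the host channel as secured.
if ($secureHosts) {
    $settings = $pcs.SelectSingleNode('//PCSSettings')
    if ($null -eq $settings) { throw "No PCSSettings element found in $pcsConfig" }
    $settings.SetAttribute('ltopIsSecured', 'true')
}
$pcs.Save($pcsConfig)

# Sanity check: no plain http:// URL should remain in PCS.config after the edit.
$leftover = Select-String -Path $pcsConfig -Pattern 'http://' -SimpleMatch
if ($leftover) { 'Warning: plain http URLs remain in PCS.config:'; $leftover | ForEach-Object { '  ' + $_.Line.Trim() } }
```

XmlDocument.Save rewrites indentation but preserves the comments, so the "Uncomment to enable SSL" markers are still in place for the manual endpoint edit. Restart the Backend Service and IIS afterwards, as in steps 4 and 5.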

Configure hosts to work with TLS/SSL

This section explains how to configure secure communication on a host for incoming requests from OpenText Enterprise Performance Engineering servers.

To configure the hosts:

  1. The default port used by a host service is 8731. Refer to the Microsoft documentation for details on configuring a port with an SSL certificate.

    Note: Server certificates for all host machines must be installed and trusted on all servers that are part of the environment. This requires:

    • Binding port 8731 on each host to its respective certificate.

    • Making sure that the server certificate within the <Server_installdir>\dat\cert folder contains the private key and the intermediate CA certificates (in the order that they appear in the chain) on all systems.

    Below are examples of the steps described in the Microsoft documentation.

    1. Check that the port is not configured. For example:

      C:\Users\Demo>netsh http show sslcert ipport=0.0.0.0:8731
      SSL Certificate bindings:
      -------------------------
      The system cannot find the file specified.
    2. Run the netsh command:

      You can use the command below, where certhash is the certificate thumbprint and appid is a GUID that identifies the owning application. Any valid GUID can be used; many tools can generate one. For example:

      C:\Users\Demo>netsh http add sslcert ipport=0.0.0.0:8731 certhash=1b337c1f17e0f94b09f803ff0c2c7b7621baf2bb appid={114F6E0C-EB01-4EE9-9CEF-3D1A500FD63F}
      SSL Certificate successfully added
    3. Check that the port is now configured. For example:

      C:\Users\Demo>netsh http show sslcert ipport=0.0.0.0:8731
      SSL Certificate bindings:
      -------------------------
      IP:port                      : 0.0.0.0:8731
      Certificate Hash             : 1b337c1f17e0f94b09f803ff0c2c7b7621baf2bb
      Application ID               : {114f6e0c-eb01-4ee9-9cef-3d1a500fd63f}
      Certificate Store Name       : (null)
      Verify Client Certificate Revocation : Enabled
      Verify Revocation Using Cached Client Certificate Only : Disabled
      Usage Check                  : Enabled
      Revocation Freshness Time    : 0
      URL Retrieval Timeout        : 0
      Ctl Identifier               : (null)
      Ctl Store Name               : (null)
      DS Mapper Usage              : Disabled
      Negotiate Client Certificate : Disabled
  2. Perform the following steps to update the LTOPSvc.exe.config file:

    1. Create a backup copy of the LTOPSvc.exe.config file, and save it in a different folder. The file is located under the <installdir>\bin\LTOPbin directory.

    2. To update the LTOPSvc.exe.config file, you can replace it with the predefined LTOPSvc.exe.config-for_ssl file. See step 2d below.

      If you have manual changes you want to preserve in the LTOPSvc.exe.config file, you can manually modify the file. See step 2c below.

    3. Under the <system.servicemodel><bindings><basicHttpBinding> tag, there are two areas where the following comment appears: Uncomment to enable SSL. Uncomment the XML lines which appear thereafter.

      Example:

      <binding name="BasicHttpBinding_ILoadTestingService" closeTimeout="00:10:00"
                   openTimeout="00:01:00" receiveTimeout="00:20:00" sendTimeout="00:10:00"
                   allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                   maxBufferSize="2147483647" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
                   messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                  useDefaultWebProxy="true">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647"
                maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
          <!-- Uncomment to enable TLS/SSL -->
          <security mode="Transport">
             <transport clientCredentialType="None"/>
          </security>
      </binding>

      Under the <system.servicemodel><services> tag, switch between the non-secured and secured endpoints and base addresses.

      Example:

      <service name="HP.PC.LTOP.Services.LoadTestingService" behaviorConfiguration="CommonBasicHTTPBehavior">
              <endpoint contract="HP.PC.LTOP.Services.ILoadTestingService" address="LoadTestingService" name="basicHttp" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ILoadTestingService"/>       
              <!-- Use the first endpoint for regular communication and the second endpoint for TLS/SSL -->
              <!-- <endpoint contract="IMetadataExchange" binding="mexHttpBinding" name="mex" />-->
              <endpoint contract="IMetadataExchange" binding="mexHttpsBinding" name="mex" />
              <host>
                <baseAddresses>
                  <!-- Use the first address for regular communication and the second address for TLS/SSL -->
                  <!--<add baseAddress="http://localhost:8731/LTOP/LoadTestingService"/>-->
                  <add baseAddress="https://localhost:8731/LTOP/LoadTestingService"/>
                </baseAddresses>
              </host>
            </service>

      Under the <system.servicemodel><behaviors><serviceBehaviors><behavior name="CommonBasicHTTPBehavior"> tag, change the httpGetEnabled parameter to false, and the httpsGetEnabled parameter to true.

      Example:

      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />

    4. To replace LTOPSvc.exe.config with the predefined LTOPSvc.exe.config-for_ssl file, copy LTOPSvc.exe.config-for_ssl from the <installdir>\conf\httpsconfigfiles directory and place it under the <installdir>\bin\LTOPbin directory.

      Rename LTOPSvc.exe.config-for_ssl to LTOPSvc.exe.config.

  3. Restart the OpenText Performance Engineering Load Testing Service.

    Note: If the Load Testing Service does not start after configuring the host to listen on HTTPS, see Software Self-solve knowledge base article KM03101264.

  4. Run the following command:

    <installdir>\bin\lr_agent_settings.exe -check_client_cert 1 -restart_agent
  5. After you finish configuring the host to support TLS/SSL, reconfigure any hosts that are part of the environment.
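The netsh steps in step 1 above are the part most often done wrong on a fleet of hosts: the thumbprint is typed by hand, or a certificate without a private key is bound. The script below is an added example, not OpenText's own tooling; it selects the certificate for port 8731 by the host's own FQDN from the Local Computer personal store, generates a fresh GUID (the documentation allows any valid GUID), binds it with netsh, and then verifies that the hash HTTP.sys reports is the one that was selected. Run it elevated on each host.

```powershell
# Added example (not from the OpenText documentation): bind the host's server
# certificate to port 8731 in HTTP.sys and verify the binding.
$port     = 8731                                   # default host service port from the documentation
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ipPort   = "0.0.0.0:$port"

# Pick a certificate that names this host, has a private key, and has not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -match [regex]::Escape($hostFqdn) -or
         ($_.DnsNameList | Where-Object { $_.Unicode -eq $hostFqdn }))
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -eq $cert) { throw "No valid certificate with a private key for $hostFqdn in Cert:\LocalMachine\My" }
"Using $($cert.Subject) thumbprint $($cert.Thumbprint)"

# Step 1.1: the port must not already be bound ("IP:port" appears in the output when it is).
$existing = netsh http show sslcert "ipport=$ipPort"
if ($existing -match 'IP:port') {
    "Port $port already has a binding; remove it first with: netsh http delete sslcert ipport=$ipPort"
    $existing
    return
}

# Step 1.2: bind the certificate. appid identifies the owning application; any valid GUID works.
$appId = '{' + [guid]::NewGuid().ToString() + '}'
netsh http add sslcert "ipport=$ipPort" "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# Step 1.3: verify that HTTP.sys now reports the thumbprint we selected.
$shown = netsh http show sslcert "ipport=$ipPort"
$match = [regex]::Match(($shown -join "`n"), 'Certificate Hash\s*:\s*([0-9a-fA-F]+)')
if ($match.Success -and $match.Groups[1].Value -ieq $cert.Thumbprint) {
    "Binding verified on $ipPort"
} else {
    $shown
    throw 'Binding hash mismatch'
}
```

After the binding is in place, the LTOPSvc.exe.config changes in step 2 and the service restart in step 3 still apply; the binding only makes HTTP.sys present the certificate on the port, it does not switch the service's base address to https.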