Configure load generators to work with TLS/SSL

This section describes how to configure TLS (SSL) communication to the load generators. It describes how to create and install a Certification Authority and a Client Certificate for working with TLS to secure communication to your load generators. It also describes how to enable TLS from Administration.

Create and copy digital certificates

  1. Create a Certification Authority (CA)

    Note: This step describes how to create a CA using the gen_ca_cert.exe utility. If you are working on a Linux platform, use the gen_ca_cert utility instead.

    On one of your hosts, run the gen_ca_cert command from the <Host_installdir>\bin folder with at least one of the following options:

    • -country_name

    • -organization_name

    • -common_name

    This process creates two files in the folder from which the utility was run: the CA Certificate (cacert.cer), and the CA Private Key (capvk.cer).

      Note: By default, the CA is valid for three years from when it is generated. To change the validity dates, use the -nb_time (beginning of validity) and/or -na_time (end of validity) options.

      The following example creates two files: ca_igloo_cert.cer and ca_igloo_pk.cer in the current folder:

    gen_ca_cert -country_name "North Pole" -organization_name "Igloo Makers" -common_name "ICL" -CA_cert_file_name "ca_igloo_cert.cer" -CA_pk_file_name "ca_igloo_pk.cer" -nb_time 10/10/2013 -na_time 11/11/2013
  2. Install Certification Authority (CA)

    You need to install the CA on the hosts on which you want to enable TLS communication, including Controllers, servers, Load Generators, and MI Listeners.

    Run the gen_ca_cert utility from the <Host_installdir>\bin folder with one of the following parameters:

    • -install <name/path of the CA certificate file>. Replaces any previous CA list and creates a new one that includes this CA only.
    • -install_add <name/path of the CA certificate file>. Adds the new CA to the existing CA list.

    Note:  

    • The -install and -install_add options install the certificate file only. Keep the private key file in a safe place and use it only for issuing certificates.

    • If your load generator is over a firewall, install the CA on the MI Listener machine.

  3. Create a Client Certificate

    Note: This step describes how to create a client certificate using the gen_cert.exe utility. If you are working on a Linux platform, use the gen_cert utility instead.

    On one of your hosts, run the gen_cert command from the <Host_installdir>\bin folder with at least one of the following options:

      • -country_name

      • -organization_name

      • -organization_unit_name

      • -eMail

      • -common_name

    It is important to note the following:

    • The CA Certificate and the CA Private Key files are necessary for the creation of the certificate. By default, it is assumed that they are in the current folder, and are named cacert.cer and capvk.cer respectively. In any other case, use the -CA_cert_file_name and -CA_pk_file_name options to give the correct locations.

    • The certificate file is created in the folder from which the utility was run. By default, the file name is cert.cer.

  4. Install a Client Certificate

    You need to install the client certificate on the hosts on which you want to enable TLS, including hosts used as Controllers, servers, Load Generators, and MI Listeners.

    Run the gen_cert utility from the <Host_installdir>\bin folder with the following parameter:

    -install <name/path of the client certificate file>

    Note:  

    • Steps 3 and 4 describe how to install the same client certificate. Alternatively, you can create a new client certificate on each machine.

    • Make sure the certificate files within the <installdir>\dat\cert folder have the exact names cert.cer and verify\cacert.cer, whether they are the default ones provided as part of the installation or your company certificates.

  5. Restart the agent configuration

    On the load generator machines, open LoadRunner Agent Configuration and click OK to restart the agent configuration. On the MI Listener machines, open Agent Configuration and click OK to restart the agent configuration.
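
A post-install check for the procedure above, as an added example (not part of the product or its documentation): it confirms the exact file names required under dat\cert and flags a CA private key left anywhere under the install directory. The name audit_host and its parameters are hypothetical, and the check looks at file names only, not certificate contents.

```python
import os
import sys

# Names from the page: <installdir>\dat\cert\cert.cer and verify\cacert.cer.
REQUIRED = ("cert.cer", os.path.join("verify", "cacert.cer"))


def _exact_file(path):
    """True only if the last path component exists with this exact spelling."""
    parent, name = os.path.split(path)
    return (os.path.isdir(parent) and name in os.listdir(parent)
            and os.path.isfile(path))


def audit_host(install_dir, ca_key_names=("capvk.cer",)):
    """Return a sorted list of findings for one host's install directory.

    ca_key_names: file names the CA private key was created under
    (capvk.cer by default, or the value given to -CA_pk_file_name).
    """
    findings = []
    cert_dir = os.path.join(install_dir, "dat", "cert")
    for rel in REQUIRED:
        if not _exact_file(os.path.join(cert_dir, rel)):
            findings.append("missing or misnamed: "
                            + os.path.join("dat", "cert", rel))
    # The CA private key is needed only to issue certificates. gen_ca_cert
    # writes it to the folder it was run from, so look for leftovers.
    wanted = {n.lower() for n in ca_key_names}
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            if name.lower() in wanted:
                rel = os.path.relpath(os.path.join(root, name), install_dir)
                findings.append("CA private key left on host: " + rel)
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_host.py <installdir> [CA key file name ...]
    if len(sys.argv) < 2:
        sys.exit("usage: audit_host.py <installdir> [ca_key_name ...]")
    keys = tuple(sys.argv[2:]) or ("capvk.cer",)
    results = audit_host(sys.argv[1], keys)
    print("\n".join(results) if results else "OK")
    sys.exit(1 if results else 0)
```

Run it on each Controller, server, Load Generator, and MI Listener after step 5; a non-zero exit code means at least one finding.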

Enable TLS communication for load generators

  1. Sign in to Administration. For details, see Sign in to Administration.

  2. On the Administration sidebar, under Maintenance select Hosts.
  3. Under the Host Name column, click the name of an existing host or load generator over a firewall host.

    Alternatively, click the Add Host button to create a new host.

  4. In the Host Details or New Host page, select Enable SSL.