SSL and certificates

Digital Lab enables you to work in secure environments using SSL and to apply certificates when necessary. This section describes how to work with SSL connections. For details about installing certificates on your device for the purpose of accessing secure sites, see Testing sites that require certificates.

Supported SSL protocols

The Digital Lab server and connector support the latest SSL standards for all communication between server and connectors, supported testing tools (UFT One, UFT Developer, LoadRunner, and Appium) and browsers:

  • TLS v1.2,
  • TLS v1.1,
  • TLS v1.0.

Back to top

Connecting to Digital Lab over SSL

When you install the UFT Digital Lab server, you can select a non-secure (HTTP) or a secure (SSL) connection. When you select the SSL option during server installation, a self-signed SSL certificate is automatically generated on the local Digital Lab machine. Alternatively, you can import a certificate from a certified authority (CA). For details, see Using SSL certificates issued by a Certification Authority.
ValueEdge Digital Lab/ UFT Digital Lab Managed SaaS: The connection to the Digital Lab server is secure, and the server is installed with a CA certificate.

For web browsers to trust the certificate presented by the server, the SSL certificate must be issued by a recognized Certificate Authority (CA). Self-signed certificates encrypt the data but do not provide a trusted identity of the server owner. When using the default self-signed certificate, browsers display a warning or error when you first try to access the Digital Lab server over SSL. The warning informs you that the SSL certificate was self-signed by the server and not by a CA. To access the server, you need to trust the self-signed SSL certificate.

If the server was installed with the SSL option, all connectors and testing tool machines must connect to the server over a secure connection. When installing a connector with the SSL enabled option selected, a self-signed certificate is automatically generated on the connector machine. When you first access the connector from a browser, by opening the device remote view, a warning is displayed. Navigate to the connector URL, and trust the self-signed SSL certificate. Alternatively, you can import a certificate from a certified authority (CA). For details, see Using SSL certificates issued by a Certification Authority. For more details on connector installation, see Install the connector on a Windows machine or Install the connector on a Linux machine.

You can also reconfigure the connection to the server from non-secure to secure (or vice versa), or change the server address or port. For details, see Reconfigure the Digital Lab server.

Note: If you change the certificate on the server, you may need to re-establish trust between connectors and the Digital Lab server. For details, see Using SSL certificates issued by a Certification Authority.

Back to top

Using SSL certificates issued by a Certification Authority

It is a best practice in a security conscious environment to replace the self-signed certificates on the server and connectors, with certificates issued by a trusted Certification Authority (CA).

ValueEdge Digital Lab/ UFT Digital Lab Managed SaaS: The connection to the Digital Lab server is secure and the server is installed with a CA certificate. The UFT Digital Lab connectors are installed with self-signed certificates. Follow the procedure detailed in this section to replace the self-signed certificates on connectors.

After you obtain your certificate file from a Certification Authority, ensure that it contains a complete chain of trust. A chain of trust is a list of certificates that enable the receiver to verify that the sender and all intermediate certificates are trustworthy. To detect and solve problems with your SSL certificate installation, perform an Internet search for "SSL checker" and use one of the online tools to diagnose your problems.

Tip: Digital Lab is a multi-hosted deployment. We suggest generating the SSL certificate for both the server and connectors with a wildcard, and not for specific host. For example, *.LAB01.TEST.ACME.COM, and not MACHINEA.LAB01.TEST.ACME.COM. Without a wildcard, each certificate generated for a specific FQDN needs to be trusted on all browsers and by all OpenText testing tools accessing Digital Lab.

To import an SSL certificate: 

If your SSL certificate is divided into separate key and certificate files, combine them into one PFX file.

The following example demonstrates how to combine your certificate and key. Run the commands below on the same machine on which the certificate is saved:

  1. Ensure that OpenSSL is installed on the machine using the following commands:

    Linux: 
    In the terminal window enter the following to view the OpenSSL details for the machine:
    rpm -qa | grep -i openssl (rpm)
    dpkg -l | grep -i openssl (deb)

    Windows:
    In a command line window, enter the following:

    Copy code
    openssl version –a

    If OpenSSL is installed, the OpenSSL information, such as the date and version number, is displayed. Otherwise, download and install the latest version of OpenSSL.

  2. Run the following command to convert the key and certificate files into one PFX certificate:
    Copy code
    openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -descert

  1. In the terminal window, change the directory to the server/ connector's Security directory:

    <Path to Digital Lab server installation directory>/server/Security

    <Path to Digital Lab connector installation directory>/connector/Security
  2. Enter ./importCA.sh to import the authorized certificate to the server.

  3. Enter the current key store password (Default. password) and the password from the CA. This password is generated when creating the PFX file.The CA password becomes the new key store password. Store the password in a safe place for future access.

  4. The script adds a private certificate to keyStoreHpmc and a public certificate to trustStoreHpmc.
  5. Restart the Digital Lab server/ connector.
  6. Using your web browser, navigate to the server/ connector address:
    https://<Digital Lab server/ connector IP address>:<port>
  7. Validate that the correct CA certificate is displayed in the browser.
  1. Navigate to the server/ connector's Security directory:
    <Path to Digital Lab server installation folder>\server\Security.
    <Path to Digital Lab connector installation folder>\connector\Security.
  2. Enter importCA.bat to import the authorized certificate to the server. Admin permissions are required to run the batch file.
  3. Enter the current key store password (Default. password) and the password from the CA. This password is generated when creating the PFX file. The CA password becomes the new key store password. Store the password in a safe place for future access.

  4. The script adds a private certificate to keyStoreHpmc and a public certificate to trustStoreHpmc.

  5. Restart the  service/ connector from the Start Menu.

  6. Using your web browser, navigate to the server/ connector address:
    https://<Digital Lab server/ connector IP address>:<port>

  7. Validate that the correct CA certificate is displayed in the browser.

Back to top

Establishing server trust on the connector in SSL connections

This section is relevant for UFT Digital Lab server installations only.

When a connector acts as a client connecting to the UFT Digital Lab server, there needs to be trust present on the client, to the certificate on the server. This trust is initially established during the installation of the connector. If you replace the self-signed certificate on the server with a CA issued certificate, the trust needs to be re-established.

If the CA is a common one, such as Verisign, the CA already exists in the connector’s truststore, and the connector trusts the server certificate. If not, for example if the CA is private, the CA is not yet in the connector’s truststore. The CA certificate should be imported to the truststore for the connector to trust the server certificate. To establish trust when using a non-common CA on the Digital Lab server, you need to import the public certificate of the Certificate Authority (CA) that issued the server certificate—not the server certificate itself. To import the public certificate, see To import an SSL certificate: 

After you import this certificate, trust is established between the client and any certificate issued by this CA. If this trust is not established correctly, there is an SSL handshake failure and an error message is issued.

Back to top

Configuring Digital Lab for secure LDAP

To use Digital Lab with secure LDAP (SSL), see Use secure LDAP on the Digital Lab server .

Back to top

Generating a new certificate

This section is relevant for UFT Digital Lab server installations only.

You many need to generate a new self-signed certificate if:

  • You are using a CA certificate and would like to switch back to using a self-signed certificate
  • The self-signed certificate, which is valid for 3 years, has expired.

You generate a new certificate for the server using the script in the Security folder as follows: 

  1. Log in as UFT Digital Lab user and change directory to:
    <Path to UFT Digital Lab server installation directory>/server/Security
  2. Run the following command to generate a new self-signed certificate on the server:
    ./generateSelfSignCertificate.sh
  3. Enter the required credentials. The script adds a private certificate to keyStoreHpmc and a public certificate to trustStoreHpmc.
  4. Restart the Digital Lab service:
    service dl restart

Note: If the IP or FQDN is unavailable, the connection to the server fails and you must regenerate the certificate. After regenerating the certificate, you must also modify the configuration of connectors connecting to the Digital Lab server. For details, see Modify the connector (Windows), Change the configuration of the connector (Linux), or Reconfigure the connector ( Mac).

  1. On the server machine, navigate to:
    <Path to Digital Lab server installation>\server\Security
  2. Run the following batch file to generate a new self-signed certificate on the server:
    generateSelfSignCertificate.bat

  3. Enter the required credentials.

  4. The script adds a private certificate to keyStoreHpmc and a public certificate to trustStoreHpmc.
  5. Restart the Digital Lab service either via the Start Menu or by navigating to <Path to Digital Lab server installation>\scripts\ and running restart.bat

Note: If the IP or FQDN is unavailable, the connection to the server fails and you must regenerate the certificate. After regenerating the certificate, you must also modify the configuration of connectors connecting to the Digital Lab server. For details, see Modify the connector (Windows), Change the configuration of the connector (Linux), or Reconfigure the connector ( Mac).

Back to top

See also: