Configure Performance Center Host to Support SSL/TLS

hilale Honored Contributor.

This post was written by Paul Adrian Utiu, from the PCLR CPE Team, and Eyal Rosner, System Architect, Performance Center RnD.

 

To configure secure communication on a Performance Center host for incoming requests from the ALM and Performance Center servers, perform the following:

1. Configure the Performance Center host port for SSL 

The default port used by a Performance Center host service is 8731. To configure SSL on a host for port 8731, refer to the Microsoft Web Site: How to Configure a Port with an SSL Certificate, using the following URL: http://msdn.microsoft.com/en-us/library/ms733791.aspx

The SSL certificate must be in PFX file format, which contains the private key. There are two ways to obtain one:

  • The CA delivers it according to the server FQDN.
  • You can create a keystore with a private key and request the CA to sign the certificate. You can then convert it to PFX format.

 

To create a PFX file using the second option, perform the following steps on any machine that has a Java JRE installed (such as the ALM machine), because you need keytool (or OpenSSL) to handle a keystore:

 a) Generate a keystore with a private key.

This is a temporary keystore that can be deleted after completing the following steps to achieve a server certificate. 

C:\Program Files\\ALM\ALM\jre\bin>keytool -genkeypair -validity 1065 -keysize 2048 -keyalg rsa -sigalg SHA256withRSA -keystore keystore -storepass changeit -alias host

 

What is your first and last name?

  [Unknown]:  pchost.domain.com

What is the name of your organizational unit?

  [Unknown]:  OUName

What is the name of your organization?

  [Unknown]:  OName

What is the name of your City or Locality?

  [Unknown]:  CityName

What is the name of your State or Province?

  [Unknown]:  StateName

What is the two-letter country code for this unit?

  [Unknown]:  CountryCode

Is CN=pchost.domain.com, OU=OUName, O=OName, L=CityName, ST=StateName, C=CountryCode correct?

  [no]:  yes

 

Enter key password for <host>

        (RETURN if same as keystore password):

               

NOTE: At the time of writing, the recommended hash algorithm is SHA-256 and the recommended key size is 2048 bits.

 

b) Generate a server certificate request to have it signed by your Certificate Authority. 

C:\Program Files\\ALM\ALM\jre\bin>keytool -keystore keystore -storepass changeit -alias host -certreq -file CERTREQFILE_HOST.csr

 c) Send the certificate request to the CA for signing.

 d) Once the certificate has been signed, download the <signed server certificate> from your Certificate Authority.

 e) Obtain the root authority certificate (and any intermediate authority certificates, if applicable).

1. Double-click the signed certificate.

2. Go to the Certification Path.

3. Select Root CA.

4. Click View Certificate.

5. Go to the Details tab.

6. Click Copy to File.

7. Repeat the above steps for any intermediate CA in the chain.

f) Import the authority certificate(s) obtained in the previous step (root certificate and any intermediate authority certificates, if applicable) into the keystore created earlier in this procedure (step a).

keytool -import -trustcacerts -keystore <mykeystore> -storepass <mypass> -alias <rootCA> -file <root CA certificate>

keytool -import -trustcacerts -keystore <mykeystore> -storepass <mypass> -alias <IntermediateCA> -file <Intermediate CA certificate>

keytool -import -trustcacerts -keystore <mykeystore> -storepass <mypass> -alias <IssuingCA> -file <Issuing CA certificate>

 

NOTE: If you have not done this for each CA certificate (root and all intermediate), you will see the following error during the next step of importing the signed server certificate:

keytool error: java.lang.Exception: Failed to establish chain from reply

 

 

            c:\Program Files\\ALM\ALM\java\bin>keytool -import -trustcacerts -keystore keystore -storepass mercury -alias rootCA -file rootCA.cer

 

            Owner: CN=CA, DC=security, DC=domain, DC=com

            Issuer: CN=CA, DC=security, DC=domain, DC=com

            Serial number: 1a4cdd86c675dda146222023c1a8a67

            Valid from: Thu May 19 16:16:13 BST 2016 until: Tue May 19 16:26:12 BST 2026

            Certificate fingerprints:

                         MD5:  F9:D9:2E:10:00:09:C1:9B:8F:2E:4B:F4:B9:1E:98:0B

                         SHA1: D4:E2:4B:0E:E4:C6:E9:46:E6:74:50:50:08:8E:E9:C8:11:BC:6B

                         SHA256: 1E:E4:B3:0B:67:65:01:CF:6A:E1:11:4A:DC:D6:06:75:30:8A:1F:B6:ED:88:9F:94:5F:09:BD:7A:73

                         Signature algorithm name: SHA256withRSA

                         Version: 3

 

            Extensions:

 

            #1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false

            0000: 1E 04 00 43 00 41                                  ...C.A

 

 

            #2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false

            0000: 02 01 00                                           ...

 

 

            #3: ObjectId: 2.5.29.19 Criticality=true

            BasicConstraints:[

              CA:true

              PathLen:2147483647

            ]

 

            #4: ObjectId: 2.5.29.15 Criticality=true

            KeyUsage [

              DigitalSignature

              Key_CertSign

              Crl_Sign

            ]

 

            #5: ObjectId: 2.5.29.14 Criticality=false

            SubjectKeyIdentifier [

            KeyIdentifier [

            0000: 94 B3 1B F2 37 44 64 D0   71 9D 78 7C E1 FD 97 3B  ....7Dd.q.x....;

            0010: BE E1 30                                           ..0.

            ]

            ]

 

            Trust this certificate? [no]:  yes

            Certificate was added to keystore

                

            Import any intermediate and issuing authority certificates if applicable. Below are the additional commands if the CA provided the IntermediateCA and IssuingCA certificates:

            c:\Program Files\\ALM\ALM\java\bin>keytool -import -trustcacerts -keystore keystore -storepass mercury -alias IntermediateCA -file IntermediateCA.cer

            c:\Program Files\\ALM\ALM\java\bin>keytool -import -trustcacerts -keystore keystore -storepass mercury -alias IssuingCA -file IssuingCA.cer

 

 g) Import the signed certificate into your keystore under the original alias.

keytool -import -v -alias <myserver.mydomain> -file <signed server certificate> -keystore <mykeystore> -keypass <mypass> -storepass <mypass>

 

NOTE: Make sure that the private key password and the keystore password are the same <mypass>. You should see: “Certificate reply was installed in keystore”. The keystore file will now be significantly larger.

 

C:\Program Files\\ALM\ALM\jre\bin>keytool -import -trustcacerts -keystore keystore -storepass changeit -alias host -file certhost.cer

Certificate reply was installed in keystore

 

 h) Create a PKCS12 (.pfx / .p12) from a JKS / JAVA keystore 

If you have keytool and your JKS file, run the following one-line command (the output file can use either the .pfx or the .p12 extension):

keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12] -srcalias [ALIAS_SRC] -destalias [ALIAS_DEST] -srcstorepass [PASSWORD_KEYSTORE]

Replace the following placeholders:

 -  MY_FILE.p12: path of the PKCS#12 file (.p12 or .pfx extension) that is going to be created.

 -  MY_KEYSTORE.jks: path of the JKS keystore that you want to convert.

 -  PASSWORD_PKCS12: password that will be requested when the PKCS#12 file is opened.

 -  PASSWORD_KEYSTORE: password of the JKS keystore being converted.

 -  ALIAS_SRC: name of your certificate entry in the JKS keystore, "tomcat" for example.

 -  ALIAS_DEST: name that your certificate entry will have in the PKCS#12 file, "tomcat" for example.

  

C:\Program Files\\ALM\ALM\jre\bin>keytool -importkeystore -srckeystore keystore -destkeystore PFX_HOST.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass changeit -srcstorepass changeit -srcalias host -destalias host
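The keytool sequence above (steps a, b, f, g and h) as one non-interactive PowerShell script. This is an added example, not code from the original post or from the Performance Center product: the keytool location, file names, aliases, FQDN, distinguished-name fields and the password are placeholders taken from the post's own examples, and the CA file names are whatever your CA delivered. It adds the two checks a practitioner wants between the manual steps: every CA certificate is in the keystore before the signed reply is imported (the cause of the "Failed to establish chain from reply" error), and the alias holds a full chain before the PKCS#12 file is written.

```powershell
# Added example (not from the original post): keytool steps a), b), f), g) and h) scripted.
# All values below are placeholders; keytool is assumed to be on PATH.
$Keytool   = 'keytool'                    # otherwise: <ALM install path>\jre\bin\keytool.exe
$Keystore  = 'keystore'                   # temporary JKS; delete it once the .p12 exists
$StorePass = 'changeit'                   # key password kept equal to the store password (see step g note)
$Alias     = 'host'
$HostFqdn  = 'pchost.domain.com'          # the name the ALM / PC servers use to reach the host
$Dname     = "CN=$HostFqdn, OU=OUName, O=OName, L=CityName, ST=StateName, C=CountryCode"
$CsrFile   = 'CERTREQFILE_HOST.csr'
$ReplyFile = 'certhost.cer'               # signed certificate returned by the CA (step d)
$PfxFile   = 'PFX_HOST.p12'
# CA certificates from step e), root first; list only the ones your CA actually delivered.
$CaChain   = @(
    @{ Alias = 'rootCA';         File = 'rootCA.cer' },
    @{ Alias = 'IntermediateCA'; File = 'IntermediateCA.cer' },
    @{ Alias = 'IssuingCA';      File = 'IssuingCA.cer' }
)

function Invoke-Keytool {
    # Runs keytool and turns a non-zero exit code into a terminating error, so a failed
    # import (for example "Failed to establish chain from reply") stops the script.
    param([string[]]$Arguments)
    $out = & $Keytool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "keytool $($Arguments[0]) failed:`n$($out -join "`n")" }
    return $out
}

function Test-KeystoreAlias {
    # True when the alias already exists in the keystore (lets the script be re-run safely).
    param([string]$Name)
    & $Keytool -list -keystore $Keystore -storepass $StorePass -alias $Name *> $null
    return ($LASTEXITCODE -eq 0)
}

function New-HostKeystore {
    # Step a): RSA 2048 key, SHA-256 signature, -dname instead of the interactive prompts.
    Invoke-Keytool @('-genkeypair', '-validity', '1065', '-keysize', '2048', '-keyalg', 'rsa',
        '-sigalg', 'SHA256withRSA', '-keystore', $Keystore, '-storepass', $StorePass,
        '-keypass', $StorePass, '-alias', $Alias, '-dname', $Dname) | Out-Null
}

function New-HostCsr {
    # Step b): certificate signing request for the CA.
    Invoke-Keytool @('-certreq', '-keystore', $Keystore, '-storepass', $StorePass,
        '-alias', $Alias, '-file', $CsrFile) | Out-Null
}

function Import-CaChain {
    # Step f): every CA certificate (root and intermediates) must be present before step g).
    foreach ($ca in $CaChain) {
        if (-not (Test-Path $ca.File)) { throw "Missing CA certificate file: $($ca.File)" }
        if (Test-KeystoreAlias $ca.Alias) { continue }
        Invoke-Keytool @('-import', '-trustcacerts', '-noprompt', '-keystore', $Keystore,
            '-storepass', $StorePass, '-alias', $ca.Alias, '-file', $ca.File) | Out-Null
    }
}

function Import-SignedReply {
    # Step g): import the CA reply under the ORIGINAL alias so it replaces the self-signed cert.
    # No -noprompt here: if the chain cannot be established we want keytool to fail, not guess.
    $out = Invoke-Keytool @('-import', '-trustcacerts', '-keystore', $Keystore, '-storepass', $StorePass,
        '-keypass', $StorePass, '-alias', $Alias, '-file', $ReplyFile)
    if (($out -join "`n") -notmatch 'Certificate reply was installed') { throw "Unexpected keytool output:`n$out" }
}

function Get-ChainLength {
    # After step g) the entry should carry the full chain; keytool -list -v reports its length.
    $list = Invoke-Keytool @('-list', '-v', '-keystore', $Keystore, '-storepass', $StorePass, '-alias', $Alias)
    $m = [regex]::Match(($list -join "`n"), 'Certificate chain length:\s*(\d+)')
    if (-not $m.Success) { return 0 }
    return [int]$m.Groups[1].Value
}

function Export-HostPfx {
    # Step h): JKS -> PKCS#12, the format the Windows certificate store imports.
    Invoke-Keytool @('-importkeystore', '-srckeystore', $Keystore, '-destkeystore', $PfxFile,
        '-srcstoretype', 'JKS', '-deststoretype', 'PKCS12', '-srcstorepass', $StorePass,
        '-deststorepass', $StorePass, '-srcalias', $Alias, '-destalias', $Alias) | Out-Null
}

# Phase 1 (before contacting the CA): steps a) and b). Skipped when the keystore already exists.
if (-not (Test-Path $Keystore)) {
    New-HostKeystore
    New-HostCsr
    Write-Host "CSR written to $CsrFile. Send it to the CA, then rerun once $ReplyFile and the CA certificates are present."
}

# Phase 2 (signed reply and CA certificates on disk): steps f), g) and h).
if ((Test-Path $Keystore) -and (Test-Path $ReplyFile) -and -not (Test-Path $PfxFile)) {
    Import-CaChain
    Import-SignedReply
    if ((Get-ChainLength) -lt 2) { throw 'Reply import did not produce a chained entry; check the CA certificates' }
    Export-HostPfx
    Write-Host "PKCS#12 file ready: $PfxFile (import it into the host's Personal store in step i)"
}
```

Run the script once to produce the CSR, and again after the CA has returned the signed certificate; the second run stops before writing the PKCS#12 file if the imported reply does not chain to the CA certificates in the keystore.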

 i) Import the PFX_HOST.p12 file into the Personal store of the Microsoft Management Console (MMC) on the PC host. Import the CA Root/Intermediate/Issuing certificates into the Trusted Root store of the local machine. Also add the same CA certificates to the Trusted Root CA store in MMC on the ALM and PC Server Windows machines.

Here are the steps needed to import the certificate in MMC:

  • Open a command line and run MMC.

  • In MMC, select File > Add/Remove Snap-in.

  • Select Certificates.

  • Select Computer account and click Next.

  • Select Local computer and click Finish.

  • Click OK to add the snap-in.

  • Import the PFX certificate into the Personal store (select Personal > Certificates > All Tasks > Import).

  • The Certificate Import Wizard opens.

  • Select the certificate file you want to import.

  • Type the private key password.

  • Select the certificate store, in this case the Personal store.

  • Click Finish to complete the import process.

  • An import status message is displayed (make sure the import was successful).

  • Repeat the same steps for the Trusted Root Certification Authorities store using the CA Root/Intermediate/Issuing certificates (only some CAs deliver Intermediate and Issuing certificates).
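The same import as the MMC steps above, done with the Windows PKI module so it can be repeated on the PC host, the ALM server and the PC Server without clicking through the wizard. This is an added example, not part of the original post; the file paths are placeholders. One deliberate difference from the post: the root CA goes to Trusted Root and the intermediate/issuing CAs go to the Intermediate Certification Authorities store (Cert:\LocalMachine\CA), which is where Windows looks for them when building a chain; putting everything in Trusted Root, as the post describes, also works. The final function performs the "make sure the import was successful" check by building the chain from the machine stores.

```powershell
# Added example (not from the original post): step i) without the MMC snap-in.
# Run in an elevated PowerShell. On the ALM and PC Server machines only Import-CaCertificates is needed.
$ErrorActionPreference = 'Stop'

$PfxFile = 'C:\certs\PFX_HOST.p12'                                   # placeholder path
$CaFiles = @('C:\certs\rootCA.cer', 'C:\certs\IntermediateCA.cer', 'C:\certs\IssuingCA.cer')

function Import-HostPfx {
    # Personal store of the computer account (MMC: Certificates (Local Computer) > Personal).
    $pfxPass = Read-Host -AsSecureString -Prompt 'PKCS#12 password'
    $cert = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; check the PKCS#12 file' }
    return $cert
}

function Import-CaCertificates {
    # Self-signed (subject == issuer) => root CA => Trusted Root; anything else => Intermediate CAs.
    foreach ($file in $CaFiles) {
        if (-not (Test-Path $file)) { Write-Warning "Skipping missing CA file $file"; continue }
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
        $store = if ($c.Subject -eq $c.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
        Import-Certificate -FilePath $file -CertStoreLocation $store | Out-Null
        Write-Host ("{0,-40} -> {1}" -f $c.Subject, $store)
    }
}

function Test-HostCertificateChain {
    # The host certificate must chain to a trusted root using only what is now in the machine stores.
    # Revocation is not checked here; this is a trust check that works offline.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
        return $false
    }
    return $true
}

Import-CaCertificates
if (Test-Path $PfxFile) {                       # PC host only
    $hostCert = Import-HostPfx
    if (Test-HostCertificateChain $hostCert) {
        Write-Host "OK: $($hostCert.Subject) (thumbprint $($hostCert.Thumbprint)) chains to a trusted root"
    } else {
        throw 'Host certificate does not chain to a trusted root; import the missing CA certificate(s)'
    }
}
```

The thumbprint printed at the end is the certhash value needed for the netsh binding in step j, which avoids copying it by hand from the certificate dialog.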

     

 j) Configure SSL on the Performance Center host for port 8731

    For details, see Microsoft MSDN URL: http://msdn.microsoft.com/en-us/library/ms733791.aspx.

 

Check that the port is not configured:

C:\Users\Demo>netsh http show sslcert ipport=0.0.0.0:8731

 

SSL Certificate bindings:

-------------------------

 

The system cannot find the file specified.

 

Run the netsh command:

(certhash is the certificate thumbprint, and appid is any GUID that identifies the owning application. The GUID can be generated with the Visual Studio GUID Generator, or you can use the command below):

 

C:\Users\Demo>netsh http add sslcert ipport=0.0.0.0:8731 certhash=1b337c1f17e0f94b09f803ff0c2c7b7621baf2bb appid={114F6E0C-EB01-4EE9-9CEF-3D1A500FD63F}

 

SSL Certificate successfully added

 

Check that the port is now configured: 

C:\Users\Demo>netsh http show sslcert ipport=0.0.0.0:8731

 

SSL Certificate bindings:

-------------------------

 

    IP:port                      : 0.0.0.0:8731

    Certificate Hash             : 1b337c1f17e0f94b09f803ff0c2c7b7621baf2bb

    Application ID               : {114f6e0c-eb01-4ee9-9cef-3d1a500fd63f}

    Certificate Store Name       : (null)

    Verify Client Certificate Revocation : Enabled

    Verify Revocation Using Cached Client Certificate Only : Disabled

    Usage Check                  : Enabled

    Revocation Freshness Time    : 0

    URL Retrieval Timeout        : 0

    Ctl Identifier               : (null)

    Ctl Store Name               : (null)

    DS Mapper Usage              : Disabled

    Negotiate Client Certificate : Disabled
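Step j as a repeatable script, added here as an example and not taken from the post or the product: it looks the certificate up in the Personal store by the host FQDN (so the thumbprint is never typed by hand), performs the "not configured" / "now configured" checks the post shows by parsing netsh output, replaces a stale binding for another certificate instead of failing, and finally probes the port with a TLS 1.2 handshake to confirm what the host actually presents. The port and FQDN are the post's values; everything else is assumed.

```powershell
# Added example (not from the original post): netsh SSL binding for port 8731 plus verification.
# Run elevated on the PC host. $HostFqdn must match the CN of the certificate imported in step i).
$ErrorActionPreference = 'Stop'
$Port     = 8731
$IpPort   = "0.0.0.0:$Port"
$HostFqdn = 'pchost.domain.com'

function Get-HostCertificate {
    # Newest non-expired cert for the FQDN that has a private key, so an old certificate
    # with the same CN is never bound by mistake.
    $pattern = 'CN=' + [regex]::Escape($HostFqdn) + '(,|$)'
    $c = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $c) { throw "No valid certificate with a private key for CN=$HostFqdn in LocalMachine\My" }
    return $c
}

function Get-SslBinding {
    # Parses 'netsh http show sslcert' for this ip:port. Returns $null when nothing is bound
    # (netsh then prints "The system cannot find the file specified.").
    $out = (netsh http show sslcert ipport=$IpPort) -join "`n"
    $hash = [regex]::Match($out, 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})')
    if (-not $hash.Success) { return $null }
    $app = [regex]::Match($out, 'Application ID\s*:\s*(\{[^}]+\})')
    return @{ Hash = $hash.Groups[1].Value.ToUpper(); AppId = $app.Groups[1].Value }
}

function Set-SslBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $existing = Get-SslBinding
    if ($existing -and $existing.Hash -eq $Cert.Thumbprint) {
        Write-Host "Binding on $IpPort already uses $($Cert.Thumbprint)"; return
    }
    if ($existing) {
        Write-Warning "Replacing binding for $($existing.Hash) on $IpPort"
        netsh http delete sslcert ipport=$IpPort | Out-Null
    }
    $appId = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'   # the "any GUID" the post mentions
    $r = (netsh http add sslcert ipport=$IpPort certhash=$($Cert.Thumbprint) appid=$appId) -join "`n"
    if ($r -notmatch 'successfully added') { throw "netsh add sslcert failed:`n$r" }
    $after = Get-SslBinding
    if (-not $after -or $after.Hash -ne $Cert.Thumbprint) { throw 'Binding not visible after add' }
}

function Test-TlsEndpoint {
    # Handshake the way a client would: TLS 1.2 only, chain validated against the machine
    # trust stores, revocation checked. A certificate the client would not trust throws here.
    param([string]$Name = $HostFqdn, [int]$TargetPort = $Port)
    $tcp = [System.Net.Sockets.TcpClient]::new($Name, $TargetPort)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Name, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return @{ Protocol = $ssl.SslProtocol; Thumbprint = $presented.Thumbprint; Subject = $presented.Subject }
    } finally { $tcp.Close() }
}

$cert = Get-HostCertificate
Set-SslBinding -Cert $cert
Write-Host "Bound $($cert.Thumbprint) to $IpPort"
# Test-TlsEndpoint   # run after steps 2 and 3, once LTOPSvc is configured for SSL and restarted
```

The probe is left commented out because the binding alone does not make the host listen with TLS: LTOPSvc must be switched to its SSL configuration and restarted (steps 2 and 3) first. Once that is done, a successful Test-TlsEndpoint result whose Thumbprint equals the bound certificate's is the end-to-end confirmation of this step; a validation failure means the ALM and PC Server machines, which validate the same way, will also reject the host.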

 

2. Perform the following steps to update the LTOPSvc.exe.config file:

a) Create a backup copy of the LTOPSvc.exe.config file located under the <install path>\bin directory, and save it in a different folder.

b) To update the LTOPSvc.exe.config file, you can replace it with the predefined LTOPSvc.exe.config-for_ssl file, as described below.

To replace LTOPSvc.exe.config with the predefined LTOPSvc.exe.config-for_ssl file, copy LTOPSvc.exe.config-for_ssl from the <install path>\conf\httpsconfigfiles directory and place it under the <install path>\bin directory. Rename LTOPSvc.exe.config-for_ssl to LTOPSvc.exe.config.

3. Restart the Windows service “Performance Center Load Testing Service” on the host.

4. Update the Performance Center Server to ensure that the communication to the host will use HTTPS.

 

Edit the PCS.config file, located in the <install path>\dat directory, by changing the value of the ltopIsSecured attribute to true.

Example:

<PCSSettings ltopPortNumber="8731" ltopIsSecured="true" StartRunMaxRetry="3" DataProcessorPendingTimeoutMinutes="2880"/>
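Steps 2 to 5 as two PowerShell functions, added here as an example (not code from the post or from Performance Center): Set-HostLtopSvcConfig runs on the PC host and covers steps 2 and 3, Set-PcsSecured runs on the PC Server and covers step 4, with iisreset for step 5. Both take a timestamped backup before touching anything. The PCS.config edit is done as XML rather than text replacement so that the attribute name keeps its exact casing (ltopIsSecured, lowercase l) and the other PCSSettings attributes are untouched; a missing element or attribute is reported instead of silently added. Install paths are placeholders, and the script assumes PCS.config has no XML namespace on the PCSSettings element.

```powershell
# Added example (not from the original post): configuration changes for steps 2 to 5.
$ErrorActionPreference = 'Stop'

function Backup-File {
    # Timestamped copy in a separate folder, as step 2a requires; returns the backup path.
    param([string]$Path, [string]$BackupDir)
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $dest = Join-Path $BackupDir ("{0}.{1:yyyyMMdd-HHmmss}.bak" -f (Split-Path $Path -Leaf), (Get-Date))
    Copy-Item $Path $dest
    return $dest
}

function Set-HostLtopSvcConfig {
    # Step 2: replace LTOPSvc.exe.config with the predefined -for_ssl file; step 3: restart the service.
    # Run on the PC host.
    param([string]$InstallPath, [string]$BackupDir)
    $target = Join-Path $InstallPath 'bin\LTOPSvc.exe.config'
    $sslCfg = Join-Path $InstallPath 'conf\httpsconfigfiles\LTOPSvc.exe.config-for_ssl'
    if (-not (Test-Path $sslCfg)) { throw "Predefined SSL config not found: $sslCfg" }
    $bak = Backup-File -Path $target -BackupDir $BackupDir
    Copy-Item $sslCfg $target -Force
    Restart-Service -DisplayName 'Performance Center Load Testing Service'
    return $bak
}

function Set-PcsSecured {
    # Step 4: set ltopIsSecured="true" in PCS.config on the PC Server. Also warns when the
    # configured port differs from the one the SSL certificate was bound to in step j.
    param([string]$InstallPath, [string]$BackupDir, [int]$ExpectedPort = 8731)
    $path = Join-Path $InstallPath 'dat\PCS.config'
    $bak  = Backup-File -Path $path -BackupDir $BackupDir
    $xml  = [xml](Get-Content $path -Raw)
    $node = $xml.SelectSingleNode('//PCSSettings')
    if (-not $node) { throw "No <PCSSettings> element in $path (backup at $bak)" }
    $attr = $node.Attributes['ltopIsSecured']      # lowercase L; 'ItopIsSecured' would not match
    if (-not $attr) { throw "<PCSSettings> has no ltopIsSecured attribute (backup at $bak)" }
    $port = $node.GetAttribute('ltopPortNumber')
    if ($port -ne "$ExpectedPort") {
        Write-Warning "ltopPortNumber is '$port' but the SSL binding was made on port $ExpectedPort"
    }
    $attr.Value = 'true'
    $xml.Save($path)
    # Re-read the file and return the effective value, so the caller can verify the change landed.
    return ([xml](Get-Content $path -Raw)).SelectSingleNode('//PCSSettings').GetAttribute('ltopIsSecured')
}

# Usage (placeholders for the install paths):
# On the PC host:      Set-HostLtopSvcConfig -InstallPath 'C:\<PC host install path>' -BackupDir 'C:\ConfigBackups'
# On the PC Server:    Set-PcsSecured -InstallPath 'C:\<PC Server install path>' -BackupDir 'C:\ConfigBackups'
#                      iisreset     # step 5
```

Set-PcsSecured returns the value read back from the saved file, so the caller can check it equals "true" before restarting IIS; if it throws, the backup path in the message points at the untouched copy.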

 

 5. Restart IIS on the Performance Center Server.

6. Configure LoadRunner components to use TLS 1.2

 

 

We hope you found this blog beneficial. See these related blogs:

How to configure ALM Application Server to support SSL

How to configure Performance Center Server to support SSL
