This post was written by Paul Adrian Utiu, from the PCLR CPE Team, and Eyal Rosner, System Architect – Performance Center RnD.
This article describes the steps to configure secure communication on a Performance Center Server for incoming requests from the ALM server and Performance Center hosts.
Step 1: Configuring IIS to Work over SSL
This section describes the basic steps involved in setting up IIS on the Performance Center Server machine to use SSL.
To configure IIS to use SSL on the Performance Center Server machine:
1. Obtain a server certificate issued to the fully qualified domain name of your Performance Center Server.
2. Configure IIS to work with SSL. For information, see http://support.microsoft.com/.
a) Open Internet Information Services (IIS) Manager.
b) Click the server name.
c) In Features View, double-click Server Certificates in the IIS
d) There are two options for the IIS Server Certificate:
- If you have a server signed certificate delivered by the CA (which you can import directly), select the Complete Certificate Request option, and continue from step i).
- Otherwise, select the Create Certificate Request option, and follow the steps below.
In the Actions pane, click Create Certificate Request. The Create Certificate Request wizard opens.
e) On the Distinguished Name Properties page, type the required information for the certificate, and then click Next.
f) On the Cryptographic Service Provider Properties page, select the cryptographic service provider and a bit length that can be used by the provider.
NOTE: As of today, the recommended hash is SHA-2 256 and the recommended key size is 2048.
g) On the File Name page, specify the file name and location for the certificate request file that will be sent to the CA to be signed, and then click Finish.
h) The content of the Certificate Request file should look like this:
i) The server certificate request should be sent to the CA which will sign it. You need to import the signed certificate.
In the Actions pane, click Complete Certificate Request. The Complete Certificate Request wizard opens.
j) Browse to the certificate file that was provided to you by the CA, and type a friendly name. The friendly name is not part of the certificate itself, but is used by the server administrator to easily distinguish the certificate. Choose to place the new certificate in the Personal certificate store.
3. If you are using a secure connection for the internal URL of the Performance Center Server, you need to establish trust to the Certificate Authority (CA) that issued your Performance Center Server certificate.
This trust must be established on the ALM server and on each Performance Center host.
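Steps d) through i) of the certificate request can also be scripted with the built-in certreq.exe tool, which makes the key size and hash from the NOTE explicit and repeatable. This is an added example, not part of the original post; the host name, working directory and file names are constructed placeholders, and the non-exportable key is a choice made for this example.

```powershell
# Added example; host name and paths are constructed placeholders.
$fqdn    = 'pcs01.example.com'      # FQDN of the Performance Center Server
$workDir = 'C:\Temp\pcs-csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Request template: RSA 2048 with a SHA-256 request signature, key created
# in the machine store. Exportable = FALSE keeps the private key on this
# server; change it only if the certificate must be moved.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN={FQDN}"
KeyLength = 2048
HashAlgorithm = SHA256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns={FQDN}&"
'@.Replace('{FQDN}', $fqdn)

$infPath = Join-Path $workDir 'pcs.inf'
$reqPath = Join-Path $workDir 'pcs.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair and writes the PKCS#10 request to send to the CA.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Review the request before sending it (field labels as printed on an
# English-language system).
certutil.exe -dump $reqPath |
    Select-String 'Public Key Length', 'Algorithm ObjectId', 'DNS Name'

# When the CA returns the signed certificate, install it against the
# pending request (equivalent to Complete Certificate Request):
#   certreq.exe -accept C:\Temp\pcs-csr\pcs.cer
```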
To configure trust on the ALM server:
1. Obtain the certificate of the root and any intermediate Certificate Authority that issued the Performance Center Server certificate.
2. On the ALM server, go to the \ALM\java bin. For example: C:\ProgramFiles\\ALM\java\jre\bin
3. Import this certificate into the ALM Java truststore by using a keytool command. For example:
..\keytool -import -trustcacerts -alias myCA -file <path to ca.cer> -keystore "c:\Program Files\\ALM\java\jre\lib\security\cacerts"
c:\Program Files\\ALM\java\bin>keytool -import -trustcacerts -alias myCA -file RootCA.cer -keystore "c:\Program Files\\ALM\java\jre\lib\security\cacerts"
4. Replace the path to the file with the path to your root certificate authority certificate.
NOTE: changeit is the default password for the Java truststore. Replace as necessary.
5. If your access is denied, run CMD as an administrator.
6. Restart ALM.
For each Performance Center host, the root certificate of the CA should appear in the Microsoft Management Console under Certificates (Local Computer) > Trusted Root Certification Authorities.
Step 2: Configuring Performance Center to Support SSL
1. Configure the port that will be used to ensure secure communication on the Performance Center Server. Note that IIS uses port 443 for the SSL binding by default. However, the RemoteManagement Agent Service also uses port 443 by default. Either change the service's port, or configure IIS to use a port other than 443 for the SSL binding.
In the Actions pane, click Bindings. The Site Bindings window opens.
In this demo, we will use a different port (444) for the IIS SSL Port.
2. Update the web.config file located in the <Install path>\PCS directory by performing the following steps:
a) Create a backup copy of the web.config file, and save it to a different folder.
b) To update the web.config file, you can replace it with the predefined web.config-for_ssl file. To replace web.config with the predefined web.config-for_ssl file, copy web.config-for_ssl from the <install path>\conf\httpsConfigFiles directory and place it under the <install path>\PCS directory.
Rename web.config-for_ssl to web.config.
3. Restart IIS.
4. If you have added the same Performance Center Server previously over HTTP, restart the ALM service.
5. Add the Performance Center Server to ALM and define the internal and external URL (make sure the URL to the Performance Center Server begins with “HTTPS”).
You can verify this before adding the Performance Center Server to ALM by opening the My Performance Center web page using HTTPS.
NOTE: If you encounter the error below (the CA used to sign the server certificate is not known on the client computer), it means that the CA certificate needs to be imported into the Trusted Root Certification Authorities store.
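The HTTPS check above, and the Trusted Root requirement for Performance Center hosts, can be verified from a command line with the following added example (not part of the original post). It evaluates the server certificate against the Windows trust store of the machine it runs on, so it covers Performance Center hosts and browser clients but not the ALM Java truststore; the function name, host name and port are assumptions.

```powershell
# Added example. Host name and port are constructed placeholders.
function Test-PcsTlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 444   # IIS SSL binding port used in this article's demo
    )
    $state = @{ PolicyErrors = $null; ChainStatus = @() }
    # Record what Windows concluded about the chain and host name, then let
    # the handshake complete so the certificate can be inspected. No
    # application data is sent on this connection.
    $callback = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        $state.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        # Ask for TLS 1.2 explicitly; older .NET Framework defaults are lower.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        [pscustomobject]@{
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            RsaKeyBits         = if ($rsa) { $rsa.KeySize } else { $null }
            Protocol           = $ssl.SslProtocol
            PolicyErrors       = $state.PolicyErrors          # None = trusted and name matches
            ChainStatus        = $state.ChainStatus -join ', ' # UntrustedRoot / PartialChain = CA not trusted here
            TrustedByThisHost  = ($state.PolicyErrors -eq 'None')
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}
# Usage: Test-PcsTlsEndpoint -HostName pcs01.example.com -Port 444
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` corresponds to the unknown-CA error described in the NOTE, and `RemoteCertificateNameMismatch` in `PolicyErrors` means the URL host does not match the name the certificate was issued to.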