Configure Performance Center Server to Support SSL/TLS

Vice Admiral
Vice Admiral
1 2 5,939

This post was written by Paul Adrian Utiu, from the PCLR CPE Team

 

paul.jpg

  And Eyal Rosner, System Architect –Performance Center RnDEyal.jpg

 

 

This article describes the steps to configure secure communication on a Performance Center Server for incoming requests from the ALM server and Performance Center hosts.

 

Step 1: Configuring IIS to Work over SSL 

This section describes the basic steps involved in setting up IIS on the Performance Center Server machine to use SSL.

To configure IIS to use SSL on the Performance Center Server machine:

  1. Obtain a server certificate issued to the fully qualified domain name of your Performance Center Server.
  2. Configure IIS to work with SSL. For information, see http://support.microsoft.com/.

a) Open Internet Information Services (IIS) Manager.

b) Click the server name.

c) In Features View, double-click Server Certificates in the IISPC-FeaturesView.png

 

 

 d) There are two options for the IIS Server Certificate: 

 - If you have a server signed certificate delivered by the CA (which you can import directly), select the Complete         Certificate Request option, and continue from step i).  

 - Otherwise, select the Create Certificate Request option, and follow the steps below. 

    In the Actions pane, click Create Certificate Request. The Create Certificate Request wizard opens.

PC-CreateCertRequest.png

 

 

 e) On the Distinguished Name Properties page, type the required information for the certificate, and then click Next.

PC-DistinguishedName.png

  

f) On the Cryptographic Service Provider Properties page, select the cryptographic service provider and a bit                length that can be used by the provider.PC-Cryptographic.png

 

NOTE: As for today, the recommended hash is sha2 256 and the key size 2048.

 g) On the File Name page, specify the file name and location for the certificate request file that will be send to the CA to       be signed, and then click Finish.PC-FileName.png

 

 

 h) The content of the Certificate Request file should look like this:PC-ContentCertificate.png

 

 

 i) The server certificate request should be sent to the CA which will sign it. You need to import the signed certificate. 

In the Actions pane, click Complete Certificate Request. The Complete Certificate Request wizard opens.PC-CompleteCertRequest.png

 

 

j) Browse to the certificate file that was provided to you by the CA, and type a friendly name. The friendly name is       not part of the certificate itself, but is used by the server administrator to easily distinguish the certificate. Choose     to place the new certificate in the Personal certificate store.PC-CertPersonal.png

 

 

3. If you are using a secure connection for the internal URL of the Performance Center Server, you need to establish trust     to the Certificate Authority (CA) that issued your Performance Center Server certificate.

    This trust must be established on the ALM server and on each Performance Center host.

 

To configure trust on the ALM server: 

  1. Obtain the certificate of the root and any intermediate Certificate Authority that issued the Performance Center Server certificate.
  2. On the ALM server, go to the \ALM\java bin. For example: C:\ProgramFiles\\ALM\java\jre\bin
  3. Import this certificate into the ALM java truststore by using a keytool command. For example:

..\keytool -import -trustcacerts -alias myCA -file <path to ca.cer> -keystore "c:\Program Files\\ALM\java\jre\lib\security\cacerts"

 

c:\Program Files\\ALM\java\bin>keytool -import -trustcacerts -alias myCA -file RootCA.cer -keystore "c:\Program Files\\ALM\java\jre\lib\security\cacerts" 

 4. Replace the path to the file for your root certificate authority certificate.

NOTE: changeit is the default password to the java truststore. Replace as necessary.

5. If your access is denied, run CMD as an administrator.

6. Restart ALM.

For Performance Center host, the root certificate of the CA should appear in the Microsoft Management Console under Certificates (Local Computer) > Trusted Root Certification Authorities.

 

Step 2: Configuring Performance Center to Support SSL 

  1. Configure the port that will be used to ensure secure communication on the Performance Center Server. Note that the port used by IIS for the SSL binding is 443. However, by default, the RemoteManagement Agent Service uses port 443. Either change the service's port, or configure IIS to use a port other than 443 for the SSL binding. 

 

In the Actions pane, click Bindings. The Site Bindings window opens. 

PC-Bindings.png

 

 

 In this demo, we will use a different port (444) for the IIS SSL Port.

PC-Port444.png

 

 

 2. Update the web.config file located in the <Install path>\PCS directory by performing the following steps:

 a) Create a backup copy of the web.config file, and save it to a different folder.

b) To update the web.config file, you can replace it with the predefined web.config-for_ssl file. To replace web.config with the predefined web.config-for_ssl file, copy web.config-for_ssl from the <install path>\conf\httpsConfigFiles directory and place it under the <install path>\PCS directory.

Rename web.config-for_ssl to web.config.

 3. Restart IIS.

 4. If you have added the same Performance Center Server previously over HTTP, restart the ALM service.

 5. Add the Performance Center Server to ALM and define the internal and external URL (make sure the URL to the               Performance Center Server begins with “HTTPS”).

You can verify this before adding the Performance Center Server to ALM by opening the My Performance Center web page using HTTPS.

NOTE: If you encounter the below error (the CA being used to sign the server certificate is not known at the client computer), it means that the certificate needs to be imported to the Trusted Root certification Authorities. 

PC-Note.png

 

 

Hope you have found this blog beneficial, see additional related blogs:

How to configure ALM Application Server to support SSL

How to configure Performance Center Host to support SSL

 

Interested in more information about LoadRunner, Performance Center or StormRunner? Visit the LoadRunner, Performance Center or StormRunner forums to find information, submit questions and collaborate with peers.

 

Interested in more information about Performance Center, visit the  Performance Center Help Center.

2 Comments
Captain Captain
Captain

How do you change the RemoteManagement agent's port to something other than 443?

Ensign Ensign
Ensign

How do you change the Remote Management agent's port to something other than 443?

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.