Using Digital Certificates with Firewalls

When you configure your LoadRunner system to use SSL authentication, the client initiates an SSL request to negotiate the cipher suite. The server responds by sending its own certificate and, optionally, a request to validate the client certificate. Finally, the client sends the encrypted shared key, and its certificate if requested. All subsequent messages are encrypted using the shared key, and authentication is completed by verifying the certificate on the other side.

For details of possible client-server configuration setups, see Client-Server Authentication Configurations.

A digital certificate is issued by a Certification Authority (CA). It contains the IP address of the machine for which it is issued, a validation date, and the digital signature of the certificate-issuing authority.

Certificate Attributes and Requirements

Certificates created by LoadRunner utilities have the following attributes:

  • Signature hash algorithm: sha256
  • Encryption algorithm: RSA (2048 Bits)

You can use an existing CA certificate from your own organization as long as it complies with the following:

  • base64 encoded DER certificate (*.pem)
  • enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

You can also provide certificate files that contain a root CA and one or more intermediate CAs. LoadRunner supports chain verification as long as all the certificates in the chain from the root to the client certificate can be verified.

For example, suppose the cacert.cer verification file on your Controller machine contains A (root), B (signed by root), and C (signed by root).

Then suppose that on a load generator machine, the cert.cer certificate file contains D (signed by B) and E (signed by D).

The certificate chain is valid: A > B > D > E.
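The chain resolution in this example can be modeled in a few lines. The following is an added illustration, not LoadRunner code: it reduces each certificate to a (subject, issuer) pair, and the names load, build_chain, CACERT and CERT are hypothetical. Real verification also checks every signature and validity period along the path.

```python
# Simplified model (added example): a certificate is a (subject, issuer) pair.
# Signature and validity-date checks, which real verification needs, are omitted.

def load(pairs):
    """Index a bundle of (subject, issuer) pairs by subject name."""
    return {subject: issuer for subject, issuer in pairs}

def build_chain(trust_file, cert_file):
    """Return the path [root, ..., leaf] or raise ValueError.

    trust_file models the Controller's cacert.cer, cert_file the load
    generator's cert.cer. The leaf is the cert_file entry that issued
    no other entry in that file.
    """
    issuers_in_file = set(cert_file.values())
    leaves = [s for s in cert_file if s not in issuers_in_file]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    known = {**cert_file, **trust_file}   # trust_file wins on name clashes
    chain, current = [], leaves[0]
    while True:
        if current in chain:
            raise ValueError(f"issuer loop at {current}")
        if current not in known:
            raise ValueError(f"missing issuer certificate: {current}")
        chain.append(current)
        issuer = known[current]
        if issuer == current:             # self-signed: must be a trusted root
            if current not in trust_file:
                raise ValueError(f"root {current} is not in the trust file")
            return list(reversed(chain))
        current = issuer

# Constructed sample data matching the example in the text.
CACERT = load([("A", "A"), ("B", "A"), ("C", "A")])
CERT = load([("D", "B"), ("E", "D")])

if __name__ == "__main__":
    print(" > ".join(build_chain(CACERT, CERT)))
```

C is present in the verification file but is not on the path, so it plays no part in the result. Removing B from the verification file breaks the chain at D.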

LoadRunner Default Certificate

LoadRunner provides a default CA and SSL certificate for all LoadRunner components. They are located in the <LoadRunner installation>\dat\cert folder. However, for a more secure process, create your own Certificate Authority, include it in the list, and issue matching SSL certificates for your machines. For details, see How to Configure Client-Server Authentication.

Using Certificates with the MI Listener or Load Generator

When the MI Listener sends its public key to the LoadRunner agent, it always sends its certificate as well (this is the server-side certificate). The LoadRunner agent can also be configured to authenticate the certificate it received. If the agent is configured to authenticate the certificate, it can verify whether the sender is really the machine that it claims to be by:

  • Comparing the certificate's IP address with the sender's IP address
  • Checking the validation date
  • Looking for the digital signature in its Certification Authorities list

The MI Listener may also require the LoadRunner agent to send a certificate at any point in the session. This is called the client-side certificate. You can set this option in the MI Listener Configuration Dialog Box. If the LoadRunner agent owns a certificate, it sends it to the MI Listener for the same authentication process. If the LoadRunner agent does not own a certificate, the communication might not continue.

When a Load Generator connection is SSL enabled, it is indicated by a special SSL icon in Controller.
