When you configure your LoadRunner system to use SSL authentication, the client initiates an SSL request to negotiate the cipher suite, then the server responds by sending its own certificate and an optional request to validate the client certificate. Finally, the client sends the encrypted shared key, and its certificate if requested. All subsequent messages are encrypted using the shared key, and authentication is completed by verifying the certificate on the other side.
For details of possible client-server configuration setups, see Client-Server Authentication Configurations.
A digital certificate is issued by a Certification Authority (CA). It contains the IP address of the machine for which it is issued, a validation date, and the digital signature of the certificate-issuing authority.
Certificates created by LoadRunner utilities have the following attributes:
- Signature hash algorithm: sha256
- Encryption algorithm: RSA (2048 Bits)
You can also use an existing CA certificate from your own organization as long as it complies with the following:
- base64 encoded DER certificate (*.pem)
- enclosed between
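To compare a CA certificate from your own organization with the attributes listed above, the following added Python example (not part of LoadRunner or its utilities) reads a PEM-wrapped certificate and reports whether it uses a sha256-with-RSA signature and how large its RSA key is. All function names are hypothetical, and `sample_pem` builds a constructed, certificate-shaped skeleton rather than a real certificate.

```python
import ssl

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
RSA_KEY = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """List the elements nested inside buf[start:end]."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def inspect_cert(pem_text):
    """Report signature algorithm and RSA key size; ValueError if not PEM-wrapped."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    tbs, sig_alg, _ = children(der, *read_tlv(der, 0)[1:])
    oid = lambda seq: der[slice(*children(der, *seq[1:])[0][1:])]
    fields = children(der, *tbs[1:])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    key_alg, key_bits = children(der, *fields[5][1:])  # subjectPublicKeyInfo
    bits = 0  # stays 0 for non-RSA keys
    if oid(key_alg) == RSA_KEY:  # BIT STRING: 1 unused-bits byte, then RSAPublicKey
        modulus = children(der, *read_tlv(der, key_bits[1] + 1)[1:])[0]
        bits = int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length()
    return {"sha256_rsa_signature": oid(sig_alg) == SHA256_RSA, "rsa_bits": bits}

def tlv(tag, body=b""):
    """Encode one DER element; used only to build the constructed sample below."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pem(bits=2048, sig_oid=SHA256_RSA):
    """Constructed certificate-shaped skeleton (placeholder key, empty names), not a real cert."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_KEY) + tlv(0x05)) + tlv(0x03, b"\0" + key))
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + tlv(0x30) * 3 + spki)
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tbs + alg + tlv(0x03, bytes(bits // 8 + 1))))
```

For a real file, pass its text to `inspect_cert`; a result other than `{"sha256_rsa_signature": True, "rsa_bits": 2048}` means the certificate differs from what the LoadRunner utilities produce.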
When the MI Listener sends its Public Key to the LoadRunner agent, it always sends its certificate as well (this is the server-side certificate). The LoadRunner agent can also be configured to authenticate the certificate it received. If the agent is configured to authenticate the certificate, it can verify whether the sender is really the machine that it claims to be by:
The MI Listener may also require the LoadRunner agent to send a certificate at any point in the session. This is called the client-side certificate. You can set this option in the MI Listener Configuration Dialog Box. If the LoadRunner agent owns a certificate, it sends it to the MI Listener for the same authentication process. If the LoadRunner agent does not own a certificate, the communication might not continue.
LoadRunner provides a default SSL CA and SSL certificate for all LoadRunner components. They are located in the <LoadRunner installation>\dat\cert folder. However, for a more secure process, create your own Certificate Authority, include it in the list, and issue matching certificates for your machines.
When a Load Generator connection is SSL enabled, it is indicated by a special SSL icon in Controller.