Performancing Metrics

Vamsi Tokala's blog: Client Side certificates with LoadRunner

Friday, April 23, 2010

Client Side certificates with LoadRunner

Many applications make use of the SSL extension to the HTTP protocol that adds an encryption layer to the HTTP stack. If performance test tool can't handle SSL then you won't be able to record any transactions.
One way of increasing security is to make use of client certificates, which can be installed into the application

client before access is permitted to an application. The certificates are provided in a number of formats (typically pfx or p12) and must be made available to your performance testing tool for successful capture and replay.
Please follow the steps below to import, export the certificate in the format recommended by LoadRunner.
 
Import Client Certificate in Browser

1. Click Start, click Control Panel, double-click Internet Options, and then click the Content tab

2. Click Certificates.

        a)The Certificates dialog box opens.
3. Click the Personal tab, and then click Import.

        a)The Certificate Import Wizard opens.
        b)On the Welcome page, click Next.

4. On the File to Import page, click Browse, select your certificate (if necessary, select your certificate type in Files of Type drop-down menu), and then click Next.

5. On the Password page, type the certificate’s password, select Mark this key as exportable, and then click Next.

6. On the Certificate Store page, select Place all certificates in the following store, browse to the Personal certificate store (if it’s not already selected), and then click Next.

7. On the Completing the Certificate Import Wizard page, click Finish.

8. Verify that the imported certificate appears in the Personal tab of the Certificates dialog box.

Export a private key

1. Under Internet Options, and then click the Content tab.

2. Click Certificates.

       a)The Certificates dialog box opens.
3. In the Certificates dialog box, click the Personal tab, select the certificate to export, and then click Export.

       a)The Certificate Export Wizard opens.
       b)On the Welcome page, click Next.

4. On the Export Private Key page, select Yes, export the private key, and then click Next.

5. On the Export File Format page, choose Personal Information Exchange – PKCS #12 (.PFX), select Include all certificates in the certification path if possible, clear the other check boxes, and then click Next.

6. On the Password page, type and retype the certificate’s password, and then click Next.

7. On the File to Export page, type the path and name of the file to export, and then click Next.

     a)The wizard will add the .pfx extension automatically.

8. On the Completing the Certificate Export Wizard page, click Finish.


Convert .PFX to .PEM format using OpenSSL

1. Download latest version of OpenSSL from OpenSSl Website

    a. http://www.openssl.org/source/

2. Convert PFX format to PEM format using the command below

a. OPENSSL PKCS12 –in <> -out <>

b. Enter the password given while exporting the certificate

c. Enter any PEM pass phase :e:g 2222

d. Reconfirm the pass phase by typing the same number again.

Open SSL
Note: SSL utility available in LoadRunner 9.5 may crash or may not work as intended. It is better to download the utility from OpenSSL website
 
WebServices Security in LoadRunner

Transport Level Security

Secure Sockets Layer (SSL) is a common transport layer approach that is used to provide encryption to message layer security. If your web service URL begins with https, SSL is automatically used.

  •  First copy the created .pem file using OpenSSL utility into LoadRunner Script folder
  • Set up the transport level security using the following function in LoadRunner
 web_set_certificate_ex("CertFilePath=testpem1111.pem",

"CertFormat=PEM",
"KeyFilePath=testpem1111.pem",
"KeyFormat=PEM",
"Password=2222", // PEM pass phase
LAST);

Note: if a web service doesn’t uses https URL then this function is not required in VuGen

Legacy Based Security

If in addition to SSL you are using message-level security (for example a username) then you must configure the security for the message separately using the Legacy/Scenario based security model (web_service_set_security) function.

When a SOAP message sends a request, those security credentials, known as security tokens, are placed in the SOAP message. When the Web server receives the SOAP request, it does not need to send additional requests to verify the integrity of the sender. The server verifies that the credentials are authentic before letting the Web Service execute the application. By not having to go back to the source of the credentials, this significantly improves the application’s scalability

VuGen allows you to create security tokens for your script. You can create multiple tokens and set their properties. After creating a token, you use it to sign or encrypt a SOAP message. When you add a security token to a SOAP message, it is added to the SOAP message in the form of an XML element in the WS-Security SOAP header.

a. LoadRunner supports different types of security tokens. The available tokens are

Username and Password, X.509 Certificate,Kerberos Ticket, Kerberos2 Ticket, Security Context Token, andDerived Token.

The information you need to provide differs for each token

b. This following is an example of legacy based security Model using User Name and Password token in LoadRunner

web_service_set_security(
SECURITY_TOKEN, "Type=USERNAME","LogicalName=DP", "UserName=XXXXXX", "Password=XXXXX", "PasswordOptions=SendPlainText", "Add=True",
LAST);

c. X.509 Certificate: When you add an X.509 token to the Vuser script, you specify the Logical Name, Store Name, Key identifier type, Key identifier value, and Store Location arguments.

These inputs to this function can be obtained by downloading Microsoft WSE X509 certificate tool from Microsoft website


web_service_set_security(
SECURITY_TOKEN, "Type=X509", "LogicalName=MyStore", "StoreName=My",
"IDType=SubjectName", "IDValue=C=US, S=CA, L=San Rafael, O=Inc., OU=IT, CN=IT Internal", "StoreLocation=CurrentUser", "Add=True",
MESSAGE_SIGNATURE, "UseToken=MyStore",
LAST);

Scenario based Security Model

LoadRunner also supports Scenario based Security Model for WCF Services which is out of scope of this post

55 comments:

Anonymous said...

Hi Vamsi Tokala,

I am looking for some advice on implementing solutions around "Legacy Based Security model using Loadrunner". Apologies for a lengthy post. From your blog I see that Loadrunner can support different types of security tokens such as Username and Password, Kerberos Ticket, Kerberos2 Ticket, Security Context Token, and Derived Token.

The application I am currently testing is integrated with ‘Correspond Now product’, which is used to generate and edit documents.

The Vugen (LR) has recorded considerable sets of secure web service requests with encrypted soap body, when trying to record this document generation functionality. These WS requests are implemented with Kerberos security mechanism. Within the Soap Header, is the UsernameToken. This is the key element considered by the server while authenticating the client requests. As per the application client security documentation, the username tokens are encrypted with RSA encryption.

In addition to this there are many other encrypted data within the Soap headers and Soap body. When I come to play the script back it fails due to the hardcoded encryption and security tokens.

Following are the tokens present with the header of WS requests,
1. The element with unique timestamp
2. with subelements as and . The Username Token uses RSA encryption mechanism.
3.
4. within , each of these elements holds sub elements called and which are unique and looks like a base64 string.
5. The and within the element.

There are similar tokens present within the SOAP body as well. I am not sure as how to handle these tokens, how can I use Loadrunner to generate these tokens?

I am eagerly looking for your advice and help, you can send your response to my query to the below given email address.

If required I can post even the sample Soap_requests. Please let me know.

Regards,
Shobitha
Shobithanavin@gmail.com

Anonymous said...

Hi Vamsi,

Element names were missing in my previous post. Apologies for this.
Please find the list of tokens present within the WS requests.

Following are the tokens present with the header of WS requests,

1. The 'wsse:security' element with unique timestamp

2. 'wsse:UsernameToken' with subelements as 'xenc:EncryptedData' and 'xenc:CopherValue'. The Username Token uses RSA encryption mechanism.

3. 'wsse:Binary security token'

4. 'xenc:EncryptedKey' within 'wsse:security', each of these elements holds sub elements called 'xenc: CipherValue' and 'xenc:Datareference' which are unique and looks like a base64 string.

5. The 'wssc:SecurityContextToken' and 'wssc:DerivedkeyToken' within the 'wsse:security' element.


Regards,
Shobitha
shobithanavin@gmail.com

Vamsi Tokala said...

LoadRunner has given documentation on using these certificates. Have you referred those? Token's such as Timestamps can be correlated using LrRfunctionsand also Download Microsoft WSE tool to read encrypted key related to Security tokens

butter lion said...

Hi,

It seems that this tool is not to be found on Microsoft website. Could you point out the link to download this Microsoft WSE X509 tool?
I would like to try your sugestion...

Thank you in advance!

Vamsi Tokala said...

Try here
http://www.microsoft.com/download/en/details.aspx?id=14089

butter lion said...

Got it, thanks!

Anonymous said...

Vasmi,
Using the tool, I see 3 key identifiers, RFC3280, Windows and SHA-1, how do I handle that?
Thanks,
Jim

Vamsi Tokala said...

Not sure what you are asking for? Use to tool to identify the right parameters required to authenticate the certificate and substitute it in the script

Anonymous said...

Vasmi,
Hello, I am referring to the picture above. In your screenshot, we see one identifier. In my screen of the WSE tool, I see 3 identifiers. That is my question, sorry it wasn't clear
Thanks,
Jim

Vamsi Tokala said...

Not sure, try to test each of these identifiers in the script and verify which is the right one to authenticate

Anonymous said...

Hi Vamsi, thank you for this information. I am using Performance Center 9.52. Should I install these certificates on loadgen machine and controller?

Thanks,

HB

Vamsi Tokala said...

Cerificates has to be installed in LoadGenerator Machine

Prasanna said...

Hi Vamsi,

I tried this option and I am able to record now and login into the client, however after recording when the script is generated it asks for the cert and while rerunning the script I get an error "MERR-26612" and "MMSG-26388"


Thanks
Prasanna

Ganesh said...

This is very good information. Thanks so much for the step by step information!

Gav said...

Hi Vasmi,

We currently have a couple of web service test in soap ui which use binary security token. We would like to have the same test in loadrunner using the web service protocol. Before we dive into it does loadrunner support binary security tokens. If so do ween need to implement via the web_set_security method

Thanks

Anonymous said...

Hi Vamsi,

I am testing an web service application and am getting below error
Hash values do not match. (from client)
I got the SSL certificate and converted it into >PEM file also placed the web_set_certificate but still i am getting the same error.
Can you please let me know what can be done here.

Is there some other different way for this?

Thanks in Advance...

Vamsi Tokala said...

LR supports binary securtiy token and has to implemented via the web_set_security method

Vamsi Tokala said...

Check the data used in the request

Data can be compared to a hash value to determine its integrity. Usually, data is hashed at a certain time and the hash value is protected in some way. At a later time, the data can be hashed again and compared to the protected value. If the hash values match, then the data has not been altered. However, if the values do not match, the data has been corrupted. For this system to work, the protected hash must be encrypted or kept secret from all untrusted parties.

Anonymous said...

Hi Vamsi,

In what scenarios, we need to use these methods? I recorded the https applications straight away. I worked fine. I didn't have any problem.

Thanks

Vamsi Tokala said...

This post is related to certificates and functions used will be usedwhen application is using certificates to increase security

Anonymous said...

Hi Vamsi,

Thanks for your reply on Hash value issue.

I can successfully overcome the Hash value issue, It looks like the SSL certificate was not imported and exported properly for creating .PFX file now it is rectified.

But still there is another issue found which is quoted

"The request was invalid for WS-Security standard, it has more than one Security header for the configured actor: "" (from client)"

I placed "Web_Service_Set_Security" as i found HTTPS protocol passed in the URL i used "Username and Password" token, As the user name and password are passed in the request but it didn't succeed. I am not sure where it's goes wrong.

And one more thing is i see X.509 certificate is passed in the request as well. I dont know whether we need to use both the tokens as headers!!!

Can you please let me know how to handle this.

Thanks in Advance.

Vamsi Tokala said...

Why can't you ask the developers regarding this? send your request to them and confirm them if the format is correct?

Jim D said...

Hello there,
A couple of questions:
1) Do I follow the points in the article in sequence? Do I first import the certificate, then export the private key, then convert using openSSL?
2) for Legacy security, could that be on top of the certificate above? Are you using the word certificate<>Token interchangeably? Could the application be using more than one legacy token?

Thanks,
Jim

Vamsi Tokala said...

Jim, Please follow the sequence in the mail. First try transport level security and then message level security.

I haven't came across any applciation which uses multiple legacy security tokens

rahul sinha said...

Hi Vamsi,
Thank You for sharing such invaluable information. It is really helpful. I had a question. I created a web service script and ran it in the test environemnt and it ran fine without any errors. Since i have to conduct the tests in stage i changed the endpoint URL and the server name and ran in stage which came out giving me a 401 error. So i went ahead and changed the endpoint URl and the server name back to stage and it started giving me the 401 error. This was not happening earlier. I have used the web_set_user and the web_set_security function in web service but still not able to resolve this error. Can you please suggest me something?

Thanks,
Rahul

Robert said...

Hi Vamsi,

Thank you for this write up, It has helped our company to run many successful test.

I have one question for you though, and anyone else who reads this.

I am executing soap_requests and the web service wants a binanry security token and a username token within the security header.

the service also wants both the binary security token and the username token to be signed by the binary security token.

I can see within the MESSAGE_SIGNATURE identifier within a web_service_set_security() LR function that I can only supply one token to be signed. If I place these elements within the request it will throw an error saying that there are two security headers.

If i leave these elements out of the security header and just place them in the header, I will get an error stating that it will not validate signature.

do you know anyway around this?

Thanks!
Robert

Vamsi Tokala said...

Robert, I would suggest you run the script with extended log with the tokens and get the logs examined by the developers and identify the issue with the scirpt.

get the request corrected and fix the script. if possibl;e you can also use web custom request function to directly input the valid xml convert in the script

Nithin said...

Hi Vamsi,
Is there a way that I can disable client side certificate verification in Loadrunner?

Thanks,
Nithin

Vamsi Tokala said...

Server will not recognize the requests if you don't pass client certificates in the script

aayush said...

Hi Vamsi,

Very informative article.

I need your guidance on one of my project.

I want to do perf testing of Mobile application. Dev team has provided me the json type requests which I need to submit through loadrunner. I used Http post to submit the request. But there is a glitch its a secure webservice(https). Since it is a not browser application from where I can get the certificate to authenticate web server.

Also dev team has given me an access to Linux machine from where I can hit the web server, since the web server has shared its certificate with that machine.

So my question is can I use the same certificate from that machine and install it on my local machine or I need to ask dev team specific certificate for my local machine.

Your suggestion will be highly appreciated.

Thanks,
Aayush

Vamsi Tokala said...

I am not fully understand your question. If your Linux box has client side certificate then you don't need to install it.

First you need to create script in a windows machine there you have to install it.

also use wget command in Linux to validate if you can access the requests in Linux box to confirm if the certificate is installed properly

Anonymous said...

Hi Vamsi Tokala,

my client side certificate is present in a smart card.

when I open my browser it requests for the certificate and a PIN to enter the website.

when I recorded that in vugen the client certificate is not recorded, I am able to export the certificate from the card as .cer,.der format only,but not able to export the keys

since .cer is base64 format just renamed the file to .pem.

but when I reran the script it is showing error. I used my PIN as my key for the certificate.

plz tell me wat mistake I am doin...

Siji Prasanth said...

Hi Vamsi,

Thanks for sharing step by step information.

I have the certificate in .PFX format imported to the browser certificate and was unable to private key asssociated with it.
it couldnt select yes with the private key option. it shows private key associted with the certificate is not found. Can you help me on this.

Anonymous said...

Hi vamsi,

I need to record a mobile native aplication which uses a https comm protocol for communicating with server.
Do I need to install some server certificate es on my device.
I read in lr prod doc abt importing lr ssl certificates on the device...don really understand wat has to be done....ur advice wud b of great help

Aravind Kumar said...

Hi Vamsi,
Your Blog is very useful and i referred it many times. I am using web services with HTTPS with SSL certification with your steps and it working for one application but for another application am getting a error message "Error -27780: [GENERAL_MSG_CAT_SSL_ERROR]connect to host "XXXXXXXXXXXXX" failed: [10054] Connection reset by peer" so can you please help to resolve this issue.

Regards,
Aravind

Sravan Kumar said...

Hi Vamsi,

I'm facing an issue with HTTPS protocol
URL - HTTPS
Load Runner version - 11.04
Steps followed -
• Recorded script using HTTP-HTML protocol
• I'm able to record the script, but unable to replay - getting an error message "SSL Protocol error when attempting to connect with host".

Can you please help me on this issue
Thanks,
Sravan
sravanesr@gmail.com

Anonymous said...

Hi,

I am able to record the application in Load runner using HTTP/HTML protocol.The URL of the application starts with https. Whenever I do replay I am getting the following error:
Action.c(10): ssl_handle_status encounter error : SSL_ERROR_SSL, error message : error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number [MsgId: MMSG-26000]
Action.c(10): Error -27776: SSL protocol error when attempting to connect with host "host" [MsgId: MERR-27776]
Action.c(10): Error -27762: Request "host" failed [MsgId: MERR-27762]
Action.c(10): web_url("host") highest severity level was "ERROR", 0 body bytes, 0 header bytes

Could anyone provide the solution for this?

Anonymous said...

Hi,

Is there a way to decrypt the response in loadrunner script, if the response sent by server was encrypted by server.

Pankaj Harde said...

Hey Vamsi,
Pankaj Here. I am stuck with the below issue "Action.c(69): Error -27775: No certificate file type [MsgId: MERR-27775]
Action.c(69): Error -27779: SSL server ucv-itest-ui.allstate.com requires client certificate." I have added the certificates to the script and it is in .pem extension. Help is much appreciated.

Pankaj Harde said...

I am not sure why is this happening. I tried all the workaround available on the web throught the week and none of them are working.

Vamsi Tokala said...

Testing certificates requires patience. You may have made some mistake. Try to test using soap ui and then work with loadrunner

Anonymous said...

Hi Tokala,

Is it possible to detect the certificate errors in bpm?

I have a script running in BPM ,while recording the script I did not face any certificate error and the script works fine in BPM also.

But now when I login to the application I'm getting certificate error but the same is not being detected in BPM or vugen

The script runs fine still.So is it possible to detect certificate error?

thanks,
suderson

Vamsi Tokala said...

Use fiddler and compare

Sumit said...

Hi Vamsi,

I am facing SSL protocol error when attempting to connect with host issue. Earlier i successfully executed same script with 100 users. After that they has updated users and license key.
Now i am able to access Application Manually but not by tool.Now we have some confusion that we should install Application certificate or load balancer certificate and where to Install this certificate?
1. In LR Tool -> recording option ->Port mapping ->Client certificate
2. or in LG, Vugen machine cert directory
3.Internet Options -> Content ->Certificate

Please help me on this.
Thanks in advance

Sumit said...

Hi Vamsi,

I am facing SSL protocol error when attempting to connect with host issue. Earlier i successfully executed same script with 100 users. After that they has updated users and license key.
Now i am able to access Application Manually but not by tool.Now we have some confusion that we should install Application certificate or load balancer certificate and where to Install this certificate?
1. In LR Tool -> recording option ->Port mapping ->Client certificate
2. or in LG, Vugen machine cert directory
3.Internet Options -> Content ->Certificate

Please help me on this.
Thanks in advance

Baskar chinnakonda said...

Hi guys i am facing an issue with load runner http/html scripting

1. my script uses websocket connect ... & when i ran my script it was a creating a dynamic token and that it comes from client side and i am not sure how to pass the client side security token to my script. Please help me out on this.

I got the below error:
Error 472 Action.c(472): Error -26627: HTTP Status-Code=404 (Not Found) for "https://gkt.am.darth.macs.com/csp/GB6T/kbw.dbms.comm.Engine.cls?token=b33cIfIA4I6355855817904554910937&debug=0%20HTTP/1.1" [MsgId: MERR-26627] Action.c C:\Users\fz016513\Documents\VuGen\Scripts\WebHttpHtml_Date_Solution_17_Dec WebHttpHtml_Date_Solution_17_Dec


supratim roy said...
This comment has been removed by the author.
FAL said...

Really awesome. Thanks for detailing the whole concept and workaround.

Melisa said...

Hello Admin, thank you for enlightening us with your knowledge sharing.
Qtp training |Qtp training institutes in chennai|Loadrunner course in Chennai

Rasool Bevi said...

Thanks for blogging about Software Testing, I hope you will post more regarding software testing, keep blogging...
Regards,
Software testing training|Software training|Software testing training in chennai

Hosting Safety said...

Thnaks for sharing your information. Hostingsafety is also one of secured hosting services in Bangalore.
Click on our tags to know more.
Web Hosting India | Domain Name Registration India | Web Hosting Companies in India

Paul Miller said...


Excellent post! When you are going to update your next post, I really very excited to see your upcoming articles. So please share information with an effective content of latest technology.
Selenium Training in Chennai|Selenium Training

sunilkumarkuppam said...


This article is more interesting and content is really useful to me. Keep updating the content regularly and this software testing content is helped to know more detailed.Software testing training in Chennai | Software testing training | testing training in Chennai

Ramya Krishnan said...

Nice info, Thanks for your valuable information and impressive testing article.
Software Testing Training in chennai T

jhansi joe said...

The future of software testing is on positive note. It offers huge career prospects for talented professionals to be skilled software testers.
Regards,
Software testing training in Chennai| Best software testing training institute in Chennai|Software testing courses in Chennai