Configuring client-side SSL/TLS security certificates to enable TruClient to work with HTTPS

This post was written by Yehuda Sabag, from the HP TruClient R&D team.

 

A customer recently encountered a situation where he was unable to use HP LoadRunner's TruClient protocol to record a business process that involved communicating with an HTTPS-secured web application. The solution was to install the client certificate with its private key marked as exportable. In this post, I'll describe how you can diagnose security issues with TruClient, and how I was able to resolve this issue.

 

Background

 

When a web site requires a client certificate during the recording phase, TruClient for Internet Explorer will display a dialog box showing the available client certificates that are installed in the machine’s certificate store. This dialog will appear even if only one certificate is available, since the user needs to be aware of the fact that a client certificate is being used. In Internet Explorer, when there is only one client certificate, whether the dialog is displayed or not depends on the configuration of the option “Don’t prompt for client certificate selection when only one certificate exists” (in Internet options > Security > Custom level > Miscellaneous).

 

Once the user has chosen the client certificate, TruClient will make it available to the browser, and will export it to the script directory as a file called CC.pfx. During replay, when a client certificate needs to be sent, the CC.pfx file will be imported into the certificate store and passed to the browser, which will then send it to the web site.

 

TruClient for Firefox works slightly differently. The user needs to install the client certificate in the browser in advance, as follows:

 

  • Open VuGen’s Tools > TruClient General Settings dialog, and click on the Encryption tab
  • Click View Certificates, and click Import
  • Select the certificate file and import it

Here’s a screenshot of Firefox's certificate manager:

 

[Screenshot: firefox.png]

 

 

The certificate is saved inside Firefox’s certificate store.  Firefox will automatically use the one certificate that is installed without prompting the user during replay.

  

The problem (and the solution)

My customer was using TruClient for Internet Explorer, and the problem was that during the recording, he chose the client certificate from the dialog, but the authentication failed and no CC.pfx file was created in the script directory.

 

As a general guideline, whenever you encounter a problem in TruClient, I suggest trying to perform the same business process in Internet Explorer 9, with Standard Mode enforcement.  You can do that by navigating to your web application in Internet Explorer 9, and pressing F12 to open the Developer Tools.  In the Developer Tools menu, make the following changes:

 

  • Change the Browser Mode to Internet Explorer 9
  • Change the Document Mode to Internet Explorer 9 Standards

Continue using your web application as usual and check that it is working as expected.  When I did this on the customer’s machine, everything worked as expected.

 

When you are diagnosing issues with certificates, you should disable the “Don’t prompt…” configuration mentioned above and verify that you are choosing the right certificate from the dialog.

 

The next thing to look at is the client certificate export process. I tried to export the certificate manually, as follows: Go to Internet options > Content > Certificates > Personal, choose the certificate, and click “Export…”. A wizard opens, and when you click ‘Next’, there are two options:

 

  • Yes, export the private key
  • No, do not export the private key

Since a client certificate without a private key is essentially useless, you need to choose the “Yes” option. But what if the ‘Yes’ option is disabled, as in this situation:

 

[Screenshot: export.png]

 

This means that when the certificate was installed on the machine, its private key was marked as non-exportable. In this case you should ask your IT department to supply you with a certificate that has an exportable key. This also explains why TruClient was not able to export the certificate: TruClient tries to export the client certificate together with its private key, and that is not possible when the private key is non-exportable.

 

After getting an appropriate certificate from IT, you should install it on the machine. But you must make sure that when you install it, you include the private key. Double-click the certificate file, click ‘Next’ on the Welcome screen, choose the certificate and click ‘Next’ again to show the Password screen. After entering the password, make sure you check the “Mark this key as exportable…” option:

 

[Screenshot: markasexportable.png]

 

If you forget to check this box, you’ll end up in the same situation that you were in to begin with. Once I reinstalled the certificate and made sure that the private key was marked as exportable, everything worked fine, and the customer was able to record and replay his business processes correctly.
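
The export check and the reinstall described above can also be done from PowerShell. This is an added example, not part of the original post or of TruClient itself; it assumes the client certificate lives in the current user's Personal store, and C:\certs\client.pfx is a placeholder for the file supplied by IT.

```powershell
# Added example: report which personal certificates have an exportable private key.
# Assumption: the client certificate is in the current user's Personal store.
function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # A certificate without a private key cannot be used for client authentication.
    if (-not $Certificate.HasPrivateKey) { return $false }
    try {
        # An in-memory PFX export fails when the key is marked non-exportable.
        # The password is a constructed throwaway value; the bytes are discarded.
        $null = $Certificate.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
            'throwaway-password')
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

# Same view as Internet options > Content > Certificates > Personal,
# with the state of the "Yes, export the private key" option made explicit.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        Exportable    = Test-PrivateKeyExportable -Certificate $_
    }
} | Format-Table -AutoSize

# Reinstall with the key marked exportable; -Exportable corresponds to the
# "Mark this key as exportable..." checkbox in the import wizard.
# Placeholder path: replace with the PFX file received from IT.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Import-PfxCertificate -FilePath 'C:\certs\client.pfx' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword -Exportable
```

A row showing HasPrivateKey as True and Exportable as False corresponds to the greyed-out "Yes, export the private key" option, and is the case in which no CC.pfx file is created.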

 

I hope you found this useful.  Leave us a comment in the box below to let us know how TruClient is helping you test your secure web applications.

 

Thanks to Yehuda for providing this article!

 

 


Comments
ronyram | ‎09-05-2013 07:42 PM

Hi All,

 

I have used all Performance testing to record a banking application, but in vain as the password has been encrypted; I am not able to do the record and replay. But I tried using the Ajax TruClient protocol, and I am able to record and replay the script. The password encryption which I faced earlier was not there. Thanks to the Ajax TruClient protocol developers.

 

But the issue is that when I start running the load test, all the tests fail. Is it because of the encryption issue in the password?

 

Pls clarify whether the encryption issue of the password can be bypassed using the Ajax TruClient protocol.

 

Regards,

Rony

| ‎09-08-2013 12:20 AM

Hi ronyram,

 

Thanks for your comment.

 

There should be no issue with password encryption since TruClient records the input of the user on the keyboard. The encryption phase is performed later by the browser, so as long as the password was not changed it is supposed to be OK.

 

What are the errors that you see? In which phase did you record the log-in process, in the Init or in the Action? If you recorded it in the Init, and 'Simulate new user in each iteration' in the RTS is on, the authentication session will end between the Init and Action and it may fail the script.

 

Please try to supply more information on the issue.

 

Thanks

ronyram | ‎09-08-2013 09:04 PM

Thanks Permalink.

 

I have done the recording in Action items. I have done the validation of the script with just Login and Logout functionality to check the password encryption through Ajax Truclient protocol.

 

It validated successfully, but when running the load test I am getting the error. After the login page, it throws an error, and I think it's because of the password encryption.

 

Pls let me know if there is anyway to bypass this.

| ‎09-08-2013 11:12 PM

Hi ronyram,

 

There should not be any issue with the encryption.

What exactly do you mean by "when running the load test"? Do you mean that you are running it in the Controller or in VuGen?

 

What is the error that you see in the log?

 

Can you change the key "PaintWindowsInLoad" in the default.cfg file to 1 (it will enable you to see the browser in load) and see if the login is successful or not?

 

BTW, which TruClient protocol are you using, the FF one or the IE? Which LR version?

 

Thanks

About the Author
Malcolm is a functional architect, focusing on best practices and methodologies across the software development lifecycle.

