JDS Australia » Tech Tips » Client-side certificates for VuGen

Client-side certificates for VuGen

May 29th, 2009 Posted by Daniel La No Comments »

Client-side certificates are a way to more securely identify a user of a web application. VuGen supports client-side certificates, but there are one or two gotchas…

To use a certificate, you call web_set_certificate_ex function. This function can either use a certificate that is on the file system (using the CertFilePath argument), or a certificate that has been installed in Internet Explorer (using the CertIndex argument).

It is always preferred to reference a certificate file that is on the local filesystem, as referencing a certificate installed in Internet Explorer has several disadvantages:

  • If you are using it with LoadRunner, all virtual users will use the same certificate
  • If you are using it with a BPM script, the certificate is only available to the user account that you installed the certificate with. i.e. if you log in as “daniel” and install a certificate, but your BPM runs under the “system” account, then the script will not be able to reference the certificate.
  • If you have multiple BPMs, the certificate must be installed in the same order on each computer (so the CertIndex argument is the same on each).

Client-side certificates come in a variety of formats. VuGen supports PEM or ASN1 (sockets replay only, not WinInet), but certificates in other formats should be able to be converted to a usable format.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

/* 
Digital certificate - .pfx file was supplied by technical team.
Steps required to get this to work:
 
1. Import certificate into IE -> Tools -> Internet Options -> Content -> Certificates. 
Under Personal tab click import and find the .pfx file. Click Next and make sure you 
click on "Mark this key as exportable..." then hit next again. Place the cert under 
Personal.
 
2. Export the cert, select to export the private key. Select include all certificates, 
and uncheck strong protection. Leave password blank and export it as a pfx file.
 
3. In a dos prompt, go to LR bin directory and run:
 
<LR_HOME>\bin\openssl pkcs12 -in <export pfx> -out <temp>\cert.pem 
 
Press <enter> when prompted for import password.
 
Enter a PEM pass phrase, ie. 1234
 
You should now have a cert.pem file
 
Location of the ipsp.pem is place in the extracted script directory.
If you want to put the certificate somewhere else, you can provide a full
file path to the certificate. e.g. "C:\\BPM\\ipsp.pem"
*/
 
web_set_certificate_ex( 
  "CertFilePath=ipsp.pem",   
  "CertFormat=PEM",
  "KeyFilePath=ipsp.pem",   
  "KeyFormat=PEM", 
  "Password=1234", 
  LAST);

If you have any other tips on using client-side certificates, please leave a comment.

 

Related posts:

  1. Solving VuGen Script Generation Errors On very rare occasions you may encounter a web-based application...
  2. VuGen String Comparison Behaviour Anyone who works with VuGen should know that they should...
  3. Load balancing vusers without a load balancer Recently I ran a test at a company which had...
  4. Think time that cannot be ignored Someone asked me once if there was a way of...
  5. LoadRunner in Windows 7 Windows 7 has finally been released, and I’ve had the...


Bookmark using any bookmark manager!

 

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply