BPM

Problems recording HTTPS with VuGen

Problems recording HTTPS with VuGen

Recently a client had an urgent request to monitor a HTTPS URL due to poor availability and performance. No problem, give me the URL and I’ll have the monitor set up and running in 10 minutes. However, a simple task turned into an investigation of Vugen certificates and Windows security patching.

For any HTTPS request Vugen would not show any events after code generation and the recording browser would show:

The recording environment was:

  • Vugen 11.04
  • Windows XP
  • Internet Explorer 7

As HTTPS requests worked from normal browsing the problem pointed towards a Certificate issue somewhere between Vugen and the requested site. Investigation discovered that a recent Windows Security patch (http://support.microsoft.com/kb/2661254) now blocks all RSA certificates less than 1024 bits long.

This is a problem for Vugen as it uses RSA private key of length 512 bits in files wplusCA.crt and wplusCAOnly_.crt.

Note: In Vugen 11.50 these files are called 1.wplusCA_Expiration_2020.crt and wplusCAOnly_Expiration_2020.crt.

You can find the Vugen certificates in the following directory:

<LoadRunner installation folder>\bin\certs\

Fortunately HP are aware of the problem and have issued the following critical updates to increase the private key length to 2048 bits:

Note you will need a valid HP Support account to download these patches.

Tech tips from JDS

Posted by David Batty in Tech Tips, 7 comments
Monitoring Active Directory accounts with HP BAC

Monitoring Active Directory accounts with HP BAC

Lately we’ve had an annoying problem of an Active Directory (AD) account that is used for our HP Business Process Monitor (BPM) scripts getting locked at random times. Because it’s an intermittent problem, it’s hard to track down where the request is coming form.

I wasn’t getting alerted straight away of login failure because of how slowly the AD replication works at the site I was on. The account will keep on working for most BPM’s for up to a day after the original failure and alerts don’t get sent out until it’s too late to check the domain controller logs for the original lock.

One of the Active Directory sysadmins sent me a Microsoft program called lockoutstatus.exe. This tool queries the domain controllers and reports on if the account is locked out and for how long it has been locked out. Unfortunatly this only lets you check the problem re-actively instead of proactively. So I thought that maybe we could monitor the lockout status by using a BPM, recorded in the LDAP recording protocol.

Recording lockoutstatus.exe showed many hits other DCs as well as additional search functions, but we’re just interested in the bind (mldap_logon_ex function) and the search query (mldap_search_ex function). The “SaveAsParam=True” in the mldap_search_ex function saves the LDAP directory entries as parameters, the one that we’re interested in is {mldap_attribute_lockoutTime_1}.

This attribute is the amount in seconds since the account was locked. So if its not 0 we can fail the transaction and have BAC alert on this. We had some spare transactions in our BAC prod environment, while we worked out the problem, but this might be able to be deployed as a SiteScope VuGen script too if you have a stand alone SiteScope server and are short on BPM licenses.

Here is the code I used:

You will need to put these lines into your globals.h file if you’re creating a script from scratch (this will be done automatically if you do a record using LDAP protocol script):

#include "mic_mldap.h"
MLDAP mldap1;

Put this code into your Action.c or main block and modify the lr_save_string parameters to suit your environment:

Action()
{
      int Locktime;

      lr_start_transaction("LDAP Login and search");

	  lr_save_string("myaccount", "LDAPUser");  // AD account that's authorised to search AD
	  lr_save_string(lr_decrypt("4fc861406e270d5297cb2c4097f8"), "LDAPPass"); // Password for account
	  lr_save_string("dc01.mydomain.com.au", "DCmachine"); // FQDN of the domain controller
	  lr_save_string("lockoutaccount", "SearchUser");  // Account that's being monitored for lockout
	  lr_save_string("mydomain.com.au", "SearchUserDomain");  // Domain for the account that's being monitored for lockout

      mldap1 = 0;

	// Logon to Active Directory or LDAP

      mldap_logon_ex(&mldap1,
                     "LdapLogon",
                     "URL=ldap://{LDAPUser}:{LDAPPass}@{DCmachine}",
                     "Version=3",
                     LAST);
	// Execute seach

      mldap_search_ex(&mldap1,
                      "LdapSearch",
                      "Base=CN={SearchUser},OU=Service Accounts,OU=Security Principles,DC={SearchUserDomain},DC"
                      "=subdomain,DC=client,DC=com,DC=au",
                      "Scope=Base",
                      "SaveAsParam=True",
                      "Filter=(objectClass=*)",
                      LAST);

      lr_end_transaction("LDAP Login and search", LR_AUTO);
      lr_start_transaction("Account not locked");

      Locktime = atoi(lr_eval_string("{mldap_attribute_lockoutTime_1}"));

      if (Locktime != 0) {
                       lr_output_message("\n\n Account is locked out \n\n");
                       lr_fail_trans_with_error("Account locked out for %s seconds", lr_eval_string("{mldap_attribute_lockoutTime_1}"));
      }

      lr_end_transaction("Account not locked", LR_AUTO);

	  /* you can put this part outside of the transaction block to save yourself a transaction
	     because we don't care too much if it doesn't logoff gracefully  */
      mldap_logoff_ex(&mldap1);

      return 0;
}

You can gather a large amount of useful information from Active directory using the LDAP protocol. Some other possible applications for the LDAP protocol in VuGen are:

  • monitor accounts which need to have their passwords changed a few weeks beforehand
  • monitor password resets of sensitive accounts
  • generating reports from active directory

 

Posted by Ryan Castles in Tech Tips, 0 comments
VuGen scripting for BMC Remedy Action Request System 7.1

VuGen scripting for BMC Remedy Action Request System 7.1

I recently created some BPM scripts for the BMC Remedy Action Request System 7.1 web client. This Tech Tip contains some of the things that I learnt.

My favourite part of this exercise was proving that the person from BMC who said "we have already tried, and found that it is impossible to script ARS with VuGen" was totally wrong.

Note that the information should be equally relevant whether you are creating VuGen scripts for LoadRunner, or for use as BPMs for BAC.

Read More

Posted by Stuart Moncrieff in Tech Tips, 7 comments
Unique usernames for BPM scripts

Unique usernames for BPM scripts

Imagine that you have created a BPM script that monitors one of your critical business systems from 10 locations around the world. The application only allows users to log on once, so you must find a way to have each location use a different login account for the application.

Unfortunately the most obvious solution (creating a file-based parameter and setting the "username" field to "Select next row: Unique") does not work for BPM scripts, only with LoadRunner.

There are a few different solutions to this problem, each with their own tradeoffs.

Read More

Posted by Stuart Moncrieff in Tech Tips, 7 comments
Why you must add try/catch blocks to Java-based BPM scripts

Why you must add try/catch blocks to Java-based BPM scripts

On very rare occasions, you will find that you need to create a BPM script using a Java-based vuser type instead of a C-based virtual user type. There is one nasty gotcha to keep in mind if you need to do this.

Read More

Posted by Stuart Moncrieff in Tech Tips, 7 comments
DNS-based load balancing for virtual users

DNS-based load balancing for virtual users

In DNS-based load balancing, a website visitor will request a URL (like www.jds.net.au/tech-tips-articles/). Their web browser will do a DNS lookup of the hostname (www.jds.net.au), and the DNS server will return the IP address of one of several web servers; possibly in a round-robin fashion to distribute the load across the servers.

The visitor will usually cache the results of the DNS lookup for a period of time (30 minutes in Internet Explorer), so their requests will all be sent to the same web server (this is a good example of the fact that "load balancing" is not the same thing as "high availability").

But what if you want to ensure that all your virtual users in a load test are spread evenly across the web servers, or what if you want to have a BPM script check each web server in turn?

This is where you have to get a little sneaky...

Read More

Posted by Stuart Moncrieff in Tech Tips, 7 comments
What’s new in LoadRunner 9.50?

What’s new in LoadRunner 9.50?

LoadRunner 9.5 was released today and the focus has been on refining current functionality rather than adding completely new features.

This is not meant to be an exhaustive list (or a replication of the readme file), but it covers the features that I think are significant, and also my impressions after a day of using the tool.

For those who want the executive summary, LoadRunner now works on Vista, and has an agent for the RDP vuser type. The biggest new feature is the protocol detection feature in VuGen. For those who want a more detailed analysis, read on...

Read More

Posted by Stuart Moncrieff in Tech Tips, 7 comments
The “is it done yet” loop

The “is it done yet” loop

Occasionally you will find that you must write some code in VuGen to continuously check that the system has completed something, before you continue.

Two examples that I have found recently were:

Read More

Posted by Stuart Moncrieff in Tech Tips, 7 comments
Why your BPM scripts should use Download Filters

Why your BPM scripts should use Download Filters

Recently JDS was given a good reminder of why VuGen's Download Filters are an important product feature.

Someone created a BPM script to monitor the performance and availability of the JDS website.

Suddenly our website traffic looked like this on Google Analytics...

Read More

Posted by Stuart Moncrieff in Tech Tips, 7 comments