Article

(View Disclaimer)

Introduction

Prior to LoadRunner Version 9.0, binding to an LDAP server using SSL (Secure Socket Layer) was not supported. In LoadRunner 9, there is option in the LDAP C API mldap_logon(), to provide a certificate store cert8.db as parameter, in order to connect to the LDAP server over SSL.

For any LDAP-related operations in eDirectory, you normally use the LDAP Server Certificate, which is signed by the Organizational CA. This certificate can be exported to Client machine using iManager. This certificate is in .der or .b64 format. But Loadrunner's API requires a certificate store (database) consisting of an Organizational CA certificate of eDirectory (cert8.db).

This article provides easy steps to get the certificate store and then bind to eDirectory over SSL.

Prerequisites

• eDirectory should be installed.
• LoadRunner9 should be installed on a Windows PC (e.g., Win 2000 AS).
• Mozilla's NSS tool should be installed on the Windows Machine (LoadRunner Controller Machine).

Why Bind over SSL using LoadRunner9?

In order to perform a system test, such as a Reliability, Scalability, or Stress test, you need to run a Bind Test. This Bind test should be performed over SSL (Secure Connection) and without SSL. If you want to use LoadRunner's C LDAP APIs (#include "mic_ldap.h"), you need to use mldap_logon() API Call and provide the SSL certificate store.

Required Steps

The Organizational CA’s Digital certificate should be present in Client's Trusted Store so the Client can trust any Service (such as eDirectory’s LDAP Server) whose certificates are signed by this Organizational CA. For example, Novell's or Goggler's Digital Certificate is stored in Firefox or IE when browsing the https site for the first time. The certificate for the Organizational CA is automatically created using PKI module when eDirectory is configured.

In order to connect to eDirectory using SSL, you need to provide the cert8.db (SslCertDir as a parameter to mldap_logon API of LoadRunner). The cert8.db is a database for certificates. After it is created, an OrgCA certificate from eDirectory should be added to it.

Steps in Brief

- On the Client machine (say, 164.99.161.27, from where I want to bind to eDirectory on 164.99.156.185), go to iManager > Novell Certificate Access > Server Certificate.

- Get Organizational CA certificate in .der format.

- Open this cert.der certificate on a Windows machine and convert it into base64 format.

- From this step, you will get one certificate cert185.cer in client machine.

- Save this cert185.cer in any folder.

- Create the Certificate Store (cert8.db) using certutil and add this newly created certificate to it.

- Provide the cert8.db as a parameter to the LDAP API.

Steps in Detail

1. Log in to eDirectory (for example, 164.99.156.185) through iManager.

Click to view.

2. Go to Novell Certificate Access > Server Certificates.

Click to view.

3. Check SSL-CertificateDNS and then click Validate.

Click to view.

4. Click Export.

Click to view.

5. Click Save to save the exported certificate.

Click to view.

6. Click Save again.

Click to view.

7. Save the cert.der file in any folder, such as c:\ashcert.

Click to view.

8. Click Open to open the certificate.

Click to view.

9. Click the Details tab.

Click to view.

10. Click Copy to File

Click to view.

11. Click Next.

Click to view.

12. Select the Base-64 encoded X.609 (.CER) radio button and click Next.

Click to view.

13. Save this .cer file in any location, such as c:\ashcert

Click to view.

14. Click Next.

Click to view.

15. Click Next again.

Click to view.

16. Click OK.

Click to view.

17. Get the nss3.9 tool. This is a Mozilla tool with various certificate-related tools, including certutil.exe. At this point, the client still does not have any Certificate Store, so you need to create the cert8.db. To do this,

a. Create a folder on the C: drive, such as c:\ashishcert\
b. Run "certutil -N -d c:\ashishcert" This command will create 3 files: cert8.db, key3.db, and secmod.db, inside the folder you specified (c:\ashishcert).

Click to view.

Now the certificate store is created.

18. Put the cert185.cer certificate into the cert8.db using the following command:

certutil -A -n <AnyNameForCert> -t "p,p,p" -i <.cer file with path> -d <Directory of cert8.db>

19. To verify that the certificate has been added properly, use the following command:

certutil -L -d  

Thats it! Now you can use this cert8.db file to bind to eDirectory over SSL. To use another client as a Load Generators, copy this cert8.db file to the other client machine in the same folder (c:\ashishcert). The bind also will happen successfully from other clients.

Connecting to eDirectory using Load Runner LDAP APIs

In order to connect to eDirectory using the LDAP APIs of LoadRunner, use this command:

 mldap_logon("Admin Bind Using SSL", bindcontext, "SslCertDir=C:\\ashishcert", LAST) 

Note: You should use a double slash (\\) for directories; otherwise, you may get errors.

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.