Update Communication Security and System User

During installation of ALM and the Performance Center server and hosts, a Communication Security passphrase is defined which enables secure communication between the Performance Center components and ALM. Performance Center also creates a default system user for use by the Performance Center server, hosts and the Load Generator standalone machines.

Update the Communication Security passphrase

This task describes how to update the Communication Security passphrase on the ALM-Performance Center system components. The Communication Security passphrase must be identical on all of the components of the system.

Update the Communication Security passphrase on ALM

  1. In Site Administration, update the COMMUNICATION_SECURITY_PASSPHRASE default parameter. For details, see Setting ALM Configuration Parameters in the ALM Lab Management Guide.

  2. Restart the HPE Application Lifecycle Management service on the ALM server.

Update the Communication Security passphrase on the Performance Center components

The System Identity Utility is installed on the Performance Center server. You use this utility to update the Communication Security passphrase on the Performance Center server and hosts from one centralized location.

  1. From the Performance Center server installation's bin directory, open the System Identity Utility (<Performance Center server installation directory>\bin\IdentityChangerUtil.exe).

     Note: You can run this utility from any one of the Performance Center servers in the system.

  2. Enter the ALM details to connect to ALM.

     The System Identity Utility opens. For user interface details, see System Identity Utility Window.

  3. In the Communication Security Passphrase section, select Change, and enter the new Communication Security passphrase.

  4. Click Apply.


Change the Performance Center system user

During installation of the server and hosts, a default Performance Center system user, IUSR_METRO (default password P3rfoRm@1nce), is created in the Administrators user group of the server/host machines.

The Performance Center server is installed with the System Identity Utility that enables you to manage the Performance Center system user on the Performance Center server and hosts from one centralized location. Use this utility to update the Performance Center system user name and password.

Note: To prevent security breaches, you can replace Performance Center's default system user by creating a different local system user, or by using a domain user.

When you change the system user, or a user's password, the System Identity Utility updates the Performance Center server and hosts.
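To confirm whether the default account described above is still present on a machine, the following read-only PowerShell check can be run locally on the Performance Center server and each host. It is an added example, not part of the vendor documentation; the function name `Get-PcDefaultUserStatus` and the host names in the closing comment are assumptions.

```powershell
# Added example: report whether the installer-created default account still
# exists, is enabled, and is a member of the local Administrators group.
function Get-PcDefaultUserStatus {
    param([string]$UserName = 'IUSR_METRO')   # default name taken from this page

    $user    = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    $isAdmin = $false
    if ($user) {
        # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
        # so the lookup also works on non-English Windows installations.
        $admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
        $isAdmin = $admins.SID.Value -contains $user.SID.Value
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Account          = $UserName
        Exists           = [bool]$user
        Enabled          = [bool]$user.Enabled
        InAdministrators = $isAdmin
        # A date equal to the installation date suggests the password was never rotated.
        PasswordLastSet  = $user.PasswordLastSet
    }
}

Get-PcDefaultUserStatus

# To sweep several machines over PowerShell remoting (host names are constructed):
# Invoke-Command -ComputerName 'pcs01', 'pchost01' -ScriptBlock ${function:Get-PcDefaultUserStatus}
```

A machine that reports Exists, Enabled and InAdministrators all as True still carries the documented default account with administrator rights and is a candidate for the change procedure that follows.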

To change the system user:

  1. Prerequisites

    • When changing the system user, Performance Center must be down. That is, all users must be logged off the system and no tests may be running.

    • When changing the user password:

      • Ensure that each host is listed in the Machines table under one alias only.

      • In the case of a domain user, when the domain IT team notifies you that the password is to be changed, you need to temporarily change the Performance Center system user on the Performance Center server and hosts to a different user. After the domain IT team has changed the password of the domain user and has notified you of this change, you need to change the Performance Center system user back to the domain user on the Performance Center server and hosts.

    Note:  

    • This utility does not apply changes to UNIX machines, Standalone load generators, or machines that are located over the firewall.

    • When updating the Communication Security passphrase, it is essential that it is updated in ALM as well. This utility applies changes to the Performance Center servers and hosts listed in the Machines grid.

  2. Launch the System Identity Utility on the Performance Center server

    1. In the Performance Center server installation's bin directory, open the System Identity Utility (<Performance Center server installation directory>\bin\IdentityChangerUtil.exe).

    2. Enter the ALM details to connect to ALM.

      The System Identity Utility opens. For user interface details, see System Identity Utility Window.

  3. Change the details of the Performance Center user

    Enter the relevant details to update and click Apply. The utility updates the Performance Center server and hosts, starting with the Performance Center server.

    In the lower part of the utility window, the Machines table displays the status of each machine during the configuration process.

    If the utility is unable to change the user on the Performance Center server, it stops the configuration, rolls back the change, and issues a message explaining why the change cannot be made. Correct the error and click Apply again.

    When configuration completes successfully on the Performance Center server, the utility proceeds with the configuration of the hosts. The utility attempts to configure all the hosts, even if the configuration on one or more hosts is unsuccessful. In this case, after the utility has attempted to configure all the hosts, correct the errors on the failed hosts, and click Reconfigure. The utility runs again on the whole system.


    System Identity Utility Window

    This utility enables you to update the ALM-Performance Center Communication Security passphrase, as well as the Performance Center system user and/or password on the Performance Center server and hosts from one centralized location.

    UI Elements

    Description


    Applies the selected changes on the Performance Center server and hosts, starting with the Performance Center server.


    If, when applying a change, there are errors on any of the Performance Center hosts, troubleshoot the problematic host machines, then click Reconfigure. The utility runs again on the Performance Center server and hosts.

    Performance Center User

    The Performance Center system user details.

    • Change. Enables you to select which detail to change.

      • None. Do not change the user's name or password.

      • Password Only. Enables you to change only the Performance Center system user's password.

        Note: When changing the password:

        • Ensure that each host is listed in the Machines table under one alias only.

        • In the case of a domain user, when the domain IT team notifies you that the password is to be changed, you need to temporarily change the Performance Center system user on the Performance Center server and hosts to a different user. After the domain IT team has changed the password of the domain user and has notified you of this change, you need to change the Performance Center system user back to the domain user on the Performance Center server and hosts.

      • User. Enables you to change the Performance Center system user name and password.

    • Domain\Username. The domain and user name of the Performance Center system user.

    • Password/Confirm Password. The password of the Performance Center system user.

    • Delete Old User. If you are changing the user, this option enables you to delete the previous user from the machine.

      Note: You cannot delete a domain user.

    User Group

    The details of the user group to which the Performance Center system user belongs.

    Group type. The type of user group.

    • Administrator Group. Creates a user in the Administrators group with full administrator policies and permissions.

    • Other. Creates a local group under the Users group, granting policies and permissions as well as other Performance Center permissions.

    Configuration User

    If you are creating a non-administrative Performance Center system user, that is, if you selected Other under User Group, you need to configure a configuration user (a system user with administrative privileges) that the non-administrative Performance Center system user can impersonate when it needs to perform administrative tasks. For details, refer to Change the Performance Center system user.

    If you selected Delete Old User in the Performance Center User area, ensure that the configuration user you are configuring is not the same as the system user you are deleting. Alternatively, do not delete the old user.

    • Domain\Username. The domain and user name of a system user that has administrator privileges on the Performance Center server and hosts.

    • Password/Confirm Password. The password of a system user that has administrator privileges on the Performance Center server and hosts.

    Communication Security Passphrase

    The Communication Security passphrase that enables the Performance Center server and hosts to communicate securely with ALM.

    • Change. Enables you to change the passphrase.

    • New passphrase. The new Communication Security passphrase.

    Note: This passphrase must be identical to the Communication Security passphrase defined in ALM. For details, refer to Update the Communication Security passphrase.

    Machines grid

    The machine configuration settings:

    • Type. Indicates whether the machine type is a Performance Center server or a host.

    • Name. The machine name.

    • Configuration Status. Displays the configuration status on each of the Performance Center components.

      • Configuration complete. The system user configuration was completed.
      • Needs to be configured. The Performance Center server/host is pending configuration. Displayed only after the Performance Center server configuration is complete.
      • Configuring..... The Performance Center server/host is being configured.
      • Configuration failed. The Performance Center server/host configuration failed. The utility displays the reason for failure together with this status.

      Note:

      • If the utility is unable to apply the change on the Performance Center server, the utility stops the configuration, rolls back the change, and issues a message explaining why the change cannot be applied. Correct the error and click Apply again.

      • When configuration completes successfully on the Performance Center server, the utility proceeds with the configuration of the hosts. The utility attempts to configure all the hosts, even if the configuration on one or more hosts is unsuccessful. In this case, after the utility has attempted to configure all the hosts, correct the errors on the failed hosts, and click Reconfigure. The utility runs again on the whole system.

  4. Verify that the system user was changed on the Performance Center server

    1. Open IIS Manager. Under Sites > Default Web Site, choose a virtual directory.

    2. Under Authentication select Anonymous Authentication. Verify that the anonymous user defined was changed for the following virtual directories: PCS, LoadTest and Files (a virtual directory in LoadTest).

    3. Check in the PCQCWSAppPool and LoadTestAppPool application pools that the identity is the Performance Center user.
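The verification in step 4 can also be done without clicking through IIS Manager. The PowerShell below is an added example, not part of the vendor documentation. It reads the anonymous authentication user of the three virtual directories and the identity of the two application pools named above. The account in `$ExpectedUser` is a constructed sample, and the path `LoadTest\Files` is an assumption based on the description of Files as a virtual directory in LoadTest.

```powershell
# Added example: read-only check of the IIS identities listed in step 4.
# Run in an elevated PowerShell session on the Performance Center server.
Import-Module WebAdministration

$ExpectedUser = 'PCHOST01\pc_sysuser'   # assumption: constructed sample account
$Site         = 'Default Web Site'
$VirtualDirs  = 'PCS', 'LoadTest', 'LoadTest\Files'
$AppPools     = 'PCQCWSAppPool', 'LoadTestAppPool'

# Compare on the user name part only, so 'HOST\user', '.\user' and 'user' match.
# The configured value is printed in full so the domain part can be checked by eye.
function Get-LeafName([string]$Account) { ($Account -split '\\')[-1] }

$report = @()
foreach ($vd in $VirtualDirs) {
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$vd" `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'userName'
    # Depending on the attribute, the cmdlet returns a string or an object with .Value.
    $user = if ($raw -is [string]) { $raw } else { $raw.Value }
    $report += [pscustomobject]@{
        Item       = "Anonymous user: $vd"
        Configured = $user
        Match      = (Get-LeafName $user) -ieq (Get-LeafName $ExpectedUser)
    }
}
foreach ($pool in $AppPools) {
    $pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
    $report += [pscustomobject]@{
        Item       = "App pool identity: $pool"
        Configured = "$($pm.identityType): $($pm.userName)"
        # A pool that still runs as a built-in identity reports an empty userName.
        Match      = ($pm.identityType -eq 'SpecificUser') -and
                     ((Get-LeafName $pm.userName) -ieq (Get-LeafName $ExpectedUser))
    }
}

$report | Format-Table -AutoSize
if ($report.Match -contains $false) {
    Write-Warning 'At least one IIS identity is not the expected system user.'
}
```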


Administer a Performance Center server and host remotely

To perform administrative tasks on the Performance Center server or hosts (such as adding, configuring, or resetting a Performance Center server/host), Performance Center must use a user with administrative privileges. This must be the Performance Center system user with administrative privileges or, if the Performance Center system user is non-administrative, a configuration user.

When the Performance Center system user has administrative privileges and is defined on the remote machine, tasks are performed upon request. After validating the Performance Center system user or configuration user, Performance Center can perform required tasks.


Configure a non-administrator Performance Center system user

For stronger security, you can configure the Performance Center system to use a non-administrator user and a custom group (lockdown mode).

This system user has the same permissions granted to any user in the built-in ‘Users’ group with additional extended rights to Web services and the HPE file system and registry as described below:

  • Added to the built-in system groups Performance Log Users and IIS_IUSRS (on Performance Center server only).
  • The custom group is added to the built-in system groups Distributed COM Users and Users.

With the above-mentioned permissions, a system user cannot perform all of the administrative system tasks. Therefore, when configuring the system to use a non-administrator user, you need to specify a configuration user (a user with administrative privileges that is defined on the Performance Center server and hosts).

Performance Center uses this configuration user when the system requires administrative tasks. Examples include changing a system user, resetting IIS, restarting services, accessing IIS metadata, and configuring DCOM.

After completing such tasks, the system user reverts to the previous user with the limited Performance Center user permissions.

Note: The configuration user is saved in the database, so that whenever an administrative-level system user is required to perform a task, the system automatically uses the configuration user, without prompting for the user's credentials.


Required Policies for the Performance Center System User

This section describes the required policies Performance Center grants automatically to a system user.

Note: This section applies to:

  • An administrative or non-administrative Performance Center user.

  • All Performance Center servers and hosts.

The Performance Center user must be granted all of the following policies:

  • Create global object (SeCreateGlobalPrivilege). For Autolab running Vusers on the Controller.

  • Batch logon rights (SeBatchLogonRight). The minimum policies required to run Web applications.

  • Service logon rights (SeServiceLogonRight). The minimum policies required to run Web applications.

  • Access this computer from the network (SeNetworkLogonRight). The minimum policies required to run Web applications.

  • Log on locally (SeInteractiveLogonRight). Required by infra services. For example, after reboot, the system logs in with the Performance Center system user.

  • Impersonate a client after authentication (SeImpersonatePrivilege). Required for running Performance Center processes under the Performance Center system user.
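To check that a given account holds the six policies listed above, the user rights assignments of a machine can be exported with `secedit` and compared against the list. The PowerShell below is an added example, not part of the vendor documentation. The account name is a constructed sample, and only local group membership is expanded, so rights granted through domain groups are not detected.

```powershell
# Added example; run from an elevated prompt (secedit needs administrator rights).
$Account  = 'PCHOST01\pc_sysuser'   # assumption: constructed sample account
$Required = 'SeCreateGlobalPrivilege', 'SeBatchLogonRight', 'SeServiceLogonRight',
            'SeNetworkLogonRight', 'SeInteractiveLogonRight', 'SeImpersonatePrivilege'

function ConvertTo-Sid([string]$Name) {
    # secedit writes SIDs as "*S-1-..." and some principals as plain account names.
    if ($Name.StartsWith('*')) { return $Name.Substring(1) }
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Name }   # leave unresolvable names as they are
}

$sid = ConvertTo-Sid $Account
# Rights are usually granted through groups: collect the local groups the account
# is a direct member of, plus Everyone (S-1-1-0) and Authenticated Users (S-1-5-11).
$principals = @($sid, 'S-1-1-0', 'S-1-5-11')
$principals += Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID.Value -contains $sid
} | ForEach-Object { $_.SID.Value }

# Export the machine's current user rights assignments and parse "SeX = a,b,c" lines.
$cfg = Join-Path $env:TEMP 'pc-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { ConvertTo-Sid $_.Trim() })
    }
}
Remove-Item $cfg

foreach ($right in $Required) {
    $via = @($rights[$right] | Where-Object { $_ -and $principals -contains $_ })
    [pscustomobject]@{
        Right      = $right
        Granted    = $via.Count -gt 0
        GrantedVia = $via -join ', '   # SID of the account or group holding the right
    }
}
```

Any row with Granted set to False identifies a policy from the list that the account does not hold directly or through a local group on that machine.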
