Configuring SSL attributes

Use the composer command line or the Dynamic Workload Console to update the workstation definition in the database. See for further information.

Configure the following attributes:
secureaddr
Defines the port used to listen for incoming SSL connections. This value is read when the securitylevel attribute is set.
For workload broker workstations
Ignore this attribute.
For remote engine workstations using HTTPS protocol to communicate with the remote engine
Specify the HTTPS port number of the remote engine.
For other types of workstations
Specify the value assigned in the localopts file for variable nm ssl port. The value must be different value from the value assigned to nm port variable in the localopts file.

If securitylevel is specified, but this attribute is missing, the default value for this field is 31113. Specify a value in the range from 1 to 65535.

See Setting local options for information about SSL authentication and local options set in the TWS_home/localopts configuration file.
securitylevel
Specifies the type of SSL authentication for the workstation. Do not specify this attribute for a workstation with type broker. It can have one of the following values:
enabled
The workstation uses SSL authentication only if its domain manager workstation or another fault-tolerant agent below it in the domain hierarchy requires it.
on
The workstation uses SSL authentication when it connects with its domain manager. The domain manager uses SSL authentication when it connects to its parent domain manager. The fault-tolerant agent refuses any incoming connection from its domain manager if it is not an SSL connection.
force
The workstation uses SSL authentication for all of its connections and accepts connections from both parent and subordinate domain managers.
force_enabled
The workstation uses SSL authentication for all of its connections to all target workstations which are set to this value. The workstation tries to establish a connection in FULLSSL mode and, if the attempt fails, it tries to establish an unsecure connection. If you plan to set different security levels between master domain manager and fault-tolerant agents, ensure all these components are at version 95 Fix Pack 4 or later. For versions earlier than 95 Fix Pack 4, the same security level is required for master domain manager and fault-tolerant agents.

If this attribute is omitted, the workstation is not configured for SSL connections and any value for secureaddr is ignored. Make sure, in this case, that the nm ssl port local option is set to 0 to ensure that netman process does not try to open the port specified in secureaddr. See Setting local options for information about SSL authentication and local options set in the TWS_home/localopts configuration file.

The following table describes the type of communication used for each type of securitylevel setting.
Table 1. Type of communication depending on the security level value
Value set on the Fault-tolerant Agent (or the Domain Manager) Value set on its Domain Manager (or on its Parent Domain Manager) Type of connection established
Not specified Not specified TCP/IP
Enabled Not specified TCP/IP
On Not specified No connection
Force Not specified No connection
Not specified On TCP/IP
Enabled On TCP/IP
On On SSL
Force On SSL
Not specified Enabled TCP/IP
Enabled Enabled TCP/IP
On Enabled SSL
Force Enabled SSL
Not specified Force No connection
Enabled Force SSL
On Force SSL
Force Force SSL
The value for securitylevel is not specified for dynamic workload broker workstations.
The following example shows a workstation definition that includes the security attributes:
cpuname MYWIN
os WNT
node apollo
tcpaddr 30112
secureaddr 32222
for maestro
autolink off
fullstatus on
securitylevel on
end