Connection security overview

HCL Workload Automation provides a secure, authenticated, and encrypted connection mechanism for communication based on the Secure Sockets Layer (SSL) protocol, which is automatically installed with HCL Workload Automation.

HCL Workload Automation also provides default certificates to manage the SSL protocol that is based on a private and public key methodology.

When configuring security and authentication, you can choose between using Java Web Token (JWT) or certificates, either default or custom. For more information, see Configuring security using Java Web Token (JWT) or Configuring security with default and custom certificates.

Configuring security using Java Web Token (JWT)

JWT ensures mutual authentication between master domain manager and dynamic agents. Using JWT is easier and more immediate than downloading and maintaining certificates and, in a containerized environment, you no longer need to configure the ingress controller for SSL passthrough. For more information about JWT on containers, see the Ingress controller section in HCL Workload Automation Server.

For more information about configuring security and authentication, see Connection security overview.

To download the JWT on your dynamic agents at installation time, use the jwt parameter as explained in Agent installation parameters - twsinst script. You can also download the JWT at a later time as explained in Certificates download to dynamic agents - AgentCertificateDownloader script.

You can find some installation examples in Example installation commands

Configuring security with default and custom certificates

If you do not customize SSL communication with your certificates, to communicate in SSL mode, HCL Workload Automation uses the default certificates that are stored in the default directories, as explained in SSL connection by using the default certificates. However, in a production environment, it is recommended that you customize SSL communication with your own certificates.

You can optionally generate your SSL certificates automatically when you perform a fresh installation from the CLI using either .PEM or .jks files, as described in Installing the master domain manager and backup master domain manager, Installing the Dynamic Workload Console servers, and Installing agents.

When you perform a fresh installation, you only need to provide either .PEM or .jks files, specify the directory where the files are located on the master domain managerand the password you want to use for the keystore and truststore.

If you have previously installed dynamic agents, you can run the AgentCertificateDownloader script on the agent. The script connects to the master domain manager, downloads the certificates in .PEM format, and deploys them to the agent. The certificates must be available on the master domain manager in a specific path. For more information, see Certificates download to dynamic agents - AgentCertificateDownloader script.

The installation program automatically generates the certificates. If you choose to use .PEM files, your whole environment is automatically and completely set up in SSL using your custom certificates.

If you use .jks files, SSL communication is enabled within the fault-tolerant agent network, but configured to use the default certificates. You can manually change the certificates for the fault-tolerant agents afterwards. For more information, see Scenario: SSL Communication across the fault-tolerant agent network.

Note: using .jks files is supported but not recommended because it involves several manual steps, which might lead to errors, while the fully automatic procedure with .PEM files is the recommended method.

If you are upgrading from a previous version, or did not use the SSL parameters when performing a fresh installation of Version 9.5, Fix Pack 3 or later, you can customize SSL communication with your own certificates as explained in the following scenarios: