Security for HTTP connections

You can provide security for an HTTP connection between the following components:
  • The Z controller and the HCL Workload Automation Agent (z-centric agent).
  • The Z controller and another Z controller (z/OS remote engine).
  • The Z controller and the dynamic domain manager.
  • The Z controller and the HCL Workload Automation master domain manager (distributed remote engine).
SSL-secure connections are implemented using specific settings in the HTTPOPTS statement, and the HTTPS keyword in the ROUTOPTS statement.
If you use the secure connection with the SSL protocol, you must import the security certificates into your security system.
Note: If you imported the default security certificates during the installation of the previous version of the product, you must remove them and run the EQQRCERT job to import the new certificates. If you already imported the new default security certificates during the installation of the HCL Workload Automation agent for z/OS, then you must not perform this procedure again. Complete the procedure for creating a secure connection by configuring the SSLKEYRING keyword with the value used for installation of the HCL Workload Automation agent for z/OS.
At installation time, the default security certificates are automatically stored in the SEQQDATA library:
EQQCERCL
The security certificate for the client.
EQQCERSR
The security certificate for the server.
You can decide to use these default certificates or create your own. In both cases, you must import them into your security system. If you are using RACF®, you are provided with the sample job EQQRCERT to import the certificates. To run this job, ensure that you use the same user ID that RACF® associates with the controller started task.

If you create your own certificates for an HTTP connection with the master domain manager or with the dynamic domain manager, you must perform the customization steps described in the section about customizing SSL connection to the master domain manager and dynamic domain manager in HCL Workload Automation: Administration Guide. A procedure for creating your own custom self-signed certificates is described in Scenario: configuring TLS with custom self-signed certificates.

If you are using SSL to communicate with a master domain manager, backup master domain manager, or dynamic domain manager, then the prefix of the common name of the controller certificate must be defined in the Broker.AuthorizedCNs option in the BrokerWorkstation.properties file located in the TWA_home/TDWB/config directory of the distributed engine.
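
The following Python check is an added example, not part of the product or its documentation. It verifies that the common name in a controller certificate subject starts with a prefix listed in Broker.AuthorizedCNs. It assumes the option holds a semicolon-separated list and that matching is case-sensitive; the function names, the subject strings, and the properties excerpt are constructed for illustration.

```python
import re

# Constructed excerpt of TWA_home/TDWB/config/BrokerWorkstation.properties.
# The prefixes are sample values; the ';' separator is an assumption.
SAMPLE_PROPERTIES = """\
# BrokerWorkstation.properties (constructed excerpt)
Broker.AuthorizedCNs=Server;ZCTL
"""


def authorized_prefixes(properties_text, key="Broker.AuthorizedCNs"):
    """Return the CN prefixes listed under `key`, or [] if the key is absent or empty."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blank lines and properties-file comments
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return [p.strip() for p in value.split(";") if p.strip()]
    return []


def common_name(subject_dn):
    """Extract the CN value from a comma-separated subject DN (escaped commas kept)."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return None


def cn_is_authorized(subject_dn, properties_text):
    """True when the certificate CN starts with one of the authorized prefixes."""
    cn = common_name(subject_dn)
    if cn is None:
        return False  # a subject without a CN can never match a prefix
    # An empty prefix list authorizes nothing (any() over no items is False).
    return any(cn.startswith(p) for p in authorized_prefixes(properties_text))


if __name__ == "__main__":
    # Constructed subject DNs for a matching and a non-matching controller certificate.
    for dn in ("CN=ZCTL01,OU=Scheduling,O=Example",
               "CN=Other,OU=Scheduling,O=Example"):
        verdict = "authorized" if cn_is_authorized(dn, SAMPLE_PROPERTIES) else "NOT authorized"
        print(f"{dn} -> {verdict}")
```
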

The EQQRCERT job performs the following actions:
  • Copies the EQQCERCL certificate to a temporary sequential data set
  • Copies the EQQCERSR certificate to a temporary sequential data set
  • Imports EQQCERCL to RACF®
  • Imports EQQCERSR to RACF®
  • Deletes the temporary sequential data sets
  • Creates the SAF key ring that is used to connect the imported certificates
  • Updates the RACF® database with the new certificates and key ring