Customizing the SSL connection between the agents and Z controller when using your certificates (USS)
Customizing the SSL connection between the agents and the Z controller to which they are connected, when using your own certificates.
About this task
To communicate, the HCL Workload Automation Agents (z-centric agents) and the Z controller use the HTTPS protocol. The communication uses the certificates that you obtained when customizing the Z controller certificates with the USS (UNIX System Services) component. In addition to customizing those certificates, you must customize the agent certificates and the agent configuration file.
To enable SSL communication, perform the following steps.
- Generate a .kdb CMS key store file. This file must contain the agent private key (with its certificate), which the Z controller to which the agent is registered must trust, and the Z controller public certificate, which enables the agent to trust the controller.
- Save the password of the key store in a stash file with the same name as the file that you generated in step 1, and give it the extension .sth.
- Edit the ita.ini agent configuration file by setting the following properties to the values specific for your environment:
    cert_label=<label_agent_private_key>
    key_db_name=<file_name>
    key_repository_dir=<directory>
    tcp_port=0
    ssl_port=<ssl_port_value>
    verify_cn_string=<common_name>
  Where:
- label_agent_private_key
- Label of the agent private key that you want to use to communicate. The default is client.
- file_name
- Name of the key store file, without its extension. The same name is used for the .kdb file and for the .sth stash file. The default value is TWSClientKeyStore.
- directory
- Name of the folder that contains the files generated in step 1 and in step 2. The default path is /opt/HCL/TWA_<TWS_user>/TWS/ITA/cpa/ita/cert.
- tcp_port
- TCP/IP port value. Specify 0, so that the agent listens only on the SSL port.
- ssl_port_value
- The port on which the agent listens for SSL connections. Use the TCP/IP port value that the agent used before you set tcp_port to 0. For example, if the TCP/IP port value was 31114, specify 31114.
- common_name
- HCL Workload Automation for Z checks the validity of the certificate and verifies that the peer certificate has been issued by a recognized CA. If you set the verify_cn_string parameter, HCL Workload Automation for Z additionally verifies that the Common Name (CN) of the certificate Subject matches the common_name that you set in this parameter. If you do not set it, any valid certificate issued by a recognized CA is accepted as the peer, so set it to the CN of the Z controller certificate.
This setting is valid for both dynamic and z-centric agents. To make the changes effective, you must restart the agent.
To restrict the connection to TLS v1.2, add the following properties to the [ITA SSL] section of the ita.ini file:
    sslv3_cipher = NONE
    tls10_cipher = NONE
    tls11_cipher = NONE
    tls12_cipher = DFLT
- Stop the agent with the following command:
ShutDownLwa
- Restart the agent with the following command:
StartUpLwa
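The following Python script is an added example, not HCL Workload Automation code. It checks an ita.ini [ITA SSL] section against the settings in the steps above: it parses the section with the standard library, flags a non-zero tcp_port, a missing verify_cn_string, a key_db_name given with its extension, legacy protocol ciphers not set to NONE, a tls12_cipher other than DFLT, and optionally checks that the .kdb and .sth pair exists in key_repository_dir. The two embedded ita.ini fragments are constructed for illustration; the TWS user name tws and the common name zcontroller.example.com are hypothetical, and the script assumes ita.ini is plain INI text with key = value lines under an [ITA SSL] header.

```python
"""Lint an ita.ini [ITA SSL] section against the procedure above.

Added example, not part of HCL Workload Automation. The two ita.ini fragments
below are constructed; TWS_user "tws" and the CN are hypothetical values.
Assumes ita.ini is standard INI text (key = value under an [ITA SSL] header).
"""
import configparser
import os
from typing import Dict, List

# Constructed sample: a weak configuration (non-SSL port still open, TLS 1.0
# allowed, no CN pinning, key store name given with its extension).
WEAK_INI = """
[ITA SSL]
cert_label = client
key_db_name = TWSClientKeyStore.kdb
key_repository_dir = /opt/HCL/TWA_tws/TWS/ITA/cpa/ita/cert
tcp_port = 31114
ssl_port = 31114
tls10_cipher = DFLT
tls12_cipher = DFLT
"""

# Constructed sample: the same agent configured as the procedure describes.
HARDENED_INI = """
[ITA SSL]
cert_label = client
key_db_name = TWSClientKeyStore
key_repository_dir = /opt/HCL/TWA_tws/TWS/ITA/cpa/ita/cert
tcp_port = 0
ssl_port = 31114
verify_cn_string = zcontroller.example.com
sslv3_cipher = NONE
tls10_cipher = NONE
tls11_cipher = NONE
tls12_cipher = DFLT
"""

# Protocol cipher lists that the procedure sets to NONE to leave only TLS 1.2.
LEGACY_CIPHER_KEYS = ("sslv3_cipher", "tls10_cipher", "tls11_cipher")


def parse_ita_ssl(text: str) -> Dict[str, str]:
    """Return the [ITA SSL] section as a dict of lower-cased keys (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ITA SSL"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("ITA SSL")}


def lint_ita_ssl(section: Dict[str, str], check_files: bool = False) -> List[str]:
    """Return findings; an empty list means the section matches the procedure."""
    findings: List[str] = []
    for required in ("cert_label", "key_db_name", "key_repository_dir", "ssl_port"):
        if not section.get(required):
            findings.append(f"{required} is not set")
    name = section.get("key_db_name", "")
    if name.lower().endswith((".kdb", ".sth")):
        findings.append("key_db_name must be given without its extension")
    if section.get("tcp_port") != "0":
        findings.append("tcp_port must be 0 so the agent listens only on the SSL port")
    ssl_port = section.get("ssl_port", "")
    if not ssl_port.isdigit() or ssl_port == "0":
        findings.append("ssl_port must be the agent's non-zero listening port")
    if not section.get("verify_cn_string"):
        findings.append("verify_cn_string is not set: any certificate issued by a "
                        "recognized CA would be accepted as the controller")
    for key in LEGACY_CIPHER_KEYS:
        if section.get(key, "").upper() != "NONE":
            findings.append(f"{key} must be NONE to restrict the connection to TLS 1.2")
    if section.get("tls12_cipher", "").upper() != "DFLT":
        findings.append("tls12_cipher must be DFLT")
    # Step 1 and step 2 produce <name>.kdb and <name>.sth in key_repository_dir.
    if check_files and name and section.get("key_repository_dir"):
        for ext in (".kdb", ".sth"):
            path = os.path.join(section["key_repository_dir"], name + ext)
            if not os.path.isfile(path):
                findings.append(f"missing key store file {path}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        problems = lint_ita_ssl(parse_ita_ssl(text))
        print(f"{label}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for problem in problems:
            print("  -", problem)
```

Run it against a real agent with check_files=True after steps 1 and 2 to confirm that the .kdb and .sth files share the name given in key_db_name; the file check is off by default so the constructed samples run without a key store on disk.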
After you complete the procedure, import the certificates into a RACF key ring or into a key store created in UNIX System Services, depending on the certificate storage method you use. Refer to the RACF or the UNIX System Services documentation, as appropriate.