Customizing the SSL connection between the agents and Z controller when using your certificates (USS)

Customizing the SSL connection between the agents and the Z controller to which they are connected, when using your own certificates.

About this task

To communicate, the HCL Workload Automation Agents (z-centric agents) and the Z controller use the HTTPS protocol. The communication uses the certificates that you obtained by customizing the Z controller certificates with the USS (UNIX System Services) component. In addition to customizing those certificates, you need to customize the agent certificates and the agent configuration file. To enable SSL communication, perform the following steps.
  1. Generate a .kdb CMS key store file. This file must contain the agent private key, whose certificate is trusted by the Z controller to which the agent is registered, and the Z controller public key certificate (or the CA certificate that issued it), so that the agent in turn trusts the controller.
  2. Save the password of the key store in a stash file with the same name as the file that you generated in step 1 and the extension .sth. The stash file only obfuscates the password, so protect it with the same file permissions as the key store itself.
  3. Edit the ita.ini agent configuration file by setting the following properties to the values specific for your environment:
    cert_label=<label_agent_private_key>
    key_db_name=<file_name>
    key_repository_dir=<directory>
    tcp_port=<tcp_port_value>
    ssl_port=<ssl_port_value>
    verify_cn_string=<common_name>
    Where:
    label_agent_private_key
    Label of the agent private key to use for the connection. The default is client.
    file_name
    Name of the key store file, without its extension. The default value is TWSClientKeyStore.
    directory
    Name of the folder that contains the files generated in step 1 and in step 2. The default path is /opt/HCL/TWA_<TWS_user>/TWS/ITA/cpa/ita/cert.
    tcp_port_value
    TCP/IP port value. Specify 0, so that the agent does not open a non-SSL listening port.
    ssl_port_value
    Port on which the agent listens for SSL connections. Use the value that tcp_port had before you set it to 0. For example, if the TCP/IP port value was 31114, specify 31114.
    common_name
    HCL Workload Automation for Z always checks the validity of the peer certificate and verifies that it was issued by a recognized CA. If you also set the verify_cn_string parameter, HCL Workload Automation for Z verifies that the Common Name (CN) of the certificate Subject matches the common_name that you set here. If verify_cn_string is not set, any peer certificate issued by a recognized CA is accepted.

    This setting is valid for both dynamic and z-centric agents. To make the changes effective, you must restart the agent.

    To restrict the connection to TLS 1.2, add the following properties to the [ITA SSL] section of the ita.ini file (NONE offers no ciphers for that protocol version, which disables it; DFLT keeps the default cipher list):
    sslv3_cipher = NONE
    tls10_cipher = NONE
    tls11_cipher = NONE
    tls12_cipher = DFLT
  4. Stop the agent with the following command:
    ShutDownLwa
  5. Restart the agent with the following command:
    StartUpLwa
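The following script is an added example written for this page; it is not tooling shipped with HCL Workload Automation. It automates steps 1 to 5 on the agent host and adds the checks a practitioner would run before restarting: that tcp_port is really 0, that the legacy protocol versions are off, that verify_cn_string is set, and that the .kdb and .sth files exist and are not readable by other users. It assumes that ita.ini is INI-style with a [ITA SSL] section (the page places the cipher settings there; placing tcp_port and ssl_port in [ITA] and the key store properties in [ITA SSL] is an assumption to adapt to your file), that the IBM GSKit command gsk8capicmd_64 is on the PATH, and that the agent key pair is delivered as a PKCS#12 file. The gsk8capicmd_64 invocations are written from the GSKit 8 command syntax and should be checked against the version installed with your agent.

```shell
#!/bin/sh
# Added example, not HCL-supplied tooling: scripts steps 1-5 of the procedure and
# verifies the result. Section names other than [ITA SSL], the PKCS#12 delivery of
# the agent key pair and the presence of gsk8capicmd_64 are assumptions.
set -eu

# set_ini_prop FILE SECTION KEY VALUE: replace KEY inside [SECTION] (dropping
# duplicates), append it at the end of that section if absent, or create the section.
set_ini_prop() {
  _tmp=$(mktemp)
  awk -v sec="[$2]" -v key="$3" -v val="$4" '
    function emit_missing() { if (insec && !done) { print key " = " val; done = 1 } }
    /^\[.*\]$/ { emit_missing(); insec = ($0 == sec); if (insec) seen = 1 }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { if (!done) { print key " = " val; done = 1 }; next }
    { print }
    END { emit_missing(); if (!seen) { print sec; print key " = " val } }
  ' "$1" > "$_tmp"
  mv "$_tmp" "$1"
}

# get_ini_prop FILE SECTION KEY: print the value, or nothing if the key is unset.
get_ini_prop() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[.*\]$/ { insec = ($0 == sec); next }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# create_keystore DIR NAME KDB_PW CA_PEM CLIENT_P12 P12_PW P12_LABEL AGENT_LABEL
# Steps 1 and 2: a CMS key store with its .sth stash file, the controller/CA
# certificate the agent must trust, and the agent private key imported under the
# label that cert_label will name. Passwords given on the command line are visible
# in ps output, so run this interactively rather than from a shared script.
create_keystore() {
  gsk8capicmd_64 -keydb -create -db "$1/$2.kdb" -pw "$3" -type cms -stash
  gsk8capicmd_64 -cert -add -db "$1/$2.kdb" -stashed -label ZControllerCA -file "$4" -format ascii
  gsk8capicmd_64 -cert -import -db "$5" -pw "$6" -type pkcs12 -label "$7" \
    -target "$1/$2.kdb" -target_stashed -target_type cms -new_label "$8"
  chmod 600 "$1/$2.kdb" "$1/$2.sth"   # the stash file only obfuscates the password
  gsk8capicmd_64 -cert -list -db "$1/$2.kdb" -stashed
}

# configure_agent_ssl INI KEYDIR KEYNAME LABEL SSL_PORT CN: step 3 plus the TLS 1.2 policy.
configure_agent_ssl() {
  set_ini_prop "$1" ITA tcp_port 0                # no non-SSL listener
  set_ini_prop "$1" ITA ssl_port "$5"             # the port tcp_port had before
  set_ini_prop "$1" "ITA SSL" key_repository_dir "$2"
  set_ini_prop "$1" "ITA SSL" key_db_name "$3"    # file name without .kdb/.sth
  set_ini_prop "$1" "ITA SSL" cert_label "$4"
  set_ini_prop "$1" "ITA SSL" verify_cn_string "$6"
  for k in sslv3_cipher tls10_cipher tls11_cipher; do
    set_ini_prop "$1" "ITA SSL" "$k" NONE         # legacy protocol versions off
  done
  set_ini_prop "$1" "ITA SSL" tls12_cipher DFLT
}

# verify_ssl_config INI: returns 1 if a plain port is still open, a legacy protocol
# is still enabled, or the peer CN is not pinned (then any cert from the CA passes).
verify_ssl_config() {
  [ "$(get_ini_prop "$1" ITA tcp_port)" = 0 ] || { echo "tcp_port is not 0" >&2; return 1; }
  [ -n "$(get_ini_prop "$1" ITA ssl_port)" ] || { echo "ssl_port is not set" >&2; return 1; }
  for k in sslv3_cipher tls10_cipher tls11_cipher; do
    [ "$(get_ini_prop "$1" "ITA SSL" "$k")" = NONE ] || { echo "$k is not NONE" >&2; return 1; }
  done
  [ "$(get_ini_prop "$1" "ITA SSL" tls12_cipher)" = DFLT ] || { echo "tls12_cipher is not DFLT" >&2; return 1; }
  [ -n "$(get_ini_prop "$1" "ITA SSL" verify_cn_string)" ] || { echo "verify_cn_string is unset" >&2; return 1; }
}

# check_keystore DIR NAME: both files from steps 1 and 2 exist and the stash file
# is readable by its owner only.
check_keystore() {
  for ext in kdb sth; do
    [ -f "$1/$2.$ext" ] || { echo "missing $1/$2.$ext" >&2; return 1; }
  done
  mode=$(stat -c %a "$1/$2.sth" 2>/dev/null || stat -f %Lp "$1/$2.sth" 2>/dev/null || echo unknown)
  case $mode in
    600|400) return 0 ;;
    *) echo "$1/$2.sth has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# Steps 4 and 5: the settings take effect only after a restart.
restart_agent() { ShutDownLwa; StartUpLwa; }

# Usage (as the agent user): agent_ssl.sh apply INI KEYDIR KEYNAME LABEL SSL_PORT CN
if [ "${1:-}" = apply ]; then
  shift
  check_keystore "$2" "$3"
  configure_agent_ssl "$@"
  verify_ssl_config "$1"
  restart_agent
fi
```

Run create_keystore once by hand with your CA file and PKCS#12, then `agent_ssl.sh apply` with the ita.ini path, the key store directory and name, the label you gave with -new_label, the former tcp_port value and the controller certificate CN. The script refuses to restart the agent if any check fails, so a typo in the cipher properties or a stash file left world-readable is caught before the agent comes back up without SSL.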

After you complete the procedure, import the certificates on the Z controller side into either a RACF key ring or a key store created in UNIX System Services, depending on the certificate storage method you use. Refer to the RACF or the UNIX System Services documentation for the method you chose.