Setting SSL-secure connections for communication

Customizing the SSL connection between the agents and the Z controller to which they are connected, when using your certificates (SAF).

About this task

The management of security certificates is different between product versions. Depending on the agent version you choose, you can customize the SSL connection between the agents and Z controller when using your certificates (SAF) or set SSL-secure connections for communication using the default certificates. The main differences between the versions of the agent are as follows:
If you are installing an agent with version later than or equal to 10.2.1
You need to customize the Z controller using the SAF (System authorization facility) interface, the agent certificates and the configuration file. For more information, see Customizing the SSL connection between the agents and Z controller when using your certificates (SAF).
If you are installing an agent with version earlier than or equal to 10.2.0
You can either use default certificates or create your own. For more information, see Setting SSL-secure connections for communication using the default certificates.

Customizing the SSL connection between the agents and Z controller when using your certificates (SAF)

About this task

To communicate, the HCL Workload Automation Agents (z-centric agents) and the Z controller use the HTTPS protocol. The communication process uses the certificates obtained by customizing the Z controller using the SAF (System authorization facility) interface. In addition to customizing those certificates, you need to customize the agent certificates and the configuration file. To enable SSL communication, perform the following steps:

Procedure

  1. Generate the distributed certificates for the agent. Consider the following example commands: 
    openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes –key ca.key -subj "/CN=<common_name>" 
-days 3650 -out ca.crt 
openssl genrsa -des3 -out tls.key 4096
openssl req -new -key tls.key -out tls.csr
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial 
-out tls.crt -extfile /etc/pki/tls/openssl.cnf -extensions v3_req
  2. Store the resulting ca.crt, tls.crt, and tls.key files on the agent in a folder of your choice. When running the twsinst script to install the agent, specify that folder with the sslkeysfolder parameter.
  3. Generate a z/OS certificate as follows:
    1. Create a z/OS certificate and save it with the .crt extension.
    2. Export the certificate in ASCII mode to the distributed environment.
    3. On the workstation where you plan to install the agent, create a folder named additionalCAs nested in the folder where you previously stored the distributed certificates created in step 2.
    4. Store the certificate in the additionalCAs folder. The additionalCAs folder must also contain the public key certificate or public certificate chain of the Z controller SSL key ring.
  4. Import the distributed certificates (ca.crt and tls.crt) in the z/OS environment in ASCII mode.
  5. Install the agent by running the twsinst script and specifying the sslkeysfolder and sslpassword parameters. Consider the following example: 
    ./twsinst -agent zcentric -new -uname <agent_name> -acceptlicense yes 
-addjruntime true -inst_dir <inst_dir> -jmport xxxxx -jmportssl true -sslkeysfolder <path_to_distr_cert> 
-sslpassword <keystore_password>
    where:
    agent zcentric
    Installation of the z-centric agent.
    new
    A fresh installation of the agent.
    uname
    Name of the user for which the agent is being installed.
    acceptlicense
    Whether to accept the License Agreement.
    addjruntime
    Adds the Java™ run time to run job types with advanced options, both those types that are supplied with the product and the additional types that are implemented through the custom plug-ins.
    inst_dir
    Folder of the agent installation.
    jmport
    JobManager port number used by the Z controller to connect to the agent.
    jmportssl
    Type of connection to be initiated between the controller and the agent on the port defined in the JMPORT parameter. Supported values are true and false.
    sslkeysfolder
    Name and path of the folder on the agent containing certificates. The folder must contain the following items:
    • ca.crt
    • tls.crt
    • tls.key
    • additionalCAs folder
    sslpassword
    Password to access the certificates.

Results

The agent is now completely configured.

Setting SSL-secure connections for communication using the default certificates

About this task

To provide SSL security for an HTTP connection between the Z controller and HCL Workload Automation Agent, set the HTTPS keyword in the ROUTOPTS statement .

At installation time, the default security certificates are automatically stored in the SEQQDATA library:
EQQCERCL
The security certificate for the client.
EQQCERSR
The security certificate for the server.

You can decide to use these default certificates or create your own. However, in a production environment, it is recommended that you customize SSL communication with your own certificates.

In both cases, you need to import them into your security system. If you are using RACF®, you are provided with the EQQRCERT sample job that you can run to import the certificates. To run this job, ensure that you use the same user ID that RACF® associates with the controller started task.

The EQQRCERT job:
  • Copies the EQQCERCL certificate to a temporary sequential data set
  • Copies the EQQCERSR certificate to a temporary sequential data set
  • Imports EQQCERCL to RACF®
  • Imports EQQCERSR to RACF®
  • Deletes the temporary sequential data sets
  • Creates the SAF key ring that is used to connect the imported certificates
  • Updates the RACF® database with the new certificates and key ring