Customizing TLS to connect components with HCL Workload Automation for Z

Before you begin

To use the secure ciphers that TLS connections require, ensure that z/OS ICSF is up and running. For information about how to install z/OS ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide.

About this task

To customize TLS v1.2 and v1.3 to connect with HCL Workload Automation for Z, perform the following steps:
  1. Specify the following statement in the started task, job, or TSO logon procedure of each component that you want to connect:
    //STDENV DD card
    Add this DD card to point to a PDS member (for example, a member of the PARMLIB) in which you specify the values of the environment variables that you need. For example: //STDENV DD DISP=SHR,DSN=TWS.SUBSYSN.PARM(ENVVAR)
    In the PDS member (ENVVAR in the previous example), define the following values. For a complete list of the environment variables that you can set to configure TLS, see the z/OS Cryptographic Services System SSL Programming manual.
    GSK_PROTOCOL_TLSV1_2=ON
    GSK_PROTOCOL_TLSV1_3=ON
    GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E
    
    
    Note:
    1. If you set both GSK_PROTOCOL_TLSV1_2 and GSK_PROTOCOL_TLSV1_3 to OFF, or you do not set either of them, TLS v1.2 is automatically enabled (this is the default).

      If you set only GSK_PROTOCOL_TLSV1_3 to ON, TLS v1.2 is not enabled.

    2. To enable the TLS communication between a component that has been migrated to version 10.1 and a component that is still at a version earlier than 10.1, ensure that you set the following environment variable:
      GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E0035
  2. According to the component that you are configuring, set the required SSL parameters. For a summary of the statements related to the SSL communication, see SSL connection.
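
The values set in the STDENV member can be checked before they are deployed. The following Python lint is an added example, not part of the product documentation: it splits GSK_V3_CIPHER_SPECS_EXPANDED into its 4-character codes, names each one from the IANA TLS cipher suite registry, applies note 1 to decide which protocols are enabled, and reports the extra 0035 suite from note 2. The function names, the sample members, and the reading that "neither variable set to ON" yields TLS v1.2 are assumptions of this example.

```python
SUITES = {
    "1301": ("TLS_AES_128_GCM_SHA256", "1.3"),
    "1302": ("TLS_AES_256_GCM_SHA384", "1.3"),
    "1303": ("TLS_CHACHA20_POLY1305_SHA256", "1.3"),
    "C02F": ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "1.2"),
    "C030": ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "1.2"),
    "009E": ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "1.2"),
    "009F": ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "1.2"),
    "0035": ("TLS_RSA_WITH_AES_256_CBC_SHA", "legacy"),  # static RSA, CBC, SHA-1
}

def parse_member(text):
    # One NAME=VALUE per line; lines without "=" are ignored.
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {n.strip(): v.strip() for n, sep, v in pairs if sep and n}

def decode_specs(spec):
    spec = spec.upper()
    if len(spec) % 4:
        raise ValueError("cipher spec length is not a multiple of 4")
    codes = [spec[i:i + 4] for i in range(0, len(spec), 4)]
    return [(c,) + SUITES.get(c, ("UNKNOWN", "unknown")) for c in codes]

def lint(text):
    env = parse_member(text)
    v13 = env.get("GSK_PROTOCOL_TLSV1_3", "").upper() == "ON"
    v12 = env.get("GSK_PROTOCOL_TLSV1_2", "").upper() == "ON"
    v12 = v12 or not v13  # page note 1: TLS v1.2 is the default when neither is ON
    suites = decode_specs(env.get("GSK_V3_CIPHER_SPECS_EXPANDED", ""))
    kinds = {kind for _, _, kind in suites}
    findings = []
    if v13 and "1.3" not in kinds:
        findings.append("TLS 1.3 enabled but no TLS 1.3 suite listed")
    if v12 and not kinds & {"1.2", "legacy"}:
        findings.append("TLS 1.2 enabled but no TLS 1.2 suite listed")
    for code, name, kind in suites:
        if kind == "legacy":
            findings.append(f"{code} {name}: no forward secrecy, keep only for pre-10.1 peers")
        elif kind == "unknown":
            findings.append(f"{code}: code not in this table")
    return {"tls12": v12, "tls13": v13, "suites": suites, "findings": findings}

# Constructed sample members built from the two cipher values shown on this page.
BASE = "GSK_PROTOCOL_TLSV1_2=ON\nGSK_PROTOCOL_TLSV1_3=ON\n"
CURRENT = BASE + "GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E"
MIXED = CURRENT + "0035"

if __name__ == "__main__":
    print(lint(CURRENT)["findings"], lint(MIXED)["findings"])
```

The suites are listed in the order they appear in the value. Once every connected component is at version 10.1, the 0035 finding is the cue to return to the shorter cipher list.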

For a scenario about how to set up a TLS communication with custom self-signed certificates, see Scenario: configuring TLS with custom self-signed certificates.