Enhanced security for default certificates

Certificates, either default or custom, are now required when installing HCL Workload Automation. You can no longer install HCL Workload Automation without securing your environment with certificates.

Default certificates are generated automatically when you install the master domain manager. To generate default certificates, define the password for the certificates using the sslpassword parameter when you run the serverinst script. The certificates are generated using a strong 4k encryption key and the password you specified. These certificates feature a long-term expiration date and are unique for each environment you install. Because the certificates are unique for each environment, if you install a new master domain manager and want it to communicate with an existing Dynamic Workload Console, you need to import the certificates from the master domain manager to the Dynamic Workload Console. For more information, see How do I connect a new master domain manager to an existing Dynamic Workload Console?

The certificates are then stored on the master domain manager in the installation_directory/defaultCerts and TWA_DATA_DIR/ssl/depot directories. You can use the TWA_DATA_DIR/ssl/depot folder to retrieve the default certificates for the other product components.

Before you install the other server components (backup master domain manager, domain manager, backup domain manager, dynamic domain manager, backup dynamic domain manager) or the Dynamic Workload Console with the installation scripts, copy the certificates from the master domain manager to the workstation where you plan to install the component.

When you run the installation script, specify the sslkeysfolder and sslpassword parameters. These parameters indicate the path on the local workstation where the certificates are stored and the password you defined for the certificates when installing the master domain manager.
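The copy step above moves private key material between hosts, so it is worth confirming that the local folder you pass as sslkeysfolder is byte-identical to the source and readable only by its owner. The following is an added example, not part of the product or its documentation: the function names `make_manifest` and `check_keys_folder` are hypothetical, and the script assumes GNU coreutils and findutils.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of the product.
# Requires GNU coreutils/findutils (sha256sum, find -perm /MODE).

# On the master domain manager: print one checksum line per file in the
# certificate folder. Save the output outside that folder.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# On the target workstation, before running the installation script.
# $1 = local certificate folder, $2 = manifest from make_manifest.
# Returns 0 only if the folder is owner-only and matches the manifest exactly.
check_keys_folder() {
    dir=$1
    manifest=$2
    [ -d "$dir" ] || { echo "missing folder: $dir" >&2; return 2; }
    [ -s "$manifest" ] || { echo "missing or empty manifest" >&2; return 2; }

    # The folder holds private keys: reject group/world access on any entry.
    loose=$(find "$dir" ! -type l -perm /077 | head -n 1)
    [ -z "$loose" ] || { echo "too permissive: $loose" >&2; return 3; }

    # Every file listed in the manifest must be present and unmodified.
    ( cd "$dir" && sha256sum -c - >/dev/null ) < "$manifest" || return 4

    # No files beyond those the master domain manager provided.
    have=$(cd "$dir" && find . -type f | wc -l)
    want=$(wc -l < "$manifest")
    [ "$have" -eq "$want" ] || { echo "unexpected extra files" >&2; return 5; }
    return 0
}
```

Transfer the manifest separately from the certificates so that a tampered copy cannot carry a matching manifest with it.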

When you install a dynamic agent or fault-tolerant agent using the twsinst script, specify the wauser and wapassword parameters. The agent uses these parameters to log in to the master domain manager and download the default certificates from the TWA_DATA_DIR/ssl/depot directory.

If you are upgrading all your components from earlier versions where you used default certificates, the certificates are updated automatically. Before you upgrade your environment, create an environment variable named JKS_SSL_PASSWORD on each server component (with the exception of the master domain manager) and on each Dynamic Workload Console workstation. In the JKS_SSL_PASSWORD environment variable store the password for the default certificates. For both fault-tolerant agents and dynamic agents, the updated certificates are downloaded automatically from the master domain manager without user intervention. You can find useful information about upgrading in FAQ - Upgrade procedures.

If you plan to upgrade a part of your environment, for example you plan to connect an agent at 10.2.x version with a master domain manager at an earlier version, convert the certificates to the new .PEM format before the upgrade, as described in Upgrading in a mixed-version environment when using default certificates.

For more information, see the upgrade procedures in Upgrading from the CLI.

For more information about connection security, see Connection security overview.

For more information about using default certificates, see SSL connection by using the default certificates.

For more information about all the installation commands, see Reference.