Connection security overview
HCL Workload Automation provides a secure, authenticated, and encrypted connection mechanism for communication based on the Secure Sockets Layer (SSL) protocol, which is automatically installed with HCL Workload Automation.
HCL Workload Automation also provides default certificates to manage the SSL protocol that is based on a private and public key methodology.
When configuring security and authentication, you can choose between using Java Web Token (JWT) or certificates, which can be either default or custom. For more information, see Configuring security using Java Web Token (JWT) or Configuring security with default and custom certificates.
Configuring security using Java Web Token (JWT)
JWT ensures mutual authentication between master domain manager and dynamic agents. Using JWT is easier and more immediate than downloading and maintaining certificates and, in a containerized environment, you no longer need to configure the ingress controller for SSL passthrough. For more information about JWT on containers, see the Ingress controller section in HCL Workload Automation Server.
For more information about configuring security and authentication, see Connection security overview.
To download the JWT on your dynamic agents at installation time, use the jwt parameter as explained in Agent installation parameters - twsinst script. You can also download the JWT at a later time as explained in Certificates download to dynamic agents and fault-tolerant agents - AgentCertificateDownloader script.
You can find some installation examples in Example installation commands.
Configuring security with default and custom certificates
If you do not customize SSL communication with your custom certificates, HCL Workload Automation uses the default certificates that are generated automatically when you install the master domain manager, as explained in SSL connection by using the default certificates. However, in a production environment, it is recommended that you customize SSL communication with your own certificates.
You can optionally generate your custom SSL certificates automatically when you perform a fresh installation from the CLI using .PEM files, as described in Installing the master domain manager and backup master domain manager, Installing the Dynamic Workload Console servers, and Installing agents.
When you perform a fresh installation, you only need to provide the .PEM files and specify both the directory where the files are located on the master domain manager and the password you want to use for the keystore and truststore.
If you have previously installed dynamic agents, you can run the AgentCertificateDownloader script on the agent. The script connects to the master domain manager, downloads the certificates in .PEM format, and deploys them to the agent. The certificates must be available on the master domain manager in a specific path. For more information, see Certificates download to dynamic agents and fault-tolerant agents - AgentCertificateDownloader script.
The installation program automatically generates custom certificates starting from the .PEM files you provided.
If you are upgrading from a previous version, or did not use the SSL parameters when performing a fresh installation of Version 9.5, Fix Pack 3 or later, you can customize SSL communication with your own certificates as explained in the following scenarios:
- Creating a Certificate Authority and generating certificates
- Customizing certificates for master domain manager and dynamic agent communication
- Scenario: Connection between the Dynamic Workload Console and the HCL Workload Automation components
- Customizing certificates for master domain manager and Dynamic Workload Console communication
- Extending communication scenarios to other server components
- Scenario: SSL Communication across the fault-tolerant agent network