Home
HCL Workload Automation
Welcome to the HCL Workload Automation documentation, where you can find information about how to install, maintain, and use HCL Workload Automation. The documentation has been updated for HCL Workload Automation Version 9.5 Fix Pack 6.
Administration Guide
Connection security overview
Scenario: SSL Communication across the fault-tolerant agent network
Using SSL for netman and conman
Configuring SSL attributes

HCL Workload Automation
Welcome to the HCL Workload Automation documentation, where you can find information about how to install, maintain, and use HCL Workload Automation. The documentation has been updated for HCL Workload Automation Version 9.5 Fix Pack 6.
- Fix Pack readmes
  For the latest information about a Fix Pack, see the appropriate Readme File.
- Planning and Installation
- User's Guide and Reference
- Administration Guide
  - Customizing and configuring HCL Workload Automation
  - Configuring the Dynamic Workload Console
  - Configuring user authorization (Security file)
  - Configuring authentication
  - Network administration
  - Connection security overview
    - Creating a Certificate Authority
      How to create a CA and generate the key
    - SSL connection by using the default certificates
      The SSL connection between the console and other product components is enabled by using the default certificates.
    - Customizing certificates for master domain manager and dynamic agent communication
      Supported scenarios for creating custom certificates for communication between master domain manager and dynamic agent
    - Scenario: Connection between the Dynamic Workload Console and the HCL Workload Automation components
      The Dynamic Workload Console connects in SSL mode with the HCL Workload Automation components by using the default certificates. You might configure the Dynamic Workload Console to connect in SSL mode by using your certificates.
    - Extending communication scenarios to other server components
      Apply custom certificates to backup master domain manager and dynamic domain manager
    - Scenario: SSL Communication across the fault-tolerant agent network
      - Using SSL for netman and conman
        Setting up private keys and certificates
        Creating Your Own Certification Authority
        Creating private keys and certificates
        Configuring SSL attributes
        Configuring the SSL connection protocol for the network
        Configuring full SSL security
    - SSL command reference
      List of commands for managing certificates
  - Data maintenance
  - Administrative tasks
  - Administering IBM i dynamic environment
    On overview on how to administer the HCL Workload Automation IBM i dynamic environment.
  - Performance
  - Availability
  - License computation model
- Scheduling with the Agent for z/OS
- Database Views
- Integrating
- High Availability Cluster Environment
- Driving HCL Workload Automation
- Extending HCL Workload Automation

Configuring SSL attributes

Use the composer command line or the Dynamic Workload Console to update the workstation definition in the database. See the HCL Workload Automation: User's Guide and Reference for further information.

Configure the following attributes:

secureaddr

Defines the port used to listen for incoming SSL connections. This value must match the one defined in the nm SSL port local option of the workstation. It must be different from the nm port local option that defines the port used for normal communications. If securitylevel is specified but this attribute is missing, 31113 is used as the default value.

securitylevel

Specifies the type of SSL authentication for the workstation. It must have one of the following values:

enabled: The workstation uses SSL authentication only if its domain manager workstation or another fault-tolerant agent below it in the domain hierarchy requires it.
on: The workstation uses SSL authentication when it connects with its domain manager. The domain manager uses SSL authentication when it connects to its parent domain manager. The fault-tolerant agent refuses any incoming connection from its domain manager if it is not an SSL connection.
force: The workstation uses SSL authentication for all of its connections and accepts connections from both parent and subordinate domain managers. It will refuse any incoming connection if it is not an SSL connection.

If this attribute is omitted, the workstation is not configured for SSL connections. In this case, any value for secureaddr will be ignored. You should also set the nm ssl port local option to 0 to be sure that this port is not opened by netman. The following table describes the type of communication used for each type of securitylevel setting.

Table 1. Type of communication depending on the securitylevel value
Fault-tolerant agent (domain manager)	Domain manager (parent domain manager)	Connection type
-	-	TCP/IP
Enabled	-	TCP/IP
On	-	No connection
Force	-	No connection
-	On	TCP/IP
Enabled	On	TCP/IP
On	On	SSL
Force	On	SSL
-	Enabled	TCP/IP
Enabled	Enabled	TCP/IP
On	Enabled	SSL
Force	Enabled	SSL
-	Force	No connection
Enabled	Force	SSL
On	Force	SSL
Force	Force	SSL

The following example shows a workstation definition that includes the security attributes:

cpuname MYWIN
os WNT
node apollo
tcpaddr 30112
secureaddr 32222
for maestro
autolink off
fullstatus on
securitylevel on
end

Have feedback?
Google Analytics is used to store comments and ratings. To provide a comment or rating for a topic, click Accept All Cookies or Allow All in Cookie Preferences in the footer of this page.