Configuring the SSL connection protocol for the network

About this task

To configure SSL for your network, perform the following steps:
  1. Create an SSL directory under the TWA_home/TWS directory. By default, the path DATA_DIR/ssl is registered in the localopts file. If you create a directory with a name different from ssl in the DATA_DIR directory, then update the localopts file accordingly. For example, if you decide to use the TWA_home/TWS/ssl/CustomSSL/ folder instead of the default one, you can modify localopts as follows:
    SSL key                 ="TWA_HOME/TWS/ssl/CustomSSL/workstationname.key"
    SSL certificate         ="TWA_HOME/TWS/ssl/CustomSSL/workstationname.crt"
    SSL key pwd             ="TWA_HOME/TWS/ssl/CustomSSL/workstationname.sth"
    SSL CA certificate      ="TWA_HOME/TWS/ssl/CustomSSL/TWSTrustCertificates.cer"
    SSL random seed         ="TWA_HOME/TWS/ssl/CustomSSL/workstationname.rnd"
    SSL Encryption Cipher   =HIGH

    If you created multiple TWSca.crt files, you can append the content of each of them on a new line of the TWSTrustCertificates.cer file.

  2. Copy openssl.cnf and openssl.exe to the SSL directory.
  3. Create as many private keys, certificates, and trusted CA lists as you plan to use in your network. For more information, see Creating private keys and certificates.
  4. For each workstation that will use SSL authentication:
    • Update its definition in the HCL Workload Automation database with the SSL attributes. For more information, see Configuring SSL attributes.
    • Add the SSL local options in the localopts file.
    • Update the SSL port parameter. The value must match the value added to the corresponding definition in the HCL Workload Automation database:
      # Netman SSL port
      # the value "0" means port close
      #
      
      nm SSL port    =PORT_NUMBER

      For more information, see Setting up full SSL security.
Although you are not required to follow a particular sequence, these tasks must all be completed to activate SSL support.
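
Because every one of these entries has to be in place before SSL is active, a quick consistency check of localopts and the trusted CA list can catch omissions early. The following Python sketch is an added example, not HCL code: it assumes localopts uses `name = value` lines with `#` comments, that option names are insensitive to case and spacing, and that the certificates are PEM-encoded. The function names, workstation name and sample text are constructed for illustration.

```python
import os
import re

# Option names as written in the localopts excerpts on this page.
FILE_OPTIONS = ["SSL key", "SSL certificate", "SSL key pwd",
                "SSL CA certificate", "SSL random seed"]

def _norm(name):
    # Assumption: tabs/spaces and case in option names are not significant.
    return " ".join(name.split()).lower()

def parse_localopts(text):
    """Return {normalised option name: value} from 'name = value' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            opts[_norm(name)] = value.strip().strip('"')
    return opts

def check_trust_bundle(pem_text):
    """Flag a CA list whose certificates were appended without a line break."""
    begins = re.findall(r"^-----BEGIN CERTIFICATE-----\s*$", pem_text, re.M)
    total = pem_text.count("-----BEGIN CERTIFICATE-----")
    if total == 0:
        return ["CA list contains no PEM certificate"]
    if len(begins) != total:
        return [f"{total - len(begins)} certificate(s) do not start on a new line"]
    return []

def check_ssl_options(text, exists=os.path.isfile):
    """Return findings; an empty list means the SSL entries look complete."""
    opts, findings = parse_localopts(text), []
    for name in FILE_OPTIONS + ["SSL Encryption Cipher"]:
        value = opts.get(_norm(name))
        if not value:
            findings.append(f"missing option: {name}")
        elif name in FILE_OPTIONS and not exists(value):
            findings.append(f"file not found for {name}: {value}")
    port = opts.get(_norm("nm SSL port"), "")
    if not re.fullmatch(r"\d{1,5}", port) or not 1 <= int(port) <= 65535:
        findings.append(f"nm SSL port unset, closed (0) or invalid: {port!r}")
    return findings

# Constructed sample: only the key is configured and the SSL port is closed.
SAMPLE = 'SSL key ="TWA_HOME/TWS/ssl/CustomSSL/ws1.key"\nnm SSL port =0\n'
SAMPLE_FINDINGS = check_ssl_options(SAMPLE, exists=lambda p: True)
```

Run `check_ssl_options` on the text of each workstation's localopts file and `check_trust_bundle` on the content of TWSTrustCertificates.cer; any returned finding names the entry that still needs attention.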

In HCL Workload Automation, SSL support is available for the fault-tolerant agents only (including the master domain manager and the domain managers), but not for the extended agents. If you want to use SSL authentication for a workstation that runs an extended agent, you must specify this parameter in the definition of the host workstation of the extended agent.