Connection security overview

HCL Workload Automation provides a secure, authenticated, and encrypted connection mechanism for communication based on the Secure Sockets Layer (SSL) protocol, which is automatically installed with HCL Workload Automation.

HCL Workload Automation also provides default certificates for the SSL protocol, which is based on a private and public key methodology.

If you do not customize SSL communication with your own certificates, HCL Workload Automation communicates in SSL mode by using the default certificates that are stored in the default directories, as explained in SSL connection by using the default certificates. However, in a production environment, it is recommended that you customize SSL communication with your own certificates.

Starting from Version 9.5, Fix Pack 3, you can optionally generate your SSL certificates automatically when you perform a fresh installation from the CLI using either .jks or .PEM certificates, as described in Installing the master domain manager and backup master domain manager, Installing the Dynamic Workload Console servers, and Installing agents.

When you perform a fresh installation, you only need to provide either .jks or .PEM certificates and specify the directory where the files are located and the password you want to use for the keystore and truststore.

Starting from Version 9.5, Fix Pack 4, you can optionally download certificates in .PEM format from the master domain manager to your agent.

When installing the agent with a fresh installation, you only need to provide the credentials to connect to the master domain manager using the wauser and wapassword parameters. The certificates in .PEM format are automatically downloaded and deployed to the agent without further intervention.

If you have previously installed the agent, you can run the AgentCertificateDownloader script on the agent. The script connects to the master domain manager, downloads the certificates in .PEM format, and deploys them to the agent. The certificates must be available on the master domain manager in a specific path. For more information, see Certificates download to dynamic agents - AgentCertificateDownloader script.

The installation program automatically generates the certificates. However, SSL communication between fault-tolerant agents is not enabled by default at installation time, and must be manually configured afterwards. For more information on how to configure SSL for fault-tolerant agents, see Scenario: SSL Communication across the fault-tolerant agent network.

Using .jks and .kdb files is supported but not recommended, because it involves several manual steps that might lead to errors. The automatic procedure with .PEM files is the recommended method.

Note: For Version 9.5, Fix Pack 4 only, if you install your agents so that they communicate with the master through a remote gateway, ensure that they can reach the master directly at installation time. For more information, see Dynamic agent gateway installation examples.

If you are upgrading from a previous version or did not use the SSL parameters when performing a fresh installation of Version 9.5, Fix Pack 3 or later, you can customize SSL communication with your own certificates as explained in the following scenarios: