Customizing TLS to connect components with HCL Workload Automation for Z

About this task

To customize the TLS v1.2 connection between HCL Workload Automation for Z and its components, perform the following steps.
  1. Specify the following statements in the server started task:
    PARM='ENVAR("_CEE_ENVFILE:DD=STDENV")'
    Insert this statement at the top of the started-task JCL. It is used to export the environment variable to the Language Environment.
    //STDENV DD card
    Add this DD card to the server started-task JCL to point to a PDS member (for example, a member of the PARMLIB) where you specify the values for the environment variable that you need. For example, //STDENV DD DISP=SHR,DSN=TWS.SUBSYSN.PARM(ENVVAR)
    In the PDS member (ENVVAR in the previous example) of the started task, task, or TSO logon procedure of each component to be connected, define the following values:
    GSK_PROTOCOL_TLSV1_2=ON
    
    In addition, to enable the TLS communication between HCL Workload Automation for Z and its components, specify at least one cipher in common with the component to which you are going to connect. (For a list of cipher codes, see the section about the cipher suite definitions in the z/OS Cryptographic Services System SSL Programming manual.)
    GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E0035
  2. In the TCPOPTS statement, set the following parameters:
    SSLLEVEL(FORCE)                               
    SSLKEYSTORE('SSL keystore db filename')    
    SSLKEYSTOREPSW('SSL keystore pw filename')
    
    For example:
    SSLLEVEL(FORCE)                               
    SSLKEYSTORE('/u/usr/sslzos/ws95ssl.kdb')    
    SSLKEYSTOREPSW('/u/usr/sslzos/ws95ssl.sth')
    
  3. On the Dynamic Workload Console, enable the SSL communication with the HCL Workload Automation for Z engine by editing the connectionFactory.xml file as follows:
    useSsl="true"
    For example:
    <connectionFactory id="EngineZ"
                       jndiName="eis/tws/zconn/EngineZ">
        <properties.ZConnectorAdapter hostName="10.999.49.333"
                                      portNumber="9919"
                                      useSsl="true"/>
    </connectionFactory>
Note: The Dynamic Workload Console V9.5 Fix Pack 4, or later, does not use insecure TLS ciphers. To enable TLS communication with a Z controller V9.5 or earlier, you must enable the insecure ciphers on the Dynamic Workload Console.
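
As an added example (not part of the HCL documentation), the following Python helper splits a GSK_V3_CIPHER_SPECS_EXPANDED value into its 4-character cipher codes, names them using the IANA TLS cipher suite registry, and lists the codes shared with a peer's value, which is the "at least one cipher in common" check from step 1. The function names and the peer value are constructed for illustration, and the name table covers only the codes in the page's sample value.

```python
# IANA names for the eight codes in the page's sample value (extend as needed).
IANA_NAMES = {
    "1301": "TLS_AES_128_GCM_SHA256",
    "1302": "TLS_AES_256_GCM_SHA384",
    "1303": "TLS_CHACHA20_POLY1305_SHA256",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
TLS13_ONLY = {"1301", "1302", "1303"}  # suites defined for TLS 1.3 only

def parse_specs(value):
    """Split the value into 4-hex-digit codes, keeping preference order."""
    value = value.strip().upper()
    if len(value) % 4 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("expected a run of 4-character hex cipher codes")
    return [value[i:i + 4] for i in range(0, len(value), 4)]

def common_ciphers(local, peer):
    """Codes configured on both sides, in the local preference order."""
    peer_codes = set(parse_specs(peer))
    return [code for code in parse_specs(local) if code in peer_codes]

def review(value):
    """Return (code, name, remarks) for each code in the value."""
    rows = []
    for code in parse_specs(value):
        name = IANA_NAMES.get(code, "UNKNOWN")
        remarks = []
        if code in TLS13_ONLY:
            remarks.append("TLS 1.3 suite, not negotiable under TLS 1.2")
        elif name == "UNKNOWN":
            remarks.append("not in the name table")
        else:
            if "_CBC_" in name:
                remarks.append("CBC mode, not AEAD")
            if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                remarks.append("no forward secrecy")
        rows.append((code, name, remarks))
    return rows

PAGE_VALUE = "130313021301C030009FC02F009E0035"  # value shown on the page
PEER_VALUE = "C02F0035"  # constructed peer configuration, for illustration

if __name__ == "__main__":
    for code, name, remarks in review(PAGE_VALUE):
        print(code, name, "; ".join(remarks))
    print("common:", common_ciphers(PAGE_VALUE, PEER_VALUE))
```

An empty list from common_ciphers means the two sides share no cipher and the handshake cannot complete.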