Customizing TLS to connect components with HCL Workload Automation for Z
About this task
To customize the TLS v1.2 connection between HCL Workload Automation for Z and its components,
perform the following steps.
- Specify the following statements in the server started task:
  - PARM='ENVAR("_CEE_ENVFILE:DD=STDENV")'
    Insert this statement at the top of the started-task JCL. It is used to export the environment variable to the Language Environment.
  - //STDENV DD card
    Add this DD card to the server started-task JCL to point to a PDS member (for example, a member of the PARMLIB) where you specify the values for the environment variable that you need. For example:
    //STDENV DD DISP=SHR,DSN=TWS.SUBSYSN.PARM(ENVVAR)
  In the PDS member (ENVVAR in the previous example) of the started task, task, or TSO logon procedure of each component to be connected, define the following values:
  GSK_PROTOCOL_TLSV1_2=ON
  In addition, to enable the TLS communication between HCL Workload Automation for Z and its components, specify at least one cipher in common with the component to which you are going to connect. (For a list of cipher codes, see the section about the cipher suite definitions in the z/OS Cryptographic Services System SSL Programming manual.)
  GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E0035
- In the TCPOPTS statement, set the following parameters:
  SSLLEVEL(FORCE) SSLKEYSTORE('SSL keystore db filename') SSLKEYSTOREPSW('SSL keystore pw filename')
  For example:
  SSLLEVEL(FORCE) SSLKEYSTORE('/u/usr/sslzos/ws95ssl.kdb') SSLKEYSTOREPSW('/u/usr/sslzos/ws95ssl.sth')
- On the Dynamic Workload Console, enable the SSL communication with the HCL Workload Automation for Z engine by editing the connectionFactory.xml file as follows:
  useSsl="true"
  For example:
  <connectionFactory id="EngineZ" jndiName="eis/tws/zconn/EngineZ">
    <properties.ZConnectorAdapter hostName="10.999.49.333" portNumber="9919" useSsl="true"/>
  </connectionFactory>
Note: The Dynamic Workload Console V9.5 Fix Pack 4, or later, does not use insecure TLS ciphers. To enable TLS communication with a Z controller V9.5 or earlier, you need to enable the insecure ciphers on the Dynamic Workload Console.
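
The "at least one cipher in common" requirement from the GSK_V3_CIPHER_SPECS_EXPANDED step can be checked before restarting the tasks. The following is an added example, not part of the product documentation: it splits the value into its 4-character codes and lists the codes that two members share and that a TLS v1.2 handshake can use. The peer member, the function names and the name table (IANA cipher suite names for the codes shown on this page only) are assumptions made for illustration.

```python
# Added example. NAMES covers only the codes that appear on this page,
# using the IANA TLS cipher suite names for those hex values.
NAMES = {
    "1301": "TLS_AES_128_GCM_SHA256",
    "1302": "TLS_AES_256_GCM_SHA384",
    "1303": "TLS_CHACHA20_POLY1305_SHA256",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
KEY = "GSK_V3_CIPHER_SPECS_EXPANDED"

def parse_member(text):
    """Parse the NAME=VALUE lines of an environment member into a dict."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env

def split_specs(value):
    """Split the expanded cipher string into 4-character hex codes, in order."""
    value = value.upper()
    if len(value) % 4 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("cipher specs must be a run of 4-character hex codes")
    return [value[i:i + 4] for i in range(0, len(value), 4)]

def common_tls12(local_env, peer_env):
    """Codes listed by both sides, in local order, that TLS v1.2 can negotiate.
    The 13xx codes are TLS v1.3 suites, so they do not count as a v1.2 match."""
    peer = set(split_specs(peer_env[KEY]))
    return [c for c in split_specs(local_env[KEY])
            if c in peer and not c.startswith("13")]

# Constructed sample members: SERVER uses the value from this page,
# PEER is a made-up component list for the comparison.
SERVER = parse_member("GSK_PROTOCOL_TLSV1_2=ON\n"
                      "GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E0035\n")
PEER = parse_member("GSK_PROTOCOL_TLSV1_2=ON\n"
                    "GSK_V3_CIPHER_SPECS_EXPANDED=1301C02F0035\n")

if __name__ == "__main__":
    for code in common_tls12(SERVER, PEER):
        print(code, NAMES.get(code, "unknown code"))
```

An empty result means the two components share no cipher usable with TLS v1.2, so the handshake will fail until the lists are aligned.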