Customizing the SSL connection between the agents and the Z controller when using your certificates


About this task

The HCL Workload Automation agents and the Z controller use HTTPS to communicate. By default, the communication uses the SSL certificates that are shipped with the product. If you want to use your own certificates, obtained by customizing the Z controller certificates, you must also customize the agent certificates and the agent configuration file. To enable SSL communication, perform the following steps:
  1. Generate a .kdb CMS key store file. This file must contain a private key trusted by the Z controller to which the agent is registered, and the Z controller public key so that the agent can trust the controller.
  2. Save the password of the key store in a stash file that has the same name as the file that you generated in step 1, with the .sth extension.
  3. Edit the ita.ini agent configuration file by setting the following properties to the values specific to your environment:
    cert_label=<label_agent_private_key>
    key_db_name=<file_name>
    key_repository_dir=<directory>
    tcp_port=0
    ssl_port=<ssl_port_value>
    verify_cn_string=<common_name>
    Where:
    label_agent_private_key
      Label of the agent private key to use for communication. The default is client.
    file_name
      Name of the key store file, without its extension. The default value is TWSClientKeyStore.
    directory
      Name of the directory that contains the files generated in step 1 and step 2. The default path is /opt/HCL/TWA_<TWS_user>/TWS/ITA/cpa/ita/cert.
    tcp_port_value
      The TCP/IP port value. Specify 0.
    ssl_port_value
      The port value that was previously used as the TCP/IP port. For example, if the TCP/IP port value was 31114, specify 31114.
    common_name
      HCL Workload Automation for Z checks the validity of the certificate and verifies that the peer certificate was issued by a recognized CA. If you set the verify_cn_string parameter, HCL Workload Automation for Z also verifies that the Common Name (CN) of the Certificate Subject matches the common_name that you set in this parameter. You can specify more than one server by separating the names with ;.

    This setting is valid for both dynamic and z-centric agents. To make the changes effective, you must restart the agent.

    To configure the TLS v1.2 connection, in the ita.ini file add the following properties to the [ITA SSL] section:
    sslv3_cipher = NONE
    tls10_cipher = NONE
    tls11_cipher = NONE
    tls12_cipher = DFLT
  4. Use the following command to stop the agent:
    ShutDownLwa
  5. Use the following command to restart the agent:
    StartUpLwa
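As an added check that is not part of the product documentation or the product itself, the following Python script reads an ita.ini and flags the settings this procedure calls for that are missing or still permissive (non-zero tcp_port, legacy protocols not set to NONE, absent .kdb or .sth file). The sample file content and the placement of the port and key store properties under [ITA] are assumptions; only the [ITA SSL] cipher section is documented above.

```python
import configparser
from pathlib import Path

# Constructed sample ita.ini (not the product's shipped file). Placing the port and
# key store properties under [ITA] is an assumption; [ITA SSL] is as documented.
SAMPLE_INI = """
[ITA]
tcp_port=0
ssl_port=31114
[ITA SSL]
cert_label=client
key_db_name=TWSClientKeyStore
key_repository_dir=/opt/HCL/TWA_twsuser/TWS/ITA/cpa/ita/cert
verify_cn_string=zctl1.example.com;zctl2.example.com
sslv3_cipher = NONE
tls10_cipher = NONE
tls11_cipher = NONE
tls12_cipher = DFLT
"""

REQUIRED = ("cert_label", "key_db_name", "key_repository_dir", "ssl_port", "verify_cn_string")
LEGACY_PROTOCOLS = ("sslv3_cipher", "tls10_cipher", "tls11_cipher")


def check_ita_ini(text, check_files=True):
    # Returns a list of findings; an empty list means the SSL settings look complete.
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    # Flatten all sections so the checks do not depend on which section holds a key.
    props = {k: v.strip() for s in cfg.sections() for k, v in cfg.items(s)}
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"missing {key}")
    if props.get("tcp_port") != "0":
        findings.append("tcp_port must be 0 so that only the SSL port is listening")
    if not cfg.has_section("ITA SSL"):
        findings.append("no [ITA SSL] section, legacy protocols not disabled")
    else:
        ssl = cfg["ITA SSL"]
        for key in LEGACY_PROTOCOLS:
            if ssl.get(key, "").strip().upper() != "NONE":
                findings.append(f"{key} is not NONE, legacy protocol still enabled")
        if ssl.get("tls12_cipher", "").strip().upper() in ("", "NONE"):
            findings.append("tls12_cipher must be set (for example DFLT)")
    # The stash file must sit beside the .kdb under the same base name (steps 1 and 2).
    if check_files and props.get("key_db_name") and props.get("key_repository_dir"):
        base = Path(props["key_repository_dir"]) / props["key_db_name"]
        for ext in (".kdb", ".sth"):
            if not base.with_suffix(ext).is_file():
                findings.append(f"{base.with_suffix(ext)} not found")
    return findings
```

Run it with check_files=True on the agent host after steps 1 and 2 so that the key store and stash file presence is also verified.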

After you complete the procedure, import the certificates either in a RACF KEYRING or in a key store created in UNIX System Services, depending on the certificate storage method you use. Depending on the method, refer to either the RACF or the UNIX System Services documentation.