Customizing TLS to connect components with HCL Workload Automation for Z

Before you begin

To use secure ciphers, which are required for TLS connections, ensure that z/OS ICSF is up and running. For information about how to install z/OS ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide.

About this task

To customize TLS v1.2 and v1.3 to connect with HCL Workload Automation for Z, perform the following steps:
  1. Specify the following statement in the started task, job, or TSO logon procedure of each component that you want to connect:
    //STDENV DD card
    Add this DD card to point to a PDS member (for example, a member of the PARMLIB) where you specify the values for the environment variables that you need. For example, //STDENV DD DISP=SHR,DSN=TWS.SUBSYSN.PARM(ENVVAR)
    In the PDS member (ENVVAR in the previous example), define the following values. For a complete list of the environment variables that you can set to configure TLS, see the z/OS Cryptographic Services System SSL Programming manual.
    GSK_PROTOCOL_TLSV1_2=ON
    GSK_PROTOCOL_TLSV1_3=ON
    GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E
    
    
    Note:
    1. If you set both GSK_PROTOCOL_TLSV1_2 and GSK_PROTOCOL_TLSV1_3 to OFF or you do not set either of them, TLS v1.2 is automatically enabled (this is the default).

      If you set only GSK_PROTOCOL_TLSV1_3 to ON, TLS v1.2 is not enabled.

    2. To enable the TLS communication between a component that has been migrated to version 10.1 and a component that is still at an earlier version, ensure that you set the following environment variable to specify at least one cipher in common with the component to which you are going to connect. (For a list of cipher codes, see the section about the cipher suite definitions in the z/OS Cryptographic Services System SSL Programming manual.)
      GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E0035
  2. According to the component that you are configuring, set the required SSL parameters. For a summary of the statements related to the SSL communication, see SSL connection.
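
The following check is an added example, not part of the product documentation: it splits GSK_V3_CIPHER_SPECS_EXPANDED into its 4-character codes, applies the protocol rule from note 1, and reports which ciphers two components can actually share (note 2). The function names and the older peer's cipher list are assumptions made for illustration; it also assumes both components are described with the same three variables.

```python
# Added example; function names are hypothetical. Cipher names: IANA TLS registry.
IANA_NAMES = {
    "1301": "TLS_AES_128_GCM_SHA256", "1302": "TLS_AES_256_GCM_SHA384",
    "1303": "TLS_CHACHA20_POLY1305_SHA256",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Constructed sample members: the migrated component uses the value from note 2;
# the peer's cipher list is invented for illustration.
MIGRATED = """GSK_PROTOCOL_TLSV1_2=ON
GSK_PROTOCOL_TLSV1_3=ON
GSK_V3_CIPHER_SPECS_EXPANDED=130313021301C030009FC02F009E0035"""
OLDER_PEER = "GSK_V3_CIPHER_SPECS_EXPANDED=0035002F"

def parse_envvar(text):
    """Parse NAME=VALUE lines of an STDENV member into a dict."""
    pairs = (l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    return {name.strip(): value.strip() for name, value in pairs}

def split_ciphers(spec):
    """Split a GSK_V3_CIPHER_SPECS_EXPANDED value into 4-character codes."""
    spec = spec.upper()
    if len(spec) % 4 or any(c not in "0123456789ABCDEF" for c in spec):
        raise ValueError("expected a run of 4-character hex cipher codes")
    return [spec[i:i + 4] for i in range(0, len(spec), 4)]

def enabled_protocols(env):
    """Page rule: TLS v1.2 is the default when neither protocol is ON."""
    on = {proto for proto, var in (("TLSv1.2", "GSK_PROTOCOL_TLSV1_2"),
                                   ("TLSv1.3", "GSK_PROTOCOL_TLSV1_3"))
          if env.get(var, "").upper() == "ON"}
    return on or {"TLSv1.2"}

def common_ciphers(text_a, text_b):
    """Ciphers both members list and both can negotiate, in text_a's order."""
    a, b = parse_envvar(text_a), parse_envvar(text_b)
    protos = enabled_protocols(a) & enabled_protocols(b)
    peer = set(split_ciphers(b.get("GSK_V3_CIPHER_SPECS_EXPANDED", "")))
    usable = []
    for code in split_ciphers(a.get("GSK_V3_CIPHER_SPECS_EXPANDED", "")):
        # Simplification: 13xx codes are TLS 1.3 suites, all others TLS 1.2.
        proto = "TLSv1.3" if code.startswith("13") else "TLSv1.2"
        if code in peer and proto in protos:
            usable.append((code, IANA_NAMES.get(code, "unknown")))
    return usable

if __name__ == "__main__":
    print(common_ciphers(MIGRATED, OLDER_PEER))
```

An empty result means the two members have no cipher and protocol in common, which is the condition note 2 asks you to avoid before connecting to a component at an earlier version.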

For a scenario about how to set up a TLS communication with custom self-signed certificates, see Scenario: configuring TLS with custom self-signed certificates.