Customizing the SSL connection with the Z controller when using your certificates (USS)
About this task
To communicate, the z-centric agents and the Z controller use the HTTPS protocol. The communication uses the certificates that you obtained by customizing the Z controller certificates with the USS (UNIX System Services) component. In addition to customizing those certificates, you must customize the agent certificates and the agent configuration file. To enable SSL communication, perform the following steps:
- Generate a .kdb CMS key store file. This file must contain a private key trusted by the Z controller to which the agent is registered, and the Z controller public key to allow the agent to trust it.
- Save the password of the key store in a stash file that has the same name as the file that you generated in step 1 and give it the .sth extension.
- Edit the ita.ini agent configuration file by setting the following properties to the values specific for your environment:

      cert_label=<label_agent_private_key>
      key_db_name=<file_name>
      key_repository_dir=<directory>
      tcp_port=0
      ssl_port=<ssl_port_value>
      verify_cn_string=<common_name>

  Where:
  - label_agent_private_key: Label of the agent private key that you want to use to communicate. The default is client.
  - file_name: Name of the key store file, without its extension. The default value is TWSClientKeyStore.
  - directory: Name of the directory that contains the files generated in step 1 and in step 2. The default path is /opt/HCL/TWA_<TWS_user>/TWS/ITA/cpa/ita/cert.
  - tcp_port_value: TCP/IP port value. Specify 0.
  - ssl_port_value: Same as tcp_port_value.
  - common_name: HCL Workload Automation for Z checks the validity of the certificate and verifies that the peer certificate has been issued by a recognized CA. If you set the verify_cn_string parameter, HCL Workload Automation for Z also verifies that the Common Name (CN) of the Certificate Subject matches the common_name that you set in this parameter.
This setting is valid for both dynamic and z-centric agents. To make the changes effective, you must restart the agent.
To configure the TLS v1.2 connection, in the ita.ini file add the following properties to the [ITA SSL] section:

    sslv3_cipher = NONE
    tls10_cipher = NONE
    tls11_cipher = NONE
    tls12_cipher = DFLT
- Stop the agent:
ShutDownLwa
- Restart the agent:
StartUpLwa
After you complete the procedure, depending on the method you use to store SSL certificates, import the certificates into a RACF KEYRING or into a key store created in UNIX System Services. Depending on the method you use, refer either to the RACF or to the UNIX System Services documentation.
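As an added example (not HCL code), the following Python script checks an ita.ini against the requirements of this procedure before the agent is restarted: every property is set, tcp_port is 0, the .kdb key store and its .sth stash file share a base name in key_repository_dir, and the [ITA SSL] cipher properties allow only TLS 1.2. The sample ita.ini, the TWS user, port and CN values are constructed, and placing the non-cipher properties in [ITA SSL] is an assumption, since the page names that section only for the cipher properties.

```python
"""Preflight check of ita.ini against the SSL procedure above (added example, not HCL code)."""
import configparser
import os

# Cipher values the procedure requires in [ITA SSL] for a TLS 1.2-only agent.
REQUIRED_CIPHERS = {"sslv3_cipher": "NONE", "tls10_cipher": "NONE",
                    "tls11_cipher": "NONE", "tls12_cipher": "DFLT"}
REQUIRED_KEYS = ("cert_label", "key_db_name", "key_repository_dir",
                 "tcp_port", "ssl_port", "verify_cn_string")

# Constructed sample: the TWS user, port and CN are placeholders, and putting
# the non-cipher keys in [ITA SSL] is an assumption (the page names only the
# section of the cipher keys).
SAMPLE_INI = """[ITA SSL]
cert_label=client
key_db_name=TWSClientKeyStore
key_repository_dir=/opt/HCL/TWA_twsuser/TWS/ITA/cpa/ita/cert
tcp_port=0
ssl_port=31114
verify_cn_string=zcontroller.example.com
sslv3_cipher = NONE
tls10_cipher = NONE
tls11_cipher = NONE
tls12_cipher = DFLT
"""

def check_ita_ini(ini_text, exists=os.path.exists):
    """Return a list of findings; an empty list means every requirement is met.
    `exists` is injectable so the key-store check can be exercised offline."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    # Accept each property from whichever section defines it.
    val = lambda k: next((cfg.get(s, k).strip() for s in cfg.sections()
                          if cfg.has_option(s, k)), None)
    findings = [f"{k} is missing or empty" for k in REQUIRED_KEYS if not val(k)]
    if val("tcp_port") not in (None, "0"):
        findings.append("tcp_port must be 0 (non-SSL listener disabled)")
    if val("key_db_name") and val("key_repository_dir"):
        # Step 1 key store and step 2 stash file must share the base name.
        base = os.path.join(val("key_repository_dir"), val("key_db_name"))
        findings += [f"{base}{ext} not found" for ext in (".kdb", ".sth")
                     if not exists(base + ext)]
    for k, want in REQUIRED_CIPHERS.items():
        got = cfg.get("ITA SSL", k, fallback=None)
        if (got or "").strip().upper() != want:
            findings.append(f"[ITA SSL] {k} should be {want}, found {got}")
    return findings

if __name__ == "__main__":
    print(check_ita_ini(SAMPLE_INI) or "ita.ini passes the preflight check")
```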