Customizing the SSL connection with the Z controller when using your certificates (USS)

About this task

To communicate, the z-centric agents and Z controller use the HTTPS protocol. The communication process uses the certificates obtained by customizing the Z controller certificates with the USS (UNIX System Services) component. In addition to customizing those certificates, you need to customize the agent certificates and the configuration file. To enable SSL communication, perform the following steps:
  1. Generate a .kdb CMS key store file. This file must contain a private key trusted by the Z controller to which the agent is registered, and the Z controller public key to allow the agent to trust it.
  2. Save the password of the key store in a stash file that has the same name as the file that you generated in step 1 and give it the extension .sth.
  3. Edit the ita.ini agent configuration file by setting the following properties to the values specific for your environment:
    cert_label=<label_agent_private_key>
    key_db_name=<file_name>
    key_repository_dir=<directory>
    tcp_port=0
    ssl_port=<ssl_port_value>
    verify_cn_string=<common_name>
    Where:
    label_agent_private_key
    Label of the agent private key that you want to use to communicate. The default is client.
    file_name
    Name of the file, without its extension. The default value is TWSClientKeyStore.
    directory
    Name of the directory that contains the files generated in step 1 and in step 2. The default path is /opt/HCL/TWA_<TWS_user>/TWS/ITA/cpa/ita/cert.
    tcp_port_value
    TCP/IP port value. Specify 0.
    ssl_port_value
    Same as tcp_port_value.
    common_name
    HCL Workload Automation for Z checks the validity of the certificate and verifies that the peer certificate has been issued by a recognized CA. If you set the verify_cn_string parameter, HCL Workload Automation for Z verifies that the Common Name (CN) of the Certificate Subject matches the common_name that you set in this parameter.

    This setting is valid for both dynamic and z-centric agents. To make the changes effective, you must restart the agent.

    To configure the TLS v1.2 connection, in the ita.ini file add the following properties to the [ITA SSL] section:
    sslv3_cipher = NONE
    tls10_cipher = NONE
    tls11_cipher = NONE
    tls12_cipher = DFLT
  4. Stop the agent:
    ShutDownLwa
  5. Restart the agent:
    StartUpLwa
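As an added example, not part of the product documentation, the following Python check reads an ita.ini and reports where it deviates from steps 1 to 3 above (plain TCP port disabled, SSL port and verify_cn_string set, legacy protocols off, .kdb and .sth files sharing one base name). It assumes tcp_port sits in the [ITA] section and the other properties in [ITA SSL]; the port and CN values in the sample fragments are constructed.

```python
import configparser
# Values the procedure prescribes in [ITA SSL] to allow TLS v1.2 only.
EXPECTED_TLS = {"sslv3_cipher": "NONE", "tls10_cipher": "NONE",
                "tls11_cipher": "NONE", "tls12_cipher": "DFLT"}

def check_ita_ini(text, key_files_present):
    """Return the deviations from the procedure; an empty list means compliant.
    key_files_present lists the file names in key_repository_dir (passed in so the
    check runs offline). Assumption: tcp_port lives in [ITA], the rest in [ITA SSL]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    ssl = lambda key: cp.get("ITA SSL", key, fallback="").strip()  # "" if absent
    findings = []
    # Step 3: plain TCP listener disabled, SSL port set, peer CN pinned.
    if cp.get("ITA", "tcp_port", fallback="").strip() != "0":
        findings.append("tcp_port must be 0 so the agent accepts HTTPS only")
    if not ssl("ssl_port").isdigit():
        findings.append("ssl_port must be set to a numeric port")
    if not ssl("verify_cn_string"):
        findings.append("verify_cn_string unset: peer certificate CN not verified")
    # Legacy protocol cipher lists must be NONE; TLS 1.2 keeps the default list.
    for key, want in EXPECTED_TLS.items():
        if ssl(key).upper() != want:
            findings.append(f"{key} should be {want}, found {ssl(key)!r}")
    # Steps 1 and 2: the .kdb key store and .sth stash file share one base name.
    base = ssl("key_db_name") or "TWSClientKeyStore"
    for ext in (".kdb", ".sth"):
        if base + ext not in key_files_present:
            findings.append(f"{base}{ext} missing from key_repository_dir")
    return findings

# Constructed sample ita.ini fragments (port and CN values are made up).
GOOD_INI = """[ITA]
tcp_port=0
[ITA SSL]
key_db_name=TWSClientKeyStore
ssl_port=31114
verify_cn_string=zcontroller.example.com
sslv3_cipher = NONE
tls10_cipher = NONE
tls11_cipher = NONE
tls12_cipher = DFLT
"""
WEAK_INI = """[ITA]
tcp_port=31114
[ITA SSL]
ssl_port=31114
sslv3_cipher = NONE
tls10_cipher = NONE
tls12_cipher = DFLT
"""
```

Running check_ita_ini(WEAK_INI, {"TWSClientKeyStore.kdb"}) reports the open TCP port, the missing verify_cn_string, the missing tls11_cipher setting and the absent stash file; the GOOD_INI fragment with both key files present yields no findings.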

After you complete the procedure, depending on the method you use to store SSL certificates, import the certificates into a RACF KEYRING or into a keystore created in UNIX System Services. Depending on the method you use, refer to either the RACF or the UNIX System Services documentation.