Configuring SSL attributes

Use the composer command line or the Dynamic Workload Console to update the workstation definition in the database. See Workstation definition for further information.

Configure the following attributes:
secureaddr
Defines the port used to listen for incoming SSL connections. This value is read when the securitylevel attribute is set.
For workload broker workstations
Ignore this attribute.
For remote engine workstations using HTTPS protocol to communicate with the remote engine
Specify the HTTPS port number of the remote engine.
For other types of workstations
Specify the value assigned in the localopts file for the nm ssl port variable. This value must be different from the value assigned to the nm port variable in the localopts file.

If securitylevel is specified, but this attribute is missing, the default value for this field is 31113. Specify a value in the range from 1 to 65535.

See Setting local options for information about SSL authentication and local options set in the TWS_home/localopts configuration file.
securitylevel
Specifies the type of SSL authentication for the workstation. Do not specify this attribute for a workstation with type broker. It can have one of the following values:
enabled
The workstation uses SSL authentication only if its domain manager workstation or another fault-tolerant agent below it in the domain hierarchy requires it.
on
The workstation uses SSL authentication when it connects with its domain manager. The domain manager uses SSL authentication when it connects to its parent domain manager. The fault-tolerant agent refuses any incoming connection from its domain manager if it is not an SSL connection.
force
The workstation uses SSL authentication for all of its connections and accepts connections from both parent and subordinate domain managers.
force_enabled
The workstation uses SSL authentication for all of its connections to all target workstations which are set to this value. The workstation tries to establish a connection in FULLSSL mode and, if the attempt fails, it tries to establish an unsecure connection. If you plan to set different security levels between master domain manager and fault-tolerant agents, ensure all these components are at version 95 Fix Pack 4 or later. For versions earlier than 95 Fix Pack 4, the same security level is required for master domain manager and fault-tolerant agents.

If this attribute is omitted, the workstation is not configured for SSL connections and any value for secureaddr is ignored. In this case, make sure that the nm ssl port local option is set to 0 so that the netman process does not try to open the port specified in secureaddr. See Setting local options for information about SSL authentication and local options set in the TWS_home/localopts configuration file.

The following table describes the type of communication used for each type of securitylevel setting.
Table 1. Type of communication depending on the security level value

| Value set on the Fault-tolerant Agent (or the Domain Manager) | Value set on its Domain Manager (or on its Parent Domain Manager) | Type of connection established |
|---|---|---|
| Not specified | Not specified | TCP/IP |
| Enabled | Not specified | TCP/IP |
| On | Not specified | No connection |
| Force | Not specified | No connection |
| Not specified | On | TCP/IP |
| Enabled | On | TCP/IP |
| On | On | SSL |
| Force | On | SSL |
| Not specified | Enabled | TCP/IP |
| Enabled | Enabled | TCP/IP |
| On | Enabled | SSL |
| Force | Enabled | SSL |
| Not specified | Force | No connection |
| Enabled | Force | SSL |
| On | Force | SSL |
| Force | Force | SSL |
| force_enabled | force_enabled | SSL |

The value for securitylevel is not specified for dynamic workload broker workstations.
The following example shows a workstation definition that includes the security attributes:
cpuname MYWIN
os WNT
node apollo
tcpaddr 30112
secureaddr 32222
for maestro
autolink off
fullstatus on
securitylevel on
end
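
The following Python script is an added example, not part of the product documentation. It parses composer-style workstation definitions, applies the secureaddr and securitylevel rules described above, and looks up in Table 1 whether an agent and its domain manager end up on SSL, plain TCP/IP, or no connection. The function names, the DM1 and FTA2 workstations, and the treatment of tcpaddr as the nm port value are assumptions made for the example.

```python
# Table 1 as {(agent level, manager level): result}; None = not specified.
ROWS = {None: "TTNN", "on": "TTSS", "enabled": "TTSS", "force": "NSSS"}
NAMES = {"T": "TCP/IP", "S": "SSL", "N": "No connection"}
TABLE1 = {(a, dm): NAMES[c] for dm, row in ROWS.items()
          for a, c in zip((None, "enabled", "on", "force"), row)}
TABLE1["force_enabled", "force_enabled"] = "SSL"

def parse_workstations(text):
    """Parse composer-style 'keyword value' lines into {cpuname: attributes}."""
    stations, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        if key.lower() == "cpuname":
            cur = stations.setdefault(val.strip(), {})
        elif key.lower() == "end":
            cur = None
        elif key and cur is not None:
            cur[key.lower()] = val.strip().lower()
    return stations

def audit(ws):
    """Findings from this page's rules; assumes tcpaddr mirrors nm port."""
    if ws.get("securitylevel") is None:
        return ["secureaddr ignored: securitylevel not set"] if "secureaddr" in ws else []
    port = int(ws.get("secureaddr", 31113))  # documented default when missing
    checks = [(ws.get("type") == "broker", "securitylevel set on type broker"),
              (not 1 <= port <= 65535, "secureaddr outside 1-65535"),
              (str(port) == ws.get("tcpaddr"), "secureaddr equals tcpaddr")]
    return [msg for failed, msg in checks if failed]

def link_type(agent, manager):
    """Connection type Table 1 gives for an agent and its domain manager."""
    key = (agent.get("securitylevel"), manager.get("securitylevel"))
    return TABLE1.get(key, "not listed in Table 1")

# Constructed sample: MYWIN abbreviated from the page; DM1 and FTA2 are made up.
SAMPLE = """\
cpuname MYWIN
secureaddr 32222
securitylevel on
end
cpuname DM1
end
cpuname FTA2
tcpaddr 31111
secureaddr 31111
securitylevel enabled
end
"""
```

With the sample input, MYWIN (securitylevel on) under a domain manager that has no securitylevel resolves to "No connection", while FTA2 (enabled) under the same manager resolves to unencrypted TCP/IP.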