Configuring the TLS V1.3 security protocol

The following procedures enable you to configure the TLS V1.3 security protocol for HCL Workload Automation. If you want to configure your environment with the TLS V1.3 protocol, it is recommended to use a 4k-length certificate.

The configuration of the TLS V1.3 security protocol can be manually done on every component:

The configuration of the TLS V1.3 security protocol can only be set using custom certificates with RSA keys of at least 2K.

Dynamic agents

To enable the TLS V1.3 security protocol for dynamic agents you must open the <TWSDATA>/ITA/cpa/ita/ita.ini file and go to the ITA SSL section. Here you can set the security modifying the following keywords:
Enabling the TLS V1.3 security protocol exclusively
ssl version= TLSv1.3
ssl_ciphers=
Enabling the TLS V1.2 and TLS V1.3 security protocols
ssl version= atleast.TLSv1.2
ssl_ciphers=
where:
ssl_version
Specify the SSL version to be used. Supported values are:
  • atleast.TLSv1.0
  • atleast.TLSv1.1
  • atleast.TLSv1.2
  • atleast.TLSv1.3
where you specify the minimum version of the TLS protocol to be used. In this case, HCL Workload Automation uses the specified version of the protocol or a higher version, if supported.
  • max.TLSv1.0
  • max.TLSv1.1
  • max.TLSv1.2
  • max.TLSv1.3
where you specify the maximum version of the TLS protocol to be used. In this case, HCL Workload Automation uses the specified version of the protocol or a lower version.
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3
where you specify the exact version of the TLS protocol to be used. In this case, HCL Workload Automation uses the specified version of the protocol.
ssl_ciphers
Define the ciphers that the workstation supports during an SSL connection.
If you want to use an OpenSSL cipher class, use the following command to find out the list of available classes: 
openssl ciphers

For a full list of supported ciphers, see SSL Ciphers and OpenSSL.

Note: The dynamic agents must be restarted after the modifications are completed.

Open Liberty

The following procedures must be repeated for every HCL Workload Automation component in the environment that has Open Liberty installed.

To enable the TLS V1.3 security protocol for Open Liberty you must copy the <TWA_INSTALL_FOLDER>/usr/servers/engineServer/configDropins/defaults/ssl_config.xml file and paste it in the following folders:
  • <TWA_INSTALL_FOLDER>/usr/servers/engineServer/configDropins/overrides
  • <DWC_INSTALL_FOLDER>/usr/servers/dwcServer/configDropins/overrides
You must then edit the ssl_config.xml file:
Enabling the TLS V1.3 security protocol exclusively
sslProtocol="TLSv1.3"
Enabling the TLS V1.2 and TLS V1.3 security protocols
sslProtocol="TLSv1.2,TLSv1.3"
No spaces can be used before or after the comma.
Note: Open Liberty must be restarted after the modifications are completed.

Native components and fault-tolerant agents

The following procedures must be repeated for every native component and fault-tolerant agents in the HCL Workload Automation environment.

To enable the TLS V1.3 security protocol for native components and fault-tolerant agents, you must open the <TWSDATA>/localopts file. Choose the procedure that applies to the kind of certificates you are using:
Opens SSL
Enabling the TLS V1.3 security protocol exclusively
Set the ssl version keyword as follows:
ssl version = TLSv1.3
Note: The native components and fault-tolerant agents must be restarted after the modifications are completed.