Configuring SSL local options
About this task
To set the SSL local options, edit the WRKDIR/localopts file of the HCL Workload Automation for Z master by removing the # sign in column 1 and changing the value of the corresponding SSL option. This file is also present on the HCL Workload Automation workstations and must be customized as follows:
- SSL key store
- The filename of the GSK database containing keys and certificates. The default value is WRKDIR/ssl/TWS.kdb. The GSK database replaces the following information specified in the distributed localopts file:
- SSL Certification Authority certificate
- SSL certificate
- SSL certificate chain
- SSL random seed
- SSL key
- SSL key store pwd
- The name of the file containing the key password. The default is WRKDIR/ssl/TWS.sth. It replaces the SSL key pwd option of the distributed localopts file.
- SSL auth mode
- The kind of checks that HCL Workload Automation for Z performs to verify the certificate validity. You can specify one of the following values:
- caonly
- HCL Workload Automation for Z checks the certificate validity by verifying that a recognized Certification Authority has issued the peer certificate. Information contained in the certificate is not checked. If you do not specify the SSL auth mode keyword or you define a non-permitted value, the caonly value is used.
- string
- HCL Workload Automation for Z checks the certificate validity as described in the caonly option. It also verifies that the Common Name (CN) of the Certificate Subject matches the string specified in the SSL auth string option.
- cpu
- HCL Workload Automation for Z checks the certificate validity as described in the caonly option. It also verifies that the Common Name (CN) of the Certificate Subject matches the name of the CPU that requested the service.
- SSL auth string
- A string (1 to 64 characters in length) used to verify the certificate validity when you specify string as the SSL auth mode value. If the SSL auth string option is required and it is not specified, tws is used as the default value.
Note: The following parameters are ignored:
- nm port and nm ssl port because they are replaced by SSLPORT in the TOPOLOGY statement.
- ssl encryption cipher because it is replaced by the ciphers that the workstation operating system supports during an SSL connection.
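The fallback rules above (a commented-out or invalid SSL auth mode silently becomes caonly, a missing SSL auth string becomes tws) are easy to miss in review. The following added example, which is not HCL code, resolves the effective SSL settings of a localopts file and reports those cases. It assumes `name = value` lines and exact-match option values; the function names and the sample are constructed for illustration.

```python
VALID_MODES = ("caonly", "string", "cpu")
IGNORED = ("nm port", "nm ssl port", "ssl encryption cipher")
DEFAULTS = {"ssl key store": "WRKDIR/ssl/TWS.kdb",
            "ssl key store pwd": "WRKDIR/ssl/TWS.sth"}

def parse_localopts(text):
    """Active 'name = value' lines only; a '#' in column 1 disables a line."""
    opts = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        opts[" ".join(name.lower().split())] = value.strip()
    return opts

def audit_ssl(text):
    """Return (effective SSL settings, findings) per the rules on this page."""
    opts = parse_localopts(text)
    eff = {k: opts.get(k, v) for k, v in DEFAULTS.items()}
    findings = []
    mode = opts.get("ssl auth mode")
    if mode not in VALID_MODES:
        findings.append(f"SSL auth mode {mode!r} missing or not permitted: caonly is used")
        mode = "caonly"
    eff["ssl auth mode"] = mode
    if mode == "caonly":
        findings.append("caonly: only the issuing CA is verified, the CN is not checked")
    if mode == "string":
        auth = opts.get("ssl auth string")
        if auth is None:
            findings.append("SSL auth string not set: default 'tws' is used")
            auth = "tws"
        elif not 1 <= len(auth) <= 64:
            findings.append("SSL auth string must be 1 to 64 characters")
        eff["ssl auth string"] = auth
    for name in IGNORED:
        if name in opts:
            findings.append(f"{name} is ignored")
    return eff, findings

# Constructed sample, not taken from a real system.
SAMPLE = """\
#SSL key store = WRKDIR/ssl/TWS.kdb
SSL key store pwd = WRKDIR/ssl/TWS.sth
SSL auth mode = strng
SSL auth string = scheduler01
nm ssl port = 31113
"""

if __name__ == "__main__":
    effective, findings = audit_ssl(SAMPLE)
    print(effective)
    print("\n".join(findings))
```

In the sample, the misspelled mode means the configured SSL auth string is never consulted, which is the kind of silent downgrade the check is meant to surface.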