Customizing the SSL connection between IBM i agents and the Z controller when using your certificates

About this task

By default, IBM i agents communicate over HTTP with the Z controller to which they are registered. If you are using your own certificates, you must customize the agent certificates and the configuration file to enable HTTPS communication. Perform the following steps:
  1. Generate a random file.
  2. Generate a PEM file containing the private key of the agent and call it ita_prv<suffix>.pem. The HCL Workload Automation default PEM file is called ita_prvtws.pem.
  3. Save the password of the agent private key in a stash file (.sth file).
  4. Generate another PEM file and call it ita_pub<suffix>.pem. It must contain the certificate for the agent private key.
  5. Create a copy of the file created in Step 4 and call it ita_cert<suffix>.pem.
  6. Generate another PEM file and call it ita_ca_cert<suffix>.pem. This file must contain the certificate of both the agent and the Z controller or the dynamic domain manager to which the agent is connected.
  7. Open the ita.ini agent configuration file and set the values appropriate for your environment in the following properties:
    password_file=<stash_file_fullpath>
    random_file=<random_file_fullpath>
    cert_label=<label_agent_private_key>
    key_db_name=<suffix>
    key_repository_dir=<directory_ita_*<suffix>.pem>
    tcp_port=0
    ssl_port=<ssl_port_value>
    Where:
    stash_file_fullpath
    Specify the fully qualified path to the stash file that contains the agent private key password. This is the file that you created in Step 3. The default value is /opt/HCL/TWA_<TWS_user>/TWS/ITA/cpa/ita/cert/password.sth.
    random_file_fullpath
    Specify the fully qualified path to the random file. This is the file that you created in Step 1. The default value is /opt/HCL/TWA_<TWS_user>/TWS/ITA/cpa/ita/cert/TWS.rnd.
    label_agent_private_key
    Specify the label of the agent private key. The default is client.
    suffix
    Specify the suffix you used in the names of all the files that you generated. The default product value is tws.
    directory_ita_*<suffix>.pem
    Specify the directory that contains all the .pem files that you generated. The default directory is /opt/HCL/TWA_<TWS_user>/TWS/ITA/cpa/ita/cert.
    tcp_port_value
    Specify 0 as the TCP/IP port value.
    ssl_port_value
    Specify the value that was previously assigned to tcp_port. For example, if the TCP/IP port value was 31114, specify 31114.
  8. Stop the IBM i agent by using the following command:
    ShutDownLwa
  9. Start the IBM i agent by using the following command:
    StartUpLwa
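
A consistency check for the files and ita.ini properties from steps 1 to 7, as an added example that is not part of the HCL documentation or product. It assumes ita.ini holds the properties as plain key=value lines; read_props, check_agent_ssl and build_sample are hypothetical helper names, and the permission test is an extra hardening check that the page does not state.

```python
import os, stat
REQUIRED = ("password_file", "random_file", "cert_label", "key_db_name",
            "key_repository_dir", "tcp_port", "ssl_port")

def read_props(path):
    """Collect key=value lines (assumed layout); headers and comments skipped."""
    with open(path) as fh:
        pairs = (l.strip().partition("=") for l in fh
                 if "=" in l and not l.lstrip().startswith(("#", ";", "[")))
        return {k.strip(): v.strip() for k, _, v in pairs}

def check_agent_ssl(ini_path):
    """Return findings; an empty list means the layout matches steps 1-7."""
    p = read_props(ini_path)
    out = [f"missing property {k}" for k in REQUIRED if not p.get(k)]
    if out:
        return out
    if p["tcp_port"] != "0":
        out.append("tcp_port must be 0")
    if not (p["ssl_port"].isdigit() and 0 < int(p["ssl_port"]) < 65536):
        out.append("ssl_port is not a valid port")
    pem = {n: os.path.join(p["key_repository_dir"], f"ita_{n}{p['key_db_name']}.pem")
           for n in ("prv", "pub", "cert", "ca_cert")}
    files = dict(pem, password_file=p["password_file"], random_file=p["random_file"])
    missing = [f"{n} not found: {f}" for n, f in files.items() if not os.path.isfile(f)]
    if missing:
        return out + missing
    with open(pem["pub"], "rb") as a, open(pem["cert"], "rb") as b:
        if a.read() != b.read():  # step 5: ita_cert is a copy of ita_pub
            out.append("ita_cert differs from ita_pub")
    # Added hardening check (not on the page): key and stash file owner-only.
    for f in (pem["prv"], p["password_file"]):
        if os.stat(f).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            out.append(f"{f} is accessible to group/other")
    return out

def build_sample(root, suffix="tws"):
    """Constructed layout for a dry run: placeholder bytes, not real keys."""
    names = [f"ita_{n}{suffix}.pem" for n in ("prv", "pub", "cert", "ca_cert")]
    for name in names + ["password.sth", "TWS.rnd"]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"placeholder")
        os.chmod(os.path.join(root, name), 0o600)
    ini = os.path.join(root, "ita.ini")
    with open(ini, "w") as fh:
        fh.write(f"password_file={root}/password.sth\nrandom_file={root}/TWS.rnd\n"
                 f"cert_label=client\nkey_db_name={suffix}\n"
                 f"key_repository_dir={root}\ntcp_port=0\nssl_port=31114\n")
    return ini
```

Run check_agent_ssl against the real ita.ini before restarting the agent; build_sample only creates a throwaway layout in a directory you supply.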

After you complete the procedure, import the certificates into a RACF KEYRING or into a keystore created in UNIX System Services, depending on the method you use to store SSL certificates. Refer to the RACF or the UNIX System Services documentation accordingly.