Using SSL for netman and conman
HCL Workload Automation provides a secure, authenticated, and encrypted connection mechanism for communication across the network topology. This mechanism is based on the Secure Sockets Layer (SSL) protocol and uses the OpenSSL Toolkit, which is automatically installed with HCL Workload Automation.
- CA trusting only
- Two workstations trust each other if each receives from the other a certificate that is signed or is trusted, that is, if the CA certificate is in the list of trusted CAs on each workstation. With this authentication level, a workstation does not perform any additional checks on certificate content, such as the distinguished name. Any signed or trusted certificate can be used to establish an SSL session. See Setting local options for a definition of the caonly option used by the ssl auth mode keyword.
- Check if the distinguished name matches a defined string
- Two workstations trust each other if, after receiving a trusted or signed certificate, each performs a further check by extracting the distinguished name from the certificate and comparing it with a string that was defined in its local options file. See Setting local options for a definition of the string option.
- Check if the distinguished name matches the workstation name
- Two workstations trust each other if, after receiving a signed or trusted certificate, each performs a further check by extracting the distinguished name from the certificate and comparing it with the unique ID of the workstation that sent the certificate. You can obtain the unique ID by using the ;showid composer filter. Only if the unique ID is empty can you use the name of the workstation instead of the unique ID. See Setting local options for a definition of the cpu option.
To provide SSL security for a domain manager attached to z/OS® in an end-to-end connection, configure the OS/390® Cryptographic Services System SSL in the HCL Workload Automation code that runs in the OS/390® USS UNIX® shell in the HCL Workload Automation for Z server address space. See the HCL Workload Automation for Z documentation.
- Use the same certificate for the entire network
- If the workstations are configured with CA trusting only, they accept connections from any other workstation that sends a signed or trusted certificate. To enforce authentication, you define a name or a list of names that must match the contents of the certificate distinguished name (DN) field in the localopts file of each workstation.
- Use a certificate for each domain
- Install private keys and signed certificates for each domain in the network. Then, configure each workstation to accept a connection only with partners whose certificate DN field contains the particular string defined in the localopts file of each workstation.
- Use a certificate for each workstation
- Install a different key and a signed certificate on each workstation and add a Trusted CA list containing the CA that signed the certificate. Then, configure each workstation to accept a connection only with partners whose workstation name, as recorded in the Symphony file, appears in the DN field of the certificate.