HCL Workload Automation on Amazon Web Services

Configuring custom certificates

About this task

You can optionally replace the default certificates installed on the web HTTP server and on the agents with custom keys signed by a Certificate Authority (CA) and exported from a customer-owned key store. You can customize all available keys.

Use the customizeCerts command to replace the target key with a new self-signed key or user-provided key and update the keys on the backup domain manager and agents, if present. For more information, see customizeCerts command. The command also applies the changes in the keys to all affected key stores and, if necessary, updates the agent images which are available for download. A .zip file is prepared to be distributed to all installed agents so that changes are applied to the whole environment.

You can replace the default certificates with self-signed certificates or certificates signed by a CA, as described below. Follow the procedure that matches the type of certificate you plan to use, self-signed or CA-signed:

Perform the following steps to replace default certificates with self-signed certificates:
  1. On the master domain manager, run the following command to stop the HCL Workload Automation on AWS instance:
    sudo service hwa stop
  2. Log in as wauser and browse to /images/Infrastructure/Utilities/postconfigscripts.
  3. Run
    customizeCerts -create -WAPassword password_of_TWA_key_stores -DWCPassword password_of_DWC_key_stores -targetKey custom_key
    where
    WAPassword
    Is the password of the wauser user. The default value is default.
    DWCPassword
    Is the Dynamic Workload Console password. The default value is WebAS.
Perform the following steps to replace default certificates with certificates provided by a CA:
  1. On the master domain manager, run the following command to stop the HCL Workload Automation on AWS instance:
    sudo service hwa stop
  2. Log in as wauser and browse to /images/Infrastructure/Utilities/postconfigscripts.
  3. Run
    customizeCerts -load -webKey path_to_web_server_key -clientKey path_to_agent_key
    where
    • The webKey and agentKey options can be used either alone or in combination.
    • Keys are obtained by exporting a CA-signed personal certificate into a file. Using the GSKit command line to export the personal certificates is recommended, but not mandatory.
Depending on the results of the command, perform one of the following steps:
Command completes successfully
Run the following command to restart the HCL Workload Automation on AWS instance and proceed to the next steps, if applicable:
sudo service hwa start
Command completes with warnings
Manually launch the updateAgentDepot command located in /images/Infrastructure/Utilities/postconfigscripts.
Command completes with errors
The master domain manager is automatically rolled back to use the default certificates. Restart the master domain manager to complete the rollback procedure and contact HCL support.
After replacing the certificates, perform the following steps to apply the changes to the backup domain manager, if present:
  1. On the master domain manager, log in as wauser and browse to /images/Infrastructure/Utilities/postconfigscripts.
  2. Run
    customizeCerts -pack -file fully_qualified_path_to_zip_file
    If you do not specify a path, the following default value is used: /images/Infrastructure/Config/Certificates/packedCerts.zip.
  3. Copy the resulting .zip file to the backup domain manager in the default /images/Infrastructure/Config/Certificates path or in a custom path.
  4. On the backup domain manager, run the following command to stop the HCL Workload Automation on AWS instance:
    sudo service hwa stop
  5. Log in as wauser and browse to /images/Infrastructure/Utilities/postconfigscripts.
  6. Run
    customizeCerts -import -file fully_qualified_path_to_zip_file
Depending on the results of the command, perform one of the following steps:
Command completes successfully
Run the following command to restart the HCL Workload Automation on AWS instance and proceed to the next steps, if applicable:
sudo service hwa start
Command completes with errors
The backup domain manager is automatically rolled back to use the default certificates. Restart the backup domain manager to complete the rollback procedure and contact HCL support.
After configuring the backup domain manager, if present, perform the following steps on each agent to apply the changes to all agents in the environment:
  1. Copy the /images/Infrastructure/Config/Certificates/agentKeys.zip file from the master domain manager to all agents.
  2. Stop the agent using the ShutDownLwa command.
  3. Proceed as follows depending on the operating system installed on the agent:
    All operating systems, with the exception of IBM i
    1. Browse to agent_install_dir/TWS/ITA/cpa/ita/cert and create a backup copy of the TWSClientKeyStore.kdb and TWSClientKeyStore.sth files.
    2. Unzip the agentKeys.zip file.
    3. Copy the updated .kdb and .sth files to the agent_install_dir/TWS/ITA/cpa/ita/cert folder, and set the same ownership and permissions defined for the original files, if necessary.
    IBM i operating systems only
    1. Back up all files in agent_install_dir/TWS/ITA/cpa/ita/cert.
    2. Unzip the agentKeys.zip file.
    3. Replace the original files with the updated files and set the same ownership and permissions defined for the original files, if necessary.
  4. Restart the agent using the StartUpLwa command.
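
The agent-side key store replacement for operating systems other than IBM i (steps 1 to 3 above) can be scripted so that the backup is taken first and ownership and permissions are checked after the copy. The following is an added example, not HCL code. It assumes the agent is already stopped and agentKeys.zip is already unzipped into a staging directory; the function names and the sibling backup directory name are hypothetical.

```shell
#!/bin/sh
# Added example, not HCL code. Run on the agent after ShutDownLwa and after
# agentKeys.zip has been unzipped into a staging directory.
KEYFILES="TWSClientKeyStore.kdb TWSClientKeyStore.sth"

# Print "mode uid gid" of a file (portable: parses ls -ln).
file_meta() {
    ls -ln "$1" | awk '{print $1, $3, $4}'
}

# $1 = agent_install_dir/TWS/ITA/cpa/ita/cert
# $2 = staging directory holding the unzipped agentKeys.zip content
# Prints the backup directory on success; returns non-zero on any failure.
replace_agent_keystore() {
    cert_dir=${1%/}
    new_dir=$2
    # Assumption: backups go to a sibling directory, not inside cert_dir.
    backup_dir="$cert_dir.bak.$(date +%Y%m%d%H%M%S)"

    # Validate before touching anything: both files must exist on both sides.
    for f in $KEYFILES; do
        [ -s "$new_dir/$f" ] || { echo "missing or empty: $new_dir/$f" >&2; return 1; }
        [ -f "$cert_dir/$f" ] || { echo "no original: $cert_dir/$f" >&2; return 1; }
    done

    # Step 1: backup copy, kept private because the .sth file stashes the
    # key database password.
    mkdir -m 700 "$backup_dir" || return 1
    for f in $KEYFILES; do
        cp -p "$cert_dir/$f" "$backup_dir/$f" || return 1
    done

    # Step 3: overwrite in place, then confirm owner and mode did not drift
    # and that the installed file is byte-identical to the staged one.
    for f in $KEYFILES; do
        before=$(file_meta "$cert_dir/$f")
        cp "$new_dir/$f" "$cert_dir/$f" || return 1
        after=$(file_meta "$cert_dir/$f")
        if [ "$before" != "$after" ]; then
            echo "ownership/permissions changed on $f: $before -> $after" >&2
            return 1
        fi
        cmp -s "$new_dir/$f" "$cert_dir/$f" || return 1
    done
    echo "$backup_dir"
}
```

If the function returns non-zero after the backup step, restore the two files from the printed backup directory before restarting the agent with StartUpLwa.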

What to do next