HCL Workload Automation, Version 9.4

Creating a certificate for the HCL Workload Automation agent

Perform the following steps to create certificates that are signed by a local common trusted CA on every HCL Workload Automation agent in your network.
  1. Enter the following command to create a default CMS key database “client.kdb” with password “password02” that expires after 1000 days. The password is also stored in the stash file “client.sth”.
    gsk7capicmd -keydb -create -db client.kdb -pw password02 
        -stash -expire 1000 -fips
  2. Enter the following command to add the CA certificate as trusted in the CMS key database. The label “CA certificate client” is used to address that certificate.
    gsk7capicmd -cert -add -db client.kdb -pw password02 
        -label "CA certificate client" -trust enable -file CA.crt 
        -format ascii -fips
  3. Enter the following command to create the client certificate request based on a 2048-bit key, with label “Client TWS85 Certificate” and distinguished name “CN=Client TWS85,O=IBM,OU=TWS,C=IT”. The certificate request “client.csr” is generated and the private key is created in the key database “client.kdb”.
    gsk7capicmd -certreq -create -db client.kdb -pw password02 
        -label "Client TWS85 Certificate" -size 2048 -file client.csr 
        -dn "CN=Client TWS85,O=IBM,OU=TWS,C=IT" -fips
  4. Enter the following command so that the CA signs the client's certificate request and generates a new signed certificate in file “client.crt”.
    gsk7capicmd -cert -sign -db ca.kdb -pw password00 -label "CA certificate" 
         -target client.crt -expire 365 -file client.csr -fips
  5. Enter the following command to import the signed certificate “client.crt” in the CMS key database “client.kdb”.
    gsk7capicmd -cert -receive -db client.kdb -pw password02 -file client.crt -fips
You can repeat the steps above for each agent, or you can use the same certificate for all agents, depending on your security policies and HCL Workload Automation localopts configurations.
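
A check to run on the signed certificate before distributing it, added here as an example that is not part of the product documentation. It uses OpenSSL rather than gsk7capicmd and assumes CA.crt and client.crt are Base64 (PEM) files; the function name, return codes and 30-day expiry margin are choices made for this example.

```shell
#!/bin/sh
# Added example: sanity-check a signed agent certificate with OpenSSL.
# Usage: check_agent_cert CA_FILE CERT_FILE EXPECTED_CN [MIN_BITS] [MIN_DAYS_LEFT]
# Returns 0 = all checks pass, 1 = not signed by the CA, 2 = wrong CN,
#         3 = key too small, 4 = expires too soon.
check_agent_cert() {
    ca=$1 cert=$2 want_cn=$3 min_bits=${4:-2048} min_days=${5:-30}

    # 1. The certificate must chain to the local CA. Match the "OK" text
    #    rather than the exit status, which old OpenSSL releases leave at 0.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' || {
        echo "FAIL: $cert is not signed by $ca" >&2; return 1; }

    # 2. The subject CN must be the one requested in step 3.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case $subject in
        *"CN=$want_cn,"* | *"CN=$want_cn") ;;
        *) echo "FAIL: unexpected subject: $subject" >&2; return 2 ;;
    esac

    # 3. The public key must be at least MIN_BITS long.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] || {
        echo "FAIL: key is ${bits:-?} bits, need $min_bits" >&2; return 3; }

    # 4. The certificate must stay valid for at least MIN_DAYS_LEFT days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "FAIL: $cert expires within $min_days days" >&2; return 4; }

    echo "OK: $subject, $bits-bit key"
}

# Example call with the file names and CN used in the steps above:
#   check_agent_cert CA.crt client.crt "Client TWS85" 2048 30
```

If one certificate is shared by all agents, run the check once; otherwise run it for each agent's client.crt with that agent's CN.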