Creating a certificate for the HCL Workload Automation agent
Perform the following steps to create certificates that are signed
by a local common trusted CA on every HCL Workload Automation agent
in your network.
- Enter the following command to create a default CMS key database
“client.kdb” with password “password02” that expires after 1000 days.
The password is also stored in the stash file “client.sth”.
gsk7capicmd -keydb -create -db client.kdb -pw password02 -stash -expire 1000 -fips
- Enter the following command to add the CA certificate as trusted
in the CMS key database. The label “CA certificate client” is used
to address that certificate.
gsk7capicmd -cert -add -db client.kdb -pw password02 -label "CA certificate client" -trust enable -file CA.crt -format ascii -fips
- Enter the following command to create the client certificate request
based on a 2048-bit key, with label “Client TWS85 Certificate” and
distinguished name “CN=Client TWS85,O=IBM,OU=TWS,C=IT”.
The certificate request “client.csr” is generated and the private
key is created in the key database client.kdb.
gsk7capicmd -certreq -create -db client.kdb -pw password02 -label "Client TWS85 Certificate" -size 2048 -file client.csr -dn "CN=Client TWS85,O=IBM,OU=TWS,C=IT" -fips
- Enter the following command so that the CA signs the client's
certificate request and generates a new signed certificate in the file “client.crt”.
gsk7capicmd -cert -sign -db ca.kdb -pw password00 -label "CA certificate" -target client.crt -expire 365 -file client.csr -fips
- Enter the following command to import the signed certificate “client.crt”
into the CMS key database “client.kdb”.
gsk7capicmd -cert -receive -db client.kdb -pw password02 -file client.crt -fips
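
Because the -stash option in the first step writes the key database password to “client.sth”, any account that can read both “client.sth” and “client.kdb” can open the database and use the agent's private key. The following check is an added example, not part of the product documentation: it reports when either file, or the directory holding them, is accessible beyond the owner. The function name check_keystore_perms and the owner-only policy are assumptions.

```sh
#!/bin/sh
# Added example, not from the product documentation.
# File names client.kdb / client.sth come from the steps above; the function
# name and the owner-only policy are assumptions made for this check.

# check_keystore_perms DIR [BASENAME]
# Prints one line per finding. Returns 0 when the key database and stash file
# exist, are regular files, and grant nothing to group or others.
check_keystore_perms() {
    dir=$1
    base=${2:-client}
    rc=0

    # A directory writable by group/others lets another user swap the files.
    dmode=$(ls -ld -- "$dir" 2>/dev/null | cut -c1-10)
    case $dmode in
        d????-??-?) ;;
        *) echo "FINDING $dir: mode '$dmode' is group/other-writable or not a directory"
           rc=1 ;;
    esac

    for ext in kdb sth; do
        f=$dir/$base.$ext
        # Reject symlinks too: the real target may live somewhere less protected.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FINDING $f: missing or not a regular file"
            rc=1
            continue
        fi
        fmode=$(ls -ld -- "$f" | cut -c1-10)
        case $fmode in
            -???------) ;;
            *) echo "FINDING $f: mode $fmode, expected owner-only (chmod 600)"
               rc=1 ;;
        esac
    done
    return $rc
}

# Run directly as: sh check_keystore.sh /path/to/keystore/dir [basename]
if [ "$#" -gt 0 ]; then
    check_keystore_perms "$@"
fi
```

Run it against the directory that holds client.kdb after the last step, as the user that owns the agent installation.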