Migrating a network to full SSL connection security
About this task
Run the following steps to migrate your HCL Workload Automation version
8.3 production environment to full SSL connection security support.
The scenario assumes that the network already runs on non-full SSL;
that is, that the master and all the agents have:
- The securitylevel attribute set to enabled, on, or force in their workstation definition. On the master it is set to enabled.
- Either the nm port or the nm SSL port local option configured and the port number set as the value of the secureaddr attribute in their workstation definition.
- Group or individual private keys and certificates.
Proceed as follows:
- Upgrade all the agents. The objective is to upgrade locally every agent in the network (including the master domain manager). You can perform this step over several days. On the master and on every agent:
  - Install the fix containing the full SSL support feature.
  - Add the nm SSL full port local option and set it to a port number.
  At this stage, the network is still operating on non-full SSL connection security.
- Enable full SSL support in the network. Perform this step in one single time slot. To do this:
  - Check that no firewall blocks the connection between the agents and their domain manager (and, optionally, the master domain manager).
  - In the workstation definition of the master and of every agent, set the value of the secureaddr attribute to the port number you configured for the nm SSL full port local option.
  - Use Optman to set the enSSLFullConnection global option to yes in the database.
  - Run JnextPlan -for 0000 to make these settings operational.
  At this stage, the network is operating on full SSL connection security. Any agents left on SSL security can no longer communicate with the rest of the full SSL security network.
  The upgraded workstations still have the old SSL and TCP ports open in listening mode. The aim of the final step is to close them down.
- Disable the old SSL and TCP ports on the master and on every agent. You can perform this step over several days. To do this, edit the local options file of every workstation as follows:
  - On the workstations that have the securitylevel attribute set to enabled or on, set the nm SSL port local option to 0.
  - On the workstations that have the securitylevel attribute set to force, set both the nm port and nm SSL port local options to 0.
  At this stage, all the agents operate with the new SSL connections, and all agents set to securitylevel=force listen only on the new SSL full port. From now on:
  - No bytes are sent in clear.
  - No active services are left in clear.
  - No TCP ports are left in listening mode on agents with securitylevel=force.
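The end state of the procedure above (nm SSL full port set, secureaddr pointing at it, the old nm SSL port closed everywhere, and nm port closed as well on securitylevel=force workstations) is easy to verify per workstation before declaring the migration complete. The following checker is an added example, not code from the HCL Workload Automation product or its documentation. It assumes that the local options file is written as `option name = value` lines (with `#` comment lines), and the port numbers it uses are constructed placeholders, not values from any real installation.

```python
"""Post-migration check for full SSL connection security (added example).

Parses a localopts fragment and, given the workstation's securitylevel and
secureaddr values plus the enSSLFullConnection global option, reports what
still departs from the end state of the migration procedure. The
'name = value' line layout of localopts is an assumption of this example;
the port numbers below are constructed sample values.
"""
import re
from typing import Dict, List

# Constructed sample localopts fragments (port numbers are placeholders).
LOCALOPTS_BEFORE_FINAL_STEP = """\
# state after the upgrade step: all three listeners still configured
nm port = 31111
nm SSL port = 31113
nm SSL full port = 31114
"""

LOCALOPTS_FORCE_AFTER_FINAL_STEP = """\
nm port = 0
nm SSL port = 0
nm SSL full port = 31114
"""

LOCALOPTS_ENABLED_AFTER_FINAL_STEP = """\
nm port = 31111
nm SSL port = 0
nm SSL full port = 31114
"""

_OPTION_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(\S+)\s*$")


def parse_localopts(text: str) -> Dict[str, str]:
    """Return {option name (lowercased): value} for 'name = value' lines.

    Blank lines and '#' comment lines are skipped; option names keep their
    internal spaces (e.g. 'nm ssl full port')."""
    options: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _OPTION_RE.match(line)
        if m:
            options[m.group(1).strip().lower()] = m.group(2)
    return options


def check_full_ssl_state(options: Dict[str, str], securitylevel: str,
                         secureaddr: int, en_ssl_full_connection: bool) -> List[str]:
    """Return findings for one workstation; an empty list means it matches
    the end state the procedure describes for its securitylevel."""
    findings: List[str] = []
    level = securitylevel.lower()
    full_port = options.get("nm ssl full port", "0")
    ssl_port = options.get("nm ssl port", "0")
    tcp_port = options.get("nm port", "0")

    if not en_ssl_full_connection:
        findings.append("enSSLFullConnection global option is not set to yes")
    if full_port == "0":
        findings.append("nm SSL full port is not configured")
    elif str(secureaddr) != full_port:
        findings.append(f"secureaddr {secureaddr} does not match nm SSL full port {full_port}")
    if ssl_port != "0":
        findings.append(f"old nm SSL port {ssl_port} is still open")
    # Only securitylevel=force workstations are required to close the TCP port.
    if level == "force" and tcp_port != "0":
        findings.append(f"nm port {tcp_port} is still open on a securitylevel=force workstation")
    return findings


if __name__ == "__main__":
    for name, text, level in [
        ("before final step / force", LOCALOPTS_BEFORE_FINAL_STEP, "force"),
        ("after final step / force", LOCALOPTS_FORCE_AFTER_FINAL_STEP, "force"),
        ("after final step / enabled", LOCALOPTS_ENABLED_AFTER_FINAL_STEP, "enabled"),
    ]:
        result = check_full_ssl_state(parse_localopts(text), level, 31114, True)
        print(f"{name}: {'OK' if not result else result}")
```

Run it against each workstation's localopts together with the securitylevel and secureaddr values from its workstation definition; a workstation that still reports the old nm SSL port (or, on securitylevel=force, the nm port) as open has not completed the final step.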