HCL Workload Automation, Version 9.4

Customizing the SSL connection between dynamic agents and a master domain manager or a dynamic domain manager using your certificates

Customizing the SSL connection between a master domain manager or a dynamic domain manager and dynamic agents connected to it using your certificates.

About this task

By default, communication between dynamic agents and the master domain manager or dynamic domain manager to which they are registered uses HTTPS with the product default certificates. If you customized the master domain manager or dynamic domain manager certificates and want to use your own certificates for this communication, you must also customize the agent certificates and configuration. To enable the communication between dynamic agents and a master domain manager or a dynamic domain manager, perform the following steps:
  1. Generate a .kdb CMS key store file. This file must contain a private key trusted by the master domain manager or the dynamic domain manager to which the agent is registered, and the public key of the master domain manager or the dynamic domain manager so that the agent can trust them. The private key present in TWSClientKeyStore.kdb on the agent must be trusted by the master domain manager; therefore, the agent's public certificate must be stored in TWSServerTrustFile.jks in the master domain manager.
    Note: If the private key is provided by a Certificate Authority, the entire certificate chain must be stored in the TWSServerTrustFile.jks file. For details, see the Certificate Authority documentation.
    The master domain manager's private key must also be trusted by the agent; therefore, the master domain manager's public certificate must be stored in TWSClientKeyStore.kdb in the master domain manager.
  2. Save the password of the key store in a stash file that has the same name as the file you generated in Step 1 and the extension .sth.
  3. Open the ita.ini agent configuration file and set the following properties to the values specific to your environment:
    cert_label=<label_agent_private_key>
    key_db_name=<file_name>
    key_repository_dir=<directory>
    Where:
    label_agent_private_key
    Specify the label of the agent private key that you want to use for the communication. The default is client.
    file_name
    Specify the name of the file without the extension. The default value is TWSClientKeyStore.
    directory
    Specify the directory that contains the files generated in Step 1 and in Step 2. The default path is /opt/HCL/TWA/TWS/ITA/cpa/ita/cert.
  4. Stop the IBM i agent by using the following command:
    ShutDownLwa
  5. Start the IBM i agent by using the following command:
    StartUpLwa
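
The file layout that Steps 1 to 3 require can be checked before the agent is restarted in Steps 4 and 5. The following shell script is an added example, not part of the HCL documentation or product: the function names and the stash-file permission check are assumptions of this example, and the defaults are the ones listed in Step 3.

```shell
#!/bin/sh
# Added example: preflight check of the ita.ini key store settings before restarting the agent.
# It does not open the key store, so it cannot confirm that cert_label exists inside it.

# Print the value of property $2 in file $1 (last assignment wins), or the default $3.
ini_get() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//')
    printf '%s\n' "${v:-$3}"
}

# Return 0 when the .kdb and .sth files that ita.ini ($1) points to are in place.
check_agent_keystore() {
    ini=$1 rc=0
    [ -r "$ini" ] || { echo "FAIL: cannot read $ini"; return 2; }
    # Defaults are the ones stated in the procedure.
    label=$(ini_get "$ini" cert_label client)
    name=$(ini_get "$ini" key_db_name TWSClientKeyStore)
    dir=$(ini_get "$ini" key_repository_dir /opt/HCL/TWA/TWS/ITA/cpa/ita/cert)
    echo "cert_label=$label key_db_name=$name key_repository_dir=$dir"
    case $name in
        *.kdb|*.sth) echo "FAIL: key_db_name must be given without the extension"; rc=1 ;;
    esac
    # Step 2: the stash file shares the key store's name and directory.
    for ext in kdb sth; do
        [ -f "$dir/$name.$ext" ] || { echo "FAIL: missing $dir/$name.$ext"; rc=1; }
    done
    # Assumption (hardening check added here, not from the page): the stash file
    # holds the key store password, so group/others should not be able to read it.
    sth=$dir/$name.sth
    if [ -f "$sth" ] && [ -n "$(find "$sth" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL: $sth is readable by group or others"; rc=1
    fi
    return $rc
}

# Demo on a constructed layout (temporary directory, empty placeholder files).
demo() {
    d=$(mktemp -d) && mkdir "$d/cert"
    printf '[constructed]\ncert_label=client\nkey_db_name=TWSClientKeyStore\nkey_repository_dir=%s/cert\n' "$d" > "$d/ita.ini"
    : > "$d/cert/TWSClientKeyStore.kdb"; : > "$d/cert/TWSClientKeyStore.sth"
    chmod 600 "$d/cert/TWSClientKeyStore.kdb" "$d/cert/TWSClientKeyStore.sth"
    check_agent_keystore "$d/ita.ini"; r=$?
    rm -rf "$d"; return $r
}

# Usage: sh check_keystore.sh /path/to/ita.ini   (no argument runs the demo)
if [ $# -gt 0 ]; then check_agent_keystore "$1"; else demo; fi
```

A non-zero exit status means the agent would be restarted against a key store or stash file that is missing, misnamed, or too widely readable.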