HCL Workload Automation, Version 9.4

Using Dynamic Workload Console and FIPS

About this task

To ensure that you connect to Dynamic Workload Console using FIPS, perform the following steps:
  1. Enable Transport Layer Security (TLS) in your browser as follows:
    • To enable TLS in Internet Explorer, open the browser and click Tools > Internet Options. On the Advanced tab, select Use TLS 1.0.
    • To enable TLS in Mozilla Firefox, open the browser and click Tools > Options > Advanced. On the Encryption tab, select Use TLS 1.0.
    • To enable TLS on other internet browsers, see the product documentation for that browser.
  2. Depending on your configuration, perform one of the following procedures:
    • Dynamic Workload Console on a WebSphere Application Server:
    • Dynamic Workload Console with a DB2 settings repository:
      • Ensure that DB2 is FIPS-compliant. See Configuring DB2 for FIPS.
      • Ensure that DB2 and Dynamic Workload Console trust each other by exchanging their certificates between their truststores. Using default certificates:
        • Keystore for Dynamic Workload Console:
          C:\Program Files\HCL\JazzSM\profile\config\cells\JazzSMNode01Cell\nodes\JazzSMNode01\key.p12
        • Truststore for Dynamic Workload Console:
          C:\Program Files\HCL\JazzSM\profile\config\cells\JazzSMNode01Cell\nodes\JazzSMNode01\trust.p12
        • ssl_svr_keydb (path of the key database file) configured for Dynamic Workload Console in FIPS:
          C:\Program Files\HCL\TWA\TWS\ssl\GSKit\TWSClientKeyStore.kdb
        • Extract Dynamic Workload Console certificate:
          "C:\Program Files (x86)\HCL\WebSphere\AppServer\java_1.8_64\jre\bin\ikeycmd" -cert -extract -db <DWC keystore> -label default -target c:\temp\tdwc.arm -pw WebAS
        • Extract DB2 certificate:
          "C:\Program Files (x86)\HCL\WebSphere\AppServer\java_1.8_64\jre\bin\ikeycmd" -cert -extract -db <ssl_svr_keydb> -label client -target c:\temp\db2.arm -pw default
        • Import Dynamic Workload Console certificate into DB2 ssl_svr_keydb:
          "C:\Program Files (x86)\HCL\WebSphere\AppServer\java_1.8_64\jre\bin\ikeycmd" -cert -add -db <ssl_svr_keydb> -file "c:\temp\tdwc.arm" -label tdwc -pw default -type cms -trust enable
        • Import DB2 certificate into Dynamic Workload Console truststore:
          "C:\Program Files (x86)\HCL\WebSphere\AppServer\java_1.8_64\jre\bin\ikeycmd" -cert -add -db <DWC truststore> -file "c:\temp\db2.arm" -label db2 -pw WebAS -type pkcs12 -trust enable
    1. To ensure the required SSL connection between DB2 and Dynamic Workload Console, perform the following procedure:
      1. Go to the HCL Workload Automation wastools directory and modify the TDWCDataSource properties to include the following parameters:
        useSslConnection=true
        deleteAndRecreate=true
        databasePort=nnnnn
        where nnnnn is the SSL DB2 port number.
      2. Run installTDWCDataSource by entering the following commands:
        UNIX and Linux operating systems:
          InstallTDWCDataSource.sh TDWCDataSource.properties
        Windows operating systems:
          InstallTDWCDataSource.bat TDWCDataSource.properties
    2. Restart the WebSphere Application Server and DB2.
  3. If you are using Dynamic Workload Broker, set up a secure connection by performing the following steps:
    1. In Dynamic Workload Console, access Dynamic Workload Broker and expand the Configuration menu.
    2. Click Server Connections.
    3. In the Server Connections screen, select Use Secure Connection.
    4. Click OK.
  4. If you want to configure an SSL connection with an IBM Workload Scheduler for z/OS engine, launch one of the following utilities, setting the useSSL parameter to true:
    createZosEngine
    Use this utility if you have not yet created a connection with an IBM Workload Scheduler for z/OS engine.
    • On Windows operating systems, launch: \wastools\createZosEngine.bat
    • On UNIX and Linux operating systems, launch: /wastools/createZosEngine.sh
    updateZosEngine
    Use this utility if you have already created a connection with an IBM Workload Scheduler for z/OS engine and you want to update its configuration.
    • On Windows operating systems, launch: \wastools\updateZosEngine.bat
    • On UNIX and Linux operating systems, launch: /wastools/updateZosEngine.sh
Note: To enable communication between Dynamic Workload Console and DB2, configure the Java system properties in Dynamic Workload Console to use the trustStore. To do this, set the following Java system properties:
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
For more information, see the DB2 documentation.
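
The TDWCDataSource properties change in step 2 is easy to get wrong, for example by leaving the nnnnn placeholder in place or by a second useSslConnection line overriding the first. The following pre-flight check is an added example, not part of the product or of the original page; the function names, the non_ssl_port parameter and the sample port numbers are assumptions made for illustration.

```python
# Added example: pre-flight check for TDWCDataSource.properties.
# Assumption: the file uses the plain "key=value" subset of Java
# .properties syntax; only the three keys named on this page are checked.
REQUIRED = {"useSslConnection": "true", "deleteAndRecreate": "true"}
CHECKED = set(REQUIRED) | {"databasePort"}

def parse_properties(text):
    """Return (values, duplicates). The last definition of a key wins,
    as it does when Java loads a .properties file."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in values and key not in duplicates:
            duplicates.append(key)
        values[key] = value
    return values, duplicates

def check_datasource(text, non_ssl_port=None):
    """Return a list of findings; an empty list means the settings match.
    non_ssl_port (hypothetical parameter) is the site's plain DB2 port."""
    values, duplicates = parse_properties(text)
    findings = [f"{key} is defined more than once; the last value wins"
                for key in duplicates if key in CHECKED]
    for key, wanted in REQUIRED.items():
        if values.get(key) != wanted:
            findings.append(f"{key} must be {wanted}, found {values.get(key)!r}")
    port = values.get("databasePort", "")
    if not port.isdecimal() or not 1 <= int(port) <= 65535:
        findings.append(f"databasePort is not a valid port number: {port!r}")
    elif non_ssl_port is not None and int(port) == non_ssl_port:
        findings.append(f"databasePort {port} is the non-SSL DB2 port")
    return findings

# Constructed sample inputs; the port numbers are made up for the example.
GOOD = "# constructed\nuseSslConnection=true\ndeleteAndRecreate=true\ndatabasePort=50001\n"
BAD = ("useSslConnection=true\ndeleteAndRecreate=true\n"
       "databasePort=nnnnn\nuseSslConnection=false\n")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        findings = check_datasource(text, non_ssl_port=50000)
        print(name, "ok" if not findings else findings)
```

Run the check against the edited properties file before running InstallTDWCDataSource, passing the port your DB2 instance uses for non-SSL connections as non_ssl_port.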