Using SSL for netman and conman
HCL Workload Automation provides a secure, authenticated, and encrypted connection mechanism for communication across the network topology. This mechanism is based on the Secure Sockets Layer (SSL) protocol and uses the OpenSSL Toolkit, which is automatically installed with HCL Workload Automation.
The SSL protocol is based on a private and public key methodology.
SSL provides the following authentication methods:
- CA trusting only: Two workstations trust each other if each receives from the other a certificate that is signed or trusted, that is, if the CA certificate is in the list of trusted CAs on each workstation. With this authentication level, a workstation does not perform any additional checks on certificate content, such as the distinguished name. Any signed or trusted certificate can be used to establish an SSL session. See Setting local options for a definition of the caonly option used by the ssl auth mode keyword.
- Check if the distinguished name matches a defined string: Two workstations trust each other if, after receiving a trusted or signed certificate, each performs a further check by extracting the distinguished name from the certificate and comparing it with a string that was defined in its local options file. See Setting local options for a definition of the string option.
- Check if the distinguished name matches the workstation name: Two workstations trust each other if, after receiving a signed or trusted certificate, each performs a further check by extracting the distinguished name from the certificate and comparing it with the name of the workstation that sent the certificate. See Setting local options for a definition of the cpu option.
To provide SSL security for a domain manager attached to z/OS® in an end-to-end connection, configure the OS/390® Cryptographic Services System SSL in the HCL Workload Automation code that runs in the OS/390 USS UNIX shell in the IBM Workload Scheduler for z/OS server address space. See the HCL Workload Automation z/OS documentation.
When configuring SSL you can:
- Use the same certificate for the entire network: If the workstations are configured with CA trusting only, they accept connections with any other workstation that sends a signed or trusted certificate. To enforce the authentication, you define, in the localopts file of each workstation, a name or a list of names that must match the contents of the certificate distinguished name (DN) field.
- Use a certificate for each domain: Install private keys and signed certificates for each domain in the network. Then, in the localopts file of each workstation, configure the workstation to accept a connection only with partners whose certificate DN field contains a particular string.
- Use a certificate for each workstation: Install a different key and a signed certificate on each workstation and add a Trusted CA list containing the CA that signed the certificate. Then, configure each workstation to accept a connection only with partners whose workstation name, as specified in the Symphony file, is recorded in the DN field of the certificate.