HCL Workload Automation, Version 9.4

Enabling server-to-server trust

Use this procedure to enable the nodes of a High Availability configuration to connect to each other and send notifications.

About this task

These steps are required to enable a High Availability configuration between the participating nodes: every node must hold the signer certificate of every other node before the nodes can open trusted connections to each other. Complete these steps on each node.

Procedure

  1. In a text editor, open the ssl.client.props file in the JazzSM_profile_dir/properties directory. The default path for JazzSM_profile_dir is /opt/IBM/JazzSM/profile.
  2. Uncomment the section that starts with com.ibm.ssl.alias=AnotherSSLSettings so that it looks like this (the last five properties stay commented out):
    com.ibm.ssl.alias=AnotherSSLSettings
    com.ibm.ssl.protocol=SSL_TLS
    com.ibm.ssl.securityLevel=HIGH
    com.ibm.ssl.trustManager=IbmX509
    com.ibm.ssl.keyManager=IbmX509
    com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.enableSignerExchangePrompt=true
    #com.ibm.ssl.keyStoreClientAlias=default
    #com.ibm.ssl.customTrustManagers=
    #com.ibm.ssl.customKeyManager=
    #com.ibm.ssl.dynamicSelectionInfo=
    #com.ibm.ssl.enabledCipherSuites=
  3. Uncomment and modify the section that starts with com.ibm.ssl.trustStoreName=AnotherTrustStore so that it looks like this:
    com.ibm.ssl.trustStoreName=AnotherTrustStore
    com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
    com.ibm.ssl.trustStorePassword=trustStore_password
    com.ibm.ssl.trustStoreType=PKCS12
    com.ibm.ssl.trustStoreProvider=IBMJCE
    com.ibm.ssl.trustStoreFileBased=true
    com.ibm.ssl.trustStoreReadOnly=false

    where trustStore_password is the password of the trust store; the default is WebAS. The trustStoreType must match the format of the file: trust.p12 is a PKCS12 store, and declaring it as JKS prevents the client from opening it.

    Example:
    com.ibm.ssl.trustStore=JazzSM_profile_dir/etc/trust.p12
    com.ibm.ssl.trustStorePassword=WebAS
    com.ibm.ssl.trustStoreType=PKCS12
    Note: This example is valid only if the default HCL Workload Automation certificates are in use. The password is stored in clear text in ssl.client.props; to encrypt it, run the encryptProfileProperties script from the wastools directory, as described in Application server - encrypting the profile properties files.
  4. In the AnotherTrustStore section, set the com.ibm.ssl.trustStore property to the trust store that the signers are to be added to, replacing the default value ${user.root}/etc/trust.p12 with the path of your trust store. Example:
    com.ibm.ssl.trustStore=${user.root}/config/cells/JazzSMNode01Cell/nodes/JazzSMNode01/trust.p12
    After the update, the section must look like this:
    com.ibm.ssl.trustStoreName=AnotherTrustStore
    com.ibm.ssl.trustStore=${user.root}/config/cells/JazzSMNode01Cell/nodes/JazzSMNode01/trust.p12
    com.ibm.ssl.trustStorePassword=trustStore_password
    com.ibm.ssl.trustStoreType=PKCS12
    com.ibm.ssl.trustStoreProvider=IBMJCE
    com.ibm.ssl.trustStoreFileBased=true
    com.ibm.ssl.trustStoreReadOnly=false
    Keep com.ibm.ssl.trustStoreReadOnly=false: the retrieveSigners command in step 8 must be able to write the retrieved signer certificates into this store.
  5. Save your changes to ssl.client.props.
  6. Stop and restart the Jazz™ for Service Management application server:
    1. In the JazzSM_profile_dir/bin directory, for a server named server1, run the following command:
      On Windows
      stopServer.bat server1
      On UNIX and Linux
      stopServer.sh server1
      Note: You are prompted for an administrator user name and password.
    2. In the same directory, run the following command:
      On Windows
      startServer.bat server1
      On UNIX and Linux
      startServer.sh server1
  7. Complete all of the steps so far on each node before you continue with the remaining steps.
  8. Run the following command on each node, once for each myremotehost (that is, for every other node that you want to enable trust with) in the High Availability configuration:
    On Windows:
    JazzSM_profile_dir\bin\retrieveSigners.bat NodeDefaultTrustStore AnotherTrustStore -host myremotehost -port remote_SOAP_port
    On UNIX and Linux:
    JazzSM_profile_dir/bin/retrieveSigners.sh NodeDefaultTrustStore AnotherTrustStore -host myremotehost -port remote_SOAP_port
    where myremotehost is the host name of the node to enable trust with, and remote_SOAP_port is the SOAP connector port of that node (16313 by default). If you installed with non-default ports, use the showHostProperties utility to check the SOAP port number, as described in Changing host properties. The command fetches the signer certificate from the remote node's NodeDefaultTrustStore and adds it to the local AnotherTrustStore. Because it trusts whatever answers on that host and port, compare the SHA digest it reports for each added signer with the certificate on the remote node before relying on the new trust relationship.
  9. Stop and restart WebSphere Application Server with the scripts in the TWA_home\wastools directory (stopWas.sh and startWas.sh on UNIX and Linux):
    1. stopWas.bat -direct -user ldapuser -password ldappwd
    2. startWas.bat -direct -user ldapuser -password ldappwd
    where ldapuser and ldappwd are the application server administrator user name and password.

Example

In this example, the High Availability configuration consists of two Microsoft Windows nodes named myserver1 and myserver2. The command entered on myserver1:
retrieveSigners.bat NodeDefaultTrustStore AnotherTrustStore -host myserver2 -port 16313
The command entered on myserver2:
retrieveSigners.bat NodeDefaultTrustStore AnotherTrustStore -host myserver1 -port 16313
Enter the Dynamic Workload Console user name and password when prompted.
The following is the same exchange between two Linux nodes, abc.rome.example.com and xyz.rome.example.com, using the default SOAP port. The command entered on abc.rome.example.com:
./retrieveSigners.sh NodeDefaultTrustStore AnotherTrustStore -host xyz.rome.example.com -port 16313
The command entered on xyz.rome.example.com:
./retrieveSigners.sh NodeDefaultTrustStore AnotherTrustStore -host abc.rome.example.com -port 16313
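The following shell script is an added example, not HCL Workload Automation tooling and not part of the original page. It automates steps 2 to 4 and step 8 of the procedure on a UNIX or Linux node and adds the check a practitioner wants before restarting the server: that the AnotherTrustStore section is really active and that trustStoreType matches the trust store file (a .p12 file must be PKCS12). It runs against a constructed fragment of ssl.client.props, so it can be tried without a Jazz for Service Management profile; JAZZSM_PROFILE_DIR, the DRY_RUN switch, the peer list and the function names are assumptions of the example. Step 8 is issued once per peer, skipping the local node, as in the two-node examples above.

```shell
#!/bin/sh
# Added example, not HCL tooling. Assumptions: the profile lives at
# JAZZSM_PROFILE_DIR (default /opt/IBM/JazzSM/profile); DRY_RUN=1 prints the
# step-8 commands instead of running them.
JAZZSM_PROFILE_DIR=${JAZZSM_PROFILE_DIR:-/opt/IBM/JazzSM/profile}

# Constructed fragment of a stock ssl.client.props: the default client SSL
# settings (must stay untouched) and the two commented-out "Another" sections.
make_sample_props() {   # make_sample_props FILE
  cat > "$1" <<'EOF'
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12

#com.ibm.ssl.alias=AnotherSSLSettings
#com.ibm.ssl.protocol=SSL_TLS
#com.ibm.ssl.securityLevel=HIGH
#com.ibm.ssl.trustManager=IbmX509
#com.ibm.ssl.keyManager=IbmX509
#com.ibm.ssl.contextProvider=IBMJSSE2
#com.ibm.ssl.enableSignerExchangePrompt=true
#com.ibm.ssl.keyStoreClientAlias=default
#com.ibm.ssl.customTrustManagers=

# TrustStore information
#com.ibm.ssl.trustStoreName=AnotherTrustStore
#com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
#com.ibm.ssl.trustStorePassword=WebAS
#com.ibm.ssl.trustStoreType=PKCS12
#com.ibm.ssl.trustStoreProvider=IBMJCE
#com.ibm.ssl.trustStoreFileBased=true
#com.ibm.ssl.trustStoreReadOnly=false
EOF
}

# Steps 2-4: uncomment the AnotherSSLSettings and AnotherTrustStore sections
# and point AnotherTrustStore at TS_PATH. A section ends at the first blank
# line, so nothing outside the two sections is modified; keyStoreClientAlias
# and the other optional properties stay commented, as the procedure shows.
enable_another_truststore() {   # enable_another_truststore PROPS TS_PATH [TS_PASS]
  props=$1; ts_path=$2; ts_pass=${3:-WebAS}
  tmp="$props.tmp.$$"
  awk -v ts_path="$ts_path" -v ts_pass="$ts_pass" '
    /^#?com\.ibm\.ssl\.alias=AnotherSSLSettings$/         { in_ssl = 1 }
    /^#?com\.ibm\.ssl\.trustStoreName=AnotherTrustStore$/ { in_ts = 1 }
    /^[ \t]*$/                                            { in_ssl = 0; in_ts = 0 }
    in_ssl && /^#com\.ibm\.ssl\.(alias|protocol|securityLevel|trustManager|keyManager|contextProvider|enableSignerExchangePrompt)=/ { sub(/^#/, "") }
    in_ts && /^#com\.ibm\.ssl\.trustStore/         { sub(/^#/, "") }
    in_ts && /^com\.ibm\.ssl\.trustStore=/         { $0 = "com.ibm.ssl.trustStore=" ts_path }
    in_ts && /^com\.ibm\.ssl\.trustStorePassword=/ { $0 = "com.ibm.ssl.trustStorePassword=" ts_pass }
    { print }
  ' "$props" > "$tmp" && mv "$tmp" "$props"
}

# Value of KEY inside the active AnotherTrustStore section (empty if the
# section is still commented out or the key is absent).
another_truststore_value() {   # another_truststore_value PROPS KEY
  awk -v key="$2" '
    /^com\.ibm\.ssl\.trustStoreName=AnotherTrustStore$/ { in_ts = 1 }
    /^[ \t]*$/                                           { in_ts = 0 }
    in_ts && index($0, key "=") == 1 { print substr($0, length(key) + 2) }
  ' "$1"
}

# Pre-restart check: both sections are active and trustStoreType agrees with
# the trust store file (.p12 is PKCS12, .jks is JKS); anything else fails.
check_another_truststore() {   # check_another_truststore PROPS
  grep -q '^com\.ibm\.ssl\.alias=AnotherSSLSettings$' "$1" || return 1
  ts=$(another_truststore_value "$1" com.ibm.ssl.trustStore)
  type=$(another_truststore_value "$1" com.ibm.ssl.trustStoreType)
  case "$ts" in
    *.p12) [ "$type" = PKCS12 ] ;;
    *.jks) [ "$type" = JKS ] ;;
    *)     return 1 ;;
  esac
}

# Step 8: retrieve the signer of every other node into AnotherTrustStore.
# SELF is this node's host name and is skipped; PORT is the remote SOAP port.
exchange_signers() {   # exchange_signers SELF PORT PEER...
  self=$1; port=$2; shift 2
  for peer in "$@"; do
    [ "$peer" = "$self" ] && continue
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s\n' "$JAZZSM_PROFILE_DIR/bin/retrieveSigners.sh NodeDefaultTrustStore AnotherTrustStore -host $peer -port $port"
    else
      "$JAZZSM_PROFILE_DIR/bin/retrieveSigners.sh" NodeDefaultTrustStore AnotherTrustStore -host "$peer" -port "$port" || return 1
    fi
  done
}

# Demonstration on the constructed sample; no real profile is modified.
sample=$(mktemp)
make_sample_props "$sample"
enable_another_truststore "$sample" '${user.root}/config/cells/JazzSMNode01Cell/nodes/JazzSMNode01/trust.p12'
if check_another_truststore "$sample"; then echo "AnotherTrustStore section is active and consistent"; fi
DRY_RUN=1 exchange_signers abc.rome.example.com 16313 abc.rome.example.com xyz.rome.example.com
rm -f "$sample"
```

The password stays at the default WebAS unless a third argument is given, and it is written in clear text exactly as a manual edit would leave it; run the encryptProfileProperties script afterwards, as the procedure notes, and keep ssl.client.props readable only by the application server user. On a real node, drop DRY_RUN=1 and expect retrieveSigners.sh to prompt for the Dynamic Workload Console credentials once per peer.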