HCL Workload Automation, Version 9.4

Set up the SSL environment

This section describes how to set up SSL protection for the connection between your agent for z/OS and HCL Workload Automation.

To provide SSL security for the HTTP connection between the agent for z/OS and the dynamic workload broker of HCL Workload Automation, in the HTTPOPTS initialization statement:
  • Set the SSL and/or TDWBSSL keywords to Yes
  • Provide values for the SSL-related keywords
  • Select SSL-enabled ports for the two connecting counterparts in the PORTNUMBER (for the agent) and TDWBPORTNUMBER (for dynamic workload broker) keywords

Using security certificates

When you install the agent, the following default security certificates are automatically stored in the SEELDATA library:
EELCERCL
The security certificate for the HTTP client (the dynamic workload broker).
EELCERSR
The security certificate for the HTTP server (the agent for z/OS).

Unless you already did so while running the EELINST installation aid (panel 4/5), or unless you already use SSL with IBM Workload Scheduler for z/OS, you must choose between using these default certificates or creating your own. In both cases, you need to manually import them into your security system. If you are using RACF®, you are provided with the EELRCERT sample job that imports the certificates. To run this job, ensure that you use the same user ID that RACF associates with the agent for z/OS started task.

The EELRCERT job:
  • Copies the EELCERCL and the EELCERSR certificates to temporary sequential data sets.
  • Imports EELCERCL and EELCERSR to RACF.
  • Deletes the temporary sequential data sets.
  • Creates the SAF key ring that is used to connect the imported certificates.
  • Updates the RACF database with the new certificates and key ring.