How to Secure a 10.2.1 Agent in the HCL Workload Automation 9.5 Environment Using Default Certificates

To foster infrastructure security, in the WA 10.2.1 version, the default certificates are created in a more secure way compared to previous versions of the product. The default certificate format is changed from jks to pem.

If you install a 10.2.1 dynamic agent in a 9.5 environment that is working with the default certificates, you have to import the brand new, more secure certificates (10.2.1) into the existing 9.5 master domain manager to enable the communication.

How Do You Enable This Communication?

After converting the default certificates of the 9.5 master domain manager to pem format, you can choose one of the following ways:

PROC 1: Select a path of your choice on the workstation where you plan to install the dynamic agent by using the parameter sslkeysfolder. For more information about the agent installation parameters, see: https://www.ibm.com/docs/en/workload-automation/10.2.1?topic=agents-agent-installation-parameters-twsinst-script

PROC 2: Move them to the ❮twa_data_dir❯/ssl/depot directory of the master domain manager and install the agent by using the wauser and wapassword parameters. The difference between PROC 2 and PROC 1 is that in this latter case, the certificates are downloaded from the master domain manager depot folder instead of being passed during the installation phase.

For more information about the agent installation parameters, see: https://www.ibm.com/docs/en/workload-automation/10.2.1?topic=agents-agent-installation-parameters-twsinst-script

To convert the certificates from jks to pem format, perform the following steps:

1. Browse the ❮twa_data_dir❯/usr/servers/engineServer/resources/security folder and run the following commands to extract the master domain manager certificates:

keytool -importkeystore -srckeystore TWSServerKeyFile.jks -destkeystore server.p12 -deststoretype pkcs12

These commands ask you for a destination keystore password and the source keystore password and generates the server.p12 file:

openssl pkcs12 -in server.p12 -nocerts -out tls.key

openssl pkcs12 -in server.p12 -nokeys -clcerts -out tls.crt

where the tls.key file generated is the private key and the tls.crt file generated is the public key.

2. Copy the contents of the tls.crt file into a new file named ca.crt.

3. Create a file named tls.sth containing the passphrase you have specified for creating the .p12 certificate in step 1, encoded in base64 format. To create the tls.sth file, you can use the following command:

secure -password your_password -base64 e -out tls.sth

4. Run the following command from this path ❮twa_dir❯/TWS/tmpGSKit64/8/bin/ to extract the client certificates from the ❮twa_dir❯/TWS/ssl/GSKit folder:

gsk8capicmd_64 -cert -extract -db
❮twa_dir❯/TWS/ssl/GSKit/TWSClientKeyStore.kdb -stashed -label client -target client.crt

PROC 1

1. Copy the new certificates into a folder of your choice and insert the client.crt in the additionalCAs folder when providing the certificates to the installation script with the sslkeysfolder parameter. The content of your sslkeysfolder should be the same as the following image.

2. Install the dynamic agent with sslkeysfolder and sslpassword parameters.

Example of the installation command:

./twsinst -new -uname twsuser -tdwbport tdwbport_number -tdwbhostname host_name -inst_dir “inst_dir_path” -agent dynamic -addjruntime true -acceptlicense yes -sslkeysfolder “sslkeysfolder_path” -sslpassword “your_sslpassword”

PROC 2

1. Copy the new certificates into the master domain manager

❮twa_data_dir❯/ssl/depot folder.

The required files are:

ca.crt — the Certificate Authority (CA) public certificate

tls.key — the private key for the instance to be installed

tls.crt — the public part of the previous key

tls.sth — the file storing your encoded password in Base64 encoding

You can optionally create a subfolder to contain one or more *.crt files to be added to the server truststore as trusted CA. This can be used, for example, to add to the list of trusted CAs the certificate of the LDAP server or DB2 server. Additionally, you can store here any intermediate CA certificate to be added to the truststore. The subfolder must be named additionalCAs.

2. Modify all certificate file permissions to 755.

3. Install agent with wauser and wapassword master domain manager parameters.

4. Set the jwt parameter to false.

Example command:

./twsinst -new -uname twsuser -tdwbport tdwbport_number -tdwbhostname host_name -inst_dir “inst_dir_path” -agent dynamic -addjruntime true -acceptlicense yes -wauser wauser -wapassword wapassword -jwt false

The jwt parameter is supported from the 10.1 FixPack 1 version, so it has to be set to a false value because the master domain manager is a 9.5 version.