Tivoli Workload Automation, Version 9.2

Enabling server-to-server trust

Use this procedure to enable nodes to connect to each other and send notifications in a High Availability configuration.

About this task

These steps are required to enable a High Availability configuration between the participating nodes. Complete these steps on each node.

Procedure

  1. In a text editor, open the ssl.client.props file from the JazzSM_profile_dir/properties directory. The default path for the JazzSM_profile_dir is /opt/IBM/JazzSM/profile.
  2. Uncomment the section that starts with com.ibm.ssl.alias=AnotherSSLSettings so that it looks like this:
    com.ibm.ssl.alias=AnotherSSLSettings
    com.ibm.ssl.protocol=SSL_TLS
    com.ibm.ssl.securityLevel=HIGH
    com.ibm.ssl.trustManager=IbmX509
    com.ibm.ssl.keyManager=IbmX509
    com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.enableSignerExchangePrompt=true
    #com.ibm.ssl.keyStoreClientAlias=default
    #com.ibm.ssl.customTrustManagers=
    #com.ibm.ssl.customKeyManager=
    #com.ibm.ssl.dynamicSelectionInfo=
    #com.ibm.ssl.enabledCipherSuites=
  3. Uncomment and modify the section that starts with com.ibm.ssl.trustStoreName=AnotherTrustStore so that it looks like this:
    com.ibm.ssl.trustStoreName=AnotherTrustStore
    com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
    com.ibm.ssl.trustStorePassword=trustStore_password
    com.ibm.ssl.trustStoreType=PKCS12
    com.ibm.ssl.trustStoreProvider=IBMJCE
    com.ibm.ssl.trustStoreFileBased=true
    com.ibm.ssl.trustStoreReadOnly=false

    where, by default, the trustStore password is WebAS.

    Example:
    com.ibm.ssl.trustStore=JazzSM_profile_dir/etc/trust.p12
    com.ibm.ssl.trustStorePassword=WebAS
    com.ibm.ssl.trustStoreType=JKS
    Note: This is a valid example if default Tivoli Workload Scheduler certificates have been used. If you then want to encrypt the entered password, run the encryptProfileProperties script wastool, as described in Application server - encrypting the profile properties files.
  4. Save your changes to ssl.client.props.
  5. Stop and restart the Dashboard Application Services Hub:
    1. In the JazzSM_profile_dir/bin directory, depending on your operating system, enter one of the following commands:
      • stopServer.bat server1
      • stopServer.sh server1
        Note: On UNIX and Linux systems, you are prompted to provide an administrator username and password.
    2. In the JazzSM_profile_dir/bin directory, depending on your operating system, enter one of the following commands:
      • startServer.bat server1
      • startServer.sh server1
  6. Complete all of the steps so far on each node before you continue with the remaining steps.
  7. Run the following command on each node for each myremotehost (that is, for every node that you want to enable trust with) in the High Availability configuration:
    • JazzSM_profile_dir\bin\retrieveSigners.bat NodeDefaultTrustStore AnotherTrustStore -host myremotehost -port remote_SOAP_port
    • JazzSM_profile_dir/bin/retrieveSigners.sh NodeDefaultTrustStore AnotherTrustStore -host myremotehost -port remote_SOAP_port
    where myremotehost is the name of the computer to enable trust with; remote_SOAP_port is the SOAP connector port number (16313 is the default). If you have installed with non-default ports, use the showHostProperties utility to check the SOAP port number, as described in Changing host properties.
  8. Stop and restart WebSphere Application Server by entering the following commands:
    1. stopWas.bat -direct -user ldapuser -password ldappwd (stopWas.bat is located in the TWA_home\wastools directory.)
    2. startWas.bat -direct -user ldapuser -password ldappwd (startWas.bat is located in the TWA_home\wastools directory.)
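
A check for the edits made in steps 2 and 3, added here as an example and not part of the IBM procedure or tooling: it reads the text of ssl.client.props, confirms that the AnotherSSLSettings and AnotherTrustStore sections are uncommented, and reports a trust store password that is still the default or is not encoded. The function names, the section-boundary rule, the braced-tag test for encoded passwords and the sample file content are assumptions made for the example.

```python
P = "com.ibm.ssl."
SECTION_STARTS = {P + "alias", P + "keyStoreName", P + "trustStoreName"}
TRUST_KEYS = (P + "trustStore", P + "trustStorePassword", P + "trustStoreType")
DEFAULT_PASSWORD = "WebAS"  # default trust store password named on the page

def section(text, start_key, start_value):
    """Pairs of one section (assumed to end at the next opening key), or None."""
    found = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, commented out, or not a property
        key, value = (part.strip() for part in line.split("=", 1))
        if key in SECTION_STARTS:
            if found is not None:
                break  # the next section begins here
            if (key, value) == (start_key, start_value):
                found = {}
        if found is not None:
            found[key] = value
    return found

def audit(text):
    """Return a list of findings; an empty list means the edits look complete."""
    findings = []
    if section(text, P + "alias", "AnotherSSLSettings") is None:
        findings.append("AnotherSSLSettings is still commented out (step 2)")
    trust = section(text, P + "trustStoreName", "AnotherTrustStore")
    if trust is None:
        return findings + ["AnotherTrustStore is still commented out (step 3)"]
    findings += [f"{k} is not set" for k in TRUST_KEYS if not trust.get(k)]
    password = trust.get(P + "trustStorePassword", "")
    if password == DEFAULT_PASSWORD:
        findings.append("trust store uses the default password")
    if password and not password.startswith("{"):
        # Assumption: an encoded value starts with a braced tag such as {xor}.
        findings.append("trustStorePassword is stored in clear text")
    return findings

# Constructed sample: both sections uncommented, trustStoreType left commented.
SAMPLE = """\
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStorePassword={xor}constructed-value
com.ibm.ssl.alias=AnotherSSLSettings
com.ibm.ssl.trustStoreName=AnotherTrustStore
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
com.ibm.ssl.trustStorePassword=WebAS
#com.ibm.ssl.trustStoreType=PKCS12
"""
```

Calling audit() on the file's contents after step 4 and before the restart in step 5 catches a half-uncommented section before it shows up as a connection failure between nodes.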

Example

In this example, the High Availability configuration is comprised of two Microsoft Windows nodes named myserver1 and myserver2. The command entered on myserver1:
retrieveSigners.bat NodeDefaultTrustStore AnotherTrustStore -host myserver2 -port 16313
The command entered on myserver2:
retrieveSigners.bat NodeDefaultTrustStore AnotherTrustStore -host myserver1 -port 16313

Then, enter the Dynamic Workload Console user name and password when prompted.