Security for HTTP connections

You can provide security for an HTTP connection between the following |components:

The z/OS controller and the Tivoli Workload Scheduler for z/OS Agent.

The z/OS controller and another z/OS controller (z/OS remote engine).

The z/OS controller and the dynamic domain manager.

|The z/OS controller and the Tivoli Workload Scheduler master domain manager (distributed |remote engine).|

SSL-secure connections are implemented using specific settings |in the HTTPOPTS initialization statement, and the HTTPS keyword in |the ROUTOPTS initialization. For more information about these statements, |see Customization and Tuning.

If you use the secure connection with the SSL protocol, you must |import the security certificates into your security system.

Note:

| |

If you imported the default security certificates during |the installation of the previous version of the product, you must |remove them and run the EQQRCERT job to import the new certificates. |If you already imported the new default security certificates during |the installation of the Tivoli Workload Scheduler agent for z/OS, then you must not perform this |procedure again. Complete the procedure for creating a secure connection |by configuring the SSLKEYRING keyword with the value used for installation |of the Tivoli Workload Scheduler agent for z/OS.

At installation time, the default security certificates are automatically |stored into the SEQQDATA library:

EQQCERCL: The security certificate for the client. |
EQQCERSR: The security certificate for the sever. |

You can decide to use these default certificates or create your |own. In both cases, you must import them into your security system. |If you are using RACF®, you |are provided with the sample job EQQRCERT to import the certificates. |To run this job, ensure that you use the same user ID that RACF associates with the controller |started task.

|If you create your own certificates for an HTTP connection |with the master domain manager or with the dynamic domain manager, you must run the customizing steps |described in the section about customizing SSL connection to the master domain manager and dynamic domain manager in Tivoli® Workload Scheduler: Administration Guide.|

|If you are using SSL to communicate with a master domain manager, backup master domain manager, |or dynamic domain manager, then the prefix of the common name of the controller certificate |must be defined in the Broker.AuthorizedCNs option in the BrokerWorkstation.properties file |located in the TWA_home/TDWB/config directory |of the distributed engine.|

The EQQRCERT job performs the following actions:

Copies the EQQCERCL certificate to a temporary sequential data |set

Copies the EQQCERSR certificate to a temporary sequential data |set

Imports EQQCERCL to RACF

Imports EQQCERSR to RACF

Deletes the temporary sequential data sets

Creates the SAF key ring that is used to connect the imported |certificates

Updates the RACF database |with the new certificates and key ring