Security for HTTP connections
You can provide security for an HTTP connection between the following components:
- The z/OS controller and the Tivoli Workload Scheduler for z/OS Agent.
- The z/OS controller and another z/OS controller (z/OS remote engine).
- The z/OS controller and the dynamic domain manager.
- The z/OS controller and the Tivoli Workload Scheduler master domain manager (distributed remote engine).
SSL-secure connections are implemented using specific settings in the HTTPOPTS initialization statement and the HTTPS keyword in the ROUTOPTS initialization statement. For more information about these statements, see Customization and Tuning.
If you use the secure connection with the SSL protocol, you must import the security certificates into your security system.
At installation time, the default security certificates are automatically stored into the SEQQDATA library:
- EQQCERCL: The security certificate for the client.
- EQQCERSR: The security certificate for the server.
You can decide to use these default certificates or create your own. In both cases, you must import them into your security system. If you are using RACF®, you are provided with the sample job EQQRCERT to import the certificates. To run this job, ensure that you use the same user ID that RACF associates with the controller started task.
If you create your own certificates for an HTTP connection with the master domain manager or with the dynamic domain manager, you must run the customizing steps described in the section about customizing SSL connection to the master domain manager and dynamic domain manager in Tivoli® Workload Scheduler: Administration Guide.
If you are using SSL to communicate with a master domain manager, backup master domain manager, or dynamic domain manager, then the prefix of the common name of the controller certificate must be defined in the Broker.AuthorizedCNs option in the BrokerWorkstation.properties file located in the TWA_home/TDWB/config directory of the distributed engine.
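A pre-flight check for the Broker.AuthorizedCNs requirement above, as an added example that is not part of the IBM documentation: it reads the option from properties-file text and reports which authorized prefix, if any, the controller certificate's common name starts with. The semicolon separator, case-sensitive matching, and every sample name and value are assumptions made for the illustration.

```python
import re

# Constructed sample of TWA_home/TDWB/config/BrokerWorkstation.properties.
# Assumption: Broker.AuthorizedCNs holds a semicolon-separated list of prefixes.
SAMPLE_PROPERTIES = """\
# constructed sample, not a shipped file
Broker.AuthorizedCNs=ZOSCTL;BackupMDM;
"""

def authorized_prefixes(properties_text):
    """Return the non-empty prefixes listed in Broker.AuthorizedCNs."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key=value pair
        key, _, value = line.partition("=")
        if key.strip() == "Broker.AuthorizedCNs":
            # Drop empty entries: an empty prefix would match every CN.
            return [p.strip() for p in value.split(";") if p.strip()]
    return []

def common_name(subject_dn):
    """Extract the CN value from a comma-separated subject DN string."""
    m = re.search(r"(?:^|,)\s*CN=((?:\\.|[^,\\])*)", subject_dn, re.I)
    if m is None:
        return None
    # Undo backslash escapes such as "\," inside the CN value.
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()

def matching_prefix(subject_dn, properties_text):
    """Return the authorized prefix the certificate CN starts with, or None."""
    cn = common_name(subject_dn)
    if cn is None:
        return None
    for prefix in authorized_prefixes(properties_text):
        if cn.startswith(prefix):  # assumption: case-sensitive comparison
            return prefix
    return None

if __name__ == "__main__":
    # Constructed subject DNs for a controller certificate.
    for dn in ("CN=ZOSCTL_PROD01,OU=Scheduling,O=Example",
               "CN=UNKNOWN_HOST,OU=Scheduling,O=Example"):
        print(dn, "->", matching_prefix(dn, SAMPLE_PROPERTIES) or "NOT AUTHORIZED")
```

Keeping the listed prefixes as long and specific as the naming scheme allows limits which certificate common names can satisfy the check.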
The EQQRCERT job performs the following actions:
- Copies the EQQCERCL certificate to a temporary sequential data set
- Copies the EQQCERSR certificate to a temporary sequential data set
- Imports EQQCERCL to RACF
- Imports EQQCERSR to RACF
- Deletes the temporary sequential data sets
- Creates the SAF key ring that is used to connect the imported certificates
- Updates the RACF database with the new certificates and key ring