Set Up Security Between the Agent and the Scheduling Manager

Encryption is a mandatory security feature that safeguards communication between the agent and the scheduling manager. Your scheduling manager administrator must complete configuration tasks so that the agent and the scheduling manager can communicate with message encryption.
To set up security between the agent and the scheduling manager, follow these steps:
  1. Test the security by running a test job.
    For detailed instructions to run a test job, see the documentation for your scheduling manager.
Security Permissions on the Scheduling Manager
Your scheduling manager administrator must set up the following security permissions on the scheduling manager to control agent access:
  • Permission to run work on the agent
  • Permission to run a job on the agent under a user ID
  • Permission for the agent to issue control commands
For more information about security permissions, see the documentation for your scheduling manager.
Set the Encryption on the Agent Using the Keygen Utility
You can install the agent with one of four types of encryption: AES, Blowfish, DES, or DESEDE. The encryption key is specified during the agent installation, but you can change it at any time using this procedure.
The keygen utility that is provided with the agent lets you encrypt a key. By default, the encryption key is stored in the cryptkey.txt file, which is located in the agent installation directory. You can replace the encryption key in this file or specify a different file to store it.
Make a note of the encryption key, and set the same value on the scheduling manager.
Follow these steps:
  1. (iSeries systems only) Open a PASE terminal session.
  2. Change to the agent installation directory.
  3. Enter the following command at the command prompt:
    keygen 0xkey cipher destination
    • key
      Defines the encryption key the agent uses to communicate with the scheduling manager. The encryption key must be prefixed with 0x and followed by the number of characters that are required for the chosen cipher algorithm:
      • AES -- 32- or 64-character hexadecimal encryption key.
        Note: AES 256-bit encryption requires a 64-character hexadecimal key.
      • Blowfish -- 32 to 64 even-numbered character hexadecimal encryption key
      • DES -- 16-character hexadecimal encryption key
      • DESEDE -- 48-character hexadecimal encryption key
      Limits: 16-64 alphanumeric characters (any digits and letters A-F only)
      • Workload Automation AE and Workload Automation CA-7 Edition support only AES encryption. To determine which encryption types are supported, consult the documentation for your scheduling manager.
      • If you omit the 0x prefix, the keygen utility interprets the value you enter as a 16-character passphrase and not as a hexadecimal number. If you enter fewer than 16 characters, the keygen utility pads the passphrase with spaces to make up the missing characters. The keygen utility internally encodes the 16-character passphrase into a 32-character hexadecimal AES encryption key.
    • cipher
      Specifies the type of cipher algorithm the agent uses to encrypt and decrypt messages that are sent to the scheduling manager. The agent supports the following types:
      • AES -- Advanced Encryption Standard that uses a 32- or 64-character encryption key. AES is the algorithm that U.S. Government organizations require to protect sensitive (unclassified) information (FIPS-140-2 compliance).
      • BLOWFISH -- A license-free encryption algorithm that uses an encryption key of 32 to 64 even-numbered characters.
      • DES -- Data Encryption Standard that uses a 16-character encryption key.
      • DESEDE -- Triple Data Encryption Algorithm that applies the DES algorithm three times to each data block.
      Default: DES
      Workload Automation AE and Workload Automation CA-7 Edition support only AES encryption. To determine which encryption types are supported, consult the documentation for your scheduling manager.
    • destination
      (Optional) Specifies the name of a text file that stores the encryption key.
      Default: cryptkey.txt
      If you specify a new text file, update the security.cryptkey parameter in the agentparm.txt file.
    The keygen utility encrypts the key.
Example: Encrypt a Key
This example encrypts the key 0x1020304050607080 for 16-character (DES) encryption:
keygen 0x1020304050607080 DES
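The key-length rules and the 0x passphrase fallback described above can be checked before keygen is run. The following is an added example, not part of the agent or of the original documentation; the function names check_keygen_key and new_keygen_key are hypothetical, and it assumes a POSIX shell with /dev/urandom.

```shell
#!/bin/sh
# Added example: pre-flight check of keygen arguments against the length rules
# listed on this page. Function names are hypothetical; keygen is never called.

# Prints "ok", "passphrase", "bad-hex", "bad-length" or "bad-cipher".
check_keygen_key() {
    key=$1
    # Cipher names are upper-cased for comparison only; the page default is DES.
    cipher=$(printf '%s' "${2:-DES}" | tr 'a-z' 'A-Z')
    case $key in
        0x*) hex=${key#0x} ;;
        # Without 0x, keygen reads the value as a 16-character passphrase,
        # so a hex key typed without the prefix is not used as typed.
        *)   echo "passphrase"; return 2 ;;
    esac
    case $hex in
        ''|*[!0-9A-Fa-f]*) echo "bad-hex"; return 1 ;;
    esac
    len=${#hex}
    case $cipher in
        AES)      [ "$len" -eq 32 ] || [ "$len" -eq 64 ] ;;
        BLOWFISH) [ "$len" -ge 32 ] && [ "$len" -le 64 ] && [ $((len % 2)) -eq 0 ] ;;
        DES)      [ "$len" -eq 16 ] ;;
        DESEDE)   [ "$len" -eq 48 ] ;;
        *)        echo "bad-cipher"; return 1 ;;
    esac || { echo "bad-length"; return 1; }
    echo "ok"
}

# Prints a random key of a valid length for the cipher, with the 0x prefix.
new_keygen_key() {
    case $1 in
        AES|BLOWFISH) bytes=32 ;;   # 64 hex characters
        DESEDE)       bytes=24 ;;   # 48 hex characters
        DES)          bytes=8  ;;   # 16 hex characters
        *)            return 1 ;;
    esac
    hex=$(dd if=/dev/urandom bs=1 count="$bytes" 2>/dev/null |
          od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F')
    printf '0x%s\n' "$hex"
}

# The page's own example key and cipher pass the check.
check_keygen_key 0x1020304050607080 DES
```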
Set the Encryption Key on the Scheduling Manager
The scheduling manager and the agent must have the same encryption key to communicate. The encryption key for the agent is stored in a text file. The security.cryptkey parameter in the agentparm.txt file sets the path to the text file. After you set the encryption key on the agent, set the same key on the scheduling manager. If the keys are different, the agent and scheduling manager cannot communicate, and an AGENTDOWN state occurs when you try to run workload.
For detailed instructions to set the encryption key on the scheduling manager, see the documentation for your scheduling manager.
Restart the Agent
After you have set up encryption on the agent, restart the agent to complete the configuration.
Follow these steps:
  1. (iSeries systems only) Open a PASE terminal session.
  2. Ensure that you are in the agent installation directory.
  3. Stop the agent using one of the following commands:
    • On UNIX:
      ./cybAgent -s
    • On Windows:
      cybAgent -s
    • On iSeries:
      ./cybAgent -s
  4. Start the agent using one of the following commands:
    • On UNIX:
      ./cybAgent &
    • On Windows:
      cybAgent -a
    • On iSeries:
      ./cybAgent