The Automation Engine provides several mechanisms that can be used to protect your AE system from unauthorized usage.
Two categories of mechanisms can be distinguished:
A detailed description of the first one is available in the Administration Guide. This document contains detailed information about encryption.
An AE system consists of various components that are distributed among several computers and communicate with each other. For example, the Automation Engine sends the JCL to an agent which processes it on the computer and reports the result back. Encryption is possible for the communication between the individual components. This prevents potential hackers from reading or modifying transferred data. In addition, you can use an authentication method in order to avoid a hacker pretending to be a component.
Data encryption provides security but additional protective mechanisms such as access rights to sensitive data and physical access protection for the Servers is required in order to ensure the greatest possible security level.
The connection to the AE databaseA database is an organized collection of data including relevant data structures. is protected by the database vendor's database client.
Passwords are stored in the database in encrypted form.
You can define whether communication between the components should be dealt with in encrypted form. If you opt for encryption, you can determine the encryption strength (AES-128, AES-192 and AES-256 are available).
Even the greatest possible encryption strength has no negative affects on the AE system's performance.
Encryption goes hand in hand with authentication. In user sessions, the login data is used for authentication. The agents confirm their identity differently.
The Company Key is very important for the authentication process. Depending on the authentication method, it is composed of your AE system name or a string you define.
The following three authentication methods are available:
|None||An agent that starts for the first time can immediately log on to the AE system. The Company Key (a term used in each AE system) is automatically derived from the AE system's name. It prevents an agent from logging on to an AE system with a different Company Key afterwards.|
|Server||The Company Key must be determined during the Automation Engine installation. Subsequently, it can be exported to a file and used during agent installation. The agents can log on to the AE system when they start the first time but they cannot automatically be used. The administrator must release them in the System Overview of client 0000. By doing so, the Automation Engine automatically transfers the authentication package via the line to the relevant agent. Only then is the agent authenticated and ready to use.|
|Server and agent||
The Company Key must be determined during the Automation Engine installation. Some preparatory work is required to make sure that the agents can log on to the AE system. Create an Agent object for each agent in system client 0000. Subsequently, export an authentication package and store it on the agent's computer for the installation. Now the agent is ready to use.
In order guarantee a top secure installation, Automic recommends transferring the authentication package to the agent either manually or via a secure line. Doing so ensures that potential hackers never obtain access to the authentication package via the network.
The authentication method you select affects the commands shown in the System Overview, category "Agent".
It is also possible to withdraw an authentication of an agent. Highlight the relevant agent in the System Overview of client 0000 and select the corresponding context menu command. The agent can no longer be used until it has been re-authenticated.
By default, the highest possible encryption strength is activated. Log on to system client 0000 to adjust this strength or deactivate encryption. The variable UC_AS_SETTINGS includes the key ENCRYPTION which serves this purpose.
You can specify the authentication method while installing the AE system. Subsequent modification is also possible:
You can use former agent versions in later versions of AE (such as a 10.0.0 agent can also be used in a 11.0.0 AE system). This requires your AE system to be at the latest hotfix level. The Automation Engine supports the extended encryption and authentication functions. Use the variable UC_AS_SETTINGS, key COMPATIBILITY to determine whether former components can participate in the communication.
When the compatibility option is deactivated (COMPATIBILITY=NO), the Job Messenger will only accept encrypted connections. Exempted are only connections from the local IP address and the IP addresses that are defined as an exception in the Attributes tab of the Agent object. For example, when you use event monitors on z/OS in LPARs on different computers, you must enter the IP addresses of these computers in the Attributes tab
The agent retrieves the list of local IP addresses from the local computer name which it obtains from the OS.