Configuring secure communication between Control-M client applications and the Web Server

This procedure describes how to configure the Control-M/EM Web Server to work with HTTPS, which secures data between the Control-M client applications and the Control-M Web Server using certificates contained in a PKCS#12 keystore.

NOTE: BMC-provided demo certificates are not supported in the Web Server. If you generated a certificate using Manage SSL in the CCM, HTTPS cannot be used and you cannot log in to the Control-M client.

To configure Control-M/EM Web Server to work with HTTPS:

  1. Bring your own certificates to the Control-M/EM Web Server.
  2. Create a PKCS#12 keystore that contains the certificate.

    EXAMPLE: openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain

    The keystore must include the root CA certificate bundle (-CAfile), the key created with the CSR (-inkey), and the new certificate (-in). Certificates and keystores in other formats must be converted to PKCS#12 format prior to use.

    NOTE: Ensure that the certificate in use by the Control-M/Enterprise Manager's web server is trusted by the Windows installation. You might need to import the certificate of the Signing Authority that generated the web server's certificate into the Windows Trusted Root CA keystore.

  3. Save the <keystoreFilename> in the %EM_HOME%/ini/ssl directory.
  4. If you have a secure connector that is not in use, delete it as follows:
    1. From a command line, type the following:

      manage_webserver

    2. Press 1. Tomcat Configuration --> 4. Display Connectors List --> 2. Connectors Configuration --> 4. Delete Connector.
    3. Press the number of the HTTP connector that you want to delete.

      A confirmation message appears.

    4. Press Y.
  5. Create a secure connector, as follows:
    1. From a command line, type the following:

      manage_webserver -action create_secure_connection

    NOTE:

  6. Test the new connector by copying the URL output and using a web browser to access the Control-M page.
  7. Delete all non-secure HTTP connectors, as follows:
    1. From a command line, type the following:

      manage_webserver

    2. Press 1. Tomcat Configuration --> 4. Display Connectors List --> 2. Connectors Configuration --> 4. Delete Connector.
    3. Press the number of the HTTP connector that you want to delete.

      A confirmation message appears.

    4. Press Y.
  8. In the CCM, recycle the Control-M Web Server.
  9. Restart the Control-M/EM Configuration Agent.
  10. From the CCM, verify that the connector is working by right-clicking the Web Server component and selecting the new URL.

    To connect to the Control-M/EM server, all Control-M clients must connect using the hostname and port number in the SSL connector.

    NOTE: If you are working in a Control-M/EM Distributed or High Availability environment with multiple Control-M Web Servers, you must provide a different keystore for each Web Server.

    NOTE: If you are working in a High Availability environment with SSL, run the following command on both the primary and secondary hosts.

    em restore_host_config -interface_name -name <FQDN>
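
A check that can be run on the keystore from step 2 before it is saved in step 3, shown as an added example (not BMC tooling): it confirms that the PKCS#12 file holds the private key, a certificate that matches it, and a CA chain that verifies that certificate. The function name check_keystore and the P12_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-deployment check for the PKCS#12 keystore from step 2.
# check_keystore FILE prints one line per problem and returns 0 if none.
# The keystore password is read from the exported variable P12_PASS
# (an assumption of this example) so it never appears on a command line.
check_keystore() {
    p12=$1; rc=0
    tmp=$(mktemp -d) || return 2   # mode 0700; holds the decrypted key briefly
    # Split the keystore into private key, leaf certificate and CA certificates.
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
            -out "$tmp/key.pem" 2>/dev/null; then
        echo "cannot open keystore: wrong password or not PKCS#12"
        rm -rf "$tmp"; return 1
    fi
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
        -out "$tmp/leaf.pem" 2>/dev/null || true
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -cacerts \
        -out "$tmp/ca.pem" 2>/dev/null || true

    # The key created with the CSR (-inkey) must match the new certificate (-in).
    kpub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null) || kpub=
    cpub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey 2>/dev/null) || cpub=
    if [ -z "$kpub" ]; then
        echo "private key missing"; rc=1
    elif [ "$kpub" != "$cpub" ]; then
        echo "no certificate matches the private key"; rc=1
    fi

    # The CA bundle (-CAfile with -chain) must be inside the keystore and must
    # verify the leaf without help from the system trust store.
    n=$(grep -c 'BEGIN CERTIFICATE' "$tmp/ca.pem" 2>/dev/null) || true
    if [ "${n:-0}" -eq 0 ]; then
        echo "CA chain missing"; rc=1
    elif [ -n "$cpub" ] && ! openssl verify -no-CApath -CAfile "$tmp/ca.pem" \
            "$tmp/leaf.pem" >/dev/null 2>&1; then
        echo "certificate does not verify against the embedded CA chain"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: P12_PASS='keystore-password' sh check_keystore.sh mycert.p12
if [ "$#" -eq 1 ]; then check_keystore "$1"; fi
```

A keystore exported without -chain and -CAfile opens normally and still contains the key and certificate, so only the chain check reports it.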
