Modifying SSL configuration between Control-M/Agent and Remote hosts

This procedure describes how to modify SSL configuration between Control-M/Agent and Remote hosts to enable running utilities on remote hosts.

NOTE: If you are using an expired SSL certificate for Control-M/Agent, all jobs with remote host utilities will fail.

The following message is an example that appears in the job output on failure:

Oct 24, 2018 7:31:37 PM com.bmc.ctm.agent.util.communication.Communicator sendMessage

SEVERE: SSLException occurred while sending message to <hostname>.

Oct 24, 2018 7:31:37 PM com.bmc.ctm.agent.util.communication.Communicator sendMessage

SEVERE: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

Oct 24, 2018 7:31:37 PM com.bmc.ctm.agent.util.UtilityExecuter sendMessageToAgentAndReceiveResponse

SEVERE: Failed to send to Agent or receive from Agent.

Result: Failure

Failed to send to Agent or receive from Agent.

To modify SSL configuration:

1. Do one of the following:
   • Windows: Navigate to the following path in the Registry Editor:

     HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Agent <instance>\SecurityPolicy\RU\server

   • UNIX: Navigate to the following file:

     <Control-M/Agent Home Directory>/ctm/data/SSL/cert/ru.plc

2. In the [server] section, edit the provider_options parameter with SSL protocols and ciphers, if needed.

   EXAMPLE:

   • SSLProtocol=TLS1_2,TLSCipherSuite=DHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA AES128-SHA EDH-RSA-DES-CBC-SHA DHE-RSA-AES256-SHA AES256-SHA
   • SSLProtocol=TLS1,SSLV3CipherSuite=DHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA AES128-SHA EDH-RSA-DES-CBC-SHA DHE-RSA-AES256-SHA AES256-SHA
3. From the RU key, create or edit the client key.
4. Add or edit the following parameters in the client key:
   • ssl_protocol: (TLSv1 or TLSv1.2)
   • cipher_suite: You can use the following ciphers:

   TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV

EXAMPLE:

[server]

identity=AGDN

logfile=rusrv.log

security_level=3

provider_options=SSLProtocol=TLS1_2,SSLV3CipherSuite=DHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA AES128-SHA EDH-RSA-DES-CBC-SHA DHE-RSA-AES256-SHA AES256-SHA

[client]

ssl_protocol=TLSv1.2

cipher_suite=TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV