This procedure describes how to configure SSL between Control-M client applications and the Control-M Web Server using a recognized external CA. This SSL configuration occurs in zone 1.
To use the self-signed certificate, generated and signed by BMC, and to establish an SSL connection between the client and the web server, see Configuring SSL on Control-M Web Server with the default certificate.
1. Navigate to one of the following directories:
   - UNIX: <EM Home Directory>/data/SSL/config
   - Windows: <EM Home Directory>\Data\SSL\config
2. In the csr_params.cfg file, in the [dn] section, change the values of the following fields to the required values:
   - C = ex
   - ST = example_state
   - L = example_locality
   - O = example_organization
   - OU = example_unit
   - CN = example.example.com (FQDN of the Control-M/EM server)
     To enable you to specify both the short name and the FQDN of the Control-M/EM server, this field supports the asterisk wildcard, as in CN = example*.
   - emailAddress = [email protected]
   The csr_params.cfg file is a standard openssl configuration file. If you have any requirements for the certificate, you can include them in this file. In addition, for browser compatibility, it is recommended to add the following section to the file:
   [ req_ext ]
   keyUsage = digitalSignature, keyEncipherment
   subjectAltName = DNS:<Web Server FQDN>
3. Create the private key and certificate signing request file by running the following:
   <ctmkeytool location>/ctmkeytool -create_csr -password <private key password>
   The .pem private key file appears in the <EM Home Directory>/data/SSL/private_keys directory and the .csr file appears in the <EM Home Directory>/data/SSL/certificate_requests directory.
   NOTE: For more information, see ctmkeytool.
4. Use the Certificate Signing Request (CSR) file to obtain the certificate file and the certificate chain file, both with a .pem extension, from an external recognized CA. All certificates must be valid X.509 certificates.
5. Back up the existing tomcat.p12 keystore file in the <EM Home Directory>/ini/ssl directory.
6. Create the tomcat.p12 keystore file by running the following command:
   openssl pkcs12 -in <certificate pem file name> -inkey <private key file name> -export -passout pass:<new tomcat.p12 keystore password> -passin pass:<private key password> -CAfile <certificate chain pem file name> -chain -out tomcat.p12 -name <keystore friendly name> -caname <ca friendly name>
   The private key file name is the one reported as the result of step 3.
7. Save the tomcat.p12 file in the <EM Home Directory>/ini/ssl directory.
8. Type the following command:
   manage_webserver
9. Do the following:
   1. Turn on SSL mode:
      1. Press 1 to display the Tomcat configuration.
      2. Press 4 to display SSL mode.
      3. Set the current configuration for using SSL to [true].
   2. Update the keystore password:
      1. Press 3 to display Secure Connector Configuration.
      2. Press 3 to edit the SSL Connector.
      3. Select the connector to edit.
      4. Press 5 to update the keystore password.
10. Restart the Web Server by typing the following commands:
    - stop_web_server
    - start_web_server
11. Recycle the GUI Server and the CMS.
12. Verify that the Web Server certificate is installed on the Control-M client computer.
    If the certificate is not installed, copy the p12 keystore file that contains the certificate to the Control-M client computer and run the certificate installation.
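The keystore-building part of the procedure above (the csr_params.cfg edit with the recommended [req_ext] section, the private key and CSR, and the openssl pkcs12 ... -chain packaging) replayed with plain openssl, as an added example; this is not BMC's ctmkeytool and not a script from this page. The working directory, the file names, the host example.example.com and both passwords are assumptions, and the throwaway root CA created inside the script only stands in for the external recognized CA that signs the real CSR. The checks at the end are the ones worth running against the real CSR, certificate and tomcat.p12 before the keystore is copied into <EM Home Directory>/ini/ssl and the Web Server is switched to SSL mode.

```shell
#!/bin/sh
# Added example (not ctmkeytool, not from the page): builds a tomcat.p12 the
# way the procedure does and verifies it. File names, FQDN and passwords are
# constructed; the root CA below stands in for the external recognized CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
WEBSERVER_FQDN="${WEBSERVER_FQDN:-example.example.com}"
KEY_PASS="${KEY_PASS:-constructed-key-password}"
P12_PASS="${P12_PASS:-constructed-keystore-password}"

# csr_params.cfg: the [dn] fields from the page plus the [req_ext] section
# that gives browsers a subjectAltName matching the Web Server FQDN.
write_csr_params() {
  cat > "$WORK/csr_params.cfg" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C            = ex
ST           = example_state
L            = example_locality
O            = example_organization
OU           = example_unit
CN           = $WEBSERVER_FQDN
emailAddress = admin@$WEBSERVER_FQDN

[ req_ext ]
keyUsage       = digitalSignature, keyEncipherment
subjectAltName = DNS:$WEBSERVER_FQDN
EOF
}

# Equivalent of "ctmkeytool -create_csr -password <pw>": a password-protected
# private key and a CSR that carries the [req_ext] extensions.
create_key_and_csr() {
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" \
    -out "$WORK/webserver_key.pem" 2048 2>/dev/null
  openssl req -new -config "$WORK/csr_params.cfg" \
    -key "$WORK/webserver_key.pem" -passin "pass:$KEY_PASS" \
    -out "$WORK/webserver.csr"
}

# Stand-in for the external CA: a throwaway root signs the CSR and copies the
# requested extensions (SAN, keyUsage) into the issued certificate.
sign_with_stand_in_ca() {
  printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = ca_dn' \
    'x509_extensions = v3_ca' '[ ca_dn ]' 'CN = Stand-in CA (constructed)' \
    '[ v3_ca ]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign' 'subjectKeyIdentifier = hash' \
    > "$WORK/ca.cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cfg" \
    -keyout "$WORK/ca_key.pem" -out "$WORK/ca_chain.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/webserver.csr" \
    -CA "$WORK/ca_chain.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
    -extfile "$WORK/csr_params.cfg" -extensions req_ext \
    -out "$WORK/webserver_cert.pem" 2>/dev/null
}

# The page's pkcs12 command with the placeholders filled in. -chain makes
# openssl build and validate the chain against -CAfile, so a wrong or
# incomplete chain file fails here instead of in the user's browser.
build_tomcat_p12() {
  openssl pkcs12 -export -in "$WORK/webserver_cert.pem" \
    -inkey "$WORK/webserver_key.pem" -passin "pass:$KEY_PASS" \
    -passout "pass:$P12_PASS" -CAfile "$WORK/ca_chain.pem" -chain \
    -name tomcat -caname stand-in-ca -out "$WORK/tomcat.p12"
}

# Checks to run before copying tomcat.p12 to <EM Home Directory>/ini/ssl.
csr_has_san() {   # 0 if the CSR requests DNS:<Web Server FQDN>
  openssl req -in "$WORK/webserver.csr" -noout -text | grep -q "DNS:$WEBSERVER_FQDN"
}
cert_has_san() {  # 0 if the CA kept the SAN in the issued certificate
  openssl x509 -in "$WORK/webserver_cert.pem" -noout -text | grep -q "DNS:$WEBSERVER_FQDN"
}
p12_cert_count() {   # certificates stored in the keystore: leaf plus chain
  openssl pkcs12 -in "$WORK/tomcat.p12" -passin "pass:$P12_PASS" -nokeys \
    | grep -c 'BEGIN CERTIFICATE'
}
p12_rejects_wrong_password() {   # 0 if a bad keystore password is refused
  ! openssl pkcs12 -in "$WORK/tomcat.p12" -passin pass:not-the-password \
      -nokeys -noout 2>/dev/null
}

build_and_verify() {
  write_csr_params && create_key_and_csr && sign_with_stand_in_ca && build_tomcat_p12
  csr_has_san && cert_has_san && p12_rejects_wrong_password
  [ "$(p12_cert_count)" -eq 2 ]
  echo "tomcat.p12 ready in $WORK (leaf + chain, SAN=DNS:$WEBSERVER_FQDN)"
}

build_and_verify
```

Run it as-is to see the whole flow on throwaway material; to check a real CSR, certificate and keystore, point WORK at a directory holding files with the same names and call only the check functions. A keystore that holds a single certificate (count 1) usually means the chain file passed to -CAfile was empty or did not lead to the leaf, which is exactly the case browsers reject.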
NOTE:
- If you are working in a Control-M/EM Distributed environment with multiple Control-M Web Servers, or in a high availability environment, you must provide a different keystore for each server.
- BMC recommends that you bring your own certificate for use with the Web Server. BMC-provided demo certificates are supported in the Web Server under limited conditions (see Control-M Web Server certificate limitations). If you generated a new certificate using Manage SSL in the CCM, HTTPS cannot be used and you cannot log in to the Control-M client using SSL.