Configuring SSL in zone 2 and 3

This procedure describes how to configure SSL on Control-M/Server, Control-M/EM server, and Control-M/Agents.

NOTE: You must perform this procedure for each component.

To configure SSL in zone 2 and 3:

  1. Navigate to one of the following directories:
  2. In the csr_params.cfg file, in the [dn] section, change the value of the following fields to the required values:
  3. Ensure that the certificate request carries the required key usage extensions, by doing the following:
    1. Add the following lines to the file:

      [ req_ext ]

      keyUsage = digitalSignature, keyEncipherment

      extendedKeyUsage = serverAuth, clientAuth

    2. In the [ req ] section, add the following line:

      req_extensions = req_ext

    The csr_params.cfg file is a standard openssl configuration file. Any other requirements you have for the certificate can be included in this file.

  4. Create the private key and certificate signing request file by running the following:

    <ctmkeytool location>/ctmkeytool -create_csr -password <private key password>

    The .pem private key file appears in the <Product Home Directory>/data/SSL/private_keys directory and the .csr file appears in the <Product Home Directory>/data/SSL/certificate_requests directory.

    NOTE: For more information, see ctmkeytool.

  5. Use the Certificate Signing Request (CSR) file to obtain the certificate file and the certificate chain file, both with a .pem extension, from an external recognized CA. All certificates must be valid X.509 certificates.
  6. Create the .p12 keystore file by running the following command:

    openssl pkcs12 -in <certificate pem file name> -inkey <private key file name> -export -passout pass:<new keystore password> -passin pass:<private key password> -CAfile <certificate chain pem file name|certificate authority pem file name> [-chain] -out <keystore p12 name>

    The private key file name appears as a result of step 3.

    NOTE: If the CA is trusted using a certificate chain, then the -chain flag must be specified, and the -CAfile flag must point to the certificate chain .pem file. Otherwise, the -chain flag must not be specified, and the -CAfile flag must point to the root certificate authority .pem file name.

  7. Deploy SSL on each component:

    <ctmkeytool location>/ctmkeytool -keystore <p12 keystore file with its full path> -password <keystore password> -passwkey <name of file containing the password encryption key, with its full path>

    The file specified by the -passwkey parameter is an encryption key, which is used to encrypt the keystore password in the environment’s SSL configuration. Either a binary or a text file can be used for this purpose. The tree.bin file in the following locations can be used:

    Control-M/EM: <EM Home Directory>/etc/site/resource/local/tree.bin

    Control-M/Server: <CTM Home Directory>/data/SSL/cert/tree.bin

    Control-M/Agent: <Agent Home Directory>/data/SSL/cert/tree.bin

  8. Update the supported protocols and ciphers in your environment, as described in Configuring protocols and ciphers for zones 2 and 3.
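Steps 3 to 6 carried out end to end against a throwaway local CA, as an added example that is not BMC's or ctmkeytool's own code: openssl req stands in for ctmkeytool -create_csr, and the working directory, passwords, [dn] values and CA subject are constructed assumptions. The check functions show what a practitioner would verify before deploying the keystore: that the CSR actually requests both extensions, and that the .p12 opens with the new keystore password.

```shell
# Added example (not BMC's code): write a csr_params-style openssl config with the
# [req_ext] section from step 3, create key and CSR, verify the CSR carries both
# extensions, then build the .p12 keystore as in step 6. Paths, passwords and the
# throwaway local CA are constructed for an offline run; openssl req stands in for ctmkeytool.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Write the constructed csr_params.cfg; the [dn] values are placeholders.
write_csr_params() {
  cat > "$WORK/csr_params.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = req_ext
[ dn ]
CN = ctm-server.example.test
O = Example Org
C = US
[ req_ext ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Create the private key (encrypted with $1) and the CSR from that config.
create_csr() {
  openssl req -new -newkey rsa:2048 -config "$WORK/csr_params.cfg" \
    -keyout "$WORK/key.pem" -out "$WORK/req.csr" -passout "pass:$1" 2>/dev/null
}

# Succeeds only if the CSR requests both extensions added in step 3.
csr_has_required_extensions() {
  text=$(openssl req -in "$WORK/req.csr" -noout -text)
  echo "$text" | grep -q 'Digital Signature, Key Encipherment' &&
    echo "$text" | grep -q 'TLS Web Server Authentication, TLS Web Client Authentication'
}

# Sign the CSR with a throwaway CA (standing in for the external CA of step 5), build the
# keystore as in step 6 (root CA file to -CAfile, no -chain), then check it opens with $2.
build_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/csr_params.cfg" -extensions req_ext \
    -out "$WORK/cert.pem" -days 1 2>/dev/null
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" -passin "pass:$1" \
    -CAfile "$WORK/ca.pem" -passout "pass:$2" -out "$WORK/keystore.p12"
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    grep -q 'BEGIN CERTIFICATE'
}
```

Run as `write_csr_params; create_csr keypw; csr_has_required_extensions; build_keystore keypw storepw`; with a real CA-issued chain, pass the chain .pem to -CAfile and add -chain, as the note in step 6 states.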
