Generating self signed certificates

This procedure describes how to generate self signed certificates for Control-M/EM and Control-M/Server and replace the pre-installed certificates.

To generate certificates:

1. In the CCM, from the Home tab, select System Configuration > Control-M/EM System Parameters > Manage SSL.
2. Define SSL parameters, as described in Defining Manage SSL system parameters.
3. Select the component in the left pane, and from the Security tab, click Manage SSL.
4. Do one of the following:
   • If you want to use the BMC-provided demo certificate, select Use the following site certificate authority, and do the following:
     1. The parameter fields in the first screen are populated with values supplied by BMC. Click Next.
     2. Select one of the following:
     • All Components of Control-M: Generate certificates for all components
     • By Component Type, and then select the components from the drop-down list.

     You can also enter a Unique Component Instance ID (email). You can do this for all components of this type, or for each instance of this component. Note that this option is not available for the Control‑M/EM Server component.

   NOTE: You can enter a KeyStore Password, which must be eight characters in length.

   1. Accept the default location to save the generated certificates, or enter a new path.
   2. Click Next to generate the certificates, and then Submit after the generation process finishes.
   • If you want to create a new and unique instance of the pre-installed site Certificate Authority, select Create new Certificate Authority for the site, and do the following:
     1. Click Yes to accept generating a new certificate.

        You are informed that certificates will be generated for all the Control-M components.

     2. Enter the Country Name, Common Name (FQDN), Email Address and other optional parameters of the CA and click Next.
     3. If you want to use a password, enter the password and click Next.
     4. Accept the default location to save the generated certificates, or type in a new path.
     5. Click Next to generate the certificates.
     6. Click Submit after the generation process finishes.

     The new certificate deployment directories are created in the location you requested in the CCM client machine.

5. Copy the directory Certificate_for_<component name> to a temporary directory in the computer where the component is installed. For example: <tempLocation>.
6. Stop the component.
7. From the root directory of the Control-M component, run the following command:
   • Windows (Run as Administrator) - <tempLocation>\setup.bat <clients-em|corba|em-ctm>
   • UNIX - <tempLocation>/setup.sh <clients-em|corba|em-ctm>

     NOTE: To run on Control-M/EM, define one of the following parameters: clients-em or em-ctm or corba, according to the SSL policy you want to create or update.

   EXAMPLE: If you placed the deployment directories in /p/Control-M_new_demo, and your Control-M/Server is installed at /bmc/ctm_server, then you must run the commands inside the UNIX shell as follows:

   • $ cd /bmc/ctm_server
   • $ /p/Control-M_new_demo/Certificate_for_CONTROL-M_Server/setup.sh

   The files are deployed to the required locations and the Control-M component uses either the default keystore password, or specified KeyStore Password.

8. Restart the relevant component.