Generating Self-Signed Certificates
This procedure describes how to generate self-signed certificates for Control-M/EM, Control-M/Server, and Control-M/Agent and replace the preinstalled certificates.
-
Self-signed SSL certificates are generated by servers, and are not validated by a recognized trusted CA. Therefore, it is not recommended.
-
Control-M Mobile does not work with self-signed SSL certificates.
-
The version of Control-M/EM listed in the CCM must be the same version of Control-M/EM that you want to generate certificates for in this procedure.
-
Control-M/Server and Agent can be any supported version.
Begin
-
In the CCM, select the required Control-M/EM component.
-
Select System Parameters and then select Manage SSL.
-
Define SSL parameters, as described in Defining Manage SSL System Parameters.
-
From the Securitytab, click Manage SSL.
-
Do one of the following:
-
If you want to use the BMC-provided demo certificate, select Use the following site certificate authority, and do the following:
-
The parameter fields in the first screen are populated with values supplied by BMC. Click Next.
-
Select one of the following:
-
All Control-M Components: Generates certificates for all components.
-
By Component Type, and then select the component from the drop-down list.
You can also enter a Unique Component Instance ID (Email) for all components of this type or for each instance of this component. This option is not available for the Control-M/EM Server component.
-
-
Define the generated keystore password, which must be at least eight characters.
-
Accept the default location to save the generated certificates, or type in a new path.
-
Click Next to generate the certificates.
-
Click Submit.
The new certificate deployment directories are created in the location you requested in the CCM client machine.
-
-
If you want to create a new and unique instance of the preinstalled site Certificate Authority, select Create new Certificate Authority for the site, and do the following:
-
Click Yes to accept generating a new certificate.
You are informed that certificates will be generated for all the Control-M components.
-
Enter the Country Name, Common Name (fully qualified domain name—FQDN), Email Address and other optional CA parameters, and click Next.
-
Define the generated keystore password, which must be at least eight characters.
-
Accept the default location to save the generated certificates, or type in a new path.
-
Click Next to generate the certificates.
-
Click Submit .
The new certificate deployment directories are created in the location you requested in the CCM client machine.
-
-
-
Copy the directory Certificate_for_<component name> to a temporary directory in the computer where the component is installed.
<tempLocation>
-
Stop the component.
-
In the temporary directory, open the README.TXT file to learn how to run the setup script, which installs the generated certificates on the component.
If your version of Control-M/EM is lower than 9.0.21 and the destination component (Control-M/Server or Agent) is version 9.0.21 or higher, ignore the README.TXT file in the package. Instead, follow the instructions in the README.TXT file in the <Component_Home_Directory>/data/SSL/manage directory.
-
Start the relevant component.
After you upgrade to 9.0.21.200 or higher, a new CA is used when you run Manage SSL. Therefore, you must generate and deploy certificates for all components.
Bringing Your Own Certificate
This procedure describes how to apply your own certificates signed by approved third-parties using the Manage_SSL_BYO script.
The certificate that you apply must be a valid X509 certificate.
The following components are supported:
-
Control-M/Agent
-
Control-M/Server
-
Control-M/Enterprise Manager Servers
-
Control-M zOS
Before You Begin
You must have one of the following for the component where SSL configuration is deployed:
-
Private key, certificate, trusted root CA certificate and the certificate chain, all in PEM format, and the password of the private key. The certificates must not be locked/protected by password.
-
PKCS#12 file that includes the private key, certificate, trusted root CA certificate and the certificate chain. If the PKCS#12 contains multiple certificates and key pairs, then you must also have available the name of the pair to use. You must also have the password of the keystore.
-
The version of Control-M/EM listed in the CCM must be the same version of Control-M/EM that you want to generate certificates for in this procedure.
-
Control-M/Server and Agent can be any supported version.
-
The certificates for all components must be signed by the same root CA.
Begin
-
Create a new output directory for the generated files.
Verify that the directory has read, write, and execute permissions for the user that runs the Manage_SSL_BYO script.
-
Run Manage_SSL_BYO with all required attributes.
Verify that -output attribute is mapped to the directory in the above step..
-
Copy the output directory specified by -output to a temporary directory in the computer where the component is installed.
-
Stop the component.
-
In the temporary directory, open the README.TXT file to learn how to run the setup script, which installs the generated certificates on the component.
If your version of Control-M/EM is lower than 9.0.21 and the destination component (Control-M/Server or Agent) is version 9.0.21 or higher, ignore the README.TXT file in the package. Instead, follow the instructions in the README.TXT file in the <Component_Home_Directory>/data/SSL/manage directory.
Certificate Copies for Control-M for Z/OS
For Control-M for Z/OS you need to pass the directory content to your z/OS Control-M administrator.
The following table describes the keystore files for z/OSthat are generated by running Manage SSL from CCM.
Keystore File |
Details |
---|---|
IOAGATE.p12 |
Export the certificate for Control-M for z/OS with the key-pair to be used by IOAGATE in PKCS#12 format. The password for the PCKS#12 file is displayed in the summary window that is generated when running the Generate Component Certificates wizard. |
CA.pem |
Export the certificate of the Site CA that signed the certificate in PEM format when CLIAUTH=YES (which uses client authentication) is defined in IOAGATE. |
For more information about how to use these files, see the SSL Support. |
Restoring a BMC Self-Signed Certificate
This procedure describes how to restore a BMC self-signed certificate from a backup for Control-M/EM server.
The setup scripts save a backup of the certificate state prior to the deployment in a separate directory.
Begin
-
From the Control-M/EM home directory, run one of the following:
-
UNIX: <Product Home Directory>/ssl_setup/ssl_certificate_backup_<timestamp>/setup.sh <clients-em|em-ctm>
-
Windows: <Product Home Directory>\ssl_setup\ssl_certificate_backup_<timestamp>\setup.bat <clients-em|em-ctm>
-