Security Policies

The security policy is defined by entries made in security policy tables. A Site Policy table is required for each major Control-M component in zone 2 and 3 (Control-M/Server, Control‑M/Agent, and Control-M/EM). The entries in these Site Policy tables provide the basic framework for the Control-M site’s security policy. Additions and modifications to the Site Policy, if needed, are defined in optional Application Policy tables for various Control-M functions. Entries in these tables add to and supersede the entries in the Site Policy tables.

On UNIX computers, the security policy tables are contained in .plc files. On Microsoft Windows computers, these tables are contained in the Registry.

SSL communication policy is based on variable value pairs – called attributes – that are stored in Policy Tables. Each UNIX stanza (or Microsoft Windows Registry key) contains appropriate attributes. Some attributes do not apply to certain functions, some do not apply to certain security levels, and some cannot be changed.

Security policy is implemented by assigning values to the attribute variables described in the Security policy table referred to in Security Policy Variables. Default policy values for each major Control-M component are specified in that component’s site.plc file or site Registry hive.

When a network communication connection is established, the profile for that connection is obtained from variables in the .plc files (for UNIX) or in the Registry (for Microsoft Windows). The .plc files are described in UNIX Environment. The Microsoft Windows Registry is described on Windows Environment.

Changes to the key database, key database password, and security policy do not take effect until you restart Control-M/Server, Control-M/Agent, or Control-M/EM components.

Security Policy Variables

The following security policy variables are located in the appropriate Microsoft Windows Registry keys and UNIX .plc files and are applicable to Control-M/EM, Control-M/Server, and Control-M/Agent. To configure the security policy, you need to update the values of these variables.

Variable

Description

security_level

A digit from 1 through 4. These levels are described in Security Levels.

bindir

Absolute path to a subdirectory containing the dynamically loaded security binary modules. For example:
C:\Program Files\BMC Software\Control-M Server\ctm_server\exe

bindir64

bindir for 64-bit computer. For example: C:\Program Files\BMC Software\Control-M Server\ctm_server\exe

sksdir

Absolute path to a Security KeyStore read/write subdirectory where Control‑M encrypted keys are stored. For example: C:\Program Files\BMC Software\Control-M Server\ctm_server\data\SSL\cert

securitydir

Absolute path to read only subdirectory where .p12 keystores and .pem key files. For example:

C:\Program Files\BMC Software\Control-M Server\ctm_server\data\SSL\cert

keyfile

Absolute path of the component keystore. For example:

C:\Program Files\BMC Software\Control-M Server\ctm_server\data\SSL\cert\ctmkeystore.p12

identity

Key pair label in a key database.

Valid values:

  • CADN

  • CODN

  • NSDN

  • AGDN

logdir

Absolute path to subdirectory containing the log file. For example:

C:\Program Files\BMC Software\Control-M Server\ctm_server\data\SSL\log

loglevel

One or more of the following values separated by commas:
ERROR WARNING INFO TRACE

logfile

Log file (path and) name. For example:

gtw_ssl.log

provider_options

Determines SSL protocol(s) that will be used and cipher(s) that will be used for each protocol.

provider_options=SSLProtocol=TLS1_2,TLSCipherSuite =<ciphers list>

All ciphers with SHA256 can be used only with TLS1_2 protocol.