Control-M/Server API Gateway HTTPS Configuration

You can configure HTTPS between the Control-M/Server API Gateway and the following components and utilities that connect to it:

  • EM-CTM Request Service

  • EM-MFT Updates Service

  • Order service

  • ctmorder

  • ctmudchk

  • ctmudly

BMC recommends you bring your own certificate, For POC or demo purposes, you can use the default demo certificate provided with the installation. The default cert or certificates generated by ManageSSL might not work when you change the ignoreCertificateTrustVerify parameter to false.

The following procedures describe how to configure HTTPS for the Control-M/Server API Gateway and the components and utilities that connect to it:

Enabling HTTPS for the Control-M/Server API Gateway

This procedure describes how to enable HTTPS for the Control-M/Server API Gateway in the CCM.

Before You Begin

Verify that you have deployed the keystore that contains the signed certificate on Control-M/EM and Control-M/Server, as described in Configuring SSL in Zone 2 and 3.

Begin

  1. From the CCM, select the Control-M/Server for the Control-M/Server API Gateway that you want to configure HTTPS.

  2. From the Home tab, select System Parameters.

  3. In the Name column, type SERVICE.API_GATEWAY_PORT_PROTOCOL.

  4. Change the value to https.

  5. Recycle the Control-M/Server.

  6. Recycle the EM-CTM Request Service and EM-MFT Updates Service components on all Control-M/EM primary and Distributed instances.

Configuring HTTPS Authentication for the Control-M/Server API Gateway

This procedure describes how to configure HTTPS authentication for the Control-M/Server API Gateway, Control-M/EM Services, Control-M/Server Services and its utilities.

Control-M for z/OS only

  • Due to RACF limitations, you cannot create the private key with encryption algorithms, such as AES-256 and higher. However, 3DES is supported.

  • Verify that the keystore you deploy on the Control-M for z/OS contains the trustedCertEntry entry, which contains the root CA certificate of the CA that signed the Control-M/EM server certificate, by running the following command:

    keytool -list -keystore <keystore p12 file> -v

    If the entry does not exist in the keystore, add it manually by running the following command:

    keytool -importcert -trustcacerts -alias <CA certificate alias> -file <CA certificate URL> -keystore <keystore file URL> -storetype pkcs12 -storepass <keystore password> -noprompt

Begin

  1. Run one of the following commands:

    • UNIX: em keytool -list -keystore <EM_HOME>/etc/site/resource/ssl/cert/ctmkeystore.p12 -v

    • Windows: %EM_JAVA_HOME%\bin\keytool -list -keystore <EM_HOME>\etc\site\ssl\cert\ctmkeystore.p12 -v

  2. Verify that the output includes the following line:

    Entry type: trustedCertEntry

    If the output does not contain this line, see Adding the root CA certificate to the Control-M/EM Truststore.

  3. Navigate to the following file:

    <EM_Home>/services/config/https_client_server.properties

  4. Do the following:

    1. Change the value of bmc_https_client_server.ignoreCertificateTrustVerify to false.

      This enforces certificate authentication on the HTTPS connection. Control-M/EM services verify that its truststore contains the trustedCertEntry entry with the root CA that signed the Control-M/Server API Gateway component. The trustore is defined by the bmc_https_client_server.truststorePath in the https_client_server.properties file.

    2. Change the value of bmc_https_client_server.ignoreHostnameVerify to false.

      This enforces hostname authentication on the HTTPS connection. Control-M/Server services or utilities verify that its truststore contains the trustedCertEntry entry with the root CA that signed the Control-M/EM component.

    3. Recycle the EM-CTM Request Service and EM-MFT Updates Service components on all Control-M/EM primary and Distributed instances.

  5. Navigate to the following file:

    <CTM_Home>/services/config/https_client_server.properties

  6. Do the following:

    1. Change the value of bmc_https_client_server.ignoreCertificateTrustVerify to false.

      This enforces certificate authentication on the HTTPS connection. Control-M/Server services or utilities verify that its trustore contains either the Control-M/Server API Gateway certificate or root CA that is sent in the HTTPS connection. The trustore is defined by the bmc_https_client_server.truststorePath in the https_client_server.properties file.

    2. Change the value of bmc_https_client_server.ignoreHostnameVerify to false.

      This enforces hostname authentication on the HTTPS connection. Control-M/Server services or utilities verify that the hostname in the request that is sent is the same as the hostname in the certificate sent by the Control-M/Server API Gateway.

    3. Recycle Control-M/Server.

Adding the root CA certificate to the Control-M/EM Truststore

This procedure describes how to add the root CA certificate as a trusted certificate to the Control-M/EM truststore.

Begin

  1. Verify that you have the root CA certificate file in PEM format.

  2. Back up your keystore file from one of the following locations:

    • UNIX: <EM_HOME>/etc/site/resource/ssl/cert/ctmkeystore.p12

    • Windows: <EM_HOME>\etc\site\ssl\cert\ctmkeystore.p12

  3. Stop all Control-M/EM processes and services.

  4. Run one of the following commands:

    • UNIX: em keytool -import -trustcacerts -alias <alias name> -file <root CA certificate file> -keystore <keystore file>

    • Windows: %EM_JAVA_HOME%\bin\keytool -import -trustcacerts -alias <alias name> -file <root CA certificate file> -keystore keystore file>

  5. Start all Control-M/EM processes and services.