Cryptographic Algorithms and Encryption Keys

The following table describes the protocols and algorithms that Control-M uses to secure data.

Algorithm or Protocol	Description
PBKDF2 Hashing Algorithm with HMAC SHA-512	Encrypts stored local end user credentials.
AES256-GCM	Symmetrically encrypts data that is in transit and at rest.
TLS 1.2	Encrypts via SSL protocol in zones 1–3.
SCRAM-SH-256	Encrypts passwords that are used to authenticate access to the PostgreSQL database server.

Replacing the Control-M Encryption Keys

This procedure describes how to replace the Control-M factory encryption keys from the installation for all components.

To replace the transient_key.txt, see Control-M Encryption Keys.
You can also use the ctmkeystore_mng utility to change the encryption key in Control-M/Server.

Begin

Create a new key using the keygen script, as follows:
- UNIX:
  - ./ctm_agent/ctm/scripts/keygen.sh -keyoutput <file path>
  - ./ctm_server/scripts/keygen.sh -keyoutput <file path>
- Windows:
  - <AGENT_HOME>\keygen.bat -keyoutput <file path>
  - <CTM_SERVER_HOME>\ctm_server\scripts\ keygen.bat -keyoutput <file path>
Replace the following keys with the same name in the required locations at the same time, as described in Control-M Encryption Keys:
- ctm_key.txt
- transfer_key.txt
- Local.key
- new_local.txt (You must restart Control-MFT)

Control-M Encryption Keys

The following table lists the Control-M encryption keys and their locations:

Key	Components	Usage	Replace
ctm_key.txt	CCM CM_PLUGIN Control-M/EM Server Control-M/Server Control-M/Agent CM	Encrypts the following: run_as_user password run_as in the Agentless Host	CCM, CM_PLUGIN: <EM_HOME>\ini\fips Control-M/Server: ctm_server\data Control-M/Agent: ctm_agent\ctm\data\keys Control-M/EM Server: <EM_HOME>\ini\fips
security_aes_key.txt	Control-M/Server	Encrypts the following: Passwords and passphrases that are stored in the database Email password in <Control-M/Server home directory> /ctm_server/data/ mail_auth.properties	UNIX: replace_encryption_key.sh Windows: replace_encryption_key.bat
db_aes_key.txt	Control-M/Server	Encrypts the database password	You cannot update this key.
transfer_key.txt	Control-M/EM Desktops Control-M/EM Server	Encrypts local Control-M/EM files	<EM_HOME>\ini\fips
transient_key.txt	Control-M/EM clients Control-M/EM Server	Encrypts local Control-M/EM files with a key unique to the specific installation. Do not copy this file or the files that it encrypts	UNIX: <EM_HOME>/ctm_em/bin/change_transient_key Windows: <EM_HOME>\bin\change_transient_key.bat
local.key	Control-M/Agent	Encrypts local passwords in the Control-M/Agent	Run the ctmagcpk utility
new_local.txt	Control-M MFT	Encrypts passwords and passphrases in the following files: accounts.xml Pgp_templates.dat aft_configurable.properties ftpssl_config.properties fts_config.properties	<Agent_Home>\CM\AFT\data If you want share files such as accounts.xml between two hosts with Control-M MFT, the same key must exist on each host.
db_enc_key.txt	Control-M/EM Workflow insight AAPI	Encrypts the following: Connection profiles in def_conf_items table in EM DB. Workflow insight passwords in PARAMS table in EM DB AAPI secrets in def_items table in EM DB Email password in <EM_HOME>/etc/mail_auth.properties	Windows: run <EM_HOME>\bin\replace_db_enc_key.bat Unix: run: em replace_db_enc_key.sh If you want to replace the db_enc_key.txt file using the replace_db_enc_key script, see Replacing the key in the db_enc_key.txt file.

Stored passwords refer to both passwords for Agentless Hosts and non-default Control-M/Agent users and the SSH key passphrase. The Agentless Hosts and Non-Default Control-M/Agent users are stored in the database encrypted with the data\keys\security_aes_key.txt encryption key. If you replace the key, a new key is generated and all passwords stored in the database are re-encrypted.

The replace_encryption_key script replaces the key. The previous key and database tables that contain the previous encrypted passwords are saved in the following locations:

Windows: <installation dir>\bcp_backup_<time_stamp> directory
UNIX: <installation dir>/backup_db_<time_stamp> directory

The previous key is saved in the <installation dir> /data/keys/security_aes_key_<time_stamp>.txt file.

You must delete the backups after you verify the conversion has completed successfully and new jobs can be submitted to Agentless Hosts and Control-M/Agents that run as a not-default user.

Replacing the key in the db_enc_key.txt file

This procedure describes how to replace the key in the db_enc_key.txt file using the replace_db_enc_key script. This enables you to change the database encryption key.

You can find the db_enc_key.txt file in the following locations:

Windows: <EM_HOME>\ini\fips
Linux: <EM_HOME>/ini/fips

Begin

Shut down all the Control-M/EM processes in all the Control-M/EM machines in your environment.
From the home directory of your active primary or secondary Control-M/EM machine, run one of the following scripts:
- Windows: Navigate to <EM_HOME>\bin and run replace_db_enc_key.bat and follow the on-screen instructions.
- Linux: Navigate to <EM_HOME>/bin/ and run replace_db_enc_key.sh and follow the on-screen instructions.
(Linux only) Ensure that you are using EM Shell, such as em tcsh.
Verify that the script ended successfully and start all the processes in all the Control-M/EM machines in your environment.

You can view the logs of the scripts in the <EM_HOME>/log directory.
Verify that all the processes are UP in your active environment.

Configuring Security Filters

This procedure describes how to configure security filters in the Control-M Web Server. Security filters provide enhanced browser security. By default, a set of filters are enabled. You can add, edit, delete or disable security filters.

Begin

From a command line, type the following:

manage_webserver
Press 2. Security Filter Configuration.
Do one of the following:
- To disable security filters, press 1.
- To disable secure cookies, press 2.
- To add, edit, or delete security filters, press 3. Security Filters Configuration.