Control-M/Server API Gateway HTTPS Configuration

You can configure HTTPS between the Control-M/Server API Gateway and the following components and utilities that connect to it:

  • EM-CTM Request Service

  • EM-MFT Updates Service

  • Order service

  • ctmorder

  • ctmudchk

  • ctmudly

BMC recommends you bring your own certificate, For POC or demo purposes, you can use the default demo certificate provided with the installation. The default cert or certificates generated by ManageSSL might not work when you change the ignoreCertificateTrustVerify parameter to false.

The following procedures describe how to configure HTTPS for the Control-M/Server API Gateway and the components and utilities that connect to it:

Enabling HTTPS for the Control-M/Server API GatewayLink copied to clipboard

This procedure describes how to enable HTTPS for the Control-M/Server API Gateway in the CCM.

Before You Begin

Verify that you have deployed the keystore that contains the signed certificate on Control-M/EM and Control-M/Server, as described in Configuring SSL in Zone 2 and 3.

Begin

  1. From the CCM, select the Control-M/Server for the Control-M/Server API Gateway that you want to configure HTTPS.

  2. From the Home tab, select System Parameters.

  3. In the Name column, type SERVICE.API_GATEWAY_PORT_PROTOCOL.

  4. Change the value to https.

  5. Recycle the Control-M/Server.

  6. Recycle the EM-CTM Request Service and EM-MFT Updates Service components on all Control-M/EM primary and Distributed instances.

Configuring HTTPS Authentication for the Control-M/Server API GatewayLink copied to clipboard

This procedure describes how to configure HTTPS authentication for the Control-M/Server API Gateway, Control-M/EM Services, Control-M/Server Services and its utilities.

Begin

  1. Navigate to the following file:

    <EM_Home>/services/config/https_client_server.properties

  2. Do the following:

    1. Change the value of bmc_https_client_server.ignoreCertificateTrustVerify to false.

      This enforces certificate authentication on the HTTPS connection. Control-M/EM services verify that its trustore contains either the Control-M/Server API Gateway certificate or root CA that is sent in the HTTPS connection. The trustore is defined by the bmc_https_client_server.truststorePath in the https_client_server.properties file.

    2. Change the value of bmc_https_client_server.ignoreHostnameVerify to false.

      This enforces hostname authentication on the HTTPS connection. Control-M/EM services verify that the hostname in the request that is sent is the same as the hostname in the certificate sent by the Control-M/Server API Gateway.

    3. Recycle the EM-CTM Request Service and EM-MFT Updates Service components on all Control-M/EM primary and Distributed instances.

  3. Navigate to the following file:

    <CTM_Home>/services/config/https_client_server.properties

  4. Do the following:

    1. Change the value of bmc_https_client_server.ignoreCertificateTrustVerify to false.

      This enforces certificate authentication on the HTTPS connection. Control-M/Server services or utilities verify that its trustore contains either the Control-M/Server API Gateway certificate or root CA that is sent in the HTTPS connection. The trustore is defined by the bmc_https_client_server.truststorePath in the https_client_server.properties file.

    2. Change the value of bmc_https_client_server.ignoreHostnameVerify to false.

      This enforces hostname authentication on the HTTPS connection. Control-M/Server services or utilities verify that the hostname in the request that is sent is the same as the hostname in the certificate sent by the Control-M/Server API Gateway.

    3. Recycle Control-M/Server.