Generating Self Signed Certificates

This procedure describes how to generate Self Signed Certificates for Control-M/EM, Control-M/Server, and Control-M/Agent and replace the pre-installed certificates.

  • Self-signed SSL certificates are generated by your servers, and are not validated by a recognized trusted CA. Therefore, it is not recommended.

  • Control-M Mobile does not work with self-signed SSL certificates.

  • The version of Control-M/EM listed in the CCM must be the same version of Control-M/EM that you are generating certificates for in this procedure.

  • The version of Control-M/Server and Control-M/Agent can be any supported version.

Begin

  1. In the CCM, select the Control-M/EM component that you want to do define.

  2. Select System Parameters and then select Manage SSL.

  3. Define SSL parameters, as described in Defining SSL system parameters.

  4. From the Security tab, click Manage SSL.

  5. Do one of the following:

    • If you want to use the BMC-provided demo certificate, select Use the following site certificate authority, and do the following:

      1. The parameter fields in the first screen are populated with values supplied by BMC. Click Next.

      2. Select one of the following:

        • All Components of Control-M: Generate certificates for all components

        • By Component Type, and then select the component from the drop-down list.

        You can also enter a Unique Component Instance ID (email). You can do this for all components of this type, or for each instance of this component. Note that this option is not available for the Control-M/EM Server component.

        If you want to use a different password than the default, you can enter a KeyStore Password, which must be eight characters in length.

      3. Accept the default location to save the generated certificates, or type in a new path.

      4. Click Next to generate the certificates.

      5. Click Submit .

        The new certificate deployment directories are created in the location you requested in the CCM client machine.

    • If you want to create a new and unique instance of the pre-installed site Certificate Authority, select Create new Certificate Authority for the site, and do the following:

      1. Click Yes to accept generating a new certificate.

        You are informed that certificates will be generated for all the Control-M components.

      1. Enter the Country Name, Common Name (FQDN), Email Address and other optional parameters of the CA and click Next.

      1. If you want to use a password, enter the password and click Next.

      2. Accept the default location to save the generated certificates, or type in a new path.

      3. Click Next to generate the certificates.

      4. Click Submit .

        The new certificate deployment directories are created in the location you requested in the CCM client machine.

  6. Copy the directory Certificate_for_<component name> to a temporary directory in the computer where the component is installed. For example: <tempLocation>.

  7. Stop the component.

  8. In the temporary directory, open the README.TXT file to learn how to run the setup script, which installs the generated certificates on the component.

    If Control-M/EM is older than 9.0.21, and the destination component (Control-M/Server or Control-M/Agent) is 9.0.21 or above, ignore the README.TXT file in the package, and follow the instructions in the README.TXT file located at <component home directory>/data/SSL/manage directory.

  9. Start the relevant component.

Bringing Your Own Certificate

This procedure describes how to apply your own certificates signed by approved third-parties using the Manage_SSL_BYO script.

The certificate that you apply must be a valid X509 certificate.

The following components are supported:

  • Control-M/Agent

  • Control-M/Server

  • Control-M/Enterprise Manager Servers

  • Control-M zOS

Before you begin

You must have one of the following for the component where SSL configuration is deployed:

  • Private key, certificate, trusted root CA certificate and the certificate chain, all in PEM format, and the password of the private key. The certificates must not to be locked/protected by password.

  • PKCS#12 file that includes the private key, certificate, trusted root CA certificate and the certificate chain. If the PKCS#12 contains multiple certificates and key pairs, then you must also have available the name of the pair to use. You must also have the password of the keystore.

  • The version of Control-M/EM listed in the CCM must be the same version of Control-M/EM that you are generating certificates for in this procedure.

  • The version of Control-M/Server and Control-M/Agent can be any supported version.

  • The certificates for all components must be signed by the same root CA.

Begin

  1. Create a new output directory for the generated files.

    Verify that the directory has read, write, and execute permissions for the user that runs the Manage_SSL_BYO script.

  2. Run Manage_SSL_BYO with all required attributes.

    Verify that -output attribute is mapped to the directory in the above step..

  3. Copy the output directory specified by -output to a temporary directory in the computer where the component is installed.

  4. Stop the component.

  5. In the temporary directory, open the README.TXT file to learn how to run the setup script, which installs the generated certificates on the component.

    If Control-M/EM is older than 9.0.21, and the destination component (Control-M/Server or Control-M/Agent) is 9.0.21 or above, ignore the README.TXT file in the package, and follow the instructions in the README.TXT file located at <component home directory>/data/SSL/manage directory.

Certificate Copies for Control-M for Z/OS

For Control-M for Z/OS you need to pass the directory content to your z/OS Control-M administrator.

The following table describes the keystore files for z/OSthat are generated by running Manage SSL from CCM.

Key store file

Details

IOAGATE.p12

Export the certificate for Control-M for z/OS with the key-pair to be used by IOAGATE in PKCS#12 format. The password for the PCKS#12 file is displayed in the summary window that is generated when running the Generate Component Certificates wizard.

CA.pem

Export the certificate of the Site CA that signed the certificate in PEM format when CLIAUTH=YES (which uses client authentication) is defined in IOAGATE.

For more information about how to use these files, see the INCONTROL for z/OS Installation Guide, Appendix B "IOAGATE installation and configuration considerations, SSL support".

 

Restoring a BMC Self-Signed Certificate

This procedure describes how to restore a BMC Self-Signed Certificate from a backup for Control-M/EM server.

The setup scripts save a backup of the certificate state prior to the deployment in a separate directory.

Begin

  • From the Control-M/EM home directory, run one of the following:

    • UNIX: <Product Home Directory>/ssl_setup/ssl_certificate_backup_<timestamp>/setup.sh <clients-em|em-ctm>

    • Windows: <Product Home Directory>\ssl_setup\ssl_certificate_backup_<timestamp>\setup.bat <clients-em|em-ctm>