Control-M Security

Control‑M works with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, ensuring secure communication between the various Control-M components.

SSL for Control-M authenticates and secures communications between one or more of the following:

• Control-M Web Server and its clients (see Zone 1 SSL Configuration)

• Control-M/EM Server and Control-M/Servers (see Zone 2 and 3 SSL Configuration)

• Control-M/Server and Control-M/Agents (see Zone 2 and 3 SSL Configuration)

• Control-M/EM and the LDAP Server (see LDAP SSL Configuration)

Depending on your setup, you can enable security for the following components:

• Control-M Self Service (see Zone 1 SSL Configuration)

• Control-M Workload Change Manager (WCM) (see Zone 1 SSL Configuration)

• Control-M MFT (see Configuring Control-M MFT for an Alternative CA

To configure SSL in your environment, you must do the following:

• Get Signed Certificates: Signed certificates are required for enabling secured communication using SSL protocols. Control-M components supports only PEM certificates, which are ASCII encoded X.509 certificates. BMC recommends that you replace the existing certificates by bringing your own certificates (signed by a recognized CA). You can either get the signed certificates from your security administrator, or bring your own, as follows:

  • Get certificates from your security administrator: Obtain a pkcs12 keystore, or the private key, the signed certificate, and the certificate of the root CA in pem format. The last file must also contain the certificate chain from the certificate that signed your certificate to the root CA certificate, if required.

  • Get certificates with a CSR file: Obtain a signed certificate from a recognized Certificate Authority (CA) using a Certificate Signing Request file. If the server’s certificate was issued by an intermediate CA, which has a certificate trusted by a root CA (directly or by a chain), you need to receive the certificate chain from the CA.

  BMC recommends that you replace the existing certificates by bringing your own certificate (signed by a recognized CA).

  For demo or POC purposes, you can use the default certificates that come with the component or generate new certificates from the CCM, which creates a CA signed by BMC for the specific environment. For more information, see Generating Self Signed Certificates.

• Deploy SSL: To create an SSL policy, you must deploy the keystore, which contains the private key, the signed certificate, and the certificate chain to the relevant Control-M components.

• Enable SSL: Enable SSL for relevant Control-M components.

The following diagram shows the multiple ways you can configure SSL in environment based on zones: