Cryptographic Algorithms and Encryption Keys

The following algorithms and protocols are used for the following purposes:

Purpose                                                      Algorithm/Protocol
---------------------------------------------------------    ------------------------
Stored local end user credentials                            PBKDF2 (password hashing) with HMAC-SHA-512
Symmetric encryption of data in transit and data at rest     AES-256-GCM (authenticated encryption)
SSL/TLS protocol in Zones 1 - 3                              TLS 1.2

Replacing the Control-M Encryption Keys

This procedure describes how to replace the factory encryption keys that the installation creates by default, for all components, so that your installation does not rely on default key material.

Begin

  1. Create a new key file with the keygen script. Each script writes the generated key to the file given by -keyoutput:

    • UNIX:

      • ./ctm_agent/ctm/scripts/keygen.sh -keyoutput <file path>

      • ./ctm_server/scripts/keygen.sh -keyoutput <file path>

    • Windows:

      • <AGENT_HOME>\keygen.bat -keyoutput <file path>

      • <CTM_SERVER_HOME>\ctm_server\scripts\keygen.bat -keyoutput <file path>

  2. Replace each of the following key files, keeping the same file name, in every location listed in Control-M Encryption Keys. Replace all copies of a key at the same time, so that every component that shares the key holds the same version:

    • ctm_key.txt

    • transfer_key.txt

    • local.key

    • new_local.txt (you must restart Control-M MFT afterwards)
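The following shell script is an added example and is not one of BMC's Control-M or keygen scripts. It shows the part of step 2 that is easy to get wrong by hand: installing one generated key file under the same name in several directories in a single pass, keeping a timestamped copy of each old key, writing the new key with owner-only permissions, and then checking that every copy is byte-identical. The directory names in the usage comment are hypothetical; take the real locations for each key from the Control-M Encryption Keys table.

```shell
#!/bin/sh
# Added example, not one of BMC's Control-M scripts.
# Installs a key generated with the keygen command shown above, e.g.
#   ./ctm_server/scripts/keygen.sh -keyoutput /tmp/new_ctm_key.txt
# under the same file name in every directory that must carry it,
# then checks that all copies are identical.

# install_key NEWKEY NAME DIR...
# Copies NEWKEY to DIR/NAME in each DIR. The old copy is kept as
# DIR/NAME.<timestamp>.bak, and the new one is written to a temporary
# file and renamed, so no component ever reads a half-written key.
install_key() {
    k_new=$1
    k_name=$2
    shift 2
    [ -r "$k_new" ] || { echo "cannot read $k_new" >&2; return 1; }
    k_stamp=$(date +%Y%m%d%H%M%S)
    for k_dir in "$@"; do
        [ -d "$k_dir" ] || { echo "missing directory $k_dir" >&2; return 1; }
        k_target="$k_dir/$k_name"
        if [ -f "$k_target" ]; then
            cp -p "$k_target" "$k_target.$k_stamp.bak" || return 1
        fi
        k_tmp="$k_dir/.$k_name.$$.tmp"
        # umask 077 in a subshell: the key is never group/world-readable, even briefly
        ( umask 077 && cp "$k_new" "$k_tmp" ) || return 1
        chmod 600 "$k_tmp" && mv -f "$k_tmp" "$k_target" || return 1
    done
    return 0
}

# verify_same_key NAME DIR...
# Succeeds only if DIR/NAME exists in every DIR and all copies are byte-identical.
verify_same_key() {
    v_name=$1
    shift
    v_first="$1/$v_name"
    for v_dir in "$@"; do
        if ! cmp -s "$v_first" "$v_dir/$v_name"; then
            echo "key mismatch or missing file: $v_dir/$v_name" >&2
            return 1
        fi
    done
    return 0
}

# Example run (hypothetical paths; use the locations from the Control-M Encryption Keys table):
#   install_key /tmp/new_ctm_key.txt ctm_key.txt \
#       /opt/em/ini/fips /opt/ctm_server/data /opt/ctm_agent/ctm/data/keys
#   verify_same_key ctm_key.txt /opt/em/ini/fips /opt/ctm_server/data /opt/ctm_agent/ctm/data/keys
```

Run verify_same_key again after the components are restarted; a copy that differs from the others points at a location that was skipped, which is exactly the condition step 2 warns against.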

Control-M Encryption Keys

The following table lists the Control-M encryption keys: the components that use each key, what it encrypts, and how or where it is replaced.

ctm_key.txt

  Components:

    • CCM
    • CM_PLUGIN
    • Control-M/EM Server
    • Control-M/Server
    • Control-M/Agent
    • CM

  Encrypts the following:

    • run_as_user password
    • run_as in the Remote Host

  Replace: the file in each of the following locations, all at the same time:

    • CCM, CM_PLUGIN: <EM_HOME>\ini\fips
    • Control-M/Server: ctm_server\data
    • Control-M/Agent: ctm_agent\ctm\data\keys
    • Control-M/EM Server: <EM_HOME>\ini\fips

security_aes_key.txt

  Components: Control-M/Server

  Encrypts the following:

    • Passwords and passphrases that are stored in the database
    • Email password in <Control-M/Server home directory>/ctm_server/data/mail_auth.properties

  Replace: run the replace_encryption_key script (see the note on stored passwords below):

    • UNIX: replace_encryption_key.sh
    • Windows: replace_encryption_key.bat

db_aes_key.txt

  Components: Control-M/Server

  Encrypts: the database password

  Replace: you cannot update this key.

transfer_key.txt

  Components:

    • Control-M/EM clients
    • Control-M/EM Server

  Encrypts: local Control-M/EM files

  Replace: the file in <EM_HOME>\ini\fips

transient_key.txt

  Components:

    • Control-M/EM clients
    • Control-M/EM Server

  Encrypts: local Control-M/EM files, with a key that is unique to the specific installation. Do not copy this file, or the files that it encrypts, to another installation.

  Replace: run the change_transient_key script:

    • UNIX: <EM_HOME>/ctm_em/bin/change_transient_key
    • Windows: <EM_HOME>\bin\change_transient_key.bat

local.key

  Components: Control-M/Agent

  Encrypts: local passwords in the Control-M/Agent

  Replace: run the ctmagcpk utility

new_local.txt

  Components: Control-M MFT

  Encrypts passwords and passphrases in the following files:

    • accounts.xml
    • Pgp_templates.dat
    • aft_configurable.properties
    • ftpssl_config.properties
    • fts_config.properties

  Replace: the file in <Agent_Home>\CM\AFT\data. If you want to share files such as accounts.xml between two hosts that run Control-M MFT, the same key must exist on each host.

db_enc_key.txt

  Components:

    • Control-M/EM
    • Workflow insight
    • AAPI

  Encrypts the following:

    • Connection profiles in the def_conf_items table in the EM database
    • Workflow insight passwords in the PARAMS table in the EM database
    • AAPI secrets in the def_items table in the EM database
    • Email password in <EM_HOME>/etc/mail_auth.properties

  Replace: run the replace_db_enc_key script, as described in Replacing the key in the db_enc_key.txt file:

    • Windows: run <EM_HOME>\bin\replace_db_enc_key.bat
    • UNIX: run em replace_db_enc_key.sh (from the EM shell)

Stored passwords are the passwords for Remote Hosts and for non-default Control-M/Agent users, and the SSH key passphrase. They are stored in the Control-M/Server database, encrypted with the data\keys\security_aes_key.txt key. When you replace this key, a new key is generated and every password stored in the database is re-encrypted with it.

The replace_encryption_key script replaces the key. It saves the previous key and the database tables that contain the previously encrypted passwords in the following locations:

  • Windows: <installation dir>\bcp_backup_<time_stamp> directory

  • UNIX: <installation dir>/backup_db_<time_stamp> directory

    The previous key is saved in the <installation dir>/data/keys/security_aes_key_<time_stamp>.txt file.

    Verify that the conversion completed successfully and that new jobs can be submitted to Remote Hosts and to Control-M/Agents that run as a non-default user, then delete the backups. Until they are deleted, the backups hold the previous key together with the passwords it encrypted, so protect them as you would the live key.
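The following shell functions are an added example, not BMC's replace_encryption_key script. They encode the two checks a practitioner wants around the backups described above: confirm that the live security_aes_key.txt really differs from the saved previous key before deleting anything, and refuse to delete the backups until the caller states that job submission with the new key has been verified. The UNIX path layout is the one given above; the Windows bcp_backup_<time_stamp> directory is removed on the assumption that it also sits directly under the installation directory, as documented.

```shell
#!/bin/sh
# Added example, not BMC's replace_encryption_key script.
# Run after replace_encryption_key has finished and you have verified that
# new jobs run on Remote Hosts and for non-default Control-M/Agent users.
# Layout as documented above (UNIX):
#   <installation dir>/data/keys/security_aes_key.txt               live key
#   <installation dir>/data/keys/security_aes_key_<time_stamp>.txt  previous key
#   <installation dir>/backup_db_<time_stamp>/                      previous tables

# rotation_happened INSTALL_DIR
# Succeeds only if at least one previous key was saved and the live key
# differs from every saved one, i.e. the script really produced a new key.
rotation_happened() {
    r_keys="$1/data/keys"
    r_live="$r_keys/security_aes_key.txt"
    [ -s "$r_live" ] || { echo "no live key at $r_live" >&2; return 1; }
    r_found=0
    for r_old in "$r_keys"/security_aes_key_*.txt; do
        [ -f "$r_old" ] || continue          # pattern matched nothing
        r_found=1
        if cmp -s "$r_old" "$r_live"; then
            echo "live key is identical to $r_old: the key was not replaced" >&2
            return 1
        fi
    done
    [ "$r_found" -eq 1 ] || { echo "no previous key found under $r_keys" >&2; return 1; }
    return 0
}

# cleanup_backups INSTALL_DIR --jobs-verified
# Deletes the saved previous keys and the backup_db_* / bcp_backup_* directories.
# The previous key can decrypt the passwords held in those backups, so this
# refuses to run unless the key really changed and the caller confirms that
# job submission with the new key has been verified.
cleanup_backups() {
    c_dir=$1
    [ -n "$c_dir" ] && [ -d "$c_dir" ] || { echo "usage: cleanup_backups INSTALL_DIR --jobs-verified" >&2; return 1; }
    [ "$2" = "--jobs-verified" ] || { echo "verify job submission with the new key first, then re-run with --jobs-verified" >&2; return 1; }
    rotation_happened "$c_dir" || return 1
    for c_old in "$c_dir"/data/keys/security_aes_key_*.txt; do
        [ -f "$c_old" ] || continue
        # overwrite before unlinking where GNU shred exists; plain rm otherwise
        if command -v shred >/dev/null 2>&1; then shred -u -- "$c_old"; else rm -f -- "$c_old"; fi
    done
    for c_bak in "$c_dir"/backup_db_* "$c_dir"/bcp_backup_*; do
        if [ -d "$c_bak" ]; then rm -rf -- "$c_bak"; fi
    done
    return 0
}

# Example run (hypothetical installation directory):
#   rotation_happened /opt/ctm_server && cleanup_backups /opt/ctm_server --jobs-verified
```

rotation_happened is deliberately strict: if the script was interrupted and the live key still equals a saved copy, nothing is deleted, because the "backup" would then be the only record that the rotation never completed.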

Replacing the key in the db_enc_key.txt file

This procedure describes how to replace the key in the db_enc_key.txt file using the replace_db_enc_key script. This enables you to change the database encryption key.

You can find the db_enc_key.txt file in the following locations:

  • Windows: <EM_HOME>\ini\fips
  • Linux: <EM_HOME>/ini/fips

Begin

  1. Shut down all the Control-M/EM processes in all the Control-M/EM machines in your environment.

  2. From the home directory of your active primary or secondary Control-M/EM machine, run one of the following scripts:

    • Windows: Navigate to <EM_HOME>\bin and run replace_db_enc_key.bat and follow the on-screen instructions.

    • Linux: Navigate to <EM_HOME>/bin/ and run replace_db_enc_key.sh and follow the on-screen instructions.

    (Linux only) Ensure that you are using EM Shell, such as em tcsh.

  3. Verify that the script ended successfully and start all the processes in all the Control-M/EM machines in your environment.

    You can view the logs of the scripts in the <EM_HOME>/log directory.

  4. Verify that all the processes are UP in your active environment.