This procedure describes how to apply your own certificates, signed by approved third parties, using the Manage_SSL_BYO script.

The certificate that you apply must be a valid X.509 certificate.

The following components are supported:

  • Control-M/Agent

  • Control-M/Server

  • Control-M/Enterprise Manager Servers

  • Control-M for z/OS

Before You Begin

You must have one of the following for the component where SSL configuration is deployed:

  • Private key, certificate, trusted root CA certificate and the certificate chain, all in PEM format, and the password of the private key. The certificates must not be locked or protected by password.

  • PKCS#12 file that includes the private key, certificate, trusted root CA certificate and the certificate chain. If the PKCS#12 file contains multiple certificate and key pairs, you must also know the name of the pair to use. You must also have the password of the keystore.

The following requirements also apply:

  • The version of Control-M/EM listed in the CCM must be the same version of Control-M/EM that you want to generate certificates for in this procedure.

  • Control-M/Server and Agent can be any supported version.

  • The certificates for all components must be signed by the same root CA.
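
A pre-flight check for the PEM inputs listed above, as an added example that is not part of BMC's documentation or tooling: it uses the standard openssl command line to confirm that the certificate parses as X.509, that the private key opens with the password you hold and matches the certificate, and that the certificate chains to the root CA. The function names, file names, and the KEY_PASS environment variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not BMC code): pre-flight checks for the PEM inputs listed under
# "Before You Begin". File names and the KEY_PASS variable are assumptions.

# check_byo_pem CERT KEY ROOT_CA [CHAIN]
# Reads the private-key password from the KEY_PASS environment variable so it
# never appears in the process list. Prints "OK" and returns 0 on success.
check_byo_pem() {
  local cert=$1 key=$2 root=$3 chain=${4:-} cert_pub key_pub

  # 1. The certificate must parse as X.509.
  openssl x509 -in "$cert" -noout 2>/dev/null ||
    { echo "not a valid X.509 certificate: $cert"; return 1; }

  # 2. The private key must open with the password you hold ...
  key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) ||
    { echo "cannot read private key (wrong password or format): $key"; return 2; }

  # ... and must be the key the certificate was issued for.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate"; return 3; }

  # 3. The certificate must chain to the root CA shared by all components.
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
  fi || { echo "certificate does not chain to root CA: $root"; return 4; }

  echo "OK"
}

# Constructed sample input: a throwaway root CA and a server certificate signed
# by it, with the server key encrypted under $KEY_PASS. Written to directory $1.
make_demo_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -passout env:KEY_PASS -subj "/CN=ctm-server.example" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
}
```

Run the same check against every component's files with the same root CA file; a return code of 4 for any of them means that component's certificate was not issued under that root.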

Begin

  1. Create a new output directory for the generated files.

    Verify that the directory has read, write, and execute permissions for the user that runs the Manage_SSL_BYO script.

  2. Run Manage_SSL_BYO with all the required attributes.

    Verify that the -output attribute points to the directory that you created in the previous step.

    In the following command, out1 is defined as the SSL deployment directory:

    "C:\Program Files\BMC Software\Control-M EM\Default\etc\site\manageSSL\bin\Manage_SSL_BYO.bat" -input pkcs12 -component CONTROL-M_Server -output C:\Users\smartool\Documents\out1 -output_keystores_password abcd1234 -file

  3. Copy the output directory specified by -output to a temporary directory on the host where the component is installed.

  4. Stop the component.

  5. In the temporary directory, open the README.TXT file to learn how to run the setup script, which installs the generated certificates on the component.

    If your version of Control-M/EM is lower than 9.0.21 and the destination component (Control-M/Server or Agent) is version 9.0.21 or higher, ignore the README.TXT file in the package. Instead, follow the instructions in the README.TXT file in the <Component_Home_Directory>/data/SSL/manage directory.

Certificate Copies for Control-M for z/OS

For Control-M for z/OS, you need to pass the directory content to your z/OS Control-M administrator.

The following table describes the keystore files for z/OS that are generated by running Manage SSL from CCM.

| Keystore File | Details |
|---|---|
| IOAGATE.p12 | Export the certificate for Control-M for z/OS with the key-pair to be used by IOAGATE in PKCS #12 format. The password for the PKCS #12 file is displayed in the summary window that is generated when running the Generate Component Certificates wizard. |
| CA.pem | Export the certificate of the Site CA that signed the certificate in PEM format when CLIAUTH=YES (which uses client authentication) is defined in IOAGATE. |

For more information about how to use these files, see SSL Support.

Restoring a BMC Self-Signed Certificate

This procedure describes how to restore a BMC self-signed certificate from a backup for the Control-M/EM server.

The setup scripts save a backup of the certificate state prior to the deployment in a separate directory.

Begin

  • From the Control-M/EM home directory, run one of the following commands:

    • UNIX: <Product Home Directory>/ssl_setup/ssl_certificate_backup_<timestamp>/setup.sh <clients-em|em-ctm>

    • Windows: <Product Home Directory>\ssl_setup\ssl_certificate_backup_<timestamp>\setup.bat <clients-em|em-ctm>