Control-M SSL Configuration

Control-M works with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which enable Control-M components to securely communicate with each other. SSL for Control-M authenticates and secures communications between one or more of the following:

Depending on your setup, you can enable security for the following components:

To configure SSL in your environment, you must do the following:

  • Get Signed Certificates: Signed certificates enable secure communication via SSL protocols. Control-M components support only PEM certificates, which are ASCII-encoded X.509 certificates. BMC recommends that you replace the existing certificates by bringing your own certificates, signed by a recognized Certificate Authority (CA). You can either get the signed certificates from your security administrator, or bring your own, as follows:

    • Get Certificates from Your Security Administrator: Obtain a PKCS#12 keystore, or the private key, the signed certificate, and the certificate of the root CA in *.pem file format. The last file must also contain the certificate chain from the certificate that signed your certificate to the root CA certificate, if required.

    • Get Certificates with a CSR File: Obtain a signed certificate from a recognized CA using a Certificate Signing Request file. If the server certificate was issued by an intermediate CA, which has a certificate trusted by a root CA, whether directly or by a chain, you must obtain the certificate chain from the CA.

    • BMC recommends that you replace the existing certificates with your own certificates that are signed by a recognized CA.

    • For demonstration or proof-of-concept purposes, you can use the default certificates that come with the Control-M component or generate new certificates from the CCM, which creates a CA that is signed by BMC for the specific environment. For more information, see Certificate Copies for Control-M for z/OS.

  • Deploy SSL: To create an SSL policy, you must deploy the keystore—which contains the private key, the signed certificate, and the certificate chain—to the relevant Control-M components.

  • Enable SSL: Enable SSL for relevant Control-M components.
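
A pre-deployment sanity check for the three *.pem files described in the steps above, added here as an example and not BMC or Control-M code: it confirms that each file is PEM rather than DER, holds the expected block type, and decodes to a complete ASN.1 structure. The function names and the 5-byte DER stub used as sample input are constructed for illustration; the check does not verify signatures or that the private key matches the certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_sequence_ok(der):
    """True if der is exactly one ASN.1 SEQUENCE, the outer shell of X.509 and key structures."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: n length bytes follow
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_blocks(data):
    """Return [(label, structurally_ok)] per PEM block; [] means the file is not PEM."""
    text = data.decode("ascii", errors="replace")
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                     # not valid base64 (or a legacy header-encrypted key)
            der = b""
        blocks.append((label, der_sequence_ok(der)))
    return blocks

def check_delivery(key_pem, cert_pem, chain_pem):
    """List problems in the three files: private key, signed certificate, CA chain."""
    problems = []
    for name, data, want in (("private key", key_pem, "PRIVATE KEY"),
                             ("signed certificate", cert_pem, "CERTIFICATE"),
                             ("CA chain", chain_pem, "CERTIFICATE")):
        blocks = pem_blocks(data)
        if not blocks:
            problems.append(f"{name}: no PEM block found (DER or PKCS#12 content?)")
        for label, ok in blocks:
            if not label.endswith(want):       # e.g. CERTIFICATE REQUEST, or a key in the chain
                problems.append(f"{name}: unexpected {label} block")
            elif not ok:
                problems.append(f"{name}: malformed {label} block")
    return problems

# Constructed sample input: a 5-byte DER stub stands in for real certificate and key bodies.
STUB = bytes.fromhex("3003020101")

def make_pem(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()

if __name__ == "__main__":
    key, cert = make_pem("PRIVATE KEY", STUB), make_pem("CERTIFICATE", STUB)
    print(check_delivery(key, cert, cert + cert))
    print(check_delivery(key, make_pem("CERTIFICATE REQUEST", STUB), key))
```
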

The following diagram shows the multiple ways that you can configure SSL in a Zone-based environment: