Control-D/WebAccess Server SSL Settings

Control-D works with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which secure communication between Control-D and the Control-D/WebAccess Server. SSL for Control-D authenticates and secures communications for the Control-D/WebAccess Server Web Application and Control-D/WebAccess Server Desktop.

You can enable SSL and configure Control-D/WebAccess Server SSL settings when you do the following:

Encryption with IOAGATE synchronization

Control-D/WebAccess Server and IOAGATE must use the same certificate chain and the same encryption algorithm.

Demo certificate copies are available, as described in Certificate copies for Control-D/WebAccess Server.

The following procedures describe how to complete the encryption process.

Certificate copies for Control-D/WebAccess Server

The following table describes the demo keystore files for Control-D/WebAccess Server. Send the contents of this directory to the Control-D Mainframe administrator.

Key store file: IOAGATE.pcks12
Details: A demo certificate for Control-D/WebAccess Server, together with the key pair for IOAGATE, in PKCS#12 format. The password for the PKCS#12 file is ctm_zos_1202.

Key store file: cacert.pem
Details: The certificate of the site CA that signed the demo certificate, in PEM format. Use this file when you define CLIAUTH=YES in IOAGATE, which enables client authentication.

The default files are located in the following directory:

<Installation Path>/config/ssl/ioagte

Generating Signed Certificates

This procedure describes how to generate a signed certificate for Control-D/WebAccess Server. BMC recommends that you bring your own certificate.

You do not need to do this procedure if you receive a private key, signed certificate, root certificate, or a .p12 keystore from your Security Administrator, or if you use the default tomcat.p12 provided with the installation.

Begin

  1. Navigate to one of the following directories:

    • UNIX: <Product Home Directory>/data/SSL/config

    • Windows: <Product Home Directory>\Data\SSL\config

  2. In the csr_params.cfg file, in the [dn] section, change the value of the following fields to the required values:

    • C: example_country.

    • ST: example_state.

    • L: example_locality.

    • O: example_organization.

    • OU: example_unit.

    • CN: example.example.com.

    • emailAddress: [email protected].

  3. Ensure that the certificate carries the required key usages, by doing the following:

    1. Add the following lines at the end of the file:

      [ req_ext ]

      keyUsage = digitalSignature, keyEncipherment

      extendedKeyUsage = serverAuth, clientAuth

    2. In the [ req ] section, add the following line:

      req_extensions = req_ext

      The csr_params.cfg file is a standard openssl configuration file. Include in this file any additional requirements that the certificate must meet.

      For more information, see https://www.openssl.org.

  4. Create the private key and certificate signing request file by running the following command:

    <Installation Path>/bin/openssl req -new -newkey rsa:2048 -nodes -config csr_params.cfg -keyout your_domain.key -out your_domain.csr

    The -config flag makes openssl read the [dn] and [req_ext] sections that you edited; without it (or the OPENSSL_CONF environment variable), openssl uses its default configuration file. The -nodes flag writes the private key unencrypted; remove it if you want openssl to prompt for a key password in the next step.

  5. Define a password.

    The password must be exactly eight characters.

  6. Use the Certificate Signing Request (CSR) file to obtain the certificate file and the certificate chain file, with a .pem extension, from an external recognized CA. PEM format means that these certificates are Base64 (ASCII) encoded X.509 certificates.

    Common suffixes for PEM files are .pem, .crt, .cer, or ca-bundle.

Generating a PKCS12 keystore

This procedure describes how to generate a PKCS12 certificate keystore, which packages the signed certificate, its private key, and the CA certificates for Control-D/WebAccess Server.

Begin

  1. Create the .pkcs12 keystore file by running the following command:

    openssl pkcs12 -in <certificate pem filename> -inkey <private key filename> -export -passout pass:<new keystore password> -passin pass:<private key password> -CAfile <certificate chain pem filename|certificate authority pem filename> [-chain] -out <keystore pkcs12 name>

    The password must be exactly eight characters.

  2. If the CA is trusted through a certificate chain (one or more intermediate CAs), do the following:

    1. Define the -chain flag.

    2. Point the -CAfile flag to the certificate chain .pem file.

  3. If the CA is not trusted through a certificate chain (the certificate is signed directly by the root CA), do the following:

    1. Do not define the -chain flag.

    2. Point the -CAfile flag to the root certificate authority .pem file.

The pkcs12 keystore file appears in the <Installation Path>/config/ssl directory.
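The two procedures above (Generating Signed Certificates and Generating a PKCS12 keystore), run end to end as an added example that is not BMC's script and not part of the original page. It writes a csr_params.cfg-style file that already contains the [req_ext] section, creates the key and CSR with -config, uses a locally generated throw-away CA as a stand-in for the external CA of step 6, checks that the signed certificate really carries the requested key usages, and exports the PKCS12 keystore with -CAfile and -chain. The working directory, the DN values, the test CA and the password abcd1234 are constructed for the example; the product's <Installation Path>/bin/openssl is replaced by whatever openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not BMC's script): CSR with extensions, signing by a
# constructed stand-in CA, usage check, and PKCS12 export with the chain.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed scratch directory
KEYSTORE_PASS="abcd1234"              # exactly eight characters, as required

# Equivalent of csr_params.cfg after steps 2 and 3: [req]/[dn] plus [req_ext].
# [ca_ext] is only for the constructed test CA, it is not part of the procedure.
write_csr_params() {
    cat > "$WORKDIR/csr_params.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = req_ext

[ dn ]
C = US
ST = example_state
L = example_locality
O = example_organization
OU = example_unit
CN = example.example.com
emailAddress = admin@example.com

[ req_ext ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
}

# Step 4: private key and CSR; -config makes openssl read the file above.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/csr_params.cfg" \
        -keyout "$WORKDIR/your_domain.key" -out "$WORKDIR/your_domain.csr" 2>/dev/null
}

# Stand-in for the external CA of step 6: a constructed self-signed root.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORKDIR/csr_params.cfg" -extensions ca_ext \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Sign the CSR, copying the req_ext extensions into the certificate.
sign_csr() {
    openssl x509 -req -in "$WORKDIR/your_domain.csr" \
        -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/csr_params.cfg" -extensions req_ext \
        -days 30 -out "$WORKDIR/your_domain.pem" 2>/dev/null
}

# Check that the signed certificate carries the usages the procedure asked for.
cert_has_required_usages() {
    text=$(openssl x509 -in "$WORKDIR/your_domain.pem" -noout -text)
    echo "$text" | grep -q "TLS Web Server Authentication" &&
    echo "$text" | grep -q "TLS Web Client Authentication" &&
    echo "$text" | grep -q "Key Encipherment"
}

# PKCS12 keystore, step 1: trusted through a chain, so -chain plus -CAfile.
# The key is unencrypted (-nodes above), so no -passin is needed here.
make_keystore() {
    openssl pkcs12 -export -in "$WORKDIR/your_domain.pem" \
        -inkey "$WORKDIR/your_domain.key" -passout "pass:$KEYSTORE_PASS" \
        -CAfile "$WORKDIR/ca.pem" -chain -out "$WORKDIR/keystore.p12"
}

# Number of CA certificates stored in the keystore (the chain must be inside).
keystore_ca_count() {
    openssl pkcs12 -in "$WORKDIR/keystore.p12" -passin "pass:$KEYSTORE_PASS" \
        -nokeys -cacerts 2>/dev/null | grep -c "BEGIN CERTIFICATE"
}

run_demo() {
    write_csr_params && make_csr && make_test_ca && sign_csr &&
    cert_has_required_usages && make_keystore
}

run_demo
echo "keystore: $WORKDIR/keystore.p12 (CA certificates inside: $(keystore_ca_count))"
```

Run it with no arguments; it prints the keystore path and how many CA certificates the keystore contains (one here, the constructed root). If cert_has_required_usages fails, the CA dropped the requested extensions when signing, which is the situation step 3 is meant to prevent.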

Using an Encrypted Password

This procedure describes how to encrypt your own password for the <Installation Path>/config/ssl/bmc-ctd-wa-server.jks keystore file by using the encrypt_jks_password utility.

Begin

  1. Do one of the following:

    • Windows: Open a command prompt window and navigate to the bin folder, located in the installation folder where Control-D/WebAccess Server is installed.

    • UNIX: Log into a Control-D/WebAccess Server administrator account.

  2. Type the following command:

    encrypt_jks_password <password>

    The encrypted password for the JKS file appears.

Importing a Certificate Chain from IOAGATE

This procedure describes how to export a certificate chain that is used by IOAGATE in the mainframe and import it to a PKCS12 file for use by Control-D/WebAccess Server.

Before You Begin

Ensure that the following IOAGATE parameters are set in the ECAPARMD member:

SSL=YES,
KEYRING=<Ring name>,
KEYRLAB=<Label Name>,

Alternatively, set the equivalent parameters using AT-TLS.

Begin

  1. In the mainframe, obtain the certificate chain based on its label by running the following TSO command line:

    RACDCERT LISTCHAIN (LABEL('<Label Name>')) ID(<Id of label>)

    RACDCERT LISTCHAIN (LABEL('MYTEST')) ID(STCUSER)

  2. Export the certificate chain to a file using the following TSO command line:

    RACDCERT EXPORT(LABEL('<Label Name>')) DSN('<File Name>') ID(<Id of Label>) FORMAT(PKCS7B64)

    RACDCERT EXPORT(LABEL('MYTEST')) DSN('m70c.cert7') ID(STCUSER) FORMAT(PKCS7B64)

  3. Transfer the exported file in text mode to the server where Control-D/WebAccess Server is installed.

    Commands for an FTP transfer:

    ascii

    get 'm70c.cert7' cert7.p7b

  4. On the server where Control-D/WebAccess Server is installed, do the following:

    1. Change directory to <Installation Path>/bin

    2. On Windows enter the following command line:

      set OPENSSL_CONF=..\config\ssl\openssl.cnf

    3. Create a pem file from the pkcs7 file with the certificate chain:

      openssl pkcs7 -in <PKCS7 file> -out <Certificate file> -print_certs -text

      openssl pkcs7 -in cert7.p7b -out cert1.pem -print_certs -text

  5. If you want to use your own certificate and private key, create and sign them by running the following command line:

    openssl req -x509 -newkey rsa:<number of bits> -keyout <Private Key file Name> -days <Number of days> -out "<Certificate file>" -passin pass:<Password> -passout pass:<Password> -subj /C=<Country>/ST=<State>/L=<Location>/CN=<Common Name>/OU=<Organization Unit>/emailAddress=<Email Address>/

    openssl req -x509 -newkey rsa:4096 -keyout "privateKey1.pem" -days 3650 -out "certification.pem" -passin pass:abcd1234 -passout pass:abcd1234 -subj /C=US/ST=Florida/L=Miami/CN=Control-M/OU=Control-M/[email protected]/

  6. Create a PKCS12 file by running the following command line:

    openssl pkcs12 -in <certificate pem file name> -inkey <private key file name> -export -passout pass:<new keystore password> -passin pass:<private key password> -certfile <certificate chain pem file name|certificate authority pem file name> -out <keystore pkcs12 name>

    openssl pkcs12 -export -out test1.pkcs12 -inkey "privateKey1.pem" -in certification.pem -certfile cert1.pem -password pass:abcd1234 -passin pass:abcd1234 -passout pass:abcd1234

    where the certificate and private key are from one of the following sources:

  7. In Control-D/Desktop, configure SSL/TLS communication by doing the following:

    1. Open Control-D/Desktop and navigate to Definitions > Common > Repositories > CONTROL-D/MF Repositories.

    2. Access repository definitions of an existing repository or new repository.

    3. Select the Using SSL/TLS check box.

    4. Under SSL/TLS Settings, set the properties of the PKCS12 file that you created in the previous step:

      • PKCS12 file (file name)

      • PKCS12 password

    5. Click OK.

  8. Stop and restart Control-D/WebAccess Server.
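Steps 4 to 6 of the import procedure, plus the check implied by the rule that Control-D/WebAccess Server and IOAGATE must use the same certificate chain, as an added example that is not BMC's script and not part of the original page. Since no mainframe is available here, a constructed site CA and an IOAGATE certificate signed by it are bundled into a PEM PKCS#7 file as a stand-in for the RACDCERT EXPORT ... FORMAT(PKCS7B64) output. The script then converts that file to PEM with openssl pkcs7, creates the server's own self-signed certificate and key, packs everything into a PKCS12 keystore with -certfile, and finally compares the SHA-256 fingerprints of the CA certificates inside the keystore with those recovered from the PKCS#7 file. The working directory, the minimal openssl config (min.cfg), the DN values and the password abcd1234 are constructed for the example.

```shell
#!/bin/sh
# Added example (not BMC's script): PKCS#7 chain -> PEM -> PKCS12, then verify
# that the keystore carries exactly the chain that came from IOAGATE.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed scratch directory
KEY_PASS="abcd1234"                   # constructed private key / keystore password

# Minimal openssl config so that "openssl req" does not depend on a system file.
write_min_cfg() {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' \
        > "$WORKDIR/min.cfg"
}

# Stand-in for the mainframe side: a constructed site CA, an IOAGATE certificate
# signed by it, and both bundled as a PEM PKCS#7 file (what RACDCERT EXPORT gives).
make_stand_in_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORKDIR/min.cfg" \
        -subj "/CN=Constructed Site CA" \
        -keyout "$WORKDIR/siteca.key" -out "$WORKDIR/siteca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/min.cfg" \
        -subj "/CN=IOAGATE" \
        -keyout "$WORKDIR/ioagate.key" -out "$WORKDIR/ioagate.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/ioagate.csr" -CA "$WORKDIR/siteca.pem" \
        -CAkey "$WORKDIR/siteca.key" -CAcreateserial -days 30 \
        -out "$WORKDIR/ioagate.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$WORKDIR/ioagate.pem" \
        -certfile "$WORKDIR/siteca.pem" -out "$WORKDIR/cert7.p7b"
}

# Step 4.3: PEM file with the certificate chain, from the PKCS#7 file.
extract_chain() {
    openssl pkcs7 -in "$WORKDIR/cert7.p7b" -out "$WORKDIR/cert1.pem" -print_certs -text
}

# Step 5: the server's own certificate and (password-protected) private key.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -days 3650 -config "$WORKDIR/min.cfg" \
        -keyout "$WORKDIR/privateKey1.pem" -out "$WORKDIR/certification.pem" \
        -passout "pass:$KEY_PASS" \
        -subj "/C=US/ST=Florida/L=Miami/CN=Control-M/OU=Control-M" 2>/dev/null
}

# Step 6: PKCS12 keystore with the server key/cert plus the IOAGATE chain.
make_keystore() {
    openssl pkcs12 -export -out "$WORKDIR/test1.pkcs12" \
        -inkey "$WORKDIR/privateKey1.pem" -in "$WORKDIR/certification.pem" \
        -certfile "$WORKDIR/cert1.pem" \
        -passin "pass:$KEY_PASS" -passout "pass:$KEY_PASS"
}

# Sorted SHA-256 fingerprints of every certificate in the PEM stream on stdin.
fingerprints() {
    awk -v p="$WORKDIR/split_" \
        '/-----BEGIN CERTIFICATE-----/{n++; f=p n ".pem"} f{print > f} /-----END CERTIFICATE-----/{close(f); f=""}'
    for f in "$WORKDIR"/split_*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -fingerprint -sha256
    done | sort
    rm -f "$WORKDIR"/split_*.pem
}

# Number of certificates recovered from the PKCS#7 file.
chain_cert_count() {
    grep -c "BEGIN CERTIFICATE" "$WORKDIR/cert1.pem"
}

# The CA chain inside the keystore must equal the IOAGATE chain, cert for cert.
keystore_chain_matches_ioagate() {
    expected=$(fingerprints < "$WORKDIR/cert1.pem")
    actual=$(openssl pkcs12 -in "$WORKDIR/test1.pkcs12" -passin "pass:$KEY_PASS" \
                 -nokeys -cacerts 2>/dev/null | fingerprints)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

write_min_cfg && make_stand_in_chain && extract_chain && make_server_cert && make_keystore
echo "certificates recovered from the PKCS#7 file: $(chain_cert_count)"
keystore_chain_matches_ioagate && echo "keystore CA chain matches the IOAGATE chain"
```

With a real export, replace make_stand_in_chain by the cert7.p7b transferred from the mainframe and keep the rest; a fingerprint mismatch means the keystore was built from a different chain than the one IOAGATE presents, which is exactly the case the "same certificate chain" requirement rules out.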