This section describes the procedures that use RACF (an example of SAF) and Control-M Configuration Manager.
To create keys and certificates using RACF:
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('MYCA') O('BMC') C('US')) KEYUSAGE(CERTSIGN) WITHLABEL('MYCA')
RACDCERT ID(GATEUSER) GENCERT SUBJECTSDN(CN('IOAGATE') O('BMC') C('US')) WITHLABEL('IOAGATE') SIGNWITH(CERTAUTH LABEL('MYCA')) KEYUSAGE(HANDSHAKE)
RACDCERT ID(GATEUSER) ALTER (LABEL('IOAGATE')) TRUST
RACDCERT CERTAUTH EXPORT(LABEL('MYCA')) DSN('hlq.EXPORT.P12')
To generate certificates with Control-M/EM or "Bring Your Own":
When keys and certificates are generated externally and brought to Control-M/EM for distribution ("Bring Your Own" (BYO)), the certificates are placed in the same folder as certificates generated by Control-M/EM.
For use of keys and certificates with Control-D, use the BYO method.
If BYO is used, skip steps 1 & 2, refer to step 3 and continue from step 4.
Two certificates (files) are generated in the Certificate_for Control-M_for_zOS folder.
For Control-D/WebAccess Server, ready-made certificates can be found in <Installation Path>/config/ssl/ioagte.
This is the certificate which includes the private/public key pair of IOAGATE. This file is encrypted with a password that can be found in the README file created by Control-M/EM or provided in Control-D.
This is the certificate of the CA (Control-M/EM or Control-D) itself that is needed for decrypting IOAGATE.PCK12. If client authentication is required, this certificate is also the certificate of the CA that signed the certificate of the client.
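Before the two files are transferred to z/OS, it helps to confirm on the workstation that IOAGATE.PCK12 opens with the README password and that its certificate was issued by the CA in CACERT.PEM. The script below is an added example, not part of the BMC procedure or product; it assumes OpenSSL 1.1.1 or later, and the function names, result strings, and the sample password ctm_zos_0000 are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not BMC code): check the two files before sending them to z/OS.
# Assumes OpenSSL 1.1.1 or later on the workstation.

# check_bundle P12 CA_PEM PASSWORD
# Prints OK when the PKCS#12 opens with the password, its certificate is within
# its validity period, and it verifies against the supplied CA certificate only.
# Otherwise prints a reason and returns 1.
check_bundle() {
  local p12="$1" ca="$2" leaf rc=0
  leaf=$(mktemp) || return 1
  # Password goes through the environment (env:), not argv where ps shows it.
  # -nokeys: the private key is never written out in the clear.
  if ! P12_PW="$3" openssl pkcs12 -in "$p12" -passin env:P12_PW \
       -nokeys -clcerts -out "$leaf" 2>/dev/null || [ ! -s "$leaf" ]; then
    echo "CANNOT_OPEN_P12"; rc=1
  elif ! openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED"; rc=1
  # -no-CApath: trust only the supplied CA file, not the system store.
  elif ! openssl verify -CAfile "$ca" -no-CApath "$leaf" >/dev/null 2>&1; then
    echo "CHAIN_VERIFY_FAILED"; rc=1
  else
    echo "OK"
  fi
  rm -f "$leaf"
  return $rc
}

# Constructed sample data (not real Control-M material): a throwaway CA, an
# IOAGATE certificate signed by it, and a PKCS#12 with a made-up password.
make_sample() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=SAMPLE-CA" \
    -keyout "$d/ca.key" -out "$d/CACERT.PEM" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=IOAGATE" \
    -keyout "$d/gate.key" -out "$d/gate.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/gate.csr" -CA "$d/CACERT.PEM" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/gate.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/gate.key" -in "$d/gate.crt" \
    -passout pass:ctm_zos_0000 -out "$d/IOAGATE.PCK12"
}

# Usage: P12_PW='<README password>' ./check_bundle.sh IOAGATE.PCK12 CACERT.PEM
if [ "$#" -eq 2 ]; then
  check_bundle "$1" "$2" "${P12_PW:?set P12_PW to the README password}"
fi
```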
By default, FTP allocates the new file with the following attributes:
RACDCERT CERTAUTH ADD ('CACERT.PEM') WITHLABEL('CACERTXX')
Choose XX so that the name is unique and does not conflict with an existing name.
RACDCERT ID(GATEUSER) ADDRING(IOAGATERING)
RACDCERT ID(GATEUSER) CONNECT(CERTAUTH LABEL('CACERTXX') RING(IOAGATERING))
RACDCERT ID(GATEUSER) ADD('IOAGATE.PCK12') TRUST WITHLABEL('IOAGATEXX') PASSWORD('ctm_zos_hhmm')
The hhmm part of the password can be found in the README file generated by Control-M/EM.
RACDCERT ID(GATEUSER) CONNECT(ID(GATEUSER) LABEL('IOAGATEXX') RING(IOAGATERING) DEFAULT USAGE(PERSONAL))
If client authentication is needed, also specify:
Both IOAGATEC and IOAGATEM must have the same SSL definitions.
Note: For more information about the CmsCommMode parameter, see the "Control-M/EM" sub-section in the "SSL communication parameters" section in the "Preparing to use SSL" chapter in the Control-M SSL Guide.
For more information about generating the certificates in Control-M/EM, see the "Generating component certificates using the wizard" section in the "Managing certificates" chapter in the Control-M SSL Guide.