Generating component certificates using the wizard

In the Control-M Configuration Manager, choose Tools => Security => Manage SSL => Generate Component Certificates. The wizard opens and takes you through the steps needed to create CAs. The following table describes the steps and screens in the wizard.

Steps in the Generate Component Certificates wizard

Steps when accepting the default selection in the first screen

  1. In Screen 1, accept the default setting Use the following site Certificate Authority.

    The parameter fields in the screen are populated with values supplied by BMC for demonstration purposes. The demonstration Certificate Authority (CA) is used to sign and generate the certificates for the components that are chosen in Screen 2.

    Click Next.

  2. In Screen 2:

    All Components of Control-M field: If you accept the default setting, certificates are generated for all Control-M components.

    By Component Type field: If you select this field, choose the required component from the drop-down menu.

    When By Component Type is selected, you then also have the option to select Enter Unique Component Instance ID (email). However, if the CONTROL‑M/EM Servers component is displayed, the check box for this field is disabled.

    • If the Enter Unique Component Instance ID (email) option is selected, in the following screen you can choose to create a certificate for all components of the same type, or to create a certificate for each component instance.
    • If this option is not selected, in the following screen a certificate is generated for the selected Control-M component.
    • If you select Key Store Password, fill in the Key Store Password (the password must be 8 characters long) and Retype Password fields. The Key Store Password option also applies to CONTROL-M for z/OS.

    For more information about the Key Store Password, see the note under this table.

    Click Next.

  3. In Screen 3 you can either accept the default or specify a path where the generated certificates will be saved.

    Click Next.

  4. The certificates are created.

Steps when Create new Certificate Authority for the site is selected in the first screen

  1. In Screen 1, select Create new Certificate Authority for the site.

    A message is displayed, asking if you are sure that this is what you want to do.

    Click Yes.

  2. In Screen 2 you are informed that certificates are generated for all the Control-M components.

    You can choose to use a password. If you select this, the wizard will prompt you for further details.

    Click Next.

  3. In Screen 3 you can either accept the default or specify a path where the generated certificates will be saved.

    Click Next.

  4. The certificates are created.

If Create new Certificate Authority for the site is checked, you can create a new Control-M site Certificate Authority, which is then used to sign all certificates needed for Control-M components.

Ability to specify Key Store Password: Step 2 of the Wizard: Password area

NOTE: In the Step 2 screen of the wizard, if Set Key Store Password is not checked (default), a default keystore password is used for all Distributed Key Stores for Control-M for z/OS. The new password is created in the following format: ctm_zos_{hh}{mm}

The {hh} variable is the hour and the {mm} variable is the minutes. This password is shown as clear text in the Summary screen of the wizard. The password is also available in the Control‑M for z/OS Action Report.

If you choose the Set Key Store Password option, you will be prompted for the password and then prompted to retype the password. This password is used for Control-M for z/OS as well.

If you would like to set a different password for Control-M for z/OS, you will need to activate this step separately according to component.

When the wizard ends, the Action Result window is displayed with an action line per component for which a certificate has been generated.

To locate the Control-M certificates directories

Use the following examples to locate the Control-M certificates directories:

After locating the certificates directory, copy it and its contents to a temporary directory on the computer of the Control-M component, or place it in an accessible location on the network.

To copy the certificates for Control-M distributed components

  1. Copy the directory Certificate_for_<component name> to a temporary directory on the computer where the component is installed, for example, <tempLocation>.
  2. From the root directory of the Control-M component run the following command:

    The files are deployed to the required locations. The Control-M component uses either the default keystore password or, if you specified a Key Store Password, the password with which the certificates key store is locked.

    NOTE: For changes to take effect after running setup.bat/setup.sh, restart the relevant component.

    If you want to automatically restore a previous certificate from a backup for Control-M/EM Client, Control-M/EM Server, Control-M/Server and Control-M/Agent, run the setup script from the backup, as follows:

    UNIX: <sslBackupDir>/setup.sh

    Windows: <sslBackupDir>\setup.bat

    The setup scripts save a backup of the certificate state prior to the deployment in a separate directory in the ssl_backup directory.

    If you are using Windows with UAC enabled, run the script from an administrative console.

    The CORBA Naming Service process must be up when running the BMC Batch Impact Manager Web User Interface setup script.

    Running the install script from the SSL package that is used to automatically install the certificates fails for Control-M/Agent 6.3.01.300 or earlier. For a workaround to this problem, see solution number SLN000015130380 on the BMC Support webpage (http://www.bmc.com/support).

To copy the certificates for Control-M for z/OS

The following table describes the key store files for z/OS.

Key store files in Control-M_for_zOS folder

| Key store file | Details |
|---|---|
| IOAGATE.pck12 | Export the certificate for Control-M for z/OS with the key-pair to be used by IOAGATE in PKCS#12 format. The password for the PKCS#12 file is displayed in the summary window that is generated when running the Generate Component Certificates wizard. |
| CA.pem | Export the certificate of the Site CA that signed the client's certificate in PEM format when security level 4 (which uses client authentication) is defined in Control‑M/EM. |

For more information about how to use these files, see the INCONTROL for z/OS Installation Guide, Appendix B "IOAGATE installation and configuration considerations, SSL support".
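
A pre-import check for the two key store files described above, added here as an example (it is not BMC's code or part of the original page): it confirms that IOAGATE.pck12 opens with the password you expect, that its certificate verifies against CA.pem, and flags a key store still locked with a password in the wizard's default ctm_zos_{hh}{mm} format. It assumes OpenSSL is installed; the KS_PASS variable and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not BMC code): pre-import check of the Control-M_for_zOS files.
# Assumptions: OpenSSL is installed; the key store password is supplied in the
# KS_PASS environment variable (a name chosen for this example).

# True if the password has the wizard's default ctm_zos_{hh}{mm} shape.
is_default_ks_password() {
    case "$1" in
        ctm_zos_[0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_zos_keystore <dir>
# Returns 0 = ok, 1 = file missing, 2 = key store does not open with KS_PASS,
#         3 = certificate does not verify against CA.pem,
#         4 = key store opens and verifies but uses a default-format password.
check_zos_keystore() {
    p12="$1/IOAGATE.pck12"
    ca="$1/CA.pem"
    if [ ! -f "$p12" ] || [ ! -f "$ca" ]; then
        echo "IOAGATE.pck12 or CA.pem not found in $1" >&2
        return 1
    fi
    cert=$(mktemp) || return 1
    # -nokeys: only the certificate is written out, never the private key.
    if ! openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys -clcerts \
            -out "$cert" 2>/dev/null; then
        rm -f "$cert"
        echo "cannot open $p12 with the supplied password" >&2
        return 2
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        rm -f "$cert"
        echo "certificate in $p12 does not verify against $ca" >&2
        return 3
    fi
    # Show who the certificate is for, who issued it and when it expires.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    rm -f "$cert"
    if is_default_ks_password "$KS_PASS"; then
        echo "key store is locked with a wizard-default password" >&2
        return 4
    fi
    return 0
}
```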
