Configuring Control-M for AFT for an alternative CA

Before you begin

If you are using an alternative CA, ensure that you have the following:

• A CA in X.509 PEM (Privacy-Enhanced Mail) format for the Control-M for AFT.
• A certificate in PKCS#12 format for the Control-M for AFT. You must also know both encryption and integrity (MAC) passwords for this certificate.

  NOTE: PKCS#12 certificates have two passwords: encryption and integrity (Message Authentication Codes, or MAC). The integrity password is used to verify that the file has not been corrupted. Therefore, if you provide a PKCS#12 certificate, you must know both these passwords, which would have been specified during the creation of the PKCS#12 certificate.

Both these files should be saved in a local directory on the host computer on which the Control-M for AFT is installed, prior to performing the following procedure.

To configure Control-M for AFT for an alternative CA:

1. Import the CA to your FTP server.
2. Navigate to the following location, and rename the aftkey.kdb file to aftkey‑old.kdb.

   <Control-M/Agent home directory>/cm/AFT/data/SSL/cert

3. From this location, run the following command:

   ../bin/sslcmd -k aftkey.kdb

   The following message is displayed:

   File not found aftkey.kdb. Enter new key file password (aftkey.kdb):

4. Define and enter an initial password for the aftkey.kdb file. This password must be at least 8 characters long. Re-enter the password when prompted. The following menu is displayed:

   1. Generate key

   2. Add CA

   3. Generate CSR

   4. Add cert

   5. List keys

   6. Delete key

   7. List certs

   8. List CA

   9. View CA

   10. Delete CA

   11. Add CRL

   12. Change KDB Password

   13. Add Labeled Password

   14. List Labeled Password

   15. Delete Labeled Password

   16. Import Key Pair

   17. Export Key Pair

   18. Change Label of Key Pair

   19. EXIT

   Enter a choice [1 - 19]:

5. Enter 2.

   You are prompted to enter the CA certificate file name.

6. Define the path to and file name of the Control-M for AFT CA file.

   Example: /home/ctmagent/SSL/AFT.pem

   The new Certificate of Authentication is added and displayed.

7. Press Enter.

   The main menu is displayed.

8. Enter 16.

   You are prompted to enter the certificate file name.

9. Define the path to and file name of the Control-M for AFT CA.

   Example: /home/ctmagent/SSL/AFT_cert.p12

10. When prompted for an identity, enter AFTDN.
11. When prompted, enter the first PKCS#12 format certificate password.
12. When prompted, enter the MAC PKCS#12 format certificate password.

    The following message is displayed:

    Command successful: Import Key Pair
    Enter to proceed.

13. Press Enter. Select 19 to exit the utility.
14. Perform one of the procedures described in Changing the AFT key database password. Then, if your FTP over SSL/TLS server requires server authentication, proceed to Configuring Control-M for AFT for server authentication. Otherwise, you do not require any further configuration.