Configuring Control-M for AFT for server authentication

This procedure describes how to configure Control-M for AFT for server authentication. To implement server authentication, you must import the CA belonging to each of the FTP over SSL/TLS servers to which Control-M for AFT connects.

You must define an individual password to ensure data security.

Before you begin

Ensure that you have an FTP over SSL/TLS server installed and configured.
Determine whether your server requires:
- Client authentication
- Server authentication
- Client and Server authentication
- None of the above.

To configure Control-M for AFT for server authentication:

Set the host security level to Level 3.
Copy the FTP over SSL/TLS server CA file to a temporary location on the computer on which Control-M for AFT is installed.
NOTE:The Control-M for AFT SSL administration utility (sslcmd) uses the X.509 PEM (Privacy-Enhanced Mail) format to import certificates. If you have a certificate in another format, use a translator program to convert it to X.509 PEM format. For example, to convert a Microsoft certificate to an X.509 PEM certificate, use the Microsoft INETSDK tools.
Navigate to the following location:
<Control-M/Agent home directory>/cm/AFT/data/SSL/cert
Type the following command:
../bin/sslcmd -k aftkey.kdb
The aftkey.kdb file is provided with a default password.
- If you created a new aftkey.kdb file inConfiguring Control-M for AFT for an alternative CA , use the password that you created.
- If you already changed the password, use the new password.
- If you did not create a new aftkey.kdb file, enter the default password:
  cmforaft
NOTE: This password should be changed as soon as possible to ensure data security. To do this, go to Changing the AFT key database password Otherwise, go directly to step 6.
From the sslcmd utility menu, select Option 2 (Add CA).
Define the path to and file name of the server CA file.
EXAMPLE: /home/ctmagent/CA/server.pem
To save and exit, select Option 19.

Parent Topic

Certification