Security policies

The security policy is defined by entries made in security policy tables. A Site Policy table is required for each major Control-M component in zone 2 and 3 (Control-M/Server, Control‑M/Agent, and Control-M/EM). The entries in these Site Policy tables provide the basic framework for the Control-M site’s security policy. Additions and modifications to the Site Policy, if needed, are defined in optional Application Policy tables for various Control-M functions. Entries in these tables add to and supersede the entries in the Site Policy tables.

On UNIX computers, the security policy tables are contained in .plc files. On Microsoft Windows computers, these tables are contained in the Registry.

SSL communication policy is based on variable value pairs – called attributes – that are stored in Policy Tables. Each UNIX stanza (or Microsoft Windows Registry key) contains appropriate attributes. Some attributes do not apply to certain functions, some do not apply to certain security levels, and some cannot be changed.

Security policy is implemented by assigning values to the attribute variables described in the Security policy table referred to in Security policy variables. Default policy values for each major Control-M component are specified in that component’s site.plc file or site Registry hive.

When a network communication connection is established, the profile for that connection is obtained from variables in the .plc files (for UNIX) or in the Registry (for Microsoft Windows). The .plc files are described on Sample .plc files. The Microsoft Windows Registry is described on Microsoft Windows environment.

Create or modify the use_openssl key string value to Y in the registry (Windows) or in the policy file site.plc (UNIX) for both client and server:

• Windows:

  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Agent\SecurityPolicy\site\server

  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Agent\SecurityPolicy\site\client

• UNIX: In the policy file site.plc, create or modify the line use_openssl=Y

  NOTE: The default from version 9.0.20 is Y, but for previous versions, it is recommended to change it to Y.

Changes to the key database, key database password, and security policy do not take effect until you restart Control-M/Server, Control-M/Agent, or Control-M/EM components.

NOTE: BMC recommends changing the encryption file permissions according to the security policy of the organization.