Introduction to SSL

Control‑M works with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, ensuring secure communication between the various Control-M components.

SSL for Control-M authenticates and secures communications between one ore more of the following:

• Control-M Web Server and its clients (see Zone 1 SSL configuration)
• Control-M/EM Server and Control-M/Servers (see Zone 2 and 3 SSL configuration)
• Control-M/Server and Control-M/Agents (see Zone 2 and 3 SSL configuration)
• Control-M/EM and the LDAP Server (see LDAP SSL configuration)

Depending on your setup, you can enable security for the following components:

• Control-M Self Service (see Zone 1 SSL configuration)
• Control-M Workload Change Manager (WCM) (see Zone 1 SSL configuration)
• Control-M MFT (see Configuring Control-M MFT for an alternative CA)

To configure SSL in your environment, you must do the following:

• Get Signed Certificates: Signed certificates are required for enabling secured communication using SSL protocols. You need to request a signed certificate from a recognized Certificate Authority (CA) using a Certificate Signing Request file. The signed certificate also contains your public key. If the server’s certificate was issued by an intermediate CA, which has a certificate trusted by a root CA (directly or by a chain), you need to receive a certificate chain from the CA, which allows a client to trust a server.

  NOTE: BMC recommends that you replace the existing certificates by bringing your own certificate (signed by an external recognized CA).

  For demo or POC purposes, you can generate new certificates from the CCM. Use this method when you are using the site CA provided by BMC (different per user). The site CA is stored in the Control-M/EM Server machine, and is used to sign the certificates for Control-M/EM, Control-M/Server, and Control-M/Agent. For more information, see Generating self signed certificates.

   These methods enable you to configure SSL for each of the zones. 

• Deploy SSL: To create an SSL policy, you must deploy the keystore, which contains the private key, the certificate, and possibly the certificate chain to the relevant Control-M components.
• Enable SSL: Enable SSL for relevant Control-M components.

The following diagram shows the multiple ways you can configure SSL in environment based on zones: