Certificates

BMC recommends that you replace the existing certificates using one of the following methods:

• Generate new certificates using the Control-M Configuration Manager: Use this method when you are using the site CA provided by BMC (different per customer). The site CA is stored in the Control-M/EM Server machine, and is used to sign the certificates for Control-M/EM, Control-M/Server, and Control-M/Agent.
• Bringing your own certificate (signed by a different certified CA), then you must be able to provide the certificates, their private key, and the trusted CA.

  NOTE: To ensure a secure connection between both components, verify both are signed by the same CA.

  NOTE: In high availability or distributed environments, each Web component needs its own trusted CA that is installed on all Control-M clients as root CA.

Before applying certificates for Control-M/EM for SSL with Control-M/Server, you must verify the following:

• All Control-M/Servers must be version 8.0.00.600 or version 9.0.00.400 or higher.
• For Control-M/Server 8.0.00.600, you must also create or modify the use_openssl key string value to Y in the registry (Windows) or in the policy file co.plc and ca.plc (UNIX) for both client and server:
  • Windows:

    HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Server\SecurityPolicy\CO\server

    HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Server\SecurityPolicy\CA\server

  • UNIX: In the policy file co.plc and ca.plc, create or modify the line "use_openssl=Y"