Control-M Workload Automation
8.0.00.700
SSL Guide
Contacting BMC Software
You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information about the company, its products, corporate offices, special events, and career opportunities.
United States and Canada
Address: BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA
Telephone: 713 918 8800 or 800 841 2031
Fax: 713 918 8000
Outside United States and Canada
Telephone: (01) 713 918 8800
Fax: (01) 713 918 8000
© Copyright 1999-2015 BMC Software, Inc.
BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. IT Infrastructure Library® is a registered trademark of the Office of Government Commerce and is used here by BMC Software, Inc., under license from and with the permission of OGC.
ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office, and is used here by BMC Software, Inc., under license from and with the permission of OGC.
IBM® Tivoli® Business Service Manager, IBM Tivoli Workload Scheduler, IBM Cognos, IBM InfoSphere DataStage, IBM iSeries, IBM Websphere, and AIX® are the trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
UNIX® is the registered trademark of The Open Group in the US and other countries. Linux is the registered trademark of Linus Torvalds.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
SAP® R/2 and SAP R/3, SAP Business Objects, and SAP NetWeaver are trademarks or registered trademarks of SAP AG in Germany and in several other countries.
BMC Software considers information included in this documentation to be proprietary and confidential. Your use of this information is subject to the terms and conditions of the applicable End User License Agreement for the product and the proprietary and restricted rights notices included in this documentation.
U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA. Any contract notices should be sent to this address.
Customer support
You can obtain technical support by using the BMC Software Customer Support website or by contacting Customer Support by telephone or e-mail. To expedite your inquiry, see “Before contacting BMC.”
Support website
You can obtain technical support from BMC 24 hours a day, 7 days a week at http://www.bmc.com/support. From this website, you can:
Read overviews about support services and programs that BMC offers
Find the most current information about BMC products
Search a database for issues similar to yours and possible solutions
Order or download product documentation
Download products and maintenance
Report an issue or ask a question
Subscribe to receive proactive e-mail alerts when new product notices are released
Find worldwide BMC support center locations and contact information, including e-mail addresses, fax numbers, and telephone numbers
Support by telephone or e-mail
In the United States and Canada, if you need technical support and do not have access to the web, call 800 537 1813 or send an e-mail message to [email protected] (In the subject line, enter SupID:<yourSupportContractID>, such as SupID:12345). Outside the United States and Canada, contact your local support center for assistance.
Before contacting BMC
Have the following information available so that Customer Support can begin working on your issue immediately:
Product information
• Product name
• Product version (release number)
• License number and password (trial or permanent)
Operating system and environment information
• Machine type
• Operating system type, version, and service pack or other maintenance level such as PUT or PTF
• System hardware configuration
• Serial numbers
• Related software (database, application, and communication) including type, version, and service pack or maintenance level
Sequence of events leading to the issue
Commands and options that you used
Messages received (and the time and date that you received them)
• Product error messages
• Messages from the operating system, such as file system full
• Messages from related software
License key and password information
If you have questions about your license key or password, contact BMC as follows:
(USA or Canada) Contact the Order Services Password Team at 800 841 2031, or send an e-mail message to [email protected].
(Europe, the Middle East, and Africa) Fax your questions to EMEA Contracts Administration at +31 20 354 8702, or send an e-mail message to [email protected].
(Asia-Pacific) Contact your BMC sales representative or your local BMC office.
Third party Software
For the provisions described in the BMC License Agreement and Order related to third party products or technologies included in the BMC Product, see https://docs.bmc.com/docs/display/workloadautomation/Control-M+Workload+Automation+Documentation and click Third-party software (TPS).
Contents
Introduction to SSL for Control-M ... 7
Conventions ... 7
SSL communication parameters... 8
Checking hardware and software requirements ... 10
Configuring Control-M components to use SSL ... 11
Configuring Control-M/Server and Control-M/Agent ... 11
Configuring Control-M/EM components ... 14
Configuring Control-M Self Service and Control-M Workload Change Manager web components ... 21
Configuring Control-M Workload Archiving server to use SSL ... 22
Configuring Control-M Workload Archiving server to use TCP/IP ... 22
Configuring NamingViewer (browser for Naming Service) ... 23
Configuring Control-M/EM API JacORB ... 23
Configuring BMC Batch Impact Manager ... 25
Configuring communication with LDAP or Active Directory servers using SSL ... 28
Configuring Control-M/EM Web Server to work with HTTPS... 30
Importing your own certificates into the default Apache Tomcat Web Server keystore ... 31
Managing certificates ... 33
Generate Component Certificates wizard ... 33
Generating component certificates using the wizard ... 34
Creating an SSL key database using the sslcmd utility ... 37
Setting up a signed certificate ... 40
Creating key database files... 49
Control-M/EM ... 49
Control-M/Server ... 50
Control-M/Agent ... 50
Maintaining certificates ... 51
Maintaining certificates on UNIX ... 54
Maintaining certificates on Microsoft Windows ... 55
Configuring security policies ... 56
Microsoft Windows environment ... 60
Introduction to SSL for Control-M
Control-M/Server security discusses standard Control-M security features. In addition, you can enhance Control-M communications security through the Secure Sockets Layer (SSL) protocol:
You can use SSL to protect communication links between Control-M components.
You can configure Control-M to encrypt and decrypt confidential information (such as job scheduling details) dynamically.
You can use digital signatures to ensure that unknown parties cannot modify Control-M elements. For example, setting the appropriate authentication and privacy levels protects Control-M communication links as follows:
Authentication enables each Control-M component to ensure the identity of other Control-M components with which it is communicating.
Privacy prevents a third party from capturing data by monitoring traffic between Control-M components.
SSL for Control-M authenticates and encrypts communications between
Control-M/Server and Control-M/Agent
Control-M/Server and Control-M/Enterprise Manager (Control-M/EM)
Control-M/EM and its clients
Control-M/EM and the Lightweight Directory Access Protocol (LDAP) Server
BMC Batch Impact Manager and its clients (on page 25)
Conventions
Text and examples are given according to UNIX usage, unless otherwise stated.
Component Convention
Control-M/Agent: The default home directory of the UNIX user account under which Control-M/Agent is installed is <agentHome>.
Control-M/Server: The default full path name of the home directory of the UNIX user account under which Control-M/Server is installed is $HOME/ctm_server, for example, $HOME/ctm_server/data.
Control-M/EM: The default full path name of the home directory in which
SSL communication parameters
This section briefly describes the SSL-related parameters that determine communication modes for Control-M/Server, Control-M/Agent, and Control-M/EM.
Control-M/Server
The Secure Sockets Layer system parameter determines the communication mode the Server uses to communicate with Agents and Control-M/EM. You can set this parameter to any of the communication modes shown in the following table.
Control-M/Server communication modes
Mode Description
ENABLED Control-M/Server works in SSL mode. When attempting to connect to an Agent that is in SSL=N mode (discussed subsequently), the Server tries to switch the Agent to SSL=Y mode.
INACTIVE Control-M/Server works in non-SSL mode. When attempting to connect to an Agent that is in SSL=Y mode, the Server tries to switch the Agent to SSL=N mode.
DISABLED Control-M/Server works in non-SSL mode. When attempting to connect to an Agent that is in SSL=Y mode, the Server does not try to switch the Agent to SSL=N mode.
NOTE: Changing the Server communication mode from ENABLED to DISABLED can cause all agents to become unavailable. In that case, you need to change the Server mode to INACTIVE and wait until all required agents are available again. Then, you can change the Server mode to ENABLED or DISABLED.
Control-M/Agent
For Control-M/Agent, the COMMOPT parameter determines the Agent’s communication mode. Valid values for COMMOPT are SSL=Y (SSL communication is enabled) or SSL=N (SSL communication is disabled).
On Microsoft Windows computers, COMMOPT is in the Control-M/Agent registry.
On UNIX computers, COMMOPT is in the agent_home/ctm/data/CONFIG.dat file.
Control-M/EM
This section describes communications for Control-M/EM.
1. Display the sslcmd -k gtwkey.kdb menu (see sslcmd menu).
2. Select 2 Add CA. At the prompt, enter the full path and name of the CA certificate.
3. Select 1 Generate key to generate a public-private key pair. At the prompt, enter alias name CODN.
4. Select 3 Generate CSR. Enter the output path and file name for the generated CSR. The generated CSR can be submitted to a CA to obtain a digital certificate.
5. Select 4 Add cert to add the digital certificate to the SSL key database. When the following prompt is displayed: Enter certificate file name, enter the full path and file name for the digital certificate. The certificate for Control-M/EM is installed in the key database.
6. Display the sslcmd -k cmsgkey.kdb menu (see sslcmd menu).
7. Select 2 Add CA. At the prompt, enter the full path and name of the CA certificate.
8. Select 1 Generate key to generate a public-private key pair. At the prompt, enter alias name CADN.
9. Select 3 Generate CSR. Enter the output path and file name for the generated CSR. The generated CSR can be submitted to a CA to obtain a digital certificate.
10. Select 4 Add cert to add the digital certificate to the SSL key database. When the following prompt is displayed: Enter certificate file name, enter the full path and file name for the digital certificate. The certificate for Control-M/EM is installed in the key database.
11. For Control-M/EM client/server communications using CORBA only: Enter 17 (Export key pair) to export the certificate in pkcs#12 file format.
12. Follow the same steps to update the emkey.kdb key database for the encryption of the Control-M/EM administrator password. Use the alias name CODN.
Key Store files
This section describes the Key Store files that are used by Control-M.
Control-M Key Store files
Key Store file Control-M component
KDB (key database file): Control-M/Agent, Control-M/Server, Control-M/EM servers (Gateway)
PEM (Privacy enhanced mail): Control-M/EM servers (GSR, CMS, and BIM server), Control-M/EM client
Java KeyStore: Control-M/Server, Control-M/EM EMAPI client, Control-M Web Services and Messaging API, Control-M/EM BMC Batch Impact Manager
PKCS#12: Control-M for z/OS
NOTE: For background information about SSL, see SSL documentation on the Internet. For more information about Control-M authentication and privacy levels, see Configuring security policies (on page 56).
Checking hardware and software requirements
All Control-M/Server and Control-M/EM platforms support SSL. To use SSL with Control-M/Server, Control-M/Agent, and Control-M/EM gateways, you must have the product versions shown in the following table.
Software requirements for using SSL with Control-M
For You must have version
Control-M/Server: 6.2.01 or later
Control-M/Agent: 6.2.01 or later
Control-M/Agent for Linux x86: 6.2.01 or later
Control-M/Agent for HP Itanium: 6.3.01 or later
Control-M/Agent for Solaris x86: 6.3.01 or later
Control-M/EM Gateway: Control-M/EM 6.2.01 or later
CORBA servers and clients: Control-M/EM 6.2.01 or later
BMC Batch Impact Manager: Control-M/EM 6.2.01 or later
Control-M/EM APIs: Control-M/EM 6.2.01 or later
Control-M is delivered with default security keys and certificates that are not unique. BMC recommends that you change them. Otherwise, anyone who gains physical access to your network, or to data that you send over the Internet, can use the default keys and certificates to gain access to Control-M. BMC is not responsible for damage or liability associated with keys and certificates.
Configuring Control-M components to use SSL
The following describes how to use a TAO implementation of CORBA to ensure communications security for:
CORBA Naming Service
Control-M/EM servers and clients
NOTE: The SSL security policy requires server and client authentication. In addition, an SSL-secured Control-M/EM server or client can only connect to an SSL-secured Naming Service.
It also describes how to use SSL with the JacORB implementation of CORBA to ensure security when communicating with:
NamingViewer (browser for Naming Service)
Control-M/Enterprise Manager APIs
BMC Batch Impact Manager Web Application
Configuring Control-M/Server and Control-M/Agent
To configure Control-M/Server and Control-M/Agent to use SSL, complete the relevant procedure in this section:
Configuring a Control-M/Server to use SSL (on page 11)
Configuring a Control-M/Agent to use SSL (on page 12)
Configuring Control-M/EM communication with Control-M/Server to use SSL (managed Control-M instances) (on page 13)
Configuring Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances) (on page 13)
Before You Begin
Ensure that the Control-M/Server and Control-M/Agent meet the software version requirement shown in the previous table, Software requirements for using SSL with Control-M (see Checking hardware and software requirements (on page 10)).
Configuring a Control-M/Server to use SSL
You must complete this procedure for each Control-M/Server that will use SSL.
1. Run the ctmsys utility. For more information about the ctmsys utility, see ctmsys.
2. In the ctmsys Main menu, select option 2 System Parameters.
3. Enter n to move to the next page of parameters.
4. Set option 9 Secure Sockets Layer to ENABLED.
Configuring a Control-M/Agent to use SSL
For each Control-M/Agent on which you want to configure SSL, complete the appropriate procedure:
For Do this
Control-M/Agent for UNIX: In the agent_home/ctm/data/CONFIG.dat file, set COMMOPT to SSL=Y.
Control-M/Agent for Microsoft Windows (version 6.4.01 and later): Run the ctmagcfg utility, select option 7 (Advanced Parameters), and specify Y for option 8 in the Advanced menu.
Control-M/Agent for Microsoft Windows (versions earlier than 6.4.01): Run the ctmagcfg utility, and specify Y for option 16 (SSL).
NOTE: Completing this step can save time if you have a large number of agents that work with
Control-M/Server. If you skip this step, Control-M/Server automatically makes a one-time request to set the SSL parameter. This request requires between two and five minutes for each agent.
To configure a new agent, you can use Control-M Configuration Manager or ctm_menu.
You can set one or more Agents to SSL mode and other Agents to TCP mode. For example, you can use Control-M/Server to work with the majority of the agents it is connected to in SSL mode, and can connect to other agents in TCP mode.
When adding a Control-M/Agent to a Control-M/Server using Control-M Configuration Manager to configure the Control-M/Agent to work with SSL, click the down-arrow next to the Secure Socket Layer field. The values are:
Default – inherit the value from the Control-M/Server configuration
Enabled – the connection between the Agent and Control-M Server is in SSL mode, irrespective of the Server connection mode
Disabled – the connection between the Agent and Control-M Server is in TCP mode irrespective of the Server connection mode
Changing a server-agent connection mode for an existing agent
This procedure describes how to modify the settings of each agent according to its required configuration.
To change server-agent connection mode:
1. In Control-M Configuration Manager, right-click the required Control-M/Agent, and select Properties.
2. In the Communication tab, click the down-arrow next to Secure Socket Layer and select the required value. The values are:
• Enabled – the connection between the Agent and the Control-M/Server is SSL mode irrespective of the Server connection mode
• Disabled – the connection between the Agent and the Control-M/Server is TCP mode irrespective of the Server connection mode
3. Click Test to check that your settings are correct and workable.
4. Once the test has validated the settings, click OK.
The connection mode for the agent can be set for any of the valid values. The server will adjust to the changes made.
NOTE: BMC recommends that switching from SSL Enabled to the server default mode (when the mode is set to DISABLED) must be performed in the following steps:
Set the agent to SSL disabled and then wait for the agent to become available again.
When the agent is available (connecting in TCP mode), set the agent to work in default mode.
Configuring Control-M/EM communication with Control-M/Server to use SSL (managed Control-M instances)
This procedure describes how to configure Control-M/EM communication with Control-M/Server to use SSL (managed Control-M instances).
To configure Control-M/EM communication with Control-M/Server to use SSL (managed Control-M instances):
1. Set the value of CMS parameters to auto.
2. Restart the Control-M Configuration Server to implement the change.
Configuring Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances)
The following procedure describes how to configure Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances).
To configure SSL for unmanaged Control-M instances:
1. Log in to Control-M Configuration Manager.
2. Use the left panel of the Configuration Manager window to select a Server definition:
a. At the bottom of the panel, select the By Computer tab.
b. Expand the Control-M/Server node of the All Components tree.
c. Select the Control-M/Server definition you want to configure.
The components of the selected definition are displayed in the right panel of the window.
3. Double-click the line displaying the Control-M/Server definition component you want to configure.
The Control-M Definition window is displayed.
5. Use the Control-M Configuration Manager to stop and restart the Control-M/EM Gateway to implement the change.
For more information about the Control-M Configuration Manager, see Administration.
At startup, the Gateway tries to communicate with the Server using TCP/IP protocol. If the Server does not respond during the synchronization interval (90 seconds by default), the Gateway automatically changes its protocol to SSL and tries to communicate by using the SSL protocol.
Configuring Control-M/EM components
Use the following procedures to configure Control-M/EM client and Control-M/EM servers communication protocol.
Configuring Control-M/EM client and Control-M/EM servers to use SSL (on page 14)
Configuring Control-M/EM client and Control-M/EM servers to use TCP/IP (on page 15)
Configuring the Control-M/EM client to use SSL when logging on as a non-administrator user (on page16)
Storing certificates for TAO (on page 16)
Common SSL error messages (on page 19)
Before You Begin
Ensure that the Control-M/EM clients and Control-M/EM servers meet the software version requirement shown in the table - Software requirements for using SSL with Control-M (see Checking hardware and software requirements (on page 10)).
Configuring Control-M/EM client and Control-M/EM servers to use SSL
Use the following procedure to configure Control-M/EM client and Control-M/EM servers to use SSL.
1. Stop the following Control-M/EM components:
• CORBA Naming Service
• Control-M/EM GUI Server (GSR)
• BMC Batch Impact Manager Server
• Control-M/Forecast
• Control-M/Configuration Manager
• Control-M/EM clients
• Control-M/EM Global Conditions Server (GCS)
• Control-M/EM Gateway
NOTE: On Windows the Naming Service can be stopped only from the Services window. The orbadmin ns stop command cannot stop the Naming Service, because the Control-M Configuration Server depends on it.
On UNIX use the orbadmin ns stop command.
When configuring SSL on clusters, the Naming Service must remain online. Otherwise, the new configurations will not be permanent.
2. On UNIX computers only, enter the following command: setenv DISPLAY terminal_IP_address
3. Start the Domain Configuration (orbconfigure) wizard with one of the following commands:
• [UNIX] orbconfigure
• [Windows] orbconfigure.vbs
The Domain Configuration window is displayed.
4. In the Domain Settings panel you can configure the following settings, as desired:
• Select the Use Secure Sockets Layer (SSL) check box.
• The Use TAO internal configuration file check box is automatically selected. Click Browse to select ssl_client_server.conf from the <Control-M/EM_directory>/etc/ path.
• To set the Setup Listen Ports, click the drop-down list and select one of the following items:
Random – This is the default value and is recommended if the component is not behind a firewall. The operating system selects a free port automatically.
Range – Recommended value for components behind a firewall. Two text boxes are displayed. Specify the lowest and highest ports in these text boxes.
Click Next to continue to the next panel.
5. The Naming Service panel is displayed.
• Configure the Host and Port values as desired.
• To configure the naming service as desired, click Show local settings. The Repository files path and Use TAO internal configuration file text boxes are added to the panel. Specify the full path and name of the configuration file for the secure Naming Service in the Use TAO internal configuration file text box. Click Next.
6. The summary of the Domain Configuration settings is displayed. Click Finish.
7. Restart all the Control-M/EM components.
Configuring Control-M/EM client and Control-M/EM servers to use TCP/IP
Use the following procedure to configure Control-M/EM client and Control-M/EM servers to use TCP/IP.
1. Start the orbconfigure GUI as described in steps 1 through 3 of Configuring Control-M/EM client and Control-M/EM servers to use SSL (on page 14).
2. In the Domain Settings panel (see step 5 in Configuring Control-M/EM client and Control-M/EM servers to use SSL (on page 14)):
b. Replace the ssl_client_server.conf file, by specifying the full path and name of the client_server.conf file from the <Control-M/EM_directory>/etc/ path.
Click Next.
3. If you are configuring the computer running the installation’s Naming Service, perform the following steps in the Naming Service panel:
a. Click Show local settings.
b. Clear the Use TAO internal configuration file check box.
c. Click Next.
d. Click Finish.
e. Restart all the Control-M/EM components.
Configuring the Control-M/EM client to use SSL when logging on as a non-administrator user
On Windows 7 and Vista, when configuring the Control-M/EM client to work with SSL and logging on as a non-administrator user, perform one of the following actions:
Disable User Account Control (UAC)
Right-click the Control-M Configuration Manager icon and choose Properties => Compatibility. In the Compatibility screen, select Run this program in compatibility mode for: Win XP SP3, and click OK.
Storing certificates for TAO
Default CA and application certificates are provided and stored in standard PEM format.
To store a Root Certificate of Authority (CA) and signed certificates:
1. Place the certificates (ca_cert.pem, cert_name.pem, and cert_name_priv_key.pem) in the
2. Update the ssl_client_server.conf and ssl_ns.conf files in the <Control-M/EM_directory>/etc directory by changing the names of the demonstration certificates to the names of your certificates. Parameters in the ssl_client_server.conf file are described in the following table:
Parameter Description
-SSLAuthenticate: Indicates whether authentication is required for server, client, or both. Valid values: SERVER, CLIENT, SERVER_AND_CLIENT
-SSLPrivateKey: Points to the location of the private key.
-SSLCertificate: Points to the location of the public key.
-SSLCAfile: Points to the CA certificate. Default: <Control-M/EM_directory>/ini/ssl/new_ca.pem. The CA certificate, public key, and private key files can be replaced.
-SSLrand: Points to a binary file used to generate random numbers for dynamically encrypting communications between client and server. The file provided by Control-M/EM can be replaced with another binary file. Client and server binary files are independent and do not need to match. Default: <Control-M/EM_directory>/ini/ssl/rnd.bin. Note: This parameter is optional on Windows installations.
EXAMPLE: If the original content of the ssl_client_server.conf file is:
dynamic SSLIOP_Factory Service_Object *
TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() " -SSLAuthenticate SERVER_AND_CLIENT
-SSLPrivateKey 'PEM:/home/ecs1/ctm_em/ini/ssl/CertDemoU_pk.pem'
-SSLCertificate 'PEM:/home/ecs1/ctm_em/ini/ssl/CertDemoU.pem'
-SSLCAfile 'PEM:/home/ecs1/ctm_em/ini/ssl/new_ca.pem'
-SSLrand /home/ecs1/ctm_em/ini/ssl/rnd.bin"
static Client_Strategy_Factory " -ORBConnectStrategy blocked"
static Resource_Factory " -ORBProtocolFactory SSLIOP_Factory"
Change the full path names of the certificates (the three PEM: file paths in the example above) to the names of your certificates. In this example, authentication of both the server and the client is required because the -SSLAuthenticate parameter is set to SERVER_AND_CLIENT.
Private key password
The private key password for demonstration certificates is stored in the ClientServerSSL.ini file in the
<Control-M/EM_directory>/ini/ssl directory. Control-M/EM components read and decode this password
and provide it to the SSL layer.
To update the private key password for use with your site’s certificates:
2. Update the ClientServerSSL.ini file with the new encrypted password by entering the command cryptocli new_password ClientServerSSL.ini
Naming service certificate
The Naming Service requires the private key password interactively during startup. This requirement prevents users from activating the Naming Service in batch mode.
In the Control-M/EM demonstration certificates, the password has been stripped from the private key so that the Naming Service can be invoked without entering the password. The ssl_ns.conf configuration file points to the stripped private key file.
To activate the Naming Service using a new stripped private key:
1. Use the ssl_ns.conf file for the Naming Service.
2. Place the stripped private key file in the <Control-M/EM_directory>/ini/ssl directory.
3. Update the ssl_ns.conf file with the new private key file name, as described in step 2 of Storing certificates for TAO (on page 16) for the ssl_client_server.conf file.
To activate the Naming Service interactively using a secure private key:
In the Naming Service panel, set TAO internal configuration file to the same file that Control-M/EM CORBA servers and clients use: <Control-M/EM_directory>/etc/ssl_client_server.conf
However, this alternative requires that the PEM password be entered interactively, and therefore the Naming Service cannot be run as a Windows service.
Certificate expiration
Control-M/EM comes with demonstration SSL certificates with an expiration period of 4 years. The client applications check certificate expiration on each connection attempt. The client issues a warning if the certificate expires in less than the number of days specified in the WarningSSLExpirationDays system parameter, as described in General parameters. Valid values: 1 - 365. Default: 60.
If an SSL certificate is going to expire in less than the number of days specified in this parameter, a message is displayed in the Message column of the Control-M Configuration Manager main window, and a record is written to the application log.
Common SSL error messages
The following are Common SSL error messages:
Message 1 (on page 19)
Message 2 (on page 19)
Message 3 (on page 19)
Message 4 (on page 20)
Message 5 (on page 20)
Message 6 (on page 20)
Message 7 (on page 20)
Message 1
ACE_SSL (2372 | 1656) error code: 336151576 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Failed to register in the CORBA services.
Explanation: The GUI server fails to resolve a secure Naming Service. The -SSLCAfile parameter is not
specified in the TAO configuration file, or it points to an invalid location.
Corrective Action: Determine which reason caused the failure and correct the problem.
Message 2
ACE_SSL (3632|2580) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to register in the CORBA services.
Explanation: The GUI server fails to resolve a secure Naming Service for one of the following reasons:
The -SSLCAfile parameter is not specified in the TAO configuration file.
The -SSLCAfile parameter points to an invalid location.
The CA PEM file (new_ca.pem) is corrupted.
The CA PEM file (new_ca.pem) doesn't match the certificates used.
Corrective Action: Determine which reason caused the failure and correct the problem.
Message 3
Failed to register in the CORBA services.
Explanation: An attempt was made to connect to a non-secure Naming Service.
Corrective Action: Ensure that the attempted connection is to a secure Naming Service and ensure that
Message 4
ClientServerSSL.ini was not found at D:\ Program Files\BMC Software\Control-M EM 7.0.00\Default\ini\ssl
dynamic initialization failed for SSLIOP_Factory
(3868|2956) Unable to initialize the Service Configurator: Invalid argument
Failed to register in the CORBA services.
Explanation: The GUI server fails to initialize. The ClientServerSSL.ini file was not found in the
<Control-M/EM_directory>/ini/ssl directory.
Corrective Action: Ensure that the ClientServerSSL.ini file is located in the
<Control-M/EM_directory>/ini/ssl directory.
Message 5
Password decryption error. Key string file may be corrupted.: Unknown error
dynamic initialization failed for SSLIOP_Factory
(1556|2364) Unable to initialize the Service Configurator: Invalid argument
Failed to register in the CORBA services.
Explanation: The GUI server fails to initialize. The ClientServerSSL.ini file is corrupted or contains a
password that was encrypted using the wrong key.
Corrective Action: Ensure that the ClientServerSSL.ini file is not corrupted and contains a properly
encrypted password.
Message 6
dynamic initialization failed for SSLIOP_Factory
(3868|3820) Unable to initialize the Service Configurator: Invalid argument Failed to register in the CORBA services.
Explanation: The GUI server fails to initialize. The private or public key certificate was not found.
User Response: Ensure that the -SSLPrivateKey parameter points to the file containing the private
key. Ensure that the -SSLCertificate parameter points to the file containing the public key. When using the demonstration certificates, the default values are:
-SSLPrivateKey 'PEM:/home/ctm_em/ini/ssl/CertDemoU_pk.pem' -SSLCertificate 'PEM:/home/ctm_em/ini/ssl/CertDemoU.pem'
Message 7
TAO (2196|3224) Service Configurator unable to open file be D:\ Program Files\BMC Software\Control-M EM 7.0.00\Default\ini\ssl
(2196|3224) Unable to initialize the Service Configurator: Invalid argument Failed to register in the CORBA services.
Explanation: The GUI server fails to initialize. The configuration file referenced in the -ORBSvcConf
parameter was not found. For more information, see the example in Storing certificates for TAO (on page 16).
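The OpenSSL error strings in Messages 1 and 2 carry a packed error code that a log-monitoring rule can decode instead of matching free text. The following Python script is an added example (not part of the guide or of BMC's tooling); its sample log lines are constructed from the messages above, and the advice strings repeat the guide's own explanations.

```python
"""Triage of ACE_SSL error lines from the Control-M/EM GUI Server log.

Added example, not BMC code. ACE_SSL prints the OpenSSL error as a decimal
"error code" followed by OpenSSL's own "error:<hex>:<lib>:<func>:<reason>"
string. The decimal value is an OpenSSL 1.0.x ERR_PACK value: 8-bit library
number, 12-bit function number, 12-bit reason number. Decoding it lets a log
parser key on the stable reason number instead of the free-text tail and map
it to the explanation the guide gives for Messages 1 and 2.
"""
import re

ERR_LIB_SSL = 0x14  # OpenSSL library number for libssl ("SSL routines")

# Reason numbers from OpenSSL 1.0.x ssl.h for the two messages in the guide.
# The advice text is the guide's explanation, not an independent diagnosis.
REASONS = {
    0x418: ("SSL_R_TLSV1_ALERT_UNKNOWN_CA",
            "Message 1: the peer answered with an 'unknown ca' alert. Check that "
            "-SSLCAfile is specified in the TAO configuration file and points to "
            "a valid location."),
    0x086: ("SSL_R_CERTIFICATE_VERIFY_FAILED",
            "Message 2: the peer certificate failed verification. Check that "
            "-SSLCAfile is specified and valid, that the CA PEM file (new_ca.pem) "
            "is not corrupted, and that it matches the certificates in use."),
}

# Constructed sample log, shaped like Messages 1 and 2 in the guide.
SAMPLE_LOG = [
    "ACE_SSL (2372 | 1656) error code: 336151576 - error:14094418:SSL routines:"
    "SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "Failed to register in the CORBA services.",
    "ACE_SSL (3632|2580) error code: 336134278 - error:14090086:SSL routines:"
    "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "Failed to register in the CORBA services.",
]

LINE_RE = re.compile(
    r"ACE_SSL \((?P<pid>\d+)\s*\|\s*(?P<tid>\d+)\) error code: (?P<code>\d+) - "
    r"error:(?P<hex>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<text>.*)"
)


def unpack(code):
    """Split an ERR_PACK value into (library, function, reason) numbers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(line):
    """Decode one ACE_SSL line; return None for lines that are not SSL errors."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    lib, func, reason = unpack(code)
    name, advice = REASONS.get(
        reason, ("UNMAPPED", "Reason not covered by the guide; inspect the "
                             "OpenSSL text and the TAO SSLIOP parameters."))
    return {
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid")),
        "library": lib,
        "function": func,
        "reason": reason,
        "reason_name": name,
        "from_libssl": lib == ERR_LIB_SSL,
        # The decimal code and the hex in OpenSSL's text describe the same error;
        # a mismatch means the line was mangled (log rotation, copy/paste, ...).
        "code_matches_hex": code == int(m.group("hex"), 16),
        "openssl_text": m.group("text").strip(),
        "advice": advice,
    }


def triage_log(lines):
    """Return the decoded records for every ACE_SSL error line in a log."""
    return [rec for rec in (triage(line) for line in lines) if rec is not None]


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print("%s (lib 0x%02x func 0x%03x reason 0x%03x): %s"
              % (rec["reason_name"], rec["library"], rec["function"],
                 rec["reason"], rec["advice"]))
```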
CORBA::TRANSIENT exceptions
Why do I get a CORBA::TRANSIENT exception when using SSLIOP?
A CORBA::TRANSIENT exception usually indicates that the client was unable to connect to the server when attempting to invoke a request. For standard IIOP, this normally occurs when the client cannot resolve the hostname embedded in the IOR or cannot reach the specified IP address.
In the case of SSLIOP, a CORBA::TRANSIENT exception may also be thrown when the certificates in use are invalid (for example, expired), or the certificate authority certificate has not been set.
Configuring Control-M Self Service and Control-M Workload Change Manager web components
The Control-M Self Service and Control-M Workload Change Manager web components support SSL communication with the Control-M/EM GUI Server using the JacORB implementation of CORBA. SSL parameters for JacORB can be found in the jacorb.properties file located in the following directory:
<Control-M/EM_directory>/etc/jacorb.properties
SSL parameters for JacORB in the jacorb.properties file
Parameter: jacorb.security.support_ssl
Description: Indicates whether SSL is enabled. Valid values: on (use the SSL protocol), off (use the TCP/IP protocol). Default: off.
Parameter: jacorb.security.keystore
Description: Contains the full path and name of the keystore file.
Parameter: jacorb.security.keystore_password
Description: Contains the keystore file password.
Note: For information on creating a keystore for use with the Control-M Self Service or Control-M Workload Change Manager web components, see Exporting or importing private/public keys (on page 27).
To configure Control-M Self Service or Control-M Workload Change Manager web components to work with SSL:
1. In the jacorb.properties file, set the jacorb.security.support_ssl parameter to on.
2. A JacORB client on IBM (for example, IBM AIX) must set the following parameters in the jacorb.properties file (for the IBM JSSE implementation):
jacorb.security.jsse.server.key_manager_algorithm=IbmX509
jacorb.security.jsse.server.trust_manager_algorithm=IbmX509
jacorb.security.jsse.client.key_manager_algorithm=IbmX509
jacorb.security.jsse.client.trust_manager_algorithm=IbmX509
3. From the CCM, recycle the Control-M Web Server.
4. Continue with Configuring Control-M/EM Web Server to work with HTTPS (on page 30)
To configure Control-M Self Service or Control-M Workload Change Manager web components to work with TCP/IP:
1. Edit the jacorb.properties file manually.
2. Set the jacorb.security.support_ssl parameter to off.
Configuring Control-M Workload Archiving server to use SSL
This procedure describes how to configure Control-M Workload Archiving server to use SSL.
To configure Control-M Workload Archiving server to use SSL:
1. Shut down the Workload Archiving Server with the following command:
arc_stop_server
2. Run the following script:
arc_configure_ssl -on -encrypt_password [YES | NO | ALREADY_ENCRYPTED] -keystore [VAL] -keystore_password [VAL]
3. Start up the Workload Archiving Server with the following command:
arc_start_server
Configuring Control-M Workload Archiving server to use TCP/IP
This procedure describes how to configure Control-M Workload Archiving server to use TCP/IP.
To configure Control-M Workload Archiving server to use TCP/IP:
1. Shut down the Workload Archiving Server with the following command:
arc_stop_server
2. Run the following script:
arc_configure_ssl -off
3. Start up the Workload Archiving Server with the following command:
arc_start_server
Configuring NamingViewer (browser for Naming Service)
The NamingViewer utility now supports the browsing of secure naming services that use SSL with the JacORB implementation of CORBA.
SSL parameters for JacORB can be found in the jacorb.properties file located in the following directory:
<Control-M/EM_directory>/etc/jacorb.properties
To enable browsing of secure naming services with SSL
1. In the jacorb.properties file, set the jacorb.security.support_ssl parameter to on.
2. A JacORB client on IBM (for example, IBM AIX) must set the following parameters in the jacorb.properties file (for the IBM JSSE implementation):
jacorb.security.jsse.server.key_manager_algorithm=IbmX509
jacorb.security.jsse.server.trust_manager_algorithm=IbmX509
jacorb.security.jsse.client.key_manager_algorithm=IbmX509
jacorb.security.jsse.client.trust_manager_algorithm=IbmX509
The default value for all the parameters above is SunX509 (Sun JSSE implementation).
To browse non-secure naming services
1. Edit the jacorb.properties file manually.
2. Set the jacorb.security.support_ssl parameter to off.
Using your own encrypted password
The keystore password for demonstration certificates is not encrypted. To use an encrypted password, run the changePass utility as follows:
(UNIX) changePass in the <Control-M/EM_directory>/bin directory
(Windows) changePass in the <Control-M/EM_directory>\bin directory
This utility accepts a keytool password, encrypts it, and updates the jacorb.security.keystore and jacorb.security.keystore_password_crypt parameters in the jacorb.properties file.
NOTE: If you configure the <Control-M/EM_directory>/etc/jacorb.properties file to use SSL, you will not be able to browse non-secure naming services.
Configuring Control-M/EM API JacORB
The SSL parameters for JacORB are in the jacorb.properties file. This file is in the following Control-M/Enterprise Manager directory:
<EM API>/etc/jacorb.properties
These parameters are described in the following table:
SSL parameters for JacORB in the jacorb.properties file
Parameter: jacorb.security.support_ssl
Description: Indicates whether SSL is enabled. Valid values: on (use the SSL protocol), off (use the TCP/IP protocol). Default: off.
Parameter: jacorb.security.keystore
Description: Contains the full path and name of the keystore file.
Parameter: jacorb.security.keystore_password
Description: Contains the keystore file password.
Parameter: jacorb.security.keystore_password_crypt
Description: Indicates whether the keystore file password is encrypted. Valid values: on (yes), off (no). Default: off.
To configure Control-M/EM APIs to use the SSL protocol:
1. Run emapi-configure with the -ssl option, or edit the jacorb.properties file manually as follows:
a. Set the jacorb.security.support_ssl parameter to on.
b. Set the ORBInitRef.NameService parameter to corbaloc:ssliop:ns_host:ns_port/NameService (replace ns_host and ns_port with the correct values).
For information about emapi-configure, see Control-M/EM API Installation.
2. A JacORB client on IBM (for example, IBM AIX) must set the following parameters in the jacorb.properties file (for the IBM JSSE implementation):
jacorb.security.jsse.server.key_manager_algorithm=IbmX509
jacorb.security.jsse.server.trust_manager_algorithm=IbmX509
jacorb.security.jsse.client.key_manager_algorithm=IbmX509
jacorb.security.jsse.client.trust_manager_algorithm=IbmX509
The default value for all the parameters above is SunX509 (Sun JSSE implementation). The jacorb.properties file is located in the following directory:
<EM API>/etc/jacorb.properties
To configure Control-M/EM APIs to use the TCP/IP protocol:
Run emapi-configure without the -ssl option, or edit the jacorb.properties file manually as follows:
a. Set the jacorb.security.support_ssl parameter to off.
b. Set the ORBInitRef.NameService parameter to corbaloc:iiop:ns_host:ns_port/NameService (replace ns_host and ns_port with the correct values).
Processing SSL certificates with JacORB
The application is provided with a default CA certificate and default application certificates in key database (keystore) format for use with JacORB.
The default parameter values for the demonstration certificates are:
jacorb.security.keystore=emapi_root/etc/keystore/emapi.keystore
jacorb.security.keystore_password=emdemo
jacorb.security.keystore_password_crypt=off
These parameters are in the jacorb.properties file.
NOTE: For more information on certificates, see Processing certificates (on page 28) and Certificate expiration (on page 18).
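The jacorb.properties settings described in the three JacORB procedures above (web components, NamingViewer, Control-M/EM API) follow a small set of rules that a configuration check can verify before components are recycled. The following Python script is an added example, not BMC code; DEMO_PROPERTIES and HARDENED_PROPERTIES are constructed from the values in the guide, and the encrypted password value is a placeholder.

```python
"""Consistency check for a Control-M/EM jacorb.properties file.

Added example, not BMC code. It parses Java .properties text and checks the
combinations the guide requires: support_ssl=on goes with a corbaloc:ssliop
NameService reference and support_ssl=off with corbaloc:iiop; with SSL on, the
keystore must be named, the demonstration password (emdemo) replaced and the
password stored encrypted (keystore_password_crypt=on, as changePass sets it);
on IBM JSSE the four *_manager_algorithm keys must be IbmX509 rather than the
SunX509 default.
"""
import re

DEMO_PASSWORD = "emdemo"  # demonstration keystore password from the guide
IBM_ALGORITHM_KEYS = (
    "jacorb.security.jsse.server.key_manager_algorithm",
    "jacorb.security.jsse.server.trust_manager_algorithm",
    "jacorb.security.jsse.client.key_manager_algorithm",
    "jacorb.security.jsse.client.trust_manager_algorithm",
)


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. Sufficient for jacorb.properties."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_jacorb(text, jsse_platform="SUN"):
    """Return a list of findings; an empty list means the file is consistent."""
    p = parse_properties(text)
    findings = []
    ssl = p.get("jacorb.security.support_ssl", "off").lower()
    if ssl not in ("on", "off"):
        findings.append("jacorb.security.support_ssl must be on or off, got %r" % ssl)
        return findings
    # The NameService reference must use the transport matching support_ssl.
    wanted = "corbaloc:ssliop:" if ssl == "on" else "corbaloc:iiop:"
    ns = p.get("ORBInitRef.NameService", "")
    if ns and not ns.startswith(wanted):
        findings.append("ORBInitRef.NameService=%s does not match support_ssl=%s "
                        "(expected %s...)" % (ns, ssl, wanted))
    if ssl == "off":
        return findings
    if not p.get("jacorb.security.keystore"):
        findings.append("jacorb.security.keystore is not set")
    if p.get("jacorb.security.keystore_password") == DEMO_PASSWORD:
        findings.append("keystore_password is the demonstration value emdemo")
    if p.get("jacorb.security.keystore_password_crypt", "off").lower() != "on":
        findings.append("keystore_password_crypt is off: password stored in clear text "
                        "(run changePass)")
    if jsse_platform.upper() == "IBM":
        for key in IBM_ALGORITHM_KEYS:
            if p.get(key, "SunX509") != "IbmX509":
                findings.append("%s must be IbmX509 on IBM JSSE (default SunX509)" % key)
    return findings


# Constructed sample: the demonstration defaults from the guide with SSL switched
# on but the NameService reference still left on iiop.
DEMO_PROPERTIES = """\
jacorb.security.support_ssl=on
ORBInitRef.NameService=corbaloc:iiop:ns_host:ns_port/NameService
jacorb.security.keystore=emapi_root/etc/keystore/emapi.keystore
jacorb.security.keystore_password=emdemo
jacorb.security.keystore_password_crypt=off
"""

# Constructed hardened file for an IBM JDK; the password value is a placeholder
# for the string changePass writes.
HARDENED_PROPERTIES = """\
jacorb.security.support_ssl=on
ORBInitRef.NameService=corbaloc:ssliop:ns_host:ns_port/NameService
jacorb.security.keystore=/opt/ctm_em/etc/keystore/emapi.keystore
jacorb.security.keystore_password=<value written by changePass>
jacorb.security.keystore_password_crypt=on
jacorb.security.jsse.server.key_manager_algorithm=IbmX509
jacorb.security.jsse.server.trust_manager_algorithm=IbmX509
jacorb.security.jsse.client.key_manager_algorithm=IbmX509
jacorb.security.jsse.client.trust_manager_algorithm=IbmX509
"""

if __name__ == "__main__":
    for name, text in (("demo", DEMO_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name, check_jacorb(text, jsse_platform="IBM") or ["OK"])
```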
Configuring BMC Batch Impact Manager
BMC Batch Impact Manager is provided with bim_ssl.ear or bim_ssl.war files, which are configured with a default SSL certificate.
To deploy the BMC Batch Impact Manager web client using the default SSL certificate, start with step of the following procedure.
Start with step 1 of the following procedure only when:
• the system uses SSL protocol and there is a need for replacing keys or passwords
• deploying to any web server that uses the SSL protocol and the IBM JDK (for example, most WebSphere configurations)
Unlike regular bim.ear and bim.war files, the bim_ssl.ear and bim_ssl.war files can only be used to communicate with an SSL-enabled Control-M/EM installation.
To configure BMC Batch Impact Manager:
1. To configure the BMC Batch Impact Manager Web Application for use with customized SSL key, password or IBM JDK, run the configmanager utility:
a. Navigate to the BMC Batch Impact Manager root directory:
• UNIX: cd <Control-M/EM_directory>/APPL/BIM/WEBAPP
• Windows: cd <Control-M/EM_directory>\bim
All paths for the computers to which you deploy must be absolute paths (not relative). Use the slash (/) instead of the backslash (\) when specifying paths, because this symbol works on all platforms.
b. Run the utility:
(UNIX) sh bim_configmanager.sh <arguments>
(Windows) bim_configmanager.bat <arguments>
A list of arguments is provided in the following table. Examples are provided below.
Arguments for the configmanager utility
Argument: -SSLJSSEplatform <SUN|IBM>
Description and values: Platform of the JDK. Mandatory. Valid values:
SUN: Default
IBM: For web servers such as WebSphere
Argument: -SSLkeystorepassword <password>
Description and values: Password for opening the keystore. Optional.
Argument: -SSLkeystorepasswordencryption <on|off>
Description and values: Encryption mode for the password. Optional. Valid values are:
on: Password is encrypted.
off: Password is not encrypted. Default.
Argument: -SSLkeystorepath <fullPath>
Description and values: Full path to new keystore. Optional.
Argument: -nshost <hostName>
Description and values: Naming service host. Optional.
Argument: -nsport <portName>
Description and values: Naming service port. Optional.
Argument: -pathtobim <fullPath>
Description and values: Full path to the BMC Batch Impact Manager Web Application installation directory. Mandatory. Valid values are:
Windows: <Control-M/EM_directory>\bim\webapp
UNIX: <Control-M/EM_directory>/etc/bim/webapp
Argument: -v
Description and values: Verbose output
If the SSL arguments are not included when running the utility, the SSL deployment files will not be created.
2. When the utility finishes, use the newly-created bim_ssl.ear and bim_ssl.war files to deploy.
3. Follow the instructions provided with your web application server.
Examples
Example: Run the configuration utility to use an IBM JDK:
sh bim_configmanager.sh -pathtobim <Control-M/EM_directory>/etc/bim/webapp -SSLJSSEplatform IBM
Example: Run the configuration utility to replace the keystore, using a Sun Microsystems JDK, on UNIX, without password encryption:
sh bim_configmanager.sh -pathtobim <Control-M/EM_directory>/etc/bim/webapp -SSLkeystorepath mykeystore -SSLkeystorepassword emdemo
To go back to non-secure TCP/IP protocol
Deploy BMC Batch Impact Manager Web Application using the regular default bim.ear and bim.war files.
Default values for SSL certificates
The application is provided with a default CA certificate and default application certificates in key database (keystore) format for use with JacORB.
Default keystore and keystore_password parameter values for BMC Batch Impact Manager demonstration certificates:
jacorb.security.keystore=bim_root/etc/em.keystore
jacorb.security.keystore_password=emdemo
jacorb.security.keystore_password_crypt=off
These parameters are located in the jacorb.properties file, which is found in the bim.ear and bim.war files.
NOTE: For information on creating a keystore for use with the BMC Batch Impact Manager web client, see Exporting or importing private/public keys (on page 27).
Exporting or importing private/public keys
To create the em.keystore file and export or import a private/public key:
Run the keytool utility with the following parameters:
keytool -genkey -alias alias_for_the_entry -keystore keystore_file_path -storepass keystore_password -keypass keystore_password -dname "distinguished_name"
EXAMPLE: keytool -genkey -alias em -keystore em.keystore -storepass empass -keypass empass -dname "C=IS, ST=Texas, L=Houston, O=bmc, OU=ESM, CN=em/[email protected]"
NOTE: The passwords for storepass and keypass must be identical because JacORB only handles one password.
Processing certificates
To export a CSR (Certificate Signing request) from keystore in order to sign it
1. Run the keytool utility with the following parameters:
keytool -certreq -alias alias_for_the_entry -keystore keystore_file_path -storepass keystore_password -file certfilename.crs
EXAMPLE: keytool -certreq -alias em -keystore em.keystore -storepass empass -file EmCert.crs
2. Use a private or commercial trusted CA to sign the certificate.
To import a CA certificate into keystore
Run the keytool utility with the following parameters:
keytool -import -alias alias_for_the_CA_entry -keystore keystore_file_path -storepass keystore_password -file cacert.pem
EXAMPLE: keytool -import -alias systemca -keystore em.keystore -storepass empass -file new_ca.pem
To import a signed certificate into keystore
Run the keytool utility with the following parameters:
keytool -import -alias alias_for_the_key_entry -keystore keystore_file_path -storepass keystore_password -file certfilename.der
The signed certificate must be in X.509 DER (Distinguished Encoding Rules) format.
EXAMPLE: keytool -import -alias em -keystore em.keystore -storepass empass -file EmCert.der
For more information on certificate expiration, see Certificate expiration (on page 18).
Configuring communication with LDAP or Active Directory servers using SSL
For Control-M/EM installed on UNIX and Linux operating systems:
1. Obtain a .cer format certificate file from the directory server. Creating and exporting certificate files are different for each LDAP server vendor. Refer to your LDAP server administrator in order to obtain the correct certificate file.
For an example on how to obtain a certificate from the Windows Active Directory, see Example (on page 29).
2. Place the em_ldap_ssl.pem file into the <Control-M/EM_directory>\etc\keystore directory.
3. Verify that a randomness device is installed on the Control-M/EM computer as follows:
a. Locate either the random or urandom file in the /dev directory. If you find the random file, verify that its path is part of the search path.
b. If neither of these files exists, open the <Control-M/EM_directory>/etc/ldap.conf file in a text editor.
c. Locate the #TLS_RANDFILE <Control-M/EM_directory>/ini/ssl/rnd.bin line and remove the # character.
d. Save the modified file.
4. Set an environment variable named "LDAPCONF" with a value pointing to the "ldap.conf" file, which gets set by the EM UNIX account profile.
EXAMPLE: setenv LDAPCONF <Control-M/EM_directory>/ctm_em/etc/ldap.conf
5. LDAP hosts must be resolvable in DNS. If they are not, add the IP address and hostname of the LDAP machine to the /etc/hosts file.
EXAMPLE: 1.2.3.4 host1.bmc.com
1.2.3.4 host1
6. Restart all EM components by applying stop_all and start_all commands.
7. Define an LDAP server that can communicate with Control-M/EM in SSL mode, as described in Defining LDAP system parameters.
If you do not apply all of the above steps, LDAP authentication in SSL mode fails.
8. Recycle the GUI and CMS components.
Example
The following procedure provides an example on how to obtain a certificate file from the Windows Active Directory server. The .pem format certificate file name should be renamed em_ldap_ssl.pem. The rename procedure is outlined in the Active Directory server example in step 8b.
1. Select Programs => Administrative Tools => Certification Authority to open the Certification Authority application.
2. Right-click Certification Authority, and select Properties.
3. Click View Certificate to view the certificate's page.
4. In the Details tab, click Copy to file to start the Certificate Export Wizard.
5. In the Export File Format page, select the Base-64 Encoded X.509 (.cer) format and click Next.
6. Enter a file name with a .cer extension that includes the Active Directory server name.
7. Complete the steps in the wizard to create an exported copy of the Certification Authority for the Active Directory server.
8. Convert the certificate from .cer format to .pem format as follows:
a. Using FTP or another file copying application, copy the Active Directory server certificate file you just created to a system on which the Active Directory client runs.
b. Log on to the system where you copied the certificate and run the following command:
openssl x509 -in AD certificate name -out em_ldap_ssl.pem
AD certificate name represents the file name given in step 6.
NOTE: For a certificate file obtained from a different LDAP server, rename the file em_ldap_ssl.pem.
The location and name of the certificate (.pem) file can be changed by configuring the TLS_CACERT parameter value in the <Control-M/EM_directory>/etc/ldap.conf file for the new path and name.
For Control-M/EM installed on Windows:
1. Obtain a .pem format certificate file from the directory server. Creating and exporting certificate files are different for each LDAP server vendor. Refer to your LDAP server administrator to obtain the correct certificate file.
For an example on how to obtain a certificate from the Windows Active Directory, see the Example above.
2. Place the certificate file in the proper location and follow the SSL certificate installation instructions, as provided by Microsoft, using the MMC utility.
For more information about continuing the LDAP and SSL configuration, see Administration.
Configuring Control-M/EM Web Server to work with HTTPS
This procedure describes how to configure Control-M/EM Web Server to work with HTTPS, which secures data between the web browser and the web server.
Control-M/EM Web Server is Apache Tomcat Web Server.
To work with HTTPS, you must have a trusted certificate. If you generate your own certificate, you must add it to the trusted zone so that Microsoft Silverlight will recognize your site.
The Control-M/EM Web Server provides a DEMO certificate signed by the DEMO CA of Control-M. The DEMO CA of Control-M, which certifies the DEMO Certificate, is not trusted by the Web browser. The Web browser issues a warning message informing you not to browse to this site, because the DEMO CA is not trusted by the Web browser. If you continue, you will receive a certificate error notification.
BMC Software recommends that you replace the demo certificate with a certificate signed by a known CA in your organization.
To configure Control-M/EM Web Server to work with HTTPS:
1. Create a certificate keystore by running one of the following commands:
• Windows: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore -storepass {password}
• UNIX: $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore -storepass {password}
For information on creating a keystore for use with the Tomcat Web Server, see Exporting or importing private/public keys (on page 27). The alias_for_the_entry variable must be tomcat.
2. Edit one of the following files:
• Windows: {CONTROL-M/EM}\{Instance}\emweb\tomcat\conf\server.xml
• UNIX: {CONTROL-M/EM}/ctm_em/etc/emweb/tomcat/conf/server.xml
If you change the password or the keystore file name, change the keystorePass and keystoreFile attributes, as shown in the example below:
3. In the server.xml file, navigate to the following xml content.
<!-- A "Connector" represents an endpoint by which requests are received ...
... -->
4. Add the following xml content after the above content.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/tomcat.keystore" keystorePass="{password}" />
The value of the keystorePass parameter for the demo certificate is emdemo. For an example of this configuration, open the server.xml.HTTPS file.
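The following Python script is an added example (not from the guide or from BMC) that audits a server.xml for the Connector settings just described; the two sample documents are constructed from the Connector snippet in step 4, with a placeholder in place of a real keystore password.

```python
"""Audit the HTTPS Connector in the Control-M/EM Web Server (Tomcat) server.xml.

Added example, not BMC code. It parses server.xml with the standard library,
walks every Connector element and reports what the guide's procedure turns on:
SSLEnabled connectors should carry scheme="https" secure="true", name a
keystoreFile, use TLS rather than an SSLv2/v3 sslProtocol, and must not keep
the demonstration keystorePass (emdemo). Connectors without SSLEnabled are
listed so a plain-HTTP endpoint left open beside HTTPS is visible.
"""
import xml.etree.ElementTree as ET

DEMO_KEYSTORE_PASS = "emdemo"  # demo certificate keystore password from the guide

PLAIN = "plain (non-SSL) connector"
BAD_SCHEME = 'SSL connector should set scheme="https" secure="true"'
NO_KEYSTORE = "keystoreFile not set"
DEMO_PASS = "keystorePass is the demonstration value emdemo"
OLD_PROTOCOL = "sslProtocol selects SSLv2/SSLv3; use TLS"


def audit_connectors(server_xml_text):
    """Return {port: [findings]} for every Connector in the document."""
    root = ET.fromstring(server_xml_text)
    report = {}
    for conn in root.iter("Connector"):
        a = conn.attrib
        findings = []
        if a.get("SSLEnabled", "false").lower() != "true":
            findings.append(PLAIN)
        else:
            if a.get("scheme") != "https" or a.get("secure", "false").lower() != "true":
                findings.append(BAD_SCHEME)
            if not a.get("keystoreFile"):
                findings.append(NO_KEYSTORE)
            if a.get("keystorePass") == DEMO_KEYSTORE_PASS:
                findings.append(DEMO_PASS)
            if a.get("sslProtocol", "TLS").upper().startswith("SSL"):
                findings.append(OLD_PROTOCOL)
        report[a.get("port", "?")] = findings
    return report


# Constructed sample: the guide's Connector snippet as-is (demo password), plus a
# plain HTTP connector on 8080 left enabled in the same <Service>.
DEMO_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- A "Connector" represents an endpoint by which requests are received -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="conf/tomcat.keystore"
               keystorePass="emdemo" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed result of following the guide: HTTP connector removed, own keystore
# password (placeholder value) in place of the demo one.
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="conf/tomcat.keystore"
               keystorePass="{password set when the keystore was created}" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml_text in (("demo", DEMO_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for port, findings in sorted(audit_connectors(xml_text).items()):
            print("%s port %s: %s" % (label, port, "; ".join(findings) or "OK"))
```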
Importing your own certificates into the default Apache Tomcat Web Server keystore
This procedure describes how to import your own certificate (from a certified CA) into the default Tomcat keystore.
NOTE: This procedure is not for replacing the default keystore itself; it applies only to the certificate in the default keystore.
To replace the certificate in the default keystore:
1. Navigate to <KEYSTORE_HOME> (where tomcat.keystore is located):
• UNIX: $EM_HOME/emweb/tomcat/conf
• Windows: %EM_HOME%\emweb\tomcat\conf
2. Delete the existing "tomcat" alias from the default keystore:
keytool -delete -keystore <KEYSTORE_HOME>\tomcat.keystore -alias tomcat
3. Import the ROOT CA of the chain:
keytool -import -alias <root CA alias> -trustcacerts -file <path to root CA certificate> -keystore <KEYSTORE_HOME>\tomcat.keystore
4. Import intermediate CAs of the chain (if needed). Repeat this step per intermediate CA in the chain:
keytool -import -alias <intermediate CA alias> -trustcacerts -file <path to intermediate CA certificate> -keystore <KEYSTORE_HOME>\tomcat.keystore
5. Import the end-user's certificate signed by the above chain:
keytool -import -alias tomcat -trustcacerts -file <path to end user certificate> -keystore <KEYSTORE_HOME>\tomcat.keystore
Managing certificates
To implement public-private key pairs, certificates, and certificate requests for use with SSL, you can use either:
The Generate Component Certificates wizard in the Control-M Configuration Manager, see Generating component certificates using the wizard (on page 34) (recommended method), to automatically generate certificates and to set up scripts
The sslcmd utility and SSL key databases, see Creating an SSL key database using the sslcmd utility (on page 37), to manually generate certificates and to manually update the keystores at the components
NOTE: Changes to the key database, its password, and the security policy configuration do not take effect until you restart Control-M/Server, Control-M/Agent, and Control-M/EM.
Generate Component Certificates wizard
As of Control-M/EM 7.0.00, you can use the Generate Component Certificates wizard in the Control-M Configuration Manager to take you through the process of creating certificates. The Certificate Authority (CA) is based on the OpenSSL utility. For more information about OpenSSL, see the openSSL
Generating component certificates using the wizard
In the Control-M Configuration Manager, choose Tools => Security => Manage SSL => Generate Component Certificates. The wizard opens and takes you through the steps needed to create CAs. The following table describes the steps and screens in the wizard.
Steps in the Generate Component Certificates wizard
Step Description
Steps when accepting the default selection in the first screen
1 In Screen 1, accept the default setting Use the following site Certificate Authority.
The parameter fields in the screen are populated with values supplied by BMC for demonstration purposes. The demonstration Certificate Authority (CA) is used to sign and generate the certificates for the components that are chosen in Screen 2. Click Next.
2 In Screen 2:
All Components of Control-M field
If you accept the default setting, certificates are generated for all Control-M components
By Component Type field
If you select this field, choose the required component from the drop-down menu. When By Component Type is selected, you then also have the option to select Enter Unique Component Instance ID (email). However, if the CONTROL-M/EM Servers component is displayed, the check-box for this field is disabled.
If the Enter Unique Component Instance ID (email) option is selected, in the following screen you can choose to create a certificate for all components of the same type, or to create a certificate for each component instance.
If this option is not selected, in the following screen a certificate is generated for the selected Control-M component.
If you select Key Store Password, specify the Key Store Password (the password must be 8 characters long) and Retype Password fields. The Key Store Password option is applicable also for CONTROL-M for z/OS. For more information about the Key Store Password, see the note under this table.
3 In Screen 3 you can either accept the default or specify a path where the generated certificates will be saved.
Click Next.
4 The certificates are created.
Steps when Create new Certificate Authority for the site is selected in the first screen
1 In Screen 1, select Create new Certificate Authority for the site.
A message is displayed, asking if you are sure that this is what you want to do. Click Yes.
2 In Screen 2 you are informed that certificates are generated for all the Control-M components.
You can choose to use a password. If you select this, the wizard will prompt you for further details.
Click Next.
3 In Screen 3 you can either accept the default or specify a path where the generated certificates will be saved.
Click Next.
4 The certificates are created.
If Create new Certificate Authority for the site is checked, you can create a new site Certificate Authority of the Control-M to be used to sign all certificates needed for Control-M Components.
Ability to specify Key Store Password: Step 2 of the Wizard: Password area
NOTE: In the Step 2 screen of the wizard, if Set Key Store Password is not checked (default), a default keystore password is used for all Distributed Key Stores for Control-M for z/OS. The new password is created in the following format: ctm_zos_{hh}{mm}
The {hh} variable is hour and the {mm} variable is for the minutes. This password is shown as clear text in the Summary screen of the wizard. The password is also available in the Control-M for z/OS Action Report.
If you choose the Set Key Store Password option, you will be prompted for the password and then prompted to retype the password. This password is used for Control-M for z/OS as well.
If you would like to set a different password for Control-M for z/OS, you will need to activate this step separately according to component.
When the wizard ends, the Action Result window is displayed with an action line per component for which a certificate has been generated.
To locate the Control-M certificates directories
Use the following examples to locate the Control-M certificates directories:
Where the path specified was C:\Control-M Certificates and the ALL Components option was chosen, the following directories are created under C:\Control-M Certificates:
• Certificate_for_BMC Batch_Impact_Manager_Web_Application
• Certificate_for Control-M_Agent
• Certificate_for Control-M_Business_Process_Integration_Interface
• Certificate_for Control-M_EnterpriseManager_Servers
• Certificate_for Control-M_EnterpriseManager_API
• Certificate_for Control-M_EnterpriseManager_Client
• Certificate_for Control-M_for_zOS
• Certificate_for Control-M_Server
• Certificate_for_CONTROL_M_WorkloadArchiving
Where the Enter unique component instance ID (e-mail) option was not specified, the key store files are created under the name of the component without subdirectories.
Where the Enter unique component instance ID (e-mail) option for a component was specified (for example Control-M/Agent), a sub-directory containing all the files of the Certificate is created according to the name of the component.
After locating the certificates directory, copy it and its contents to a temporary directory on the computer of the Control-M component or place it in an accessible location in the network.
To copy the certificates for Control-M distributed components
1. Copy the directory Certificate_for_<component name> to a temporary directory in the computer where the component is installed, for example, <tempLocation>.
2. From the root directory of the Control-M component run the following command:
• For UNIX - <tempLocation>/setup.sh
• For Windows - <tempLocation>\setup.bat
The files are deployed to the required locations and the Control-M component uses either the default password of keystore, or if you have specified a Key Store Password, the password by which the Certificates Key Store is locked is used.