Control-M SSL Guide. Supporting
Control-M SSL Guide

Supporting
Version of Control-M/Enterprise Manager
Version of Control-M/Server for UNIX and Microsoft Windows
Version of Control-M/Agent for UNIX and Microsoft Windows

April
Contacting BMC Software

You can access the BMC Software website at From this website, you can obtain information about the company, its products, corporate offices, special events, and career opportunities.

United States and Canada
Address: BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX, USA
Telephone or
Fax

Outside United States and Canada
Telephone (01)
Fax (01)

Copyright 2010 BMC Software, Inc.

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners.

Linux is the registered trademark of Linus Torvalds. Java runtime environment and JRE are registered trademarks of Sun Microsystems, Inc., in the U.S. and other countries.

The information included in this documentation is the proprietary and confidential information of BMC Software, Inc., its affiliates, or licensors. Your use of this information is subject to the terms and conditions of the applicable End User License agreement for the product and to the proprietary and restricted rights notices included in the product documentation.

Restricted rights legend
U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section , DFARS , DFARS , DFARS , and DFARS , as amended from time to time. Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX , USA. Any contract notices should be sent to this address.
Customer support

You can obtain technical support by using the BMC Software Customer Support website or by contacting Customer Support by telephone or . To expedite your inquiry, see Before contacting BMC.

Support website
You can obtain technical support from BMC 24 hours a day, 7 days a week at From this website, you can
- read overviews about support services and programs that BMC offers
- find the most current information about BMC products
- search a database for issues similar to yours and possible solutions
- order or download product documentation
- download products and maintenance
- report an issue or ask a question
- subscribe to receive proactive alerts when new product notices are released
- find worldwide BMC support center locations and contact information, including addresses, fax numbers, and telephone numbers

Support by telephone or
In the United States and Canada, if you need technical support and do not have access to the web, call or send an message to [email protected]. (In the subject line, enter SupID:<yourSupportContractID>, such as SupID:12345). Outside the United States and Canada, contact your local support center for assistance.

Before contacting BMC
Have the following information available so that Customer Support can begin working on your issue immediately:
- product information
  - product name
  - product version (release number)
  - license number and password (trial or permanent)
- operating system and environment information
  - machine type
  - operating system type, version, and service pack or other maintenance level such as PUT or PTF
  - system hardware configuration
  - serial numbers
  - related software (database, application, and communication) including type, version, and service pack or maintenance level
- sequence of events leading to the issue
- commands and options that you used
- messages received (and the time and date that you received them)
  - product error messages
  - messages from the operating system, such as file system full
  - messages from related software
License key and password information

If you have questions about your license key or password, use one of the following methods to get assistance:
- Send an message to
- Use the Customer Support website at

4 Control-M SSL Guide
Contents

Chapter 1  Preparing to use SSL  9
  Conventions used in this guide
  Overview of SSL for Control-M
  SSL communication parameters
    Control-M/Server
    Control-M/Agent
    Control-M/EM
  Key Store files
  Checking hardware and software requirements

Chapter 2  Configuring Control-M components to use SSL  15
  Overview
  Configuring Control-M/Server and Control-M/Agent
    Configuring a Control-M/Server to use SSL
    Configuring a Control-M/Agent to use SSL
    Changing a server-agent connection mode for an existing agent
    Configuring Control-M/EM communication with Control-M/Server to use SSL (managed Control-M instances)
    Configuring Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances)
  Configuring Control-M/EM components
    Configuring Control-M/EM client and Control-M/EM servers to use SSL
    Configuring Control-M/EM client and Control-M/EM servers to use TCP/IP  23
    Configuring the Control-M/EM client to use SSL when logging on as a non-administrator user
    Storing certificates for TAO
    Common SSL error messages
  Configuring Control-M Self Service web component
  Configuring NamingViewer (browser for Naming Service)
    Using your own encrypted password
  Configuring Control-M/EM API
    JacORB
    Processing SSL certificates with JacORB
  Configuring BMC Batch Impact Manager
    Default values for SSL certificates
    Exporting or importing private/public keys
    Processing certificates
  Configuring communication with LDAP or Active Directory servers using SSL
  Configuring Control-M/EM Web Server to work with HTTPS
Chapter 3  Managing certificates  45
  Overview of key databases
  Generate Component Certificates wizard
    Generating component certificates using the wizard
  Creating an SSL key database using the sslcmd utility
    sslcmd menu
    Recommended task summary
    Setting up a signed certificate
    Installing a trusted root authority certificate
    Generating public-private key pairs
    Creating and installing the signed certificate
    Creating key database files
    Maintaining certificates

Appendix A  Configuring security policies  71
  UNIX environment
    Sample .plc files
  Microsoft Windows environment
    Sample Microsoft Windows registry keys
  Security policy variables
  Security levels
  Access files

Index  83
Tables

- Control-M/Server communication modes
- Control-M/EM communication modes
- Control-M Key Store files
- Software requirements for using SSL with Control-M
- SSL parameters for JacORB in the jacorb.properties file
- SSL parameters for JacORB in the jacorb.properties file
- Arguments for the configmanager utility
- Steps in the Generate Component Certificates wizard
- Key store files in Control-M_for_zOS folder
- sslcmd utility options
- Task summary: implementing keys and signed certificates
- Locations of alias IDs for public-private key pairs
- Distinguished name information
- Security policy variables
- Services to be stopped and restarted
- Access file parameters
Chapter 1  Preparing to use SSL

This chapter presents the following topics:
- Conventions used in this guide
- Overview of SSL for Control-M
- SSL communication parameters
  - Control-M/Server
  - Control-M/Agent
  - Control-M/EM
- Key Store files
- Checking hardware and software requirements

Conventions used in this guide

Text and examples are given according to UNIX usage, unless otherwise stated.

Component         Convention
Control-M/Agent   The default home directory of the UNIX user account under which Control-M/Agent is installed is <agenthome>.
Control-M/Server  The default full path name of the home directory of the UNIX user account under which Control-M/Server is installed is $HOME/ctm_server, for example, $HOME/ctm_server/data.
Control-M/EM      The default full path name of the home directory in which Control-M/EM is installed is <Control-M/EM_directory>/ctm_em

The following abbreviations are used in this guide:

Abbreviation                     Description
Control-M/Agent                  Control-M/Agent for UNIX and Microsoft Windows
Control-M/Server                 Control-M/Server for UNIX and Microsoft Windows
Control-M/EM                     Control-M/Enterprise Manager
<Control-M/EM_directory>/ctm_em  Directory in which Control-M/EM is installed

Overview of SSL for Control-M

The Control-M Administrator Guide discusses standard Control-M security features. In addition, you can enhance Control-M communications security through the Secure Sockets Layer (SSL) protocol:
- You can use SSL to protect communication links between Control-M components.
- You can configure Control-M to encrypt and decrypt confidential information (such as job scheduling details) dynamically.
- You can use digital signatures to ensure that unknown parties cannot modify Control-M elements.

For example, setting the appropriate authentication and privacy levels protects Control-M communication links as follows:
- Authentication enables each Control-M component to ensure the identity of other Control-M components with which it is communicating.
- Privacy prevents a third party from capturing data by monitoring traffic between Control-M components.

SSL for Control-M authenticates and encrypts communications between
- Control-M/Server and Control-M/Agent
- Control-M/Server and Control-M/Enterprise Manager (Control-M/EM)
- Control-M/EM and its clients
- Control-M/EM and the Lightweight Directory Access Protocol (LDAP) Server
- BMC Batch Impact Manager and its clients
SSL communication parameters

This section briefly describes the SSL-related parameters that determine communication modes for Control-M/Server, Control-M/Agent, and Control-M/EM.

Control-M/Server

The Secure Sockets Layer system parameter determines the communication mode that the Server uses to communicate with Agents and Control-M/EM. You can set this parameter to any of the communication modes shown in Table 1.

Table 1  Control-M/Server communication modes

Mode      Description
ENABLED   Control-M/Server works in SSL mode. When attempting to connect to an Agent that is in SSL=N mode (discussed subsequently), the Server tries to switch the Agent to SSL=Y mode.
INACTIVE  Control-M/Server works in non-SSL mode. When attempting to connect to an Agent that is in SSL=Y mode, the Server tries to switch the Agent to SSL=N mode.
DISABLED  Control-M/Server works in non-SSL mode. When attempting to connect to an Agent that is in SSL=Y mode, the Server does not try to switch the Agent to SSL=N mode.

NOTE
Changing the Server communication mode from ENABLED to DISABLED can cause all Agents to become unavailable. In that case, you would need to change the Server mode to INACTIVE and wait until all required Agents are available again. Then, you can change the Server mode to ENABLED or DISABLED.

Control-M/Agent

For Control-M/Agent, the COMMOPT parameter determines the Agent's communication mode. Valid values for COMMOPT are SSL=Y (SSL communication is enabled) or SSL=N (SSL communication is disabled). On Microsoft Windows computers, COMMOPT is in the Control-M/Agent registry. On UNIX computers, COMMOPT is in the agent_home/ctm/data/config.dat file.
Control-M/EM

The CmsCommMode parameter determines the communication mode between Control-M/EM and Control-M/Server. When this parameter is set to auto, SSL communication is automatically enabled for Control-M/EM. In that case, Control-M Configuration Manager retrieves the communication protocol from Control-M/Server and sets it for Control-M/EM. No manual definition of communications is required for Control-M/EM.

In contrast, to specify the mode for communication between a specific Control-M/Server and Control-M/EM, you must set the Protocol parameter as instructed in Configuring Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances) on page 19.

Table 2  Control-M/EM communication modes

Mode  Description
auto  This mode enables Control-M/EM to detect the communication protocol of Control-M/Server (TCP or SSL) and set up communications as required.
TCP   Control-M/EM Gateway works only in TCP/IP mode and does not change mode, even if communication fails.

NOTE
Control-M Configuration Manager detects the communication protocol automatically after Control-M is defined and running. You must restart the corresponding gateway if Control-M/Server changes from TCP to SSL mode or vice versa.

Key Store files

This section describes the Key Store files that are used by Control-M.

Table 3  Control-M Key Store files

Key Store file               Control-M component
KDB (key database file)      Control-M/Agent
                             Control-M/Server
                             Control-M/EM servers (Gateway)
PEM (privacy enhanced mail)  Control-M/EM servers (GSR, GAS, CMS, and BIM server)
                             Control-M/EM client
Table 3  Control-M Key Store files (continued)

Key Store file               Control-M component
Java KeyStore                Control-M/Server
                             Control-M/EM EMAPI client
                             Control-M/BPI interface
                             Control-M/EM BMC Batch Impact Manager
PKCS#12                      Control-M for z/OS

NOTE
For background information about SSL, see SSL documentation on the Internet. For more information about Control-M authentication and privacy levels, see Appendix A, Configuring security policies on page 71.

Checking hardware and software requirements

All Control-M/Server and Control-M/EM platforms support SSL. To use SSL with Control-M/Server, Control-M/Agent, and Control-M/EM gateways, you must have the product versions shown in Table 4.

Table 4  Software requirements for using SSL with Control-M

For                             You must have version
Control-M/Server                or later
Control-M/Agent                 or later
Control-M/Agent for Linux x     or later
Control-M/Agent for HP Itanium  or later
Control-M/Agent for Solaris x   or later
Control-M/EM Gateway            Control-M/EM or later
CORBA servers and clients       Control-M/EM or later
BMC Batch Impact Manager        Control-M/EM or later
Control-M/EM APIs               Control-M/EM or later

WARNING
Control-M is delivered with default security keys and certificates that are not unique. BMC recommends that you change them. Otherwise, anyone who gains physical access to your network, or to data that you send over the Internet, can use the default keys and certificates to gain access to Control-M. BMC is not responsible for damage or liability associated with keys and certificates.
Chapter 2  Configuring Control-M components to use SSL

This chapter presents the following topics:
- Overview
- Configuring Control-M/Server and Control-M/Agent
  - Configuring a Control-M/Server to use SSL
  - Configuring a Control-M/Agent to use SSL
  - Changing a server-agent connection mode for an existing agent
  - Configuring Control-M/EM communication with Control-M/Server to use SSL (managed Control-M instances)
  - Configuring Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances)
- Configuring Control-M/EM components
  - Configuring Control-M/EM client and Control-M/EM servers to use SSL
  - Configuring Control-M/EM client and Control-M/EM servers to use TCP/IP  23
  - Configuring the Control-M/EM client to use SSL when logging on as a non-administrator user
  - Storing certificates for TAO
  - Common SSL error messages
- Configuring Control-M Self Service web component
- Configuring NamingViewer (browser for Naming Service)
  - Using your own encrypted password
- Configuring Control-M/EM API
  - JacORB
  - Processing SSL certificates with JacORB
- Configuring BMC Batch Impact Manager
  - Default values for SSL certificates
  - Exporting or importing private/public keys
  - Processing certificates
- Configuring communication with LDAP or Active Directory servers using SSL
- Configuring Control-M/EM Web Server to work with HTTPS
Overview

This chapter describes how to use a TAO implementation of CORBA to ensure communications security for:
- CORBA Naming Service
- Control-M/EM servers and clients

NOTE
The SSL security policy requires server and client authentication. In addition, an SSL-secured Control-M/EM server or client can only connect to an SSL-secured Naming Service.

It also describes how to use SSL with the JacORB implementation of CORBA to ensure security when communicating with:
- NamingViewer (browser for Naming Service)
- Control-M/Enterprise Manager APIs
- BMC Batch Impact Manager Web Application

Configuring Control-M/Server and Control-M/Agent

To configure Control-M/Server and Control-M/Agent to use SSL, complete the relevant procedure in this section:
- Configuring a Control-M/Server to use SSL on page 17
- Configuring a Control-M/Agent to use SSL on page 17
- Configuring Control-M/EM communication with Control-M/Server to use SSL (managed Control-M instances) on page 19
- Configuring Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances) on page 19
Before you begin

Ensure that the Control-M/Server and Control-M/Agent meet the software version requirement shown in Table 4 on page 13.

Configuring a Control-M/Server to use SSL

NOTE
You must complete this procedure for each Control-M/Server that will use SSL.

1 Run the ctmsys utility. For more information about the ctmsys utility, see the Control-M Administrator Guide.
2 In the ctmsys Main menu, select option 2 System Parameters.
3 Enter n to move to the next page of parameters.
4 Set option 9 Secure Sockets Layer to ENABLED.

Configuring a Control-M/Agent to use SSL

For each Control-M/Agent on which you want to configure SSL, complete the appropriate instruction:

For                                                              Do this
Control-M/Agent for UNIX                                         In the agent_home/ctm/data/config.dat file, set COMMOPT to SSL=Y.
Control-M/Agent for Microsoft Windows (version and later)        Run the ctmagcfg utility, select option 7 (Advanced Parameters), and specify Y for option 8 in the Advanced menu.
Control-M/Agent for Microsoft Windows (versions earlier than )   Run the ctmagcfg utility, and specify Y for option 16 (SSL).
NOTE
Completing this step can save time if you have a large number of Agents that work with Control-M/Server. If you skip this step, Control-M/Server automatically makes a one-time request to set the SSL parameter. This request requires from two to five minutes for each Agent.

To configure a new agent, you can use Control-M Configuration Manager or ctm_menu. You can set one or more Agents to SSL mode and other Agents to TCP mode. For example, Control-M/Server can work with the majority of the Agents it is connected to in SSL mode and connect to the remaining Agents in TCP mode.

When adding a Control-M/Agent to a Control-M/Server using Control-M Configuration Manager to configure the Control-M/Agent to work with SSL, click the down-arrow next to the Secure Socket Layer field. The values are:
- Default - inherit the value from the Control-M/Server configuration
- Enabled - the connection between the Agent and Control-M/Server is in SSL mode, irrespective of the Server connection mode
- Disabled - the connection between the Agent and Control-M/Server is in TCP mode, irrespective of the Server connection mode

Changing a server-agent connection mode for an existing agent

Use the following procedure to modify the settings of each Agent according to its required configuration.

1 In Control-M Configuration Manager, right-click the required Control-M/Agent and select Properties.
2 In the Communication tab, click the down-arrow next to Secure Socket Layer and select the required value. The values are:
   - Default - inherit the value from the Control-M/Server configuration
   - Enabled - the connection between the Agent and the Control-M/Server is in SSL mode, irrespective of the Server connection mode
   - Disabled - the connection between the Agent and the Control-M/Server is in TCP mode, irrespective of the Server connection mode
3 Click Test to check that your settings are correct and workable.
4 Once the test has validated the settings, click OK.

The connection mode for the agent can be set to any of the valid values. The server will adjust to the changes made.

TIP
BMC recommends that switching from SSL Enabled to the server default mode (when the server mode is set to DISABLED) should be performed in the following steps:
1. Set the agent to SSL Disabled and then wait for the agent to become available again.
2. When the agent is available (connecting in TCP mode), set the agent to work in Default mode.

Configuring Control-M/EM communication with Control-M/Server to use SSL (managed Control-M instances)

To enable SSL communication between Control-M/EM and Control-M/Server (for managed instances of Control-M), set the value of CmsCommMode to auto. Restart the Control-M Configuration Server to implement the change.

Configuring Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances)

Use the following procedure to configure Control-M/EM communication with Control-M/Server to use SSL (unmanaged Control-M instances).

1 Log on to Control-M Configuration Manager.
2 Use the left panel of the Configuration Manager window to select a Server definition:
   A At the bottom of the panel, select the By Computer tab.
   B Expand the Control-M/Server node of the All Components tree.
   C Select the Control-M/Server definition that you want to configure. The components of the selected definition are displayed in the right panel of the window.
3 Double-click the line displaying the Control-M/Server definition component that you want to configure. The Control-M Definition window is displayed.
4 In the Protocol field of the definition window, select SSL_ENABLE or TCP, and click OK.
5 Use the Control-M Configuration Manager to stop and restart the Control-M/EM Gateway to implement the change. For more information about the Control-M Configuration Manager, see the Control-M Administrator Guide.

Upon startup, the Gateway tries to communicate with the Server using the TCP/IP protocol. If the Server does not respond during the synchronization interval (90 seconds by default), the Gateway automatically changes its protocol to SSL and tries to communicate by using the SSL protocol.

Configuring Control-M/EM components

Use the following procedures to configure the communication protocol of the Control-M/EM client and Control-M/EM servers.
- Configuring Control-M/EM client and Control-M/EM servers to use SSL on page 21
- Configuring Control-M/EM client and Control-M/EM servers to use TCP/IP on page 23
- Configuring the Control-M/EM client to use SSL when logging on as a non-administrator user on page 24
- Storing certificates for TAO on page 24
- Common SSL error messages on page 27
Before you begin

Ensure that the Control-M/EM clients and Control-M/EM servers meet the software version requirement shown in Table 4 on page 13.

Configuring Control-M/EM client and Control-M/EM servers to use SSL

Use the following procedure to configure Control-M/EM client and Control-M/EM servers to use SSL.

1 Stop the following Control-M/EM components:
   - CORBA Naming Service
   - Control-M/EM GUI Server (GSR)
   - Control-M/EM Global Alerts Server (GAS)
   - BMC Batch Impact Manager Server
   - Control-M/Forecast
   - Control-M/Configuration Manager
   - Control-M/EM clients
   - Control-M/EM Global Conditions Server (GCS)
   - Control-M/EM Gateway

NOTE
On Windows, the Naming Service can be stopped only from the Services window. The orbadmin ns stop command cannot stop the Naming Service, because the Control-M Configuration Server depends on it. On UNIX, use the orbadmin ns stop command.

WARNING
When configuring SSL on clusters, the Naming Service must remain online. Otherwise, the new configurations will not be permanent.
2 On UNIX computers only, enter the following command:
   setenv DISPLAY terminal_ip_address
3 Start the Domain Configuration (orbconfigure) wizard with one of the following commands:
   [UNIX]    orbconfigure
   [Windows] orbconfigure.vbs
4 The Domain Configuration window is displayed.
5 In the Domain Settings panel you can configure the following settings, as desired:
   - Select the Use Secure Sockets Layer (SSL) check box. The Use TAO internal configuration file check box is automatically selected. Click Browse to select ssl_client_server.conf from the <Control-M/EM_directory>/etc/ path.
   - To set the Setup Listen Ports, click the drop-down list and select one of the following items:
     - Random: This is the default value and is recommended if the component is not behind a firewall. The operating system selects a free port automatically.
     - Range: Recommended value for components behind a firewall. Two text boxes are displayed. Specify the lowest and highest ports in these text boxes.
   Click Next to continue to the following panel.
6 The Naming Service panel is displayed. Configure the Host and Port values as desired. To configure the naming service as desired, click Show local settings. The Repository files path and Use TAO internal configuration file text boxes are added to the panel. Specify the full path and name of the configuration file for the secure Naming Service in the Use TAO internal configuration file text box. Click Next.
7 The summary of the Domain Configuration settings is displayed. Click Finish.
8 Restart all the Control-M/EM components.

Configuring Control-M/EM client and Control-M/EM servers to use TCP/IP

Use the following procedure to configure Control-M/EM client and Control-M/EM servers to use TCP/IP.

1 Start the orbconfigure GUI as described in step 1 through step 3 on page .
2 In the Domain Settings panel (see step 5 on page 22):
   - Clear the Use Secure Sockets Layer (SSL) check box.
   - Replace the ssl_client_server.conf file by specifying the full path and name of the client_server.conf file from the <Control-M/EM_directory>/etc/ path.
   Click Next.
3 If you are configuring the computer running the installation's Naming Service, perform the following substeps in the Naming Service panel:
   - Click Show local settings.
   - Clear the Use TAO internal configuration file check box.
   - Click Next.
4 Click Finish.
5 Restart all the Control-M/EM components.

Configuring the Control-M/EM client to use SSL when logging on as a non-administrator user

On Windows 7 and Vista, when configuring the Control-M/EM client to work with SSL and logging on as a non-administrator user, do either one of the following actions:
- Disable User Account Control (UAC).
- Right-click the Control-M Configuration Manager icon and choose Properties => Compatibility. In the Compatibility screen, select Run this program in compatibility mode for: Win XP SP3 and click OK.

Storing certificates for TAO

Default CA and application certificates are provided and stored in standard PEM format.

To store a Root Certificate of Authority (CA) and signed certificates

1 Place the certificates (ca_cert.pem, cert_name.pem, and cert_name_priv_key.pem) in the <Control-M/EM_directory>/ini/ssl/new_ca.pem directory.
2 Update the ssl_client_server.conf and ssl_ns.conf files in the <Control-M/EM_directory>/etc directory by changing the names of the demonstration certificates to the names of your certificates.

Parameters in the ssl_client_server.conf file are described in the following table:
Parameter         Description
-SSLAuthenticate  Indicates whether authentication is required for server, client, or both. Valid values: SERVER, CLIENT, SERVER_AND_CLIENT
-SSLPrivateKey    Points to the location of the private key.
-SSLCertificate   Points to the location of the public key.
-SSLCAfile        Points to the CA certificate. Default: <Control-M/EM_directory>/ini/ssl/new_ca.pem. The CA certificate, public key, and private key files can be replaced.
-SSLrand          Points to a binary file used to generate random numbers for dynamically encrypting communications between client and server. The file provided by Control-M/EM can be replaced with another binary file. Client and server binary files are independent and do not need to match. Default: <Control-M/EM_directory>/ini/ssl/rnd.bin. Note: This parameter is optional on Windows installations.

EXAMPLE
If the original content of the ssl_client_server.conf file is:

   dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() " -SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey 'PEM:/home/ecs1/ctm_em/ini/ssl/CertDemoU_pk.pem' -SSLCertificate 'PEM:/home/ecs1/ctm_em/ini/ssl/CertDemoU.pem' -SSLCAfile 'PEM:/home/ecs1/ctm_em/ini/ssl/new_ca.pem' -SSLrand /home/ecs1/ctm_em/ini/ssl/rnd.bin"
   static Client_Strategy_Factory " -ORBConnectStrategy blocked"
   static Resource_Factory " -ORBProtocolFactory SSLIOP_Factory"

change the full path names of the certificates (the -SSLPrivateKey, -SSLCertificate, and -SSLCAfile values) to the names of your certificates. In this example, authentication of both the server and the client is required because the -SSLAuthenticate parameter is set to SERVER_AND_CLIENT.

Private key password

The private key password for demonstration certificates is stored in the ClientServerSSL.ini file in the <Control-M/EM_directory>/ini/ssl directory. Control-M/EM components read and decode this password and provide it to the SSL layer.
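The following script is an added example (not BMC's own tooling) that audits an ssl_client_server.conf before it is rolled out: it parses the SSLIOP_Factory directive shown above, flags the demonstration certificates the chapter 1 WARNING says to replace, missing PEM files, and an -SSLAuthenticate value weaker than SERVER_AND_CLIENT, and optionally uses the openssl CLI for the CA-match and expiration checks behind the "certificate verify failed" message and the WarningSSLExpirationDays warning described later in this chapter. The sample configuration text and all paths in it are constructed values modelled on the excerpt above.

```python
"""Pre-flight audit of a TAO ssl_client_server.conf for Control-M/EM.

Added example; not BMC's own tooling. Parses the SSLIOP_Factory directive
and reports the things this guide tells an administrator to fix.
"""
import os
import re
import shlex
import shutil
import subprocess

# Constructed sample, modelled on the ssl_client_server.conf excerpt in this guide.
SAMPLE_CONF = (
    'dynamic SSLIOP_Factory Service_Object * '
    'TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() '
    '" -SSLAuthenticate SERVER_AND_CLIENT '
    "-SSLPrivateKey 'PEM:/home/ecs1/ctm_em/ini/ssl/CertDemoU_pk.pem' "
    "-SSLCertificate 'PEM:/home/ecs1/ctm_em/ini/ssl/CertDemoU.pem' "
    "-SSLCAfile 'PEM:/home/ecs1/ctm_em/ini/ssl/new_ca.pem' "
    '-SSLrand /home/ecs1/ctm_em/ini/ssl/rnd.bin"\n'
    'static Client_Strategy_Factory " -ORBConnectStrategy blocked"\n'
    'static Resource_Factory " -ORBProtocolFactory SSLIOP_Factory"\n'
)

# Demonstration files named in this guide; the WARNING in chapter 1 says to replace them.
DEMO_FILES = {"CertDemoU_pk.pem", "CertDemoU.pem", "new_ca.pem"}
FILE_OPTIONS = ("-SSLPrivateKey", "-SSLCertificate", "-SSLCAfile", "-SSLrand")


def parse_ssliop_options(conf_text):
    """Return {option: value} from the quoted argument string of the
    SSLIOP_Factory directive; a leading PEM: prefix is stripped from values."""
    m = re.search(r'SSLIOP_Factory\s+Service_Object[^"]*"([^"]*)"', conf_text)
    if m is None:
        raise ValueError("no SSLIOP_Factory directive in configuration")
    tokens = shlex.split(m.group(1))  # shlex handles the single-quoted 'PEM:...' values
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-SSL") and i + 1 < len(tokens):
            value = tokens[i + 1]
            opts[tok] = value[4:] if value.startswith("PEM:") else value
    return opts


def audit(conf_text, exists=os.path.exists):
    """Return a list of findings; an empty list means nothing to fix.
    `exists` is injectable so the check can be exercised without real files."""
    opts = parse_ssliop_options(conf_text)
    findings = []
    auth = opts.get("-SSLAuthenticate")
    if auth != "SERVER_AND_CLIENT":
        findings.append("-SSLAuthenticate is %r; guide expects SERVER_AND_CLIENT" % (auth,))
    for opt in FILE_OPTIONS:
        path = opts.get(opt)
        if path is None:
            if opt != "-SSLrand":  # the guide says -SSLrand is optional on Windows
                findings.append("%s is not set" % opt)
            continue
        if os.path.basename(path) in DEMO_FILES:
            findings.append("%s still points to demonstration file %s" % (opt, path))
        if not exists(path):
            findings.append("%s points to missing file %s" % (opt, path))
    return findings


def expires_within(cert_path, days=60):
    """True if the certificate expires within `days` (60 is the guide's default
    WarningSSLExpirationDays); None if openssl is not installed.
    `openssl x509 -checkend` exits non-zero when the certificate will expire."""
    if shutil.which("openssl") is None:
        return None
    r = subprocess.run(["openssl", "x509", "-noout", "-in", cert_path,
                        "-checkend", str(days * 86400)], capture_output=True)
    return r.returncode != 0


def chain_verifies(cert_path, ca_path):
    """True if the CA file signs the certificate (the check behind the
    'certificate verify failed' message); None if openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_path, cert_path],
                       capture_output=True)
    return r.returncode == 0


if __name__ == "__main__":
    # Runs against the constructed sample; real files are not required for the audit.
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```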
To update the private key password for use with your site's certificates

1 Go to the <Control-M/EM_directory>/ini/ssl directory.
2 Update the ClientServerSSL.ini file with the new encrypted password by entering the command
   cryptocli new_password ClientServerSSL.ini
Naming service certificate

The Naming Service requires the private key password interactively during startup. This requirement prevents users from activating the Naming Service in batch mode. In the Control-M/EM demonstration certificates, the password has been stripped from the private key so that the Naming Service can be invoked without entering the password. The ssl_ns.conf configuration file points to the stripped private key file.

To activate the Naming Service using a new stripped private key

1 Use the ssl_ns.conf file for the Naming Service.
2 Place the stripped private key file in the <Control-M/EM_directory>/ini/ssl directory.
3 Update the ssl_ns.conf file with the new private key file name, as described in step 2 on page 24 for the ssl_client_server.conf file.

To activate the Naming Service interactively using a secure private key

In the Naming Service panel, set TAO internal configuration file to the same file that Control-M/EM CORBA servers and clients use: <Control-M/EM_directory>/etc/ssl_client_server.conf

NOTE
This alternative requires that the PEM password be entered interactively, and therefore the Naming Service cannot be run as a Windows service.
Certificate expiration

Control-M/EM has demonstration SSL certificates with an expiration period of 4 years. The client applications check certificate expiration on each connection attempt. The client issues a warning if the certificate expires in less than the number of days specified in the WarningSSLExpirationDays system parameter. Valid values: Default: 60. If an SSL certificate is going to expire in less than the number of days specified in this parameter, a message is displayed in the Message column of the Control-M Configuration Manager main window and a record is written to the application log.

Common SSL error messages

Message 1
   ACE_SSL ( ) error code: error: :ssl routines:ssl3_read_bytes:tlsv1 alert unknown ca
   Failed to register in the CORBA services.
Explanation: The GUI server fails to resolve a secure Naming Service. The -SSLCAfile parameter is not specified in the TAO configuration file, or it points to an invalid location.
User Response: Determine which reason caused the failure and correct the problem.

Message 2
   ACE_SSL ( ) error code: error: :ssl routines:ssl3_get_server_certificate:certificate verify failed
   Failed to register in the CORBA services.
Explanation: The GUI server fails to resolve a secure Naming Service for one of the following reasons:
- The -SSLCAfile parameter is not specified in the TAO configuration file.
- The -SSLCAfile parameter points to an invalid location.
- The CA PEM file (new_ca.pem) is corrupted.
- The CA PEM file (new_ca.pem) doesn't match the certificates used.
User Response: Determine which reason caused the failure and correct the problem.
Message 3
Failed to register in the CORBA services.
Explanation: An attempt was made to connect to a non-secure Naming Service.
User Response: Ensure that the attempted connection is to a secure Naming Service and that the Naming Service was started as a secure Naming Service.

Message 4
ClientServerSSL.ini was not found at D:\ Program Files\BMC Software\Control-M EM \Default\ini\ssl
dynamic initialization failed for SSLIOP_Factory ( ) Unable to initialize the Service Configurator: Invalid argument
Failed to register in the CORBA services.
Explanation: The GUI server fails to initialize. The ClientServerSSL.ini file was not found in the <Control-M/EM_directory>/ini/ssl directory.
User Response: Ensure that the ClientServerSSL.ini file is located in the <Control-M/EM_directory>/ini/ssl directory.

Message 5
Password decryption error. key string file may be corrupted.: Unknown error
dynamic initialization failed for SSLIOP_Factory ( ) Unable to initialize the Service Configurator: Invalid argument
Failed to register in the CORBA services.
Explanation: The GUI server fails to initialize. The ClientServerSSL.ini file is corrupted or contains a password that was encrypted using the wrong key.
User Response: Ensure that the ClientServerSSL.ini file is not corrupted and contains a properly encrypted password.

Message 6
dynamic initialization failed for SSLIOP_Factory ( ) Unable to initialize the Service Configurator: Invalid argument
Failed to register in the CORBA services.
Explanation: The GUI server fails to initialize. The private or public key certificate was not found.
User Response: Ensure that the -SSLPrivateKey parameter points to the file containing the private key, and that the -SSLCertificate parameter points to the file containing the public key. When using the demonstration certificates, the default values are:
-SSLPrivateKey 'PEM:/home/ctm_em/ini/ssl/CertDemoU_pk.pem'
-SSLCertificate 'PEM:/home/ctm_em/ini/ssl/CertDemoU.pem'

Message 7
TAO ( ) Service Configurator unable to open file be D:\ Program Files\BMC Software\Control-M EM \Default\ini\ssl ( ) Unable to initialize the Service Configurator: Invalid argument
Failed to register in the CORBA services.
Explanation: The GUI server fails to initialize. The configuration file referenced in the -ORBSvcConf parameter was not found. For more information, see the example on page 24.
User Response: Ensure that the file that is being pointed to exists in the specified location.

CORBA::TRANSIENT exceptions

Why do I get a CORBA::TRANSIENT exception when using SSLIOP?

A CORBA::TRANSIENT exception usually indicates that the client was unable to connect to the server when attempting to invoke a request. For standard IIOP, this normally occurs when the client cannot resolve the hostname embedded in the IOR or cannot reach the specified IP address. In the case of SSLIOP, a CORBA::TRANSIENT exception may also be thrown when the certificates in use are invalid (for example, expired), or the certificate authority certificate has not been set.

Configuring Control-M Self Service web component

The Control-M Self Service web component supports communicating with the Control-M/EM GUI Server over SSL using the JacORB implementation of CORBA. SSL parameters for JacORB can be found in the jacorb.properties file located in the following directory:

<Control-M/EM_directory>/etc/jacorb.properties

Table 5 SSL parameters for JacORB in the jacorb.properties file

Parameter                            Description
jacorb.security.support_ssl          Indicates whether SSL is enabled. Valid values: on (use the SSL protocol), off (use the TCP/IP protocol). Default: off.
jacorb.security.keystore             Contains the full path and name of the keystore file.
jacorb.security.keystore_password    Contains the keystore file password.

NOTE
For information on creating a keystore for use with the Control-M Self Service web component, see Exporting or importing private/public keys on page 38.

To configure Control-M Self Service web component to work with SSL:

1 In the jacorb.properties file, set the jacorb.security.support_ssl parameter to on.
2 JacORB SSL clients on IBM JDKs must set the following parameters in the jacorb.properties file (for the IBM JSSE implementation):
jacorb.security.jsse.server.key_manager_algorithm=ibmx509
jacorb.security.jsse.server.trust_manager_algorithm=ibmx509
jacorb.security.jsse.client.key_manager_algorithm=ibmx509
jacorb.security.jsse.client.trust_manager_algorithm=ibmx509
The default value for all of the above parameters is SunX509 (Sun JSSE implementation).
3 Continue with Configuring Control-M/EM Web Server to work with HTTPS on page 42.

To configure Control-M Self Service web component to work with TCP/IP

1 Edit the jacorb.properties file manually.
2 Set the jacorb.security.support_ssl parameter to off.
Configuring NamingViewer (browser for Naming Service)

The NamingViewer utility now supports the browsing of secure naming services that use SSL with the JacORB implementation of CORBA. SSL parameters for JacORB can be found in the jacorb.properties file located in the following directory:

<Control-M/EM_directory>/etc/jacorb.properties

To enable browsing of secure naming services with SSL

1 In the jacorb.properties file, set the jacorb.security.support_ssl parameter to on.
2 JacORB SSL clients on IBM JDKs must set the following parameters in the jacorb.properties file (for the IBM JSSE implementation):
jacorb.security.jsse.server.key_manager_algorithm=ibmx509
jacorb.security.jsse.server.trust_manager_algorithm=ibmx509
jacorb.security.jsse.client.key_manager_algorithm=ibmx509
jacorb.security.jsse.client.trust_manager_algorithm=ibmx509
The default value for all of the above parameters is SunX509 (Sun JSSE implementation).

To browse non-secure naming services

1 Edit the jacorb.properties file manually.
2 Set the jacorb.security.support_ssl parameter to off.

Using your own encrypted password

The keystore password for the demonstration certificates is not encrypted. To use an encrypted password, run the changepass utility as follows:
(UNIX) changepass in the <Control-M/EM_directory>/bin directory
(Windows) changepass in the <Control-M/EM_directory>\bin directory

This utility accepts a keytool password, encrypts it, and updates the jacorb.security.keystore and jacorb.security.keystore_password_crypt parameters in the jacorb.properties file.
NOTE
If you configure the <Control-M/EM_directory>/etc/jacorb.properties file to use SSL, you will not be able to browse non-secure naming services.
Configuring Control-M/EM API JacORB

The SSL parameters for JacORB are in the jacorb.properties file. This file is in the following Control-M/Enterprise Manager directory:

<EM API>/etc/keystore

These parameters are described in the following table:

Table 6 SSL parameters for JacORB in the jacorb.properties file

Parameter                                  Description
jacorb.security.support_ssl                Indicates whether SSL is enabled. Valid values: on (use the SSL protocol), off (use the TCP/IP protocol). Default: off.
jacorb.security.keystore                   Contains the full path and name of the keystore file.
jacorb.security.keystore_password          Contains the keystore file password.
jacorb.security.keystore_password_crypt    Indicates whether the keystore file password is encrypted. Valid values: on (yes), off (no). Default: off.

To configure Control-M/EM APIs to use the SSL protocol

1 Run emapi-configure with the -ssl option, or edit the jacorb.properties file manually as follows:
A Set the jacorb.security.support_ssl parameter to on.
B Set the ORBInitRef.NameService parameter to corbaloc:ssliop:ns_host:ns_port/NameService (replace ns_host and ns_port with the correct values).
For information about emapi-configure, see Installation in the Control-M/Enterprise Manager API Developers Guide.
2 JacORB SSL clients on IBM JDKs must set the following parameters in the jacorb.properties file (for the IBM JSSE implementation):
jacorb.security.jsse.server.key_manager_algorithm=ibmx509
jacorb.security.jsse.server.trust_manager_algorithm=ibmx509
jacorb.security.jsse.client.key_manager_algorithm=ibmx509
jacorb.security.jsse.client.trust_manager_algorithm=ibmx509
The default value for all of the above parameters is SunX509 (Sun JSSE implementation).
The jacorb.properties file is located in the following directory:

<EM API>/etc/jacorb.properties

To configure Control-M/EM APIs to use the TCP/IP protocol

1 Run emapi-configure without the -ssl option, or edit the jacorb.properties file manually as follows:
A Set the jacorb.security.support_ssl parameter to off.
B Set the ORBInitRef.NameService parameter to corbaloc:iiop:ns_host:ns_port/NameService (replace ns_host and ns_port with the correct values).

Processing SSL certificates with JacORB

The application is provided with a default CA certificate and default application certificates in key database (keystore) format for use with JacORB. The default parameter values for the demonstration certificates are:
jacorb.security.keystore=emapi_root/etc/keystore/emapi.keystore
jacorb.security.keystore_password=emdemo
jacorb.security.keystore_password_crypt=off
These parameters are in the jacorb.properties file.

NOTE
For information on creating a keystore for use with the Control-M/Enterprise Manager API, see Exporting or importing private/public keys on page 38. For more information on certificates, see Processing certificates on page 38 and Certificate expiration on page 27.
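The jacorb.properties settings described for the Control-M Self Service web component, NamingViewer and the Control-M/EM API share the same failure modes: support_ssl switched on while ORBInitRef.NameService still names a plain iiop Naming Service, the clear-text demo password emdemo left in place, or the four IBM JSSE algorithm parameters missing on an IBM JDK. The checker below is an added example, not Control-M or JacORB code. The sample properties are constructed (keystore path and the ns_host/ns_port placeholders are taken from the guide), and the platform argument is a hypothetical way for the caller to say which JDK vendor the client runs on.

```python
"""Consistency checks for jacorb.properties SSL settings (added example, not
Control-M or JacORB code). The sample files are constructed; `platform` is a
hypothetical argument naming the JDK vendor (SUN or IBM) the client runs on."""
import re

PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")

# The four JSSE parameters an IBM JDK needs (default SunX509); compared case-insensitively.
JSSE_KEYS = [
    f"jacorb.security.jsse.{role}.{mgr}"
    for role in ("server", "client")
    for mgr in ("key_manager_algorithm", "trust_manager_algorithm")
]


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        match = PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_jacorb(props, platform="SUN"):
    """Return a list of findings; an empty list means the settings are consistent."""
    ssl = props.get("jacorb.security.support_ssl", "off").lower()
    if ssl not in ("on", "off"):
        return [f"jacorb.security.support_ssl must be on or off, got {ssl!r}"]
    findings = []

    # The Naming Service reference must use the transport that matches support_ssl.
    ns_ref = props.get("ORBInitRef.NameService", "")
    expected = "corbaloc:ssliop:" if ssl == "on" else "corbaloc:iiop:"
    if ns_ref and not ns_ref.startswith(expected):
        findings.append(f"ORBInitRef.NameService should start with {expected} when support_ssl={ssl}")
    if ssl == "off":
        return findings

    if not props.get("jacorb.security.keystore"):
        findings.append("jacorb.security.keystore is not set")
    crypt = props.get("jacorb.security.keystore_password_crypt", "off").lower()
    password = props.get("jacorb.security.keystore_password", "")
    if crypt == "off" and password == "emdemo":
        findings.append("keystore password is the clear-text demo value 'emdemo'; run changepass")
    if platform.upper() == "IBM":
        for key in JSSE_KEYS:
            if props.get(key, "SunX509").lower() != "ibmx509":
                findings.append(f"{key} must be set to ibmx509 on an IBM JDK")
    return findings


# Constructed sample: SSL on, but still pointing at a plain IIOP Naming Service,
# keeping the demo password and lacking the IBM JSSE settings.
SAMPLE_PROPERTIES = """
# constructed sample, not a shipped jacorb.properties
jacorb.security.support_ssl=on
jacorb.security.keystore=/home/ctm_em/etc/keystore/emapi.keystore
jacorb.security.keystore_password=emdemo
jacorb.security.keystore_password_crypt=off
ORBInitRef.NameService=corbaloc:iiop:ns_host:ns_port/NameService
"""

# The same file after correction; the encrypted password value is a placeholder.
FIXED_PROPERTIES = """
jacorb.security.support_ssl=on
jacorb.security.keystore=/home/ctm_em/etc/keystore/emapi.keystore
jacorb.security.keystore_password=ENCRYPTED_PASSWORD_PLACEHOLDER
jacorb.security.keystore_password_crypt=on
ORBInitRef.NameService=corbaloc:ssliop:ns_host:ns_port/NameService
jacorb.security.jsse.server.key_manager_algorithm=ibmx509
jacorb.security.jsse.server.trust_manager_algorithm=ibmx509
jacorb.security.jsse.client.key_manager_algorithm=ibmx509
jacorb.security.jsse.client.trust_manager_algorithm=ibmx509
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        for finding in check_jacorb(parse_properties(text), platform="IBM") or ["no findings"]:
            print(f"{name}: {finding}")
```

Run it against a real jacorb.properties by reading the file into parse_properties; the corbaloc check only looks at the transport prefix, so it works for any host and port.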
Configuring BMC Batch Impact Manager

BMC Batch Impact Manager is provided with bim_ssl.ear or bim_ssl.war files, which are configured with a default SSL certificate. To deploy the BMC Batch Impact Manager web client using the default SSL certificate, start with step 3 of the following procedure. Start with step 1 of the following procedure only when:
- the system uses the SSL protocol and there is a need to replace keys or passwords
- deploying to any web server that uses the SSL protocol and the IBM JDK (for example, most WebSphere configurations)

NOTE
Unlike the regular bim.ear and bim.war files, the bim_ssl.ear and bim_ssl.war files can only be used to communicate with an SSL-enabled Control-M/EM installation.

To configure BMC Batch Impact Manager Web Application to use the SSL protocol

1 To configure the BMC Batch Impact Manager Web Application for use with a customized SSL key, password or IBM JDK, run the configmanager utility:
A Navigate to the BMC Batch Impact Manager root directory:
UNIX: cd <Control-M/EM_directory>/APPL/BIM/WEBAPP
Windows: cd <Control-M/EM_directory>\bim

NOTE
All paths for the computers to which you are deploying must be absolute paths (not relative). Use the slash (/) instead of the backslash (\) when specifying paths, because this symbol works on all platforms.

B Run the utility:
(UNIX) sh bim_configmanager.sh <arguments>
(Windows) bim_configmanager.bat <arguments>
A list of arguments is provided in Table 7 on page 36. Examples are provided on page 37.
Table 7 Arguments for the configmanager utility

Argument                                   Description and values
-v                                         Verbose output.
-SSLJSSEplatform <SUN|IBM>                 Platform of the JDK. Mandatory. Valid values: SUN (default); IBM (for web servers such as WebSphere).
-SSLkeystorepassword <password>            Password for opening the keystore. Optional.
-SSLkeystorepasswordencryption <on|off>    Encryption mode for the password. Optional. Valid values: on (password is encrypted); off (password is not encrypted; default).
-SSLkeystorepath <fullPath>                Full path to the new keystore. Optional.
-nshost <hostname>                         Naming service host. Optional.
-nsport <portname>                         Naming service port. Optional.
-pathtobim <fullpath>                      Full path to the BMC Batch Impact Manager Web Application installation directory. Mandatory. Valid values: Windows: <Control-M/EM_directory>\bim\webapp; UNIX: <Control-M/EM_directory>/etc/bim/webapp

NOTE
If the SSL arguments are not included when running the utility, the SSL deployment files will not be created.

2 When the utility finishes, use the newly created bim_ssl.ear and bim_ssl.war files to deploy.
3 Follow the instructions provided with your web application server.
4 After starting the BMC Batch Impact Manager Server, follow the instructions under Logging on to the BMC Batch Impact Web Manager Web Client in the BMC Batch Impact Manager User Guide to verify the successful deployment, and user accessibility, of the BMC Batch Impact Manager Web Application.

The Web Application installation and deployment is now complete.
Examples

EXAMPLE
Run the configuration utility to use an IBM JDK:
sh bim_configmanager.sh -pathtobim <Control-M/EM_directory>/etc/bim/webapp -SSLJSSEplatform IBM

EXAMPLE
Run the configuration utility to replace the keystore, using a Sun Microsystems JDK, on UNIX, without password encryption:
sh bim_configmanager.sh -pathtobim <Control-M/EM_directory>/etc/bim/webapp -SSLkeystorepath mykeystore -SSLkeystorepassword emdemo

To go back to the non-secure TCP/IP protocol

Deploy the BMC Batch Impact Manager Web Application using the regular default bim.ear and bim.war files.

Default values for SSL certificates

The application is provided with a default CA certificate and default application certificates in key database (keystore) format for use with JacORB. Default keystore and keystore_password parameter values for the BMC Batch Impact Manager demonstration certificates:
jacorb.security.keystore=bim_root/etc/em.keystore
jacorb.security.keystore_password=emdemo
jacorb.security.keystore_password_crypt=off
These parameters are located in the jacorb.properties file, which is found in the bim.ear and bim.war files.

NOTE
For information on creating a keystore for use with the BMC Batch Impact Web Manager web client, see Exporting or importing private/public keys on page 38.
Exporting or importing private/public keys

To create the em.keystore file and export or import a private/public key, run the keytool utility with the following parameters:
keytool -genkey -alias alias_for_the_entry -keystore keystore_file_path -storepass keystore_password -keypass keystore_password -dname distinguished_name

EXAMPLE
keytool -genkey -alias em -keystore em.keystore -storepass empass -keypass empass -dname "C=IS, ST=Texas, L=Houston, O=bmc, OU=ESM, CN=em/[email protected]"

NOTE
The passwords for storepass and keypass must be identical because JacORB only handles one password.

Processing certificates

To export a CSR (Certificate Signing Request) from the keystore in order to sign it

1 Run the keytool utility with the following parameters:
keytool -certreq -alias alias_for_the_entry -keystore keystore_file_path -storepass keystore_password -file certfilename.crs

EXAMPLE
keytool -certreq -alias em -keystore em.keystore -storepass empass -file EmCert.crs

2 Use a private or commercial trusted CA to sign the certificate.
To import a CA certificate into the keystore

Run the keytool utility with the following parameters:
keytool -import -alias alias_for_the_ca_entry -keystore keystore_file_path -storepass keystore_password -file cacert.pem

EXAMPLE
keytool -import -alias systemca -keystore em.keystore -storepass empass -file new_ca.pem

To import a signed certificate into the keystore

Run the keytool utility with the following parameters:
keytool -import -alias alias_for_the_key_entry -keystore keystore_file_path -storepass keystore_password -file certfilename.der
The signed certificate must be in X.509 DER (Distinguished Encoding Rules) format.

EXAMPLE
keytool -import -alias em -keystore em.keystore -storepass empass -file EmCert.der

For more information on certificate expiration, see Certificate expiration on page 27.
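The Certificate expiration section referenced above describes the client-side check driven by WarningSSLExpirationDays (default 60): expired certificates fail, and certificates with fewer days left than the parameter value raise a warning. The script below reproduces that classification as an added example; it is not Control-M code. Its input is the notAfter line that openssl x509 -noout -enddate -in <certificate>.pem prints for a PEM certificate, and all dates and file names in the sample are constructed.

```python
"""Reproduce the WarningSSLExpirationDays check from the Certificate expiration
section (added example, not Control-M code). Input is the notAfter line printed by
`openssl x509 -noout -enddate -in <certificate>.pem`; every date here is constructed."""
from datetime import datetime, timezone

DEFAULT_WARNING_DAYS = 60  # Control-M/EM default for WarningSSLExpirationDays


def utc(year, month, day, hour=0, minute=0):
    """Helper: build an aware UTC datetime for a given instant."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_not_after(enddate_line):
    """Turn 'notAfter=Apr 22 09:15:00 2014 GMT' into an aware UTC datetime."""
    label, _, value = enddate_line.strip().partition("=")
    if label != "notAfter":
        raise ValueError(f"expected a notAfter= line, got {enddate_line!r}")
    # openssl prints the time in GMT; %Z accepts the GMT/UTC name but sets no tzinfo
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def expiration_status(not_after, now, warning_days=DEFAULT_WARNING_DAYS):
    """Classify a certificate as 'expired', 'warning' or 'ok' relative to `now`.
    Returns (status, whole days left); days left is negative once expired."""
    days_left = (not_after - now).days
    if not_after <= now:
        return "expired", days_left
    if days_left < warning_days:
        return "warning", days_left
    return "ok", days_left


def check_certificates(enddate_lines, now, warning_days=DEFAULT_WARNING_DAYS):
    """Check (label, notAfter line) pairs; returns {label: (status, days_left)}."""
    return {
        label: expiration_status(parse_not_after(line), now, warning_days)
        for label, line in enddate_lines
    }


# Constructed inputs, not the validity dates of real Control-M certificates.
SAMPLE_ENDDATES = [
    ("CertDemoU.pem", "notAfter=Apr 22 09:15:00 2014 GMT"),
    ("new_ca.pem", "notAfter=Dec 31 23:59:59 2030 GMT"),
]

if __name__ == "__main__":
    as_of = utc(2014, 3, 1)
    for label, (status, days) in check_certificates(SAMPLE_ENDDATES, as_of).items():
        print(f"{label}: {status} ({days} days left)")
```

The comparison uses whole days, so a certificate that expires later today already counts as a warning; that matches the conservative reading of "expires in less than N days".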
Configuring communication with LDAP or Active Directory servers using SSL

For Control-M/EM installed on UNIX and Linux operating systems:

1 Obtain a .cer format certificate file from the directory server. Creating and exporting certificate files differs for each LDAP server vendor. Refer to your LDAP server administrator in order to obtain the correct certificate file. For an example of how to obtain a certificate from the Windows Active Directory, see Example below.
2 Verify that the em_ldap_ssl.pem file is located in the <Control-M/EM_directory>\etc\keystore directory.
3 Verify that a randomness device is installed on the Control-M/EM computer as follows:
A Locate either the random or urandom file in the /dev directory.
B If neither of these files exists, open the <Control-M/EM_directory>/etc/ldap.conf file in a text editor.
C Locate the line #TLS_RANDFILE <Control-M/EM_directory>/ini/ssl/rnd.bin and remove the # character.
D Save the modified file.

Example

The following procedure provides an example of how to obtain a certificate file from the Windows Active Directory server. The .pem format certificate file should be renamed em_ldap_ssl.pem. The rename procedure is outlined in the Active Directory server example in step 8B.

1 Select Programs => Administrative Tools => Certification Authority to open the Certification Authority application.
2 Right-click Certification Authority, and select Properties.
3 Click View Certificate to view the certificate's page.
4 In the Details tab, click Copy to file to start the Certificate Export Wizard.
5 In the Export File Format page, select the Base-64 Encoded X.509 (.cer) format and click Next.
6 Enter a file name with a .cer extension that includes the Active Directory server name.
7 Complete the steps in the wizard to create an exported copy of the Certification Authority certificate for the Active Directory server.
8 Convert the certificate from .cer format to .pem format as follows:
A Using FTP or another file copying application, copy the Active Directory server certificate file you just created to a system on which the Active Directory client runs.
B Log on to the system where you copied the certificate and run the following command:
openssl x509 -in AD certificate name -out em_ldap_ssl.pem
AD certificate name represents the file name given in step 6.

NOTE
For a certificate file obtained from a different LDAP server, rename the file em_ldap_ssl.pem. The location and name of the certificate (.pem) file can be changed by configuring the TLS_CACERT parameter value in the <Control-M/EM_directory>/etc/ldap.conf file for the new path and name.

For Control-M/EM installed on Windows:

1 Obtain a .pem format certificate file from the directory server. Creating and exporting certificate files differs for each LDAP server vendor. Refer to your LDAP server administrator to obtain the correct certificate file. For an example of how to obtain a certificate from the Windows Active Directory, see Example above.
2 Place the certificate file in the proper location and follow the SSL certificate installation instructions, as provided by Microsoft, using the MMC utility.

For more information about continuing the LDAP and SSL configuration, see the Control-M Administrator Guide.
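The openssl x509 command in step 8B reads a PEM input, which is what the wizard's Base-64 Encoded X.509 (.cer) option produces; the wizard's other .cer option is binary DER, which openssl would need -inform DER to read. The helper below is an added example (not Control-M or OpenSSL code) that sniffs which of the two formats an exported .cer file is in and writes the canonical PEM that em_ldap_ssl.pem must contain, tolerating the CRLF line endings and alternative wrapping of a Windows export. The sample bytes are constructed and are not a real certificate.

```python
"""Normalise an exported directory-server CA certificate (.cer) to the PEM file
em_ldap_ssl.pem must contain (added example, not Control-M or OpenSSL code).
The sample bytes below are constructed and are not a real X.509 certificate."""
import base64
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def detect_format(data):
    """'PEM' for a Base-64 export, 'DER' for a binary one (outer ASN.1 SEQUENCE, tag 0x30)."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("input is neither a PEM nor a DER certificate")


def to_pem(data):
    """Return the certificate as canonical PEM text (64-column Base-64, LF line endings)."""
    if detect_format(data) == "PEM":
        match = PEM_BLOCK.search(data.decode("ascii"))
        if not match:
            raise ValueError("PEM armour present but no CERTIFICATE block found")
        # Windows exports use CRLF and may wrap at 76 columns: drop all whitespace first.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        if der[:1] != b"\x30":
            raise ValueError("decoded PEM body is not an ASN.1 SEQUENCE")
    else:
        der = data
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def write_ldap_ca(src_path, dst_path="em_ldap_ssl.pem"):
    """Convert the exported .cer file at src_path into the PEM file the LDAP client reads."""
    with open(src_path, "rb") as fh:
        pem = to_pem(fh.read())
    with open(dst_path, "w", newline="\n") as fh:
        fh.write(pem)
    return dst_path


# Constructed stand-in for a DER export: a tiny ASN.1 SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
# The same bytes as a Windows-style Base-64 export with CRLF line endings.
SAMPLE_PEM_CRLF = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(SAMPLE_DER)
    + b"\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_DER, SAMPLE_PEM_CRLF):
        print(detect_format(sample))
        print(to_pem(sample), end="")
```

Because both inputs are reduced to the same DER bytes before re-encoding, a Base-64 and a binary export of the same certificate produce byte-identical em_ldap_ssl.pem files, which makes it easy to confirm that the file the LDAP client reads is the one the directory server exported.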
Configuring Control-M/EM Web Server to work with HTTPS

This procedure describes how to configure Control-M/EM Web Server to work with HTTPS, which secures data between the web browser and the web server.

NOTE
Note the following:
- Control-M/EM Web Server is the Apache Tomcat Web Server.
- To work with HTTPS, you must have a trusted certificate. If you generate your own certificate, you must add it to the trusted zone so that Microsoft Silverlight will recognize your site.
- The Control-M/EM Web Server provides a DEMO certificate signed by the DEMO CA of Control-M. The DEMO CA of Control-M, which certifies the DEMO certificate, is not trusted by the web browser. The web browser issues a warning message informing you not to browse to this site, because the DEMO CA is not trusted by the web browser. If you continue, you will receive a certificate error notification. BMC Software recommends that you replace the demo certificate with a certificate signed by a known CA in your organization.

To configure Control-M/EM Web Server to work with HTTPS:

1 Create a certificate keystore by running one of the following commands:
Windows: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore -storepass {password}
UNIX: $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore -storepass {password}

NOTE
For information on creating a keystore for use with the Tomcat Web Server, see Exporting or importing private/public keys on page 38. The alias_for_the_entry variable must be tomcat.

2 Edit one of the following files:
Windows: {CONTROL-M/EM}\{Instance}\emweb\tomcat\conf\server.xml
UNIX: {CONTROL-M/EM}/ctm_em/etc/emweb/tomcat/conf/server.xml
If you change the password or the keystore file name, change the keystorePass and keystoreFile attributes, as shown in the example below.

3 In the server.xml file, navigate to the following XML content:

<!-- A "Connector" represents an endpoint by which requests are received -->

4 Add the following XML content after the above content:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/tomcat.keystore" keystorePass="{password}" />

The value of the keystorePass parameter for the demo certificate is emdemo. For an example of this configuration, open the server.xml.https file.
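Because the demo keystore password emdemo is documented, a server.xml that still carries it after the procedure above is the most common thing to check for. The audit below is an added example, not Tomcat or Control-M code: it parses a server.xml, skips plain HTTP connectors, and reports SSL-enabled connectors that keep the demo password, lack the scheme and secure attributes from step 4, have no keystoreFile, or set sslProtocol to something other than TLS. The server.xml fragment is constructed around the connector from step 4.

```python
"""Audit the HTTPS Connector settings from the procedure above (added example,
not Tomcat or Control-M code). The server.xml fragment below is constructed."""
import xml.etree.ElementTree as ET

DEMO_KEYSTORE_PASSWORD = "emdemo"  # value shipped with the demo certificate, per the guide


def audit_connectors(server_xml):
    """Return a list of findings for SSL-enabled Connector elements; empty means clean."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: the HTTPS checks do not apply
        port = conn.get("port", "?")
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append(f'port {port}: SSL-enabled connector needs scheme="https" secure="true"')
        if not conn.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if conn.get("keystorePass") == DEMO_KEYSTORE_PASSWORD:
            findings.append(f"port {port}: keystore still protected by the demo password")
        protocol = conn.get("sslProtocol", "TLS")
        if protocol.upper() != "TLS":
            findings.append(f"port {port}: sslProtocol should be TLS, found {protocol}")
    return findings


def audit_file(path):
    """Audit a server.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_connectors(fh.read())


# Constructed server.xml fragment: the connector from step 4, still carrying the
# demo keystore password.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- A "Connector" represents an endpoint by which requests are received -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/tomcat.keystore" keystorePass="emdemo" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML) or ["no findings"]:
        print(finding)
```

The attribute names are case-sensitive in Tomcat, so the audit deliberately looks for keystorePass and keystoreFile exactly as they must appear in server.xml; an attribute typed in the wrong case is reported as missing rather than silently accepted.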
Chapter 3 Managing certificates

This chapter presents the following topics:
Overview of key databases
Generate Component Certificates wizard
Generating component certificates using the wizard
Creating an SSL key database using the sslcmd utility
sslcmd menu
Recommended task summary
Setting up a signed certificate
Installing a trusted root authority certificate
Generating public-private key pairs
Creating and installing the signed certificate
Creating key database files
Maintaining certificates

Overview of key databases

To implement public-private key pairs, certificates, and certificate requests for use with SSL, you can use either:
- the Generate Component Certificates wizard in the Control-M Configuration Manager (recommended method), see Generating component certificates using the wizard, to automatically generate certificates and setup scripts
- the sslcmd utility and SSL key databases, see Creating an SSL key database using the sslcmd utility, to manually generate certificates and manually update the keystores at the components

NOTE
Changes to the key database, its password, and the security policy configuration do not take effect until you restart Control-M/Server, Control-M/Agent, and Control-M/EM.
Generate Component Certificates wizard

As of Control-M/EM , you can use the Generate Component Certificates wizard in the Control-M Configuration Manager to take you through the process of creating certificates. The Certificate Authority (CA) is based on the OpenSSL utility. For more information about OpenSSL, see the openssl documentation on the following website:

Generating component certificates using the wizard

In the Control-M Configuration Manager, choose Tools => Security => Manage SSL => Generate Component Certificates... The wizard opens and takes you through the steps needed to create CAs. Table 8 describes the steps and screens in the wizard.

Table 8 Steps in the Generate Component Certificates wizard

Steps when accepting the default selection in the first screen

1 In Screen 1, accept the default setting Use the following site Certificate Authority. The parameter fields in the screen are populated with values supplied by BMC for demonstration purposes. The demonstration Certificate Authority (CA) is used to sign and generate the certificates for the components that are chosen in Screen 2. Click Next.

2 In Screen 2:
- All Components of Control-M field: If you accept the default setting, certificates are generated for all Control-M components.
- By Component Type field: If you select this field, choose the required component from the drop-down menu. When By Component Type is selected, you also have the option to select Enter Unique Component Instance ID ( ). However, if the CONTROL-M/Enterprise Manager Servers component is displayed, the checkbox for this field is disabled. If the Enter Unique Component Instance ID ( ) option is selected, in the following screen you can choose to create a certificate for all components of the same type, or to create a certificate for each component instance. If this option is not selected, in the following screen a certificate is generated for the selected Control-M component.
- If you select Key Store Password, specify the Key Store Password (the password must be 8 characters long) and Retype Password fields. The Key Store Password option is applicable also for CONTROL-M for z/OS. For more information about the Key Store Password, see the note under this table.
Click Next.

3 In Screen 3 you can either accept the default or specify a path where the generated certificates will be saved. Click Next.

4 The certificates are created.

Steps when Create new Certificate Authority for the site is selected in the first screen

1 In Screen 1, select Create new Certificate Authority for the site. A message is displayed, asking if you are sure that this is what you want to do. Click Yes.

2 In Screen 2 you are informed that certificates are generated for all the Control-M components. You can choose to use a password. If you select this, the wizard will prompt you for further details. Click Next.

3 In Screen 3 you can either accept the default or specify a path where the generated certificates will be saved. Click Next.

4 The certificates are created.

If Create new Certificate Authority for the site is checked, you can create a new site Certificate Authority of Control-M to be used to sign all certificates needed for Control-M components.

NOTE
Ability to specify Key Store Password: Step 2 of the Wizard: Password area
In the Step 2 screen of the wizard, if Set Key Store Password is not checked (default), a default keystore password is used for all Distributed Key Stores for Control-M for z/OS. The new password is created in the following format:
ctm_zos_{hh}{mm}
The {hh} variable is the hour and the {mm} variable is the minutes. This password is shown as clear text in the Summary screen of the wizard. The password is also available in the Control-M for z/OS Action Report.
If you choose the Set Key Store Password option, you will be prompted for the password and then prompted to retype the password. This password is used for Control-M for z/OS as well. If you would like to set a different password for Control-M for z/OS, you will need to activate this step separately according to component.

When the wizard ends, the Action Result window is displayed with an action line per component for which a certificate has been generated.

To locate the Control-M certificates directories

Use the following examples to locate the Control-M certificates directories:
Where the path specified was C:\Control-M Certificates and the ALL Components option was chosen, the following directories are created under C:\Control-M Certificates:
Certificate_for_BMC Batch_Impact_Manager_Web_Application
Certificate_for Control-M_Agent
Certificate_for Control-M_Business_Process_Integration_Interface
Certificate_for Control-M_EnterpriseManager_Servers
Certificate_for Control-M_EnterpriseManager_API
Certificate_for Control-M_EnterpriseManager_Client
Certificate_for Control-M_for_zOS
Certificate_for Control-M_Server

Where the Enter unique component instance ID ( ) option was not specified, the key store files are created under the name of the component without subdirectories. Where the Enter unique component instance ID ( ) option for a component was specified (for example Control-M/Agent), a sub-directory containing all the files of the certificate is created according to the name of the component.

After locating the certificates directory, copy it and its contents to a temporary directory on the computer of the Control-M component, or place it in an accessible location on the network.

To copy the certificates for Control-M distributed components

1 Copy the directory Certificate_for_<component name> to a temporary directory on the computer where the component is installed, for example, <templocation>.
2 From the root directory of the Control-M component run the following command:
For UNIX: <templocation>/setup.sh
For Windows: <templocation>\setup.bat
The files are deployed to the required locations, and the Control-M component uses either the default keystore password or, if you specified a Key Store Password, the password by which the Certificates Key Store is locked.
NOTE
Note the following:
- For changes to take effect after running setup.bat/setup.sh, restart the relevant component.
- If you want to automatically restore a previous certificate from a backup for Control-M/EM Client, Control-M/EM Server, Control-M/Server and Control-M/Agent, run the setup script from the backup, as follows:
UNIX: <sslbackupdir>/setup.sh
Windows: <sslbackupdir>\setup.bat
The setup scripts save a backup of the certificate state prior to the deployment in a separate directory in the ssl_backup directory.
- If you are using Windows with UAC enabled, run the script from an Administrative console.
- The CORBA Naming Service process must be up when running the BMC Batch Impact Manager WEB User Interface setup script.

NOTE
Running the install script from the SSL package that is used to automatically install the certificates fails for Control-M/Agent or earlier. For a workaround to this problem, see solution number SLN on the BMC Support webpage.

To copy the certificates for Control-M for z/OS

Table 9 on page 50 describes the key store files for z/OS.

Table 9 Key store files in Control-M_for_zOS folder

Key store file    Details
IOAGATE.pck12     Export the certificate for Control-M for z/OS with the key-pair to be used by IOAGATE in PKCS#12 format. The password for the PKCS#12 file is displayed in the summary window that is generated when running the Generate Component Certificates wizard, see page 46.
CA.pem            Export the certificate of the Site CA that signed the client's certificate in PEM format when security level 4 (which uses client authentication) is defined in Control-M/EM.

For more information about how to use these files, see the INCONTROL for z/OS Installation Guide, Appendix B IOAGATE installation and configuration considerations, SSL support.
Creating an SSL key database using the sslcmd utility

You can implement keys and certificates on any component where the sslcmd utility is available. Performing sslcmd functions separately for each Control-M component enhances security, because users of one component then cannot access the key databases of other components. Copying keys and certificates to other Control-M components instead minimizes the effort required to maintain SSL key databases, at the cost of sharing the same private key across components.

WARNING
The sslcmd examples in this chapter are based on hypothetical database and certificate data. Do not use this data in a production environment.

sslcmd menu

If you do not use the Generate Component Certificates wizard, most of the work that is performed with keys and certificates begins at the sslcmd menu. You access the menu by running the sslcmd utility from the command line. Table 10 provides an overview of the menu's options.

Table 10  sslcmd utility options

Option  Function                  Description
1       Generate key              generate a public-private key pair for a certificate
2       Add CA                    install a trusted root authority certificate
3       Generate CSR              create a certificate signing request
4       Add Cert                  install the signed certificate
5       List keys                 list the public-private key pairs in the key database
6       Delete key                delete a public-private key pair and its certificate
7       List certs                list signed certificates
8       List CA                   list the CA certificates found in the SSL key database
9       View CA                   view information about CA certificates
10      Delete CA                 delete a trusted root authority certificate
11      Add CRL                   install a new certificate revocation list (CRL)
12      Change KDB password       change the key database password
13      Add labeled password      add a labeled password (a)
14      List labeled password     list labeled passwords (a)
15      Delete labeled password   delete a labeled password (a)
16      Import key pair           import a key pair (a)
17      Export key pair           export a key pair
18      Change label of key pair  change the label of a key pair (a)
19      Exit                      exit the sslcmd utility

(a) Because SSL for Control-M does not use this option, this guide does not discuss the option.

Recommended task summary

Table 11 lists the recommended workflow for setting up and maintaining keys and signed certificates when using the sslcmd menu.

Table 11  Task summary: implementing keys and signed certificates

Workflow                     Specific tasks                                                                      Page
Create an SSL key database   create an SSL key database                                                          52
Set up a signed certificate  install a trusted root authority certificate                                        54
                             generate public-private key pairs for a certificate                                 55
                             create a certificate signing request                                                56
                             install the signed certificate                                                      57
Create key database files    create key database files for Control-M/EM, Control-M/Server, and Control-M/Agent   60, 62
Performing maintenance       view information about CA certificates                                              63
                             delete a trusted root authority certificate                                         64
                             delete a public-private key pair and certificate                                    64
                             install a new certificate revocation list (CRL)                                     65
                             change the key database password                                                    65
                             export a key pair                                                                   69

To create an SSL key database

1 At the command line, in the directory where you want the database to be, enter sslcmd -k keyfile_name, replacing keyfile_name with the name of the key database to be created. Because the new database does not exist yet, a message indicates that the file cannot be found.

2 Enter a password (eight or more characters) for the new database.

3 When prompted, retype the password.
A key database with the specified name is created. The sslcmd utility menu displays the actions that you can perform with the new key database.

NOTE
After creating the key database, always use the same keyfile name on the sslcmd command line. The database can be accessed only with the password that you specified, so record that password in your password management system: without it, the private keys in the database cannot be recovered.

Setting up a signed certificate

You set up a signed certificate by completing these tasks:

- Installing a trusted root authority certificate
- Generating public-private key pairs
- Creating and installing the signed certificate

Installing a trusted root authority certificate

To use SSL, you must obtain the certificate of a trusted root certificate authority (CA), an organization that validates the digital certificates used in online transactions. A certificate is validated by a hierarchy of CAs that approve the certificate. The ultimate CA in the chain is the trusted root certificate authority.

Before you begin

Obtain a trusted root certificate from a certificate signing authority (CSA). Guidelines are as follows:

- Select a public or private CSA and determine how it issues certificates before you begin using this product.
- Use the public key of the CSA when requesting the certificate for this product. The digital certificate of the CSA can be used to authenticate certificates that are validated by that CA.
- SSL certificates must be in the X.509 PEM (Privacy-Enhanced Mail) format. If your certificate is in another format, convert it to X.509 PEM format. For example, to convert a Microsoft certificate to an X.509 PEM certificate, use the Microsoft INETSDK tools.
- Every certificate signed by a CA in the key database is trusted by that component. Install only the CA that issues your Control-M certificates, not a general-purpose bundle of public roots.
To install a trusted root authority certificate

1 On the sslcmd menu, select option 2 Add CA.

2 Enter the full path and file name of the CA certificate. The CA certificate is installed in the key database, and a verification message similar to this one is displayed:

-----BEGIN CERTIFICATE-----
MIICSDCCAfKgAwIBAgIQLMQ4SxAAEo8R0uLgqRaB1DANBgkqhkiG9w0BAQQFADCB
htelmakga1uebhmcvvmxdjambgnvbagtbvrlegfzmrawdgydvqqhewdib3vzdg9u
MRUwEwYDVQQKEwxCTUMgU29mdHdhcmUxDzANBgNVBAsTBldFQkRFVjEsMCoGA1UE
AxMjV1dXUUEgVGVzdGluZyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTkwMzI1
MTg0NDE0WhcNMDQwMzI1MTg0NDE0WjCBhTELMAkGA1UEBhMCVVMxDjAMBgNVBAgT
BVRleGFzMRAwDgYDVQQHEwdIb3VzdG9uMRUwEwYDVQQKEwxCTUMgU29mdHdhcmUx
DzANBgNVBAsTBldFQkRFVjEsMCoGA1UEAxMjV1dXUUEgVGVzdGluZyBDZXJ0aWZp
Y2F0ZSBBdXRob3JpdHkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAlRjFdJsiLN82
7lSwm7vcby/CdkGt5oE6GRSNlU/tfyEKGR4bzs1M+WO0SVemtOewcV2YiTzWgAr+
nec0y+qgjqidaqabozwwojalbgnvhq8ebamcamqwdaydvr0tbauwaweb/zadbgnv
HQ4EFgQUnwn4N+0AnUpVkzFTgHuhQuAElCUwDQYJKoZIhvcNAQEEBQADQQBr/i2j
ArvbTJfmeTld8bzsPlakDZbmL7Hcud4etJezq4XNSwlDZ5LuqfX7ACBrfs53R9BY
ecwzm0m3sfkuaort
-----END CERTIFICATE-----
WWWQA Testing Certificate Authority
Command Add CA successful
Enter to proceed

3 On the sslcmd menu, select option 8 List CA to list the CA certificates that are in the SSL key database.

4 Verify that the installed certificate appears in the resulting list. The key database also carries compiled-in public roots, so your own CA appears after entries like these:

***CA number 1, Label Compiled Trusted Root
Subject Distinguished Name: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
***CA number 2, Label Compiled Trusted Root
Subject Distinguished Name: OU=Commercial Certification Authority,O="RSA Data Security, Inc.",C=US
***CA number 3, Label Compiled Trusted Root
Subject Distinguished Name: OU=Secure Server Certification Authority,O="RSA Data Security, Inc.",C=US
***CA number 4, Label Compiled Trusted Root
Subject Distinguished Name: OU=Secure Server Certification Authority,O="RSA Data Security, Inc.",C=US
Command List CA successful

Generating public-private key pairs

A cryptographic key pair is a set of two cryptographic keys (one public and one private) that is used to establish an SSL session. Before requesting a certificate from the CA, use this procedure to generate a key pair and assign it to the new certificate.

To generate public-private key pairs for a certificate

1 On the sslcmd menu, select option 1 Generate key to generate a public-private key pair.

2 At the Enter Identity prompt, enter an alias ID that identifies the public-private key pair. The following default alias names are specified in the UNIX .plc files or the Microsoft Windows Registry:

Table 12  Locations of alias IDs for public-private key pairs

For communication from                                                  Location
Control-M/Server to Control-M/Agent                                     NSDN is specified in the ns.plc file.
Control-M/Server to Control-M/EM                                        CODN is specified in the co.plc file.
Control-M/Server Configuration Agent to Control-M Configuration Server  CADN is specified in the ca.plc file.
Control-M/Agent to Control-M/Server                                     AGDN is specified in the ag.plc file.
Control-M/EM to Control-M/Server                                        CODN is specified in the gtw.plc file.
Control-M/EM to Control-M Configuration Agent                           CADN is specified in the cmsg.plc file.

3 At the Enter keypair type prompt, press Enter (or any key other than D) to select RSA.

4 Enter the key length in bits (512 or 1024). Use 1024: 512-bit RSA moduli have been publicly factored and provide no meaningful protection. If the key pair is generated successfully, the following message is displayed:

Command Generate key successful

5 On the sslcmd menu, select option 5 List keys to verify that the key pair is displayed.
For each public-private key pair, the utility lists the alias assigned to the certificate that uses that key pair.

Creating and installing the signed certificate

A certificate signing request (CSR) is a document that asks a CA to bind the associated information into a certificate and sign it with the digital signature of the authority. After validation, the certificate is a valid identification certificate. Installing the certificate in the key database makes the certificate available to a Control-M component.

Complete the tasks in this section to install the certificate:

- create a certificate signing request
- install the signed certificate

NOTE
You must install the trusted root authority certificate in the database before you install a certificate signed by it.

To create a certificate signing request

1 On the sslcmd menu, select option 3 Generate CSR.

2 Enter the output path and file name for the generated CSR.

3 At Enter alias name, enter the name you specified at Enter identity. This public-private key pair name should be the same as the name of the key database file you are working with.

4 Respond to the prompts for the distinguished name (DN) of the new certificate. The DN is a fully qualified, hierarchical name that uniquely identifies the entity authenticated by a certificate. Lightweight Directory Access Protocol (LDAP) uses its attributes to structure data in a directory or namespace.
Table 13  Distinguished name information

Prompt        Description of requested value
Country       two-character country code of the country where the entity resides
State         state or region where the entity resides
Locality      locality or place where the entity resides
Name          organization to which the entity belongs
Unit          organizational unit to which the entity belongs
Common Name   name of the entity that you are certifying
Address       e-mail destination (if more than one, separated by a comma) to which signed certificates should be sent. The BMC Extended Security Subsystem DENY_ACL and ALLOW_ACL variables use this value. Setting this value to * (asterisk) allows signed certificates to be sent to any address. For more information, see Access files on page 81.

A message informs you when the CSR is successfully generated.

To install the signed certificate

1 If the certificate is not in X.509 PEM format, use a translation program to convert it.

2 On the sslcmd menu, select option 4 Add cert to add a digital certificate to the SSL key database.

3 Enter the full path and file name for the digital certificate. The certificate is installed in the key database.
Lines similar to the following output are displayed:

-----BEGIN CERTIFICATE-----
MIID5TCCA4+gAwIBAgIIZfuEvAAADDAwDQYJKoZIhvcNAQEEBQAwgYUxCzAJBgNV
BAYTAlVTMQ4wDAYDVQQIEwVUZXhhczEQMA4GA1UEBxMHSG91c3RvbjEVMBMGA1UE
ChMMQk1DIFNvZnR3YXJlMQ8wDQYDVQQLEwZXRUJERVYxLDAqBgNVBAMTI1dXV1FB
IFRlc3RpbmcgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAzMDQzMDEwMTg1MloX
DTA0MDMyNTE4NDQxNFowejEoMCYGCSqGSIb3DQEJARYZdGVjaG5pY2FsX3N1cHBv
cnraym1jlmnvbtelmakga1uebhmcsuwxfjaubgnvbactdutpcmlhdcbbdglkaw0x
DDAKBgNVBAoTA0JNQzEMMAoGA1UECxMDTVBNMQ0wCwYDVQQDEwROU0ROMFowDQYJ
KoZIhvcNAQEBBQADSQAwRgJBAOU2fcKSIHJZ10dsWGl62vuhLFD/YcLZ+6KVdHko
rldjjpgvwyuuj/ngwcqpp40asmjausuc+nsbx5j7rnyjuvccaqojgghtmiib6tcb
wqydvr0jbig5mig2gbsfcfg37qcdslwtmvoae6fc4asujagbi6sbidcbhtelmakg
A1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMRAwDgYDVQQHEwdIb3VzdG9uMRUwEwYD
VQQKEwxCTUMgU29mdHdhcmUxDzANBgNVBAsTBldFQkRFVjEsMCoGA1UEAxMjV1dX
UUEgVGVzdGluZyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCECzEOEsQABKPEdLi4KkW
gdqwgbega1udhwsbqtcbpjbqoe6gtizkahr0cdovl0tftk5ftlbdl0nlcnrtcnyv
Q2VydEVucm9sbC9XV1dRQSBUZXN0aW5nIENlcnRpZmljYXRlIEF1dGhvcml0eS5j
cmwwuqbqoe6gtgzpbgu6ly9cxetftk5ftlbdxenlcnrtcnzcq2vydevucm9sbfxx
V1dRQSBUZXN0aW5nIENlcnRpZmljYXRlIEF1dGhvcml0eS5jcmwwbwYIKwYBBQUH
AQEEYzBhMF8GCCsGAQUFBzAChlNodHRwOi8vS0VOTkVOUEMvQ2VydFNydi9DZXJ0
RW5yb2xsL0tFTk5FTlBDX1dXV1FBIFRlc3RpbmcgQ2VydGlmaWNhdGUgQXV0aG9y
axr5lmnyddanbgkqhkig9w0baqqfaanbain0kgcur2tnhvlmpca21imcnflriqq+
35OZLHGHijOL0c8TebXP3h7ora+ddgIhCM7eqyEmOUqjfX+szZyl5fQ=
-----END CERTIFICATE-----
Command Add cert successful

4 On the sslcmd menu, select option 7 List certs to list the digital certificates that are in the SSL key database. For each signed certificate the output shows its alias, followed by the entry of the CA that issued it. A status of REVOCATION UNKNOWN means that the key database holds no revocation information for the issuer; to have the certificate checked against a CRL, install one (see To install a new certificate revocation list (CRL)). The output resembles this data:

***Label 0: NSDN
Subject Distinguished Name: CN=NSDN,OU=MPM,O=BMC,L=Costa Mesa,ST=California,C=US,[email protected]
Issuer Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Certificate Serial=202f8ad
RSA public key length: 512 bits
Valid Begin: Tue Feb 26 07:57:
Valid End: Thu Feb 26 07:57:
Status: REVOCATION UNKNOWN
The following Certificate Extensions exist:
Authority Key Identifier OID: 551d23 Criticality Bit: Off
...
Data: f b a 2f 2f 4b 45 4e 4e 45 4e f f e 72 6f 6c 6c 2f 4b 45 4e 4e 45 4e f e f e
Subject Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Issuer Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Certificate Serial=2cc4384b f11d2e2e0a91681d4
RSA public key length: 512 bits
Valid Begin: Thu Mar 25 20:44:
Valid End: Thu Mar 25 20:44:
Status: TRUSTED_ROOT
The following Certificate Extensions exist:
Key Usage OID: 551d0f Criticality Bit: Off Data: c4
Basic Constraints OID: 551d13 Criticality Bit: Off Data: ff
Subject Key Identifier OID: 551d0e Criticality Bit: Off Data: f 09 f8 37 ed 00 9d 4a b a1 42 e
***Label 1: CODN
Subject Distinguished Name: CN=CODN,OU=MPM,O=BMC,L=Costa
Issuer Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Certificate Serial=
RSA public key length: 512 bits
Valid Begin: Tue Feb 26 07:58:
Valid End: Thu Feb 26 07:58:
Status: REVOCATION UNKNOWN
The following Certificate Extensions exist:
Authority Key Identifier OID: 551d23 Criticality Bit: Off
...
Subject Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Issuer Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Certificate Serial=2cc4384b f11d2e2e0a91681d4
RSA public key length: 512 bits
Valid Begin: Thu Mar 25 20:44:
Valid End: Thu Mar 25 20:44:
Status: TRUSTED_ROOT
The following Certificate Extensions exist:
Key Usage OID: 551d0f Criticality Bit: Off Data: c4
Basic Constraints OID: 551d13 Criticality Bit: Off Data: ff
Subject Key Identifier OID: 551d0e Criticality Bit: Off Data: f 09 f8 37 ed 00 9d 4a b a1 42 e
Command List certs successful
Enter to proceed

Creating key database files

The following sections outline how to create key database files for each individual Control-M component.

NOTE
Restart Control-M/EM, Control-M/Server, and Control-M/Agent for changes to the key database to take effect. For information about creating a key database, see To create an SSL key database on page 52.
Control-M/EM

1 Display the sslcmd -k gtwkey.kdb menu (see sslcmd menu on page 51).

2 Select 2 Add CA. At the prompt, enter the full path and name of the CA certificate.

3 Select 1 Generate key to generate a public-private key pair. At the prompt, enter the alias name CODN.

4 Select 3 Generate CSR. Enter the output path and file name for the generated CSR. The generated CSR can be submitted to a CA to obtain a digital certificate.

5 Select 4 Add cert to add the digital certificate to the SSL key database. When the prompt Enter certificate file name is displayed, enter the full path and file name for the digital certificate. The certificate for Control-M/EM is installed in the key database.

6 Display the sslcmd -k cmsgkey.kdb menu (see sslcmd menu on page 51).

7 Select 2 Add CA. At the prompt, enter the full path and name of the CA certificate.

8 Select 1 Generate key to generate a public-private key pair. At the prompt, enter the alias name CADN.

9 Select 3 Generate CSR. Enter the output path and file name for the generated CSR. The generated CSR can be submitted to a CA to obtain a digital certificate.

10 Select 4 Add cert to add the digital certificate to the SSL key database. When the prompt Enter certificate file name is displayed, enter the full path and file name for the digital certificate. The certificate for Control-M/EM is installed in the key database.

11 For Control-M/EM client/server communications using CORBA only: enter 17 (Export key pair) to export the certificate and its key pair in PKCS#12 file format.

12 Follow the same steps to update the emkey.kdb key database, which is used for the encryption of the Control-M/EM administrator password. Use the alias name CODN.

Control-M/Server

1 Display the sslcmd -k ctmkey.kdb menu (see sslcmd menu on page 51).

2 Select 2 Add CA. At the prompt, enter the full path and file name of the CA certificate.
3 Select 1 Generate key to generate a public-private key pair. At the prompt, enter the alias name CODN.

4 Select 3 Generate CSR. Enter the output path and file name for the generated CSR. The generated CSR can be submitted to a CA to obtain a digital certificate.

5 Select 4 Add cert to add the digital certificate to the SSL key database. When the prompt Enter certificate file name is displayed, enter the full path and file name for the digital certificate. The CODN certificate for Control-M/Server is installed in the key database.

6 Select 1 Generate key to generate a public-private key pair. At the prompt, enter the alias name NSDN.

7 Select 3 Generate CSR. Enter the output path and file name for the generated CSR. The generated CSR can be submitted to a CA to obtain a digital certificate.

8 Select 4 Add cert to add the digital certificate to the SSL key database. When the prompt Enter certificate file name is displayed, enter the full path and file name for the digital certificate. The NSDN certificate for Control-M/Server is installed in the key database.

9 Select 1 Generate key to generate a public-private key pair. At the prompt, enter the alias name CADN.

10 Select 3 Generate CSR. Enter the output path and file name for the generated CSR. The generated CSR can be submitted to a CA to obtain a digital certificate.

11 Select 4 Add cert to add the digital certificate to the SSL key database. When the prompt Enter certificate file name is displayed, enter the full path and file name for the digital certificate. The CADN certificate for Control-M/Server is installed in the key database.

12 Convert the CODN certificate that was signed in step 4 on page 60, together with its private key, into PKCS#12 format, for example by using the OpenSSL utility. For more information about OpenSSL, see the openssl documentation on the following website:

13 To import the CA certificate into the Java keystore, run the following command:

<Control-M Server Home Dir>/ctm_server/JRE/bin/keytool -importcert -trustcacerts -alias CA -file <full path to the CA certificate file> -keystore <Control-M Server Home Dir>/ctm_server/data/SSL/cert/ctmkey.jks -storepass <password>
14 To import the new key pair into the keystore, run the following command:

<Control-M Server Home Dir>/ctm_server/JRE/bin/keytool -importkeystore -srckeystore <Control-M Server Home Dir>/ctm_server/data/SSL/cert/codn_cert.p12 -destkeystore <Control-M Server Home Dir>/ctm_server/data/SSL/cert/ctmkey.jks -srcstoretype pkcs12 -deststoretype jks -deststorepass <password> -srcstorepass <password>

Passwords given with -storepass, -srcstorepass and -deststorepass are visible in the process list and in the shell history while the command runs. If you omit those options, keytool prompts for the passwords instead.

Control-M/Agent

1 Display the sslcmd -k agkey.kdb menu (see sslcmd menu on page 51).

2 Select 2 Add CA. At the prompt, enter the full path and file name of the CA certificate.

3 Select 1 Generate key to generate a public-private key pair. At the prompt, enter the alias name AGDN.

4 Select 3 Generate CSR. Enter the output path and file name for the generated CSR. The generated CSR can be submitted to a CA to obtain a digital certificate.

5 Select 4 Add cert to add the digital certificate to the SSL key database. When the prompt Enter certificate file name is displayed, enter the full path and file name for the digital certificate. The certificate for Control-M/Agent is installed in the key database.

Maintaining certificates

The following sslcmd utility functions are described under this topic:

- view information about CA certificates
- delete a trusted root authority certificate
- delete a public-private key pair and certificate
- install a new certificate revocation list (CRL)
- change the key database password
- export a key pair

NOTE
Changes to the key database, the key database password, and the security policy configuration do not take effect until you restart Control-M/Server, Control-M/Agent, and Control-M/EM.
To view information about CA certificates

Use this option to display the following data about CA certificates:

- certificate serial number
- key length
- period of validity
- certificate extensions

1 Run the sslcmd utility (see sslcmd menu on page 51).

2 In the sslcmd Main menu, select 9 View CA to display data about a CA certificate in the key database. You are prompted for the CA certificate number. After the data is displayed, the message Command View CA successful indicates that the display is complete. Data similar to the following is displayed:

Enter CA number to view:1
***CA number 1, Label unknown
Subject Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Issuer Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Certificate Serial=2cc4384b f11d2e2e0a91681d4
RSA public key length: 512 bits
Valid Begin: Thu Mar 25 20:44:
Valid End: Thu Mar 25 20:44:
Status: TRUSTED_ROOT
The following Certificate Extensions exist:
Key Usage OID: 551d0f Criticality Bit: Off Data: c4
Basic Constraints OID: 551d13 Criticality Bit: Off Data: ff
Subject Key Identifier OID: 551d0e Criticality Bit: Off Data: f 09 f8 37 ed 00 9d 4a b a1 42 e
Command View CA successful
Enter to proceed
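The View CA and List certs output above is the only inventory of key length and validity period that sslcmd gives you, and on a site with several key databases it is worth checking mechanically. The following script is an added example for this guide, not part of Control-M or the sslcmd utility: it parses the text layout shown above (the ***Label / ***CA number line, then the Subject, Issuer, Serial, key length, Valid Begin, Valid End and Status lines) and reports RSA keys shorter than a configurable floor and certificates that are expired, expiring within a warning window, or not yet valid. The sample listing embedded in it is constructed; serials, DNs and dates are made up, and the 2048-bit floor is the script's own assumption, not a value from the guide.

```python
"""Audit the listing printed by sslcmd 'List certs' / 'View CA'.

Added example for the Control-M SSL Guide; not part of Control-M or sslcmd.
Capture the menu output (for example with 'tee listing.txt') and run
'python audit_sslcmd.py listing.txt'; without an argument it audits the
constructed sample below.
"""
import re
import sys
from datetime import datetime

DATE_FMT = "%a %b %d %H:%M:%S %Y"   # sslcmd prints e.g. "Thu Mar 25 20:44:14 2004"
MIN_RSA_BITS = 2048                  # assumption: the menu offers 512/1024, both below this floor

# Constructed sample in sslcmd's layout; every value is made up.
SAMPLE_LISTING = """\
***Label 0: NSDN
Subject Distinguished Name: CN=NSDN,OU=MPM,O=BMC,L=Costa Mesa,ST=California,C=US
Issuer Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Certificate Serial=202f8ad
RSA public key length: 512 bits
Valid Begin: Tue Feb 26 07:57:18 2002
Valid End: Thu Feb 26 07:57:18 2004
Status: REVOCATION UNKNOWN
Subject Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Issuer Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Certificate Serial=2cc4384b
RSA public key length: 512 bits
Valid Begin: Thu Mar 25 20:44:14 1999
Valid End: Thu Mar 25 20:44:14 2004
Status: TRUSTED_ROOT
The following Certificate Extensions exist:
Key Usage OID: 551d0f Criticality Bit: Off Data: c4
***Label 1: CODN
Subject Distinguished Name: CN=CODN,OU=MPM,O=BMC,L=Costa Mesa,ST=California,C=US
Issuer Distinguished Name: CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US
Certificate Serial=202f8ae
RSA public key length: 2048 bits
Valid Begin: Mon Mar 01 09:00:00 2004
Valid End: Tue Mar 01 09:00:00 2005
Status: REVOCATION UNKNOWN
Command List certs successful
"""

LABEL_RE = re.compile(r"\*\*\*(?:Label \d+: (\S+)|CA number \d+, Label (.+))")


def parse_listing(text):
    """Return one dict per certificate entry, in listing order.

    A '***Label' line names the key pair that the next entry belongs to; the
    issuer entry that follows it carries no label line, so it gets label None.
    """
    entries, current, pending_label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LABEL_RE.match(line)
        if m:
            pending_label = (m.group(1) or m.group(2)).strip()
            continue
        if line.startswith("Subject Distinguished Name:"):
            current = {"label": pending_label, "subject": line.split(":", 1)[1].strip()}
            entries.append(current)
            pending_label = None
            continue
        if current is None:
            continue
        if line.startswith("Issuer Distinguished Name:"):
            current["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate Serial="):
            current["serial"] = line.split("=", 1)[1].strip()
        elif line.startswith("RSA public key length:"):
            current["key_bits"] = int(re.search(r"(\d+)\s*bits", line).group(1))
        elif line.startswith("Valid Begin:"):
            current["valid_begin"] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif line.startswith("Valid End:"):
            current["valid_end"] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif line.startswith("Status:"):
            current["status"] = line.split(":", 1)[1].strip()
    return entries


def audit(entries, now, min_bits=MIN_RSA_BITS, warn_days=30):
    """Return (name, finding) tuples; name is the alias, or the CN for chain entries."""
    findings = []
    for e in entries:
        name = e["label"] or e["subject"].split(",")[0]
        bits = e.get("key_bits", 0)
        if bits < min_bits:
            findings.append((name, "weak key: %d-bit RSA" % bits))
        begin, end = e.get("valid_begin"), e.get("valid_end")
        if begin is not None and now < begin:
            findings.append((name, "not yet valid"))
        elif end is not None:
            days_left = (end - now).days
            if days_left < 0:
                findings.append((name, "expired"))
            elif days_left <= warn_days:
                findings.append((name, "expires in %d days" % days_left))
    return findings


def audit_listing(text, now_text, **kw):
    """Convenience wrapper: 'now' given in the same format sslcmd prints."""
    return audit(parse_listing(text), datetime.strptime(now_text, DATE_FMT), **kw)


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for name, problem in audit(parse_listing(src), datetime.now()):
        print("%-40s %s" % (name, problem))
```

Run against the sample with a reference date of 10 February 2004, the script flags NSDN and the test CA for their 512-bit keys, NSDN for expiring in 15 days, and CODN as not yet valid; the CA's own expiry in March is outside the 30-day window and is not reported.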
To delete a trusted root authority certificate

1 Run the sslcmd utility (see sslcmd menu on page 51).

NOTE
To list all the CA certificates (including certificate numbers) in the SSL key database, select option 8 List CA from the sslcmd menu.

2 In the sslcmd Main menu, select 10 Delete CA. At the prompt, enter the number of the certificate you want to delete, then confirm the deletion:

Enter CA number:1
Confirm deletion of:1 (Y/N):y
Command Delete CA successful

3 The message Command Delete CA successful is displayed when the certificate is successfully deleted.

To delete a public-private key pair and certificate

Deleting a public-private key pair automatically deletes the associated certificate. The deletion cannot be undone from within sslcmd; if you may need the key pair again, export it first (see To export a key pair).

1 Run the sslcmd utility (see sslcmd menu on page 51).

2 In the sslcmd Main menu, select 6 Delete key. You are prompted for the alias name of the key pair you want to delete, then asked to confirm:

Enter alias name:CODN
Confirm deletion of:CODN (Y/N):y
Command Delete key successful

3 Enter the alias name of the key pair to delete from the SSL key database. The message Command Delete key successful indicates that the key pair and associated certificate were successfully deleted.
To install a new certificate revocation list (CRL)

1 Obtain the new CRL from the trusted CA.

2 Run the sslcmd utility (see sslcmd menu on page 51).

3 In the sslcmd Main menu, select 11 Add CRL. You are prompted for the new CRL file name. Enter the file name of the CRL you want to install. A message similar to this one is displayed:

Enter crl file name ctm.crl
-----BEGIN X509 CRL-----
MIICEjCCAXsCAQEwDQYJKoZIhvcNAQEEBQAwgYkxCzAJBgNVBAYTAkZKMQ0wCwYD
VQQIEwRGaWppMQ0wCwYDVQQHEwRTdXZhMQ4wDAYDVQQKEwVTT1BBQzEMMAoGA1UE
CxMDSVRVMRYwFAYDVQQDEw1TT1BBQyBSb290IENBMSYwJAYJKoZIhvcNAQkBFhdh
ZG1pbmlzdHJhdG9yQHNvcGFjLm9yZxcNMDIwNTEwMDI1NTQxWhcNMDIwNTE3MDI1
NTQxWqCBvDCBuTCBtgYDVR0jBIGuMIGrgBQ6oBOW0mqGuX8tVL5QO9PxpOxRr6GB
j6sbjdcbitelmakga1uebhmcrkoxdtalbgnvbagtbezpamkxdtalbgnvbactbfn1
dmexdjambgnvbaotbvnpuefdmqwwcgydvqqlewnjvfuxfjaubgnvbamtdvnpuefd
IFJvb3QgQ0ExJjAkBgkqhkiG9w0BCQEWF2FkbWluaXN0cmF0b3JAc29wYWMub3Jn
ggeama0gcsqgsib3dqebbauaa4gbajthd+ritdqttfv7bcinmtaquaybgadvhfww
WXt5BDe9no2t0C6N637BxELfm6FAlsiOuN1y136d8lJAf0qbWDJcT+iF7EvlyBM8
guyc1j8q6aj8x/x2fcslw1hr9+lnkmssdzmm0j/rjqxspmsondia3zbqtvfzcnjl
WQXbXCys
-----END X509 CRL-----
Command Add CRL successful

The named CRL is added to the SSL key database. A CRL carries its own next-update time, so repeat this procedure whenever the CA publishes a new list.

To change the key database password

To use your own encrypted password for Control-M/Server for the ctmkey.jks, follow the procedure on page 68.

Perform the following procedure to change the key database password using the sslcmd utility.

1 Run the sslcmd utility (see sslcmd menu on page 51).

The SSL directories for UNIX are:

For Control-M/EM: <Control-M/EM_directory>/etc/site/resource/ssl/cert
For Control-M/Server: <Control-M/Server_directory>/ctm_server/data/SSL/cert
For Control-M/Agent: <Control-M/Server_directory>/ctm_agent/data/SSL/cert or <Control-M/Agent_directory>/ctm/data/SSL/cert
The Encryptor directories for UNIX are:

For Control-M/EM: <Control-M/EM_directory>/etc/site/resource/local
For Control-M/Server: <Control-M/Server_directory>/ctm_server/data/SSL/cert
For Control-M/Agent: <Control-M/Agent_directory>/ctm_server/data/SSL/cert

The SSL directories for Windows are:

For Control-M/EM: <Control-M/EM_directory>\etc\resource\ssl\cert
For Control-M/Server: <Control-M_SERVER directory>\data\ssl\cert
For Control-M/Agent: <Control-M/Agent_directory>\data\SSL\cert

The Encryptor directory for Windows is: <Control-M/EM_directory>\ini\local

2 In the sslcmd Main menu, select 12 Change KDB password. The following prompt is displayed:

Enter new key file SSL_directory/keyfile_name password (at least 8 characters):

3 Enter the new password. You are prompted to retype the password. When you retype the new password, this message is displayed:

Command Change password successful
Enter to proceed

Press Enter. After the menu is displayed, select 19 to exit the sslcmd utility.

4 To generate an encrypted version of the new password, enter the command:

bmcryptpw -m Encryptor_directory/tree.bin -e

The Enter password prompt is displayed. Enter the new password used in step 3 above. An encoded password similar to this one is generated:

Encoded passwd: e b2854c59258c5061f04ef1f1a72ed785e

Use an editor to update the encrypted password in the policy file. Because the component must recover the cleartext password from this encoded value and tree.bin when it starts, restrict read access to both the policy file and tree.bin to the account the component runs under.

UNIX

For example, on UNIX platforms, change the following string

a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d

to

e b2854c59258c5061f04ef1f1a72ed785e

on both of the following lines in the site.plc file:

vi SSL_directory/etc/site.plc

[server]
...
password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,/Encryptor_directory/tree.bin
[client]
...
password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,/Encryptor_directory/tree.bin

NOTE
On UNIX platforms running Control-M/EM, make the above changes in the following files, not in the site.plc file:

<SSL_directory>/gtw.plc
<SSL_directory>/cmsg.plc
<SSL_directory>/em.plc

Microsoft Windows

NOTE
BMC does not recommend editing the Windows registry unless you have experience working with the registry and you back up the registry before proceeding.

For example, on Microsoft Windows platforms, in the password Registry key, change

a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d

to

e b2854c59258c5061f04ef1f1a72ed785e
for Control-M/EM:

\HKEY_LOCAL_MACHINE\SOFTWARE\Bmc Software\CONTROL-M/Server\CONTROL-M/EM\SecurityPolicy\site\{client server keystore}
"password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,D:\Program Files\BMC Software\CONTROL-M EM\Ini\local\tree.bin"

for Control-M/Server:

\HKEY_LOCAL_MACHINE\SOFTWARE\Bmc Software\CONTROL-M/Server\SecurityPolicy\site\{client server keystore}
"password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,D:\Program Files\BMC Software\CONTROL-M Server\Ctm\DATA\SSL\Cert\tree.bin"

for Control-M/Agent:

\HKEY_LOCAL_MACHINE\SOFTWARE\Bmc Software\CONTROL-M/Server\SecurityPolicy\site\{client server keystore}
"password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,D:\Program Files\BMC Software\CONTROL-M Agent\Agent_installation\DATA\SSL\Cert\tree.bin"

and in the client, server, and common Windows Registry hives:

\HKEY_LOCAL_MACHINE\SOFTWARE\Bmc Software\CONTROL-M/Server\SecurityPolicy\site\{client server keystore}

For more information, see Appendix A, Configuring security policies.

To use your own encrypted password for Control-M/Server for the ctmkey.jks

The password that was used when creating ctmkey.jks must be encrypted and saved in the following file:

<Control-M Server Home dir>/ctm_server/data/SSL/cert/jks.properties

To encrypt this password, run the change_pass utility as follows:

<Control-M Home dir>/change_pass <Control-M Server Home dir>/ctm_server/data/SSL/cert/jks.properties

The change_pass utility accepts a keytool password, encrypts it, and updates the jks.properties file shown above.

To export a key pair

The exported file contains the private key; protect it as carefully as the key database itself and delete it once it has been imported where it is needed.

1 Run the sslcmd utility (see sslcmd menu on page 51).

2 In the sslcmd Main menu, select 17 Export key pair.

3 Enter the file name for the key pair.

4 Enter the identity for the key pair.

5 Enter the encryption password for the key pair and retype the password for confirmation.

6 Enter and retype the MAC password.
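The UNIX half of the password-change procedure above ends with a manual vi edit of the password= line in the [server] and [client] stanzas, which is error-prone when several policy files (site.plc, or gtw.plc, cmsg.plc and em.plc on Control-M/EM) have to change in step. The following script is an added example for this guide, not part of the product or its utilities: it rewrites only the password= lines inside the named stanzas, keeps the ",<Encryptor_directory>/tree.bin" suffix and line endings untouched, writes a .bak copy and swaps the file in atomically. The encoded value still has to come from bmcryptpw; the stanza names, the sample site.plc and the hex check on the new value are the script's assumptions.

```python
"""Rotate the encoded key-database password in a Control-M .plc policy file.

Added example for the Control-M SSL Guide; not part of Control-M. Assumes the
layout Appendix A shows: 'password=<encoded>,<Encryptor_directory>/tree.bin'
in the [server] and [client] stanzas, with <encoded> being the hex string
printed by 'bmcryptpw -m <Encryptor_directory>/tree.bin -e'.
"""
import os
import re
import shutil
import tempfile

STANZAS = ("server", "client")   # the stanzas the UNIX procedure edits

# Constructed sample site.plc; the encoded value and paths are illustrative.
SAMPLE_SITE_PLC = """\
[server]
keyfile=ctmkey.kdb
security_level=4
securitydir=$CONTROLM/data/SSL/cert
password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,$CONTROLM/data/SSL/cert/tree.bin
[client]
keyfile=ctmkey.kdb
security_level=4
password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,$CONTROLM/data/SSL/cert/tree.bin
"""


def rotate_password(text, new_encoded, stanzas=STANZAS):
    """Return (new_text, count): password= lines inside the given stanzas are
    rewritten with new_encoded; every other line is passed through verbatim."""
    if not re.fullmatch(r"[0-9a-fA-F]+", new_encoded):
        raise ValueError("expected the hex string printed by bmcryptpw")
    out, stanza, count = [], None, 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]                      # preserve the file's line endings
        m = re.fullmatch(r"\s*\[(\w+)\]\s*", body)
        if m:
            stanza = m.group(1).lower()
        elif stanza in stanzas and re.match(r"\s*password\s*=", body):
            key, _, value = body.partition("=")
            _old, sep, treebin = value.strip().partition(",")   # keep ',<path>/tree.bin'
            body = "%s=%s%s%s" % (key.strip(), new_encoded, sep, treebin)
            count += 1
        out.append(body + eol)
    return "".join(out), count


def rotate_password_file(path, new_encoded, stanzas=STANZAS):
    """Rewrite the policy file in place, keeping a .bak copy and the file mode."""
    with open(path) as f:
        new_text, count = rotate_password(f.read(), new_encoded, stanzas)
    if count == 0:
        raise ValueError("no password= line in stanzas %s of %s" % (stanzas, path))
    shutil.copy2(path, path + ".bak")
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new_text)
    shutil.copymode(path, tmp)      # the policy file should stay readable only by the component's account
    os.replace(tmp, path)           # atomic: no half-written policy if interrupted
    return count


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    plc = os.path.join(workdir, "site.plc")
    with open(plc, "w") as f:
        f.write(SAMPLE_SITE_PLC)
    print("updated %d password lines" % rotate_password_file(plc, "0123456789abcdef"))
    print(open(plc).read())
```

The stanzas parameter is there for the Control-M/EM case, where the procedure names different files; pass the stanza names that the file you are editing actually uses, and restart the component afterwards, as the note at the start of this section requires.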
Appendix A  Configuring security policies

A security policy is defined by entries made in security policy tables. A Site Policy table is required for each major Control-M component (Control-M/Server, Control-M/Agent, and Control-M/EM). The entries in these Site Policy tables provide the basic framework for the Control-M site's security policy.

This appendix covers the following topics:

- UNIX environment
- Sample .plc files
- Microsoft Windows environment
- Sample Microsoft Windows registry keys
- Security policy variables
- Security levels
- Access files

Additions and modifications to the Site Policy, if needed, are defined in optional Application Policy tables for various Control-M functions. Entries in these tables add to and supersede the entries in the Site Policy tables.

On UNIX computers, the security policy tables are contained in .plc files. On Microsoft Windows computers, these tables are contained in the Registry.

SSL communication policy is based on variable-value pairs called attributes that are stored in policy tables. Each UNIX stanza (or Microsoft Windows Registry key) contains the appropriate attributes. Some attributes do not apply to certain functions, some do not apply to certain security levels, and some cannot be changed.

Security policy is implemented by assigning values to the attribute variables described in Table 14 on page 78. Default policy values for each major Control-M component are specified in that component's site.plc file or site Registry hive. When a network communication connection is established, the profile for that connection is obtained from variables in the .plc files (for UNIX) or in the Registry (for Microsoft Windows). The .plc files are described on page 72. The Microsoft Windows Registry is described on page 74.

Appendix A Configuring security policies 71
NOTE Changes to the key database, key database password, and security policy do not take effect until you restart Control-M/Server, Control-M/Agent, and Control-M/EM.

UNIX environment

In the UNIX environment, Policy Tables are implemented in ASCII text Policy Files in standard .ini format. Policy Tables are stored in .plc files located in these directories:

    <CONTROL-M/Server_directory>/ctm_server/data/SSL/cert
    <CONTROL-M/Agent_directory>/ctm_server/data/SSL/cert or <CONTROL-M/Server_directory>/ctm_agent/ctm/data/SSL/cert
    <CONTROL-M/EM_directory>/etc/site/resource/SSL/cert

Stanzas in the Site Policy and Application Policy files specify the security module that supports the role defined by the stanza. If an application acts as a network server, security attributes are obtained from the [server] stanza. If an application acts as a network client, security attributes are obtained from the [client] stanza. A typical Site Policy is shown in Control-M/Server site.plc file on page 73.

When establishing the type of communication listed in the table below, the values (if any) in the relevant application .plc file override the values in the site.plc file.

    Application .plc file   Type of communication
    ns.plc                  Control-M/Server to Control-M/Agent
    co.plc                  Control-M/Server to Control-M/EM
    ca.plc                  Control-M/Server Configuration Agent to Control-M Configuration Manager
    ag.plc                  Control-M/Agent to Control-M/Server
    gtw.plc                 Control-M/EM gateway to Control-M/Server
    cmsg.plc                Control-M Configuration Server to Control-M Configuration Agent
    em.plc                  (for Control-M/EM internal encryption purposes)

Sample .plc files

Sample .plc files similar to the ones shown below are provided with the installation.
Control-M/Server co.plc file

    [server]
    identity=codn
    logfile=cosrv.log
    [client]
    logfile=cocln.log
    identity=codn
    keyfile=$controlm/data/ssl/cert/ctmkey.kdb

Control-M/Server site.plc file

    [server]
    bindir=<controlm>/exe_<machine>
    bindir64=<controlm>/exe_<machine>
    keyfile=ctmkey.kdb
    security_level=4
    logdir=$controlm/data/ssl/log
    loglevel=error,warning,info,trace
    securitydir=$controlm/data/ssl/cert
    sksdir=$controlm/data/ssl/cert
    password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,<controlm>/data/SSL_directory/cert/tree.bin
    [client]
    bindir=<controlm>/exe_<machine>
    bindir64=<controlm>/exe_<machine>
    keyfile=ctmkey.kdb
    security_level=4
    logdir=$controlm/data/ssl/log
    loglevel=error,warning,info,trace
    securitydir=$controlm/data/ssl/cert
    sksdir=$controlm/data/ssl/cert
    password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,<controlm>/data/SSL_directory/cert/tree.bin

Control-M/Server ns.plc file

    [server]
    identity=nsdn
    logfile=nssrv.log
    security_level=3
    [client]
    identity=nsdn
    logfile=nscln.log
    keyfile=$controlm/data/ssl/cert/ctmkey.kdb

Control-M/Enterprise Manager site.plc file

    [client]
    bindir=$em_home/appl/lib/bin.$arch
    bindir64=$em_home/appl/lib/bin.$arch
    keyfile=gtwkey.kdb
    security_level=4
    logdir=$em_home/site/resource/ssl/log
    loglevel=error
    securitydir=$em_home/site/resource/ssl/cert
    sksdir=$em_home/site/resource/ssl/cert

Control-M/Enterprise Manager co.plc file

    [client]
    logfile=gtw_ssl.log
    identity=codn
    keyfile=$em_home/site/resource/ssl/cert/gtwkey.kdb
    password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,$em_home/site/resource/local/tree.bin

Microsoft Windows environment

NOTE BMC does not recommend editing the Windows registry unless you have experience working with the registry and you back up the registry before proceeding.

A security policy is defined by string entries in Policy Tables in the Windows Registry. The Site Policy key is always required. Its path is

    HKEY_LOCAL_MACHINE\SOFTWARE\Bmc Software\CONTROL-M/Server\SecurityPolicy\site

The basic security policy is defined by Site Policy keys. Modifications, if needed, are defined by optional Application Policy keys.

Policy Tables contain string entries that specify the security module that supports the function defined by the keys in the Windows Registry. The communications security policy is determined by the role the application is playing: client or server. Therefore, the Policy Tables contain two communications keys, one for the server function:

    HKEY_LOCAL_MACHINE\SOFTWARE\Bmc Software\CONTROL-M/Server\SecurityPolicy\site\client

and one for the client function:

    HKEY_LOCAL_MACHINE\SOFTWARE\Bmc Software\CONTROL-M/Server\SecurityPolicy\site\server
Sample Policy Tables for Microsoft Windows are listed under Control-M/Server registry on page 75. The Policy Tables are at the following Registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\{Agent|Server}\SecurityPolicy\{site|NS|CA|CO|AG}\{client|server|common}

Values (if any) specified in the relevant NS, CA, CO, and AG Registry keys override the values specified in the site Registry key.

Sample Policy Tables for Microsoft Windows are listed under Control-M/Enterprise Manager registry on page 77. The Policy Tables are at the following Registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\SecurityPolicy\{site|GTW|CMSG|EM}\{client|server|common}

Values (if any) specified in the relevant GTW, CMSG, and EM Registry keys override the values specified in the site Registry key.

NOTE The EM Registry contains an EM key for internal encryption purposes. Do not change this key.

Sample Microsoft Windows registry keys

Default Registry key entries are shown below for Control-M/Server and Control-M/EM.

Control-M/Server registry

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\CO]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\CO\client]
    "logfile"="cocln.log"
    "keyfile"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\cert\\ctmkey.kdb"
    "identity"="codn"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\CO\server]
    "identity"="codn"
    "logfile"="cosrv.log"
    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\NS]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\NS\client]
    "identity"="nsdn"
    "logfile"="nscln.log"
    "keyfile"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\cert\\ctmkey.kdb"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\NS\server]
    "identity"="nsdn"
    "logfile"="nssrv.log"
    "security_level"="3"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\site]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\site\client]
    "bindir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\exe"
    "securitydir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\cert"
    "logdir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\log"
    "loglevel"="error"
    "keyfile"="ctmkey.kdb"
    "security_level"="4"
    "sksdir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\cert"
    "password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,d:\\program Files\\BMC Software\\CONTROL-M Server\\CTM_SERVER\\DATA\\SSL\\Cert\\tree.bin"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\site\common]
    "sksdir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\cert"
    "bindir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\exe"
    "keyfile"="ctmkey.kdb"
    "security_level"="4"
    "logdir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\log"
    "loglevel"="error,warning,info,trace"
    "securitydir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\cert"
    "password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,d:\\program Files\\BMC Software\\CONTROL-M Server\\CTM_SERVER\\DATA\\SSL\\Cert\\tree.bin"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M/Server\SecurityPolicy\site\server]
    "bindir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\exe"
    "keyfile"="ctmkey.kdb"
    "security_level"="4"
    "logdir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\log"
    "loglevel"="error"
    "securitydir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\cert"
    "sksdir"="d:\\program Files\\BMC Software\\CONTROL-M Server\\ctm_server\\data\\ssl\\cert"
    "password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,d:\\program Files\\BMC Software\\CONTROL-M Server\\CTM_SERVER\\DATA\\SSL\\Cert\\tree.bin"
Control-M/Enterprise Manager registry

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy\CMSG]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy\CMSG\client]
    "securitydir"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Gtwgcs\\appl\\ecs\\resource\\ssl\\cert"
    "loglevel"="error"
    "logfile"="cmsgssl.log"
    "keyfile"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Gtwgcs\\appl\\ecs\\resource\\ssl\\cert\\cmsgkey.kdb"
    "password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Ini\\local\\tree.bin"
    "identity"="cadn"
    "security_level"="4"
    "sksdir"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Gtwgcs\\appl\\ecs\\resource\\ssl\\cert"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy\EM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy\EM\client]
    "securitydir"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Gtwgcs\\appl\\ecs\\resource\\ssl\\cert"
    "identity"="codn"
    "logfile"="emssl.log"
    "loglevel"="error"
    "password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Ini\\local\\tree.bin"
    "keyfile"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Ini\\local\\emkey.kdb"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy\GTW]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy\GTW\client]
    "sksdir"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Gtwgcs\\appl\\ecs\\resource\\ssl\\cert"
    "security_level"="4"
    "identity"="codn"
    "password"="a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Ini\\local\\tree.bin"
    "keyfile"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Gtwgcs\\appl\\ecs\\resource\\ssl\\cert\\gtwkey.kdb"
    "logfile"="gtwssl.log"
    "loglevel"="error"
    "securitydir"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Gtwgcs\\appl\\ecs\\resource\\ssl\\cert"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy\site]

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise Manager\7.0.X\Default\SecurityPolicy\site\client]
    "bindir"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\bin"
    "logdir"="d:\\program Files\\BMC Software\\CONTROL-M EM \\Default\\Ini\\local\\log"

    [HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\CONTROL-M\CONTROL-M/Enterprise
Security policy variables

The following security policy variables are located in the appropriate Microsoft Windows Registry keys and UNIX .plc files.

Table 14 Security policy variables

security_level
    A digit from 1 through 4. These levels are described in Security levels on page 79.

bindir
    Absolute path to a subdirectory containing the dynamically loaded security binary modules. For example: D:\Program Files\BMC Software\Control-M Server\ctm_server\exe

bindir64
    bindir for a 64-bit computer. For example: D:\Program Files\BMC Software\Control-M Server\exe_MACHINE

sksdir
    Absolute path to a Security Key Store read/write subdirectory where Control-M encrypted keys are stored. For example: D:\Program Files\BMC Software\Control-M Server\etc\site\resource\ssl\cert

securitydir
    Absolute path to a read-only subdirectory where *.kdb key databases and key material files are stored. For example: "securitydir"="d:\program Files\BMC Software\Control-M Server\ctm_server\data\SSL\cert"

password
    Encrypted password (generated by the bmcryptpw utility), followed by a comma, followed by the absolute path of the key material file (used for 3DES key computation). Embedded blanks are not allowed. See To create an SSL key database on page 52 and To change the key database password on page 65.

keyfile
    Absolute path of the key database file. For example: keyfile=d:\program Files\BMC Software\Control-M Server\data\SSL_directory\cert\ctmkey.kdb

identity
    Key pair label (CADN, CODN, NSDN, or AGDN) in a key database.

logdir
    Absolute path to the subdirectory containing the log file. For example: "logdir"="d:\program Files\BMC Software\Control-M Server\ctm_server\etc\site\resource\ssl\log"

loglevel
    One or more of the following values, separated by commas: ERROR, WARNING, INFO, TRACE

logfile
    Log file (path and) name. For example: logfile=gtw_ssl.log
Security levels

For Control-M/Server and Control-M/Agent, the default security level is 3 in server role and 4 in client role. For Control-M/EM gateways, the default security level is always 4.

You must specify the same security level for a pair of components that communicate with each other. There is one exception: for the communication channel between Control-M/Agent and Control-M/Server, you can specify level 3 for communication in server role and level 4 for communication in client role.

Security level 1

Security level 1 provides privacy only. After a secure connection is established, user data is encrypted using TripleDES. This level does not provide authentication. When a client-server connection is established, a session key is generated and exchanged using the Diffie-Hellman secure key exchange method.

Security level 1 usually prevents access by a casual network browser. To prevent access by a skilled and determined intruder, use security level 2 or higher.

Security level 2

Security level 2 implements the Secure Socket Layer protocol. A server operating at security level 2 accesses a private database of key pairs and retrieves the key pair named in the identity attribute of its security policy. It uses the key pair values and accompanying certificate to establish an SSL connection with the client.

A client operating at security level 2 accepts the server's certificate. SSL ordinarily requires the client to establish a chain of trust for the server's certificate down to a trusted root. But, in security level 2, the client omits this step and accepts the server's certificate if the certificate's attributes (for example, inception and expiration date) are acceptable.

When using security level 2, the server and client cannot be sure of each other's identity. Nevertheless, a secure exchange of the session key occurs and privacy superior to that of security level 1 is provided.
Security level 3

Security level 3 operates like security level 2 except that the client must use its own database of certificates to establish a chain of trust for the server's certificate down to a trusted root. This is in addition to the requirement that all other attributes of the server's certificate be acceptable. Therefore, the client can be certain of the identity of the server, but the server cannot be certain of the identity of the client. This connection is said to have server authentication only.
Security level 4

Security level 4 provides privacy and authentication for both client and server. Security level 4 is enforced by the server. After a handshake with the client as described in security level 3, the server sends a message to the client demanding a rehandshake. The client returns its own certificate, which the server verifies down to a trusted root. If the client does not provide a certificate that the server can verify, the server shuts down the connection. Since each peer has identified itself to the other, this connection is said to have mutual authentication.

After changing the security level, stop and restart the services listed in Table 15 to implement the change.

Table 15 Services to be stopped and restarted

    Service                Reference
    Control-M/Server       Control-M Administrator Guide
    Control-M/Agent        Control-M Administrator Guide
    Control-M/EM Gateway   Use the Control-M Configuration Facility to stop and restart Control-M/EM Gateway to implement the change. This facility is described in the Control-M Administrator Guide.
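The policy resolution described under UNIX environment, the attribute rules of Table 14, and the level-pairing rule above, as one added Python example that is not part of this guide or of BMC's code. It assumes a constructed site.plc and ns.plc pair modelled on the samples, with a placeholder key-material path; the Windows \common key, which would also feed the merge, is left out.

```python
"""Resolve and lint the effective Control-M SSL policy for one connection.

Added example, not BMC code. It models only what the guide states: policy
tables are .ini-style files with [server] and [client] stanzas; application
.plc values override site.plc; security_level is 1..4; loglevel is a comma
list of ERROR/WARNING/INFO/TRACE; identity is CADN/CODN/NSDN/AGDN; password is
"<encrypted>,<absolute key-material path>" with no embedded blanks; peers use
the same level except Server<->Agent may use 3 (server role) / 4 (client role).
"""
import configparser
import re
from typing import Dict, List

Policy = Dict[str, str]

# Constructed samples modelled on the guide's UNIX site.plc and ns.plc listings;
# the key-material path is a placeholder.
SITE_PLC = """
[server]
keyfile=ctmkey.kdb
security_level=4
loglevel=error,warning,info,trace
password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,/opt/ctm/data/SSL/cert/tree.bin
[client]
keyfile=ctmkey.kdb
security_level=4
loglevel=error
password=a877b993b0b40c558176bbb07efc54da43505b61b5d07d9d,/opt/ctm/data/SSL/cert/tree.bin
"""

NS_PLC = """
[server]
identity=nsdn
logfile=nssrv.log
security_level=3
[client]
identity=nsdn
logfile=nscln.log
keyfile=$CONTROLM/data/SSL/cert/ctmkey.kdb
"""

VALID_LEVELS = {"1", "2", "3", "4"}
VALID_LOGLEVELS = {"error", "warning", "info", "trace"}
VALID_IDENTITIES = {"cadn", "codn", "nsdn", "agdn"}
ABS_PATH = re.compile(r"^(/|[A-Za-z]:\\)")  # UNIX path or Windows drive path


def load_policy(text: str) -> Dict[str, Policy]:
    """Parse one policy table; configparser lower-cases the attribute names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def effective_policy(site: Dict[str, Policy], app: Dict[str, Policy], role: str) -> Policy:
    """Site stanza for the role with the application .plc values laid on top."""
    merged = dict(site.get(role, {}))
    merged.update(app.get(role, {}))
    return merged


def lint_policy(policy: Policy) -> List[str]:
    """Report attribute values that Table 14's rules would reject."""
    problems: List[str] = []
    if policy.get("security_level") not in VALID_LEVELS:
        problems.append("security_level must be a digit from 1 through 4")
    for value in policy.get("loglevel", "error").split(","):
        if value.strip().lower() not in VALID_LOGLEVELS:
            problems.append(f"unknown loglevel value {value.strip()!r}")
    if policy.get("identity", "").lower() not in VALID_IDENTITIES:
        problems.append("identity must be CADN, CODN, NSDN, or AGDN")
    if not policy.get("keyfile"):
        problems.append("keyfile is missing")
    encrypted, sep, key_material = policy.get("password", "").partition(",")
    if not (sep and encrypted and key_material):
        problems.append("password must be '<encrypted>,<key material path>'")
    else:
        if " " in encrypted or " " in key_material:
            problems.append("password attribute must not contain embedded blanks")
        if not ABS_PATH.match(key_material):
            problems.append("key material path must be absolute")
    return problems


def peer_levels_ok(server_level: str, client_level: str, server_agent_channel: bool) -> bool:
    """Equal on both sides, or the 3 (server role) / 4 (client role) exception."""
    if server_level == client_level:
        return True
    return server_agent_channel and server_level == "3" and client_level == "4"


if __name__ == "__main__":
    site, ns = load_policy(SITE_PLC), load_policy(NS_PLC)
    for role in ("server", "client"):
        policy = effective_policy(site, ns, role)
        print(role, policy["security_level"], policy["identity"], lint_policy(policy) or "ok")
    print(peer_levels_ok("3", "4", server_agent_channel=True))  # True only on Server<->Agent
```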
Access files

Access files use fields in server certificates for authentication. Access files can be defined for Control-M/Server and Control-M/Agent. The default access file contains lines similar to these:

    [SSL_SERVER]
    ;
    ALLOW_ACL = *
    DENY_ACL =

Table 16 describes the parameters in the access file.

Table 16 Access file parameters

    Parameter    Description
    SSL_SERVER   Authentication confirming a server's identity
    ALLOW_ACL    Allows signed certificates to be sent to specified addresses. Default: * (Allow every client).
    DENY_ACL     Deny the sending of signed certificates to specified addresses. Default: blank (Does not deny any client).

NOTE The security level must be 4. For more information, see Security level 4 on page 80.

The server certificate field is checked after the regular SSL handshake, and after both peers have checked that the certificates that they received are signed by a trusted root CA.

DENY_ACL and ALLOW_ACL are used to control the sending of signed certificates to destinations. For more information, see Table 13 on page 57.

EXAMPLE Include the following lines in an access file to accept only the certificates issued to [email protected] and @bmc.com. The access file must deny all other certificates, including those signed by a trusted root.

    [SSL_SERVER]
    ;
    ALLOW_ACL = [email protected], @bmc.com
    DENY_ACL =
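The access-file check above, as an added Python example that is not BMC code. The matching rules it applies (comma-separated entries, "*" for every client, a leading "@" for a whole domain, a DENY_ACL hit taking precedence) and the sample addresses are assumptions, not stated in the guide; the field compared is assumed to be the e-mail address in the certificate.

```python
"""Decide whether a certificate passes a Control-M SSL access file.

Added example, not BMC code. The guide shows an [SSL_SERVER] stanza with
ALLOW_ACL (default "*", every client) and DENY_ACL (default blank, deny none),
consulted at security level 4 after both peers have validated the chain.
Assumptions the guide does not state: entries are comma separated, "*" matches
everything, an entry beginning with "@" matches a whole domain, a plain entry
must equal the certificate's e-mail address, and a DENY match wins.
"""
import configparser
from typing import List, Tuple

# Constructed access files; the addresses are placeholders, not from the guide.
DEFAULT_ACCESS_FILE = """
[SSL_SERVER]
;
ALLOW_ACL = *
DENY_ACL =
"""

RESTRICTED_ACCESS_FILE = """
[SSL_SERVER]
;
ALLOW_ACL = ops.admin@example.com, @bmc.com
DENY_ACL = contractor@bmc.com
"""


def parse_acl(value: str) -> List[str]:
    """Split a comma-separated ACL value into normalised (lower-case) entries."""
    return [entry.strip().lower() for entry in value.split(",") if entry.strip()]


def load_access_file(text: str) -> Tuple[List[str], List[str]]:
    """Return (allow, deny) from the [SSL_SERVER] stanza, applying the defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ALLOW_ACL / DENY_ACL exactly as written
    cp.read_string(text)
    stanza = cp["SSL_SERVER"]
    return parse_acl(stanza.get("ALLOW_ACL", "*")), parse_acl(stanza.get("DENY_ACL", ""))


def entry_matches(entry: str, email: str) -> bool:
    """Match one ACL entry against one certificate e-mail address."""
    if entry == "*":
        return True
    if entry.startswith("@"):  # domain entry; the "@" anchors the suffix match
        return email.endswith(entry)
    return email == entry


def certificate_allowed(email: str, allow: List[str], deny: List[str]) -> bool:
    """DENY_ACL is consulted first; otherwise the address must hit ALLOW_ACL."""
    email = email.strip().lower()
    if any(entry_matches(entry, email) for entry in deny):
        return False
    return any(entry_matches(entry, email) for entry in allow)


def decide(access_file_text: str, email: str) -> bool:
    """Load the access file and evaluate one certificate address against it."""
    allow, deny = load_access_file(access_file_text)
    return certificate_allowed(email, allow, deny)


if __name__ == "__main__":
    for addr in ("ops.admin@example.com", "someone@bmc.com",
                 "contractor@bmc.com", "outsider@example.org"):
        print(addr, "accepted" if decide(RESTRICTED_ACCESS_FILE, addr) else "rejected")
```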
83 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Index publications, related 11 A absolute paths, for deploying web application servers 35 Access Files 81 Add CA function sslcmd utility 51 Add cert function sslcmd utility 51, 57, 60, 61, 62 Add CRL function sslcmd utility 51, 65 ag.plc file AGDN alias ID 55 alias IDs 55 ALLOW_ACL access files 81 APIs certificates 38 communication 33 TCP/IP communication 34 application policy configuring 71 attributes security policy 71 authentication client 16 mutual 80 overview 10 re-handshake 80 server 16, 79 B bindir variable 78 bindir64 variable 78 BMC Batch Impact Manager certificates 38 TCP/IP 37 BMC Software, contacting 2 C certificate format.cer 41.pem 41 convert 41 certificate signing authority 53 certificate signing request 38, 56 certificates and TAO 24 default 14 demo 34 expiration 27 formats 24, 39 listing 51 private key for SSL 25 processing for APIs and BMC Batch Impact Manager 38 X.509 format 57 Change password function sslcmd utility 51, 66 client authentication 16 client stanza security policy 72 CmsCommMode Control-M/EM communication mode 12 co.plc file CODN alias ID 55 CODN alias ID 55 Common Name 57 COMMOPT determine Agent s communication mode 11 communication mode COMMOPT parameter 11 communication modes ctmsys utility 11 disabled 11 enabled 11 inactive 11 communication types API 33 plc files 72 configmanager utility 35 Control-M managed instances 19 unmanaged instances 19 Control-M/Agent COMMOPT parameter 11 SSL installation 17 unavailable 11 Index 83
84 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Control-M/EM APIs 34 co.plc file 74 Registry 77 site.plc file 73 Control-M/Server co.plc file 73 ctmsys utility 17 ns.plc file 73 Registry 75 site.plc file 73 SSL installation 17, 21 CORBA naming service 26 cryptographic key pair 55 CSR 38 ctmsys utility Control-M/Server 17 SSL parameter 11 customer support 3 D database keys listing 51 Define Encoding Rules format 39 Delete CA function sslcmd utility 51 Delete key function sslcmd utility 51, 64 demo certificates 34 DENY_ACL access files 81 Diffie-Hellman protocol 79 disabled communication mode 11 Distinguished Name Information 57 E enabled communication mode 11 encrypted passwords updating 66 encryption Triple DES 79 errors SSL 27 Exit function sslcmd utility 52 expiration certificates 27 Export key pair function sslcmd utility 69 G Generate CSR function sslcmd utility 51, 60, 61, 62 Generate key function sslcmd utility 51, 55, 56, 60, 61, 62 Generate Public/Private Keys for a Certificate 55 generate public-private key pairs for a certificate 51 gtw.plc file CODN alias ID 55 I identity variable 78 inactive communication mode 11 INETSDK tools, Microsoft 53 installation SSL for Control-M/Agent 17 SSL for Control-M/EM 19 SSL for Control-M/Server 17, 21 J JacORB CORBA implementation 16 Java KeyStore 13 K KDB key database file 12 key databases functions 45 overview 45 key pairs cryptographic 55 keyfile variable 78 keys default 14 Registry 75 L List CA function sslcmd utility 51 List certs function sslcmd utility 51 List keys function sslcmd utility 51 logdir variable 78 logfile variable 78 loglevel variable Control-M SSL Guide
85 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z M mutual authentication 80 N name,value pairs security attributes 71 security policy 74 naming service (CORBA) 26 NamingViewer Naming Service browser 16 ns.plc file NSDN alias ID 55 NSDN alias ID 55 O openssl convert format 41 documentation 46, 61 P password variable 78 passwords private key for SSL 25 updating 66 path Registry 74 paths absolute 35 relative 35 PEM certificate format 24 PEM Privacy enhanced mail 12 plc files samples 72 Unix environment 72 policy attributes security policy 16, 74 policy tables.ini format 72.plc files 72 Microsoft Windows 74 privacy overview 10 Privacy-Enhanced Mail format 53 product support 3 R Registry keys 75 path 74 security policy 71, 75 re-handshake authentication 80 relative paths, for deploying web application servers 35 S security levels 79 security policy configuring 71 default values 71 levels 79 overview 10 policy attributes 74 Registry 71 SSL 16 stanzas 72 Unix environment 72 variables 78 Windows 74 security_level variable 78 securitydir variable 78 server authentication 16, 79 server stanza security policy 72 site policy configuring 71 examples 72 sksdir variable 78 Software Requirements 13 SSL 10 error messages 27 overview 10 ssl_client_server.conf file 25 SSL option ctmsys utility 11 SSL_SERVER 81 sslcmd utility database maintenance 62 key maintenance 62 stanza security module support 72 support, customer 3 T TAO certificates 24 TCP/IP APIs 34 BMC Batch Impact Manager 37 technical support 3 Triple DES encryption 79 Trusted Root Certificate Authority 53 Index 85
86 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z U Unix environment security policy 72 updating encrypted passwords 66 V View CA function sslcmd utility 51 W WarningSSLExpirationDays system parameter 27 Windows Registry Keys 75 security policy 74 Windows Registry path 74 security policy 71, 74 wizard to generate Component Certificates 46 X X.509 DER format 39 X.509 PEM format 53, Control-M SSL Guide
Ekran System Help File
Ekran System Help File Table of Contents About... 9 What s New... 10 System Requirements... 11 Updating Ekran to version 4.1... 13 Program Structure... 14 Getting Started... 15 Deployment Process... 15
BMC Remedy IT Service Management Suite 7.6.04 Installing and Configuring Server Groups
BMC Remedy IT Service Management Suite 7.6.04 Installing and Configuring Server Groups January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From
Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2
Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2 Table of Contents Table of Contents... 1 I. Introduction... 3 A. ASP.NET Website... 3 B. SQL Server Database... 3 C. Administrative
CA Nimsoft Unified Management Portal
CA Nimsoft Unified Management Portal HTTPS Implementation Guide 7.6 Document Revision History Document Version Date Changes 1.0 June 2014 Initial version for UMP 7.6. CA Nimsoft Monitor Copyright Notice
CA Unified Infrastructure Management Server
CA Unified Infrastructure Management Server CA UIM Server Configuration Guide 8.0 Document Revision History Version Date Changes 8.0 September 2014 Rebranded for UIM 8.0. 7.6 June 2014 No revisions for
NSi Mobile Installation Guide. Version 6.2
NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...
Sophos Mobile Control Installation guide
Sophos Mobile Control Installation guide Product version: 2.5 Document date: July 2012 Contents 1 Introduction... 3 2 The Sophos Mobile Control server... 4 3 Set up Sophos Mobile Control... 13 4 Running
http://docs.trendmicro.com
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
How To Create An Easybelle History Database On A Microsoft Powerbook 2.5.2 (Windows)
Introduction EASYLABEL 6 has several new features for saving the history of label formats. This history can include information about when label formats were edited and printed. In order to save this history,
http://docs.trendmicro.com
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright
Installing and Configuring WhatsUp Gold
Installing and Configuring WhatsUp Gold This guide provides information about installing and configuring WhatsUp Gold v14.2, including instructions on how to run the WhatsUp web interface through an Internet
Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.
Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.3 Table of Contents Overview... 1 Configuring One-Way Secure Socket
Bentley CONNECT Dynamic Rights Management Service
v1.0 Implementation Guide Last Updated: March 20, 2013 Table of Contents Notices...5 Chapter 1: Introduction to Management Service...7 Chapter 2: Configuring Bentley Dynamic Rights...9 Adding Role Services
Xerox Multifunction Devices. Verify Device Settings via the Configuration Report
Xerox Multifunction Devices Customer Tips March 15, 2007 This document applies to these Xerox products: X WC 4150 X WCP 32/40 X WCP 35/45/55 X WCP 65/75/90 X WCP 165/175 X WCP 232/238 X WCP 245/255 X WCP
ArcGIS 9. Installation Guide: Workgroup for Microsoft SQL Server Express
ArcGIS 9 Installation Guide: Workgroup for Microsoft SQL Server Express Copyright 2006 ESRI All Rights Reserved. Printed in the United States of America. The information contained in this document is the
How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal 1.1.3 On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (
Avaya one X Portal 1.1.3 Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL) Configuration This document provides configuration steps for Avaya one X Portal s 1.1.3 communication
Using Logon Agent for Transparent User Identification
Using Logon Agent for Transparent User Identification Websense Logon Agent (also called Authentication Server) identifies users in real time, as they log on to domains. Logon Agent works with the Websense
Implementing Secure Sockets Layer on iseries
Implementing Secure Sockets Layer on iseries Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts Digital Certificate Manager Local Certificate Authority Server Certificates
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Desktop Surveillance Help
Desktop Surveillance Help Table of Contents About... 9 What s New... 10 System Requirements... 11 Updating from Desktop Surveillance 2.6 to Desktop Surveillance 3.2... 13 Program Structure... 14 Getting
Control-M/Agent for UNIX and Microsoft Windows 7.0.00.500 Release Notes November 2013
Control-M/Agent for UNIX and Microsoft Windows 7.0.00.500 Release Notes November 2013 www.bmc.com Contents Introduction to the Control-M/Agent for UNIX and Microsoft Windows Release Notes... 3 Control-M/Agent
BMC Service Request Management 7.6.04 User s Guide
BMC Service Request Management 7.6.04 User s Guide January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information
Certificates for computers, Web servers, and Web browser users
Entrust Managed Services PKI Certificates for computers, Web servers, and Web browser users Document issue: 3.0 Date of issue: June 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark
Remote Management System
RMS Copyright and Distribution Notice November 2009 Copyright 2009 ARTROMICK International, Inc. ALL RIGHTS RESERVED. Published 2009. Printed in the United States of America WARNING: ANY UNAUTHORIZED
SolarWinds Technical Reference
SolarWinds Technical Reference Using SSL Certificates in Web Help Desk Introduction... 1 How WHD Uses SSL... 1 Setting WHD to use HTTPS... 1 Enabling HTTPS and Initializing the Java Keystore... 1 Keys
Installation and Configuration Guide
Entrust Managed Services PKI Auto-enrollment Server 7.0 Installation and Configuration Guide Document issue: 1.0 Date of Issue: July 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark
etrust Audit Using the Recorder for Check Point FireWall-1 1.5
etrust Audit Using the Recorder for Check Point FireWall-1 1.5 This documentation and related computer software program (hereinafter referred to as the Documentation ) is for the end user s informational
Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP
Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP Deployment Guide Cisco VCS X8.1 D14465.06 December 2013 Contents Introduction 3 Process summary 3 LDAP accessible authentication server configuration
Universal Content Management Version 10gR3. Security Providers Component Administration Guide
Universal Content Management Version 10gR3 Security Providers Component Administration Guide Copyright 2008 Oracle. All rights reserved. The Programs (which include both the software and documentation)
User Guide. CTERA Agent. August 2011 Version 3.0
User Guide CTERA Agent August 2011 Version 3.0 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written permission
BMC CONTROL-M Agentless Tips & Tricks TECHNICAL WHITE PAPER
BMC CONTROL-M Agentless Tips & Tricks TECHNICAL WHITE PAPER Table of Contents BMC CONTROL-M An IT workload automation platform... 1 Using standard agent-based scheduling... 1 Agentless scheduling... 1
Ahsay Replication Server v5.5. Administrator s Guide. Ahsay TM Online Backup - Development Department
Ahsay Replication Server v5.5 Administrator s Guide Ahsay TM Online Backup - Development Department October 9, 2009 Copyright Notice Ahsay Systems Corporation Limited 2008. All rights reserved. Author:
Acronis Backup & Recovery 11.5 Quick Start Guide
Acronis Backup & Recovery 11.5 Quick Start Guide Applies to the following editions: Advanced Server for Windows Virtual Edition Advanced Server SBS Edition Advanced Workstation Server for Linux Server
Microsoft Dynamics GP. Workflow Installation Guide Release 10.0
Microsoft Dynamics GP Workflow Installation Guide Release 10.0 Copyright Copyright 2008 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of
BMC Client Management - Client Agent Rollout. Version 12.0
BMC Client Management - Client Agent Rollout Version 12.0 Legal Notices Copyright 1999, 2009 BMC Software, Inc. Copyright 1994-2014 Numara Software, Inc. BMC, BMC Software, and the BMC Software logo are
BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide
BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9
Installation Guide for Pulse on Windows Server 2012
MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
CA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
Immotec Systems, Inc. SQL Server 2005 Installation Document
SQL Server Installation Guide 1. From the Visor 360 installation CD\USB Key, open the Access folder and install the Access Database Engine. 2. Open Visor 360 V2.0 folder and double click on Setup. Visor
Setting Up Email. on Your Touch by HTC
Setting Up Email on Your Touch by HTC Intellectual Property Notices 2007 Sprint Nextel. All rights reserved. No reproduction in whole or in part without prior written approval. SPRINT and other trademarks
Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide
Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government
Pro-Watch Software Suite Installation Guide. 2013 Honeywell Release 4.1
Pro-Watch Software Suite Release 4.1 Installation Guide Document 7-901073V2 Pro-Watch Software Suite Installation Guide 2013 Honeywell Release 4.1 Copyright 2013 Honeywell. All rights reserved. Pro-Watch
Installation Guide for Pulse on Windows Server 2008R2
MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
Integrated SSL Scanning
Version 9.2 SSL Enhancements Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive
Laptop Backup - Administrator Guide (Windows)
Laptop Backup - Administrator Guide (Windows) Page 1 of 86 Page 2 of 86 Laptop Backup - Administrator Guide (Windows) TABLE OF CONTENTS OVERVIEW PREPARE COMMCELL SETUP FIREWALL USING PROXY SETUP FIREWALL
Setting Up a Unisphere Management Station for the VNX Series P/N 300-011-796 Revision A01 January 5, 2010
Setting Up a Unisphere Management Station for the VNX Series P/N 300-011-796 Revision A01 January 5, 2010 This document describes the different types of Unisphere management stations and tells how to install
Integration with Active Directory
VMWARE TECHNICAL NOTE VMware ACE Integration with Active Directory This document explains how to set up Active Directory to use with VMware ACE. This document contains the following topics: About Active
CHAPTER 7 SSL CONFIGURATION AND TESTING
CHAPTER 7 SSL CONFIGURATION AND TESTING 7.1 Configuration and Testing of SSL Nowadays, it s very big challenge to handle the enterprise applications as they are much complex and it is a very sensitive
Dell Recovery Manager for Active Directory 8.6. Quick Start Guide
Dell Recovery Manager for Active Directory 8.6 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished
Parallels Panel. Parallels Small Business Panel 10.2: User's Guide. Revision 1.0
Parallels Panel Parallels Small Business Panel 10.2: User's Guide Revision 1.0 Copyright Notice ISBN: N/A Parallels 660 SW 39 th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax:
BusinessLink Software Support
BusinessLink Software Support V2R5 Upgrade Instructions Existing SSL Installations SSL Certificate Conversion Pre-Upgrade Table of Contents Overview... 1 Requirements For Certificate Conversion... 1 OS/400
enicq 5 System Administrator s Guide
Vermont Oxford Network enicq 5 Documentation enicq 5 System Administrator s Guide Release 2.0 Published November 2014 2014 Vermont Oxford Network. All Rights Reserved. enicq 5 System Administrator s Guide
CA NetQoS Performance Center
CA NetQoS Performance Center Install and Configure SSL for Windows Server 2008 Release 6.1 (and service packs) This Documentation, which includes embedded help systems and electronically distributed materials,
KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual
KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/
Matisse Installation Guide for MS Windows. 10th Edition
Matisse Installation Guide for MS Windows 10th Edition April 2004 Matisse Installation Guide for MS Windows Copyright 1992 2004 Matisse Software Inc. All Rights Reserved. Matisse Software Inc. 433 Airport
How To Manage Storage With Novell Storage Manager 3.X For Active Directory
www.novell.com/documentation Installation Guide Novell Storage Manager 4.1 for Active Directory September 10, 2015 Legal Notices Condrey Corporation makes no representations or warranties with respect
Upgrading from Call Center Reporting to Reporting for Contact Center. BCM Contact Center
Upgrading from Call Center Reporting to Reporting for Contact Center BCM Contact Center Document Number: NN40010-400 Document Status: Standard Document Version: 02.00 Date: June 2006 Copyright Nortel Networks
CA Nimsoft Service Desk
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
Using LDAP Authentication in a PowerCenter Domain
Using LDAP Authentication in a PowerCenter Domain 2008 Informatica Corporation Overview LDAP user accounts can access PowerCenter applications. To provide LDAP user accounts access to the PowerCenter applications,
