Zone 1 SSL Configuration
Zone 1 SSL configuration allows you to configure SSL between Control-M Web Server and Control-M client applications.
The following procedures describe how to configure SSL in zone 1.
Generating a Signed Certificate
This procedure describes how to generate a signed certificate.
You do not need to perform this procedure if you received a private key, signed certificate, root certificate or a .p12 keystore from your Security Administrator, or you are using the default tomcat.p12 provided with the installation.
Begin
- Navigate to one of the following directories:
  - UNIX: <EM Home Directory>/data/SSL/config
  - Windows: <EM Home Directory>\Data\SSL\config
- In the csr_params.cfg file, in the [dn] section, change the value of the following fields to the required values:
  - C = ex
  - ST = example_state
  - L = example_locality
  - O = example_organization
  - OU = example_unit
  - CN = example.example.com (FQDN of the Control-M/EM server)
    To enable you to specify both the short name and the FQDN of the Control-M/EM Server, this field supports the asterisk wildcard, as in CN = example*.
  - emailAddress = admin@example.com
  The csr_params.cfg file is a standard openssl configuration file. If you have any requirements for the certificate, you can include them in this file. In addition, for browser compatibility, it is recommended to add the following section to the file:
    [ req_ext ]
    keyUsage = digitalSignature, keyEncipherment
    subjectAltName = DNS:<Web Server FQDN>
  In the [ req ] section, after distinguished_name = dn, add the following line:
    req_extensions = req_ext
  For more information, see https://www.openssl.org.
  If you want the certificate that the CA generates from the CSR file to support several DNS names, list all the DNS names that must be supported in the subjectAltName attribute value, separated by commas, in the following format:
    subjectAltName = DNS:<DNS name 1>, DNS:<DNS name 2>, DNS:<DNS name 3>
- Create the private key and certificate signing request file by running the following:
    <ctmkeytool location>/ctmkeytool -create_csr -password <private key password>
  - (UNIX only) Ensure that you run this script using the Control-M/EM shell, such as em tcsh.
  - For more information, see ctmkeytool.
- Use the Certificate Signing Request (CSR) file to obtain the certificate file and the certificate chain file, with a .pem extension, from an external recognized CA. PEM format specifies that these certificates are ASCII-encoded X.509 certificates.
  Common suffixes for PEM files are .pem, .crt, .cer, or .ca-bundle.
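The CSR step above carried out with plain openssl instead of ctmkeytool, as an added example that is not part of the Control-M documentation or tooling: it writes a csr_params-style config with the recommended [ req_ext ] section and a multi-name subjectAltName, then reads back what the CSR actually requests. The DN values, hostnames and paths are constructed, and the key is written unencrypted for the demonstration.

```shell
#!/bin/sh
# Added example, not Control-M's ctmkeytool: write a csr_params-style OpenSSL config with
# the recommended [req_ext] section and a multi-name subjectAltName, create the private
# key and CSR with plain openssl, then confirm what the CSR actually asks for.
set -e
WORK="$(mktemp -d)"
# write_csr_config <cfg-path> <CN> <DNS name>... (DN values and hostnames are constructed)
write_csr_config() {
    cfg="$1"; cn="$2"; shift 2
    san=""
    for name in "$@"; do
        san="${san:+$san, }DNS:$name"      # DNS:<name 1>, DNS:<name 2>, ...
    done
    cat > "$cfg" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = US
ST = example_state
L = example_locality
O = example_organization
OU = example_unit
CN = $cn
emailAddress = admin@example.com
[ req_ext ]
keyUsage = digitalSignature, keyEncipherment
subjectAltName = $san
EOF
}
# create_csr <cfg> <key-out> <csr-out>: key left unencrypted here; ctmkeytool uses -password
create_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

# csr_dns_names <csr>: the DNS names the CSR requests, one per line (what the CA will sign)
csr_dns_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}
# csr_requests_key_usage <csr>: exit 0 if the [req_ext] keyUsage reached the CSR
csr_requests_key_usage() {
    openssl req -in "$1" -noout -text | grep -q 'Digital Signature, Key Encipherment'
}

write_csr_config "$WORK/csr_params.cfg" em.example.com em.example.com em alias.example.com
create_csr "$WORK/csr_params.cfg" "$WORK/private.key" "$WORK/request.csr"
csr_dns_names "$WORK/request.csr"
```

If a name is missing from the output, the CA cannot sign it, so run this check before sending the CSR rather than after the certificate comes back.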
Generating the tomcat.p12 Keystore
This procedure describes how to generate the tomcat.p12 certificate keystore.
- You do not need to perform this procedure if you received the tomcat.p12 keystore from your Security Administrator, or you are using the default tomcat.p12 provided with the installation.
- If you did not use the default tomcat.p12 password (changeit), you need to update it, as described in Updating the tomcat.p12 Password.
Begin
- Back up the existing tomcat.p12 keystore file in the <EM Home Directory>/ini/ssl directory.
- Create the tomcat.p12 keystore file by running the following command:
    openssl pkcs12 -in <certificate pem file name> -inkey <private key file name> -export -passout pass:<new tomcat.p12 keystore password> -passin pass:<private key password> -CAfile <certificate chain pem file name> -chain -out tomcat.p12 -name <keystore friendly name> -caname <ca friendly name>
- Save the tomcat.p12 file in the <EM Home Directory>/ini/ssl directory.
- Verify that the Web Server certificate is installed on Control-M client computers.
  If the certificate is not installed, copy the tomcat.p12 keystore file that contains the certificate to the Control-M client computer and run the certificate installation.
Updating the tomcat.p12 Password
This procedure describes how to update or change the tomcat.p12 password in the Web Server configuration. You need to perform this procedure every time you create a new tomcat.p12 keystore or change its password.
- You do not need to perform this procedure if you use the default tomcat.p12 provided with the installation.
- This procedure updates the new password in Control-M/EM. It does not change the keystore password in the keystore file.
Begin
- Update the tomcat.p12 keystore password in the <EM Home Directory>/ini/ssl/tomcat.ini file by running the following command:
    emcryptocli <new tomcat.p12 keystore password> <EM Home Directory>/ini/ssl/tomcat.ini
- Type the following command:
    manage_webserver
- Update the keystore password, as follows:
  - Press 1 to display the Tomcat configuration.
  - Press 3 to display Secure Connector Configuration.
  - Press 3 to edit the SSL connector.
  - Select the connector to edit.
  - Press 9 to update the keystore password.
Configuring SSL on Control-M Web Server
This procedure describes how to configure and enable SSL between Control-M client applications and the Control-M Web Server with the tomcat.p12 keystore. This SSL configuration occurs in zone 1.
BMC recommends that you bring your own certificate. For POC or demo purposes, you can use the default demo certificate provided with the installation in the <EM_HOME>/ini/ssl/tomcat.p12 keystore, or generate certificates signed by BMC using ManageSSL, as described in Generating Self Signed Certificates.
Before You Begin
- If you did not receive a private key, signed certificate, root CA certificate and chain in PEM format, or the tomcat.p12 keystore from your Security Administrator, you need to generate the certificate and the tomcat.p12 keystore, as described in Generating a Signed Certificate and Generating the tomcat.p12 Keystore.
- Verify that the certificates have the required authentication level, as described in Verifying Certificates Authentication Levels in Zone 1.
Begin
- Type the following command:
    manage_webserver
- Turn on SSL mode, by doing the following:
  - Press 1 to display the Tomcat configuration.
  - Press 4 to display SSL mode.
  - Set the current configuration for using SSL to [true].
- Run the following command:
    stop_web_server
- Recycle the GUI Server and the CMS.
- Verify that the Web Server certificate is installed on the Control-M client computer.
  If the certificate is not installed, copy the p12 keystore file that contains the certificate to the Control-M client computer and run the certificate installation.
If you are working in a Control-M/EM Distributed environment with multiple Control-M Web Servers, or in a high availability environment, you must provide a different keystore for each server.
Removing the Non-secured Connectors from the Web Server
This procedure describes how to remove the non-secured port between Control-M client applications and the Control-M Web Server. BMC recommends removing the non-secured ports.
Begin
- Type the following command:
    manage_webserver
- Press 1 to display the Tomcat configuration.
- Press 2 to display Connector Configuration.
- Delete a connector, as follows:
  - Press 4.
  - Choose the connector you want to delete from the list.
- Repeat the above step for all configured non-secured connectors.
Managing Secure Connectors
This procedure describes how to add, change, or delete secure connectors. By default, the installation includes a secure (HTTPS) and a non-secure (HTTP) connector. If you want to add, change, or delete a connector, use this procedure.
Begin
- Type the following command:
    manage_webserver
- Press 1 to display the Tomcat configuration.
- Press 3 to display Secure Connector Configuration.
- Do one of the following:
  - To add a new connector, do the following:
    - Press 2.
    - Provide the name of the keystore this connector will use.
  - To update a connector, do the following:
    - Press 3.
    - Choose the connector that you want to edit from the list.
    - Choose a parameter that you want to edit and update its value.
  - To delete a connector, do the following:
    - Press 4.
    - Choose the connector you want to delete from the list.
Testing SSL on the Control-M Web Server
This procedure describes how to test the HTTPS connector on the Control-M Web Server.
Begin
- Verify the hostname and port that are used by the relevant connector, by doing the following:
  - Type the following command:
      manage_webserver
  - Press 1 to display the Tomcat configuration.
  - Press 3 to display the secure connector configuration.
  - Press 1 to display the list of secure connectors.
- Log in to the CCM, select Web server URLs, and then click Web Server.
- From the web browser on the Control-M client computer, type the URL as follows:
    https://<web server's FQDN>:<web server's port>
  The Control-M Welcome Page appears.
Configuring Ciphers for the Control-M Web Server
This procedure describes how to configure ciphers for the Control-M Web Server in zone 1. By default, the Control-M Web Server supports the TLSv1.2 protocol; refer to the manage_webserver utility if you need to allow lower protocol versions. The available ciphers for Zone 1 are defined in <EM Home Directory>/ini/ssl_tomcat_ciphers.xml. If you want to use a cipher that is not listed in the file, or to limit the listed ciphers, perform this procedure.
The syntax of the cipher names used in this procedure is the same as the syntax used for cipher names in <EM Home Directory>/ini/ssl_tomcat_ciphers.xml.
Begin
- Add the new ciphers to the <EM Home Directory>/ini/ssl_tomcat_ciphers.xml file.
- Add the ciphers to the relevant secured connector, as follows:
  - Type the following command:
      manage_webserver
  - Press 1 to display the Tomcat configuration.
  - Press 3 to display Secure Connector Configuration.
  - Press 3 to edit the SSL Connector.
  - Select the connector you want to edit.
- Copy the list of existing ciphers to an external file and add or remove ciphers as required, as they appear in the <EM Home Directory>/ini/ssl_tomcat_ciphers.xml file.
- Select 1 and insert the new list of ciphers.
- From the CCM, recycle the Control-M Web Server.
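A policy screen for the edited cipher list before it is pasted into the Secure Connector, as an added example that is not Control-M code: it asks the local openssl what each name means and rejects suites without server authentication, forward secrecy or an AEAD cipher. It assumes OpenSSL cipher names separated by commas; the syntax in ssl_tomcat_ciphers.xml is authoritative for your installation.

```shell
#!/bin/sh
# Added example, not part of Control-M: screen a cipher list before pasting it into the
# Secure Connector. Assumes OpenSSL cipher names separated by commas, as in Tomcat's
# ciphers attribute; ssl_tomcat_ciphers.xml is the authority for your installation.

# cipher_line <name>: the "openssl ciphers -v" description of one suite, or nothing if
# OpenSSL does not know it. @SECLEVEL=0 keeps legacy suites visible so that weak names
# are rejected by the policy below instead of silently reported as unknown.
cipher_line() {
    openssl ciphers -v 'ALL:@SECLEVEL=0' 2>/dev/null | grep "^$1 " | head -n 1
}

# cipher_is_acceptable <name>: exit 0 only for a suite that OpenSSL knows, authenticates
# the server, offers forward secrecy (ECDHE/DHE or TLSv1.3) and uses an AEAD cipher.
cipher_is_acceptable() {
    line="$(cipher_line "$1")"
    [ -n "$line" ] || return 1
    case "$line" in
        *Au=None*) return 1 ;;                      # anonymous key exchange
    esac
    case "$line" in
        *TLSv1.3*|*Kx=ECDH*|*Kx=DH*) ;;             # forward secrecy
        *) return 1 ;;
    esac
    case "$line" in
        *Enc=AESGCM*|*Enc=CHACHA20*) return 0 ;;    # AEAD: GCM or ChaCha20-Poly1305
        *) return 1 ;;
    esac
}

# rejected_ciphers <comma-separated list>: prints every suite that fails the policy, one
# per line with the reason; prints nothing when the whole list is acceptable.
rejected_ciphers() {
    echo "$1" | tr ',' '\n' | while read -r name; do
        [ -n "$name" ] || continue
        if [ -z "$(cipher_line "$name")" ]; then
            echo "$name: unknown to OpenSSL"
        elif ! cipher_is_acceptable "$name"; then
            echo "$name: rejected by policy (anonymous, no forward secrecy, or non-AEAD)"
        fi
    done
}

# Constructed candidate list: two modern suites, one static-RSA CBC suite, one typo.
rejected_ciphers 'ECDHE-RSA-AES256-GCM-SHA384,TLS_AES_128_GCM_SHA256,AES128-SHA,ECDHE-RSA-AES128-GCM-SHA25'
```

A name that OpenSSL does not know is usually a typo that Tomcat will also ignore, which silently shrinks the list the connector offers.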
Reverting Back to an Old Connector
This procedure describes how to revert to an old connector if you deleted it.
Begin
- Do one of the following:
  - To replace the server.xml file if the delete or update action was the last action in the manage_webserver utility, do the following:
    - Navigate to the following directory:
      UNIX: <EM_HOME>/etc/emweb/tomcat/conf/
      Windows: <EM_HOME>\emweb\tomcat\conf
    - Delete the server.xml file.
    - Rename the server_lastfile.xml file to server.xml in the /backup directory.
  - To edit the server.xml file, add the HTTP connector:
      <Connector port="18080" protocol="HTTP/1.1"
                 connectionTimeout="20000"
                 redirectPort="8443" />
- From the CCM, recycle the Web Server.
Adding Root CA Certificates to the .p12 Keystore
This procedure describes how to add root CA certificates to the .p12 keystore with minimal downtime. You need to perform this procedure if the root CA certificate or one of the certificates in the intermediate chain is about to expire.
Begin
- Import the new root CA certificate (or chain of intermediate certificates) into the keystore used by the component.
  From a command line, type the following:
    keytool -v -importcert -trustcacerts -alias <new unique alias> -keystore <keystore file name> -storepass <keystore password> -storetype pkcs12 -file <added certificate file>
- Verify that the new CA certificate was added to your truststore by typing the following:
    keytool -keystore <keystore file> -list
  The added certificate appears in the list.
- Restart all components where you updated the keystore, and verify SSL connectivity.
- Remove the old root CA or intermediate chain certificate from all updated keystores, by running the following command:
    keytool -delete -keystore <keystore file> -alias root_to_remove
- Restart all components where you updated the keystore, and verify SSL connectivity.
Verifying Certificates Authentication Levels in Zone 1
This procedure describes how to verify the authentication level of a certificate and compare it to the security policy in the Web Server.
Each certificate installed on a Control-M component must fit the authentication level required for this component.
If the Control-M component authentication level and the authentication level supported by the installed certificate are not configured correctly, the SSL connection might fail.
Begin
- Verify the Zone 1 authentication level configuration for a specific HTTPS connector, as follows:
  - Type the following command:
      manage_webserver
  - Press 1 to display the Tomcat configuration.
  - Press 3 to display Secure Connector Configuration.
  - Press 3 to edit the SSL Connector.
  - Select the connector you want to edit.
  - Change the value of the clientAuth property (item 3), if required.
    The default value for clientAuth is false.
- In the certificate attributes, such as Key Usage and Extended Key Usage, check for the following values using openssl:
  - serverAuth
  - clientAuth
  - TLS Web Server Authentication
  - TLS Web Client Authentication
  - Check a CSR: openssl req -text -noout -verify -in CSR.csr
  - Check a certificate: openssl x509 -in certificate.pem -text -noout
  - Check a PKCS#12 file: openssl pkcs12 -info -in keyStore.p12