Are you on ver 9.0.18 or 188.8.131.52?
If yes, the process has changed, compared to v9.0.00 or earlier, and the docs haven't caught up yet.
Let us know if you're on 9.0.18.xxx and I'll send you the steps I followed for that version.
Thank you for your reply.
We are on Version 9.0.00.500.
I am finding the guides a bit confusing. I have been advised elsewhere that I may need to recreate the certificates from the start again.
For v9.0.00.500 I think you followed the correct steps except you don't need to execute setup.sh for Web Server SSL deployment, just copy the correct files to correct places.
Here are the steps I use, in case they help:
TASK 1 - Generate CSR
1. On EM Server create a temporary directory that only EM user has access to
mkdir -p ~/yourcompany/byo_ssl/working
2. Navigate to the temp dir you created in point 1
3. Run Manage_SSL_Generate_CSR to generate a private key:
Manage_SSL_Generate_CSR -workarea ~/yourcompany/byo_ssl/working -genkey -keysize 2048 -password <keys store password>
Where <keys store password> is a secure 8-character password of your choice.
4. Run Manage_SSL_Generate_CSR to generate a CSR:
Manage_SSL_Generate_CSR -workarea ~/yourcompany/byo_ssl/working -gencsr -subj "/C=US/ST=<state>/L=<city>/O=<company name>/OU=Control-M/CN=<EM FQDN>/emailAddress=<your teams email address>" -password <keys store password>
This command will create a file called ‘request.csr’.
TASK 2 - Send CSR to Security Team
Usually the security team will return two files:
1. The CA Chain (*.pem)
2. The Certificate (.cer)
TASK 3 - Generating SSL Certificate for Web Server
1. Transfer the files provided by the Security Team to the related EM server and place in the same folder where the file request.csr is located
2. On EM Server, navigate to the working directory and run Manage_SSL_BYO to generate the Tomcat Key Store:
Manage_SSL_BYO -input pem -component CONTROL-M_Web_Application -output ~/yourcompany/byo_ssl/working/EM_Web_Apps/ -output_keystores_password <keys store password> -certificate <cert file from SA team> -private_key privatekey.pem -password <keys store password> -ca_certificates <CA Chain from SA team>
NOTE: "/EM_Web_Apps/" should not exist. The Manage_SSL_BYO will create it.
<keys store password> = The password set when generating the CSR
<CA Chain from SA team> = The filename of the CA Chain (*.pem)
<cert file from SA team> = The filename of the Certificate (*.cer)
TASK 4 - Deploy and Enable SSL Certificate for Web Server
1. From CCM, Stop the Web Server
2. On EM Server, back up the file ~/ctm_em/etc/emweb/tomcat/conf/tomcat.keystore
cp -p tomcat.keystore tomcat.keystore.ControlM_Site_CA
3. On EM Server, back up the file ~/ctm_em/etc/emweb/tomcat/conf/server.xml
cp -p server.xml server.xml.ControlM_Site_CA
4. Copy the tomcat.keystore created in previous task from ~/yourcompany/byo_ssl/working/EM_Web_Apps to ~/ctm_em/etc/emweb/tomcat/conf
cp -p ~/yourcompany/byo_ssl/working/EM_Web_Apps/tomcat.keystore ~/ctm_em/etc/emweb/tomcat/conf/tomcat.keystore.YOURCOMPANY_CA
5. Shut down the Control-M/EM Web Server via CCM
6. Replace the old tomcat.keystore with the new one
cp -p tomcat.keystore.YOURCOMPANY_CA tomcat.keystore
7. Back up ~/ctm_em/etc/emweb/tomcat/conf/server.xml
cp -p server.xml server.xml.ORIG.`date +%Y%m%d_%H%M%S`
8. Update ~/ctm_em/etc/emweb/tomcat/conf/server.xml by adding the following lines in bold
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
<!-- keystorePass="emdemo" /> -->
NOTE: replace vpma1234 with the password set when generating the CSR and the keystore.
9. In server.xml comment out the section after above so that no connection over http and port 18080 can be made:
<Connector port="18080" protocol="HTTP/1.1"
10. Update web_server_params.xml
cp -p web_server_params.xml web_server_params.xml.ORIG.`date +%Y%m%d_%H%M%S`
Set the following bold values:
11. Run the following SQL command on EM database:
SQL>update CONFIG_HA set WEB_SRV_PORT='8443',HTTP_MODE='https'
12. Log off and log in to CCM
13. Start the Control-M/EM Web Server via CCM
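Two checks that fit the steps above, as an added example that is not part of the original post and is not BMC tooling: confirm the certificate returned by the security team carries the public key from request.csr before building the keystore, and confirm after the restart that the listener on port 8443 presents that same certificate. It assumes the openssl CLI is on the EM server; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not BMC tooling). Needs only the openssl CLI.

# Print a certificate as PEM whether the .cer file is PEM or DER encoded.
cert_to_pem() {
    openssl x509 -in "$1" -outform PEM 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -outform PEM 2>/dev/null
}

# True only if the certificate carries the public key that the CSR asked for.
# $1 = certificate file, $2 = CSR file (request.csr)
cert_matches_csr() {
    cert_key=$(cert_to_pem "$1" | openssl x509 -noout -pubkey 2>/dev/null)
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    # An unreadable file yields an empty key and must not count as a match.
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# SHA-256 fingerprint of a certificate file.
cert_fingerprint() {
    cert_to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS listener presents.
# $1 = host:port
served_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True if the listener at $1 presents exactly the certificate in file $2.
served_cert_is_new() {
    want=$(cert_fingerprint "$2")
    got=$(served_fingerprint "$1")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage: sh check_cert.sh <certificate> <request.csr> <EM FQDN>:8443
if [ "$#" -eq 3 ]; then
    cert_matches_csr "$1" "$2" && echo "OK: certificate matches the CSR key" ||
        echo "FAIL: certificate was not issued for this CSR"
    served_cert_is_new "$3" "$1" && echo "OK: server presents the new certificate" ||
        echo "FAIL: server presents a different certificate"
fi
```

If the first check fails, the keystore cannot be built from this certificate and privatekey.pem; if only the second fails, the web server is still reading a keystore that does not contain the new certificate.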
Thank you so much for the detailed guide.
Unfortunately, it did not work. I can still access our Self Service, but the certificate still shows as the previous one, and has not been renewed.
I think I may begin the whole process again from the start. I will double check the method of creation and contents of the new cert provided to me by our Security Team.
Thank you for your help.