5 Replies Latest reply on Jul 22, 2018 1:32 AM by Mohammad Rababah

    Importing SSL Certificate in Control-M

    David Payne

      I am trying to import a new BYO certificate for our Control-M Self Service.


      • I generated the keystore and csr files
      • Passed the csr file to our Tech Delivery team
      • The Tech Delivery team provided me with a signed cert and the CA, with combined root and intermediaries
      • I used the CA, signed cert and keystore files to run the Manage_SSL_BYO command for the Control-M component ‘CONTROL-M_Web_Application’
      • This has updated the directory /home/ctrlm/ctm_em/etc/site/manageSSL/workarea/CONTROL-M_Web_Application/ & created files into the output directory I requested
      • After taking backup copies of the existing files, I placed the new tomcat and em keystore files to /home/ctrlm/ctm_em/emweb/tomcat/conf/tomcat.keystore & /home/ctrlm/ctm_em/etc/keystore/em.keystore
      • Following the BMC SSL Guide, I then stopped the Control-M Web Server
      • Ran /home/ctrlm/ctm_em/etc/site/manageSSL/workarea/CONTROL-M_Web_Application/setup.sh from the /home/ctrlm/ location
      • This created an ssl_setup folder in /home/ctrlm/ but printed the following message:


                Verifying component existance...

                Use of uninitialized value in numeric ne (!=) at /home/ctrlm/ctm_em/etc/site/manageSSL/workarea/CONTROL-M_Web_Application/setup.pl line 1555.

                Done


                Performing SSL certificates setup for component type <WEBAPPLICATION>, please wait...

                Backing up existing files and replacing with new files...

                Unknown component type <WEBAPPLICATION>


      The certificate has still not been renewed.


      Is there a step I have missed?

        • 1. Re: Importing SSL Certificate in Control-M
          Bentze Perlmutter

          Hi David,

          Are you on ver 9.0.18 or 9.0.18.100?

          If yes, the process has changed, compared to v9.0.00 or earlier, and the docs haven't caught up yet.


          Let us know if you're on 9.0.18.xxx and I'll send you the steps I followed for that version.


          Regards,

          Bentze

          • 2. Re: Importing SSL Certificate in Control-M
            David Payne

            Hi Bentze,


            Thank you for your reply.


            We are on Version 9.0.00.500.


            I am finding the guides a bit confusing. I have been advised elsewhere, that I may need to recreate the certificates from the start again.


            Regards,

            Dave

            • 3. Re: Importing SSL Certificate in Control-M
              Bentze Perlmutter

              Hi David,

              For v9.0.00.500 I think you followed the correct steps except you don't need to execute setup.sh for Web Server SSL deployment, just copy the correct files to correct places.


              Here are the steps I use, in case they help:


              TASK 1 - Generate CSR
              1. On the EM Server create a temporary directory that only the EM user has access to
              e.g.
              mkdir -p ~/yourcompany/byo_ssl/working

              2. Navigate to the temp dir you created in point 1
              cd ~/yourcompany/byo_ssl/working

              3. Run Manage_SSL_Generate_CSR to generate a private key:

              Manage_SSL_Generate_CSR -workarea ~/yourcompany/byo_ssl/working -genkey -keysize 2048 -password <keys store password>

              Where <keys store password> is a secure 8-character password of your choice.

              4. Run Manage_SSL_Generate_CSR to generate a CSR:

              Manage_SSL_Generate_CSR -workarea ~/yourcompany/byo_ssl/working -gencsr -subj "/C=US/ST=<state>/L=<city>/O=<company name>/OU=Control-M/CN=<EM FQDN>/emailAddress=<your team's email address>" -password <keys store password>

              This command will create a file called ‘request.csr’.


              TASK 2 - Send CSR to Security Team
              Usually the security team will return two files:
              1. The CA Chain (*.pem)
              2. The Certificate (.cer)


              TASK 3 - Generating SSL Certificate for Web Server
              1. Transfer the files provided by the Security Team to the related EM server and place in the same folder where the file request.csr is located

              2. On EM Server, navigate to the working directory and run Manage_SSL_BYO to generate the Tomcat Key Store:

              cd ~/yourcompany/byo_ssl/working

              Manage_SSL_BYO -input pem -component CONTROL-M_Web_Application \
                  -output ~/yourcompany/byo_ssl/working/EM_Web_Apps/ \
                  -output_keystores_password <keys store password> \
                  -certificate <cert file from SA team> -private_key privatekey.pem \
                  -password <keys store password> -ca_certificates <CA Chain from SA team>

              NOTE: "/EM_Web_Apps/" should not exist. The Manage_SSL_BYO will create it.

              Where:
              <keys store password> = The password set when generating the CSR
              <CA Chain from SA team> = The filename of the CA Chain (*.pem)
              <cert file from SA team> = The filename of the Certificate (*.cer)


              TASK 4 - Deploy and Enable SSL Certificate for Web Server
              1. From CCM, Stop the Web Server
              2. On the EM Server, back up the file ~/ctm_em/etc/emweb/tomcat/conf/tomcat.keystore

              cd ~/ctm_em/etc/emweb/tomcat/conf
              cp -p tomcat.keystore tomcat.keystore.ControlM_Site_CA

              3. On the EM Server, back up the file ~/ctm_em/etc/emweb/tomcat/conf/server.xml
              cp -p server.xml server.xml.ControlM_Site_CA

              4. Copy the tomcat.keystore created in the previous task from ~/yourcompany/byo_ssl/working/EM_Web_Apps to ~/ctm_em/etc/emweb/tomcat/conf
              cp -p ~/yourcompany/byo_ssl/working/EM_Web_Apps/tomcat.keystore ~/ctm_em/etc/emweb/tomcat/conf/tomcat.keystore.YOURCOMPANY_CA

              5. Shutdown the Control-M/EM Web Server via CCM

              6. Replace the old tomcat.keystore with the new one

              cd ~/ctm_em/etc/emweb/tomcat/conf
              cp -p tomcat.keystore.YOURCOMPANY_CA tomcat.keystore

              7. Back up ~/ctm_em/etc/emweb/tomcat/conf/server.xml
              cp -p server.xml server.xml.ORIG.`date +%Y%m%d_%H%M%S`

              8. Update ~/ctm_em/etc/emweb/tomcat/conf/server.xml by adding the following Connector element

              <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                         maxThreads="150" scheme="https" secure="true"
                         clientAuth="false" sslProtocol="TLS"
                         keystoreFile="conf/tomcat.keystore"
                         keystorePass="vpma1234" />
              <!--       keystorePass="emdemo" /> -->
              NOTE: replace vpma1234 with the password set when generating the CSR and the keystore.

              9. In server.xml comment out the following section so that no plain HTTP connection on port 18080 can be made:

              <!-- 
                  <Connector port="18080" protocol="HTTP/1.1"
                             connectionTimeout="20000"
                             redirectPort="8443" />
              -->
              10. Update web_server_params.xml
              cd ~/ctm_em/Client_Updates/conf
              cp -p web_server_params.xml web_server_params.xml.ORIG.`date +%Y%m%d_%H%M%S`

              Set the following values:
              <ALLOW_MODIFICATION>false</ALLOW_MODIFICATION>
              <WEB_SRV_HOST><your FQDN></WEB_SRV_HOST>
              <WEB_SRV_PORT>8443</WEB_SRV_PORT>
              <IS_HTTPS>true</IS_HTTPS>


              11. Run the following SQL command on the EM database:
              SQL> update CONFIG_HA set WEB_SRV_PORT='8443', HTTP_MODE='https';


              12. Logoff and Login to CCM


              13. Start the Control-M/EM Web Server via CCM


              Regards,

              Bentze

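A rollout check for the procedure above, and for the symptom in the original post (the site still presenting the old certificate after the keystore was replaced). This is an added example, not BMC code and not part of Manage_SSL_BYO: it compares the SHA-256 fingerprint of the signed certificate the security team returned with the fingerprints keytool reports for tomcat.keystore, and with the certificate the Tomcat listener actually presents. The host name, port 8443, file names and keystore password are assumptions; keytool is assumed to be on PATH (any JDK/JRE keytool will do). If the .cer file is DER rather than PEM, convert it first with openssl x509 -inform der -in signed.cer -out signed.pem.

```python
"""Verify a Control-M/EM BYO certificate rollout end to end.

Added example for this thread; not BMC code and not part of
Manage_SSL_BYO. Paths, host names and passwords are assumptions.
"""
import base64
import hashlib
import re
import socket
import ssl
import subprocess
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block of a PEM string into DER."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def split_pem_chain(text: str) -> list:
    """Every CERTIFICATE block in a file (e.g. the combined root+intermediate
    chain the security team returns), each as DER bytes, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the AB:CD:... form printed by openssl and keytool."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def served_certificate(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate Tomcat presents, deliberately without trust
    validation: we want to see what is served even if it is the old cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def keystore_fingerprints(keystore: str, password: str) -> list:
    """SHA-256 fingerprints keytool -list -v reports for every entry in a
    JKS/PKCS12 keystore. Note: -storepass makes the password visible in the
    process list for the duration of the call; omit it to be prompted instead."""
    out = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", password],
        capture_output=True, text=True, check=True).stdout
    return re.findall(r"SHA256:\s*([0-9A-F]{2}(?::[0-9A-F]{2}){31})", out)


def check_rollout(expected_pem: str, served_der: bytes, keystore_fps=()) -> dict:
    """Compare the signed certificate with the keystore contents and with
    what the HTTPS listener actually serves."""
    want = fingerprint(pem_to_der(expected_pem))
    got = fingerprint(served_der)
    return {
        "expected": want,
        "served": got,
        "in_keystore": want in keystore_fps,
        "served_matches": want == got,
    }


if __name__ == "__main__":
    # usage: python check_em_cert.py signed.pem ctm-em.example.com 8443 [tomcat.keystore storepass]
    cert_file, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(cert_file) as f:
        expected = f.read()
    fps = keystore_fingerprints(sys.argv[4], sys.argv[5]) if len(sys.argv) > 5 else ()
    result = check_rollout(expected, served_certificate(host, port), fps)
    for key, value in result.items():
        print(f"{key:15} {value}")
    sys.exit(0 if result["served_matches"] else 1)
```

Reading the result: served_matches false with in_keystore true means the new keystore is in place but Tomcat is still reading something else (the keystoreFile/keystorePass in server.xml, or the web server was not actually restarted); in_keystore false means the file copied into conf/ is not the keystore Manage_SSL_BYO produced, which is the case to rule out before regenerating anything.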
              • 4. Re: Importing SSL Certificate in Control-M
                David Payne

                Hi Bentze,


                Thank you so much for the detailed guide.


                Unfortunately, it did not work. I can still access our Self Service, but the certificate still shows as the previous one, and has not been renewed.


                I think I may begin the whole process again from the start. I will double check the method of creation and contents of the new cert provided to me by our Security Team.


                Thank you for your help.


                Regards,

                Dave

                • 5. Re: Importing SSL Certificate in Control-M
                  Mohammad Rababah

                  Can you share 9.0.18.100?