How to configure the Control-M Web Server used for example by Self Service, BIM and Automation API to use SSL (https)

Knowledge Article

Article Number

000226914

Old Article Number

000030567

Article Type

FAQ/Procedural

Title

How to configure the Control-M Web Server used for example by Self Service, BIM and Automation API to use SSL (https)

Summary

How to configure the Control-M Web Server to use SSL (https).

Product

Control-M/Enterprise Manager

Component

Control-M/Enterprise Manager

Applies to

Control-M/Enterprise Manager 8.0.00 and 9.0.00

Question

How to configure the Control-M EM Web Server to use SSL, so that Self Service, Batch Impact Manager (BIM) and Automation API can be reached over https?

Answer

This example walks you through creating a certificate signing request (CSR) to send to a certificate authority (CA) and installing the obtained certificate on the Control-M Web Server running on host example.bmc.com.

1. Generate a key pair. Make sure the alias is tomcat. This creates a keystore file named new_tomcat.jks that now holds a key pair (private/public). This file will be used for the certificate request and later will hold the certificates. Note that all configuration files mentioned below exist in the ctm_em/etc/emweb/tomcat/conf/ directory and all commands should be be run from that location.

Run these commands:

cd ~/ctm_em/etc/emweb/tomcat/conf
keytool -genkey -alias tomcat -keyalg RSA -keystore new_tomcat.jks -keysize 2048

You will be prompted to enter the following information. The hostname, example.bmc.com in the example, must be specified in the exact same form as users will refer to it in their browser url. Apart from the hostname you are free to enter anything, but the details should correctly identify your server so that users viewing the certificate know they can trust it. Make sure to enter a new password and remember it, please avoid using special characters since they cannot be handled by the keytool utility.

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  example.bmc.com
What is the name of your organizational unit?
  [Unknown]:  Control-M
What is the name of your organization?
  [Unknown]:  BMC Software Inc
What is the name of your City or Locality?
  [Unknown]:  Houston
What is the name of your State or Province?
  [Unknown]:  Texas
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=example.adprod.bmc.com, OU=Control-M, O=BMC Software Inc, L=Houston, ST=Texas, C=US correct?
  [no]:  yes

Enter key password for <tomcat>
    (RETURN if same as keystore password): PRESS ENTER - It's mandatory that the key's password and the keystore's password match

2. Create a csr (certificate sign request). This will create a .csr (certreq.csr) file. This file should be sent to a Certificate Authority (CA) for signing. Make sure to ask for a root chain certificate.

keytool -certreq -alias tomcat -file certreq.csr -keystore new_tomcat.jks
Enter keystore password:

3. The Certificate Authority (CA) should return at least two files. A primary root certificate, optional intermediate certificates, and a certificate with your public key, signed by the CA private key.
In our example, we got three IOU files: root.crt, secondary.cert and newcert.crt

4. Now import these certificates into the keystore in this order: primary, secondaries, cert, using the below commands.

cd ~/ctm_em/etc/emweb/tomcat/conf
keytool -import -alias primary -trustcacerts -file "root.crt"  -keystore new_tomcat.jks 
Enter keystore password: 
Certificate was added to keystore
keytool -import -alias secondary -trustcacerts -file "secondary.crt"  -keystore new_tomcat.jks 
Enter keystore password: 
Certificate was added to keystore
keytool -import -alias tomcat -trustcacerts -file "cert.crt"  -keystore new_tomcat.jks 
Enter keystore password: 
Certificate reply was installed in keystore

The -alias parameter must be set to tomcat for the new certificate for this server (third command).  For the root or intermediate certificates, the alias can be any unique name of your choice (first two commands).

5. Move the file new_tomcat.jks to the directory ctm_em/etc/emweb/tomcat/conf/

6. Make a backup copy of the file server.xml in that same directory, then open server.xml in an editor and make sure your HTTPS connector is pointing to the new key store, with the new password you set in step 1:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
           keystoreFile="conf/new_tomcat.jks"
           keystorePass="yournewpassword" />

7. Recycle the Control-M Web Server (tomcat)
Now connect to https://example.bmc.com:8443/SelfService, and you should see https working and using the new certificate (click on the lock icon in your browser to view the https connection details).

Note : it is mandatory to use the same password in all steps ( 1 to 4 ) otherwise the Web Server will fail to start with following error in the
tomcat_start_server.log :

Jul 17, 2018 10:57:39 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jul 17, 2018 10:57:39 AM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
java.io.IOException: Keystore was tampered with, or password was incorrect

Attachment(s):