How to change SSL Certificate Subject after installing the Control-M Managed File Transfer Enterprise Gateway ?

Knowledge Article

How to change SSL Certificate Subject after installing the Control-M Managed File Transfer Enterprise Gateway ?
How to change SSL Certificate Subject after installing the Control-M Managed File Transfer Enterprise Gateway ?
Control-M Managed File Transfer Enterprise
Control-M Managed File Transfer Enterprise
Control-M Managed File Transfer Enterprise
Control-M Managed File Transfer Enterprise
Control-M Managed File Transfer Enterprise
Control-M Managed File Transfer Enterprise
During the Control-M Managed File Transfer Enterprise installation, there is a need to fill the Certificate Subject with fully qualified format for SSL certificate to be used by Control-M Managed File Transfer Enterprise Gateway.
How to change SSL Certificate Subject after installing the Control-M Managed File Transfer Enterprise Gateway ?
Use the following steps to change the SSL Certificate Subject after installing the Control-M Managed File Transfer Enterprise Gateway:

1. Make sure that the Control-M Managed File Transfer Enterprise Gateway machine has keytool utility(either from JRE or JDK pckage) available

2. Login as Control-M Managed File Transfer Enterprise Gateway user

3. Stop the Control-M Managed File Transfer Enterprise Gateway by running:

$HOME/mft-proxy/exe/gateway.sh stop

4. Edit the $HOME/mft-proxy/data/proxyConfig.properties file to modify the CertificateX509Subject value to correct Certificate Subject using fully qualified format for SSL certificate, and save the file.

eg,
CertificateX509Subject=CN=managefiles.mydomain.com,O=MyCompany_Limited,L=MyLocation,S=MyState,C=MyCountry

Please make sure to check with security team to get the standard format the company used for SSL certificate, and no space inside each field value.

5. Remove the existing keystore with wrong SSL certificate subject:

rm $HOME/mft-proxy/data/ssl_keystore.pfx

6. Then, run the following command to generate the :

$HOME/mft-proxy/exe/post-install-certificates-actions.sh

The script will show the correct certificate subject as part of output on screen. Please proceed with KA#000152499 to generate for Trusted CA signing request and importing of signed certificates into Control-M Managed File Transfer Enterprise Gateway keystore.

NOTE: If the Control-M Managed File Transfer Enterprise Gateway machine doesn't have any JRE or JDK package installed, then temporarily disable NSS for JRE from Control-M Managed File Transfer Enterprise Gateway by copying the non-NSS security policy file, before proceeding with step#6 above(before running post-install-certificates-actions.sh script):

cp $HOME/mft-proxy/JRE/lib/security/java.security.bcf  $HOME/mft-proxy/JRE/lib/security/java.security

After running the post-install-certificates-actions.sh script, put back the NSS for JRE by copy NSS security policy file:

cp $HOME/mft-proxy/JRE/lib/security/java.security.nss  $HOME/mft-proxy/JRE/lib/security/java.security
Control-M Managed File Transfer Enterprise
Control-M Managed File Transfer Enterprise
Control-M Managed File Transfer Enterprise
Attachment(s):