How can Control-M/Server be forced to accept only TLS 1.2 connections, or to use only SHA256-based cipher suites or one specific cipher? For example, a security scan shows that Control-M/Server accepts SSLv3 connections by default, and it is necessary to allow only TLS 1.2 connections with SHA256 ciphers.
1. Apply the latest available Fix Pack to Control-M/Server. TLS 1.2 support was first made available in Fix Pack 4 of version 9.0.00 and in Fix Pack 5 of version 8.0.00.

2. Restrict the protocol (and, if required, the cipher suites) in the site security policy. The policy has one "provider_options" entry for the client side and one for the server side; both must be changed, otherwise the unchanged side still accepts the older protocols.

UNIX / Linux:
- Back up the ctm_server/data/SSL/cert/site.plc file.
- Edit site.plc and change both occurrences of the "provider_options" parameter to:
provider_options=SSLProtocol=TLS1_2
- If SHA256 cipher suites must also be enforced, set instead:
provider_options=SSLProtocol=TLS1_2,TLSCipherSuite=AES128-SHA256 AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256
- If a single specific cipher must be enforced, list only that cipher:
provider_options=SSLProtocol=TLS1_2,TLSCipherSuite=DHE-RSA-AES256-SHA256

Windows:
- Export/back up the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Server\SecurityPolicy\site
- Edit the "provider_options" value in the following two locations:
HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Server\SecurityPolicy\site\client
HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Server\SecurityPolicy\site\server
- Set the value to:
SSLProtocol=TLS1_2
- If SHA256 cipher suites must also be enforced, set instead:
SSLProtocol=TLS1_2,TLSCipherSuite=AES128-SHA256 AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256
- If a single specific cipher must be enforced, list only that cipher (the registry value does not carry the "provider_options=" prefix used in site.plc):
SSLProtocol=TLS1_2,TLSCipherSuite=DHE-RSA-AES256-SHA256

Of the suites listed, DHE-RSA-AES128-SHA256 and DHE-RSA-AES256-SHA256 use ephemeral Diffie-Hellman key exchange and therefore provide forward secrecy; AES128-SHA256 and AES256-SHA256 use static RSA key exchange and do not. If a single cipher is to be enforced, prefer one of the DHE-RSA suites.

3. Restrict the protocols accepted by the Java components.
- Back up the java.security file, found in:
Unix/Linux - version 9.0.19 and earlier: ctm_server/JRE/lib/security
Unix/Linux - version 9.0.20: $CTM_JAVA_HOME/conf/security
Windows - version 9.0.19 and earlier: <Server Install Location>\JRE\lib\security
Windows - version 9.0.20: <Server Install Location>\Control-M Common\bmcjava\bmcjava-V#\conf\security
- Edit java.security and add the line:
jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 1024
Java reads java.security as a properties file, so if the file already contains a jdk.tls.disabledAlgorithms entry (the stock file normally does, often continued over several lines with a trailing backslash), the last entry wins and replaces the earlier list entirely. Merge any entries from the existing list that should stay disabled into the new line rather than leaving two entries in the file.

4. If the database server is Microsoft SQL Server, install the Microsoft ODBC Driver 13 for SQL Server and the SQL Server 2012 Native Client; otherwise continue with step 5.

5. Stop and restart Control-M/Server for the changes to take effect.

After the restart, confirm the result from another host with openssl s_client: connections to <host>:<port> made with -ssl3, -tls1 and -tls1_1 should be refused, while -tls1_2 should complete the handshake and report one of the configured ciphers. (The -ssl3 option is only available in an OpenSSL build that still includes SSLv3 support.)

The following video shows this process (up to version 9.0.19):
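The following script is an added example for this article and is not BMC code. It audits, offline, the two artifacts that steps 2 and 3 change: the two provider_options lines of site.plc (syntax as in the article: SSLProtocol=TLS1_2,TLSCipherSuite=<space-separated suite names>) and the jdk.tls.disabledAlgorithms entry of java.security, read with Java Properties semantics (comments, trailing-backslash continuation lines, and a later duplicate key overriding an earlier one). The sample file contents are constructed; the layout of site.plc around its two provider_options lines is an assumption, so only those two lines are shown. Windows registry values can be checked with the same functions by prefixing them with "provider_options=".

```python
"""Offline audit of Control-M/Server TLS hardening: site.plc provider_options
and java.security jdk.tls.disabledAlgorithms.

Added example for this article, not BMC code. Sample inputs are constructed;
the site.plc layout (only the two provider_options lines shown) is an assumption.
"""

# Entries the article's jdk.tls.disabledAlgorithms line must carry.
REQUIRED_DISABLED = {
    "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1",
    "RC4", "MD5withRSA", "DH keySize < 1024",
}


def parse_provider_options(value):
    """'SSLProtocol=TLS1_2,TLSCipherSuite=A B' -> {'SSLProtocol': 'TLS1_2', 'TLSCipherSuite': 'A B'}."""
    opts = {}
    for item in value.split(","):
        key, sep, val = item.strip().partition("=")
        if sep:
            opts[key.strip()] = val.strip()
    return opts


def audit_site_plc(text, require_sha256=False):
    """Return a list of findings; an empty list means the policy is as intended."""
    values = [line.split("=", 1)[1].strip()
              for line in text.splitlines()
              if line.strip().startswith("provider_options=")]
    findings = []
    if len(values) != 2:
        findings.append("expected 2 provider_options lines (client and server side), found %d" % len(values))
    for n, value in enumerate(values, 1):
        opts = parse_provider_options(value)
        if opts.get("SSLProtocol") != "TLS1_2":
            findings.append("provider_options #%d: SSLProtocol=%r, expected TLS1_2 (older protocols still accepted)"
                            % (n, opts.get("SSLProtocol")))
        suites = opts.get("TLSCipherSuite", "").split()
        if require_sha256:
            weak = [s for s in suites if not s.endswith("-SHA256")]
            if not suites:
                findings.append("provider_options #%d: no TLSCipherSuite restriction" % n)
            elif weak:
                findings.append("provider_options #%d: non-SHA256 suites allowed: %s" % (n, " ".join(weak)))
    return findings


def parse_properties(text):
    """Minimal Java Properties reader: '#'/'!' comment lines, trailing-backslash
    continuation lines, and a later duplicate key overriding an earlier one
    (which is why a second jdk.tls.disabledAlgorithms line replaces the stock one)."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        key, sep, val = (buf + line).partition("=")
        if sep:
            props[key.strip()] = val.strip()
        buf = ""
    return props


def disabled_algorithms(text):
    """Set of entries in the effective jdk.tls.disabledAlgorithms value."""
    raw = parse_properties(text).get("jdk.tls.disabledAlgorithms", "")
    return {entry.strip() for entry in raw.split(",") if entry.strip()}


def audit_java_security(text):
    missing = sorted(REQUIRED_DISABLED - disabled_algorithms(text))
    return ["jdk.tls.disabledAlgorithms lacks: " + ", ".join(missing)] if missing else []


def merged_disabled_line(text):
    """Line to append that keeps the stock entries as well as the new ones;
    appending the article's line alone drops whatever the stock line disabled."""
    return "jdk.tls.disabledAlgorithms=" + ", ".join(sorted(disabled_algorithms(text) | REQUIRED_DISABLED))


# Constructed samples (not real files): the state before the change and after it.
DEFAULT_SITE_PLC = "provider_options=\nprovider_options=\n"
HARDENED_SITE_PLC = (
    "provider_options=SSLProtocol=TLS1_2,TLSCipherSuite=AES128-SHA256 AES256-SHA256 "
    "DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256\n"
) * 2
STOCK_JAVA_SECURITY = (
    "# constructed excerpt in the style of a stock JRE java.security\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\\n"
    "    DH keySize < 768\n"
)
ARTICLE_LINE = "jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 1024\n"

if __name__ == "__main__":
    for label, findings in (
        ("default site.plc", audit_site_plc(DEFAULT_SITE_PLC, require_sha256=True)),
        ("hardened site.plc", audit_site_plc(HARDENED_SITE_PLC, require_sha256=True)),
        ("stock java.security", audit_java_security(STOCK_JAVA_SECURITY)),
        ("article line appended", audit_java_security(STOCK_JAVA_SECURITY + ARTICLE_LINE)),
    ):
        print(label + ":", findings or "OK")
    print("merged line:", merged_disabled_line(STOCK_JAVA_SECURITY))
```

Running the script shows the default site.plc failing on both lines, the hardened one passing, and the stock java.security lacking four required entries. It also shows that appending the article's line alone makes the audit pass while silently dropping "DH keySize < 768" from the stock list; merged_disabled_line produces a replacement that keeps both sets.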