 Welcome to the Control-M SSL Configuration video series. In this video, you will learn how to configure SSL between Control-M EM server and Control-M server and between Control-M server and Control-M agent. Control-M works with TLS and SSL protocols, ensuring secure communication between the various Control-M components. To configure SSL in your environment, you must get sign certificates, deploy SSL, and enable SSL. Sign certificates are required for enabling secure communication using SSL protocols. You need to request a sign certificate from a recognized certificate authority, also known as the CA, using a certificate signing request file. The sign certificate also contains your public key. BMC recommends that you replace the existing certificates by bringing your own certificate that is signed by an external recognized CA. For more information on these methods, see the Control-M help. Next, you must deploy the key store, which contains the private key, the certificate, and possibly the certificate chain to the relevant Control-M components. Last, you must enable SSL on the relevant Control-M components. SSL configuration in Control-M is divided into zones. Zone 1 is the configuration between Control-M clients and the Control-M web server. Zone 2 is the configuration between the Control-M EM server and Control-M server. Zone 3 is the configuration between Control-M server and Control-M agents. In this video, we'll focus on Zone 2, the configuration between Control-M EM server and Control-M server, and Zone 3, the configuration between Control-M server and Control-M agents. You must configure SSL for each Control-M component. First, you need to edit the fields in the csrparams.cfg file for each Control-M component. In the DN section, change the value of these fields to the required values. The CN parameter must be the FQDN of each Control-M component. Next, you need to create the private key and certificate signing request file by running the CTM key tool utility. Use the certificate signing request file to obtain the certificate and possibly the certificate chain file from an external recognized CA. All certificates must be valid X509 certificates. Create a .p12 keystore file from the private key, certificate, and certificate chain by running the open SSL command. Deploy SSL on each component by running the CTM key tool. For enhanced security, BMC recommends that you update the supported protocols and ciphers in your environment. For more information, see the Control-M help. Now we need to enable SSL in Zone 2 and 3. First, let's turn on SSL mode on Control-M server. Run the CTM SIS utility. Press 2, System Parameters. Press N to move to the next page of parameters. Set option 9, Secure Socket Layer, to Enabled. By default, all connected Control-M agents are now configured with SSL. Finally, restart the Control-M server configuration agent and the Control-M server component. Next, we need to enable SSL on Control-M agents by restarting each Control-M agent. To enable SSL on specific Control-M agents when Control-M server is not enabled with SSL, see the Control-M help. Finally, we'll enable SSL on the CMS and Gateway components. From the CCM, change the value of the CMS commode system parameter to auto or SSL. Restart the Control-M-EM configuration agent naming service and CMS. Recycle the gateways that are connected to the Control-M servers where SSL is configured. Test the SSL configuration between Control-M-EM and Control-M server by running the CTM key tool on Control-M-EM. Verify that all operations between Control-M-EM and Control-M server, such as job watering, are working. From the CCM, verify that all Control-M servers and Control-M agents are up. Test the connection between Control-M server and Control-M agent by running the AG, Diag, COM, and CTM, Diag, COM utilities. SSL is now configured between Control-M-EM server and Control-M server in zone 2 and Control-M server and Control-M agent in zone 3. Thank you for watching this video. For more information, see the Control-M help.