Welcome to the Control-M SSL Configuration video series. In this video, you will learn how to configure SSL between Control-M clients and the Control-M web server.

Control-M works with the TLS and SSL protocols, ensuring secure communication between the various Control-M components. To configure SSL in your environment, you must get signed certificates, deploy SSL, and enable SSL.

Signed certificates are required for enabling secure communication using SSL protocols. You need to request a signed certificate from a recognized certificate authority, also known as the CA, using a certificate signing request file. The signed certificate also contains your public key. BMC recommends that you replace the existing certificates by bringing your own certificate that is signed by an external recognized CA. For more information on these methods, see the Control-M help.

Next, you must deploy the keystore, which contains the private key, the certificate, and possibly the certificate chain, to the relevant Control-M components. Last, you must enable SSL on the relevant Control-M components.

SSL configuration in Control-M is divided into zones. Zone 1 is the configuration between Control-M clients and the Control-M web server. Zone 2 is the configuration between the Control-M/EM server and the Control-M/Server. Zone 3 is the configuration between the Control-M/Server and Control-M agents. In this video, we'll focus on zone 1, the configuration between Control-M clients and the Control-M web server.

First, you need to edit the parameters in the CSRparams.cfg file. In the DN section, change the value of these parameters to the required values. The CN parameter must be the FQDN of the Control-M/EM server. Next, you need to create the private key and certificate signing request file by running the ctmkeytool utility. Use the certificate signing request file to obtain the certificate and possibly the certificate chain file from an external recognized CA. All certificates must be valid X.509 certificates.
Back up the existing Tomcat.p12 file in the EM SSL directory. Create the Tomcat.p12 keystore file by running the openssl command. Save the Tomcat.p12 file in the EM SSL directory.

Now we need to enable SSL mode and update the keystore password with the manage_webserver utility. First, let's turn on SSL mode. Press 1 to display the Tomcat configuration. Press 4 to display SSL mode. Set the current configuration for using SSL to true.

Next, we need to update the keystore password. Press 3 to display the secure connector configuration. Press 3 to edit the SSL connector. Select the connector to edit. Press 5 to update the keystore password. In the CCM, recycle the web server.

Verify that the web server certificate is installed on the Control-M client computer. If the certificate is not installed, copy the p12 keystore file that contains the certificate to the Control-M client computer and run the certificate installation. BMC recommends that you bring your own certificate for use by the web server. BMC-provided demo certificates are supported in the web server under limited conditions. For more information, see the Control-M help.

Now we need to test the SSL configuration on the Control-M web server. From a web browser on the Control-M client computer, type the URL of the web server's FQDN. Verify the hostname and port that are used by the relevant connector by running the manage_webserver utility. Press 1 to display the Tomcat configuration. Press 3 to display the secure connector configuration. Press 1 to display the list of secure connectors. If you want to add, change, or delete secure connectors, see the Control-M help.

In addition, the Control-M web server only supports the TLS v1.2 protocol. The available ciphers for zone 1 are defined in the SSL Tomcat ciphers.xml file. If you want to use a cipher that is not listed in the file or limit the listed ciphers, see the Control-M help.

Control-M client applications and the Control-M web server now communicate through SSL. Thank you for watching this video. For more information, see the Control-M help.
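
The keystore step in this video can be checked before the file is copied into the EM SSL directory. The following is an added example, not part of the video or BMC's documentation: it builds a PKCS#12 keystore with `openssl` and verifies that it opens with the password, that the private key matches the certificate, that the CN is the expected FQDN, and that the certificate has not expired. The file names, the FQDN, the `KS_PASS` variable and the throwaway local CA (standing in for the external recognized CA, with `openssl req` standing in for ctmkeytool) are assumptions.

```shell
#!/bin/sh
# Added example, not BMC's procedure. File names, the FQDN and KS_PASS are
# constructed; a throwaway local CA stands in for the external recognized CA.
# The keystore password is read from the KS_PASS environment variable so it
# does not appear on the command line.

# make_test_material DIR FQDN: private key, CSR and a CA-signed certificate.
make_test_material() {
    dir=$1; fqdn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/server.pem" 2>/dev/null
}

# build_keystore KEY CERT CHAIN OUT: bundle key, certificate and chain.
build_keystore() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout env:KS_PASS
}

# verify_keystore P12 FQDN
# Returns 0 if usable, 1 unreadable or wrong password, 2 key does not match
# certificate, 3 CN is not the expected FQDN, 4 certificate expired.
verify_keystore() {
    p12=$1; fqdn=$2
    cert=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys -clcerts \
        2>/dev/null) || return 1
    key=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes \
        2>/dev/null) || return 1
    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey) || return 1
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
    # RFC 2253 output lists the CN first for a conventional DN.
    cn=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//' -e 's/^CN=\([^,]*\).*/\1/')
    [ "$cn" = "$fqdn" ] || return 3
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null || return 4
}
```

A non-zero return from `verify_keystore` identifies which check failed, so the backed-up keystore can stay in place until the new one passes.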