Configuring Control-M MFT for server authentication

This procedure describes how to configure Control-M MFT for server authentication. To implement server authentication, you must import the CA belonging to each of the FTP over SSL/TLS servers to which Control-M MFT keystore.

To configure Control-M MFT for server authentication:

1. Set the host security level to Level 3.
2. Copy the FTP over SSL/TLS server CA file to a temporary location on the computer on which Control-M MFT is installed.
3. Navigate to the following location:

   <Control-M/Agent home directory>/cm/AFT/JRE_LINK/bin/

4. Import the certificate for the CA as follows:
   • FIPS ON: ./keytool -J-Djava.security.properties==<java_security_file_path> -J--module-path="<ctm_agent>/ctm/cm/AFT/exe/providers" -J-Dorg.bouncycastle.fips.approved_only=true -importcert -alias <server_alias> -file <server_certificate_file> -keystore <keystore_file> -storepass <password> -storetype BCFKS
   • FIPS OFF: ./keytool -J-Djava.security.properties==<ctm_agent>/ctm/cm/AFT/data/java.security.mft -J--module-path="<ctm_agent>/ctm/cm/AFT/exe/providers" -importcert -alias <server_alias> -file <server_certificate_file> -keystore <keystore_file> -storepass <password>

     Where <java_security_file_path> is as follows::

     • Windows, Solaris and AIX: <ctm_agent>/ctm/cm/AFT/data/java.security.mft
     • Linux: <ctm_agent>/ctm/cm/AFT/data/java.security.mft.bcf

   NOTE: Ensure that the certificate is valid before you import it as a trusted certificate. View it with the keytool -printcert command or the keytool -importcert command without the -noprompt option, and verify that the displayed certificate fingerprints match the expected ones.