Creating a Container Image for an SSL Connection
This procedure describes how to create a Docker container image that installs an SSL certificate and sets SSL mode on the Agent.
Before You Begin
Ensure that you have already prepared one of the following SSL certificates:
- Your own certificate, as described in Bringing Your Own Certificate.
- A self-signed certificate, as described in Generating Self Signed Certificates.
The output certificate package is available as a compressed tar.gz file.
Begin
- Choose one of the following existing images as the basis to create the new image:
  - The BMC-provided image, with the 9.21.300-k8s-openjdk tag, from the controlm/agent repository in the Docker Hub.
  - The image that you created to use your external Java, as described in Creating a Container Image with External Java.
- Create a Dockerfile with the following content.
In the FROM line, specify the existing image that you chose as the basis for the creation of the new image.
FROM controlm/agent:9.21.300-k8s-openjdk
LABEL io.k8s.description="Control-M/Agent image with OpenJDK and an updated Agent certificate"
ARG USERNAME=controlm
USER $USERNAME
WORKDIR /home/$USERNAME
# A required input param, the name of the Agent certification package,
# created by Control-M/EM Manage SSL utility (in CCM), compressed in tar.gz format:
ARG AG_CERT
# copy and extract the Agent certification tar.gz package
ADD $AG_CERT.tar.gz .
USER root
RUN echo "Change Certification files permissions" \
&& chown -R $USERNAME $AG_CERT
USER $USERNAME
RUN source ~/.bash_profile \
&& echo "Update the Certification scripts with latest from Agent installation:" && cp -p ctm/data/SSL/manage/* $AG_CERT/ \
&& ls -l $AG_CERT/ \
&& echo "Install the Certificate" && $AG_CERT/setup.sh \
&& echo "Cleanup" && rm -rf $AG_CERT \
&& echo "Replace the local.key" && ctmagcpk \
&& echo "Setting agent's comm to SSL:" && ctmcfg -table CONFIG -action update -parameter COMMOPT -value "SSL=Y"
- Build an image based on the Dockerfile that you created by running the following command:
docker build --build-arg AG_CERT=<name of compressed certificate package> . --tag <image name>
The image name includes the name of the repository where you want to upload the created image.
- Push the image to your private repository by running the following command:
docker push <image name>
The image name includes the name of the repository where you want to upload the image.
- If the Control-M/Server is not set to SSL mode by default, set the agent.ssl Helm parameter to true during installation of the Helm chart, as described in Deploying Agents Using a Helm Chart.
This updates the Control-M/Server to indicate that this Agent communicates in SSL mode.
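The Dockerfile above adds the certificate package in one layer and removes it with rm -rf in a later one, so the final filesystem no longer shows it, but the earlier layers still ship with the image. The following added example (not BMC code) scans a `docker save` archive for that residue. The function names, the package name agcert, and the file names in the sample are assumptions constructed for illustration.

```python
import io, json, posixpath, tarfile

def make_tar(members):
    """Build an in-memory tar from {path: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_layers(image_tar, cert_dir):
    """Return (present_in, whiteout_in) for a `docker save` archive: indexes of
    layers that still hold files under cert_dir, and of layers whose whiteout
    entry hides the directory without erasing those earlier layers."""
    cert_dir = cert_dir.strip("/")
    whiteout = posixpath.join(posixpath.dirname(cert_dir),
                              ".wh." + posixpath.basename(cert_dir))
    present_in, whiteout_in = [], []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for index, layer in enumerate(manifest[0]["Layers"]):
            blob = io.BytesIO(image.extractfile(layer).read())
            with tarfile.open(fileobj=blob) as layer_tar:
                names = [n.removeprefix("./") for n in layer_tar.getnames()]
            if any(n.startswith(cert_dir + "/") for n in names):
                present_in.append(index)
            if whiteout in names:
                whiteout_in.append(index)
    return present_in, whiteout_in

def sample_image():
    """Constructed image mirroring the Dockerfile: ADD, chown, then install + rm -rf."""
    pkg = {"home/controlm/agcert/agent.key": b"constructed placeholder"}
    layers = [
        {"etc/os-release": b"base"},            # base image layer
        pkg,                                    # ADD $AG_CERT.tar.gz .
        pkg,                                    # chown -R rewrites the files
        {"home/controlm/.wh.agcert": b""},      # rm -rf $AG_CERT (whiteout)
    ]
    files = {f"layer{i}.tar": make_tar(m) for i, m in enumerate(layers)}
    files["manifest.json"] = json.dumps([{"Layers": sorted(files)}]).encode()
    return make_tar(files)

if __name__ == "__main__":
    print(audit_layers(sample_image(), "/home/controlm/agcert"))
```

Any index in the first list means the package contents are readable by anyone who can pull the image, so limit pull access on the private repository accordingly.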