Automating SSL certificate updates on Control-M/Agents

9.0.20.000 As the administrator, you can automate updates to SSL certificates on multiple Control-M/Agents by incorporating the provided AAPI commands in scripts.

Below is an example of a method that involves two scripts for automating updates of SSL certificates on multiple Control-M/Agents.

First script: Creating CSRs for certificates that are about to expire

This first script uses API commands to automate the following tasks:

  1. Get a list of Control-M/Servers, using the config servers::get command.
  2. Get a list of Control-M/Agents for each server, using the config server:agents::get command.
  3. Determine which of the agents has a certificate that is about to reach its expiration date, using the config server:agent:crt:expiration::get command.
  4. Create a Certificate Signing Request (CSR) for each agent that is about to expire, and store all CSR files in one directory. Use the config server:agent:csr::create command.

Signing CSRs

Before running the second script, get the security team at your organization to sign the CSRs that were created by the first script.

Second script: Deploy signed certificates to agents

This second script uses API commands to automate the following tasks:

  1. Get a list of Control-M/Servers, using the config servers::get command.
  2. Get a list of Control-M/Agents for each server, using the config server:agents::get command.
  3. Determine which of the agents has a certificate that is about to reach its expiration date, using the config server:agent:crt:expiration::get command.
  4. Deploy each of the signed certificates to its proper agent, using the config server:agent:crt::deploy command.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*