How to test an SSL-encrypted ldapsearch query against the CA LDAP Server.
This covers server-side SSL only (DN and password authentication); client authentication is not required.
A query to a non-SSL port works without problem.
Release : 16.0
Component : CA LDAP Server
To use the ldapsearch command-line utility against a server set up for SSL,
set up a keyring for the user that contains the signing certauth certificates of the server certificate, so that the client can validate the certificate the server presents.
Then create a file called ldaprc in the user's home directory.
The contents of ldaprc should be:
TLS_KEYRING owner/ringname
You can also specify a preferred cipher suite, e.g.
TLS_Cipher_Suite DEFAULT
And add a minimum protocol level, e.g.
TLS_Protocol_Min tls1.2
Note: only TLS_KEYRING is required.
This link provides details of all available client configuration options.
https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/configuring/configure-the-ca-ldap-server/client-ssl-setup-from-the-command-line/ldap-client-configuration/ldap-client-configuration-options.html