Procedure to implement SSL for Top Secret endpoint


Article ID: 224606


Updated On:


CA Identity Suite


How to implement SSL for a TS (Top Secret) endpoint in CA Identity Manager.


The mainframe port (1636, for example) must be configured to accept BOTH SSL and non-SSL connections so that the Provisioning Server can run StartTLS, which opens the connection in clear text and then upgrades it to TLS on the same port. This is a configuration on the mainframe that must be performed by the mainframe (MF) administrator.

Then test whether StartTLS is working by running ldapbind with the -ZZ option. For syntax see:

Note that,


Issues StartTLS (Transport Layer Security) extended operation. For -ZZ, if StartTLS does not finish successfully the utility exits when a failure occurs. 

For example, here is what was used at another site to test StartTLS:

ldapbind -h <Hostname> -p 1636 -D "cn=<UserName>,host=<Hostname>,c=us" -w PWD -ZZ -d 65535 > result.txt 2>&1

Also, the original v1 type Top Secret Connector requires that the certificate be installed on the Provisioning Server machine (not the connector server):