Procedure to implement SSL for Top Secret endpoint

Article ID: 224606

Products

CA Identity Suite

Issue/Introduction

How to implement SSL for a TS (Top Secret) endpoint in CA Identity Manager.

Resolution

The mainframe port (1636, for example) needs to be configured as BOTH SSL and non-SSL so that the Provisioning Server can run startTLS. Make sure the port allows both SSL and non-SSL. This is a configuration on the mainframe that must be performed by the MF administrator.

Then test whether startTLS is working by running ldapbind with the -ZZ option. For the syntax, see:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/command-reference/command-line-utilities-for-the-ca-ldap-server/ldapbind-verify-a-user-id-and-password.html

Note that:

-Z[Z]

Issues the StartTLS (Transport Layer Security) extended operation. With -ZZ, if StartTLS does not finish successfully, the utility exits when the failure occurs.

For example, here is what was used at another site to test StartTLS:

ldapbind -h mainframe.TSS.com -p 1636 -D "cn=AIAMD,host=TSS-SSA,c=us" -w PWD -ZZ -d 65535 > result.txt 2>&1
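The exchange that ldapbind -ZZ performs against the mainframe port, as an added stdlib-only Python example (not code from this article or from CA): the client opens a plain LDAP connection, sends the StartTLS extended request, checks the resultCode, and only then upgrades the socket to TLS and verifies the server certificate. This is why the port has to accept both non-SSL and SSL traffic. The byte layouts follow RFC 4511; the helper names and the host/port arguments are assumptions for illustration.

```python
import socket
import ssl
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID (RFC 4511)

def ber_len(n):
    # BER length octets: short form below 128, long form (0x80|N, then N bytes) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_starttls_request(msg_id=1):
    # LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }
    ext = tlv(0x77, tlv(0x80, START_TLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)   # msg_id below 128 assumed

def read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the BER TLV starting at buf[pos]
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def parse_extended_response(msg):
    # Return the resultCode of an [APPLICATION 24] ExtendedResponse; 0 means StartTLS accepted
    _, body, _ = read_tlv(msg, 0)            # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(body, 0)            # skip messageID
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag {tag:#x}")
    _, code, _ = read_tlv(resp, 0)           # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def probe_starttls(host, port, timeout=10.0):
    # StartTLS starts in cleartext, so the port must accept a plain LDAP connection first.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_extended_response(sock.recv(4096))   # short reply, one recv assumed
        subject = None
        if code == 0:
            ctx = ssl.create_default_context()            # verifies the server's cert chain
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = tls.getpeercert()["subject"]    # handshake failure raises SSLError
        return code, subject                              # (resultCode, cert subject or None)
```

If the mainframe certificate is issued by a private CA, load that CA with ctx.load_verify_locations() before wrapping the socket, otherwise the handshake fails exactly as ldapbind -ZZ would.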

Also, the original v1-type Top Secret connector requires that the certificate be installed on the Provisioning Server machine (not on the connector server).