How to implement SSL for a TS (Top Secret) endpoint in CA Identity Manager.
The mainframe port (1636, for example) must be configured as BOTH SSL and non-SSL so that the Provisioning Server can run StartTLS: the connection is opened in the clear and then upgraded to TLS on the same port. This is a configuration on the mainframe that must be performed by the mainframe (MF) administrator.
Then verify that StartTLS is working by running ldapbind with the -ZZ option. For the syntax, see:
https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/command-reference/command-line-utilities-for-the-ca-ldap-server/ldapbind-verify-a-user-id-and-password.html
Note the meaning of the option:
-Z[Z]
Issues the StartTLS (Transport Layer Security) extended operation. With -ZZ, the utility exits if StartTLS does not complete successfully.
For example, here is the command used at another site to test StartTLS, with the debug output (-d) redirected to result.txt:
ldapbind -h mainframe.TSS.com -p 1636 -D "cn=<UserName>,host=<Hostname>,c=us" -w PWD -ZZ -d 65535 > result.txt 2>&1
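As an added example (not from this article or the CA LDAP Server tooling), the following Python script does what ldapbind -ZZ does over a raw socket: it connects to the plaintext port, sends the StartTLS extended request and, only if the server answers resultCode 0, upgrades the connection to TLS. Host, port and the optional CA bundle path are assumptions you supply; a non-zero resultCode or a failed handshake means the port is not accepting StartTLS as described above.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 4511)

def ber_len(n):
    """Encode a BER length: short form below 128 octets, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload  # one BER tag-length-value

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low bits give the number of length octets
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Return (message_id, result_code, diagnostic) from an ExtendedResponse [APPLICATION 24]."""
    _, msg, _ = read_tlv(data, 0)                 # outer LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(msg, 0)                # messageID INTEGER
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag 0x{op_tag:02x}")
    _, code, pos = read_tlv(op, 0)                # resultCode ENUMERATED (0 = success)
    _, _, pos = read_tlv(op, pos)                 # matchedDN, unused here
    _, diag, _ = read_tlv(op, pos)                # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def starttls_probe(host, port, cafile=None, timeout=5.0):
    """Connect in the clear, request StartTLS and, if granted, complete the TLS handshake."""
    ctx = ssl.create_default_context(cafile=cafile)  # pass the mainframe CA bundle if it is private
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            return False, f"StartTLS refused: resultCode={code} {diag!r}"
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return True, f"StartTLS ok: {tls.version()} via {tls.cipher()[0]}"
```

Call starttls_probe("mainframe.TSS.com", 1636) with the host and port from the ldapbind command; like -ZZ, it reports a refusal instead of silently continuing in the clear.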
Also note that the original v1 Top Secret connector requires the certificate to be installed on the Provisioning Server machine (not the Connector Server); see:
https://knowledge.broadcom.com/external/article/52461