
Procedure to implement SSL for Top Secret endpoint


Article ID: 224606




CA Identity Suite


How to implement SSL for a TS (Top Secret) endpoint in CA Identity Manager.


The mainframe port (1636, for example) needs to be configured as BOTH SSL and non-SSL so that the Provisioning Server can run StartTLS: the connection opens in plaintext and is then upgraded to TLS on the same port. Make sure the port allows both SSL and non-SSL. This is a configuration on the mainframe that must be performed by the MF administrator.

Then test whether StartTLS is working by running ldapbind with the -ZZ option. For syntax see:

Note that the -ZZ option:

Issues StartTLS (Transport Layer Security) extended operation. For -ZZ, if StartTLS does not finish successfully the utility exits when a failure occurs.


For example, here is what was used at another site to test StartTLS (the host name after -h was omitted from the original):

ldapbind -h -p 1636 -D "cn=AIAMD,host=TSS-SSA,c=us" -w PWD -ZZ -d 65535 > result.txt 2>&1
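The check above depends on having ldapbind installed. As an added example (not part of the original article or of CA's tooling), the following Python script probes an LDAP port the same way, without any LDAP client library: it first attempts an immediate TLS handshake (the "SSL" side of the port), then opens a plaintext connection and sends the LDAP StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) and inspects the extendedResponse resultCode (the "non-SSL plus StartTLS" side). A port configured as the article requires should pass both probes. The host name, port and the sample response bytes are constructed for illustration; certificate verification is disabled because the goal is to classify the port's behaviour, not to trust its certificate.

```python
"""Probe an LDAP port for implicit TLS and for StartTLS support.

Added example, not from the original article. Host/port values are assumptions.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    message_id must be below 128 so the one-byte INTEGER encoding is valid."""
    ext = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    op = b"\x77" + ber_len(len(ext)) + ext
    body = b"\x02\x01" + bytes([message_id]) + op
    return b"\x30" + ber_len(len(body)) + body


def ber_tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value_bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf):
    """Return (resultCode, errorMessage) from an LDAP extendedResponse message."""
    tag, msg, _ = ber_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = ber_tlv(msg)                 # messageID INTEGER
    tag, op, _ = ber_tlv(msg, pos)
    if tag != 0x78:                          # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an extendedResponse (tag 0x%02x)" % tag)
    _, code, pos = ber_tlv(op)               # resultCode ENUMERATED
    _, _, pos = ber_tlv(op, pos)             # matchedDN
    _, err, _ = ber_tlv(op, pos)             # errorMessage (diagnostic text)
    return int.from_bytes(code, "big"), err.decode("utf-8", "replace")


def recv_ldap_message(sock):
    """Read exactly one BER SEQUENCE (one LDAPMessage) from the socket."""
    head = sock.recv(2)
    if len(head) < 2:
        raise ConnectionError("server closed the connection before answering")
    length, rest = head[1], b""
    if length & 0x80:
        rest = sock.recv(length & 0x7F)
        length = int.from_bytes(rest, "big")
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        body += chunk
    return head + rest + body


def probe_port(host, port, timeout=5.0):
    """Return {'implicit_tls': bool, 'starttls': str} describing the port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # classifying the port, not trusting it
    result = {"implicit_tls": False, "starttls": "not tested"}
    # Probe 1: does the port accept a TLS handshake immediately?
    try:
        with socket.create_connection((host, port), timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                result["implicit_tls"] = tls.version() is not None
    except (ssl.SSLError, OSError):
        pass
    # Probe 2: plaintext connection upgraded with the StartTLS extended operation.
    try:
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(build_starttls_request())
            code, err = parse_extended_response(recv_ldap_message(s))
            if code != 0:
                result["starttls"] = "refused (resultCode %d: %s)" % (code, err)
            else:
                with ctx.wrap_socket(s, server_hostname=host) as tls:
                    result["starttls"] = "ok (%s)" % tls.version()
    except (ssl.SSLError, OSError, ValueError) as exc:
        result["starttls"] = "failed (%s)" % exc
    return result


# Constructed sample responses (not captured from a real server), for offline checks.
SAMPLE_OK = bytes.fromhex("300c020101" "78070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("301d020101" "78180a0101040004" "11") + b"TLS not supported"

if __name__ == "__main__":
    print(parse_extended_response(SAMPLE_OK), parse_extended_response(SAMPLE_REFUSED))
    print(probe_port("mainframe.example.internal", 1636))  # assumed host/port
```

Run the script against the mainframe host and port once the MF administrator has made the change; a correctly configured port reports `implicit_tls: True` and `starttls: ok (...)`, while a plaintext-only port reports `implicit_tls: False` and a refused or failed StartTLS, which is the same condition that makes `ldapbind -ZZ` exit with an error.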


Also, the original v1 type Top Secret Connector requires that the certificate be installed on the Provisioning Server machine (not the Connector Server), because it is the Provisioning Server that opens the StartTLS connection to the mainframe.