Trying to Explore Layer7/SCIM endpoint and getting peer not authenticated error in Provisioning Server side

:ETA_E_0257<ECT>, Error listing Groups objects: Connector Server Add failed: code 53 (UNWILLING_TO_PERFORM): failed to add entry eTDYNDirectoryName=<Endpoint Name>,eTNamespaceName=<Endpoint Type Name>dc=im,dc=etasa: JCS@<Hostname>: SCIM: peer not authenticated (ldaps://<hostname of connector server>:20411)

Release : 14.4

Component :

• Api Gateway / Layer7 when configured to require a certificate to authenticate and Certificate Store in Connector Server in IM does not have the certificate
• Also we need that firewall rules allow communication 

Identified that problem was related the certificate stores of CX/CS/IM were without the Api Gateway (Layer7) imported.

The issue was the missing certificate in 14.4. Imported the ApiGateway Certificate in IM side (CS) this resolved the issue.

Following some certificates types that IM need imported as example including the Api gateway certificate locations

• In Connector Xpress: - > Insert custom_root.cer / custom_intermediate.cer / Windows_CS.cer / API_GATEWAY.cer certificates got from Api Gateway. This will allow Test Connection via Connector Xpress and the Layer7 datasource type
  
  Location in Connector Xpress: File ...\Virtual Appliance Tools 14.4\CA-IM_ConnectorXpress\software\confssl.keystore password: changeit
  
  
• In Windows  Connector Server : - > Insert custom_root.cer / custom_intermediate.cer / Windows_CS.cer / API_GATEWAY.cer got from Api Gateway. This will allow the Connector Server itself communicates with layer7 endpoint type created in Cx;
  
  Location in Windows Connector Server:  File ...\Connector Server\jcs\conf\ssl.keystore - > Insert custom_root.cer / custom_intermediate.cer / Windows_CS.cer / API_GATEWAY.cer
  
  
• API GATEWAY    - > Insert custom_root.cer / custom_intermediate.cer / Windows_CS.cer (same that were inserted in CX and Windows Connector Server)
  
  Location in Api Gateway: Menu Tasks/certificates/ Manage certificates where can get the API Gateway certificate and also do other tasks related to Certificates. In this example Api gateway also having same certificates that IM as  root cert, custom intermediate and their windows certificate. This menu also allows export the API_GATEWAY.cer mentioned in above examples.
  
  
• vApp nodes:
  
  Each vApp on the cluster must have those commands to import any certificate that company needs including here the API Gateway certificate to communicate with a Layer7 type endpoint:
  /opt/CA/openjdk1.8/jre/lib/security/cacerts

1 – upload all certificates to /home/config folder
2 - Now in the console of each server, run this commands (adapting the 'custom_root' and 'custom_intermediate' adapting the names to the reality of the environment

keytool -import -file /home/config/custom_root.cer -alias 'custom_root' -keystore /opt/CA/openjdk1.8/jre/lib/security/cacerts -storepass changeit  -noprompt
keytool -import -file /home/config/custom_intermediate.cer -alias 'custom_intermediate' -keystore /opt/CA/openjdk1.8/jre/lib/security/cacerts -storepass changeit
keytool -import -file /home/config/Windows_CS.cer -alias 'Windows_CS' -keystore /opt/CA/openjdk1.8/jre/lib/security/cacerts -storepass changeit
keytool -import -file /home/config/API_GATEWAY.cer -alias 'API_GATEWAY' -keystore /opt/CA/openjdk1.8/jre/lib/security/cacerts -storepass changeit

• Connector Server Ports to Communicate with External Another point is to check if External Windows Connector Server have firewall ports blocking communication. (please see link SYMANTEC IDENTITY MANAGER 14.4 - Default Ports for Identity Manager and Associated Components). 
  
  To allow the ports (in case this are blocked by Windows Firewall) please use the commands below with monitoring of the windows administrator.
  
  Check if ports talking with ApiGateway are allowed in local firewall. If not also include in the list of added ports.
  
  Example allowing ports in Windows Connector Server.
  
  

netsh firewall add portopening TCP 20390 "CA-CS SERVER 20390"
netsh firewall add portopening TCP 20410 "CA-CS LDAP 20410"
netsh firewall add portopening TCP 20411 "CA-CS LDAPS 20411"
netsh firewall add portopening TCP 22001 "CA-CS Broker-HTTP 22001"
netsh firewall add portopening TCP 22002 "CA-CS BROKER-HTTPS 22002"
netsh firewall add portopening TCP 20080 "CA-CS WEB-HTTP 20080"
netsh firewall add portopening TCP 20443 "CA-CS WEB-HTTPS 20443"
netsh firewall add portopening TCP 22099 "CA-CS RMI 22099"