A custom JNDI connector is used for a specific password reset functionality - achieved by utilizing OpBinding.
The problem we encounter is that opening an ldaps connection takes exactly 30 seconds (a very long time).
We analysed the network traces and found out that the custom connector presents a client certificate "eta_server" whose CN does not correspond to the name of the machine and the service account used.
We believe that the 30 second delay is caused by the presentation of a client certificate.
How can one avoid presenting a client certificate during the SSL handshaking step from an Xpress connector JNDI?
Release : 14.x
Component : IdentityMinder(Identity Manager)
Different behavior of the socket factory classes: the default socket factory presents the client certificate when the LDAP server requests one, while CustomSSLSocketFactory does not.
Adjust the OpBinding code to use CustomSSLSocketFactory instead of the default socket factory:
- Add as line 1 of the OpBinding script:
importClass(Packages.com.ca.commons.security.ssl.CustomSSLSocketFactory)
- After the line
env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
add:
env.put("java.naming.ldap.factory.socket", "com.ca.commons.security.ssl.CustomSSLSocketFactory");
Background on why CustomSSLSocketFactory does not send the client certificate: CustomSSLSocketFactory uses two stores, CAKeyStore and ClientCertKeyStore. CAKeyStore holds the private, root and trusted certificates. ClientCertKeyStore, which would hold the client certificates, is NULL, so no client certificate is sent even when the server requests one.
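To make the mechanism concrete, the following is an added example (not CA's CustomSSLSocketFactory and not code from this article) of a socket factory that can be plugged into the same java.naming.ldap.factory.socket property. The JNDI LDAP provider loads the named class and calls its public static getDefault() method, so the class must extend javax.net.SocketFactory and provide that method. The trust store is loaded normally, but the SSLContext is initialised with an empty KeyManager array rather than null: a null KeyManager falls back to the JVM's default key store (javax.net.ssl.keyStore), which is how a certificate such as "eta_server" gets presented in the first place, whereas an empty array gives JSSE nothing to offer when the server sends CertificateRequest. The property names example.truststore and example.truststore.password, the connect() helper and the ldaps URL are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative socket factory (not CA's CustomSSLSocketFactory): trusts the CAs in a
 * trust store but carries no client key material, so the TLS handshake has no
 * client certificate to present when the LDAP server asks for one.
 */
public class NoClientCertSocketFactory extends SSLSocketFactory {

    private final SSLSocketFactory delegate;

    private NoClientCertSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** Called by the JNDI LDAP provider when java.naming.ldap.factory.socket names this class. */
    public static SocketFactory getDefault() {
        try {
            // Assumed property names for the example; adjust to the deployment.
            String path = System.getProperty("example.truststore", "truststore.jks");
            char[] pw = System.getProperty("example.truststore.password", "changeit").toCharArray();
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(path)) {
                ts.load(in, pw);
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            SSLContext ctx = SSLContext.getInstance("TLS");
            // new KeyManager[0], NOT null: null would fall back to javax.net.ssl.keyStore
            // and present whatever client certificate lives there.
            ctx.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom());
            return new NoClientCertSocketFactory(ctx.getSocketFactory());
        } catch (Exception e) {
            throw new IllegalStateException("cannot build client-cert-free SSL socket factory", e);
        }
    }

    // The abstract methods of SSLSocketFactory/SocketFactory simply delegate to JSSE.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }

    /** Opens the ldaps connection the same way the OpBinding snippet does, but through this factory. */
    public static DirContext connect(String ldapsUrl, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.factory.socket", NoClientCertSocketFactory.class.getName());
        long start = System.nanoTime();
        DirContext ctx = new InitialDirContext(env);
        // Timing the bind is the quickest check that the 30 second delay is gone.
        System.out.printf("ldaps bind took %d ms%n", (System.nanoTime() - start) / 1_000_000);
        return ctx;
    }

    public static void main(String[] args) throws NamingException {
        // Assumed invocation: <ldaps://host:636> <bind DN> <password>
        DirContext ctx = connect(args[0], args[1], args[2]);
        ctx.close();
    }
}
```

The factory still hands the provider ordinary JSSE SSLSocket objects, so server certificate validation against the trust store is unchanged; only the client side of the handshake loses its certificate. If the delay persists with a factory that demonstrably offers no client certificate, the cause lies elsewhere (server-side processing, name resolution, or the bind itself) rather than in client certificate presentation.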