The fields are arranged in the order they appear when selecting the LDAPS option in the EEM UI User Store connection settings window. All paths below can be written literally, or else EEM assumes the files are taken from the EIAM_HOME environment variable as the start point if using just the file name. Please include the file extension. 

• This is required when LDAP Server mandates client certificate during SSL/TLS handshake for SSL/TLS communication. If the LDAP server does not require client certificate, this field can be left empty. In other words, if a certificate authority server requires the local machine client cert as part of the signing chain, you will need this. The LDAP server will have the corresponding certificate which it will use to validate the certificate during handshake process. This is rarely needed in most cases. 

• This field is required in conjunction with the above field. It represents the key file separated from the Certificate chain. This is a private key which was used to generate the client certificate. It is a physical file, not a path to a keystore file. 

This is the field you specify the Certificate Authority certificate which will be used by EEM server to validate the certificate sent by LDAP Server. If the customer does not provide any certificate over here, EEM server will accept any certificates which it receives from LDAP during SSL/TLS handshake. This is not ideal in a secure environment, but EEM will accept the certificate presented by the LDAP server and use it it the LDAP server does not require one be present on the client machine (EEM server). This is possible because SSL/TLS protocol does not mandate use of client certificate. It’s optional and will depend upon how LDAP Server is configured. This field is what has been by experience, the most widely used option for connection from EEM to LDAP over a secure port (636, 3269).