Is there a way to use encrypted channels for Top Secret LDS (LDAP Directory Services) to remote LDAP directory communications? Only the encryption is needed. No authentication with certificates is necessary.
Instead of configuring TLS through LDAP, the recommendation is to set up LDS through AT-TLS. Using AT-TLS provides access to the latest SSL libraries on z/OS and makes for easier configuration from a centralized point, rather than having to configure both IDM and LDS with respective certs/keyrings.
You can set an AT-TLS policy to create an SSL pipe for the IP address/port that your remote LDAP server is listening on, and then configure LDS to establish a plain ldap:// connection to the SSL port of that LDAP server. When LDS connects to LDAP, AT-TLS establishes the SSL connection (much like a VPN tunnel) and then lets LDS use ldap:// over the SSL channel. The setup is entirely in AT-TLS; LDS just runs over that tunnel.
The handshake role for the LDS LDAP connection should be set as a client. See Picking the handshake roles for more information.
This will require Top Secret fix LU12726 and the following:
1. Specify the following syntax in the pagent configuration section for the TSSLDS ID, based on the configuration samples sent previously, something like the following:
TTLSKeyringParms keyR1
{
Keyring owner/ringname
}
Where:
‘owner’ is the keyring owner
‘ringname’ is the keyring name
This should get pagent to pass, through the policy, the correct Top Secret LDS ACID that was set up for the certificate, which is what makes this work.
2. Have LDS SSL turned off (ldap:// instead of ldaps://). This is what the "application transparent" part of AT-TLS means: the LDAP client application (LDS) does not need to be aware that TLS is active for the connection, because AT-TLS encrypts the connection on its behalf.
3. Target the remote LDAP server's LDAPS endpoint (the host and SSL port that would normally be used for ldaps://), still using the ldap:// scheme.
4. Use port 20390, which is the IDM SSL port.
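The steps above, assembled into one AT-TLS policy fragment for pagent. This is an added example and not configuration from the original answer or from the product documentation. The page supplies only the TTLSKeyringParms name keyR1, the TSSLDS ID and port 20390; the rule/action names (LDSClientRule, grpLDS, envLDS, advLDS), the remote address 10.0.0.5 and the owner/ringname placeholders are assumptions you must replace with your own values. It sets HandshakeRole Client so that AT-TLS validates the remote LDAP server's certificate against the keyring but sends no client certificate, which matches the "encryption only, no certificate authentication" requirement, and it disables SSLv3 and TLSv1 so that only TLSv1.2 is negotiated.

```text
# Added example AT-TLS policy for an outbound LDS -> remote LDAP connection.
# All names and addresses below are assumptions except keyR1, TSSLDS and 20390,
# which come from the answer above.

TTLSRule                         LDSClientRule
{
   RemoteAddr                    10.0.0.5      # assumed: remote LDAP server
   RemotePortRange               20390         # IDM SSL port from the answer
   Direction                     Outbound
   Userid                        TSSLDS        # Top Secret LDS ACID
   TTLSGroupActionRef            grpLDS
   TTLSEnvironmentActionRef      envLDS
}

TTLSGroupAction                  grpLDS
{
   TTLSEnabled                   On
   Trace                         2             # errors only; raise while debugging
}

TTLSEnvironmentAction            envLDS
{
   HandshakeRole                 Client        # LDS is the TLS client
   TTLSKeyringParmsRef           keyR1
   TTLSEnvironmentAdvancedParmsRef advLDS
}

TTLSKeyringParms                 keyR1
{
   Keyring                       owner/ringname   # replace with keyring owner/name
}

TTLSEnvironmentAdvancedParms     advLDS
{
   SSLv3                         Off
   TLSv1                         Off
   TLSv1.2                       On
}
```

With this policy active, LDS is configured with a plain ldap://10.0.0.5:20390 target (using your real address); AT-TLS intercepts the outbound connection from the TSSLDS address space and wraps it in TLS before any LDAP traffic leaves the host. The keyring named in keyR1 must contain the CA certificate that signed the remote server's certificate, otherwise the client-side handshake fails and the connection is never established; check the pagent and TCP/IP job logs for the AT-TLS return code in that case.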