After upgrading the CA SSO Policy Server to 12.52 SP2, it is no longer able to establish a secure (LDAPS) connection to the LDAP store.
The previous version of CA SSO (12.52 SP1) establishes the secure connection to the same LDAP server without problems.
smps.log shows:
[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.
[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:950][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server ad2k8-01 : 636. Error 81-Can't contact LDAP server
Starting with r12.52 SP2 of the CA SSO Policy Server, support for the SSLv3 protocol on secure connections to the LDAP store is disabled by default.
This change was made to mitigate the SSLv3 POODLE vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566
This can be seen in smps.log as well:
[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.
What this means is that the Policy Server now uses the TLS protocol instead to establish the secure channel to the LDAP store, so the LDAP server must accept a TLS version that the Policy Server offers.
The detailed list of TLS protocol versions supported by each version of the CA SSO Policy Server is here:
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=11564
So if none of the TLS protocol versions supported by the Policy Server is enabled on the LDAP server, the Policy Server cannot establish a secure connection to it, and the bind fails with the error 81 (can't contact LDAP server) shown above.
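The quickest way to confirm this cause is to ask the directory server directly which protocol versions it will negotiate on port 636. The script below is an added example, not part of the KB article or of the CA SSO product: it opens a TCP connection to the LDAPS port and attempts one handshake per protocol version using the .NET SslStream class. The host name ad2k8-01 and port 636 are taken from the smps.log excerpt above and are assumptions; replace them with your own directory server. Note that the probing host's own Schannel policy also limits what the client side can offer, so run it from a machine that is allowed to use the versions you are testing.

```powershell
# Added example (not from the KB article): probe an LDAPS endpoint and report
# which SSL/TLS protocol versions it will negotiate. Host name and port are
# assumptions taken from the smps.log excerpt; adjust them for your directory.
param(
    [string]$LdapHost = 'ad2k8-01',
    [int]$Port = 636
)

# Names as defined by the [System.Security.Authentication.SslProtocols] enum.
$versions = 'Ssl3', 'Tls', 'Tls11', 'Tls12'

# Certificate trust is deliberately ignored here: the question is only whether
# the server speaks a given protocol version, not whether its certificate is valid.
$acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback] { $true }

foreach ($name in $versions) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($LdapHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAnyCert)
        $proto = [System.Security.Authentication.SslProtocols]$name
        # Offer exactly one protocol version, so a failure pins the blame on that version.
        $ssl.AuthenticateAsClient($LdapHost, $null, $proto, $false)
        '{0,-6} OK    negotiated {1} with {2}' -f $name, $ssl.SslProtocol, $ssl.CipherAlgorithm
        $ssl.Dispose()
    } catch {
        # A server that has the version disabled (or a client OS that refuses to
        # offer it) lands here; the message says which side gave up.
        '{0,-6} FAIL  {1}' -f $name, $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
}
```

If the line for `Tls` (TLSv1.0) reports FAIL while the directory server is otherwise reachable, the Policy Server release described in this article will produce exactly the error 81 bind failure shown above; a FAIL for `Ssl3` is expected and is not a problem.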
Configure the LDAP server to support the TLS protocol version supported by your version of the CA SSO Policy Server, as per:
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=11564
As of r12.52 SP2 CR1 (current at the time of writing), the Policy Server supports only TLSv1.0 for this connection and will fail to connect if the LDAP server does not accept TLSv1.0.
So ensure that TLSv1.0 is enabled on the LDAP server to resolve this connectivity issue. Bear in mind that enabling TLSv1.0 on the directory server re-enables a protocol version that is itself deprecated, and that the setting applies to every LDAPS client of that server, not only to the Policy Server; check the article above for the Policy Server release you actually run and enable only the TLS versions that release needs.
For example, in the case of Active Directory you can configure the Schannel protocols as per this guide:
https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10
Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Subkey: DisabledByDefault
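The following script is an added example, not part of the KB article or the Microsoft guide, showing the registry change above done from an elevated PowerShell session on the domain controller. Besides the DisabledByDefault value named above, Schannel also honours an Enabled DWORD under the same key (0 turns the version off), so the script checks both and, when run with -Enable, sets both so that TLSv1.0 is accepted server-side. Only the Server subkey is touched; the Client subkey governs the DC's own outbound connections and is not needed for this issue. The key path is the one given in the article; everything else (function name, parameter name, status strings) is this example's own.

```powershell
# Added example (not from the KB article): inspect, and with -Enable turn on,
# server-side TLS 1.0 in Schannel on an Active Directory domain controller.
# Run in an elevated PowerShell session on the DC; Schannel reads these values
# at boot, so a reboot is required after changing them.
param([switch]$Enable)

# Registry path from the article; the value names are the ones Schannel reads.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'

function Get-Tls10ServerState {
    # No key at all means no override: the operating system default applies.
    if (-not (Test-Path -Path $key)) { return 'not configured (OS default)' }
    $p = Get-ItemProperty -Path $key
    # Two DWORDs matter: Enabled (0 = off) and DisabledByDefault (1 = off unless an
    # application explicitly asks for TLS 1.0). Either one can block the version.
    if ($null -ne $p.Enabled -and $p.Enabled -eq 0) { return 'disabled (Enabled=0)' }
    if ($null -ne $p.DisabledByDefault -and $p.DisabledByDefault -eq 1) { return 'disabled (DisabledByDefault=1)' }
    return 'enabled'
}

"TLS 1.0 server state before: $(Get-Tls10ServerState)"

if ($Enable) {
    # Create the key only if it is missing, so existing values are left intact.
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    "TLS 1.0 server state after:  $(Get-Tls10ServerState) (reboot the DC for Schannel to apply it)"
}
```

Run it once without -Enable to record the current state (this is what the first screenshot below captures), then with -Enable, reboot the domain controller, and retry the Policy Server connection. Because the change widens what the DC accepts from all LDAPS clients, treat it as a temporary measure and revert it once the Policy Server is on a release that supports a newer TLS version.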
With TLSv1.0 Disabled on Active Directory
1. Screenshot TLSv1.0 Disabled on AD
2. Screenshot SSL Handshake failure on Policy server side
3. Screenshot Admin UI showing connection failure
With TLSv1.0 Enabled on Active Directory
1. Screenshot TLSv1.0 Enabled on AD
2. Screenshot SSL Handshake Successful on Policy server side
3. Screenshot Admin UI showing connection success and retrieving result