IBM Support

User Lookup Helper does not consider SSL Port correctly

How To

Summary

When the User Lookup Helper (ULH) is initialized with the RTE method, the SSL port is not used correctly, even though ssl-enabled is defined in ivmgrd.conf.

When the non-SSL LDAP port in ldap.conf is set to 636, the ULH connects correctly.
The runtime trace shows that the connection uses <URL>:389:readwrite:5.
(FYI: a different init method cannot be used, because the setup depends on a federated AD with Basic Users.)

The reason for this behaviour is that, when RTE initialization is used, the ULH only works with Federated Registries and Basic Users, and it assumes SSL for the directory connection.

The ULH cannot assume that it is running on the same appliance as a policy server, so it cannot rely on ivmgrd.conf; it has to use ldap.conf.

You should add the certificate for the internal LDAP to your registry keystore alongside the AD certificate, and update ldap.conf, ivmgrd.conf and the WebSEAL configuration. If SSL to AD is required, specify a keystore in your ldap.conf.

And yes, ISAM reads the non-SSL port from the LDAP server configuration and then tries to connect via SSL (i.e. it uses the port parameter, not the ssl-port parameter, for the connection), so you need to change port to 636 to make it work.
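As an added example (not part of this technote or of the product), a small Python check that parses the [ldap] stanza of ldap.conf and flags the condition described above: ssl-enabled is set, but the ULH will still connect to the value of `port` rather than `ssl-port`. The stanza name, key names and sample values are assumptions modelled on the usual ldap.conf layout, and the keystore path is a placeholder.

```python
import configparser
from typing import Dict, List

# Constructed sample of an ldap.conf [ldap] stanza (not from a real appliance).
# Stanza and key names are assumptions based on the usual ldap.conf layout.
LDAP_CONF_BEFORE = """
[ldap]
host = ldap.example.test
port = 389
ssl-enabled = yes
ssl-port = 636
ssl-keyfile = /placeholder/path/registry-keystore.kdb
"""

# Same stanza with the workaround from the technote applied: port = 636.
LDAP_CONF_AFTER = LDAP_CONF_BEFORE.replace("port = 389", "port = 636")


def parse_ldap_stanza(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [ldap] stanza (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["ldap"]) if cp.has_section("ldap") else {}


def ulh_connection_issues(stanza: Dict[str, str]) -> List[str]:
    """Flag the mismatch the technote describes: with ssl-enabled = yes the
    User Lookup Helper connects to `port`, not `ssl-port`, so the two must
    agree. Also flag a missing keystore when SSL is enabled."""
    issues: List[str] = []
    ssl_enabled = stanza.get("ssl-enabled", "no").strip().lower() == "yes"
    port = stanza.get("port", "389").strip()
    ssl_port = stanza.get("ssl-port", "636").strip()
    if ssl_enabled and port != ssl_port:
        issues.append(
            f"ssl-enabled is yes but ULH will connect to port {port} "
            f"(ssl-port is {ssl_port}); set port = {ssl_port}"
        )
    if ssl_enabled and not stanza.get("ssl-keyfile", "").strip():
        issues.append("ssl-enabled is yes but no ssl-keyfile (keystore) is set")
    return issues


if __name__ == "__main__":
    for label, conf in (("before", LDAP_CONF_BEFORE), ("after", LDAP_CONF_AFTER)):
        print(label, ulh_connection_issues(parse_ldap_stanza(conf)) or ["OK"])
```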

By the way, the User Lookup Helper is also used by the username/password mechanism and within AAC mapping rules.

Historical Number

TS002042375

Product Alias/Synonym

TAM
SAM
ISAM

Document information

More support for: IBM Security Access Manager

Component: Advanced Access Control

Software version: All Versions

Operating system(s): Platform Independent

Reference #: 0884160

Modified date: 13 May 2019