User Lookup Helper does not consider SSL Port correctly
When the User Lookup Helper (ULH) is initialized via the RTE, the SSL port is not honoured even though ssl-enabled is set in ivmgrd.conf.
When the non-SSL LDAP port in ldap.conf is set to 636, the ULH connects correctly.
The runtime trace shows that the connection uses <URL>:389:readwrite:5.
(FYI: one cannot use a different init method, since the setup depends on a federated AD with Basic Users.)
The reason for this behaviour is that the ULH only works with Federated Registries and Basic Users when it is initialized via the RTE, and in that mode it assumes SSL for the directory connection.
The ULH cannot assume that it is running on the same appliance as a policy server, so it cannot rely on ivmgrd.conf; it has to use ldap.conf.
Put the certificate for the internal LDAP server into your registry keystore along with the AD certificate, and update ldap.conf, ivmgrd.conf and the WebSEAL configuration. If SSL to AD is required, also specify a keystore in ldap.conf.
And yes, ISAM reads the non-SSL port from the LDAP server configuration and then tries to connect via SSL (that is, it uses the port parameter rather than the ssl-port parameter for the connection), so you need to change port to 636 to make it work.
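The following is an added check, not part of this technote or of the ISAM product: it parses the [ldap] stanza of an ldap.conf, reports when ssl-enabled is set but port differs from ssl-port (the mismatch described above, which makes the RTE-initialized ULH connect to the non-SSL port), and applies the documented workaround of setting port to the SSL port. The sample configuration is constructed; the ssl-keyfile key is assumed from the "specify a keystore" advice above.

```python
"""Check an ISAM ldap.conf [ldap] stanza for the ULH port/ssl-port mismatch."""
import configparser

# Constructed sample reproducing the failing layout from the technote:
# ssl-enabled is on, but 'port' is the non-SSL port 389 and 'ssl-port' is 636.
# (host value and ssl-keyfile key are assumptions, not from the technote.)
SAMPLE_LDAP_CONF = """
[ldap]
host = ad.example.internal
port = 389
ssl-enabled = yes
ssl-port = 636
ssl-keyfile = registry-keystore
"""


def parse_ldap_conf(text):
    """Parse ldap.conf text (INI style) into a ConfigParser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def ulh_connection_port(cp):
    """Port the RTE-initialized ULH actually uses: 'port', not 'ssl-port'."""
    return cp.getint("ldap", "port")


def check_ulh_ssl(cp):
    """Return findings as strings; an empty list means ULH will reach the SSL port."""
    ldap = cp["ldap"]
    ssl_enabled = ldap.get("ssl-enabled", "no").strip().lower() in ("yes", "true")
    if not ssl_enabled:
        return []  # ULH is expected to use the plain port in this case
    port = ldap.getint("port")
    ssl_port = ldap.getint("ssl-port", fallback=636)
    findings = []
    if port != ssl_port:
        findings.append(
            f"ULH will connect to port {port} (the 'port' value), not ssl-port "
            f"{ssl_port}; set port = {ssl_port} as a workaround"
        )
    if not ldap.get("ssl-keyfile"):
        findings.append("ssl-enabled is yes but no ssl-keyfile (keystore) is set")
    return findings


def apply_workaround(cp):
    """Workaround from the technote: make 'port' equal to 'ssl-port' in place."""
    cp.set("ldap", "port", cp.get("ldap", "ssl-port", fallback="636"))
    return cp
```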
Note that the User Lookup Helper is also used by the username/password mechanism and within AAC mapping rules.
More support for:
IBM Security Access Manager
Component: Advanced Access Control
Software version: All Versions
Operating system(s): Platform Independent
Reference #: 0884160
Modified date: 13 May 2019