Configure TLS Communication

You can configure TLS communication between the IBM Tivoli Directory Server source and the LDAP Server. For a Java client to connect using TLS and self-signed certificates, you must install the certificate into the JVM keystore.

Note
SailPoint recommends using TLS along with Simple Authentication.

To configure TLS communication between the IBM Tivoli Directory Server and the LDAP server, perform the following:

From the IBM Tivoli Directory Server, export the LDAP X.509 Certificate and copy it to the SailPoint computer.

Note
Ensure that the SailPoint computer also trusts the CA Root. To do that, add the CA Root certificate to the truststore of JRE running the SailPoint application.

If you are using CAcerts as the Java default keystore, then run the following command on the SailPoint server:

Copy

keytool -keystore <"absolutePathtoJavaKeystoreCAcerts"> -importcert -alias <"userDefinedAliasNameForLDAPCert"> -file <"absoluterPathToLDAPCertificate">

If you are using a custom keystore, then add the following lines into the catalina.bat (Tomcat Configuration) and the iiq.bat configuration file as follows:
Copy
```
-Djavax.net.ssl.trustStore="<path to keystore>"
-Djavax.net.ssl.trustStorePassword="<keystore password>"
```
Restart the application server after the certificate import or after any changes are made to application server configuration.
While configuring IBM Tivoli DS - Direct, be sure to select the Use TLS checkbox.

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.

Configure TLS Communication

Documentation Feedback