How do you setup ACF2 LDS to use AT-TLS?

Document ID : KB000014141
Last Modified Date : 14/02/2018
Question:

How do you setup ACF2 LDS to use AT-TLS?

Answer:

You can define an AT-TLS policy that creates an SSL/TLS tunnel for the IP address and port on which your remote LDAP server is listening, and then configure LDS to establish a plain ldap:// connection to that SSL port of the LDAP server. When LDS connects to LDAP, AT-TLS establishes the SSL connection (much like a VPN tunnel) and then lets LDS use ldap:// over the SSL channel. The setup is entirely in AT-TLS; LDS just runs over that tunnel.

The handshake role for the LDS LDAP connection should be set to Client. You can review the IBM Handshake Role documentation for more information at: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.halz002/attls_handshake_roles.htm

To avoid non-LDS LDAP client traffic matching the AT-TLS policy, you’ll probably want to specify the local IP address that LDS is using in the policy.
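The following Policy Agent AT-TLS fragment is an added illustration of the setup described above; it is not part of this document or of the ACF2 product documentation. The IP addresses, the LDS job name (ACF2LDS), the keyring name, the rule and action names, and the use of port 636 as the remote LDAPS port are all constructed assumptions and must be replaced with your own values.

```text
# Added example AT-TLS policy (Policy Agent syntax). All names and addresses
# below are constructed placeholders, not values from this document.

TTLSRule                          ACF2LDSToLDAP
{
   LocalAddr                      10.1.1.5        # assumed: local IP address LDS uses
   RemoteAddr                     10.2.2.20       # assumed: remote LDAP server IP address
   RemotePortRange                636             # assumed: SSL port on the LDAP server
   Jobname                        ACF2LDS         # assumed: LDS address space name
   Direction                      Outbound        # LDS initiates the connection
   TTLSGroupActionRef             grpLDSClient
   TTLSEnvironmentActionRef       envLDSClient
}

TTLSGroupAction                   grpLDSClient
{
   TTLSEnabled                    On
   Trace                          2               # log connection errors to syslogd while testing
}

TTLSEnvironmentAction             envLDSClient
{
   HandshakeRole                  Client          # LDS is the TLS client, the LDAP server is the TLS server
   TTLSKeyringParms
   {
      Keyring                     ACF2LDS.KEYRING # assumed: keyring holding the CA cert that signed the LDAP server cert
   }
   TTLSEnvironmentAdvancedParms
   {
      ApplicationControlled       Off             # LDS is unaware of TLS; AT-TLS handles it transparently
   }
}
```

With this policy in place, LDS is pointed at ldap://10.2.2.20:636 (plain ldap://, SSL port) and AT-TLS wraps the connection. Restricting the rule by both LocalAddr and Jobname keeps other LDAP clients on the LPAR from matching it unintentionally. The keyring only needs the CA certificate that issued the LDAP server's certificate unless the server requires client authentication, in which case a client certificate with its private key must also be connected to the keyring. After refreshing Policy Agent, `pasearch -t` will list the active AT-TLS rules so you can confirm the rule loaded as intended.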