

Cannot Connect to the CA IdentityMinder server when configuring the 64-bit Active Directory Password Synchronization Agent

Symptom:

When configuring the 64-bit Password Synchronization Agent (PSA), I am unable to connect to the CA IdentityMinder server to retrieve the list of available Active Directory endpoints.

Solution:

You can configure only the ciphers that CA IAM CS uses. To resolve the error, add the three SSL FIPS ciphers listed in step 3 to the cipher suite that CA IAM CS uses.

Follow these steps:

  1. Open the following configuration file in a text editor:
    cs_home\jcs\conf\server_osgi_shared.xml
    
  2. Locate the defaultCipherSuite property in the file. The following example code is from the file:
    <property name="defaultCipherSuite"><value>FIPS_TLS_PLUS_SSL_Ciphers</value></property>
    <property name="cipherSuites">
        <map>
            <entry key="FIPS_TLS_PLUS_SSL_Ciphers">
                <list>
                    <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
                    <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
                    <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
                </list>
            </entry>
        </map>
    </property>

    In this example, FIPS_TLS_PLUS_SSL_Ciphers is the default suite; its name matches the key of the cipher list under the cipherSuites property.

  3. Add the following entries to the list:
    <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
    <value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
    <value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
    
  4. Click Save.
  5. Restart the CA IAM CS service.

    The 64-bit Active Directory PSA now connects without an error.
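The edit in steps 2 and 3 can be scripted so that it is applied the same way on every CA IAM CS host and does nothing on a second run. The following script is an added example, not part of the CA documentation or the CA IAM CS product; it assumes only the file layout shown in step 2 (a defaultCipherSuite property and a cipherSuites map whose entry keys name lists of <value> elements) and uses the Python standard library. The embedded sample configuration is constructed for the example; the real file is cs_home\jcs\conf\server_osgi_shared.xml and contains more than this fragment.

```python
"""Add the three SSL 3DES cipher entries to the default cipher suite of a
CA IAM CS server_osgi_shared.xml file (added example, not CA's own code)."""
import xml.etree.ElementTree as ET
from pathlib import Path

# The three entries the procedure in step 3 adds.
SSL_3DES_CIPHERS = (
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
)

# Constructed sample resembling the fragment in step 2 (wrapped in a
# hypothetical <beans>/<bean> root so that it parses stand-alone).
SAMPLE_CONFIG = """<beans>
  <bean id="sslSettings">
    <property name="defaultCipherSuite"><value>FIPS_TLS_PLUS_SSL_Ciphers</value></property>
    <property name="cipherSuites">
      <map>
        <entry key="FIPS_TLS_PLUS_SSL_Ciphers">
          <list>
            <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
            <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
            <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
          </list>
        </entry>
      </map>
    </property>
  </bean>
</beans>
"""


def default_suite_name(root):
    """Return the suite named by the defaultCipherSuite property."""
    value = root.find(".//property[@name='defaultCipherSuite']/value")
    if value is None or not value.text:
        raise ValueError("defaultCipherSuite property not found")
    return value.text.strip()


def suite_list_element(root, suite_name):
    """Return the <list> element that holds the ciphers of the named suite."""
    xpath = f".//property[@name='cipherSuites']/map/entry[@key='{suite_name}']/list"
    lst = root.find(xpath)
    if lst is None:
        raise ValueError(f"cipher suite {suite_name!r} not found under cipherSuites")
    return lst


def ciphers_in(list_elem):
    """Cipher names in a <list>, in file order."""
    return [v.text.strip() for v in list_elem.findall("value") if v.text]


def add_ciphers(xml_text, new_ciphers=SSL_3DES_CIPHERS):
    """Add the missing ciphers to the default suite.

    Returns (updated_xml, added_names). Ciphers already present are skipped,
    so running the function twice changes nothing the second time."""
    root = ET.fromstring(xml_text)
    lst = suite_list_element(root, default_suite_name(root))
    present = set(ciphers_in(lst))
    added = []
    for cipher in new_ciphers:
        if cipher in present:
            continue
        children = list(lst)
        # Reuse the previous element's tail so the new line is indented like it.
        tail = children[-1].tail if children else "\n"
        elem = ET.SubElement(lst, "value")
        elem.text = cipher
        elem.tail = tail
        added.append(cipher)
    return ET.tostring(root, encoding="unicode"), added


def default_suite_ciphers(xml_text):
    """Check helper: the cipher names currently in the default suite."""
    root = ET.fromstring(xml_text)
    return ciphers_in(suite_list_element(root, default_suite_name(root)))


def patch_file(path):
    """Apply add_ciphers to a file on disk, keeping a .bak copy of the original."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    updated, added = add_ciphers(original)
    if added:
        p.with_suffix(p.suffix + ".bak").write_text(original, encoding="utf-8")
        p.write_text(updated, encoding="utf-8")
    return added


if __name__ == "__main__":
    updated, added = add_ciphers(SAMPLE_CONFIG)
    print("added:", added)
    print("default suite now:", default_suite_ciphers(updated))
```

Run it against the real file with patch_file(r"cs_home\jcs\conf\server_osgi_shared.xml") and then restart the CA IAM CS service as in step 5. ElementTree drops XML comments and the XML declaration when it rewrites the file, so compare the result with the .bak copy before relying on it. The three added entries are 3DES CBC ciphers, which are treated as legacy by current TLS guidance; keep them in the suite only for as long as the PSA needs them.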