By default, secure sockets are used for communication between the User Application server and the Identity Vault. However, in some environments, not all communication needs to be secured. For example, if the User Application and Identity Vault servers are on an isolated network, and the only ports available to the outside are the HTTP ports, it might be acceptable for some communication between the two servers to be accomplished using non-secure sockets. Some aspects of the application will always use a secure connection (for example, a user changing a password) even though the setting might indicate that secure connections are not required. Turning off secure connections, especially for user connections, can greatly increase performance and scalability. If, in a particular environment, there are many concurrent logins, and communication between the User Application server and the Identity Vault server have been secured using the network setup, then turning off the secure connection for user connections greatly increase the number of concurrent logins that can be processed. We recommend that this option be used only when there is actual evidence of scaling or performance problems in the environment, and adding additional eDirectory servers is not an option.
Additionally, secure connections can be turned off for administrative connections. These connections are used for general queries on the Identity Vault server that do not require user credentials. These connections are pooled and used round-robin. The bind over a secure connection is only done once at application startup (or possibly again later on if the connection becomes unresponsive) and so does not represent the scalability issues that can arise with the user connections. However, the time it takes to encrypt and decrypt the data at both ends does add overhead. We recommend that the default setting be used, unless there is a need to gain extra performance.
Secure communications for administrative and user connections must be disabled in both the User Application and in iManager.
To disable the secure administrative and user connections in the User Application:
Run the configupdate script, located in the User Application directory, as follows:
Linux: Type the following to run configupdate.sh:
./configupdate.sh
Windows: Run configupdate.bat
Launches Configuration Update utility.
Deselect Secure Admin Connection and Secure User Connection.
Click OK.
To disable the requirement for secure LDAP (LDAPS) connections for administrative and user connections to eDirectory using iManager:
Log into your eDirectory tree.
Navigate to the LDAP group object and display its properties.
Click General.
Deselect Require TLS for Simple Binds with Password.
NOTE:In a multi-server eDirectory tree, disabling TLS on the LDAP group removes the TLS requirement from all servers. If you want mixed TLS requirements for each individual server in your tree, you must enable the TLS requirement on each server.