6.2 Using Secure Sockets for Identity Applications Connections to the Identity Vault

By default, secure sockets are used for communication between the identity applications server and the Identity Vault. However, in some environments, not all communication needs to be secured. For example, if the identity applications and Identity Vault servers are on an isolated network, and the only ports available to the outside are the HTTP ports, it might be acceptable for some communication between the two servers to be accomplished using non-secure sockets. Some aspects of the application will always use a secure connection (for example, a user changing a password) even though the setting might indicate that secure connections are not required. Turning off secure connections, especially for user connections, can greatly increase performance and scalability. If, in a particular environment, there are many concurrent logins, and communication between the identity applications server and the Identity Vault server have been secured using the network setup, then turning off the secure connection for user connections greatly increase the number of concurrent logins that can be processed. We recommend that this option be used only when there is actual evidence of scaling or performance problems in the environment, and adding additional eDirectory servers is not an option.

Additionally, secure connections can be turned off for administrative connections. These connections are used for general queries on the Identity Vault server that do not require user credentials. These connections are pooled and used round-robin. The bind over a secure connection is only done once at application startup (or possibly again later on if the connection becomes unresponsive) and so does not represent the scalability issues that can arise with the user connections. However, the time it takes to encrypt and decrypt the data at both ends does add overhead. We recommend that the default setting be used, unless there is a need to gain extra performance.

Secure communications for administrative and user connections must be disabled in both the identity applications and in iManager.

6.2.1 Disabling Secure Communications Using the Configuration Update Utility

To disable the secure administrative and user connections in the identity applications:

  1. Run the configuration update utility:

    • Linux: configupdate.sh

    • Windows: configupdate.bat

    Launches Configuration Update utility.

  2. Deselect Secure Admin Connection and Secure User Connection.

  3. Click OK.

6.2.2 Disabling Secure Communications Using iManager

To disable the requirement for secure LDAP (LDAPS) connections for administrative and user connections to eDirectory using iManager:

  1. Log into your eDirectory .

  2. Navigate to the LDAP group object and display its properties.

  3. Click General.

  4. Deselect Require TLS for Simple Binds with Password.

NOTE:In a multi-server eDirectory , disabling TLS on the LDAP group removes the TLS requirement from all servers. If you want mixed TLS requirements for each individual server in your , you must enable the TLS requirement on each server.