The problem is TLS certificate validation in the connectors. They are mostly using the system-global truststore now. MidPoint has its own keystore/truststore, which means the truststore has to be set by -Djavax.net.ssl.trustStore. That is not very user-friendly, and it is a source of problems (e.g.
We would like to figure out a way to make connectors use the midPoint keystore. Maybe there is a need for a ConnId extension that would convey the application (midPoint) setting to the connectors? Maybe there is some way to do this directly in JCE? There seems to be no easy and straightforward way. This needs to be explored.
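
Added example, not midPoint or ConnId code: a sketch of what a connector would have to do to validate TLS against a keystore handed to it by the application instead of the JVM-wide truststore. It assumes the keystore path, type and password reach the connector somehow (here as command-line arguments), which is exactly the piece that is missing today; the class and method names are hypothetical.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ScopedTrustStoreExample {

    /** Builds an SSLContext whose trust anchors come only from the given keystore file. */
    static SSLContext contextFor(Path keystoreFile, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            ks.load(in, password);
        }
        // An empty keystore would only fail later, during the handshake; fail early instead.
        if (ks.size() == 0) {
            throw new IllegalStateException("Keystore has no entries: " + keystoreFile);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material, trust managers from the application keystore, default RNG.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Arguments (all supplied by the caller): keystore path, keystore type, password, https URL.
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor(Path.of(args[0]), args[1], args[2].toCharArray());

        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(args[3]).toURL().openConnection();
        // Scope the trust decision to this one connection. Neither the
        // javax.net.ssl.trustStore system property nor the JVM default SSLContext is touched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP status: " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

This only works when the connector itself builds its connections from the supplied SSLContext; a connector or client library that creates sockets through the JVM defaults still validates against the system-global truststore.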