So this snuck it without much fanfare but I was waiting for this feature (and just in time) as a client had just asked about it.

IDN is a great SaaS platform application which requires very little on-prem deployments. VA (Virtual Appliance) is obviously the key one but all the security and patching is managed by SailPoint itself. 

IQService is another must have tool for most clients as it is needed for AD Provisioning (among few other things it does for other connectors). So its generally deployed in nearly every client instance. One of the main thing about this is that it was not autoupdated and thus client needed to download the latest and do an update themselves. Although its not a lot (maybe twice a year) but still good to have a software which can patch itself to latest version. And of course this is optional and who don’t want this can choose not to install the feature but we highly recommend it.  

You DON’T need to give internet access to the IQService boxes to download latest updates. The latest IQService binaries are pushed to and are present on VA. This is via our existing process of update bundles being pushed to VA from cloud. At connector level, version is checked for IQService and if there is mismatch (new version available), latest version will be pushed out to UpdateService from the VA (As they already have line of sight to each other). Then UpdateService will coordinate and update local and then remote services.  It is quite simple process where in the respective services are stopped and binaries are replaced.

Article assumes you know what IQService is and where to deploy it. I will quickly give some commands on how to do so with the latest release. I will show various setups and quick commands to run to update them.

NOTE: You must have Provisioning License to use IQService. Talk to your CSM about it and make sure you are licensed to use it.

Documentation: https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/intro.html

Uninstall Previous IQService

Single Box install with Fallback Implementation

Assumptions
  • Installing TLS port only: 5060
  • UpdateService Port: 5062
  • User authenticating against IQService: abc\sailpoint
  • Software downloaded and extracted: C:\SailPoint\IQService\
  • Domain: abc.local
  • Certificates already configured and working for TLS (Check this post to do self sign cert for home labs)
  • Firewall is open for TLS port. You don’t have to open for 5062 as no remote IQService is connecting to it in this configuration. 
Check Status of Services
Check Status of UpdateService

IQService UpdateService

Multiple Box Install with Client Side Load Balancer

Assumptions
  • Installing TLS port only: 5060
  • UpdateService Port: 5062
  • User authenticating against IQService: abc\sailpoint
  • Software downloaded and extracted: C:\SailPoint\IQService\
  • Domain: abc.local
  • Certificates already configured and working for TLS (Check this post to do self sign cert for home labs)
  • Firewall is open for ports 5060 TLS on both servers and on primary server for UpdateService 5062 to accept incoming requests from other IQService boxes for update check.
  • Installing on two boxes: iqservice1.abc.local (considered primary) ; iqservice2.abc.local (considered secondary)
  • Box boxes can talk to each other for UpdateService
iqservice1.abc.local (installing UpdateService here)
iqservice2.abc.local (Going to connect to above UpdateService Instance)

That is it!!! you should have an IQService which can update itself and keep the environment updated with latest features and bug fixes.

 


5 Comments

Tom Bui · 07/19/2022 at 2:33 AM

Probably want to talk about the UpdateServices.exe -h

UpdateService [-p ] [-c] [-t] [-l ] [-f ] [-u ] [-q ]
-? | h This help output
-t Restart (stop/start) the service

Following Parameters: (require a restart of the UpdateService)

-l Trace Level 0-3 0=off 1=error 2=info 3=debug
-f Trace File Name
-p Update the port
-u Enable or disable TLS
-q Connection read timeout for the UpdateService

Also, any way to force an update by chance?

What’s the difference between tcp vs tcps? I am assuming the secure.
What’s the default port that the UpdateService actually tries to install on?
Typically, customers will need to open firewalls and application-id to the IQService Host for the update to be successful.

    Piyush Khandelwal · 07/19/2022 at 1:36 PM

    Hey Tom

    Thanks for the update.. Yes those commands are helpful and in documentation. There is no way to force update as it will be a push from connector afaik. You can always do a manual update like previously. Yeah TCP/TCPS is also just secure ports thing. In my testing the default port picked up by UpdateService is the next available one (so if installing on 5050 then it tries to take 5051 in a load balancer config or 5052 in a fallback config since 5051 is taken by the secondary service).. Did mention about firewall that for update we need VA -> PrimaryIQS and Secondary IQS<->Primary for updates..

    Cheers

Rodrigo · 04/27/2023 at 5:28 AM

Hello, we are implementing balanced IQService with F5, but it gives us a Connection reset error, it is enabled with TCP port 5050 and a self-signed domain certificate. Any idea what it could be?

    Piyush Khandelwal · 04/27/2023 at 7:10 AM

    Hi @Rodrigo

    Could be multiple things and I would recommend a support ticket to resolve the issue. Few things I would try it to connect without F5 and see if it works (to see LB issue), connect without SSL port and see if that works (SSL Cert Issue). Self signed definitely works as I have shown in another article of mine

    Recommend raising a support ticket.

    Thanks

Tom Bui · 04/27/2023 at 9:09 AM

Your load balancer is doing health check and it is causing the time out error. You can increase the health check time out or developer other mechanisms to check for up time.

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: