So this snuck it without much fanfare but I was waiting for this feature (and just in time) as a client had just asked about it.

IDN is a great SaaS platform application which requires very little on-prem deployments. VA (Virtual Appliance) is obviously the key one but all the security and patching is managed by SailPoint itself. 

IQService is another must have tool for most clients as it is needed for AD Provisioning (among few other things it does for other connectors). So its generally deployed in nearly every client instance. One of the main thing about this is that it was not autoupdated and thus client needed to download the latest and do an update themselves. Although its not a lot (maybe twice a year) but still good to have a software which can patch itself to latest version. And of course this is optional and who don’t want this can choose not to install the feature but we highly recommend it.  

You DON’T need to give internet access to the IQService boxes to download latest updates. The latest IQService binaries are pushed to and are present on VA. This is via our existing process of update bundles being pushed to VA from cloud. At connector level, version is checked for IQService and if there is mismatch (new version available), latest version will be pushed out to UpdateService from the VA (As they already have line of sight to each other). Then UpdateService will coordinate and update local and then remote services.  It is quite simple process where in the respective services are stopped and binaries are replaced.

Article assumes you know what IQService is and where to deploy it. I will quickly give some commands on how to do so with the latest release. I will show various setups and quick commands to run to update them.

NOTE: You must have Provisioning License to use IQService. Talk to your CSM about it and make sure you are licensed to use it.

Documentation: https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/intro.html

Uninstall Previous IQService

Single Box install with Fallback Implementation

Assumptions
  • Installing TLS port only: 5060
  • UpdateService Port: 5062
  • User authenticating against IQService: abc\sailpoint
  • Software downloaded and extracted: C:\SailPoint\IQService\
  • Domain: abc.local
  • Certificates already configured and working for TLS (Check this post to do self sign cert for home labs)
  • Firewall is open for TLS port. You don’t have to open for 5062 as no remote IQService is connecting to it in this configuration. 
Check Status of Services
Check Status of UpdateService

IQService UpdateService

Multiple Box Install with Client Side Load Balancer

Assumptions
  • Installing TLS port only: 5060
  • UpdateService Port: 5062
  • User authenticating against IQService: abc\sailpoint
  • Software downloaded and extracted: C:\SailPoint\IQService\
  • Domain: abc.local
  • Certificates already configured and working for TLS (Check this post to do self sign cert for home labs)
  • Firewall is open for ports 5060 TLS on both servers and on primary server for UpdateService 5062 to accept incoming requests from other IQService boxes for update check.
  • Installing on two boxes: iqservice1.abc.local (considered primary) ; iqservice2.abc.local (considered secondary)
  • Box boxes can talk to each other for UpdateService
iqservice1.abc.local (installing UpdateService here)
iqservice2.abc.local (Going to connect to above UpdateService Instance)

That is it!!! you should have an IQService which can update itself and keep the environment updated with latest features and bug fixes.

 


12 Comments

Tom Bui · 07/19/2022 at 2:33 AM

Probably want to talk about the UpdateServices.exe -h

UpdateService [-p ] [-c] [-t] [-l ] [-f ] [-u ] [-q ]
-? | h This help output
-t Restart (stop/start) the service

Following Parameters: (require a restart of the UpdateService)

-l Trace Level 0-3 0=off 1=error 2=info 3=debug
-f Trace File Name
-p Update the port
-u Enable or disable TLS
-q Connection read timeout for the UpdateService

Also, any way to force an update by chance?

What’s the difference between tcp vs tcps? I am assuming the secure.
What’s the default port that the UpdateService actually tries to install on?
Typically, customers will need to open firewalls and application-id to the IQService Host for the update to be successful.

    Piyush Khandelwal · 07/19/2022 at 1:36 PM

    Hey Tom

    Thanks for the update.. Yes those commands are helpful and in documentation. There is no way to force update as it will be a push from connector afaik. You can always do a manual update like previously. Yeah TCP/TCPS is also just secure ports thing. In my testing the default port picked up by UpdateService is the next available one (so if installing on 5050 then it tries to take 5051 in a load balancer config or 5052 in a fallback config since 5051 is taken by the secondary service).. Did mention about firewall that for update we need VA -> PrimaryIQS and Secondary IQS<->Primary for updates..

    Cheers

Rodrigo · 04/27/2023 at 5:28 AM

Hello, we are implementing balanced IQService with F5, but it gives us a Connection reset error, it is enabled with TCP port 5050 and a self-signed domain certificate. Any idea what it could be?

    Piyush Khandelwal · 04/27/2023 at 7:10 AM

    Hi @Rodrigo

    Could be multiple things and I would recommend a support ticket to resolve the issue. Few things I would try it to connect without F5 and see if it works (to see LB issue), connect without SSL port and see if that works (SSL Cert Issue). Self signed definitely works as I have shown in another article of mine

    Recommend raising a support ticket.

    Thanks

    Ashish · 10/15/2023 at 1:04 AM

    Hi Rodrigo,

    We too are facing same issue. Any solution can you advice which worked for you?

Tom Bui · 04/27/2023 at 9:09 AM

Your load balancer is doing health check and it is causing the time out error. You can increase the health check time out or developer other mechanisms to check for up time.

Ashish · 09/21/2023 at 11:24 PM

Hi,
We have two IQService behind LB say.
IQService 1: A
IQService 2: B
LB host: Z

We installed IQService on IQService 1 using
IQService.exe -b -z tcps://A:port
– It got installed

then installed on IQService 2 using
IQService.exe -b -z tcps://A:port – it didn’t work.
IQService.exe -b -z tcps://Z:port – it worked.

We did test by switching to both servers (turning off/on) for both, provisioned user and everything worked fine.

But when we do a test connection by just turning on IQService 2, test connection works fine, but we get below logs in ccg.log

RpcServer [ Thread-8 ] ERROR : “Error while upgrade check: No connection could be made because the target machine actively refused it :”
RpcServer [ Thread-8 ] ERROR : “Error occurred while checking the availaility of newer version :: No connection could be made because the target machine actively refused it :”

    Piyush Khandelwal · 09/25/2023 at 8:40 PM

    Hi Ashish

    Best will be to raise a support ticket to see what is going on. Might have to see firewall between the two boxes or something else.

      Ashish · 10/15/2023 at 1:11 AM

      Yeah, thanks!
      Port was not opened.

      Another issue we are now facing in prod wherein we are getting connection reset error on TLS enabled. Before the upgrade it was working. Without TLS it works

Tony · 10/07/2023 at 1:48 AM

Has anyone seen the newest version of the IQService (with update service installed) cause CPU usage to gradually increase until it consumes the entire server CPU? We recently upgraded our IQService version to the newest 2023 version and had to rollback because it was eventually crashing the server.

    Piyush Khandelwal · 10/07/2023 at 7:23 AM

    @Tony I have not seen this happen on my box. Definitely raise a support ticket for it.

Tom Bui · 10/07/2023 at 10:18 AM

I looked back and have not noticed high CPU utilization but it would depends on a number of factors. How many sources leveraging that IQService. Are you utilizing powershell scripts?

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.