So this snuck in without much fanfare, but I had been waiting for this feature (and just in time, as a client had just asked about it).
IDN is a great SaaS platform that requires very few on-prem deployments. The VA (Virtual Appliance) is obviously the key one, but its security and patching are managed by SailPoint itself.
IQService is another must-have tool for most clients, as it is needed for AD provisioning (among a few other things it does for other connectors), so it is generally deployed in nearly every client instance. The main drawback was that it did not auto-update, so the client had to download the latest version and perform the update themselves. Although that is not often (maybe twice a year), it is still good to have software that can patch itself to the latest version. Of course this is optional: anyone who does not want it can choose not to install the feature, but we highly recommend it.
You DON’T need to give the IQService boxes internet access to download the latest updates. The latest IQService binaries are pushed to the VA and are present there, via the existing process of update bundles being pushed from the cloud to the VA. At the connector level, the IQService version is checked and, if there is a mismatch (a new version is available), the latest version is pushed from the VA to the UpdateService (they already have line of sight to each other). The UpdateService then coordinates the update of the local and then the remote services. It is quite a simple process in which the respective services are stopped and the binaries replaced.
This article assumes you know what IQService is and where to deploy it. I will quickly give the commands to install the latest release, showing various setups and the quick commands to run to update them.
NOTE: You must have a Provisioning license to use IQService. Talk to your CSM about it and make sure you are licensed to use it.
Documentation: https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/intro.html
Uninstall Previous IQService
```
IQService.exe -v        // keep a copy for backup
IQService.exe -a list   // keep a copy of registered users for backup
IQService.exe -u        // uninstall the service
// Keep a copy of the existing IQService logs and delete the files in the folder
// Download the latest IQService files into the folder
```
Single Box install with Fallback Implementation
Assumptions
- Installing TLS port only: 5060
- UpdateService Port: 5062
- User authenticating against IQService: abc\sailpoint
- Software downloaded and extracted: C:\SailPoint\IQService\
- Domain: abc.local
- Certificates already configured and working for TLS (check this post on creating a self-signed cert for home labs)
- Firewall is open for the TLS port. You don’t have to open 5062, as no remote IQService connects to it in this configuration.
```
IQService.exe -i -o 5060                  // install with TLS port 5060
IQService.exe -a abc\sailpoint            // register user with service
IQService.exe -z "tcp://localhost:5062"   // enable UpdateService for TCP on port 5062
IQService.exe -z "tcps://localhost:5062"  // enable UpdateService for TCPS on port 5062
IQService.exe -t                          // restart service
```
Check Status of Services
```
C:\SailPoint\IQService>IQService.exe -v
ServiceName               : IQService-Instance1
Display Name              : SailPoint IQService-Instance1
Configured TLS Port       : 5060
Connection Read Timeout   : 15
Update Interval           : 30
Build version             : IQService-Jun-2022
Build timestamp           : 06/15/2022 12:38 AM -0500
Build location            : master
Build builder             : jenkins
Build Number              : 250
Executable                : C:\SailPoint\IQService\IQService.exe
File Size                 : 68416
File Date                 : 11/07/2022 4:44:53 PM
Trace Level               : 1 [ error ]
Secondary Service         : IQService-Instance1-Secondary
Secondary Service TLS Port: 5061
Secondary Service Status  : RUNNING
UpdateService Host        : dc1.abc.local
UpdateService Port        : 5062
UpdateService Name        : IQService-Instance1-UpdateService
UpdateService Status      : RUNNING
UpdateService Version     : UpgradeService-Jun-2022
```
Check Status of UpdateService
```
C:\SailPoint\IQService\UpdateService>UpdateService.exe -v
ServiceName            : IQService-Instance1-UpdateService
Display Name           : Sailpoint IQService-Instance1-UpdateService
Primary Service        : IQService-Instance1
Configured Port        : 5062
Build version          : UpgradeService-Jun-2022
Build timestamp        : master
Build location         : jenkins
Build Number           : 250
Executable             : C:\SailPoint\IQService\UpdateService\UpdateService.exe
File Size              : 59200
File Date              : 11/07/2022 4:44:54 PM
TLS Enabled            : True
Trace Level            : 1 [ error ]
Connection Read Timeout: 15
```
Multiple Box Install with Client Side Load Balancer
Assumptions
- Installing TLS port only: 5060
- UpdateService Port: 5062
- User authenticating against IQService: abc\sailpoint
- Software downloaded and extracted: C:\SailPoint\IQService\
- Domain: abc.local
- Certificates already configured and working for TLS (check this post on creating a self-signed cert for home labs)
- Firewall is open for TLS port 5060 on both servers, and on the primary server for UpdateService port 5062, to accept incoming requests from the other IQService boxes for update checks.
- Installing on two boxes: iqservice1.abc.local (considered primary); iqservice2.abc.local (considered secondary)
- Both boxes can talk to each other for UpdateService
iqservice1.abc.local (installing UpdateService here)
```
IQService.exe -i -b -o 5060               // install with TLS port 5060 and without fallback implementation (secondary service)
IQService.exe -a abc\sailpoint            // register user with service
IQService.exe -z "tcp://localhost:5062"   // enable UpdateService for TCP on port 5062
IQService.exe -z "tcps://localhost:5062"  // enable UpdateService for TCPS on port 5062
IQService.exe -t                          // restart service
```
iqservice2.abc.local (Going to connect to above UpdateService Instance)
```
IQService.exe -i -b -o 5060                           // install with TLS port 5060 and without fallback implementation (secondary service)
IQService.exe -a abc\sailpoint                        // register user with service
IQService.exe -z "tcp://iqservice1.abc.local:5062"    // point at the UpdateService on iqservice1 for TCP on port 5062
IQService.exe -z "tcps://iqservice1.abc.local:5062"   // point at the UpdateService on iqservice1 for TCPS on port 5062
IQService.exe -t                                      // restart service
```
That is it! You should now have an IQService that can update itself and keep the environment current with the latest features and bug fixes.
12 Comments
Tom Bui · 07/19/2022 at 2:33 AM
Probably want to talk about the UpdateServices.exe -h
```
UpdateService [-p ] [-c] [-t] [-l ] [-f ] [-u ] [-q ]
-? | h   This help output
-t       Restart (stop/start) the service
Following Parameters: (require a restart of the UpdateService)
-l       Trace Level 0-3 0=off 1=error 2=info 3=debug
-f       Trace File Name
-p       Update the port
-u       Enable or disable TLS
-q       Connection read timeout for the UpdateService
```
Also, any way to force an update by chance?
What’s the difference between tcp vs tcps? I am assuming the secure.
What’s the default port that the UpdateService actually tries to install on?
Typically, customers will need to open firewalls and application-id to the IQService Host for the update to be successful.
Piyush Khandelwal · 07/19/2022 at 1:36 PM
Hey Tom
Thanks for the update.. Yes those commands are helpful and in documentation. There is no way to force update as it will be a push from connector afaik. You can always do a manual update like previously. Yeah TCP/TCPS is also just secure ports thing. In my testing the default port picked up by UpdateService is the next available one (so if installing on 5050 then it tries to take 5051 in a load balancer config or 5052 in a fallback config since 5051 is taken by the secondary service).. Did mention about firewall that for update we need VA -> PrimaryIQS and Secondary IQS<->Primary for updates..
Cheers
Rodrigo · 04/27/2023 at 5:28 AM
Hello, we are implementing balanced IQService with F5, but it gives us a Connection reset error, it is enabled with TCP port 5050 and a self-signed domain certificate. Any idea what it could be?
Piyush Khandelwal · 04/27/2023 at 7:10 AM
Hi @Rodrigo
Could be multiple things and I would recommend a support ticket to resolve the issue. A few things I would try: connect without F5 and see if it works (to rule out an LB issue), connect without the SSL port and see if that works (SSL cert issue). Self-signed definitely works, as I have shown in another article of mine.
Recommend raising a support ticket.
Thanks
Ashish · 10/15/2023 at 1:04 AM
Hi Rodrigo,
We too are facing the same issue. Can you advise of any solution which worked for you?
Tom Bui · 04/27/2023 at 9:09 AM
Your load balancer is doing a health check and it is causing the timeout error. You can increase the health check timeout or develop other mechanisms to check for uptime.
Ashish · 09/21/2023 at 11:24 PM
Hi,
We have two IQService behind LB say.
IQService 1: A
IQService 2: B
LB host: Z
We installed IQService on IQService 1 using
IQService.exe -b -z tcps://A:port
– It got installed
then installed on IQService 2 using
IQService.exe -b -z tcps://A:port – it didn’t work.
IQService.exe -b -z tcps://Z:port – it worked.
We did test by switching to both servers (turning off/on) for both, provisioned user and everything worked fine.
But when we do a test connection by just turning on IQService 2, test connection works fine, but we get below logs in ccg.log
RpcServer [ Thread-8 ] ERROR : “Error while upgrade check: No connection could be made because the target machine actively refused it :”
RpcServer [ Thread-8 ] ERROR : “Error occurred while checking the availaility of newer version :: No connection could be made because the target machine actively refused it :”
Piyush Khandelwal · 09/25/2023 at 8:40 PM
Hi Ashish
Best will be to raise a support ticket to see what is going on. Might have to see firewall between the two boxes or something else.
Ashish · 10/15/2023 at 1:11 AM
Yeah, thanks!
Port was not opened.
Another issue we are now facing in prod wherein we are getting connection reset error on TLS enabled. Before the upgrade it was working. Without TLS it works
Tony · 10/07/2023 at 1:48 AM
Has anyone seen the newest version of the IQService (with update service installed) cause CPU usage to gradually increase until it consumes the entire server CPU? We recently upgraded our IQService version to the newest 2023 version and had to rollback because it was eventually crashing the server.
Piyush Khandelwal · 10/07/2023 at 7:23 AM
@Tony I have not seen this happen on my box. Definitely raise a support ticket for it.
Tom Bui · 10/07/2023 at 10:18 AM
I looked back and have not noticed high CPU utilization but it would depends on a number of factors. How many sources leveraging that IQService. Are you utilizing powershell scripts?