TLS Configuration Between VA and IQService
The following are prerequisites for TLS communication between the VA and IQService:
- .NET Framework 4.5.x or later is required on the IQService host.
- The Subject (CN) and the Subject Alternative Name (DNS entry) of the certificate must match the fully qualified domain name of the IQService host.
- The certificate must have a private key.
- The certificate must carry the Enhanced Key Usage (EKU) values Server Authentication and Client Authentication.
- The certificate must be present in the Personal certificate store of the local computer.
- If the certificate is not trusted (for example, a self-signed certificate), the same certificate must also be copied into the Trusted Root Certification Authorities store.
- Client Authentication must be configured when TLS communication is enabled for IQService; the connection is mutually authenticated, so the VA presents a certificate as well.
- On the Identity Security Cloud side of the connection, the same certificate must be imported into the keystore with the following command:
  keytool -import -alias fabrikam -keystore myCaCerts.jks -file c:\temp\fabrikam.cer
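The following PowerShell script checks a candidate server certificate on the IQService host against the prerequisites above and exports its public part for the keytool import. It is an added example, not SailPoint's code. The lookup of the certificate by the host FQDN in the Local Computer Personal store, the export path C:\temp\iqservice.cer, and the .NET Framework registry check are assumptions of the example, not statements from the page; run it from an elevated PowerShell prompt.

```powershell
# Added example, not SailPoint's code: verify an IQService server certificate against the
# TLS prerequisites. Assumptions: the certificate is found by host FQDN in Cert:\LocalMachine\My,
# and its public part is written to $ExportPath for the keytool -file import.
$Fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ExportPath = 'C:\temp\iqservice.cer'
$problems   = @()

# .NET Framework 4.5 or later: the Release value of the v4 Full key is 378389 for 4.5.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 378389) { $problems += '.NET Framework 4.5 or later is not installed' }

# Personal store of the local computer, private key present, Subject CN equal to the FQDN.
# Certificates from the Cert: provider expose DnsNameList (SAN DNS entries) and EnhancedKeyUsageList.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($Fqdn))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key and CN=$Fqdn in Cert:\LocalMachine\My" }

# Subject Alternative Name must also contain the FQDN.
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($sanNames -notcontains $Fqdn) { $problems += "SAN lacks $Fqdn (found: $($sanNames -join ', '))" }

# EKU must include both Server Authentication and Client Authentication.
$ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$required = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
foreach ($eku in $required.GetEnumerator()) {
    if ($ekuOids -notcontains $eku.Key) { $problems += "EKU lacks $($eku.Value) ($($eku.Key))" }
}

# The certificate must still be valid.
if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }

# A certificate that does not chain to a trusted root must itself be in the Trusted Root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $inRoot) { $problems += 'Certificate is not trusted and is not in Cert:\LocalMachine\Root' }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Certificate $($cert.Thumbprint) does not meet the IQService TLS prerequisites"
}

# Export the public certificate only (DER, no private key) for the keytool import.
New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null
[System.IO.File]::WriteAllBytes($ExportPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Write-Output "OK: $($cert.Subject) ($($cert.Thumbprint)) meets the prerequisites; public certificate written to $ExportPath"
```

The exported file is what the keytool command above takes as its -file argument; only the public certificate leaves the IQService host, the private key stays in the Personal store.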
To enable TLS communication between the VA and IQService, complete the following:
- Download the Integration Service from the IQService Settings page on your Active Directory source.
  Note: Alternatively, you can download the software directly from https://s3.amazonaws.com/files.accessiq.sailpoint.com/integrations/iqservice/IQService.zip
- Unzip the downloaded IQService.zip archive into the desired location, for example:
  C:\SailPoint\IQService\
- Use the following command to install IQService so that it communicates with Identity Security Cloud only through the TLS port:
  IQService.exe -i -o <TLS port number>
  This command installs IQService as a Windows service named IQService-Instance1, listening on the given TLS port.
- On the Active Directory source, go to IQService Settings and select the Enable Transport Layer Security (TLS) checkbox.
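The following PowerShell script carries out the installation steps above and then verifies the result before the TLS checkbox is enabled on the source: it confirms that the IQService-Instance1 service is running and listening on the TLS port, and that a TLS 1.2 handshake against that port completes with the expected server certificate and with client authentication. It is an added example, not SailPoint's code. The archive path, install folder, port number 5051, the certificate lookup by host FQDN, and the use of the same certificate as the client certificate for the test are assumptions of the example; the handshake check exercises only the TLS layer, not IQService's own protocol, and assumes IQService selects the same certificate that the script finds. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not SailPoint's code: install IQService on its TLS port, then confirm the
# service listens and completes a mutually authenticated TLS 1.2 handshake.
# Assumptions: $Zip, $InstallDir and $TlsPort values; certificate found by host FQDN in
# Cert:\LocalMachine\My; IQService presents that same certificate on the TLS port.
$Zip         = 'C:\temp\IQService.zip'
$InstallDir  = 'C:\SailPoint\IQService'
$TlsPort     = 5051
$Fqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServiceName = 'IQService-Instance1'   # name assigned by IQService.exe -i

Expand-Archive -Path $Zip -DestinationPath $InstallDir -Force
& (Join-Path $InstallDir 'IQService.exe') -i -o $TlsPort

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name $ServiceName }

# Something must be bound to the TLS port before the handshake test is meaningful.
$listener = Get-NetTCPConnection -LocalPort $TlsPort -State Listen -ErrorAction SilentlyContinue
if (-not $listener) { throw "Nothing is listening on TCP port $TlsPort" }

function Test-IQServiceTls {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        if ($ClientCert) { [void]$clientCerts.Add($ClientCert) }
        # Accept any server certificate during the handshake; the caller compares the thumbprint.
        $validate = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
        $ssl.AuthenticateAsClient($HostName, $clientCerts, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol              = $ssl.SslProtocol
            ServerThumbprint      = $remote.Thumbprint
            MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated
        }
    } finally { $tcp.Close() }
}

# The server certificate carries the Client Authentication EKU (a prerequisite), so it can
# double as the client certificate for this transport-level test.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($Fqdn))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key and CN=$Fqdn in Cert:\LocalMachine\My" }

$result = Test-IQServiceTls -HostName $Fqdn -Port $TlsPort -ClientCert $cert
if ($result.ServerThumbprint -ne $cert.Thumbprint) {
    throw "IQService presented $($result.ServerThumbprint), expected $($cert.Thumbprint)"
}
if (-not $result.MutuallyAuthenticated) { throw 'Handshake completed without client authentication' }
Write-Output "OK: $ServiceName listening on $TlsPort, $($result.Protocol), server cert $($result.ServerThumbprint), mutual auth"
```

If the handshake fails with an authentication error, check the certificate prerequisites first (EKU, private key, store location); if it succeeds but MutuallyAuthenticated is false, IQService is not requesting a client certificate, and the VA-side client authentication described above will not take effect.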