Configuring TLS and Client Authentication for IQService

• The IQService host's X.509 certificate with Extended Key Usage (EKU) used as Server Authentication must be available in the Personal Certificate Store of the host. The subject of the certificate should match the FQDN of the IQService host. An example subject is iqservice.test.com.

• The matching private key must be present in the host's RSA key directory.

• If the IQService host's X.509 certificate is not available, create a CSR (Certificate Signing Request) from the IQService host.

• Submit the CSR to a trusted (internal or third party) certificate authority (CA) for signing. Ensure that the CA is on trusted root CA in the host.

• The configuration of Client Authentication is mandatory when TLS communication is enabled for IQService.

• To configure client authentication when the IQService host is added to any domain, you need to have a domain user whose credentials can be used to authenticate a connection between Identity Security Cloud and IQService.

• If the IQService host is not added to any domain, the Windows local user from the IQService host can be used authenticate a connection between Identity Security Cloud and IQService instead of the domain user.

Note
No specific additional user permissions are required.

• The X.509 certificate is located in the Local Computer's Personal certificate store.

• A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate.

  For example, as displayed in the following screenshot, you can confirm if the certificate has a private key. A certificate with a private key (on the right, highlighted in green) has a different icon than a certificate without one (highlighted in red).

  

• The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier.

• The IQService host's fully qualified domain name (FQDN) must be in the common name (CN) in the Subject field in the X.509 certificate, and it must be a DNS entry in the Subject Alternative Name extension in the X.509 certificate.

  An example of IQService's FQDN is iqservice.test.com. Refer to the following examples:

  1. Common Name (CN) in the Subject field in X.509 certificate

     

  2. DNS entry in the Subject Alternative Name extension in the X.509 certificate

     

• The X.509 certificate must be trusted by the IQService host. Trust is established by configuring the IQService host to trust the root CA to which the issuing CA chains. Refer to the following examples:

  • X.509 certificate (Non trusted)

    

  • X.509 certificate (Trusted)

    

The virtual appliance (VA) must trust the IQService X.509 certificate. Trust is established by configuring the VA to trust the root CA to which the issuing CA chains. To establish trust between the VA and the root CA:

1. Add the root CA cert in the /home/sailpoint/certificates directory of the VA.

2. Restart the CCG service.

Resolution:

• Ensure that the certificate is placed at correct path in VA: /home/sailpoint/certificates

• This error message might come if IQService is an older version or a non-TLS port is provided. Ensure your IQService is upgraded to latest IQService and TLS port is provided.

Resolution:

• Ensure that the certificate is properly placed in VA: /home/sailpoint/certificates.

• Check communication between IQService host and VA.

• Ensure that the DNS settings are correct. Alternatively add the appropriate mapping entry for IQService host in hosts.yaml file in the /home/sailpoint directory.

  Note
  For information on creating a hosts.yaml file, refer to Configuring a Hosts.yaml File.

Resolution: Verify the following:

• This could be because IQService TLS is disabled and you have provided TLS port. Ensure that the Use TLS for IQService checkbox is selected.

• This could be because the hostname of the IQService server does not match the FQDN of the TLS certificate. Verify that the hostname matches the FQDN or the SubjectAlternateName DN is the same as the FQDN of the TLS certificate. If they are not the same, use the following commands to specify the certificate FQDN for IQService and then restart IQService:

  iqservice.exe -m hostname.example.com

  iqservice.exe -t

Resolution – Ensure your IQService service is running.

Resolution – This could be because the IQService version is older. Ensure your IQService service is upgraded to latest version. Deselect the Use TLS for IQService checkbox for non-TLS communication.

Resolution – If you want to use the IQService TLS functionality, use the latest CCG version and IQService version. If you are not using the latest CCG version and IQService version, ensure that the Use TLS for IQService checkbox is unchecked on source configuration.

Resolution – If you want to use the IQService TLS functionality, ensure that latest CCG version and IQService is deployed. If you are not using the latest CCG version and IQService version, ensure that the Use TLS for IQService checkbox is unchecked on source configuration.

Resolution:

• Ensure that you have registered and configured the IQService user and password on IQService host using the following command:

  IQService -a username

• Ensure that you have provided the correct IQService user or password. Use the latest CCG version and IQService version.

Resolution – Check if the is checked. the IQService user's password could be expired. To resolve the issue, change the password for IQService user.

Resolution – Password could be expired for IQService user. To resolve the issue, change the password for IQService user.

Resolution – Ensure that the IQService user is not locked.

Resolution: Ensure that the IQService user is not locked.

Resolution – The reason could be IQService user has enabled logon hours and you are trying to perform an operation outside of their defined logon hours. Ensure that logon hours are correctly configured.

Resolution – This is the error that displays if you are trying to perform client authentication with an old CCG version but the latest IQService version. You need to remove the user details from IQService using the command: IQService -x username. Also remove IQService user and password from source config.