IQService Commands

In addition to -i (install the service) and -s (start the service), IQService accepts the following command line options:

Command Line Options / Description

-b
    Skips the installation of secondary IQService. Recommended for IQService instances installed in a load-balanced deployment.

-d
    Run in console mode.

-i
    Install a service.

-k
    Stop the service.

-m
    Selects the best certificate for TLS communication (when there are several) from the personal certificate store of the IQService host.

    To pick the certificate with a matching subject name:
        IQService.exe -m DNS:<Subject Name of the Certificate>

    To pick the certificate with a matching serial number:
        IQService.exe -m SN:<Certificate Serial Number>

    To pick the certificate with a matching subject name and serial number:
        IQService.exe -m DNS:<Subject Name of the Certificate> -m SN:<Certificate Serial Number>

-p
    Update the port (requires restart).

-r
    Remove the service.

-u
    Uninstall the service. Removes the service components and clears the registry entries.

-s
    Start the service.

-t
    Restart (stop/start) the service.

-v
    Print version information.

-l <level>
    Trace level 0-3: 0=off, 1=error, 2=info, 3=debug.

-f <filename>
    Trace file name. Defaults to the system32 directory. Enter the full path with filename to log to a different path.

    For example: iqservice -l 3 -f "C:\Sailpoint\IQService\iqtrace.log"

-a {<Domain User/s> | list}
    Registers a domain user for Client Authentication. Pass the domain user name in msDS-PrincipalName (domain\user) format. Multiple users can be registered in a single command by separating them with a semicolon ( ; ). This command appends the users to the list of already registered users, if one exists.

    For example: -a "Acme\John.Smith; Acme\Joe.Phillips"

    Ensure that the exact same user name is configured on the source for this feature to work.

    To list the already registered users, run the command with the "list" parameter.

    For example: -a list

-x {<Domain User/s> | list}
    De-registers a user from the Client Authentication users list. Pass the domain user name in msDS-PrincipalName (domain\user) format. Multiple users can be de-registered in a single command by separating them with a semicolon ( ; ).

    For example: -x "Acme\John.Smith; Acme\Joe.Phillips"

    To list the already registered users, run the command with the "list" parameter.

    For example: -x list

-o <port number>
    TLS port for communication between IQService and SailPoint. This port accepts communication over TLS only.

-j <TLS Version>
    Enforce a specific TLS version for communication between IQService and SailPoint. Supported values are TLS1.2, TLS1.1 and TLS1.0. The default is TLS1.2.

-m <Subject CN>
    "Issued To" (CN of Subject) of the X.509 certificate used for communication between IQService and SailPoint. This overrides the default lookup text that IQService uses to search for the X.509 certificate on the machine. By default, IQService looks for the X.509 certificate issued to the FQDN of the current machine. For example: example.com

-y <Interval in minutes>
    IQService update availability check interval.

-z tcp(s)://<hostname>:<port>
    Configures the UpdateService details that IQService communicates with.

-z enableClientAuth
    Enables certificate-based client authentication between UpdateService and IQService. Configuring this requires an X.509 certificate with the Client Authentication EKU to be present in the personal certificate store of the IQService machine.

-z disableClientAuth
    Disables certificate-based client authentication. With this configuration, IQService does not present a client certificate during the TLS handshake when communicating with UpdateService.

    Warning: If UpdateService is configured to communicate with only trusted clients, this configuration will break the communication channel.

-? | -h
    Prints help output.

-w
    Whitelist the IP or FQDN of additional client host(s) configured for an instance. Multiple client hosts can be configured by separating them with a semicolon ( ; ). For example: IQService.exe -w 10.10.20.30;LB.domain.com

    To whitelist IPs and FQDNs, run the command with the IP/FQDN. For example: IQService.exe -w {<IP/FQDN>}

    To list the whitelisted IPs and FQDNs, run the command with the list parameter. For example: IQService.exe -w list

    To delete the whitelisted IPs and FQDNs, run the command with the delete parameter. For example: IQService.exe -w delete
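As an added example (not SailPoint's code), a PowerShell pre-flight check for the -m and -z enableClientAuth options: it lists the certificates in the machine personal store that IQService would match by subject name (and optionally serial number) and reports whether each one has a private key, the Client Authentication EKU, a current validity period and a trusted chain, together with the -m argument to pass. It assumes IQService reads Cert:\LocalMachine\My; the function name and its output fields are the example's own.

```powershell
# Added example, not SailPoint's code: check the certificate IQService would select
# with "-m DNS:<subject>" (optionally "-m SN:<serial>") before running
# "-z enableClientAuth". Assumes the machine personal store, Cert:\LocalMachine\My.
function Test-IQServiceClientCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubjectName,  # value for -m DNS: (host FQDN by default)
        [string] $SerialNumber                          # optional value for -m SN:
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'               # id-kp-clientAuth
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    # Match the CN exactly, not as a substring of a longer subject component.
    $cnPattern = '(^|, )CN=' + [regex]::Escape($SubjectName) + '(,|$)'

    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $cnPattern }
    if ($SerialNumber) {
        # X509Certificate2.SerialNumber is uppercase hex with no separators.
        $sn = ($SerialNumber -replace '[\s:]', '').ToUpperInvariant()
        $candidates = $candidates | Where-Object { $_.SerialNumber -eq $sn }
    }

    foreach ($cert in $candidates) {
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $hasClientAuth = $false
        if ($eku) {
            $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        $now = Get-Date
        $mArgument = "-m DNS:$SubjectName"
        if ($SerialNumber) { $mArgument += " -m SN:$($cert.SerialNumber)" }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            SerialNumber  = $cert.SerialNumber
            HasPrivateKey = $cert.HasPrivateKey       # needed to complete the TLS handshake
            ClientAuthEku = $hasClientAuth            # required by -z enableClientAuth
            InValidity    = ($now -ge $cert.NotBefore) -and ($now -lt $cert.NotAfter)
            ChainTrusted  = $cert.Verify()            # builds and validates the chain
            MArgument     = $mArgument                # what to pass to IQService.exe
        }
    }
}

# Usage: only enable client auth when at least one certificate passes every check.
# Test-IQServiceClientCert -SubjectName 'iqservice01.acme.example' |
#     Where-Object { $_.HasPrivateKey -and $_.ClientAuthEku -and $_.InValidity -and $_.ChainTrusted }
```

Run it on the IQService host before enabling client authentication; if no row passes every check, UpdateService will reject the handshake once it is restricted to trusted clients.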

tlsVersion Configuration

The Identity Security Cloud IQService supports a new tlsVersion configuration, 'default'. To enable it, run IQService.exe -j default.

With this configuration, the operating system selects the best available protocol. It requires that SystemDefaultTlsVersions is enabled on the IQService machine; if it is not, IQService falls back to the highest common supported version from the predefined list of TLS versions.