Frequently Asked Questions
This Frequently Asked Questions (FAQs) section provides answers to the most commonly asked questions for IQService and its associated services.
IQService - Auto Update

Auto-update means that the service updates automatically and does not require any manual intervention to upgrade to the new IQService version. It is like any other connector-bundle release on your VA.

Internet access is not required for IQService auto update as long as your VA is getting other bundles updated in your environment. Updates are downloaded at your VA and then the required updates are applied to all the IQService hosts using the UpdateService.

Auto update should already be enabled on your IQService instance. Other than that, you only need to ensure that IQService and the UpdateService are healthy and running. If auto update is not enabled on your system, refer to Updating IQService for configuration instructions.

Yes, enabling auto updates is safe and recommended by SailPoint. The auto updates ensure that your environment is always up to date with fixes and security patches.

There are no required post update verification steps. If you want, you can check the UpdateService logs to confirm that you have the latest version and to verify the current update status. For more information on setting the trace log level, refer to Updating IQService.

SailPoint does not recommend that you manually update IQService. If you are still using the manual process, IQService releases are announced on the SaaS Release Notes page.

The auto update process includes an auto rollback process. A backup of the existing IQService version is made before starting the auto-update process, and if something goes wrong during the update, the backup is used to restore and restart the required services so that functionality is restored.
If you run into a case where the update is successful and some functionality is not working, reach out to your SailPoint Customer Success Manager (CSM).

The process is quick and can last anywhere from a few milliseconds to 30 seconds.

The auto-update process waits until there are no ongoing IQService transactions before starting the update. If there is an ongoing process the UpdateService will retry the update until there is a break in the transactions.

Refer to the Load Balancer Deployment column in the table on Updating IQService.

In deployments using a load balancer, the UpdateService is shared amongst multiple IQService hosts. To ensure there is no downtime, the IQService hosts are updated one at a time so that there is always an IQService instance available to process requests.
For more information on configuring the UpdateService in an environment with a load balancer, refer to the Load Balancer Deployment column in the table on Updating IQService.

You do not need to go through the entire IQService installation to configure TLS. Run the following command on the UpdateService and on the remote IQService server:
IQService.exe -z "tcps://<FQDN>:<Port>"

If you have configured TLS and the UpdateService is running after installation, then that's it. You can run the IQService -v command to list the current statuses for all the services, including the UpdateService. If the UpdateService is running, then your environment is good to go.

IQService can be behind the load balancer as required for redundancy or load sharing.
Note
SailPoint does not certify any specific load balancer. Work with your networking / IT team to resolve any configuration issue.
To configure IQService with a load balancer, perform the following:
- For TLS communication, perform the following:
  - Create a certificate on the load balancer.
  - For IQService hosts, export the certificate with the private key and copy the certificates to the personal and trusted folders.
  - Import the certificate into the keystore and restart the web server.
  - Configure IQService with the -m command (-m <x509 FQDNNameOfLoadBalancer>) as follows:
    iqservice.exe -m "FQDNNameOFLoadBalancer"
  - Restart the IQService.
- For an unknown hosts error, provide the DNS mapping of the load balancer in the IdentityIQ hosts files in the following format:
  IPAddress FQDN
  172.18.40.23 FQDNofLoadBalancer
  File locations:
  - (For Windows) C:\Windows\System32\drivers\etc\hosts
  - (For Linux) /etc/hosts
- For key exchange, the key exchange task request is triggered for one of the IQService hosts. Then copy the keys to the other IQService machines.
- To avoid the load balancer creating unnecessary logging in IQService, set the IQService log level to 0.
- In case of any failover, the load balancer mechanism redirects requests to the appropriate running IQService hosts.
- The TLS and non-TLS ports of IQService must be allowed through the firewall for incoming and outgoing requests through the load balancer.
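After the load balancer procedure above, a practitioner usually wants to confirm two things from an IdentityIQ or IQService host: that the load balancer FQDN resolves (the "unknown hosts" case the hosts-file entry fixes) and that a TLS handshake through the load balancer succeeds with a certificate this host trusts and that matches the FQDN used with -m. The following script is an added example, not SailPoint's or IQService's own tooling; it assumes Windows PowerShell 5.1 or later, and the FQDN and port values are placeholders to be replaced with the load balancer FQDN and the tcps port from your configuration.

```powershell
# Added example (not SailPoint's or IQService's own tooling): post-configuration check of the
# TLS endpoint exposed through the load balancer. Assumes Windows PowerShell 5.1+ on an
# IdentityIQ or IQService host. Both parameter defaults are placeholders.
param(
    [string]$LoadBalancerFqdn = 'FQDNofLoadBalancer',   # placeholder: the FQDN configured with -m
    [int]$TlsPort = 5051                                # placeholder: the <Port> of the tcps:// listener
)

function Test-IQServiceTlsEndpoint {
    param([string]$Fqdn, [int]$Port)
    $result = [ordered]@{ Fqdn = $Fqdn; Port = $Port; Resolved = $null; Handshake = 'not attempted' }

    # Step 1: name resolution. A failure here is the "unknown hosts" case that the
    # hosts-file mapping (IPAddress FQDN) is meant to fix.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn)
        $result.Resolved = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $result.Resolved = "FAILED: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 2: TLS handshake with the default certificate validation of this host.
    # It fails when the load balancer certificate does not chain to a trusted root
    # on this machine or does not match the FQDN, which is exactly what we want to catch.
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Handshake      = 'OK'
        $result.Protocol       = $ssl.SslProtocol
        $result.Cipher         = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit, $($ssl.HashAlgorithm), $($ssl.KeyExchangeAlgorithm)"
        $result.CertSubject    = $cert.Subject
        $result.CertIssuer     = $cert.Issuer
        $result.CertThumbprint = $cert.Thumbprint
        $result.DaysToExpiry   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    } catch {
        # .NET exceptions arrive wrapped; inspect the inner exception to tell a
        # certificate rejection apart from a plain connection failure.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $kind = if ($ex -is [System.Security.Authentication.AuthenticationException]) { 'CERTIFICATE REJECTED' } else { 'FAILED' }
        $result.Handshake = "${kind}: $($ex.Message)"
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    return [pscustomobject]$result
}

Test-IQServiceTlsEndpoint -Fqdn $LoadBalancerFqdn -Port $TlsPort | Format-List
```

Run it from each IdentityIQ host after the hosts-file and certificate steps. A "CERTIFICATE REJECTED" result means the load balancer certificate is not trusted by, or does not match the FQDN on, the host you ran it from, which is a configuration gap in the import-to-trusted-store step rather than a network problem; a low DaysToExpiry value is worth tracking because the load balancer certificate has to be re-exported to every IQService host when it is renewed.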
IQService - Security

Yes, you can change the TLS version and cipher suites on the Windows side. Microsoft provides a list of the default prioritized cipher suites that come as part of the Windows OS, and on that list the AEAD ciphers (for example, AES-GCM) are usually on top. By default, IQService uses the top AEAD cipher suite unless the peer is configured to use less secure cipher suites.
You have the option to configure TLS versions and cipher suites on Windows; that way, if a client tries to negotiate less secure ciphers, they are already disabled at the OS level.
The following lists the cipher suites supported on Windows; you can configure these based on your requirements: Cipher Suites in TLS/SSL.
The following provides information on TLS configurations: Enable TLS 1.1 and TLS 1.2 onwards support in Office Online Server. You can enable TLS on the server side. For more information, refer to Enable TLS 1.1 and TLS 1.2.
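To make the OS-level configuration described above concrete, the following added example (not SailPoint's or IQService's code) audits the cipher suites and SCHANNEL protocol switches on an IQService host and, only when run with -Apply, disables the non-AEAD suites and the legacy server-side protocols. It assumes Windows Server 2016 / Windows 10 or later, where the Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets ship with the TLS module, and an elevated session. The pattern used to classify suites as non-AEAD is the author's choice here, not a Microsoft-defined list.

```powershell
# Added example (not SailPoint's or IQService's code): audit and optionally tighten the
# Windows SCHANNEL cipher suite list and protocol switches that IQService inherits.
# Assumes Windows Server 2016 / Windows 10 or later and an elevated session.
# Without -Apply the script only reports; with -Apply it disables non-AEAD suites and
# SSL 3.0 / TLS 1.0 / TLS 1.1 for the server role. A Group Policy "SSL Cipher Suite
# Order" setting, if present, overrides the local list changed here.
[CmdletBinding()]
param([switch]$Apply)

# Classification assumed by this example: CBC-mode, 3DES, RC4, NULL and MD5-based
# suites are treated as non-AEAD; GCM and ChaCha20-Poly1305 suites as AEAD.
$weakPattern = '_CBC_|3DES|RC4|NULL|_MD5'
$aeadPattern = '_GCM_|CHACHA20'

function Get-CipherSuiteReport {
    $suites = Get-TlsCipherSuite
    [pscustomobject]@{
        Aead    = @($suites | Where-Object { $_.Name -match $aeadPattern } | Select-Object -ExpandProperty Name)
        NonAead = @($suites | Where-Object { $_.Name -match $weakPattern } | Select-Object -ExpandProperty Name)
    }
}

function Get-ProtocolState {
    # Server-side SCHANNEL protocol switches. A missing key means the OS default applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $base "$proto\Server"
        $enabled = 'OS default'
        if (Test-Path $key) {
            $val = (Get-ItemProperty -Path $key).Enabled
            if ($null -ne $val) { $enabled = $val }
        }
        [pscustomobject]@{ Protocol = $proto; RegistryKey = $key; Enabled = $enabled }
    }
}

$report = Get-CipherSuiteReport
Write-Host "AEAD cipher suites enabled ($($report.Aead.Count)):"
$report.Aead | ForEach-Object { Write-Host "  $_" }
Write-Host "Non-AEAD cipher suites enabled ($($report.NonAead.Count)):"
$report.NonAead | ForEach-Object { Write-Host "  $_" }
Get-ProtocolState | Format-Table -AutoSize

if ($Apply) {
    # Remove the non-AEAD suites from the OS priority list so a peer cannot negotiate them.
    foreach ($name in $report.NonAead) {
        Disable-TlsCipherSuite -Name $name
        Write-Host "Disabled cipher suite $name"
    }
    # Turn off the legacy protocols for the server role; the change takes effect after a reboot.
    foreach ($state in Get-ProtocolState | Where-Object { $_.Protocol -ne 'TLS 1.2' }) {
        New-Item -Path $state.RegistryKey -Force | Out-Null
        New-ItemProperty -Path $state.RegistryKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $state.RegistryKey -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Host "Disabled $($state.Protocol) for the server role (reboot required)"
    }
}
```

Run it first without -Apply and compare the remaining AEAD suites against what the IdentityIQ side (the Java runtime that connects to IQService) can negotiate; if the peer only offers suites you are about to disable, the connection will fail after the change, so verify the handshake from an IdentityIQ host before and after applying it.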