Updating IQService

IQService has a built-in capability to update automatically (this is the default) by using the UpdateService service. UpdateService needs to be configured alongside the IQService installation.

Note
  • Auto update for 32-bit IQServices is not currently supported. Updates to 32-bit IQService deployments, such as with Lotus Domino sources, require manual updates.

  • To upgrade, you must uninstall the previous version and then install the new version in its place. For more information, refer to Installing and Registering IQService.

  • SailPoint recommends that you back up your current installation before starting the update process. If you have issues with the new update, the backup can help with troubleshooting.

Manually Upgrade IQService to Latest Version

To upgrade IQService to the latest version:

  1. Create a backup of the existing IQService installation folder where you have configured your IQService.

  2. Stop the current IQService service either from the Services applet or from the command line by running: IQService.exe -k

  3. Extract the latest IQService in the installation directory.

  4. If UpdateService is not already installed, install it using the IQService.exe -i -z "tcp://<localhost>:<port>" command. You can check for assigned/unassigned ports by checking your registry. Use a port from your registry that is open and available. If you specify a port that is already in use, UpdateService adds a counter and uses an available port.

  5. Start the IQService from the Services applet or from the command line by using the IQService.exe -s command.
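
The five steps above as one PowerShell script, with two pre-flight checks added: an Authenticode signature check on the package DLLs before anything is copied into place, and a check for whether the chosen UpdateService port is already listening. This is an added example, not SailPoint tooling; the paths, the port number, the zip layout (files at the archive root) and the -InstallUpdateService switch are assumptions.

```powershell
# Added example, not SailPoint code. Paths, port and zip layout are assumptions.
param(
    [string]$InstallDir = 'C:\IQService',               # assumed installation folder
    [string]$PackageZip = 'C:\Temp\IQService-xyz.zip',  # assumed package location
    [int]$UpdatePort = 5060,                            # assumed UpdateService port
    [switch]$InstallUpdateService                       # set when UpdateService is not yet installed
)
$ErrorActionPreference = 'Stop'
$exe   = Join-Path $InstallDir 'IQService.exe'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$stage = Join-Path $env:TEMP "IQService-stage-$stamp"

# Pre-flight 1: unpack to a staging folder and check every DLL's Authenticode signature.
Expand-Archive -Path $PackageZip -DestinationPath $stage
$sigs = @(Get-ChildItem -Path $stage -Recurse -Filter *.dll |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName })
if ($sigs.Count -eq 0) { throw "No DLLs found in $PackageZip; unexpected package layout." }
$bad = @($sigs | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Warning "$($_.Path): $($_.Status)" }
    throw "Aborting: $($bad.Count) DLL(s) without a valid signature."
}
# List the distinct signers so they can be compared with the current installation.
$sigs | ForEach-Object { $_.SignerCertificate.Subject } | Sort-Object -Unique

# Pre-flight 2: if the port is busy, UpdateService picks a different one (see step 4).
if ($InstallUpdateService -and
    (Get-NetTCPConnection -State Listen -LocalPort $UpdatePort -ErrorAction SilentlyContinue)) {
    Write-Warning "Port $UpdatePort is in use; UpdateService will choose another port."
}

# Step 1: back up the existing installation folder.
Copy-Item -Path $InstallDir -Destination "$InstallDir-backup-$stamp" -Recurse
# Step 2: stop the running IQService.
& $exe -k
# Step 3: place the verified files in the installation directory.
Copy-Item -Path (Join-Path $stage '*') -Destination $InstallDir -Recurse -Force
# Step 4: install UpdateService only when it is not already installed.
if ($InstallUpdateService) { & $exe -i -z "tcp://localhost:$UpdatePort" }
# Step 5: start IQService.
& $exe -s
```

Run it from an elevated PowerShell session. If the port warning appears, confirm which port UpdateService actually bound before writing firewall rules for remote IQService instances.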

Auto Update IQService to Latest Version

SailPoint requires you to install and configure UpdateService to update IQService without manual intervention. UpdateService ensures that you always have the latest released versions of IQService and itself deployed in your environment. Running the latest software version ensures that you always have the latest features and bug fixes.

Note
No internet connection is required for IQService auto update if your Virtual Appliance (VA) is getting other bundles updated in its environment. Updates are downloaded on your VA, and the necessary updates are then applied to all the IQService hosts using the UpdateService.

The following steps explain how auto update through UpdateService works for a new IQService package:

  1. Once the IQService update is available, the VA downloads the new IQService package (IQService-xyz).

  2. The VA sends the new IQService package (IQService-xyz) to the configured IQService over the IQService port.

  3. IQService and UpdateService confirm that the version of the new IQService package (IQService-xyz) is different from the existing version.

  4. IQService sends the new upgrade version to UpdateService over the UpdateService port.

  5. UpdateService performs an upgrade on IQService over the IQService port.

Configuring IQService Auto Update

Configuration Details

Deployment architecture details

Standalone deployment:

UpdateService manages the update for a single IQService instance and its corresponding secondary IQService.

UpdateService is deployed locally alongside IQService.

Load balancer deployment:

Multiple IQService instances are deployed on multiple nodes that cater to incoming requests depending on the load balancing strategy.

UpdateService installation location

Standalone deployment:

Local to the IQService location

Load balancer deployment:

One instance of IQService has local UpdateService.

All other IQService instances refer to the configured local instance of UpdateService.

Installation command

Standalone deployment:

  • IQService.exe -z "tcp://localhost:<port>"

  • IQService.exe -z "tcps://localhost:<port>"

Load balancer deployment:

  • UpdateService node:

    • IQService.exe -z "tcp://localhost:<port>"
    • IQService.exe -z "tcps://localhost:<port>"

  • Remote IQService instance:

    • IQService.exe -z "tcp://<updateservice-hostname>:<updateservice-port>"
    • IQService.exe -z "tcps://<updateservice-hostname>:<updateservice-port>"

Installation details

Standalone deployment:

UpdateService can be configured during installation or at a later point of time. It requires an IQService restart.

While configuring UpdateService for the first time, if the hostname in the URL for UpdateService maps to the hostname of the local machine (localhost/IP/FQDN), then the UpdateService is installed on the machine.

You can start UpdateService using the following:

  • Starting IQService automatically starts UpdateService

  • Start UpdateService through the command line option -t

  • Once installed, start UpdateService through services.msc

Load balancer deployment:

UpdateService can be configured during installation or at a later point of time. It requires an IQService restart.

If the hostname for UpdateService is remote, then IQService communicates directly with the remote UpdateService and does not install the UpdateService locally.

Update UpdateService details

Standalone deployment:

To update or reconfigure any configuration parameters associated with UpdateService, SailPoint recommends:

  1. You stop all IQService instances and UpdateService.

  2. You update the configuration using the command line options.

  3. You start the respective service instances.

Load balancer deployment:

To update or reconfigure any configuration parameters associated with UpdateService, SailPoint recommends:

  1. You stop all IQService instances and UpdateService.

  2. You update the configuration using the command line options.

  3. You start the respective service instances.

Services installed in the deployment

Standalone deployment:

  • Primary IQService

  • Secondary IQService

  • UpdateService

Load balancer deployment:

  • IQService node with UpdateService

  • Other IQService nodes without UpdateService local installation

Note
You must install IQService by applying the -b option that skips the installation of the secondary IQService, which is not required for a load balanced deployment.

Security and client authentication

Standalone deployment:

Prerequisite: To use TLS/Client Authentication for UpdateService, you must configure IQService to use TLS communication with the corresponding client authentication details.

tcps can be configured to use TLS for inter-service communication.

No special steps need to be performed for a standalone deployment. If IQService is configured to use TLS, UpdateService uses the IQService certificate and user for client authentication.

Load balancer deployment:

Prerequisite: To use TLS/Client Authentication for UpdateService, you must configure IQService to use TLS communication with the corresponding client authentication details.

tcps can be configured to use TLS for inter-service communication.

To ensure smooth TLS communication:

  • Add the certificate issuer in the Trusted Root Certification Authorities

  • The nodes should be in the same domain to use the same IQService user for client authentication

Integrity

Standalone deployment:

IQService and UpdateService validate the signature of the dll files of the IQService zip before proceeding with any operation.

Load balancer deployment:

IQService and UpdateService validate the signature of the dll files of the IQService zip before proceeding with any operation.

Extra open ports

Standalone deployment:

As the IQService and the respective UpdateService are present on the same local machine, no extra ports need to be exposed for communication.

Load balancer deployment:

For remote IQService instances to be able to communicate with UpdateService, the port that the UpdateService is listening on needs to be open for external communication with remote IQService instances.

UpdateService Configuration Parameters

For more information on securing communication between IQService and UpdateService, refer to Secure Communication Between IQService and UpdateService.

Important
Any IQService or UpdateService configuration changes require a restart of the corresponding service.

Option: -a
Parameters: Trusted client certificate trusted names or Subject Alternative Name
Details: Provide a list of semi-colon (;) separated trusted client certificate subject names or Subject Alternative Name (SAN) of the IQService machines that will be communicating with the UpdateService.

For example:

  • UpdateService.exe -a iqservice.test.com

  • UpdateService.exe -a iqservice.test.com;iqservice1.test.com

Option: -a list
Parameters: N/A
Details: Displays the list of trusted certificate subject names configured with UpdateService.

Option: -h | ?
Parameters: N/A
Details: Prints the help for the UpdateService.

Option: -t
Parameters: N/A
Details: Restarts the UpdateService.

Option: -l
Parameters: 0 - 3
Details: Trace level 0 - 3

  • 0 - Off

  • 1 - Error

  • 2 - Information

  • 3 - Debug

Changing trace level requires a restart of UpdateService.

Option: -f
Parameters: fileName
Details: Trace file name.

Option: -p
Parameters: Port
Details: Update the UpdateService port.

Updating the port requires a restart of UpdateService.

Option: -u
Parameters: true/false
Details: True to enable TLS and false to disable TLS.

Enabling or disabling TLS requires a restart of UpdateService.

Option: -q
Parameters: Timeout in seconds
Details: Connection read timeout for UpdateService.

Option: -x
Parameters: N/A
Details: Deletes the list of trusted certificate subject names.

Note
If configured, UpdateService will not validate the certificate-based client authentication during the TLS handshake.