Recent Updates
UpdateService
With the latest release, IQService is packaged with UpdateService, which must be configured alongside IQService to enable the auto update functionality. Once the UpdateService is configured, no manual intervention is required for further releases. To ensure secure communication between the services, SailPoint recommends that you use TLS and Client Authentication for the IQService configuration, which in turn is used by the UpdateService for communication.
Configuration of Timeout
IQService supports configuring a maximum waiting time before terminating an inactive connection while reading requests. By default, the timeout value is 15 seconds. For example, you can use the IQService.exe -q 20 command to set the timeout to 20 seconds.
.Net Framework Prerequisite for IQService
.NET Framework version 4.8 is now one of the software prerequisites for IQService. IQService is compatible with lower versions of .NET Framework (4.5.2 onwards). However, SailPoint recommends using the latest version, .NET Framework 4.8, to align your environment with future releases of this service.
Correct Display of Logs
The IQService.exe -v command now displays the trace level logs.
Additionally, the IQService log level values are:
- 0=off
- 1=error
- 2=info
- 3=debug
The default is 1 (error level logs).
Improved TLS Connection
IQService now successfully connects with TLS from Identity Security Cloud when the certificate SAN (subject name) is in a foreign language.
Disabling Non-TLS Communication for an Existing IQService Instance
If you are enabling TLS communication for an existing IQService instance that previously used non-TLS communication, you must ensure that non-TLS communication is disabled for that same instance. You can achieve this using one of the following methods:
Method 1
- Set the existing non-TLS port to zero (0) or any negative number (such as -1, -2, -3) using the command line:
  IQService.exe -p <zero or negative port number>
  For example,
  IQService.exe -p 0
  IQService.exe -p -1
  Note
  Ensure that you disable the non-TLS port for both the primary service and the secondary service (if configured).
- After setting the port, restart the IQService.
Method 2
Optionally, you can delete the non-TLS port entry from the IQService instance registry configuration.
Warning
Directly editing the registry can cause serious, potentially unrecoverable errors if done incorrectly. Only modify fields that are specifically intended for modification.
Use the following steps to delete the non-TLS port entry from the IQService instance:
- Locate the registry configuration for your IQService instance.
  You can find the registry path for the primary service at:
  HKEY_LOCAL_MACHINE\SOFTWARE\SailPoint\IQService Instances\<IQService-Instance>
  You can find the registry path for the secondary service at:
  HKEY_LOCAL_MACHINE\SOFTWARE\SailPoint\IQService Instances\<IQService-Instance>\Secondary
  Replace <IQService-Instance> with the name of your IQService instance.
- Look for the port attribute.
- Delete the port attribute entry.
After completing one of these methods, the IQService will only communicate using TLS, ensuring secure communication between the IQService and other components. To verify that the non-TLS port has been successfully disabled for your IQService instance, run the following command:
IQService.exe -v
After running this command, the output should display only the Configured TLS Port information along with the corresponding TLS port number, such as Configured TLS Port : <TLS Port Number>
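To check every registered instance, primary and secondary, after applying Method 1 or Method 2, the following PowerShell audit reads the registry paths given above. It is an added example, not SailPoint tooling. It assumes that the port attribute is the non-TLS port set by IQService.exe -p and that a missing, zero or negative value means disabled; the function name Get-NonTlsPortState is hypothetical.

```powershell
# Added example: report IQService instances whose non-TLS port is still enabled.
# Assumption: the "port" registry value is the non-TLS port that
# "IQService.exe -p" sets; absent, zero or negative means disabled.

$root = 'HKLM:\SOFTWARE\SailPoint\IQService Instances'

function Get-NonTlsPortState {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $Instance,
        [Parameter(Mandatory)] [string] $Role
    )
    # A deleted entry (Method 2) yields no property at all.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name 'port' -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.port } else { $null }

    $port  = 0
    $state = if ($null -eq $raw) {
        'Disabled (no port entry)'
    } elseif (-not [int]::TryParse([string]$raw, [ref]$port)) {
        'Review (value is not an integer)'
    } elseif ($port -gt 0) {
        'ENABLED'
    } else {
        'Disabled (port <= 0)'
    }
    [pscustomobject]@{ Instance = $Instance; Role = $Role; Port = $raw; NonTls = $state }
}

if (-not (Test-Path -LiteralPath $root)) {
    Write-Warning "No IQService instances found under $root"
    return
}

$results = foreach ($key in Get-ChildItem -LiteralPath $root) {
    $name = $key.PSChildName
    Get-NonTlsPortState -KeyPath $key.PSPath -Instance $name -Role 'Primary'

    # The secondary service, if configured, has its own port entry.
    $secondary = "$($key.PSPath)\Secondary"
    if (Test-Path -LiteralPath $secondary) {
        Get-NonTlsPortState -KeyPath $secondary -Instance $name -Role 'Secondary'
    }
}

$results | Format-Table -AutoSize
$open = @($results | Where-Object { $_.NonTls -notlike 'Disabled*' })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) service entry(ies) need attention; fix, restart IQService, re-check."
}
```

The script only reads the registry; IQService.exe -v remains the documented verification for each instance.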