How to enable TLS for windows connector

Hi All,

We have a requirement to integrate the Windows Connector with the local machine in SailPoint IdentityIQ version 8.5. For this integration, TLS must be enabled on the Windows IQService, and the required certificates need to be generated and configured. Could someone please guide us on the steps to enable TLS for the Windows Connector in IdentityIQ 8.5 and how to generate and configure the necessary certificates?

Thanks In Advance.

Hi @durgabhavanirali — for IIQ 8.5 “Windows Local” (Windows Connector), TLS is enabled on the IdentityIQ ↔ IQService channel. This is a clean way to manage this:

What you need before starting
• IQService server FQDN (example: iqservice01.company.com). Your certificate must match this.
• Pick one TLS port (use whatever your org standard is).
• A service account that IIQ will use to authenticate to IQService (example: DOMAIN\svc_iqservice).

  1. Issue the IQService server certificate on the Windows host

On the IQService Windows server, make sure the cert is:
• In Local Computer → Personal store
• Has the private key
• EKU includes Server Authentication
• CN = FQDN AND SAN includes DNS = same FQDN

If SAN is missing, TLS will fail even if the cert “looks fine”.

  2. Install (or re-install) IQService to listen on TLS

From the IQService folder (where IQService.exe exists):

Install on TLS port:

IQService.exe -i -o <TLS_PORT>

If you’re converting an existing install and want to avoid mixed-mode confusion:

Disable the non-TLS port + restart:

IQService.exe -p 0
IQService.exe -t

Verify what IQService is actually listening on:

IQService.exe -v

You should see a configured TLS port.

  3. Force IQService to pick the correct cert (common real-world gotcha)

If the machine has multiple certs, tell IQService which subject to use:

IQService.exe -m DNS:iqservice01.company.com
IQService.exe -t

  4. Enable Client Authentication (required when using TLS)

Register the account that IIQ will use:

IQService.exe -a "DOMAIN\svc_iqservice"

  5. Configure the Windows Local application in IIQ

In the Windows Local Application configuration:
• IQServiceHost = IQService FQDN / IP
• IQServicePort = your TLS port
• useTLSforIQService = true
• IQServiceUser / IQServicePassword = the SAME user registered in step 4

Most failures happen because people enable TLS but forget the IQService user/password or they use a different account than the one registered.

  6. Trust chain (must be correct on both sides)
    • On the IQService Windows host: the issuing CA chain must be trusted.
    • On the IIQ side: the JVM used by the app server must trust the issuing CA/root (import the CA chain into the JVM truststore used by your IIQ runtime).


Official documentation references to check:
Windows Local connector configuration parameters:

IQService: Configuring TLS + Client Authentication (includes commands/checklist):

IQService command reference (e.g., -m, -a, -p, -t, -v):

https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/commands.
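As an added example (not from the reply above, the SailPoint documentation, or the IQService product itself), the PowerShell below checks the certificate requirements from step 1 on the IQService host (Local Computer → Personal store, private key present, EKU includes Server Authentication, SAN carries DNS = FQDN, chain builds to a trusted CA) and then performs a real TLS handshake against the port from step 2 without disabling certificate validation. The FQDN and port values are placeholders taken from the post; the function names are my own.

```powershell
# Added example: verify the IQService TLS certificate and port on the Windows host.
# Not part of the original post or of SailPoint's documentation.
# Placeholders: replace $Fqdn and $TlsPort with your own values.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU object identifier for Server Authentication
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-IQServiceCertificate {
    param([Parameter(Mandatory)][string]$Fqdn)

    # Only the Local Computer -> Personal store counts; a cert in the user store is invisible to the service.
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" }

    if (-not $candidates) {
        Write-Warning "No certificate with CN=$Fqdn in Cert:\LocalMachine\My"
        return $false
    }

    $anyGood = $false
    foreach ($cert in $candidates) {
        $findings = @()

        if (-not $cert.HasPrivateKey) { $findings += 'no private key' }
        if ($cert.NotAfter -lt (Get-Date)) { $findings += 'expired' }
        if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $ServerAuthOid) {
            $findings += 'EKU does not include Server Authentication'
        }

        # Read the SAN extension explicitly; the CN alone is not enough for modern TLS clients.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if (-not $san) {
            $findings += 'no SAN extension at all'
        } elseif ($san.Format($false) -notmatch "DNS Name=$([regex]::Escape($Fqdn))(,|$)") {
            $findings += "SAN does not contain DNS=$Fqdn"
        }

        # Build the chain against the machine's trust store (step 6: CA chain trusted on the host).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $findings += "chain does not build ($status)"
        }

        if ($findings.Count -eq 0) {
            Write-Host "OK   $($cert.Thumbprint) $($cert.Subject)"
            $anyGood = $true
        } else {
            Write-Host "FAIL $($cert.Thumbprint) $($cert.Subject): $($findings -join '; ')"
        }
    }
    return $anyGood
}

function Test-IQServiceTlsPort {
    param([Parameter(Mandatory)][string]$Fqdn, [Parameter(Mandatory)][int]$TlsPort)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $TlsPort)
        # No validation callback is supplied, so the presented cert must chain to a trusted CA
        # and match $Fqdn, exactly as IIQ's JVM will require.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        Write-Host ("TLS OK {0}:{1} protocol={2} cipher={3} subject={4}" -f `
            $Fqdn, $TlsPort, $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.RemoteCertificate.Subject)
        $ssl.Dispose()
        return $true
    } catch {
        Write-Warning "TLS handshake to ${Fqdn}:$TlsPort failed: $($_.Exception.Message)"
        return $false
    } finally {
        $client.Dispose()
    }
}

# Placeholder values from the post; substitute your own FQDN and TLS port.
$Fqdn    = 'iqservice01.company.com'
$TlsPort = 12345

$certOk = Test-IQServiceCertificate -Fqdn $Fqdn
$portOk = Test-IQServiceTlsPort -Fqdn $Fqdn -TlsPort $TlsPort
"Certificate check: $certOk; TLS port check: $portOk"
```

Run it in an elevated PowerShell session on the IQService host after `IQService.exe -t`. A certificate that passes the first function but fails the handshake usually means IQService bound a different certificate (see the `-m` step above) or the port is not the TLS port; a handshake failure mentioning the remote certificate points at the trust chain on the calling machine, which is the same problem the IIQ JVM truststore will have.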


You can find the required useful information at the given URL:

https://documentation.sailpoint.com/connectors/identityiq/active_directory/help/integrating_active_directory/securing_communication_path.html#:~:text=To%20enable%20TLS%20communication%2C%20complete%20the%20following%3A%201,checkbox.%204%20Select%20Test%20Connection%20and%20then%20Save
