Hi @akumar58! It is in the documentation, although a little dispersed.
First, you must install both iqservice. This must be done on all nodes:
iqservice.exe -i -b -p 5050 -o 5052
- -b stands for not installing the secondary service, as it is not necessary if you have 2 or more nodes in the cluster; -p if you want to change the default plain-text port, and -o to establish the TLS port.
After that, register the user (generally the same AD service user configured in the source domain configuration):
iqservice.exe -a "domain\srv_user"
Then restart the service; do both commands on all nodes.
Before going on, test whether iqservice is reachable. First, test the AD source connection without configuring iqservice, to guarantee that the domain configuration is right. If it succeeds, then configure each iqservice node and test the connection in plain text (5050). Also, first try the IP of each node, then the hostname, just to detect name-resolution problems.
After the connection tests have passed, you should configure TLS, as Alicia mentioned.
To do this, ask your load balancer provider to send you the certificate of the load balancer (and the certificate chain as well, that is, all CAs in the chain up to the root CA). You must import all certificates in the Windows Certificate console of each Windows server (they have to be in both the Personal and Root folders; I had problems when not copying to Root).
Then, you have to run this command:
iqservice.exe -m "DNS:<load_balancer>"
Please note that <load_balancer> is the text EXACTLY as it is in the ISSUED TO field of the certificate issued by the load balancer administrator.
Here you can test this configuration by temporarily stopping the iqservice service and running it in the console:
iqservice.exe -d -l 3
This will cause iqservice to run in the terminal console (-d) with trace level 3 (-l 3). You must not see any errors on this screen. Then press Ctrl+C and start the iqservice service again.
This procedure has to be performed on all nodes.
Finally, you have to copy the load balancer certificate and its chain certificates to the VA, in the directory /home/sailpoint/certificates (you should restart your VA). Now, go to the configuration screen on the tenant, enable TLS and change to the TLS port.
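As an added example (not from this thread or from SailPoint), here is a Python script that automates the connection tests described above: plain-text TCP on 5050 first, by IP and then by hostname, then a TLS handshake on 5052 validated against the load balancer chain and the exact name given to -m. The node addresses, hostnames, LB name and chain file path are constructed placeholders.

```python
import socket
import ssl

# Constructed sample inventory (placeholders): (node IP, node hostname).
NODES = [("10.0.0.11", "iq1.corp.example"), ("10.0.0.12", "iq2.corp.example")]
LB_DNS_NAME = "iqservice-lb.corp.example"   # must equal the value passed to -m "DNS:..."
PLAIN_PORT, TLS_PORT = 5050, 5052

def plain_reachable(target, port=PLAIN_PORT, timeout=3.0):
    """Step 1: can we open a TCP connection to the plain-text port?"""
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return True
    except OSError:
        return False

def cert_names(cert):
    """Collect DNS SANs and the subject CN from an ssl.getpeercert() dict."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names

def name_matches(cert, expected):
    """The LB name given to -m must appear exactly in the certificate's names."""
    return expected in cert_names(cert)

def tls_check(target, expected=LB_DNS_NAME, port=TLS_PORT, cafile=None, timeout=3.0):
    """Step 2: TLS handshake with one node. The chain is verified against cafile
    (the LB chain PEM: root + intermediates) and the presented certificate is
    compared with the LB name, not with the node's own IP or hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False                       # we compare against the LB name ourselves
    with socket.create_connection((target, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected) as tls:
            return name_matches(tls.getpeercert(), expected)

def run_checks(nodes=NODES, chain_pem="lb-chain.pem"):
    """Run both checks per node, IP first and then hostname, to isolate DNS problems."""
    results = {}
    for ip, hostname in nodes:
        for target in (ip, hostname):
            results[(target, "plain")] = plain_reachable(target)
            try:
                results[(target, "tls")] = tls_check(target, cafile=chain_pem)
            except (OSError, ssl.SSLError) as exc:
                results[(target, "tls")] = f"FAIL: {exc}"
    return results
```

A value of False for "plain" on the IP but True on the hostname (or vice versa) points at name resolution or firewalling rather than iqservice itself, and a "FAIL" on "tls" with a verification message means the chain imported on the nodes does not match what was passed as cafile.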