How to setup IQS Servers using TLS with Load Balancer

Hi! I have 4 IQS that must be configured with a Load Balancer in front. I read the article

https://community.sailpoint.com/t5/IdentityNow-Connectors/High-Availability-for-IQService/ta-p/77511

But it says nothing about TLS. Do I have to configure each IQS with its server machine, and the LB as a TLS client in that communication? Or does it work with the LB-IQS connection in plain text, with the LB being the one that handles the TLS communication?

The load balancer is configured just to pass incoming traffic to the configured IQService on the back end. While we know that is XML-RPC over TLS, the load balancer just sees a packet.

You will need to generate a certificate with the FQDN of the load balancer as the subject. Then you will upload that certificate to each IQService host.

On the IQService, you can use the iqservice.exe -m command to link your common certificate to the IQService and not default to the computer certificate.

If your certificate is not signed by a trusted CA, you will also need to upload your intermediate and root certificates to the VA as well.

This document may also be helpful: IQService architecture: Network ports and firewalls - Compass (sailpoint.com)

Alicia

Hi @agutschow , thanks for the response! So it seems that the LB only passes traffic through. But does it mean that the LB common certificate must reside in each server's cert store? Any IQS that receives an incoming TLS handshake will send the same certificate to the VA, right?

Perhaps something like this?

Yes, each IQ service will need a certificate for lb.domain.local.

Alicia

Hi @jsosa @agutschow
I'm configuring 2 IQServices with 2 VAs using a Load Balancer. Do you guys have any document to follow, as I don't see a proper guide for this? I need a step-by-step process to follow.

Any Help would be appreciated.

Thank you
Amarjeet

Hi @akumar58 ! It is in the documentation, although a little dispersed.

First, you must install both IQServices. This must be done on all nodes:

iqservice.exe -i -b -p 5050 -o 5052

  • -b stands for not installing the secondary service, as it is not necessary when you have 2 or more nodes in the cluster; -p if you want to change the default plain text port; and -o to set the TLS port

After that, register the user (generally, the same AD service user configured in the source's domain configuration):

iqservice.exe -a "domain\srv_user"

Then restart the service; do both commands on all nodes.

Before going on, test if IQService is reachable. First, test the AD source connection without configuring IQService, to guarantee that the domain configuration is right. If it succeeds, then configure each IQService node and test the connection in plain text (5050). Also, first try the IP of each node, then the hostname, to rule out name resolution problems.

After the connection tests pass, you should configure TLS, as Alicia mentioned.

To do this, ask your Load Balancer provider to send you the certificate of the load balancer (and the certificate chain as well, that is, all CAs in the chain up to the root CA). You must import all certificates in the Windows Certificate console of each Windows server (they have to be in both the Personal and Root folders; I had problems when not copying to Root).

Then, you have to run this command:

iqservice.exe -m "DNS:<load_balancer>"

Please note that <load_balancer> is the text EXACTLY as it is in the ISSUED TO field of the certificate issued by the load balancer administrator.

Here you can test this configuration by temporarily stopping the IQService service and running it in the console:

iqservice.exe -d -l 3

This will make IQService run in the terminal console (-d) with trace level 3 (-l 3). You must not see any errors on this screen. Then press Ctrl+C and start the IQService service again.

This procedure has to be performed on all nodes.

Finally, you have to copy the load balancer certificate and its chain certificates to the VA, in the directory /home/sailpoint/certificates (you should restart your VA). Now go to the configuration screen on the tenant, enable TLS and change to the TLS port.

1 Like
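An added check for the procedure above (example code, not from the thread or from SailPoint): run from the VA or an admin host, it connects to each IQService node by IP but validates the certificate the way the VA will after the load balancer forwards the packet, i.e. the chain against the bundle copied to /home/sailpoint/certificates and the name against the load balancer FQDN given to -m. The node IPs, the FQDN lb.domain.local, the bundle file name and the TLS port are placeholders.

```python
import socket
import ssl

# Assumed placeholders, not values from the thread:
LB_FQDN = "lb.domain.local"             # must equal the ISSUED TO / -m value
TLS_PORT = 5052                         # the -o port from the install command
CA_BUNDLE = "/home/sailpoint/certificates/lb-chain.pem"   # chain uploaded to the VA
NODES = ["10.0.0.11", "10.0.0.12"]      # constructed IQService node IPs


def cert_names(cert: dict) -> list:
    """DNS names the cert covers: SAN DNS entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(cert: dict, fqdn: str) -> bool:
    """True if fqdn is covered by the cert (exact or single-label wildcard)."""
    fqdn = fqdn.lower()
    parent = fqdn.split(".", 1)[1] if "." in fqdn else ""
    for name in (n.lower() for n in cert_names(cert)):
        if name == fqdn or (name.startswith("*.") and name[2:] == parent):
            return True
    return False


def check_node(node_ip: str, fqdn: str = LB_FQDN, port: int = TLS_PORT,
               cafile: str = CA_BUNDLE) -> tuple:
    """Connect to a node by IP but validate as the VA will after the LB forwards
    the packet: chain against the uploaded bundle, name against the LB FQDN."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = False      # name check is done below with a clearer message
        with socket.create_connection((node_ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:   # untrusted chain errors land here too
        return False, f"{node_ip}: TLS handshake failed: {exc}"
    if not name_matches(cert, fqdn):
        return False, f"{node_ip}: cert is for {cert_names(cert)}, not {fqdn}"
    return True, f"{node_ip}: presents a trusted cert for {fqdn}"


if __name__ == "__main__":
    for ip in NODES:          # every node must pass, or the LB will hand out a bad cert
        print(check_node(ip)[1])
```

A node that still serves its own computer certificate fails the name check with the names it actually presents, which is the same mismatch the VA would report once TLS is enabled on the tenant.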

Hi @jsosa
Thank you for the details.
Can you please connect with me on +918709953109 (WhatsApp/Telegram) so I can directly ask you the doubts I’ll be having when configuring the LB.

Hi @jsosa
Thank you so much for above illustration.
Can you please help me with below Query:

  1. Must I install only one IQS instance, without the secondary instance?
  2. Can I use a Network Load Balancer (NLB), or is only an Application Load Balancer supported?
  3. The NLB is created in AWS IaaS. How can I check whether my NLB is working or not? My IQS server was working on TLS port 5054 successfully.
  4. I have got 3 certificates from the NLB: Root Cert, Intermediate Cert & Server Certificate, and a Key File.
  5. I have installed the Server Certificate on both IQService hosts and also kept the Key file in the IQS folder where it is installed.
  6. Do I need to install the certificate in Personal or Trusted Root Certification Authorities in MMC?
  7. Do I need to keep all 3 LB certificates and the key file on both VAs also?

I have 2 VAs, 2 IQService hosts and 1 NLB over TLS port 5054.
Please help me with these queries.
Thank you in advance. If possible, please contact me about this issue, or provide a detailed step-by-step description of connecting this, as it is an urgent requirement.

@agutschow