Which IIQ version are you inquiring about?
8.4P2+
In early April, the communication I’ve pasted below was sent to me by the customer success team. At the time, I was unable to get a straightforward answer to what exactly this means. Will the Before/After scripts be entirely disabled moving forward, or will they only be disabled if the IQService is not using TLS with a customer-issued SSL cert for use with the IQService? I heard an announcement that IdentityIQ version 8.5 is scheduled for release sometime this July, and I’m curious if Before/After scripts have been disabled in this version.
Hello Customer,
I am reaching out to let you know about an upcoming change to IQService, related to a recent vulnerability discovery (identified through our Vulnerability Disclosure Program). If you are not using IQService, you can disregard this notification.
Why we are making this change
It has been our long-standing recommendation to secure communication between IdentityIQ and IQService using Transport Layer Security (TLS) along with client authentication. If TLS is not configured, IQService encrypts messages using a default encryption key. However, this default key – designed to simplify setup and deployment for system administrators – is the same for all installations and can be exploited to allow unauthorized access.
Action required: What to expect in the next release of IdentityIQ
Moving forward, to ensure the security of our customers, the before and after script execution will be disabled in all upcoming releases of IdentityIQ.
In the meantime, if you are leveraging IQService before and after scripts, you must configure TLS along with client authentication for IQService to continue execution of these scripts and to address this vulnerability.
Please refer to TLS and Client Authentication Configuration for more information.
Where to get help
We are here to help if you run into any issues or have questions. You can reply to this email or open a Support ticket with the subject line, “IQService - Upcoming release assistance requested.”
Regards,
SailPoint Customer Success