TLS Enablement for Active Directory [Important Pointers]

Secure the Active Directory application on the following communication paths, according to the operation performed:

  • IdentityIQ and Active Directory Domain Controller / target system: for read operations
  • IdentityIQ and IQService: for provisioning operations
  • IQService and Active Directory Domain Controller / target system: for (write) provisioning operations
  1. Import the DC certificate into the SailPoint application servers (both UI and Task servers) using the Java keystore (the certificate should be in .cer format).
  2. Import the DC certificate into the SailPoint application servers (both UI and Task servers) using the Windows default method for client authentication (the certificate will be in .pfx format).
    Make sure the DC certificate is placed in Trusted Root Certification Authorities.
  3. Import the IQService servers' certificates into the SailPoint application servers (both UI and Task servers) using the Java keystore (the certificates should be in .cer format).
  4. Import the DC certificate into the SailPoint IQService server using the Windows default method for client authentication. Make sure the DC certificate is placed in Trusted Root Certification Authorities.
  5. Update the IQService with the subject name used to look up IQService's X.509 certificate (requires a restart), using the IQService.exe -m command.

Additionally, whitelist the IP or FQDN of the load balancer, if one is present. To whitelist IPs and FQDNs, run the IQService command with the IP/FQDN. For example: IQService.exe -w {<IP/FQDN>}

  1. Add the Tomcat Java options. If a custom keystore is used, add the following lines to catalina.bat (Tomcat configuration) and the iiq.bat configuration file:
    -Djavax.net.ssl.trustStore=""
    -Djavax.net.ssl.trustStorePassword=""

  2. Restart the Tomcat Service.

  3. Restart IQ service
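The certificate imports in steps 1 to 4, the trust-store options for catalina.bat / iiq.bat, and a TLS connectivity check against the DC, as an added PowerShell example that is not part of the original post. All file paths, keystore aliases, host names and the trust-store password are assumed placeholders; keytool is assumed to be on PATH (from the JDK/JRE that runs Tomcat), and the Windows-store import assumes the built-in PKI module (Import-Certificate / Import-PfxCertificate, Windows Server 2012 or later).

```powershell
# Added example (not from the original post). All paths, aliases, host names and
# passwords below are assumed placeholders; replace them with your own values.
$DcCertFile        = 'C:\certs\dc01.cer'          # DC certificate exported as .cer
$IqServiceCertFile = 'C:\certs\iqservice01.cer'   # IQService host certificate as .cer
$TrustStore        = 'C:\sailpoint\certs\truststore.jks'
$TrustStorePass    = 'changeit'                   # assumed; use a real secret in practice

# Steps 1 and 3: import a .cer into the Java trust store the JVM will be pointed at.
function Import-JavaTrustedCert {
    param([string]$CertFile, [string]$Alias, [string]$KeyStore, [string]$StorePass)
    # keytool is assumed to be on PATH (from the JDK/JRE used by Tomcat).
    & keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CertFile `
              -keystore $KeyStore -storepass $StorePass | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "keytool import of $CertFile failed" }
    # Verify the alias is now present; keytool -list exits non-zero if it is not.
    & keytool -list -keystore $KeyStore -storepass $StorePass -alias $Alias | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Steps 2 and 4: place the DC certificate in Trusted Root Certification Authorities
# (LocalMachine\Root). A .cer is imported as-is; a .pfx also needs its password.
function Import-WindowsRootCert {
    param([string]$CertFile, [securestring]$PfxPassword)
    $store = 'Cert:\LocalMachine\Root'
    if ([IO.Path]::GetExtension($CertFile) -ieq '.pfx') {
        $cert = Import-PfxCertificate -FilePath $CertFile -CertStoreLocation $store -Password $PfxPassword
    } else {
        $cert = Import-Certificate -FilePath $CertFile -CertStoreLocation $store
    }
    # Confirm the thumbprint now appears in the root store.
    return [bool](Get-ChildItem $store | Where-Object Thumbprint -eq $cert.Thumbprint)
}

# Connectivity check: open a TLS session to the DC (LDAPS, port 636 by default) and let
# .NET validate the chain against the Windows store. A failure here means the root
# import above did not take effect for this host name, or the name does not match.
function Test-TlsEndpoint {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)   # throws on an untrusted chain or name mismatch
        [pscustomobject]@{ Host = $HostName; Trusted = $true; Error = $null
                           Protocol = $ssl.SslProtocol; Subject = $ssl.RemoteCertificate.Subject }
    } catch {
        [pscustomobject]@{ Host = $HostName; Trusted = $false; Error = $_.Exception.Message
                           Protocol = $null; Subject = $null }
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

# Usage (assumed names):
Import-JavaTrustedCert -CertFile $DcCertFile        -Alias 'dc01'        -KeyStore $TrustStore -StorePass $TrustStorePass
Import-JavaTrustedCert -CertFile $IqServiceCertFile -Alias 'iqservice01' -KeyStore $TrustStore -StorePass $TrustStorePass
Import-WindowsRootCert -CertFile $DcCertFile
Test-TlsEndpoint -HostName 'dc01.corp.example'

# Lines to add to catalina.bat / iiq.bat so Tomcat and the IIQ console use this trust store:
"-Djavax.net.ssl.trustStore=$TrustStore"
"-Djavax.net.ssl.trustStorePassword=$TrustStorePass"
```

Run the script on each UI and Task server with an elevated prompt (the LocalMachine\Root import requires it). The Java trust store and the Windows root store are separate trust anchors: the JVM-side LDAP connection from IdentityIQ only consults the keystore named in the -Djavax.net.ssl.trustStore option, while IQService and the connectivity check above rely on the Windows store, so both imports are needed for the paths listed at the top of the post.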

In the IdentityIQ application:

To enable TLS communication for the Active Directory application, complete the following:

  1. On the application configuration page, select the Use TLS for IQService checkbox.
  2. For more information on TLS communication between IQService and IdentityIQ, see IQService.
  3. Select Save.

Test the Application connectivity after saving the configuration.

Also, check whether TLS is enabled on the server.

  1. In Registry Editor, navigate to the following path and check the TLS configuration:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
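The registry check above, as an added PowerShell example that is not part of the original post. It goes beyond the single key the post names: it reads the Client and Server subkeys for TLS 1.0, 1.1 and 1.2 and reports each one's state, so a protocol that was left enabled by accident shows up next to the one being verified. The function name is an assumption; the key layout and the Enabled / DisabledByDefault value names are the standard SCHANNEL ones.

```powershell
# Added example (not from the original post): reads the SCHANNEL protocol keys for
# TLS 1.0, 1.1 and 1.2 in both the Client and Server roles and reports their state.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]]$Roles     = @('Client', 'Server')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in $Protocols) {
        foreach ($role in $Roles) {
            $path = Join-Path (Join-Path $base $proto) $role
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $path) {
                $props = Get-ItemProperty -Path $path
                $enabled           = $props.Enabled            # DWORD, $null when not set
                $disabledByDefault = $props.DisabledByDefault  # DWORD, $null when not set
            }
            # Interpretation: Enabled=0 or DisabledByDefault=1 turns the protocol off for
            # that role. When neither value is present the OS default applies (TLS 1.2 is
            # on by default on Windows Server 2012 and later).
            $state = 'Enabled'
            if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'OS default' }
            if ($enabled -eq 0 -or $disabledByDefault -eq 1)          { $state = 'Disabled' }
            [pscustomobject]@{ Protocol = $proto; Role = $role; Enabled = $enabled
                               DisabledByDefault = $disabledByDefault; State = $state }
        }
    }
}

# Usage: list the state of every protocol/role pair on this host.
Get-SchannelProtocolState | Format-Table -AutoSize
```

Run it on the IQService host and on the domain controller (the Server role matters there). These keys govern Schannel, which IQService and other Windows-native clients use; the Java side of IdentityIQ negotiates TLS with the JVM's own settings, so a correct Schannel configuration does not by itself prove the Tomcat-to-DC path is using TLS 1.2.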


Thanks @Akhil for sharing!

Thanks @MuhammadMustafa
