In the latest release of IQService, released on 1 July 2025, it has become mandatory for all partners who use SailPoint ISC to provision data into Active Directory to enable TLS, so that AD Connector Rules are triggered as expected. This article gives the high-level steps for enabling TLS on an IQService machine using a self-signed certificate.
Diagnosis
The machine hosting IQService did not have a trusted CA available, so we had to use a self-signed certificate instead of a CA-signed one.
Solution
The high-level steps are as follows.
Open the IQService Windows machine.
Open a command prompt (run as Administrator, since the IQService configuration is changed).
Navigate to the folder where IQService is installed.
Check whether a TLS port is already enabled:
IQService.exe -v
Enable the TLS port (5052 is used here):
IQService.exe -o 5052
Confirm that the TLS port is now displayed:
IQService.exe -v
The version details of IQService now include the TLS-enabled port number as well.
Test from a VA whether the IQService TLS port is reachable, using nc -zv -w 5 <IQService_Host> <TLS_Port> (replace the placeholders with the IQService host and the TLS port).
Generate the self-signed certificate for your IQService server if it is on a local domain without a trusted CA.
<#
.SYNOPSIS
Generates self-signed TLS Certificate for IQService VMs FQDN.
.DESCRIPTION
Generates a self-signed IQService TLS certificate for the machine FQDN
- $validityPeriod 2 Years
- Exportable 2048 RSA SHA256
Imports to Personal & Trusted Root Certificates
Exports TLS certificate without Private Key
.INPUTS
None. You can't pipe objects to provision_TLS_IQService_FQDN.ps1.
.OUTPUTS
provision_TLS_IQService_FQDN.ps1 exports generated TLS without Private Key.
.EXAMPLE
PS> .\provision_TLS_IQService_FQDN.ps1
#>
######
# Set certificate validity period (years)
$validityPeriod = 2
######
# FQDN of the IQService machine. Replace the placeholder; this must be the same name
# that is later passed to IQService.exe -m and configured as IQServiceHost in ISC.
$hostname = "<HOSTNAME>"
# Generate a self-signed certificate in the LocalMachine Personal store (cert:\LocalMachine\My)
$cert = New-SelfSignedCertificate -DnsName $hostname -Subject "CN=$hostname" -CertStoreLocation "cert:\LocalMachine\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears($validityPeriod)
# Copy the certificate to the LocalMachine Trusted Root Certification Authorities store,
# so that the self-signed certificate is trusted on this machine
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Export the public certificate (DER .cer, no private key) for distribution to the VAs
$certPath = ".\$hostname.cer"
Export-Certificate -Cert $cert -FilePath $certPath -Type CERT
Write-Host "Certificate generated and exported to $certPath"
Confirm that the certificate is present in both the Trusted Root Certification Authorities store and the Personal store of the IQService machine. Make sure the certificates are imported under LocalMachine, not under the current user.
Execute the following command on the IQService machine, using the FQDN for which the certificate was issued:
IQService.exe -m <FQDN_of_the_HOST>
Enable TLS 1.2 for IQService:
IQService.exe -j TLS1.2
Restart the IQService server:
IQService.exe -t
Copy the new .cer file into the /home/sailpoint/certificates folder on every Virtual Appliance in the VA cluster.
Restart the CCG service on each VA:
sudo systemctl stop ccg
sudo systemctl start ccg
Validate that the certificate was picked up by checking ccg-start.log in the /home/sailpoint/log/ folder.
Change the IQService configuration in SailPoint ISC:
a. Enable TLS
b. Provide the TLS port
c. Change IQServiceHost from the IP address to the actual hostname/FQDN (the certificate was issued to the FQDN, so connecting by IP address fails hostname verification)
d. Save the configuration
Test the connection from SailPoint ISC; it should report SUCCESS.
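As an added example (editor's code, not from the original article or from SailPoint), the following PowerShell script verifies the result of the steps above from the IQService machine itself: it checks that the TLS port is reachable, completes a TLS 1.2 handshake, and reports whether the presented certificate carries the FQDN in its SAN, chains to the LocalMachine Trusted Root store, and matches the exported .cer that is copied to the VAs. Port 5052, the IQService.exe flags and the .cer file name follow the article; the function name Test-IQServiceTls and the default FQDN lookup are assumptions.

```powershell
# Added example (editor's verification script; not part of the original article or of SailPoint's tooling).
# Assumes IQService TLS is listening on <FQDN>:5052 (the port used in the article) and that the
# self-signed certificate was created by the article's script, i.e. CN = DnsName = machine FQDN,
# and exported to .\<FQDN>.cer.
param(
    [string]$IqHost  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$TlsPort    = 5052,
    [string]$CerPath = ".\$IqHost.cer"
)

function Test-IQServiceTls {
    param([string]$HostName, [int]$Port, [string]$ExpectedCerPath)

    $r = [ordered]@{
        PortOpen = $false; Protocol = $null; Thumbprint = $null; DaysToExpiry = $null
        SanMatchesHost = $false; TrustedRoot = $false; ChainStatus = ''; MatchesExportedCer = $false
        Error = $null
    }

    # Same check as the nc -zv test from the VA, but run on the Windows side.
    $r.PortOpen = Test-NetConnection -ComputerName $HostName -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $r.PortOpen) {
        $r.Error = "Port $Port not reachable: TLS port not enabled (IQService.exe -o) or blocked by a firewall"
        return [pscustomobject]$r
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever the server presents during the handshake; trust is evaluated separately below
        # so the report explains why a strict client such as the VA's ccg would reject the certificate.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName, $null,
                   [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $r.Protocol = $ssl.SslProtocol
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Thumbprint   = $remote.Thumbprint
        $r.DaysToExpiry = [int]($remote.NotAfter - (Get-Date)).TotalDays

        # Hostname check: the SAN (OID 2.5.29.17) must contain the name clients connect to.
        # This is why IQServiceHost in ISC must be the FQDN and not the IP address.
        $san = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $dnsNames = ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
            $r.SanMatchesHost = $dnsNames -contains $HostName
        }

        # Trust check: a self-signed certificate only chains when the same certificate is present
        # in the Trusted Root store, which is why the article's script copies it into LocalMachine\Root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $r.TrustedRoot = $chain.Build($remote)
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # Consistency check: the .cer copied to /home/sailpoint/certificates on the VAs must be the
        # certificate the service actually presents; regenerating it without re-copying breaks this.
        if (Test-Path $ExpectedCerPath) {
            $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ExpectedCerPath)
            $r.MatchesExportedCer = ($exported.Thumbprint -eq $remote.Thumbprint)
        }
        $ssl.Dispose()
    } catch {
        # A reset or handshake failure here usually means TLS is not enabled on this port
        # or the protocol does not match what was set with IQService.exe -j.
        $r.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    return [pscustomobject]$r
}

Test-IQServiceTls -HostName $IqHost -Port $TlsPort -ExpectedCerPath $CerPath | Format-List
```

Run it on the IQService machine after the restart; every boolean should be True and ChainStatus should be NoError before the .cer is copied to the VAs. A False SanMatchesHost with a working handshake is the symptom of connecting by IP, and a False TrustedRoot means the certificate was imported into the user store rather than LocalMachine.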
Thanks! Yes, but sometimes we have seen that customers don't have a Trusted CA in place, especially for lower environments (in case they have a custom domain which doesn't have a CA). For PROD, we have a Trusted CA. In those cases, the only way to do it is using a Self Signed Certificate, which was also recommended to us by SailPoint. Also, with the latest release of IQ Service in July 2025, they have made TLS enablement mandatory for triggering the AD Connector Rule Scripts. Hence, in case the lower environments on which your IQ Service is hosted do not have a Trusted CA in place, then Self Signed Certificate usage is the only option, or else a trusted CA has to be there.
Hi Rohit, I also have a requirement where there is no CA in the lower environment for AD, so there is little option but to use a self-signed certificate to configure TLS for the IQService. Your documentation for the AD connector does not suggest the use of self-signed certificates; if the new requirement is to use TLS as mandatory, surely the document should be updated to reflect this.
Additionally, the documentation suggests using pem files as opposed to cer files per your post. Your post does not even suggest converting the cer file to a pem file and adding both the private key and certificate into the pem file to be placed in the home/sailpoint/certificates location.
The self-signed certificate generated on the IQService server has been placed in both the Trusted Root folder and Personal folder of the IQ Service machine (also one of the DCs, not ideal but that's what it is). However, using this approach I get the dreaded connection reset error even though in the ccg-start log the certificate has been imported fine. Certificates across all 3 nodes of my cluster have been imported successfully, as I can see in the ccg-start.log file.
Yes, the documentation has to be updated for sure by SailPoint. Note that we ran into this situation too; we thought that, as Self Signed Certificates are not explicitly mentioned in the official documentation, we should connect with our CSM, who provided us some detailed insight, and using that we implemented the above steps which I have documented in this article.
You can use the .cer, .crt or .pem file format for your Self Signed Certificates as long as it satisfies all the requirements for how the certificate should be as per the SailPoint documentation. Note that if you are creating the Self Signed Certificate, then you can use the PowerShell script provided in this article, where you can just replace your hostname and that's it. If you can, try using the PowerShell script provided by me to generate your self-signed certificates.
Hi Rohit, I used your script to create the self-signed cert and placed it on our VA nodes (restarted ccg), but I am still getting the timeout error. Here are some of the entries from the IQServiceTrace log.
We can use port 5050 and that is what the IQService service is listening on.
Running the command openssl s_client -connect :5050 from the VA shows it can establish a connection with the IQService, though further down the output returns this error: Verification error: self-signed certificate
AND
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1755591547
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: yes
AND
4027A2C9D17F0000:error:0A000126:SSL routines::unexpected eof while reading:../openssl-3.2.3/ssl/record/rec_layer_s3.c:689: