Actions required when upgrading

This section describes changes in Airlock Gateway 8.0 that may require manual actions. Please read this section carefully to see whether your configuration is affected. Because 8.0 is a major release, several features that have been deprecated for a while are now removed.

Full installation required

Airlock Gateway has been running on CentOS 7 so far. Release 8.0 is based on AlmaLinux 9. Therefore, a full installation is required. Import of configurations from versions Airlock Gateway 7.4 and newer is supported.

Step-by-step instructions for upgrading a cluster are found here: Airlock Gateway failover cluster upgrade with full system installation

AlmaLinux 9 is compatible with RHEL 9. Hardware enablement information for RHEL 9 is found here: Hardware Support for RHEL 9

Legacy deny rules removed

Legacy deny rules have been removed. Deny rule groups on level legacy will be converted to level standard. For each affected mapping, a log message with log_id SY-ALEC-CONV-0001 is written.

IP patterns removed

IP address patterns have been deprecated for several releases and are removed. Central IP address lists have replaced IP patterns.

Use the following alternatives instead:

  • IP patterns in DOS Attack Prevention on mapping and Session Denial-of-Service Mitigation on session page: use IP address lists instead.
  • IP patterns in Allow Rules: use IP Whitelists on tab IP Rules on mapping instead.
  • IP patterns in Custom Deny Rules: use IP Blacklists on tab IP Rules on mapping instead.

Docker host support removed

It is no longer possible to use Airlock Gateway as a docker host. Customers currently using this feature to deploy Airlock IAM on Airlock Gateway need to consider standard deployment options.

RAID integration

Software RAID and integration of hardware RAID in Airlock tools for status monitoring or event generation are removed. If hardware RAID is to be used, it must be monitored using native system tools, e.g., ILO.

Missing OpenSSL 3.0 support of Luna HSM

Until the code freeze of the release, Thales could not provide a library that is compatible with OpenSSL 3.0. Therefore, Luna HSM devices are currently not supported with Airlock Gateway 8.0. Thales confirmed that they are currently working on a new version of the library, so it seems likely that a compatible library will be available in time for Airlock Gateway 8.1.

SSL 3.0 and old ciphers removed

So far, SSL 3.0 could still be enabled using Apache Expert Settings. This is no longer possible.

OpenSSL was updated to version 3.0. Hence, some old ciphers for encrypting private keys are no longer supported:

  • PBE-SHA1-RC2-128, PBE-MD2-DES, PBE-MD5-DES
  • SHA1-RC4-128
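A pre-upgrade check for this, added here as an example that is not part of the release notes: the script below reads a PKCS#8 PEM private key, decodes the EncryptedPrivateKeyInfo header and reports whether the key is encrypted with one of the legacy PBE schemes listed above. The OID-to-name mapping is ours (the listed names are OpenSSL's PKCS#8 v1 algorithm names), and the sample key is a constructed fixture, not a real key.

```python
import base64
import re
# PKCS#8 password-based-encryption OIDs mapped to OpenSSL's algorithm names (mapping is ours):
# the four "legacy" entries are the ciphers the note lists; PBES2 is what OpenSSL 3.0 still accepts.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.5": ("PBE-SHA1-RC2-128", "legacy"),
    "1.2.840.113549.1.5.1": ("PBE-MD2-DES", "legacy"),
    "1.2.840.113549.1.5.3": ("PBE-MD5-DES", "legacy"),
    "1.2.840.113549.1.12.1.1": ("SHA1-RC4-128", "legacy"),
    "1.2.840.113549.1.5.13": ("PBES2", "ok"),
}

def _tlv(data, pos=0):
    """Read one DER tag-length-value starting at pos; return (tag, value)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length]

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_pkcs8_key(pem):
    """Return (oid, name, verdict); verdict is 'legacy', 'ok' or 'check'."""
    m = re.search(r"-----BEGIN (ENCRYPTED )?PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#8 PEM private key")
    if not m.group(1):
        return None, "unencrypted", "ok"
    der = base64.b64decode("".join(m.group(2).split()))
    _, epki = _tlv(der)       # EncryptedPrivateKeyInfo ::= SEQUENCE
    _, alg = _tlv(epki)       # encryptionAlgorithm ::= AlgorithmIdentifier
    tag, oid_raw = _tlv(alg)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = _decode_oid(oid_raw)
    return (oid, *PBE_OIDS.get(oid, ("unknown", "check")))

def make_pem(der):
    """Wrap DER bytes as an encrypted PKCS#8 PEM (used for constructed fixtures)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n-----END ENCRYPTED PRIVATE KEY-----\n"
# Constructed fixture, not a real key: PBE-SHA1-RC2-128 algorithm, four dummy ciphertext bytes.
SAMPLE_PEM = make_pem(bytes.fromhex("3016300e060a2a864886f70d010c010505000404deadbeef"))
```

Keys reported as legacy can be re-encrypted with PBES2 before the upgrade using the standard OpenSSL tooling on the old system, e.g. `openssl pkcs8 -topk8 -v2 aes-256-cbc -in old.pem -out new.pem` (a general OpenSSL command, not a step from the release notes).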

Installation from USB Stick with UEFI

Installation from a USB stick only works with boot-type BIOS, not UEFI.

SecurityGateway *-prefix in SG expert settings

The prefix SecurityGateway * for SG expert settings has been deprecated in previous releases and is not supported anymore. Please remove the prefix.

LDAP/RADIUS authentication for Configuration Center

External authentication via LDAP or RADIUS to access the Configuration Center requires updated templates for Airlock Gateway 8.0 and later. The required templates, as well as the required configuration information, are available in the Techzone article Airlock Gateway Configuration Center authentication.

Kibana saved objects

Kibana searches, visualizations, and dashboards will be updated. Modifications to Airlock dashboards will be overwritten and custom objects will be removed. In case you have created custom Kibana objects, make sure to export them prior to the update and import them again after the update (Reporting >> Management >> Saved Objects).

Deny rule updates

Default Deny rules have been improved and extended. Critical applications should be tested in a pre-production environment. The changes are summarized below.

  • New rules
    • Security levels of DOR_014A changed from Strict to Standard, Strict.
  • Deleted / changed rules
    • DOR_013A deleted.
    • Security levels of SAN_050B changed from Standard, Strict to Strict.
  • Security improvements
    • Various filter evasion fixes in SQL, XSS, UNIX, Sanity, Insecure Direct Object Reference and Automated Scanning rules. Affected rules:
      • AS_001A, AS_005A, AS_015A, AS_050B
      • DOR_002A, DOR_005A, DOR_014A, DOR_015A
      • HPE_005A
      • SAN_050B
      • SQL_001A, SQL_001B, SQL_005A, SQL_005B, SQL_025A, SQL_025B, SQL_030A, SQL_030B, SQL_040A, SQL_040B, SQL_045A, SQL_045B, SQL_050A, SQL_050B, SQL_055A, SQL_055B, SQL_060A, SQL_060B, SQL_065A, SQL_065B
      • UNIX_005A, UNIX_005B, UNIX_006A, UNIX_006B, UNIX_010A, UNIX_010B
      • XSS_030A, XSS_030B, XSS_035A, XSS_055A, XSS_055B
  • False-positive reduction
    • DOR_012C no longer blocks the wp-admin directory.
    • UNIX_005A no longer blocks unknown top-level UNIX directory names.
    • SAN_025E no longer blocks header names consisting only of a single character.
    • SQL_050 no longer considers unlimited table/column names with special characters.
  • Various
    • The short names of all deny rules have changed to uppercase letters. E.g. deny rule SQL_001a has changed to SQL_001A.