Airlock Gateway Configuration Center access via IAM

Access to the Airlock Gateway Configuration Center requires proper authentication for security reasons. With Airlock Gateway 7.7 the authentication options have been extended so that Airlock IAM can be configured as the access management and identity provider for the Airlock Gateway Configuration Center, offering the latest Airlock IAM authentication methods.

When using Airlock IAM for access management, the local Airlock Gateway users can be removed to improve security. However, for fallback and emergency situations, e.g. when the IAM is unavailable, a local user with the role airlock-admin could be required. See also Emergency access and troubleshooting.

The Airlock IAM and Airlock Gateway instances should be time-synchronized, e.g. using NTP.

About the configuration examples

In the examples, we use the following example hostnames:

  • gw.example.com – the management access hostname for the Airlock Gateway Configuration Center.
  • iam.example.com – the Airlock IAM in charge of access and identity management for the Airlock Gateway Configuration Center.

JWT format

Airlock Gateway Configuration Center accepts encrypted and signed JWT types for authentication.

  • Supported signatures:
    • A256CBC_HS512
    • HS512
  • The JWT can be delivered in a cookie or as a URL parameter and requires the following claims:
    • subject – the username may only contain the characters A-Z, a-z, the digits 0-9 and the special characters '@', '.', '-' and '_'
    • roles – an array of one or more roles, e.g. airlock-supervisor
    • exp – the expiration time in seconds for the JWT

Choose a low expiration time value, e.g. 10 s: long enough to cover typical latencies but short enough to effectively prevent token misuse.
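As an added example (not Airlock's own code), the following Python builds an HS512-signed JWT carrying the subject, roles and exp claims described above, and checks it the way a consumer would: signature, expiry, the subject character set and a non-empty roles array, with the recommended 10 s lifetime. The shared secret and the two helper functions are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import re

# Assumed shared secret; IAM and Gateway would share the real key out of band.
SECRET = b"example-shared-secret-not-for-production"
# Character set the Configuration Center accepts for the subject claim.
SUBJECT_RE = re.compile(r"^[A-Za-z0-9@.\-_]+$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, roles: list, now: int, ttl: int = 10) -> str:
    """Build an HS512 JWT; exp is an absolute Unix time in seconds (RFC 7519)."""
    header = {"alg": "HS512", "typ": "JWT"}
    payload = {"subject": subject, "roles": roles, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int) -> dict:
    """Return the claims if signature, expiry, subject and roles are acceptable; raise otherwise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS512":
        raise ValueError("unexpected alg")  # only the configured algorithm is accepted
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")  # verify before trusting any claim
    claims = json.loads(_b64url_decode(p))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not isinstance(claims.get("subject"), str) or not SUBJECT_RE.match(claims["subject"]):
        raise ValueError("invalid subject")
    roles = claims.get("roles")
    if not isinstance(roles, list) or not roles or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles must be a non-empty array")
    return claims
```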