Configure Airlock IAM access management using URL parameters (recommended)

This configuration example refers to the Airlock IAM JSP-Loginapp.

  1. Configure a new Target Application using Identity Propagator in Airlock IAM.
     [Screenshot 5: target app configuration]
  2. Recommended: To avoid log spam due to roles that are not used in Airlock Gateway, add the role processing shown in the screenshot.
     [Screenshot: Roles processing]
  3. Configure an SSO Ticket Identity Propagator.
     [Screenshot 6: SSO identity propagator]
  4. Configure a Mapping Ticket Service.
     [Screenshot 7: mapping ticket service]
  5. Configure the JWT Ticket Encoder.
    • Set HS_512 as algorithm for Signer in JWT Ticket HMAC Settings.
    • Set A256CBC_HS512 as algorithm for Encrypter in JWT Ticket Direct AES Encryption Settings.
    • Set Claims Stored As Array to roles.
    [Screenshot 8: JWT ticket encoder]

    For both Signer and Encrypter, the content of /opt/airlock/custom-settings/mgt-auth/jwt-secret of the corresponding Airlock Gateway must be used as the passphrase.

    If multiple Gateways are to be connected via this IAM, the file must be identical on all Gateways. The jwt-secret file can be copied from one Gateway to all other Gateways.

  6. Configure two new Allowed Forward Location Patterns in Loginapp >> Security Settings:
    • https://iam\.example\.com:8443/auth-login/check-login\?Location=https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check
    • https://gw\.example\.com/airlock/alec_security_check
  7. Airlock IAM is now prepared to act as the identity provider for the Gateway Configuration Center.
  8. On Airlock Gateway, as user root, adapt the Gateway hostname, IAM hostname, and IAM instance in the Airlock Gateway properties file /opt/airlock/custom-settings/mgt-tomcat/java-options.properties:

    IAM_HOST=iam.example.com:8443
    IAM_INSTANCE=auth
    GATEWAY_HOST=gw.example.com

    JAVA_OPTS="${JAVA_OPTS} -Dmgt.auth.logout.url=https://${IAM_HOST}/${IAM_INSTANCE}-login/logout?Location=https%3A%2F%2F${IAM_HOST}%2F${IAM_INSTANCE}-login%2Fcheck-login%3FLocation%3Dhttps%253A%252F%252F${GATEWAY_HOST}%252Fairlock%252Falec_security_check -Dmgt.auth.assertion.transport=parameter"

  9. Restart the Airlock Gateway Configuration Center:

    systemctl restart airlock-mgt-tomcat

  10. Access to the Configuration Center is now managed by Airlock IAM, with the JWT passed as a URL parameter.
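As an added consistency check (example code written for this page, not part of the Airlock documentation or product): the logout URL in java-options.properties carries the check-login URL percent-encoded once and the Gateway URL percent-encoded twice, so each redirect hop must be covered by one of the Allowed Forward Location Patterns configured in the Loginapp Security Settings. The script expands the ${...} variables the way a shell would, decodes the Location chain hop by hop and matches every hop against the two patterns; that IAM matches the whole URL, and the variable expansion itself, are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowed Forward Location Patterns from this page (Java regexes; valid Python regexes too)
ALLOWED_FORWARD_PATTERNS = [
    r"https://iam\.example\.com:8443/auth-login/check-login\?Location="
    r"https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check",
    r"https://gw\.example\.com/airlock/alec_security_check",
]

# mgt.auth.logout.url exactly as written in java-options.properties on this page
LOGOUT_URL_TEMPLATE = (
    "https://${IAM_HOST}/${IAM_INSTANCE}-login/logout?Location="
    "https%3A%2F%2F${IAM_HOST}%2F${IAM_INSTANCE}-login%2Fcheck-login%3FLocation%3D"
    "https%253A%252F%252F${GATEWAY_HOST}%252Fairlock%252Falec_security_check"
)

def render_logout_url(iam_host, iam_instance, gateway_host):
    """Expand the ${...} variables as a shell does when the properties file is sourced (assumption)."""
    return (LOGOUT_URL_TEMPLATE.replace("${IAM_HOST}", iam_host)
            .replace("${IAM_INSTANCE}", iam_instance)
            .replace("${GATEWAY_HOST}", gateway_host))

def location_chain(url):
    """Return the Location values along the redirect chain, each decoded one
    level, i.e. as the server receiving that hop sees it."""
    hops = []
    while True:
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if "Location" not in params:
            return hops
        url = params["Location"][0]  # parse_qs strips exactly one layer of percent-encoding
        hops.append(url)

def check_forward_locations(iam_host, iam_instance, gateway_host,
                            patterns=ALLOWED_FORWARD_PATTERNS):
    """Return (ok, hops): ok is True only if every hop is fully matched by an
    allowed pattern (whole-URL matching is an assumption about IAM's check)."""
    hops = location_chain(render_logout_url(iam_host, iam_instance, gateway_host))
    ok = all(any(re.fullmatch(p, hop) for p in patterns) for hop in hops)
    return ok, hops

if __name__ == "__main__":
    ok, hops = check_forward_locations("iam.example.com:8443", "auth", "gw.example.com")
    print("all hops allowed:", ok, hops)
```

Change a hostname in the properties file without updating the patterns and the check reports the hop that would be refused.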