This configuration example refers to the Airlock IAM JSP-Loginapp.
- Configure a new Target Application using Identity Propagator in Airlock IAM:
  - Recommended: To avoid log spam due to roles that are not used in Airlock Gateway, add the role processing according to the screenshot.
- Configure an SSO Ticket Identity Propagator:
- Configure a Mapping Ticket Service:
- Configure the JWT Ticket Encoder:
  - Set HS_512 as algorithm for Signer in JWT Ticket HMAC Settings.
  - Set A256CBC_HS512 as algorithm for Encrypter in JWT Ticket Direct AES Encryption Settings.
  - Set Claims Stored As Array to roles.
- Configure two new Allowed Forward Location Patterns in Loginapp >> Security Settings:
  - `https://iam\.example\.com:8443/auth-login/check-login\?Location=https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check`
  - `https://gw\.example\.com/airlock/alec_security_check`
- Airlock IAM is now prepared to act as the identity provider for the Gateway Configuration Center.
- On Airlock Gateway, as user root, adapt the Gateway hostname, IAM hostname, and IAM instance in the Airlock Gateway properties file `/opt/airlock/custom-settings/mgt-tomcat/java-options.properties`.
- Restart the Airlock Gateway Configuration Center:
- Access to the Configuration Center, using a JWT passed as a parameter, is now managed by Airlock IAM.
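The two Allowed Forward Location Patterns above are written as regular expressions (note the escaped dots and question mark). The following added example, which is not part of the Airlock documentation or product code, checks candidate forward locations against those exact patterns and, for contrast, against a constructed weak variant with the dot escapes dropped. It assumes the patterns are applied as full-string regex matches; that assumption about Airlock IAM's matching semantics is not confirmed by the page.

```python
import re

# The two patterns exactly as listed on the page.
ALLOWED_FORWARD_LOCATION_PATTERNS = [
    r"https://iam\.example\.com:8443/auth-login/check-login\?Location="
    r"https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check",
    r"https://gw\.example\.com/airlock/alec_security_check",
]


def _compile(patterns):
    return [re.compile(p) for p in patterns]


# Strict: the configured patterns, with every literal dot escaped.
STRICT = _compile(ALLOWED_FORWARD_LOCATION_PATTERNS)

# Constructed weak variant for comparison only: the same patterns with the
# backslash-escapes on dots removed, so "." matches any single character.
LOOSE = _compile([p.replace(r"\.", ".") for p in ALLOWED_FORWARD_LOCATION_PATTERNS])


def forward_location_allowed(location: str, compiled=STRICT) -> bool:
    """True only if the whole location string matches one configured pattern.

    fullmatch (assumed to mirror the allowlist semantics) rejects any
    prefix, suffix or path continuation that is not part of the pattern.
    """
    return any(rx.fullmatch(location) for rx in compiled)


if __name__ == "__main__":
    for loc in (
        "https://gw.example.com/airlock/alec_security_check",
        "https://gw.example.com/airlock/alec_security_check/extra",
        "https://gwXexample.com/airlock/alec_security_check",  # lookalike host
    ):
        print(f"{loc}: strict={forward_location_allowed(loc)} "
              f"loose={forward_location_allowed(loc, LOOSE)}")
```

The third sample location differs from the allowed host only in the character between `gw` and `example`; the strict patterns reject it while the loose variant accepts it, which is why the dots in the configured patterns must stay escaped.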
For both Signer and Encrypter, the content of `/opt/airlock/custom-settings/mgt-auth/jwt-secret` of the corresponding Airlock Gateway must be used as the passphrase. If multiple Gateways are to be connected via this IAM, the file must be identical on all Gateways. The jwt-secret file can be copied from one Gateway to all other Gateways.
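To show why the jwt-secret content has to be identical on every connected Gateway, here is an added example (not Airlock's own code) that signs a token with HS512, the Signer algorithm configured above, carrying the roles as a JSON array claim as "Claims Stored As Array = roles" produces, and then verifies it against the secrets of two simulated Gateways. The secrets, user name and roles are constructed for the example; the real passphrase is the content of the jwt-secret file. Only the inner signed JWS is shown: the A256CBC_HS512 encryption layer configured for the Encrypter needs AES, which the Python standard library does not provide.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sample secrets standing in for the content of
# /opt/airlock/custom-settings/mgt-auth/jwt-secret on two Gateways.
# Only gw.example.com holds the passphrase IAM was configured with.
GATEWAY_SECRETS = {
    "gw.example.com": b"constructed-shared-passphrase-for-this-example",
    "gw2.example.com": b"constructed-passphrase-that-was-never-copied-over",
}

IAM_PASSPHRASE = GATEWAY_SECRETS["gw.example.com"]


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs512(claims: dict, secret: bytes) -> str:
    """Build a compact JWS signed with HMAC-SHA512 (alg HS512)."""
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url(sig)


def verify_hs512(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS512 signature verifies with this secret, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS512":
        return None  # only the configured algorithm is acceptable
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def build_gateway_token(user: str, roles: List[str]) -> str:
    """Token as the propagator would issue it: roles stored as an array claim."""
    return sign_hs512({"sub": user, "roles": roles}, IAM_PASSPHRASE)


def roles_accepted_by(gateway: str, token: str) -> Optional[List[str]]:
    """Simulate a Gateway validating the token with its own jwt-secret."""
    claims = verify_hs512(token, GATEWAY_SECRETS[gateway])
    return None if claims is None else claims["roles"]


if __name__ == "__main__":
    tok = build_gateway_token("alice", ["admin", "auditor"])
    for gw in GATEWAY_SECRETS:
        print(f"{gw}: roles accepted = {roles_accepted_by(gw, tok)}")
```

The Gateway whose jwt-secret matches the IAM passphrase accepts the token and sees the roles array; the Gateway with a divergent file rejects every token IAM issues, which is the failure you will see when the file was not copied to all Gateways.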