This configuration example refers to the Airlock IAM JSP-Loginapp.
Using local admin users for emergency login is not possible with this type of configuration. Direct access to the Airlock Gateway Configuration Center with local admin users requires URL parameter configuration.
- Configure a new Target Application using Identity Propagator in Airlock IAM:
  - Recommended: To avoid log spam due to roles that are not used in Airlock Gateway, add the role processing according to the screenshot.
- Configure a Cookie Ticket Identity Propagator:
- Configure a Mapping Ticket Service:
- Configure the JWT ticket encoder:
  - Set HS_512 as Signer algorithm.
  - Set A256CBC_HS512 as Encrypter algorithm.
  - Set Claims Stored As Array to roles.
- Configure two new Allowed Forward Location Patterns in Loginapp >> Security Settings:
  - https://iam\.example\.com:8443/auth-login/check-login\?Location=https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check
  - https://gw\.example\.com/airlock/alec_security_check
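The two patterns above are regular expressions, which is why every dot in the hostnames is escaped: an unescaped `.` would match any character and widen the allowlist. The following is an added example (not Airlock's own matching code) that evaluates the page's two patterns as full-match regular expressions against candidate forward locations. It assumes, as a labelled simplification, that the whole URL must match a pattern; the rejected URLs are constructed here to show what the allowlist keeps out.

```python
import re

# The two Allowed Forward Location Patterns from the configuration above,
# copied verbatim. They are treated as regular expressions here.
ALLOWED_FORWARD_LOCATION_PATTERNS = [
    r"https://iam\.example\.com:8443/auth-login/check-login\?Location="
    r"https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check",
    r"https://gw\.example\.com/airlock/alec_security_check",
]

_COMPILED = [re.compile(p) for p in ALLOWED_FORWARD_LOCATION_PATTERNS]


def is_allowed_forward_location(url: str) -> bool:
    """Return True only if the complete URL matches one allowed pattern.

    Assumption (example code, not Airlock's implementation): the pattern
    must cover the whole URL, so nothing may be prepended or appended.
    """
    return any(p.fullmatch(url) for p in _COMPILED)


def unescaped_dot_widens_allowlist(url: str) -> bool:
    """Show the effect of forgetting to escape the dots in a pattern.

    The second pattern is re-written with plain dots; a host where a dot
    is replaced by any other character then matches as well.
    """
    sloppy = re.compile(r"https://gw.example.com/airlock/alec_security_check")
    return sloppy.fullmatch(url) is not None


def evaluate_candidates():
    """Evaluate a constructed set of forward locations and return the verdicts."""
    # Constructed sample inputs for the demonstration.
    candidates = {
        "exact_gateway": "https://gw.example.com/airlock/alec_security_check",
        "exact_iam_hop": (
            "https://iam.example.com:8443/auth-login/check-login?Location="
            "https%3A%2F%2Fgw.example.com%2Fairlock%2Falec_security_check"
        ),
        # Lookalike host: the real host is only a prefix of this one.
        "lookalike_host": "https://gw.example.com.attacker.example/airlock/alec_security_check",
        # Dot replaced by a dash; caught only because the dots are escaped.
        "dash_host": "https://gw-example.com/airlock/alec_security_check",
        # Extra query string appended to an otherwise valid location.
        "extra_query": "https://gw.example.com/airlock/alec_security_check?next=x",
    }
    return {name: is_allowed_forward_location(url) for name, url in candidates.items()}


if __name__ == "__main__":
    for name, ok in evaluate_candidates().items():
        print(f"{name:15} {'allowed' if ok else 'rejected'}")
```

Only the two exact locations are accepted; the host lookalike, the dash variant and the appended query are all rejected. `unescaped_dot_widens_allowlist` accepts the dash variant, which is the mistake the escaped dots in the configured patterns prevent.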
- Airlock IAM is now prepared to act as the identity provider for the Airlock Gateway Configuration Center.
- On Airlock Gateway, adapt the Gateway hostname, IAM hostname, and IAM instance in the Airlock Gateway properties file below as user root:
  /opt/airlock/custom-settings/mgt-tomcat/java-options.properties
- Restart the Airlock Gateway Configuration Center:
- Access to the Configuration Center using JWT in a cookie is now managed by Airlock IAM.
For both Signer and Encrypter, the content of /opt/airlock/custom-settings/mgt-auth/jwt-secret of the corresponding Airlock Gateway must be used as the passphrase. If multiple Gateways are to be connected via this IAM, the file must be identical on all Gateways. The jwt-secret file can be copied from one Gateway to all other Gateways.
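The reason the jwt-secret file must be identical everywhere is that HS_512 is a symmetric algorithm: the Gateway can only verify a ticket if it holds the very same passphrase the IAM used to sign it. The following added example (not Airlock's own code) signs and verifies an HS512 JWT with a `roles` array claim using a secret read from a file, then shows that a Gateway whose jwt-secret differs rejects the ticket. The A256CBC_HS512 encryption layer is omitted because the standard library has no AES; the file names, claims and secrets are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import shutil
import tempfile
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_jwt_secret(path: str) -> bytes:
    """Read the passphrase from a jwt-secret style file (trailing newline stripped;
    how Airlock itself reads the file is an assumption here)."""
    with open(path, "rb") as fh:
        return fh.read().strip()


def sign_hs512(claims: dict, secret: bytes) -> str:
    """Produce a compact JWS with alg HS512 (HMAC-SHA512 over header.payload)."""
    header = _b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs512(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is validly signed with `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token choose (blocks "none"/alg swaps).
    if header.get("alg") != "HS512":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    # "Claims Stored As Array: roles" -> the roles claim must be a list.
    if not isinstance(claims.get("roles"), list):
        return None
    return claims


def demo_shared_secret():
    """Simulate an IAM and three Gateways; return each Gateway's verdict.

    Gateway A's jwt-secret is used by the IAM; B received a copy of A's file;
    C generated its own secret and therefore cannot verify the ticket.
    """
    workdir = tempfile.mkdtemp()
    try:
        paths = {gw: os.path.join(workdir, gw, "jwt-secret") for gw in ("A", "B", "C")}
        for p in paths.values():
            os.makedirs(os.path.dirname(p))
        with open(paths["A"], "w") as fh:
            fh.write(secrets.token_hex(32) + "\n")   # constructed secret
        shutil.copy(paths["A"], paths["B"])            # the copy step from the text
        with open(paths["C"], "w") as fh:
            fh.write(secrets.token_hex(32) + "\n")   # a different, local secret

        iam_secret = load_jwt_secret(paths["A"])
        ticket = sign_hs512(
            {"sub": "admin", "roles": ["airlock-admin"], "exp": int(time.time()) + 300},
            iam_secret,
        )
        return {gw: verify_hs512(ticket, load_jwt_secret(p)) is not None for gw, p in paths.items()}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo_shared_secret())   # Gateway A and B accept, C rejects
```

`verify_hs512` also pins the algorithm to HS512 and checks that `roles` is an array, mirroring the Signer and Claims Stored As Array settings chosen above; a Gateway with a different jwt-secret fails the HMAC comparison and gets no claims at all.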