Configure IAM access management using cookies (alternative)

This configuration example refers to the Airlock IAM JSP-Loginapp.

Emergency login with local admin users is not possible with this type of configuration. Direct access to the Airlock Gateway Configuration Center with local admin users requires the URL parameter based configuration instead.

  1. Configure a new Target Application using Identity Propagator in Airlock IAM.
    [Screenshot: target app configuration]
    Recommended: to avoid log spam caused by roles that are not used in Airlock Gateway, add the role processing shown in the screenshot.
    [Screenshot: roles processing]
  2. Configure a Cookie Ticket Identity Propagator.
    [Screenshot: cookie ticket]
  3. Configure a Mapping Ticket Service.
    [Screenshot: validity time settings]
  4. Configure the JWT ticket encoder.
    • Set HS_512 as Signer algorithm.
    • Set A256CBC_HS512 as Encrypter algorithm.
    • Set Claims Stored As Array to roles.
    [Screenshot: JWT ticket encoder]

    For both Signer and Encrypter, the content of /opt/airlock/custom-settings/mgt-auth/jwt-secret of the corresponding Airlock Gateway must be used as the passphrase. Both algorithms are symmetric (passphrase based), so whoever can read this file can both forge and decrypt Configuration Center tickets; treat it as a shared secret and restrict access to it accordingly.

    If multiple Gateways are to be connected via this IAM, the file must be identical on all Gateways. The jwt-secret file can be copied from one Gateway to all other Gateways.

  5. Configure two new Allowed Forward Location Patterns in Loginapp >> Security Settings. The patterns are regular expressions (note the escaped dots and question mark). The first one must match the check-login URL that the Gateway passes, percent-encoded once, as Location parameter of the logout URL configured in step 7; the second one must match the Gateway's alec_security_check URL. If you use other hostnames, another port or another IAM instance name, adapt both patterns to the values used in step 7.
    • https://iam\.example\.com:8443/auth-login/check-login\?Location=https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check
    • https://gw\.example\.com/airlock/alec_security_check
  6. Airlock IAM is now prepared to act as the identity provider for the Airlock Gateway Configuration Center.
  7. On Airlock Gateway, as user root, set the Gateway hostname, the IAM hostname and the IAM instance in the properties file /opt/airlock/custom-settings/mgt-tomcat/java-options.properties. The logout URL nests the IAM check-login URL, which in turn nests the Gateway's alec_security_check URL, which is why the innermost URL is percent-encoded twice:
    IAM_HOST=iam.example.com:8443
    IAM_INSTANCE=auth
    GATEWAY_HOST=gw.example.com

    JAVA_OPTS="${JAVA_OPTS} -Dmgt.auth.logout.url=https://${IAM_HOST}/${IAM_INSTANCE}-login/logout?Location=https%3A%2F%2F${IAM_HOST}%2F${IAM_INSTANCE}-login%2Fcheck-login%3FLocation%3Dhttps%253A%252F%252F${GATEWAY_HOST}%252Fairlock%252Falec_security_check -Dmgt.auth.assertion.transport=cookie"
  8. Restart the Airlock Gateway Configuration Center:
    systemctl restart airlock-mgt-tomcat
  9. Access to the Configuration Center using a JWT in a cookie is now managed by Airlock IAM.
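The logout URL in java-options.properties and the two Allowed Forward Location Patterns in the Loginapp describe the same redirect chain from two sides: the Location parameter of the logout URL, decoded once, must match the first pattern, and the Location parameter inside that check-login URL, decoded once more, must match the second. A hostname or instance name that is changed on the Gateway but not in the IAM patterns (or the other way round) breaks the login or logout flow only at runtime. The following POSIX shell script is an added example and not part of the Airlock documentation or product: it builds the logout URL from the same three variables the properties file uses, peels off the two nested Location values, and checks them against the two patterns from this page. The placeholder hostnames, the whole-line regex match and the minimal percent-decoder (it only handles the escapes that occur in these URLs) are assumptions of this example, not Airlock behaviour.

```shell
#!/bin/sh
# Added example, not Airlock's own tooling: checks that the Gateway's logout URL
# and the Loginapp's Allowed Forward Location Patterns agree with each other.
# Hostnames and instance name are the placeholders used on this page (assumed).

IAM_HOST=iam.example.com:8443
IAM_INSTANCE=auth
GATEWAY_HOST=gw.example.com

# The two Allowed Forward Location Patterns (regular expressions) from the
# Loginapp security settings, as given on this page.
PATTERN_CHECK_LOGIN='https://iam\.example\.com:8443/auth-login/check-login\?Location=https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check'
PATTERN_SECURITY_CHECK='https://gw\.example\.com/airlock/alec_security_check'

# Build mgt.auth.logout.url exactly as the java-options.properties template
# does: the check-login URL is percent-encoded once because it is the Location
# parameter of the logout URL, and the Gateway's alec_security_check URL is
# encoded twice because it is the Location parameter of the check-login URL.
logout_url() {
    printf '%s\n' "https://${IAM_HOST}/${IAM_INSTANCE}-login/logout?Location=https%3A%2F%2F${IAM_HOST}%2F${IAM_INSTANCE}-login%2Fcheck-login%3FLocation%3Dhttps%253A%252F%252F${GATEWAY_HOST}%252Fairlock%252Falec_security_check"
}

# Value of the outermost Location query parameter: everything after the first
# literal "?Location=" or "&Location=". A nested, still-encoded
# "%3FLocation%3D" does not match and is left in place.
location_param() {
    printf '%s\n' "$1" | sed 's/^.*[?&]Location=//'
}

# Remove exactly one level of percent-encoding. Only the escapes that occur in
# these URLs are handled (: / ? = %). %25 must be decoded last so that the
# double-encoded "%253A" becomes "%3A" (still encoded once) and not ":".
percent_decode_once() {
    printf '%s\n' "$1" | sed -e 's/%3A/:/g' -e 's#%2F#/#g' -e 's/%3F/?/g' -e 's/%3D/=/g' -e 's/%25/%/g'
}

# Whole-line extended-regex match. That the real check in Airlock IAM anchors
# the pattern to the whole URL is an assumption of this example.
matches_pattern() {
    printf '%s\n' "$1" | grep -Eqx "$2"
}

# Returns 0 when both nested Location values match their pattern, 1 otherwise.
check_forward_locations() {
    url=$(logout_url)
    check_login=$(percent_decode_once "$(location_param "$url")")
    security_check=$(percent_decode_once "$(location_param "$check_login")")
    matches_pattern "$check_login" "$PATTERN_CHECK_LOGIN" || return 1
    matches_pattern "$security_check" "$PATTERN_SECURITY_CHECK" || return 1
}

if check_forward_locations; then
    echo "OK: logout URL and Allowed Forward Location Patterns are consistent"
else
    echo "MISMATCH: adjust IAM_HOST/IAM_INSTANCE/GATEWAY_HOST or the patterns" >&2
fi
```

Run it once with the values you intend to put into java-options.properties and the patterns you intend to configure in the Loginapp; changing any of the three variables without touching the patterns (for example GATEWAY_HOST=other.example.com) makes the check report a mismatch, which is the situation the page's step 5 warns about.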