URL parameters configuration (recommended)

Configuring IAM access management using URL parameters

Info

This configuration example refers to the Airlock IAM JSP-Loginapp.

  1. Configure a new Target Application using Identity Propagator in Airlock IAM.
  2. Recommended: To avoid log spam due to roles that are not used in Airlock Gateway, add the role processing according to the screenshot.
  3. Configure an SSO Ticket Identity Propagator.
  4. Configure a Mapping Ticket Service.
  5. Configure the JWT Ticket Encoder:
    • Set HS_512 as algorithm for Signer in JWT Ticket HMAC Settings.
    • Set A256CBC_HS512 as algorithm for Encrypter in JWT Ticket Direct AES Encryption Settings.
    • Set Claims Stored As Array to roles.

    Notice

    For both Signer and Encrypter, the content of /opt/airlock/custom-settings/mgt-auth/jwt-secret of the corresponding Airlock Gateway must be used as the passphrase.

    If multiple Gateways are to be connected via this IAM, the file must be identical on all Gateways. The jwt-secret file can be copied from one Gateway to all other Gateways.

  6. Configure two new Allowed Forward Location Patterns in Loginapp >> Security Settings:
    • https://iam\.example\.com:8443/auth-login/check-login\?Location=https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check
    • https://gw\.example\.com/airlock/alec_security_check
  7. Airlock IAM is now prepared to act as the identity provider for the Gateway Configuration Center.
  8. On Airlock Gateway, adapt the Gateway hostname, IAM hostname, and IAM instance in the Airlock Gateway properties file below as user root:
    /opt/airlock/custom-settings/mgt-tomcat/java-options.properties

    Example
    IAM_HOST=iam.example.com:8443
    IAM_INSTANCE=auth
    GATEWAY_HOST=gw.example.com

    JAVA_OPTS="${JAVA_OPTS} -Dmgt.auth.logout.url=https://${IAM_HOST}/${IAM_INSTANCE}-login/logout?Location=https%3A%2F%2F${IAM_HOST}%2F${IAM_INSTANCE}-login%2Fcheck-login%3FLocation%3Dhttps%253A%252F%252F${GATEWAY_HOST}%252Fairlock%252Falec_security_check -Dmgt.auth.assertion.transport=parameter"
  9. Restart the Airlock Gateway Configuration Center:

    Terminal box
    systemctl restart airlock-mgt-tomcat
  10. Access to the Configuration Center is now managed by Airlock IAM, with the JWT transported as a URL parameter.
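The JWT Ticket Encoder settings above (HS_512 signer, roles stored as an array) and the Notice about the shared jwt-secret passphrase can be illustrated with a small stand-alone script. This is an added example and not Airlock code: it reproduces only the HS512 signing step and the array-valued roles claim, and it shows why a Gateway whose jwt-secret differs from the one configured in IAM rejects every ticket. The A256CBC_HS512 direct encryption that Airlock applies on top, and the way Airlock derives keys from the passphrase, are not reproduced here. The two secrets, the subject name, and the role names are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed stand-ins for the content of
# /opt/airlock/custom-settings/mgt-auth/jwt-secret on two Gateways.
# Gateway A holds the passphrase configured in IAM; Gateway B was never synchronised.
GATEWAY_A_SECRET = b"constructed-passphrase-copied-from-gateway-a"
GATEWAY_B_SECRET = b"constructed-passphrase-that-was-never-synchronised"


def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding the compact form strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs512(claims: dict, passphrase: bytes) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA512)."""
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(passphrase, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url(mac)


def verify_hs512(token: str, passphrase: bytes) -> Optional[dict]:
    """Return the claims when the HS512 signature verifies under passphrase, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
        if header.get("alg") != "HS512":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(passphrase, f"{h}.{p}".encode("ascii"), hashlib.sha512).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:  # bad base64 or bad JSON
        return None


def roles_from_claims(claims: dict) -> List[str]:
    """'Claims Stored As Array' = roles: accept only a JSON array of strings."""
    roles = claims.get("roles")
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles claim must be a JSON array of strings")
    return roles


def roles_claim_is_array(claims: dict) -> bool:
    """Boolean form of roles_from_claims for quick checks."""
    try:
        roles_from_claims(claims)
        return True
    except ValueError:
        return False


def demo():
    """Issue one ticket with IAM's passphrase and present it to both Gateways."""
    claims = {"sub": "alice", "roles": ["gateway-admin", "gateway-operator"]}
    token = sign_hs512(claims, GATEWAY_A_SECRET)
    accepted_by_a = verify_hs512(token, GATEWAY_A_SECRET)  # identical jwt-secret: claims returned
    accepted_by_b = verify_hs512(token, GATEWAY_B_SECRET)  # different jwt-secret: None
    return token, accepted_by_a, accepted_by_b


if __name__ == "__main__":
    token, a, b = demo()
    print("Gateway A:", "accepted, roles =" + str(roles_from_claims(a)) if a else "rejected")
    print("Gateway B:", "accepted" if b else "rejected (jwt-secret not identical)")
```

The rejection on Gateway B is exactly the failure mode the Notice warns about: because the signer and encrypter keys are both derived from the same passphrase, a Gateway with a different jwt-secret cannot validate anything IAM issues, and the only fix is to copy the file so it is byte-for-byte identical on every Gateway.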
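The logout URL in the java-options.properties example nests two Location parameters, each percent-encoded one level deeper than the one around it, and the two Allowed Forward Location Patterns in the Loginapp Security Settings must match the URLs that appear after each decoding step. The script below, an added example and not part of the page or of Airlock, unwraps the chain and checks each hop against the patterns. It assumes the Loginapp treats the patterns as regular expressions that must match the whole forward location (the page lists the patterns but not the matching semantics); the hostnames and instance name are the page's example values.

```python
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# Hostnames and instance name from the page's example properties.
IAM_HOST = "iam.example.com:8443"
IAM_INSTANCE = "auth"
GATEWAY_HOST = "gw.example.com"

# mgt.auth.logout.url as the java-options.properties template expands it:
# the check-login URL is encoded once, the Gateway URL inside it twice.
LOGOUT_URL = (
    f"https://{IAM_HOST}/{IAM_INSTANCE}-login/logout?Location="
    f"https%3A%2F%2F{IAM_HOST}%2F{IAM_INSTANCE}-login%2Fcheck-login%3FLocation%3D"
    f"https%253A%252F%252F{GATEWAY_HOST}%252Fairlock%252Falec_security_check"
)

# The two Allowed Forward Location Patterns from the Loginapp Security Settings.
ALLOWED_FORWARD_LOCATION_PATTERNS = [
    r"https://iam\.example\.com:8443/auth-login/check-login\?Location=https%3A%2F%2Fgw\.example\.com%2Fairlock%2Falec_security_check",
    r"https://gw\.example\.com/airlock/alec_security_check",
]


def location_param(url: str) -> str:
    """Return the Location query parameter of url, percent-decoded exactly once."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("Location", [])
    if len(values) != 1:
        raise ValueError("expected exactly one Location parameter in " + url)
    return values[0]


def forward_chain(logout_url: str) -> List[str]:
    """Unwrap the nesting: logout URL -> check-login URL -> Gateway URL."""
    check_login_url = location_param(logout_url)
    gateway_url = location_param(check_login_url)
    return [check_login_url, gateway_url]


def is_allowed_forward_location(url: str) -> bool:
    """Allow-list check (assumed semantics): the whole URL must match one pattern."""
    return any(re.fullmatch(pattern, url) for pattern in ALLOWED_FORWARD_LOCATION_PATTERNS)


def chain_is_allowed(logout_url: str) -> bool:
    """True when every redirect target produced by the logout URL is on the allow-list."""
    return all(is_allowed_forward_location(hop) for hop in forward_chain(logout_url))


if __name__ == "__main__":
    for hop in forward_chain(LOGOUT_URL):
        print(("allowed  " if is_allowed_forward_location(hop) else "BLOCKED  ") + hop)
```

Because the match is against the literal string, the patterns and the properties file have to agree character for character: if the Gateway hostname or the IAM instance name changes in java-options.properties, both patterns must be updated too, otherwise the Loginapp blocks the redirect and the Configuration Center login never completes.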