Emergency access and troubleshooting

Emergency access to the Airlock Gateway Configuration Center

When access management and identity propagation have been configured, direct access to the local Authentication Center login page remains available for local Airlock Gateway users. This can be useful in fallback or emergency scenarios — e.g., if Airlock IAM is temporarily unavailable.

  1. In a browser, open the /auth/login URL of Airlock Gateway, e.g., https://gw.example.com/auth/login.
    • The login page of the Airlock Gateway Configuration Center appears.
  2. Use a local user (e.g., with the airlock-administrator role) to log in.
  3. Access to the Airlock Gateway Configuration Center is granted.
 
Functional limitation

After a failed login attempt or after you click Logout in the Airlock Gateway Configuration Center, the browser is redirected to the Airlock IAM login page. To log in again, open /auth/login and sign in.

Set the SameSite policy of the JSESSIONID cookie to Lax

If the Airlock Gateway Configuration Center and the Airlock IAM Loginapp use different domains, protocols, or ports, the SameSite policy of the Configuration Center cookie JSESSIONID must be relaxed from Strict to Lax.

  1. Log in to the Airlock Gateway SSH console as user root.
  2. Open the file /opt/airlock/mgt-apache/conf/httpd.conf.in in a text editor.
  3. Change the line
    Header edit Set-Cookie "^(JSESSIONID=.*)$" "$1; SameSite=Strict{*}
    to:
    Header edit Set-Cookie "^(JSESSIONID=.*)$" "$1; SameSite=Lax{*}
  4. In the Airlock Gateway Configuration Center, perform an activation.
    • This updates the generated Apache configuration but does not yet restart Apache.
  5. Restart the Apache daemon:
    systemctl restart airlock-mgt-apache
  6. The JSESSIONID cookie is now sent with SameSite=Lax, which allows the Airlock IAM Loginapp to access the Airlock Gateway Configuration Center even if they use different domains, protocols, or ports.
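
One way to confirm the cookie policy after the restart, as an added example that is not part of the Airlock documentation: the shell function below reads raw HTTP response headers and reports the SameSite value on the JSESSIONID cookie. The function name and sample headers are constructed for illustration, and the commented curl call assumes the response to /auth/login sets the cookie.

```shell
#!/bin/sh
# Added example (not vendor code): report the SameSite policy carried by the
# JSESSIONID cookie, given raw HTTP response headers on stdin.
# Prints the attribute value as sent (e.g. Strict or Lax), "unset" when the
# cookie has no SameSite attribute, or "absent" when no JSESSIONID is set.
jsessionid_samesite() {
    tr -d '\r' | awk '
        BEGIN { result = "absent" }
        {
            line = $0
            # Header names are case-insensitive; the cookie name is not.
            if (tolower(line) !~ /^set-cookie:/) next
            sub(/^[^:]*:[ \t]*/, "", line)
            if (line !~ /^JSESSIONID=/) next
            result = "unset"
            n = split(line, attrs, ";")
            for (i = 2; i <= n; i++) {
                a = attrs[i]
                gsub(/^[ \t]+|[ \t]+$/, "", a)
                # Keep the last SameSite attribute: a Header edit rule appends
                # its value after anything the application already set.
                if (tolower(a) ~ /^samesite=/) { sub(/^[^=]*=/, "", a); result = a }
            }
        }
        END { print result }
    '
}

# Constructed sample responses (not captured from a real gateway).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly; SameSite=Strict
Content-Type: text/html'

SAMPLE_AFTER='HTTP/1.1 200 OK
set-cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html'

SAMPLE_OTHER='HTTP/1.1 200 OK
Set-Cookie: LANG=en; Path=/; SameSite=Lax'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | jsessionid_samesite)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | jsessionid_samesite)"

# Against a live system (assumes the response to this URL sets the cookie):
#   curl -s -o /dev/null -D - https://gw.example.com/auth/login | jsessionid_samesite
```

A result of Strict after the restart means the activation or the Apache restart did not take effect; "unset" means the Header edit rule did not match the cookie.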

Address ‘Sorry for the inconvenience’ error

If Airlock Gateway displays the Sorry for the inconvenience error during login, one or more of the following causes may apply:

  • Airlock Gateway administrative roles are missing in the identity provisioning process.
  • The HMAC and/or the encryption key in Airlock IAM does not match the JWT secret in Airlock Gateway.
  • Only one role is propagated, but Claims Stored As Array for roles is not configured in the JWT Ticket Encoder.