Advanced Gateway configuration
8.3.1.5. Advanced configuration of Airlock Gateway for Airlock IAM

Expert Settings for enabling HTTP Keep-Alive for SSL Connections to Airlock IAM

If the connection to the back-end is SSL protected, the following settings have to be applied in order to use HTTP-Keep-Alive. This will avoid connection timeouts caused by Tomcat performance issues.

HTTP-Keep-Alive can be enabled for specific back-end groups. The following setting has to be added to the Expert SettingsTab (Security Gate) of the Back-end Group – not in the global expert settings:

copy
BackendForceNewConnections   "FALSE"

Client certificate authentication with Airlock Gateway

If using pure client certificate authentication with Airlock Gateway, in addition to the steps of the sections above, do the following:

  • 1.
    On the Airlock IAM mapping, set the value SSL Client Certificate to Optional.
  • SSL Client Certificate
  • 2.
    In the Airlock Gateway virtual host definition(s) to which the mapping is connected, store the list of allowed certificate authorities (CAs). It defines who is trusted to issue client certificates.

If using form-based authentication mixed with client certificate authentication on the same virtual host, do the following:

  • 1.
    Setup the Airlock IAM mapping as described here for form-based authentication (example entry path /auth).
  • 2.
    For client certificate authentication, create a separate mapping, and therefore a separate entry-path, with the settings as described just above in this section (example entry path /clientcert).
  • 3.
    Define the following path redirects on the virtual host in Airlock Gateway:
    /auth/check-client-cert >> /clientcert/check-client-cert /clientcert/login >> /auth/login

Favorite icon path rewrite for Internet Explorer

Some older versions of Microsoft's Internet Explorer will always request /favicon.ico to get the favorite icon of a web page regardless of the path and name of the favorite icon in the HTML header.

It may therefore be necessary to introduce a special path redirect on the Airlock Gateway virtual host in order to map the URL /favicon.ico to the actual URL of the favorite icon in the Loginapp.

Example "path redirect" definition:

Path Redirects