Front-Side Kerberos configuration
17.4.1.10. Front-Side Kerberos configuration in the JSP-Loginapp (redirect flow)

The following chapter describes how the Airlock Gateway (WAF) and Airlock IAM configuration must be adapted in order to use Front-side Kerberos with the Redirect authentication flow.

17.4.1.10.1. Airlock Gateway (WAF) configuration
17.4.1.10.1.1. Create a back-end group for IAM
  1. Sign in to the Airlock Gateway (WAF) Configuration Center as an admin.
  2. To add a new Back-end Group, go to Application Firewall > Reverse Proxy and click the + sign at the top of the Back-end Group column.
  3. Enter a Back-end Group Name, select the correct protocol, and enter the Hostname and Port.
17.4.1.10.1.2. Create a mapping for IAM
  1. To add a new Mapping, go to Application Firewall > Reverse Proxy, click the + sign at the top of the Mapping column and then choose New from template.
  2. On the Mapping template screen, select the Airlock IAM Mapping template.
  3. Switch to the Response Actions tab and disable the (default) action Remove Negotiate Header; SPNEGO relies on the Negotiate header reaching the client.
  4. Switch to the Allow Rules tab and enable the rule Kerberos Functionality.
  5. Connect the new Airlock IAM Mapping to the Virtual Host that the web application Mapping is connected to.
  6. Connect the new Airlock IAM Mapping to the IAM Back-end Group.
17.4.1.10.1.3. Customize the application mapping
  1. Go to Application Firewall > Reverse Proxy and edit the Mapping of the web application for which Front-side Kerberos should be used.
  2. Configure the Denied access URL to point to the correct Airlock IAM instance. For the IAM instance named auth, the URL is /auth/check-spnego.
  3. Select Redirect in the Authentication flow drop-down list.
  4. Under Restricted to roles, specify the credential (role) that Airlock IAM sets after a successful authentication.
17.4.1.10.1.4. Configure the maximal allowed HTTP request header size
  1. Go to Expert Settings > Security Gate / Apache.
  2. Enable the Apache Expert Settings and add the following directive:

     # Increase the maximal allowed HTTP request header size
     LimitRequestFieldSize 16384

     • Ensure that the Airlock Gateway (WAF) value configured in this step is identical to or smaller than the one configured in Airlock IAM. How to achieve this is described in HTTP Request Header Size.
     • For further information about problems caused by a wrongly configured HTTP request header size limit, see HTTP Request Header Size.
17.4.1.10.1.5. Activate Airlock Gateway (WAF) configuration

After going through the previous steps, activate the new configuration.

  1. Click the Activate button in the Airlock Gateway (WAF) Configuration Center.
17.4.1.10.2. Airlock IAM configuration

The following chapter describes what must be configured in Airlock IAM in order to use the Redirect authentication flow.

17.4.1.10.2.1. Create krb5.conf file

Step 6 – Create krb5.conf file in Airlock IAM

Create a /etc/krb5.conf file and configure it with the correct values for the Windows domain.

/etc/krb5.conf

[libdefaults]
default_realm = AIRLOCK.COM

[realms]
AIRLOCK.COM = {
kdc = dc.airlock.com
default_domain = AIRLOCK.COM
}

[domain_realm]
.airlock.com = AIRLOCK.COM
  • The uppercase values describe the Kerberos realm, while the lowercase values are DNS names. Configure the settings with the same upper-/lowercase as illustrated above, and use the same realm name (AIRLOCK.COM above) for default_realm, the [realms] block and the [domain_realm] mapping.
  • To activate the new settings from the /etc/krb5.conf file, Airlock IAM must be restarted.
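Added example (not part of the Airlock documentation): a small Python check for the consistency rules the notes above describe, run against a constructed copy of the krb5.conf shown in this section. It parses the file into sections and verifies that default_realm has a matching [realms] block, that every [domain_realm] mapping points at a defined realm, and that realm names are uppercase while DNS domains are lowercase.

```python
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = AIRLOCK.COM
[realms]
AIRLOCK.COM = {
kdc = dc.airlock.com
default_domain = AIRLOCK.COM
}
[domain_realm]
.airlock.com = AIRLOCK.COM
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above; "NAME = { ... }" becomes a nested dict."""
    sections, section, block = {}, None, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                       # new section header, e.g. [realms]
            section = sections.setdefault(m.group(1), {})
            block = None
        elif line == "}":           # end of a realm block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":        # start of a realm block
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return sections

def check_krb5_conf(text):
    """Return a list of problems; an empty list means the file is consistent."""
    cfg = parse_krb5_conf(text)
    problems, realms = [], cfg.get("realms", {})
    default_realm = cfg.get("libdefaults", {}).get("default_realm")
    if default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for realm in realms:            # realm names are uppercase by convention
        if realm != realm.upper():
            problems.append(f"realm {realm} must be uppercase")
    for domain, realm in cfg.get("domain_realm", {}).items():
        if domain != domain.lower():   # DNS names are lowercase
            problems.append(f"domain {domain} must be lowercase")
        if realm not in realms:
            problems.append(f"{domain} maps to undefined realm {realm}")
    return problems
```

Running check_krb5_conf over the real /etc/krb5.conf after editing it, and before restarting Airlock IAM, catches a realm-name mismatch that would otherwise only surface as a failed KDC lookup at login time.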
17.4.1.10.2.2. Copy the keytab file

Step 7 – Copy the keytab file

Copy the keytab file created earlier on the Active Directory Domain Controller into the IAM instance directory (e.g. /home/airlock/iam/instances/auth/).

17.4.1.10.2.3. Create a SPNEGO Config
  1. Sign in to the Airlock IAM Admin App as an admin.
  2. Open the Config Editor.
  3. Go to Loginapp >> Front-side Kerberos.
  4. Create a new SPNEGO Config.
  5. As the Authenticator, it is recommended to configure a Lookup and Accept Authenticator, which checks whether the user is locked and can load context data and roles.
  6. Configure the Keytab File that was copied into the instance directory previously (e.g. instances/auth/airlock.com.keytab).
  7. Configure the Service Principal (e.g. HTTP/a.airlock.com).

If multiple Service Principals (SPNs) have to be supported, either create one SPNEGO Config per SPN (using contexts, with a context extractor to select the correct context) or specify "*" as the SPN to accept all SPNs contained in the keytab.
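Added example (not Airlock's code): before choosing between one SPNEGO Config per SPN and the "*" wildcard, it helps to know which principals the keytab actually holds. The Python below parses the MIT keytab format (the same data klist -k prints) and checks whether a configured Service Principal is backed by the keytab; the keytab bytes are constructed in memory with dummy keys so the example runs without a domain controller, and the principal names (HTTP/a.airlock.com and a second host) are assumed values based on this section.

```python
import struct

def _counted(data):
    """Counted octet string as used in MIT keytabs: uint16 length + bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab(principals, realm="AIRLOCK.COM"):
    """Construct a minimal keytab (format 0x0502) with one dummy AES256 key per SPN."""
    out = b"\x05\x02"
    for kvno, spn in enumerate(principals, start=1):
        components = spn.split("/")
        entry = struct.pack(">H", len(components)) + _counted(realm.encode())
        entry += b"".join(_counted(c.encode()) for c in components)
        entry += struct.pack(">IIB", 1, 0, kvno)          # name_type, timestamp, vno8
        entry += struct.pack(">HH", 18, 32) + bytes(32)   # enctype 18 (aes256), dummy key
        out += struct.pack(">i", len(entry)) + entry
    return out

def keytab_principals(blob):
    """Return [(principal@REALM, kvno, enctype)] like "klist -k" would list them."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, result = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        parts = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", blob, pos)
            parts.append(blob[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _, _, vno8 = struct.unpack_from(">IIB", blob, pos)
        (enctype,) = struct.unpack_from(">H", blob, pos + 9)
        result.append(("/".join(parts[1:]) + "@" + parts[0], vno8, enctype))
        pos = end                     # skip key bytes and the optional 32-bit kvno
    return result

def spn_is_served(blob, configured_spn):
    """True if the SPNEGO Config's Service Principal ("*" = any) is backed by the keytab."""
    names = {p.split("@")[0] for p, _, _ in keytab_principals(blob)}
    return configured_spn == "*" or configured_spn in names
```

Reading the real file with open(path, "rb").read() in place of build_keytab shows which SPNs "*" would accept and whether a per-SPN config names a principal that is missing from the keytab.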

17.4.1.10.2.4. Configure Kerberos as the login page
  1. Go to Loginapp > Authentication Settings.
  2. Change the Login Page Type to Kerberos.

Only with the Login Page Type Kerberos does Airlock IAM send the correct response to the client if it accesses the login application directly. If other Login Page Types are needed, create IAM contexts and configure a context extractor to select the correct context.

17.4.1.10.2.5. Activate Airlock IAM configuration

After going through the previous steps, activate the new configuration.

  1. Click the Activate button in the Airlock IAM Config Editor.