Health checks for Loginapp
8.3.1.4. Configure health checks for Loginapp

Airlock Gateway should be configured to check the Loginapp health state. Once configured, the Gateway will not forward requests to the IAM Loginapp while the Loginapp is in a non-healthy state.

Health checks can be configured in different ways:

  • Example 1 - This configuration requires a sandboxed Loginapp process via profiles. It is the preferred configuration, following our security best practice.
  • Example 2 - This configuration checks the health of Loginapp only. It can be used if other IAM modules run in the same process but should be excluded from the health check.

Procedure-related prerequisites

    • You need to be logged in as admin in the Airlock Gateway Configuration Center.
    • You need CLI access to Airlock IAM to change application parameters and properties.
    • You need to restart Airlock IAM to make the changes take effect.

IAM preparation

  • 1.
    In the IAM config file:
    Configure instance.properties to allow Gateway access to the IAM endpoint.

    instance.properties
     iam.health.address = .*

    Containers
     IAM_HEALTH_ADDRESS=.*

    You can use a more specific access filter attribute, e.g. 10\.10\.\d+\.\d+, to restrict the allowed IP range of health checks to the Airlock Gateway IP range only.

  • IAM now allows health requests from remote hosts. You can either finish the configuration by following example 2 or proceed with the next step to prepare IAM for example 1 with sandboxing.
  • 2.
    For a sandboxing setup (example 1):
    Create an external profile for Loginapp in instances/auth/profiles/external.properties.

    # The external profile only launches Loginapp and the service container applications
    iam.modules = loginapp

  • The IAM module Loginapp has been sandboxed.
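
A way to sanity-check an access filter like the one in step 1 before restarting IAM (added example, not part of the Airlock documentation): it lists the non-Gateway addresses a pattern would admit and the Gateway addresses it would refuse. The Gateway range 10.10.0.0/16, the sample addresses, the function name audit_filter and the assumption that the pattern must match the complete client address are not from the original page.

```python
import ipaddress
import re

# Constructed sample clients that are NOT part of the Gateway range.
OUTSIDERS = ["10.11.0.5", "110.10.1.1", "192.168.1.20", "203.0.113.7"]


def audit_filter(pattern, gateway_cidr, outsiders=OUTSIDERS):
    """Check a candidate iam.health.address pattern against known addresses.

    Assumption: the filter is a regular expression that must match the
    complete client address (re.fullmatch semantics).
    """
    rx = re.compile(pattern)
    gateway_hosts = [str(h) for h in ipaddress.ip_network(gateway_cidr).hosts()]
    return {
        # Non-Gateway clients that would still reach the health endpoint.
        "admitted_outsiders": [a for a in outsiders if rx.fullmatch(a)],
        # Gateway addresses whose health checks would be refused.
        "rejected_gateway": [a for a in gateway_hosts if not rx.fullmatch(a)],
    }


if __name__ == "__main__":
    # Assumed Gateway range 10.10.0.0/16, chosen to fit the pattern on the page.
    for candidate in (r".*", r"10\.10\.\d+\.\d+", r"10\.10\.1\.\d+"):
        result = audit_filter(candidate, "10.10.0.0/16")
        print(f"{candidate!r}: outsiders admitted={result['admitted_outsiders']}, "
              f"gateway hosts rejected={len(result['rejected_gateway'])}")
```

A usable filter leaves both lists empty: an admitted outsider means the health endpoint is reachable from outside the Gateway range, and a rejected Gateway address means its health checks will fail.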

Example 1 – Airlock Gateway configuration

With this configuration example, Airlock Gateway checks the health state of the sandboxed Loginapp module.

  • 1.
    In the section Out-of-band Checks in the Back-end Group detail page of the Gateway:
    Set the URL path for the IAM health check to /health.
  • Out-of-band Checks (Loginapp health check example 1)
  • When the Loginapp is in a non-healthy state, Airlock Gateway will not forward requests to IAM.

Example 2 – Airlock Gateway configuration

With this configuration example, Airlock Gateway checks the health state of the Loginapp only. Other modules running in the same process as the Loginapp will not be checked!

This method should only be used in cases where best security measures are not required or where sandboxing cannot be done.

  • 1.
    In the section Out-of-band Checks in the Back-end Group detail page of the Gateway:
    Set the URL path for the IAM health check to /auth-login/rest/health.
  • Out-of-band Checks (Loginapp health check example 2)
  • When the Loginapp is in a non-healthy state, the Airlock Gateway will not forward requests to IAM.