IAM mapping
IAM mapping configuration for bank API calls

The following changes to the IAM mapping are based on the latest IAM mapping template (download from Airlock Gateway for Airlock IAM configuration).

The latest IAM mapping template already includes settings necessary to allow HTTP signature verification. The list below only describes PSD2-specific settings.

  • 1.
    Create or reuse an IAM mapping on the Airlock Gateway (WAF) (see Airlock Gateway for Airlock IAM configuration) and connect it to bank APIs virtual host.
  • 2.
    Make sure the "one-shot" allow rule is enabled on the mapping (see also HTTP request authentication (Airlock One-Shot flow))
  • 3.
    If JSON parsing in on (it is the default in the IAM mapping template), edit the parameter name pattern in allow rule "One-Shot Functionality" as follows:
  • Instead of ^[[:alpha:]][[:alnum:]._\-]*$

    use the pattern (add # in two places).^[[:alpha:]#][[:alnum:]._\-#]*$

  • 4.
    Add the following HTTP header names to the "IAM header whitelist" (the one from the template on Airlock Gateway for Airlock IAM configuration):|Signature|Date|Digest|X-Request-Id|PSU-.*|TPP-.*|AL_ENV_REQUEST_LINE
  • 5.
    To allow the "Signature" and the "TTP-Signature-Certificate" headers, you need to add the following deny rule exceptions:
  • for Airlock Gateway (WAF) Versions
    with deny rule "Security Level"
    add exception to "Deny Rule"
    using "Header Name Pattern"
    and "Path Pattern"
    all
    Strict (recommended)
    (default HTML_003b) HTML attribute in quoted context in HTTP header value
    ^Signature$
    ^%ENTRYDIR%/log(?:in|out)-oneshot$
    Standard
    (default HTML_004b) Known HTML attribute in quoted context in HTTP header value
    >= 7.1
    Strict
    (default SAN_060b) Header value longer than 300 characters
    ^Signature$
    ^%ENTRYDIR%/log(?:in|out)-oneshot$
    ^TPP-Signature-Certificate$
    ^%ENTRYDIR%/log(?:in|out)-oneshot$