OS, JRE and network
5.5. Operating system, Java runtime, network

Airlock IAM runs on the Java Virtual Machine (JVM). On supported Linux systems, a bundled distribution of the JVM is used automatically. Patches of Airlock IAM will also include security fixes for the bundled JVM.

The security of the OS (operating system) is not managed by Airlock IAM.

The security settings of the OS and the JVM are both crucial for the security of Airlock IAM.

If you do not use the bundled Java distribution, keep the Java distribution up-to-date in order to get the latest security fixes.

Secure the network.

  • Separate the internal from the external network:
    • allow access to the IAM Loginapp / Loginapp REST API only from the back-side of Airlock Gateway (WAF) (never directly from the Internet)
    • allow access to the IAM Adminapp / Adminapp REST API only from the internal trusted network (preferably via an Airlock Gateway (WAF))
  • Limit access to all IAM components to as few network participants as possible
    • If a server has multiple interfaces, use the "address" parameter on web server connectors in order to limit network listening to only the relevant interfaces.

Do not run Airlock IAM as "root" user.

Harden the Operating System.

  • Follow hardening instructions of the corresponding OS documentation
  • Disable all non-necessary services
  • Restrict access to Airlock IAM files (permissions and ownership)
  • Limit access to the Airlock IAM machine to a minimum set of administrators
  • If running IAM on Docker, make the root file system read-only as described in 6.4. IAM as Docker image.