10.2.2.3.3.1.1. Step 1 - Airlock Gateway (WAF) configuration

To make sure that unauthenticated HTTP requests to the Airlock 2FA self-service result in an HTTP redirect to the Loginapp (JSP), and not to the Loginapp REST UI, adapt the Airlock Gateway (WAF) mapping(s) for IAM as follows.

Procedure-related prerequisites

  • Access to the IAM mapping configuration on the affected Airlock Gateway (WAF) is required.
  • One or more functioning IAM mappings exist.

Restrict access to protected self-services

  1. Open the Airlock Gateway (WAF) configuration center and log in.
  2. Open the affected IAM mapping and select the Access tab.
  3. Add the following entry to the list of Access restrictions:

     Property             Value
     HTTP Method          .*
     Path                 ^%ENTRYDIR%/ui/app/protected/.*
     Restricted to Roles  authenticated

     Exchange the role authenticated with whatever role(s) are relevant to your setup. Remember that access to Airlock 2FA self-services is granted with the specified role(s). The required role(s) should imply strong user authentication.

  4. The Authentication flow must be set to Redirect.
  5. Set the Denied access URL to /%ENTRYDIR%/check-login.
     This may require selecting the Custom radio button.

     The resulting configuration should look like:

     [Screenshot: GatewayAccessRestrictionForAirlock2FASelfService]

  6. Activate the configuration.

The Airlock Gateway (WAF) now ensures that unauthenticated requests to the protected self-service part of the IAM are redirected to the Loginapp (JSP).

Verify the configuration

To verify the access restriction configuration, do the following:

  1. Make sure your browser does not have an authenticated session. Terminate any existing session using the logout URL https://iam.ext.virtinc.com/auth/logout.
  2. Open the URL https://iam.ext.virtinc.com/auth/ui/app/protected/tokens/airlock-2fa/devices in the browser.
  3. The browser should now be redirected to the Loginapp (JSP)'s login page.
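
The same verification can be scripted. The following is an added example, not part of the Airlock documentation: it classifies the gateway's first response to a request sent without any session cookie, so that a protected path served without authentication shows up as a distinct result. It assumes that %ENTRYDIR% is auth (as in the URLs above) and that the redirect's Location header points at the Denied access URL; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check how the gateway answers an unauthenticated request
# to the protected self-service path.
# Assumption: %ENTRYDIR% expands to "auth", as in the URLs on this page.
EXPECTED_PATH="/auth/check-login"

# classify_response: reads raw HTTP response headers on stdin and prints
#   redirect-ok     3xx with Location pointing at the Denied access URL
#   redirect-other  3xx, but to a different target
#   not-restricted  2xx: the protected path was served without authentication
#   unexpected      anything else (4xx/5xx, missing status line)
classify_response() {
    tr -d '\r' | awk -v want="$EXPECTED_PATH" '
        NR == 1 { status = $2; next }            # "HTTP/1.1 302 Found" or "HTTP/2 302"
        tolower($1) == "location:" { loc = $2 }  # header names are case-insensitive
        END {
            if (status ~ /^3[0-9][0-9]$/) {
                # Compare paths only: drop scheme and host, then query or fragment.
                path = loc
                sub("^https?://[^/]*", "", path)
                sub("[?#].*$", "", path)
                result = (path == want) ? "redirect-ok" : "redirect-other"
            } else if (status ~ /^2[0-9][0-9]$/) {
                result = "not-restricted"
            } else {
                result = "unexpected"
            }
            print result
        }'
}

# check_live URL: fetch the headers of the first response only. No cookies are
# sent and redirects are not followed, so the request is unauthenticated.
check_live() {
    curl -sS -o /dev/null -D - --max-time 10 "$1" | classify_response
}

# Query a live gateway only when a URL is passed as the first argument, e.g.
#   sh check.sh https://iam.ext.virtinc.com/auth/ui/app/protected/tokens/airlock-2fa/devices
if [ -n "${1:-}" ]; then
    check_live "$1"
fi
```

A result of not-restricted means the access restriction is not active on the mapping; redirect-other means the request was redirected, but not to the configured Denied access URL.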