Airlock Microgateway for Airlock IAM configuration

The IAM Loginapp must be placed behind an Airlock Gateway or Airlock Microgateway. It is configured as a back-end application that is allowed to authenticate sessions.

This applies to both Loginapp (JSP) and the Loginapp REST API.

Each of the Airlock IAM modules (i.e. Loginapp or Adminapp) may be used with a single Airlock Microgateway mapping. However, multiple mappings are required in the following situations:

  • Two or three mappings are required if the Airlock Microgateway's API Enforcement feature is used to protect IAM's Loginapp REST API (enhances security).
  • Two mappings are required if client certificate authentication is mixed with form-based authentication in one virtual host (domain).

Procedure-related prerequisites

  • Airlock Microgateway mappings must be available as separate files for each mapping.

Download the required Microgateway mappings

Airlock Microgateway version | Airlock IAM version | Mapping template
3.0 and newer | 7.7 and newer |

CSRF token protection of Airlock Microgateway:

  • The gateway CSRF token protection is activated on all Loginapp REST mappings.
  • This may require small changes to your single-page application to handle possible CSRF blocks. If this is not possible, the CSRF protection on these mappings can be disabled to return to the previous behavior.

Microgateway DSL

  1. Open the Microgateway DSL in your preferred editor.
  2. Add a mapping name.
  3. Add a mapping_template_file.
  4. Add api_security.openapi.
  5. Add api_security.openapi.spec_file.
  6. The mapping is loaded and validated against the OpenAPI specification provided.

Example

The following code sample shows an excerpt from a Microgateway DSL:

- name: iam-loginapp-rest-public
  mapping_template_file: /config/templates/loginapp-7.7-REST-public.xml
  api_security:
    openapi:
      spec_file: /config/templates/login-rest-openapi.json
  ...
- name: iam-loginapp-rest-protected
  mapping_template_file: /config/templates/loginapp-7.7-REST-protected.xml
  api_security:
    openapi:
      spec_file: /config/templates/login-rest-openapi.json
  ...
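
For deployments that use API Enforcement, a pre-deployment check can confirm that no Loginapp REST mapping in the DSL was left without api_security.openapi.spec_file. The following Ruby script is an added example, not part of the Airlock documentation or tooling; the sample DSL is constructed, and identifying REST mappings by "REST" in the template file name is an assumption based on the excerpt above.

```ruby
require 'yaml'

# Constructed sample DSL, not taken from the product documentation. The
# enclosing "mappings" key is an assumption; the walker does not rely on it.
SAMPLE_DSL = <<~DSL
  mappings:
    - name: iam-loginapp-rest-public
      mapping_template_file: /config/templates/loginapp-7.7-REST-public.xml
      api_security:
        openapi:
          spec_file: /config/templates/login-rest-openapi.json
    - name: iam-loginapp-rest-protected
      mapping_template_file: /config/templates/loginapp-7.7-REST-protected.xml
    - name: iam-loginapp-rest-empty
      mapping_template_file: /config/templates/loginapp-7.7-REST-protected.xml
      api_security:
        openapi: {}
    - name: iam-adminapp
      mapping_template_file: /config/templates/adminapp.xml
DSL

# Collect every hash that carries mapping_template_file, wherever it is nested.
def collect_mappings(node, found = [])
  case node
  when Hash
    found << node if node.key?('mapping_template_file')
    node.each_value { |v| collect_mappings(v, found) }
  when Array
    node.each { |v| collect_mappings(v, found) }
  end
  found
end

# Names of REST mappings that lack api_security.openapi.spec_file.
# Assumption: a REST mapping is recognised by "REST" in its template file name.
def rest_mappings_without_spec(dsl_text)
  rest = collect_mappings(YAML.safe_load(dsl_text)).select do |m|
    m['mapping_template_file'].to_s.include?('REST')
  end
  missing = rest.select do |m|
    # A non-hash value under api_security makes dig raise; count it as missing.
    spec = (m.dig('api_security', 'openapi', 'spec_file') rescue nil)
    spec.to_s.strip.empty?
  end
  missing.map { |m| m['name'] || '(unnamed)' }
end

rest_mappings_without_spec(SAMPLE_DSL).each { |n| puts "REST mapping without OpenAPI spec_file: #{n}" }
```

Run against the real DSL file by passing its contents to rest_mappings_without_spec; an empty result means every REST mapping references a specification file.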