Airlock Gateway reports Status 503 or Status 400 when trying to access Airlock IAM (HTTP Header Size)

Symptoms

When a client tries to access the Airlock IAM Loginapp, Airlock Gateway writes log lines like the following, which carry no information about the back-end response:

Mar 1 08:07:42 airlock Web-Requests: ... 
(https) GET /auth-cert/check-client-cert => https://{airlock-iam-host:8443}/auth/check-client-cert, 
status:503 , ... request size: 365 , back-end response size: <n/a> , audit token:- ,
time statistics (microseconds): ...

At first sight, the line suggests that the error occurred in the gateway itself, because it records no back-end response at all (back-end response size: <n/a>).

When the Operational mode of the corresponding Airlock Gateway mapping is set to Integration, the usage log becomes more verbose and shows the actual back-end error:

Mar  1 08:07:42 airlock Web-Requests: ... m:WR-SG-BACK-502 c:U Communication error 
(52: Server returned nothing (no headers, no data); Empty reply from server)
(errno:0: Error 0) during back-end request ...

In the webserver.log of the IAM instance you may additionally see an ArrayIndexOutOfBoundsException thrown in the class InternalOutputBuffer (Tomcat's buffer for the serialised response headers).
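A small triage script for these symptoms, added here as an example and not part of the Airlock documentation: it flags Web-Requests lines that report an error status (400 or 503) without any back-end response, flags Integration-mode WR-SG-BACK-502 lines reporting an empty reply (curl error 52), and lists the back-ends involved. The sample lines are constructed from the excerpts above; the host name and the healthy status 200 line are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the gateway log excerpts quoted in this article.
# Host name, timestamps and the healthy 200 line are placeholders, not real log data.
SAMPLE_LINES = [
    "Mar  1 08:07:42 airlock Web-Requests: (https) GET /auth-cert/check-client-cert "
    "=> https://iam.example.test:8443/auth/check-client-cert, status:503 , "
    "request size: 365 , back-end response size: <n/a> , audit token:- ,",
    "Mar  1 08:07:42 airlock Web-Requests: m:WR-SG-BACK-502 c:U Communication error "
    "(52: Server returned nothing (no headers, no data); Empty reply from server) "
    "(errno:0: Error 0) during back-end request",
    "Mar  1 08:07:43 airlock Web-Requests: (https) GET /auth/ui/ "
    "=> https://iam.example.test:8443/auth/ui/, status:200 , "
    "request size: 512 , back-end response size: 8411 , audit token:- ,",
]

STATUS_RE = re.compile(r"status:(\d{3})")
BACKEND_RE = re.compile(r"=> (\S+?),")
NO_BACKEND_RESPONSE_RE = re.compile(r"back-end response size:\s*<n/a>")
EMPTY_REPLY_RE = re.compile(r"m:WR-SG-BACK-502\b.*\b(52:|Empty reply from server)")


def classify(line: str) -> Optional[str]:
    """Return a symptom tag for one Web-Requests line, or None if it looks healthy.

    'empty-reply'         - Integration-mode line: curl error 52, back-end closed the
                            connection without sending headers or data
    'no-backend-response' - Production-mode line: gateway error status (400/503) but no
                            back-end response size recorded
    """
    if EMPTY_REPLY_RE.search(line):
        return "empty-reply"
    m = STATUS_RE.search(line)
    if m and m.group(1) in ("400", "503") and NO_BACKEND_RESPONSE_RE.search(line):
        return "no-backend-response"
    return None


def triage(lines: List[str]) -> Dict[str, object]:
    """Count symptom lines per tag and collect the back-end URLs they point at."""
    counts: Dict[str, int] = {}
    backends = set()
    for line in lines:
        tag = classify(line)
        if tag is None:
            continue
        counts[tag] = counts.get(tag, 0) + 1
        m = BACKEND_RE.search(line)
        if m:
            backends.add(m.group(1))
    return {"counts": counts, "backends": sorted(backends)}


if __name__ == "__main__":
    import sys
    # Pass a Web-Requests log file as the first argument; without one, the constructed sample is used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    report = triage(lines)
    for tag, n in report["counts"].items():
        print(f"{tag}: {n} line(s)")
    for url in report["backends"]:
        print(f"affected back-end: {url}")
```

If both tags show up for the same back-end, the gateway is only relaying a closed connection; continue with the Possible cause section below rather than tuning the gateway side.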

Possible cause

IAM's web container (Apache Tomcat) closes the connection without sending anything back to the client, i.e. to Airlock Gateway, if the configured maximum HTTP header size is exceeded.

This may happen if Airlock IAM sets very large cookies or HTTP headers. By default, IAM's Apache Tomcat allows at most 8192 bytes (8 KiB) for the whole HTTP response header block.

This limit can easily be exceeded when using the following identity propagator plugins:

  • Saml11Propagator
  • SamlAssertionCookiePropagator

It can also be exceeded with other identity propagators when a very large amount of information has to be transported (e.g. hundreds of roles).

Solution

Increase the maximum header size in the instance configuration (e.g. instances/auth/instance.properties) using the property iam.web-server.header.bytes.max. The value is in bytes and must cover the entire response head (status line plus all headers, including every Set-Cookie).

Example (instance.properties):

...
## Maximum size of HTTP headers in bytes.
iam.web-server.header.bytes.max = 32768
...

The IAM instance needs to be restarted for the change to take effect - see for example Starting and stopping Airlock IAM (system service integration).
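To choose a sensible value for iam.web-server.header.bytes.max and to verify the fix after the restart, the following script measures the serialised response head of an IAM response and lists the largest headers. It is an added example, not Airlock code; the sample dump, the cookie name SamlAssertion and the host name are constructed placeholders. Note that while the default limit is still in place, an oversized response never reaches the client, so a header dump can only be taken after raising the limit, or for responses that still fit.

```python
import re
from typing import Dict, List, Tuple

TOMCAT_DEFAULT_MAX_HEADER_BYTES = 8192  # Tomcat's default maxHttpHeaderSize

# Constructed sample: an IAM redirect that sets a large identity-propagation cookie.
# The cookie name and the 9000-character value are placeholders standing in for a SAML assertion.
SAMPLE_DUMP = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.test/app/\r\n"
    "Set-Cookie: SamlAssertion=" + "A" * 9000 + "; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/auth; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_header_dump(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response head (as written by `curl -D file`) into the status line and header pairs.

    curl -D may write several heads into one file (e.g. after redirects); the last one is used.
    """
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    lines = blocks[-1].splitlines()
    status_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def header_block_bytes(status_line: str, headers: List[Tuple[str, str]]) -> int:
    """Approximate the serialised response head: status line, each header line and CRLF terminators."""
    total = len(status_line.encode()) + 2
    for name, value in headers:
        total += len(f"{name}: {value}".encode()) + 2
    return total + 2  # terminating empty line


def largest_headers(headers: List[Tuple[str, str]], n: int = 3) -> List[Tuple[int, str]]:
    """Return the n largest header lines as (bytes, header name), largest first."""
    sized = sorted(((len(f"{k}: {v}".encode()), k) for k, v in headers), reverse=True)
    return sized[:n]


def check(raw: str, limit: int = TOMCAT_DEFAULT_MAX_HEADER_BYTES) -> Dict[str, object]:
    """Measure a header dump against a maximum header size and report the heaviest headers."""
    status_line, headers = parse_header_dump(raw)
    size = header_block_bytes(status_line, headers)
    return {"bytes": size, "limit": limit, "fits": size <= limit, "largest": largest_headers(headers)}


if __name__ == "__main__":
    import sys
    # Usage: python check_headers.py headers.txt [limit]; without arguments the constructed sample is used.
    raw = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else TOMCAT_DEFAULT_MAX_HEADER_BYTES
    r = check(raw, limit)
    print(f"response head: {r['bytes']} bytes, limit {r['limit']} -> {'OK' if r['fits'] else 'EXCEEDS LIMIT'}")
    for size, name in r["largest"]:
        print(f"  {size:6d} bytes  {name}")
```

Take the dump by calling the IAM instance directly, bypassing the gateway, with curl -sS -k -D headers.txt -o /dev/null followed by the IAM URL, then run the script with the intended limit (e.g. 32768) to confirm there is headroom for the largest propagated identity you expect.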