Front-Side Kerberos configuration in the JSP-Loginapp (redirect flow)

The following chapter describes how the Airlock Gateway (WAF) and Airlock IAM configuration must be adapted in order to use Front-side Kerberos with the Redirect authentication flow.

Airlock Gateway (WAF) configuration

Create a back-end group for IAM

  1. Sign in to Airlock Gateway (WAF) Configuration Center as an admin
  2. To add a new Back-end Group, go to Application Firewall > Reverse Proxy and click on the + sign at the top of the Back-end Group column.
  3. Enter a Back-end Group Name, select the correct protocol, and enter the Hostname and Port.

Import a mapping for IAM

  1. In the mapping column, click the + button and choose New from template.
  2. The Mapping Templates list appears.
  3. In the section Airlock IAM, choose Download Mapping Templates.
  4. The latest Airlock IAM manual opens up in the browser.
  5. From the download table of the manual page, select and download the IAM Loginapp Template that matches your Airlock Gateway version.
  6. Change back to the Airlock Gateway Configuration Center page and close the Mapping Templates list.
  7. In the mapping column, click the + button and choose Import.... Select and import the downloaded mapping template zip file.
  8. After the import has finished, the new mapping opens in edit mode.
  9. Switch to the tab Allow Rules and enable the rule Kerberos Functionality.
  10. Change back to the Reverse Proxy view.
  11. The new Airlock-IAM-Loginapp mapping is now shown in the Mapping column.
  12. Connect the Airlock-IAM-Loginapp mapping to the Virtual Host that is connected to the web application mapping.
  13. Connect the Airlock-IAM-Loginapp mapping to the IAM Back-end Group.

Customize the application mapping

  1. Go to Application Firewall > Reverse Proxy and edit the Mapping of the web application for which Front-side Kerberos should be used.
  2. Configure the Denied access URL to point to the correct instance of Airlock IAM. For the IAM auth instance the URL would be /auth/check-spnego.
  3. Select Redirect in the Authentication flow drop-down list.
  4. Specify the credential Airlock IAM sets after a successful authentication under Restricted to roles.

Configure the maximal allowed HTTP request header size

  1. Go to Expert Settings > Security Gate / Apache.
  2. Enable the Apache Expert Settings and add the following setting:

     # Increase the maximal allowed HTTP request header size
     LimitRequestFieldSize 16384

    • Please ensure that the Airlock Gateway (WAF) value configured in this step is identical to or smaller than the one configured in Airlock IAM. How this can be achieved is described in HTTP Request Header Size.
    • For further information about issues caused by a wrong configuration of the allowed HTTP request header size, see HTTP Request Header Size.

Activate Airlock Gateway (WAF) configuration

After going through the previous steps, activate the new configuration.

  1. Click on the Activate button in the Airlock Gateway (WAF) Configuration Center.

Airlock IAM configuration

The following chapter describes what must be configured in order to use the Redirect authentication flow.

Create krb5.conf file

Step 6 – Create krb5.conf file in Airlock IAM

Create a /etc/krb5.conf file and configure it with the correct values for the Windows domain.

/etc/krb5.conf

[libdefaults]
default_realm = AIRLOCK.COM

[realms]
# The realm named here must be the one used as default_realm above.
AIRLOCK.COM = {
kdc = dc.airlock.com
default_domain = airlock.com
}

[domain_realm]
# Map the DNS domain (lowercase) to the Kerberos realm (uppercase).
.airlock.com = AIRLOCK.COM
airlock.com = AIRLOCK.COM
  • The uppercase values are settings to describe the Kerberos realm, while the lowercase values are DNS settings. Configure the settings in the same upper-/lowercase as illustrated above.
  • To make the new settings from the /etc/krb5.conf file active, Airlock IAM must be restarted.
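The following Python checker is an added example (not part of the Airlock documentation) that parses a krb5.conf and reports the inconsistencies which most often break Front-side Kerberos: a default_realm with no [realms] entry, domain_realm mappings to an undefined realm, and realm or DNS names in the wrong case. The embedded sample is constructed and deliberately mixes the realms AIRLOCK.COM and AIRLOCK.LOCAL.

```python
# Constructed sample (not a real deployment) that mixes AIRLOCK.COM and AIRLOCK.LOCAL
BROKEN_CONF = """\
[libdefaults]
default_realm = AIRLOCK.COM
[realms]
AIRLOCK.LOCAL = {
kdc = dc.airlock.com
default_domain = AIRLOCK.COM
}
[domain_realm]
.airlock.local = AIRLOCK.COM
"""

def parse_krb5_conf(text):   # -> {section: {key: value}}, realm blocks nested
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
        elif line == "}":                            # end of a realm block
            realm = None
        elif line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                         # start of a realm block
                realm = section.setdefault(key, {})
            elif realm is not None:
                realm[key] = value
            else:
                section[key] = value
    return sections

def check_krb5_conf(text):   # -> list of problems; empty means consistent
    cfg = parse_krb5_conf(text)
    realms, problems = cfg.get("realms", {}), []
    default_realm = cfg.get("libdefaults", {}).get("default_realm")
    if default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for name, settings in realms.items():
        if name != name.upper():                     # realm names are uppercase
            problems.append(f"realm {name} must be uppercase")
        for key in ("kdc", "default_domain"):        # DNS names are lowercase
            v = settings.get(key, "")
            if v != v.lower():
                problems.append(f"{key} {v} in realm {name} must be lowercase")
    for dns, realm in cfg.get("domain_realm", {}).items():
        if dns != dns.lower():
            problems.append(f"domain_realm key {dns} must be lowercase")
        if realm not in realms:
            problems.append(f"domain_realm maps {dns} to undefined realm {realm}")
    return problems
```

Run `check_krb5_conf` on the real /etc/krb5.conf before restarting Airlock IAM; it returns an empty list only when every referenced realm is defined and the case convention holds.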

Copy the keytab file

Step 7 – Copy the *.keytab file

Copy the *.keytab file into the IAM instance directory (e.g. /home/airlock/iam/instances/auth/).

Create a SPNEGO Config

  1. Sign in to Airlock IAM Admin App as an admin
  2. Open the Config Editor
  3. Go to Loginapp >> Front-side Kerberos
  4. Create a new SPNEGO Config
  5. It is recommended to configure a Lookup and Accept Authenticator as the Authenticator to check whether the user is locked or not and to potentially load context data/roles.
  6. Configure the Keytab File which has been copied into the instance directory previously (e.g. instances/auth/airlock.com.keytab)
  7. Configure the Service Principal (e.g. HTTP/a.airlock.com)

If multiple Service Principals (SPNs) have to be supported, either create a new SPNEGO Config per SPN (using contexts, with a context extractor to choose the correct context) or specify "*" as the SPN to accept all SPNs contained in the keytab.
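To verify before activating that the Service Principal entered in the SPNEGO Config is actually present in the copied keytab (or to list what "*" would accept), here is an added example that is not part of Airlock IAM: a minimal reader for MIT keytab files (format version 0x0502) together with a builder that constructs a sample keytab with two SPNs and all-zero dummy keys. The helper names and the `spn_accepted` rule are this example's own.

```python
import struct

def _cstr(b):                    # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Constructed MIT keytab (version 0x0502); entries are (principal, realm, enctype, key)."""
    out = b"\x05\x02"
    for principal, realm, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, 3)     # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _cstr(key)
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data):
    """Return the set of 'service/host@REALM' principals stored in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, found = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                             # negative size marks a deleted slot
            pos -= size
            continue
        if size == 0:
            raise ValueError("corrupt keytab entry")
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        parts = []
        for _ in range(ncomp + 1):               # realm first, then the name components
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
        pos = end                                # skip name_type, timestamp and key
    return found

def spn_accepted(configured_spn, realm, keytab):
    """'*' accepts every SPN in the keytab; otherwise the configured SPN must be present."""
    spns = keytab_principals(keytab)
    return spns if configured_spn == "*" else {configured_spn + "@" + realm} & spns

# Constructed sample keytab with two SPNs and all-zero dummy keys (AES256 enctype 18)
SAMPLE_KEYTAB = build_keytab([("HTTP/a.airlock.com", "AIRLOCK.COM", 18, bytes(32)),
                              ("HTTP/b.airlock.com", "AIRLOCK.COM", 18, bytes(32))])
```

An empty result from `spn_accepted` for the configured SPN means the keytab copied into the instance directory does not contain that principal.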

Configure Kerberos as the login page

  1. Go to Loginapp > Authentication Settings
  2. Change the Login Page Type to Kerberos

Only with the Login Page Type Kerberos does Airlock IAM send the correct response to the client when the login application is accessed directly. If other Login Page Types are needed, create IAM contexts and configure a context extractor to choose the correct context.

Activate Airlock IAM configuration

After going through the previous steps, activate the new configuration.

  1. Click on the Activate button in the Airlock IAM Config Editor.