HTTPS/TLS with authentication of IAM

Configuration of Airlock Gateway

The use of HTTPS/TLS together with a server certificate for IAM guarantees that only IAM can send commands to the Airlock Gateway through the Airlock Gateway Control API, and it protects the confidentiality of the data exchanged between the Gateway and IAM. IAM is delivered with a default certificate for HTTPS, which should be replaced by a custom certificate because the same private key is included in all IAM installations.

HTTPS/TLS with authentication of IAM is configured as follows (requires OpenSSL):

  1. Create a self-signed certificate:

    openssl req -x509 -sha512 -newkey rsa:3072 -keyout iam-private-key.pem -out iam-certificate.pem -days 365

    If "BackendSSLVerifyHost" is set to "TRUE" in the Airlock Gateway expert settings on the Airlock IAM backend, the common name (CN) of the certificate must match the hostname of the host running Airlock IAM.

  2. Create a key store containing the generated certificate and private key, if not already done:

    openssl pkcs12 -export -name IamServerCert -in iam-certificate.pem -inkey iam-private-key.pem -out iam-keystore.p12

  3. To keep all configuration files in the same place, copy the created iam-keystore.p12 into the relevant instance's configuration directory (e.g. instances/auth/iam-keystore.p12).
  4. Update the instance parameters in instance.properties:

    # Only enable the HTTPS connector
    iam.web-server.connectors = https
    
    # Configure key store
    iam.web-server.https.keystore.type = PKCS12
    iam.web-server.https.keystore.file = instances/auth/iam-keystore.p12
    iam.web-server.https.keystore.password = <keystore-password>

  5. Restart Airlock IAM.
  6. Add the self-signed IAM server certificate as BackendSSLServerCA certificate to the IAM back-end group of the Airlock Gateway and enable BackendSSLVerifyHost for this backend group (for a detailed description of this step see: https://techzone.airlock.com/backend-ssl).
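The certificate and key store steps above, scripted as an added example (not Airlock's own tooling). Besides running the two OpenSSL commands, it sets the CN (and a SAN) to the IAM hostname and checks the result, since a CN that does not match the host breaks BackendSSLVerifyHost; it assumes OpenSSL 1.1.1 or newer (for `-addext`) and the hypothetical function names used here.

```shell
#!/bin/sh
# Added example: build the IAM server certificate and PKCS12 key store,
# then verify the certificate CN matches the IAM hostname.
set -eu

# Self-signed certificate with CN and subjectAltName set to the IAM host.
# Arguments: <hostname> <private-key-out> <certificate-out>
iam_make_cert() {
  openssl req -x509 -sha512 -newkey rsa:3072 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2" -out "$3" >/dev/null 2>&1
}

# PKCS12 key store as referenced by iam.web-server.https.keystore.file.
# Arguments: <private-key> <certificate> <keystore-out> <keystore-password>
iam_make_keystore() {
  openssl pkcs12 -export -name IamServerCert -in "$2" -inkey "$1" \
    -out "$3" -passout "pass:$4"
}

# Print the CN of the certificate in a PEM file (read from stdin if "-").
iam_cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Print the CN of the certificate stored inside the PKCS12 key store.
# Arguments: <keystore> <keystore-password>
iam_keystore_cn() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | iam_cert_cn -
}

# Exit 0 when the certificate CN equals the expected hostname, 1 otherwise.
iam_cert_cn_matches() {
  [ "$(iam_cert_cn "$1")" = "$2" ]
}

# Run the whole procedure into <dir>; fails if the CN check does not pass.
# Arguments: <hostname> <dir> <keystore-password>
iam_setup_tls() {
  iam_make_cert "$1" "$2/iam-private-key.pem" "$2/iam-certificate.pem"
  iam_make_keystore "$2/iam-private-key.pem" "$2/iam-certificate.pem" \
    "$2/iam-keystore.p12" "$3"
  iam_cert_cn_matches "$2/iam-certificate.pem" "$1"
}

# Example invocation: IAM_HOST=iam.example.test KEYSTORE_PASS=... sh this-script.sh
if [ -n "${IAM_HOST:-}" ]; then
  iam_setup_tls "$IAM_HOST" "${IAM_DIR:-.}" "${KEYSTORE_PASS:?set KEYSTORE_PASS}"
fi
```

Copy the resulting iam-keystore.p12 into the instance directory and set the same password in instance.properties; the file is written with the password given on the command line, so prefer an environment variable over a literal in shell history.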

Configuration of Airlock Microgateway

Airlock Microgateway is configured with a YAML config file that uses a DSL (domain-specific language) to configure HTTPS and the certificate-related settings. The Complex example configuration with Airlock IAM SSL/TLS shows how to achieve this.