Health check endpoints, responses, and security

Available endpoints

The following table shows the endpoints available for health checks:

| Check type | IAM 7.5 (MicroProfile 3.0) | IAM 7.4 (MicroProfile 2.0), deprecated in IAM 7.5 and scheduled for removal in Airlock IAM 8.0 |
|---|---|---|
| Liveness | /health/live | /health |
| Readiness | /health/ready | /auth-login/rest/health |

Available in the Loginapp and the Transaction Approval modules only.

The health check endpoint consists of a list of different checks:

  • Liveness endpoint: has a fixed list of checks, which is currently not configurable. The configurationActivation check is not included in this list. Liveness checks will therefore report Airlock IAM to be UP, even if the configuration was not loaded yet.
  • Readiness endpoint: health checks can be configured in the Config Editor for the Loginapp and the Transaction Approval modules. The configurationActivation check is always part of the checks and cannot be removed.

Health check responses

The response to a health check request can be UP or DOWN. This is also indicated by the HTTP response status code:

| Status | HTTP status code |
|---|---|
| UP | 200 OK |
| DOWN | Any non-200 status, typically 503, or a connection error. |

Health check endpoints also provide a JSON response body, which is intended to be human-readable and indicate which check failed.

Edge cases

The health check endpoints have been designed for the following usage:

  • If an IAM module (adminapp, loginapp, ...) is configured in the instance properties file, it automatically provides the liveness endpoint.
  • In the readiness endpoint, the Loginapp and the Transaction Approval modules automatically check whether the configuration can be activated.
  • Even if an IAM module has no configuration, it is considered to be in a correct state regarding the liveness endpoint.
  • The liveness endpoint reports all modules as UP during configuration activation.
  • If there is no configuration for an IAM module or if the activation fails, the readiness endpoint reports status DOWN.
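The response and edge-case rules above, as a monitoring-side probe. This is an added example, not Airlock IAM code. It assumes the JSON body follows the MicroProfile Health shape (`status`, `checks[].name`, `checks[].status`); the verdict names, the sample body and the base URL are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

# Constructed sample body; the field layout is an assumption (MicroProfile Health).
SAMPLE_READY_DOWN = ('{"status":"DOWN","checks":'
                     '[{"name":"configurationActivation","status":"DOWN"}]}')

def interpret(status_code, body):
    """Return (state, failed_checks). status_code is None on a connection error.
    Only HTTP 200 means UP; the body is informational and never overrides it."""
    if status_code == 200:
        return "UP", []
    failed = []
    try:
        checks = json.loads(body or "").get("checks", [])
        failed = [c.get("name", "?") for c in checks if c.get("status") != "UP"]
    except (ValueError, AttributeError, TypeError):
        pass  # missing or non-JSON body (proxy error page, empty reply)
    return "DOWN", failed

def probe(url, timeout=3.0):
    """Fetch one health endpoint and interpret the result."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # non-2xx answers, typically 503
        return interpret(err.code, err.read().decode("utf-8", "replace"))
    except OSError:                         # refused, timeout, TLS failure
        return interpret(None, "")

def assess(live, ready):
    """Combine liveness and readiness results (verdict names are hypothetical)."""
    if live[0] == "DOWN":
        return "restart-candidate"
    if ready[0] == "DOWN":
        # Liveness stays UP without a loaded configuration, so this is the
        # state seen during or after a failed configuration activation.
        return "alive-not-ready"
    return "serving"

if __name__ == "__main__":
    base = "https://localhost:8443"  # placeholder; use the configured health port
    live, ready = probe(base + "/health/live"), probe(base + "/health/ready")
    print(assess(live, ready), "failed checks:", ready[1])
```

Run it from a host that the IP filter allows (localhost by default), otherwise every probe reports DOWN regardless of the module's actual state.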

Health check endpoint security

Feature

Description

Port number

It is possible to configure the health checks on a separate port. This can be used as a security measure to prevent health check traffic from passing through firewalls and being accessible from the outside as part of regular Airlock IAM traffic.

This feature is configured in the instance.properties file.

If the port configured for the health checks is already in use, Airlock IAM fails to start.

IP filtering

The health check endpoint provides an IP address filter that only allows access from localhost by default.

This behavior is configured in the instance.properties file.

HTTPS

Health checks are only accessible over HTTPS if these conditions are met:

  • Airlock IAM is configured to use HTTPS.
  • Health checks do not use a different port than Airlock IAM.