Advanced configuration of Airlock Gateway for Airlock IAM

Expert Settings for enabling HTTP Keep-Alive for SSL Connections to Airlock IAM

If the connection to the back-end is SSL protected, the following settings have to be applied in order to use HTTP-Keep-Alive. This will avoid connection timeouts caused by Tomcat performance issues.

HTTP-Keep-Alive can be enabled for specific back-end groups. The following setting has to be added to the Expert SettingsTab (Security Gate) of the Back-end Group – not in the global expert settings:

BackendForceNewConnections   "FALSE"

Client certificate authentication with Airlock Gateway

If using pure client certificate authentication with Airlock Gateway, in addition to the steps of the sections above, do the following:

  1. If requests should be passed to IAM even if no client certificate was involved in the TLS-handshake: On the Airlock IAM mapping, set the value SSL Client Certificate to Optional.
  2. SSL Client Certificate
  3. In the Airlock Gateway virtual host definition(s) to which the mapping is connected, store the list of allowed certificate authorities (CAs). It defines who is trusted to issue client certificates.

Favorite icon path rewrite for Internet Explorer

Some older versions of Microsoft's Internet Explorer will always request /favicon.ico to get the favorite icon of a web page regardless of the path and name of the favorite icon in the HTML header.

It may therefore be necessary to introduce a special path redirect on the Airlock Gateway virtual host in order to map the URL /favicon.ico to the actual URL of the favorite icon in the Loginapp.

Example "path redirect" definition:

Path Redirects