Steps 1–5 in this section describe how the Airlock Gateway configuration must be adapted in order to use Front-side Kerberos with the One-Shot authentication flow. Steps 6–8 describe how to use the Kerberos settings configured on the gateway to finalize the One-Shot flow in Airlock IAM.
Step 1 – Create a back-end group for IAM
- Sign in to Airlock Gateway Configuration Center as an admin.
- To add a new Back-end Group, go to Application Firewall >> Reverse Proxy and click on the + sign at the top of the Back-end Group column.
- Enter a Back-end Group Name, select the correct protocol, and enter the Hostname and the Port.
Step 2 – Import a mapping for IAM
- In the mapping column, click the + button and choose New from template.
- The Mapping Templates list appears.
- In the section Airlock IAM, choose Download Mapping Templates.
- The latest Airlock IAM manual opens up in the browser.
- From the download table of the manual page, select and download the IAM Loginapp Template that matches with your Airlock Gateway version.
- Change back to the Airlock Gateway Configuration Center page and close the Mapping Templates list.
- In the mapping column, click the + button and choose Import..., then select and import the downloaded mapping template zip file.
- After the import has finished, the new mapping opens in edit mode.
- Switch to the tab Allow Rules and enable the rule Kerberos Functionality.
- Change back to the Reverse Proxy view.
- The new Airlock-IAM-Loginapp mapping is now shown in the Mapping column.
- Connect the Airlock-IAM-Loginapp mapping to the Virtual Host that is connected to the web application mapping.
- Connect the Airlock-IAM-Loginapp with the IAM Back-end Group.
Step 2 – Create a mapping for IAM
- To add a new Mapping, go to Application Firewall >> Reverse Proxy and click on the + sign at the top of the Mapping column and afterward choose New from template.
- On the Mapping template screen, select the Airlock IAM Mapping template.
- Switch to the tab Response Actions and disable the action (default) Remove Negotiate Header.
- Switch to the tab Allow Rules and enable the rule One-Shot Functionality.
- Connect the new Airlock IAM Mapping with the Virtual Host the web application Mapping is connected to.
- Connect the new Airlock IAM Mapping with the IAM Back-end Group.
Step 3 – Customize the application mapping
- Go to Application Firewall >> Reverse Proxy and edit the Mapping of the web application for which Front-side Kerberos should be used.
- Configure the Denied access URL to point to the correct instance of Airlock IAM. For the IAM auth instance, the URL would be /auth/login-oneshot.
- Select One-Shot in the Authentication flow drop-down list.
- Under Restricted to roles, enter the credential (role) that Airlock IAM sets after a successful authentication.
Step 4 – Configure the maximal allowed HTTP request header size
- Go to Expert Settings >> Security Gate / Apache.
- Enable the Apache Expert Settings and configure the following setting:

    # Increase the maximal allowed HTTP request header size
    LimitRequestFieldSize 16384

- Please ensure that the Airlock Gateway setting configured in this step is identical to or smaller than the one configured in Airlock IAM. How this can be achieved is described in .
- For further information about issues caused by a wrong configuration of the allowed HTTP request header size, check .
Step 5 – Activate Airlock Gateway configuration
After going through the previous steps, activate the new configuration.
- Click on the Activate button in the Airlock Gateway Configuration Center.
Step 6 – Create krb5.conf file in Airlock IAM
Create a /etc/krb5.conf file and configure it with the correct values for the Windows domain.

/etc/krb5.conf

    [libdefaults]
        default_realm = AIRLOCK.COM
    [realms]
        # The realm name here must match default_realm above.
        AIRLOCK.COM = {
            kdc = dc.airlock.com
            default_domain = AIRLOCK.COM
        }
    [domain_realm]
        .airlock.local = AIRLOCK.COM
- The uppercase values are settings to describe the Kerberos realm, while the lowercase values are DNS settings. Configure the settings in the same upper-/lowercase as illustrated above.
- To make the new settings from the /etc/krb5.conf file active, Airlock IAM must be restarted.
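A small consistency check for the krb5.conf written in Step 6, added here as an example and not part of Airlock IAM: it verifies that default_realm has a [realms] entry, that every [domain_realm] mapping points to a defined realm, and that realm names are uppercase while DNS domains are lowercase, as the note above requires. The sample configuration is constructed to mirror the page's example.

```python
# Constructed sample that mirrors the /etc/krb5.conf from Step 6.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = AIRLOCK.COM
[realms]
    AIRLOCK.COM = {
        kdc = dc.airlock.com
        default_domain = AIRLOCK.COM
    }
[domain_realm]
    .airlock.local = AIRLOCK.COM
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here into {section: {key: value-or-dict}}."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            sections.setdefault(section, {})
        elif line == "}":                        # end of a realm block
            realm = None
        elif line.endswith("{"):                 # start of a "REALM = {" block
            realm = line[:-1].split("=")[0].strip()
            sections[section][realm] = {}
        else:
            key, _, value = line.partition("=")
            target = sections[section][realm] if realm else sections[section]
            target[key.strip()] = value.strip()
    return sections

def check_krb5_conf(text):
    """Return a list of consistency problems; an empty list means the file is sane."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm not in realms:              # also catches a missing default_realm
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for name in realms:                          # realm names are written in uppercase
        if name != name.upper():
            problems.append(f"realm {name} is not uppercase")
    for domain, realm in conf.get("domain_realm", {}).items():
        if domain != domain.lower():             # DNS domains are written in lowercase
            problems.append(f"domain {domain} is not lowercase")
        if realm not in realms:
            problems.append(f"domain {domain} maps to undefined realm {realm}")
    return problems
```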
Step 7 – Copy the *.keytab file
Copy the *.keytab file into the IAM instance directory (e.g. /home/airlock/iam/instances/auth/).
Step 8 – Create a One-Shot configuration for authentication flow One-Shot
- Go to Loginapp >> One-Shot Authentication
- Create a new Target Application/Service
- Configure the Kerberos SPNEGO Extractor as the Credential Extractor
- Create a new Kerberos Config
- Configure the Keytab File which has been copied into the instance directory previously (e.g. instances/auth/airlock.com.keytab)
- Configure the Service Principal (e.g. HTTP/a.airlock.com)
- Go back and continue editing the Target Application/Service
- It is recommended to configure a Lookup and Accept Authenticator as the Authenticator to check whether the user is locked or not and to potentially load context data/roles.
- Go back and continue editing the Target Application/Service
- Configure the Kerberos SPNEGO Error Mapper as the Failure Responses
- Go back and continue editing the Target Application/Service
- Click on the Activate button in the Airlock IAM Config Editor.
If multiple Service Principals (SPNs) have to be supported, either create a new Kerberos Config per SPN (using contexts and a context extractor to choose the correct context) or specify "*" as the SPN to simply accept all SPNs contained in the *.keytab file.
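To verify that the Service Principal entered in the Kerberos Config (or the "*" wildcard) is actually backed by the copied keytab, the following added example lists the principals in a keytab and checks the configured SPN against them. It is not Airlock IAM code; it assumes the MIT keytab file format version 2 (the format ktpass produces), and the sample keytab is constructed in-line with dummy keys.

```python
import struct

def _entry(principal, enctype, key, kvno=2):
    """Build one MIT keytab v2 entry (all integers big-endian)."""
    name, realm = principal.split("@")
    components = name.split("/")
    body = struct.pack(">H", len(components))
    for part in [realm] + components:            # realm first, then name components
        body += struct.pack(">H", len(part)) + part.encode()
    body += struct.pack(">IIB", 1, 0, kvno)      # name_type NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab with two HTTP SPNs; the keys are dummy zero bytes.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("HTTP/a.airlock.com@AIRLOCK.COM", 18, bytes(32))   # aes256-cts
                 + _entry("HTTP/b.airlock.com@AIRLOCK.COM", 17, bytes(16)))  # aes128-cts

def keytab_principals(data):
    """Return (principal, enctype, kvno) for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                             # deleted slot of -size bytes: skip it
            pos -= size
            continue
        end = pos + size
        n, = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(n + 1):                   # realm plus n name components
            ln, = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        _, _, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], enctype, kvno))
        pos = end
    return entries

def spn_supported(data, configured_spn):
    """True if the Service Principal configured in IAM (or "*") has a keytab entry."""
    spns = {p.split("@")[0] for p, _, _ in keytab_principals(data)}
    return configured_spn == "*" or configured_spn in spns
```

Run it against the real instances/auth/airlock.com.keytab after copying the file in Step 7 to confirm the SPN configured in Step 8 is present before activating the configuration.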
From a Front-side Kerberos perspective, these are all the necessary settings. Nevertheless, ensure that all other important settings for a One-Shot Target Application are set.