Using profiles
In some scenarios (e.g. some Docker deployments) it is preferable to use the environment to emulate profiles.
Instead of creating a profile properties file, the environment can be used to change which modules are enabled. For every application parameter, an environment variable can be set; use all caps and replace punctuation with underscores.
For example, “IAM_MODULES=loginapp” in the environment overrides the “iam.modules” parameter from the instance.properties file.
Creating Profiles
A profile is a .properties file in the profiles/ directory that overrides some of the application parameters defined in instance.properties.
To create a new profile named “external”, a new file named external.properties must be created. The contents of a profile configuration file are similar to instance.properties.
For example:
instances/auth/profiles/external.properties
# The external profile only launches Loginapp
iam.modules = loginapp
instances/auth/profiles/internal.properties
# The internal profile only launches Adminapp and the service container applications
iam.modules = adminapp, service-container
Having created these files, we can say that the instance “auth” now has two different launch profiles. Profiles are primarily applied when launching Airlock IAM. You will note that many CLI commands do not include an option where a profile can be specified.
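The two mechanisms described above, profile files and environment variables emulating them, as an added example that is not Airlock IAM's own code: a small Python resolver that parses the .properties format, overlays a profile on instance.properties and applies the all-caps/underscore environment mapping. The sample file contents are constructed, and the choice that an environment variable wins over a profile file when both set the same parameter is an assumption, not something the documentation states.

```python
import re
from typing import Dict, List, Mapping, Optional

def parse_properties(text: str) -> Dict[str, str]:
    """Parse the 'key = value' lines of instance.properties or a profile file;
    '#' lines are comments and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props

def env_name(param: str) -> str:
    """Environment variable for a parameter: all caps, punctuation -> '_',
    e.g. 'iam.modules' -> 'IAM_MODULES'."""
    return re.sub(r"[^A-Za-z0-9]", "_", param).upper()

def effective_config(instance: Mapping[str, str],
                     profile: Optional[Mapping[str, str]] = None,
                     env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Overlay a profile on instance.properties, then apply environment overrides.
    Assumption (not stated in the documentation): an environment variable wins
    over the profile file when both set the same parameter."""
    cfg = dict(instance)
    cfg.update(profile or {})
    env = env or {}
    for param in list(cfg):
        if env_name(param) in env:
            cfg[param] = env[env_name(param)]
    return cfg

def modules(cfg: Mapping[str, str]) -> List[str]:
    """Split the comma-separated iam.modules value into module names."""
    return [m.strip() for m in cfg.get("iam.modules", "").split(",") if m.strip()]

# Constructed sample files; not Airlock IAM's shipped defaults.
INSTANCE_PROPERTIES = "iam.modules = adminapp, loginapp, service-container\n"
EXTERNAL_PROFILE = "# The external profile only launches Loginapp\niam.modules = loginapp\n"

if __name__ == "__main__":
    base = parse_properties(INSTANCE_PROPERTIES)
    print("profile:", modules(effective_config(base, parse_properties(EXTERNAL_PROFILE))))
    print("env:    ", modules(effective_config(base, env={"IAM_MODULES": "loginapp"})))
```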
If a profile that is exposed to the internet, for example the Loginapp, does not require access to certain secrets, consider keeping those secrets in a separate sensitive value store.
For integration and test environments, Configuration environments can be used to limit the exposure of production secrets.
Launching with profiles
Using the previously created profiles, we can now launch the applications separately on two different machines:
airlock@internal.example.com
iam run -c /home/airlock/iam -i auth -p internal
external.example.com
iam run -c /home/airlock/iam -i auth -p external
Launching Multiple Profiles on the Same Machine
Launching multiple Airlock IAM profiles on one machine provides less isolation protection than using separate machines.
In order to launch multiple profiles on the same machine, it is necessary to change the web server port. In addition to configuring the iam.modules parameter, the ports for the connectors must be changed. By default both processes would try to bind to 8443 for HTTPS and 8080 for HTTP, which does not work. Different ports must be assigned to each profile.
If the machine has multiple network interfaces it is also possible to change the address from the default “0.0.0.0” to the IP address of the machine for a given network interface.
System-service integration
With systemd, each profile should have its own service file. The iam systemd command supports the same --profile command line argument. See Starting and stopping Airlock IAM (system service integration).