Airlock as a Service Knowledge Base
API Reference Service Status Airlock Console
airlock.com

Migrate an on-premises Airlock IAM to Airlock as a Service

Notice
This functionality is currently limited to partners. Your partner can support you in migrating your on-premises installation to Airlock as a Service.


Initial analysis

To migrate a tenant Airlock IAM from an on-premises installation to Airlock SaaS, you need to obtain the following details in advance:

  • The actual Airlock IAM configuration and its version. This can be downloaded from the Config Editor within the Airlock IAM Adminapp.

  • Access to secrets and key pairs

  • Details about their network environment, i.e. whether the tenant Airlock IAM shall be accessed through TLS or mTLS only

    • In case of mTLS, all necessary client and server certificates, including private keys and subject alternative names

Verifying the version compatibility

Once you have obtained the details above, first make sure that the version of the on-premises Airlock IAM installation is actually supported by Airlock SaaS.

Notice
Airlock SaaS supports Airlock IAM 8.4 and later.

Recommendation
We strongly recommend updating the on-premises Airlock IAM installation to the latest supported Airlock IAM version on Airlock SaaS to ensure long-term support.

Details on how to Upgrade to a new IAM version can be found here.

Setting up organization and tenant

  1. Create an organization for your customer in Airlock SaaS if it does not exist.

  2. Create a new non-production service-level tenant.

  3. Apply the required Airlock SaaS specific configuration variables and settings.

  4. Upload the configuration as ZIP-File into Airlock SaaS within "Configuration" -> "Configuration files" menu entry

  5. Activate the configuration within "Operation" -> "Activate configuration"

  6. Await successful activation or analyze logs why config activation failed

  7. Thoroughly test the deployed tenant IAM

  8. For On-Prem Gateway mTLS integration

    1. Clone Back-end group of current on prem IAM

    2. Clone Mapping of current On-Prem IAM mapping

    3. Connect newly cloned mapping with newly cloned Back-end group

      1. This setup allows you to quickly remap your virtual hosts with the Airlock SaaS Tenant IAM solution and your exisitng on prem IAM solution

    4. Create mTLS certificates

      1. Add certificates in the Back-end group of the on-premise gateway

      2. Add certificates and keys in the Airlock SaaS portal tenant settings

    5. Verify WAF has access to where the Airlock SaaS Tenant IAM is running

    6. Connect virtual hosts with new mapping replacing existing connections with old mapping

  9. Stage config into production