Java Policy Agents 2024.6

Deploy Java Agent with Docker

The example in this section provides a Dockerfile and instructions to deploy Tomcat Java Agent on Linux to extend and protect an application. Adapt the information for other agent containers and platforms.

Consider the following limitations:

  • The Dockerfile doesn’t manage logs, so agent logs are lost when the Docker container is killed. Manage logs independently of the Dockerfile in the following ways, according to your environment:

    • Store logs persistently to a volume

    • Store logs to a host machine

    • Tail logs into STDOUT or STDERR so that Docker can collect the data

  • The Dockerfile isn’t suitable for local configuration mode and doesn’t update bootstrap properties. The agent must be configured to operate in the default remote configuration mode. For more information, refer to Location of Agent Configuration Repository.

  1. In PingOne Advanced Identity Cloud or AM, set up an agent profile and policy. For more information, refer to PingOne Advanced Identity Cloud’s Prepare for installation or AM’s Prepare for installation.

    This example uses the following configuration:

    • AM URL:

    • AM realm: top-level

    • Agent URL:

    • Agent profile name: java-agent

    • Agent profile password: password

    • Policy set and policy: Allow HTTP GET and POST for all authenticated users.

  2. Create a local folder for your application’s web.xml file, the agent .zip file, the Dockerfile, and the agent profile password—they must be in the same folder. This example uses /path/to/docker.

  3. Build a Docker image of your web application. This example uses a sample application called fr-sample-app:1.0.

  4. Configure the agent filter in your application’s web.xml file and save it to /path/to/docker/web.xml. For more information, refer to Configure the agent filter for a web application.

    This example uses the following web.xml file:

    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "">
    <web-app version="3.0" xmlns="" xmlns:xsi="" xsi:schemaLocation="">
      <display-name>AM Agent</display-name>
      <description>AM Agent Filter</description>
  5. Download the agent .zip file to /path/to/docker/. The .zip in this example is

  6. Create a file containing the agent profile password. The filename in this example is agent_secret and the password is password.

    /path/to/docker$ cat > agent_secret
    Although the agent accepts any password length and content, you are strongly encouraged to generate secure passwords. This can be achieved in various ways, for example using a password manager or by using the command line tool agentadmin --key.
  7. Create the following Dockerfile in /path/to/docker/Dockerfile. Arguments are provided by the build command.

    # Application Docker image
    # Install and unzip the application, required for unpacking the agent build.
    # Not required if the base image is already unzipped.
    # For non-Debian Linux distributions, use the appropriate package manager.
    RUN apt-get update && \
    	apt-get install unzip --no-install-recommends -y && \
    	apt-get clean
    # Define the build arguments.
    # Arguments without default values must be specified in the build command.
    ARG SERVER_HOME=/usr/local/tomcat
    ARG AGENT_URL=http://agent.dummy.url:8080/app
    # Copy the agent .zip file to the Docker directory where the agent is installed.
    # Unzip the agent and delete the .zip file
    RUN cd ${AGENT_HOME} && \
    	unzip ./${AGENT_ZIP_FILE} && \
    	rm -rf ./${AGENT_ZIP_FILE}
    # Create an agent installation file called install_file
    RUN echo "CONFIG_DIR= ${SERVER_HOME}/conf" > ${AGENT_HOME}/install_file && \
    	echo "AM_SERVER_URL= ${AM_URL}" >> ${AGENT_HOME}/install_file && \
    	echo "CATALINA_HOME= ${SERVER_HOME}" >> ${AGENT_HOME}/install_file && \
    	echo "INSTALL_GLOBAL_WEB_XML= false" >> ${AGENT_HOME}/install_file && \
    	echo "AGENT_URL= ${AGENT_URL}" >> ${AGENT_HOME}/install_file && \
    	echo "AGENT_PROFILE_NAME= ${AGENT_PROFILE}" >> ${AGENT_HOME}/install_file && \
    	echo "AGENT_PROFILE_REALM= ${AGENT_REALM}" >> ${AGENT_HOME}/install_file && \
    	echo "AGENT_PASSWORD_FILE= /run/secrets/agent_secret" >> ${AGENT_HOME}/install_file
    # Install the agent and mount the file containing the agent password
    # This command uses silent installation with a provided install_file
    RUN --mount=type=secret,id=agent_secret,required=true \
    	"${AGENT_HOME}"/java_agents/tomcat_agent/bin/agentadmin \
    	--forceInstall \
    	--useResponse ${AGENT_HOME}/install_file && \
    	rm -rf ${AGENT_HOME}/install_file
    # Copy the new web.xml file, which includes agent filter
    COPY web.xml ${AGENT_HOME}/
    # Replace the original web.xml with the new web.xml file, which includes agent filter
    RUN mkdir /tmp/app && \
    	cd /tmp/app/ && \
    	mv ${SERVER_HOME}/webapps/${APP_NAME} ./ && \
    	jar -xf ./${APP_NAME} && \
    	rm -rf ./${APP_NAME} && \
    	mv ${AGENT_HOME}/web.xml ./WEB-INF/web.xml && \
    	jar -cf ${SERVER_HOME}/webapps/${APP_NAME} * && rm -rf /tmp/app
  8. Find values for the following arguments that correspond to your application and environment:

    • BASE_DOCKER_IMAGE: The name and path to the base image of your application.

    • AGENT_VERSION: The agent version in the Docker image.

    • AGENT_ZIP_FILE: Name of the agent .zip file. Default: Derived from AGENT_VERSION. Define this property for Jakarta builds.

    • APP_NAME: Application name including the extension. For example, app.war

    • AGENT_HOME: Docker directory where the agent is installed. Default: /opt.

    • AM_URL: PingOne Advanced Identity Cloud or AM server URL including port number.

    • SERVER_HOME: Path to the Tomcat server configuration. Default: /usr/local/tomcat.

    • AGENT_URL: Agent URL.

    • AGENT_REALM: PingOne Advanced Identity Cloud or AM realm containing the agent profile.

    • AGENT_PROFILE: Agent profile name. Default /.

  9. With a Docker daemon running, build the Docker image with the following command, replacing the example values with your own values:

    /path/to/docker$ docker build --secret id=agent_secret \
      --build-arg BASE_DOCKER_IMAGE=fr-sample-app:1.0 \
      --build-arg AGENT_VERSION=2024.6 \
      --build-arg \
      --build-arg APP_NAME=app.war \
      --build-arg AGENT_HOME=/opt \
      --build-arg AM_URL= \
      --build-arg AGENT_URL= \
      --build-arg SERVER_HOME=/usr/local/tomcat \
      --build-arg AGENT_REALM=/ \
      --build-arg AGENT_PROFILE=java-agent \
      --tag agent-image:2024.6 .
     => => writing image sha256:803...ada  0.0s
     => => naming to
  10. Run the container:

    /path/to/docker$ docker run -it --name java-agent -p 8080:8080 agent-image:2023.11
    ...INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler...
    ...INFO [main] org.apache.catalina.startup.Catalina.start Server startup ...
  11. Access your application through the agent at Access is managed by PingOne Advanced Identity Cloud or AM according to the policy configured for the agent profile.

    This example displays the PingOne Advanced Identity Cloud or AM login page. When you log in as a user, you access the sample application.

Upgrade and rollback

To upgrade or roll back an agent Docker container to a different agent version:

  1. Build a new Docker container with the different agent version, using a tag that corresponds to the version.

  2. Replace the image tag in your environment.

Copyright © 2010-2024 ForgeRock, all rights reserved.