Java Policy Agents 2024.6

Network connections

Protect network traffic by using HTTPS where possible.

Recommendations For Incoming Connections (From Clients to Java Agent)
Protocol Recommendations


HTTP connections that are not protected by TLS use cleartext messages. When you permit insecure connections, you cannot prevent client applications from sending sensitive data. For example, a client could send unprotected credentials in an HTTP Authorization header. Even if the server were to reject the request, the credentials would already be leaked to any eavesdroppers.

Always use HTTPS for connections up to a load-balancer or proxy in front of the web application or server.


Use HTTPS for secure connections. Follow industry-standard TLS recommendations for Security/Server Side TLS.

When using an HTTP connection handler, use HTTPS to protect client connections.

Some client applications require a higher level of trust, such as clients with additional privileges or access. Client application deployers might find it easier to manage public keys as credentials than to manage username/password credentials. Client applications can use TLS client authentication.

Recommendations For Outgoing Connections (From Java Agent to Another Service)
Client Recommendations

Common Audit event handlers

Configure Common Audit event handlers to use HTTPS when connecting to external log services.


Connect to AM over HTTPS, and use Web Socket Secure (WSS) for notifications. When AM listens on HTTPS, by default the agent uses WSS. Otherwise, by default, the agent uses Web Sockets (WS).

Custom login pages

Connect to custom login pages over HTTPS.

Message-level security

Server protocols such as HTTP, LDAP, and JMX rely on TLS to protect connections. To enforce secure communication, refer to Secure communication between the agent and AM.

Communication between the agent and clients is managed by the web application container in which the agent runs. See the web application container documentation for information about how to secure those connections.

Copyright © 2010-2024 ForgeRock, all rights reserved.