Web Policy Agents 2023.11

Major upgrade

Perform a major upgrade

  1. Read the release notes for information about changes in Web Agent.

  2. Download the agent binaries from the ForgeRock BackStage download site.

  3. Plan for server downtime.

    Plan to route client applications to another server until the process is complete and you have validated the result. Make sure the owners of client application are aware of the change, and let them know what to expect.

  4. Back up the directories for the agent installation and web server configuration and store them in version control so that you can roll back if something goes wrong:

  5. Redirect client traffic away from the protected website.

  6. Stop the web server where the agent is installed.

  7. Remove the old Web Agent, as described in Remove Web Agent.

  8. Delete the following shared memory files:

    • /dev/shm/am_cache_0

    • /dev/shm/am_log_data_0

    Depending on your configuration, the files can be named differently.

  9. Install the new agent.

    In local configuration mode, provide the agent.conf file. For more information, refer to Local configuration (agent.conf).

  10. Review the agent configuration:

  11. (If you provided the agent.conf file to the installer and you are upgrading from an agent version earlier than 4.1.0 hotfix 23)

    Re-encrypt the password specified in the Agent Profile Password:

    1. Obtain the encryption key from the bootstrap property Agent Profile Password Encryption Key in the new agent.conf file.

    2. (Unix only) Store the agent profile password in a file; for example, newpassword.file.

    3. Encrypt the agent profile password with the encryption key by running the agentadmin command with the --p option.

      • Unix

      • Windows

      $ ./agentadmin --p "YWM…​Nw=" “cat newpassword.file”
Encrypted password value: 07b…​dO4=
      $ agentadmin.exe --p "YWM…​5Nw=" "newpassword"
Encrypted password value: 07b…​dO4=

    4. Set the encrypted password as the value of the Agent Profile Password property in the new agent.conf file.

  12. (NGINX Plus and Unix Apache agents only) Configure shared runtime resources and shared memory. For more information, refer to Configure shared runtime resources and memory.

  13. Ensure the communication between AM and the web agent is secured with the appropriate keys. For more information, refer to Configuring AM to sign authentication information.

  14. Start the web server where the agent is installed.

    Web Agent 5 changed the default size of the agent session and policy cache from 1 GB to 16 MB. In the unlikely case that an old Apache agent could not release the shared memory, the new Apache agent may not start. For more information, refer to Troubleshooting.

  15. Validate that the agent is performing as expected in the following ways:

    • Check in /path/to/web_agents/agent_type/log/system_n.log that the new version of the agent is running.

    • Go to a protected page on the website and confirm whether you can access it according to your configuration.

    • Check logs files for errors.

    To troubleshoot your environment, run the agentadmin command with the --V option.

  16. Allow client traffic to flow to the protected website.

Roll back from a major upgrade

Before you roll back to an earlier version of Web Agent, consider whether any change to the configuration during or since upgrade could be incompatible with the earlier version.

To roll back from a major upgrade, run through the procedure in Major upgrade, but use the backed up directories for the agent installation and web server configuration.

Copyright © 2010-2023 ForgeRock, all rights reserved.