Web Policy Agents 2023.6

Upgrade

For information about upgrade between supported versions of Web Agent, refer to Release and Lifecycle dates | Identity Gateway.

This section describes how to upgrade a single Web Agent instance. The most straightforward option when upgrading sites with multiple Web Agent instances is to upgrade in place. One by one, stop, upgrade, and then restart each server individually, leaving the service running during the upgrade.

Web Agent supports the following types of upgrade:

  • Drop-in software update:

    Usually, an update from a version of Web Agent to a newer minor version, as defined in Release naming. For example, update from 2023.3 to 2023.6 can be a drop-in software update.

    Drop-in software updates can introduce additional functionality and fix bugs or security issues. Consider the following restrictions for drop-in software updates:

    • Do not require any update to the configuration

    • Cannot cause feature regression

    • Can change default or previously configured behavior only for bug fixes and security issues

    • Can deprecate but not remove existing functionality

  • Major upgrade:

    Usually, an upgrade from a version of Web Agent to a newer major version, as defined in Release naming. For example, upgrade from 5.10 to 2023.3 is a major upgrade.

    Major upgrades can introduce additional functionality and fix bugs or security issues. Major upgrades do not have the restrictions of drop-in software update. Consider the following features of major upgrades:

    • Can require code or configuration changes

    • Can cause feature regression

    • Can change default or previously configured behavior

    • Can deprecate and remove existing functionality

Drop-in software update

Perform a drop-in software update

  1. Read the release notes for information about changes in Web Agent.

  2. Download the agent binaries from the ForgeRock BackStage download site.

  3. Redirect client traffic away from the protected website.

  4. Stop the web server where the agent is installed.

  5. Replace the following executable files in the current installation with the corresponding files in the downloaded binaries, and make sure that they have the same permissions as the original files:

    • Apache Web Agent:

      • web_agents/apache24_agent/lib/mod_openam.so

      • web_agents/apache24_agent/bin/agentadmin

    • IIS Web Agent:

      • web_agents/iis_agent/lib/mod_iis_openam_64.dll

      • web_agents/iis_agent/lib/mod_iis_openam_64.pdb

      • web_agents/iis_agent/lib/mod_iis_openam_32.dll

      • web_agents/iis_agent/lib/mod_iis_openam_32.pdb

      • web_agents/iis_agent/bin/agentadmin.exe

      • web_agents/iis_agent/bin/agentadmin.pdb

    • NGINX Plus Web Agent:

      • web_agents/nginx<version-number>_agent/lib/openam_ngx_auth_module.so

      • web_agents/nginx<version-number>_agent/bin/agentadmin

        Use the module in the directory for your NGINX version. The following example is for NGINX Plus 29: web_agents/nginx29_agent/lib/openam_ngx_auth_module.so

  6. Start the web server where the agent is installed.

  7. Validate that the agent is performing as expected in the following ways:

    • Check in /path/to/web_agents/agent_type/log/system_n.log that the new version of the agent is running.

    • Go to a protected page on the website and confirm whether you can access it according to your configuration.

    • Check logs files for errors.

    To troubleshoot your environment, run the agentadmin command with the --V option.

  8. Allow client traffic to flow to the protected website.

Roll back from a drop-in software update

Before you roll back to a previous version of Web Agent, consider whether any change to the configuration during or since upgrade could be incompatible with the previous version.

To roll back from a drop-in software update, run through the procedure in Drop-in software update, but replace the executables with the previous files, or with those from an earlier version of the agent.

Major upgrade

Perform a major upgrade

  1. Read the release notes for information about changes in Web Agent.

  2. Download the agent binaries from the ForgeRock BackStage download site.

  3. Plan for server downtime.

    Plan to route client applications to another server until the process is complete and you have validated the result. Make sure the owners of client application are aware of the change, and let them know what to expect.

  4. Back up the directories for the agent installation and web server configuration and store them in version control so that you can roll back if something goes wrong:

  5. Redirect client traffic away from the protected website.

  6. Stop the web server where the agent is installed.

  7. Remove the old Web Agent, as described in Remove Web Agent.

  8. Delete the following shared memory files:

    • /dev/shm/am_cache_0

    • /dev/shm/am_log_data_0

    Depending on your configuration, the files can be named differently.

  9. Install the new agent.

    In local configuration mode, provide the agent.conf file. For more information, refer to Local configuration (agent.conf).

  10. Review the agent configuration:

  11. (If you provided the agent.conf file to the installer and you are upgrading from an agent version earlier than 4.1.0 hotfix 23) Re-encrypt the password specified in the Agent Profile Password:

    1. Obtain the encryption key from the bootstrap property Agent Profile Password Encryption Key in the new agent.conf file.

    2. (Unix only) Store the agent profile password in a file; for example, newpassword.file. Obtain the encryption key from the

    3. Encrypt the agent profile password with the encryption key by running the agentadmin command with the --p option.

      • Unix

      • Windows

      $ ./agentadmin --p "YWM0OThlMTQtMzMxOS05Nw==" “cat newpassword.file”
Encrypted password value: 07bJOSeM/G8ydO4=
      $ agentadmin.exe --p "YWM0OThlMTQtMzMxOS05Nw==" "newpassword"
Encrypted password value: 07bJOSeM/G8ydO4=

    4. Set the encrypted password as the value of the Agent Profile Password property in the new agent.conf file.

  12. (NGINX Plus and Unix Apache agents only) Configure shared runtime resources and shared memory. For more information, refer to Configure shared runtime resources and memory.

  13. Ensure the communication between AM and the web agent is secured with the appropriate keys. For more information, refer to Configuring AM to sign authentication information.

  14. Start the web server where the agent is installed.

    Web Agent 5 changed the default size of the agent session and policy cache from 1 GB to 16 MB. In the unlikely case that an old Apache agent could not release the shared memory, the new Apache agent may not start. For more information, refer to Troubleshooting.

  15. Validate that the agent is performing as expected in the following ways:

    • Check in /path/to/web_agents/agent_type/log/system_n.log that the new version of the agent is running.

    • Go to a protected page on the website and confirm whether you can access it according to your configuration.

    • Check logs files for errors.

    To troubleshoot your environment, run the agentadmin command with the --V option.

  16. Allow client traffic to flow to the protected website.

Roll back from a major upgrade

Before you roll back to a previous version of Web Agent, consider whether any change to the configuration during or since upgrade could be incompatible with the previous version.

To roll back from a major upgrade, run through the procedure in Major upgrade, but use the backed up directories for the agent installation and web server configuration.

Post update and upgrade tasks

After upgrade, review the what’s new section in the release notes and consider activating new features and functionality.

For information about other post-installation options, refer to Post-installation tasks.

Copyright © 2010-2023 ForgeRock, all rights reserved.