Web Policy Agents 5.10

agentadmin command

The agentadmin command manages Web Agent installation. It returns EXIT_SUCCESS (or 0) when it completes successfully, and EXIT_FAILURE (or a code greater than zero) when it fails.

The following options are supported:


Install a new agent instance.

Usage: agentadmin --i


Silently, non-interactively, install a new agent instance.

Usage: agentadmin --s web-server-config-file openam-url agent-url realm agent-profile-name agent-profile-password [--changeOwner] [--acceptLicense] [--forceInstall]


(Apache HTTP Server) The full path to the Apache HTTP server configuration file. The installer modifies this file to include the agent configuration and module.

(Microsoft IIS) The ID number of the IIS site in which to install the web agent. To list the available sites in an IIS server and the relevant ID numbers, run agentadmin.exe --n.


The full URL of the AM instance that the agent will use. Ensure the deployment URI is specified.

Example: https://am.example.com:8443/am

If a reverse proxy is configured between AM and the agent, set the AM URL to the proxy URL, for example, https://proxy.example.com:443/am. For information about setting up an environment for reverse proxies, see Configure Apache HTTP Server as a reverse proxy.

The full URL of the server on which the agent is running.

Example: http://www.example.com:80


The AM realm containing the agent profile.


The name of the agent profile in AM.


The full path to the agent profile password file.


Apache web agent for Unix only: Change the ownership of created directories to the user and group as specified in the Apache configuration file.

To use this option, you must run the agentadmin command as the root user or with the sudo command. If you cannot run the agentadmin command as the root user or with the sudo command, you must change the ownership manually.


Suppress the license agreement prompt. Specifying this option indicates that you have read and accepted the terms stated in the license.

View the license agreement at /path/to/web_agents/agent_type/legal/Forgerock_License.txt.


If the agent cannot connect to the specified AM server during installation, proceed with a silent installation instead of exiting.


(IIS web agent only) List the sites available in an IIS server.


c:\web_agents\iis_agent\bin> agentadmin.exe --nIIS Server Site configuration:
     id       details

     Default Web Site
     application path:/, pool DefaultAppPool
     1.1.1    virtualDirectory path:/, configuration: C:\inetpub\wwwroot\web.config

     application path:/, pool: MySite
     2.1.1    virtualDirectory path:/, configuration C:\inetpub\MySite\web.config
     application path:/MyApp1, pool: MySite


List existing configured agent instances.

Usage: agentadmin --l


$ ./agentadmin --l
AM Web Agent configuration instances:

      id:            agent_1
      configuration: /opt/web_agents/apache24_agent/bin/../instances/agent_1
      server/site:   /etc/httpd/conf/httpd.conf

      id:            agent_2
      configuration: /opt/web_agents/apache24_agent/bin/../instances/agent_2
      server/site:   /etc/httpd/conf/httpd.conf

      id:            agent_3
      configuration: /opt/web_agents/apache24_agent/bin/../instances/agent_3
      server/site:   /etc/httpd/conf/httpd.conf


(IIS web agent only) Remove all web agent instances and libraries from an IIS installation.

Usage: agentadmin.exe --g

For more information, see To remove Web Agents from IIS.


(IIS web agent only) Enable an existing agent instance.

Usage: agentadmin.exe --e agent-instance

For more information, see To disable and enable Web Agents.


(IIS web agent only) Disable an existing agent instance.

Usage: agentadmin.exe --d agent-instance

For more information, see To disable and enable Web Agents.


(IIS web agent only) Modify Access Control Lists (ACLs) for files and folders related to a web agent instance.

Usage: agentadmin.exe --o "identity_or_siteID" "directory" [--siteId]

Usage: agentadmin.exe --o "directory" --addAll --removeAll


Specify the identity to be added to the directory’s ACLs. When used with the --siteId option, this option specifies an IIS site ID.


Specify the directory that would be modified.


Specify that the agentadmin should use identity_or_siteID as an IIS site ID.


Add all IIS application pool identities to the directory’s ACLs. This option is not compatible with the --removeAll option.


Remove all IIS application pool identities from the directory’s ACLs. This option is not compatible with the --addAll option.


C:\web_agents\iis_agent\bin> agentadmin.exe --o "IIS_user1" "C:\web_agents\iis_agent\lib"
C:\web_agents\iis_agent\bin> agentadmin.exe --o "2" "C:\web_agents\iis_agent\lib" --siteId
C:\web_agents\iis_agent\bin> agentadmin.exe --o  "C:\web_agents\iis_agent\lib" --addAll


Remove an existing agent instance.

Usage: agentadmin --r agent-instance


The ID of the agent configuration instance to remove.

Respond yes when prompted to confirm removal.

On IIS web agents, the --r option does not remove the web agent libraries since they can be in use by other web agent instances configured on the same site. To remove all web agent instances and libraries, use the --g option instead.


Generate a new signing key.

Usage: agentadmin --k


  • Unix

  • Windows

$ cd /web_agents/apache24_agent/bin/
$ ./agentadmin --k
Encryption key value: YWM…​5Nw==
C:\> cd web_agents\apache24_agent\bin
C:\web_agents\apache24_agent\bin> agentadmin --k
Encryption key value: YWM…​5Nw==


Use a generated encryption key to encrypt a new password.

Usage: agentadmin --p encryption-key password


An encryption key, generated by the agentadmin --k command.


The password to encrypt.


  • Unix

  • Windows

$ ./agentadmin --p "YWM0OThlMTQtMzMxOS05Nw==" "cat newpassword.file"
Encrypted password value: 07b…​dO4=
C:\path\to\web_agents\apache24_agent\bin> agentadmin.exe --p "YWM0OThlMTQtMzMxOS05Nw==" "newpassword"
Encrypted password value: 07b…​dO4=


Use this command in conjunction with sustaining to troubleshoot an installation. This command validates the following points:

  • The agent can reach the AM server(s) configured in AM Connection URL.

  • Critical bootstrap properties are set. For more information, see Configuration location.

  • TLS/SSL libraries are available and that SSL configuration properties are set, if the agent is configured for SSL communication.

  • The agent can log in to AM to fetch the agent profile.

  • The system has enough RAM and shared memory.

  • The agent can log in to AM with the provided user and password credentials.

  • WebSocket connections are available between the agent and AM.

  • The core init and shutdown agent sequences are working as expected. This validation requires the --Vi flag.

  • (IIS agent only) IIS is configured for running application pools in Integrated mode.

  • To prevent service outage or an unresponsive agent, run agentadmin --V[i] only when the agent instance is not actively protecting a website.

  • On Unix, run agentadmin --V[i] as the same user that runs the web server. For example, to use the Apache HTTP Server daemon user:

    $ sudo -u daemon ./bin/agentadmin --V agent_1

    Running the command as a different user can cause the log/system_0.log and log/monitor_0.pipe files to be created with permissions that prevent the agent from writing to them, causing an error such as:

    2018-09-19 13:54:52 GMT ERROR   [0x7f0c9cf05700:22420]: unable to open event channel

    If you have run the validator command as any other user, ensure the agent files have the correct permissions. For more information, review the installation instructions for your web agent in Install Web Agent.


agentadmin --V[i] agent_instance [user name] [password file] [realm]


(Optional) Ensure that the core init and shutdown agent sequences are working as expected.


(Required) The agent instance where to run the validation tests. For example, agent_1.

user name

(Optional) A user ID that exists in the AM server. Required only for the validate_session_profile test. For example, demo.

password file

(Optional) A file containing the password of the user ID used for the validate_session_profile test. For example, /tmp/passwd.txt


(Optional) The realm of the user ID used for the validate_session_profile test. For example, /customers.


$ ./agentadmin --Vi agent_1 demo passwd.txt /
Saving output to /web_agents/apache24_agent/bin//../log/validate_20180831121402.log

Running configuration validation for agent_1:

Agent instance is configured with 1 naming.url value(s):
1. https://am.example.com:8443/am is valid
selected https://am.example.com:8443/am as naming.url value
validate_bootstrap_configuration: ok
validate_ssl_libraries: ok
validate_agent_login: ok
get_allocator_blockspace_sz(): trying for configured cache size 16777216 bytes
validate_system_resources: ok
validate_session_profile: ok
validate_websocket_connection: ok
validate_worker_init_shutdown: ok

Result: 7 out of 7 tests passed, 0 skipped.


Display information about agentadmin build and version numbers, and available system resources.


AM Web Agent for IIS Server 7.5, 8.x
     Version: 5.10
     Revision: ab12cde
     Build machine: WIN-6R2CH15R77
     Build date: Nov  8 2016 11:30:18

     System Resources:
     total memory size: 7.7GB
     pre-allocated session/policy cache size: 1.0GB
     log buffer size: 128.5MB
     min audit log buffer size: 2MB, max 2.0GB
     total disk size: 162.4GB
     free disk space size: 89.6GB

     System contains sufficient resources (with remote audit log feature enabled).
Copyright © 2010-2022 ForgeRock, all rights reserved.