Incompatible changes
Incompatible changes impact existing functionality and might have an effect on your migration from a previous release. Before you upgrade, review these lists and make the appropriate changes to your scripts and plugins.
Incompatible changes in Web Agent 2024.3
Support for SSLv3
Support for SSLv3 was removed.
NGINX binaries renamed
The operating system name in NGINX binaries on Backstage has been replaced with
Linux. A single build is now suitable for all NGINX versions and operating
systems.
-
Example formats for previous release:
web-agent-2023.11-NGINX_r30_Rhel7_64bit.zip
web-agent-2023.11-NGINX_r30_Rhel8_64bit.zip
web-agent-2023.11-NGINX_r30_Rhel9_64bit.zip
web-agent-2023.11-NGINX_r30_Ubuntu20_64bit.zip
web-agent-2023.11-NGINX_r30_Ubuntu22_64bit.zip -
Example format for this release:
web-agent-2024.3-NGINX_r30_Linux_64bit.zip
AES-256-GCM encryption
Because of the changes in Hardened security of agent secrets, drop-in software update to this release isn’t possible. Upgrade to this release from an earlier release is a major upgrade. Learn more in Upgrade.
Incompatible changes in Web Agent 2023.6
Management of agent credentials
An encryption key in agent.conf is used to decrypt credentials for the
following properties:
When decryption failed in previous releases, sometimes the agent attempted to use the encrypted form of the password. From this release, the agent does not attempt to use the encrypted form of the password.
Incompatible changes in Web Agent 2023.3
NGINX binaries renamed
NGINX binaries on Backstage have been renamed as follows:
-
Old name format:
web-agent-version-NGINX_rn_Centosn_64bit.zip -
New name format:
web-agent-version-NGINX_rn_Rheln_64bit.zip
OpenSSL support
The following versions of OpenSSL are no longer supported:
| Operating systems | OpenSSL versions |
|---|---|
|
|
|
|
|
|
Incompatible changes in Web Agent 5.10.x
Regular expression pattern matching is platform-dependent.
IIS agents use Windows libraries and ECMAScript-compatible regular expressions. Adapt the regular expression settings for IIS agents to account for this change.
Fragment redirect
From Web Agent 5.8.1, when
Enable Fragment Redirect
is true, the agent redirects the user back to the original resource using an
absolute URL. In previous Web Agent 5 versions, the agent redirects the user
using a relative URI.
Proxy rules that rely on fragment redirect to a relative URI, now result in a
redirect to a full URL. For example a redirect to /a/b#c results in the final URL
prot://host:port/a/b#c.
Ordered rules that rely on matching a plain URL followed by fully qualified alternatives can result in the fully qualified alternatives matching first.
Incompatible changes in Web Agent 5.9.x
AM 5.x.x EOL
AM 5.x.x has reached Product End of Life and is no longer supported. For more information, refer to ForgeRock Product Support Lifecycle Policy | IG and Agents.
Error Logic for Login Time Out in Sessions
The fix for AMAGENTS-2717 changes the error logic that caused 403s to be seen on agent/cdsso-redirect or agent/custom-login-response when a user is redirected to authenticate, but then stays on the authentication page for longer than the default of 5 minutes.
This error could occur when a user logged out, was redirected for authentication by the agent, and then reopened the same browser the next day. Similarly, it could occur with a similar use case, on a mobile browser application.
Workarounds that were previously recommended, such as using non-default values for the following properties are no longer necessary or advised:
To prevent problems, remove such workarounds from your configuration. If you have not customized these properties, no change is required.