Web Policy Agents

Incompatible changes

Incompatible changes impact existing functionality and might have an effect on your migration from a previous release. Before you upgrade, review these lists and make the appropriate changes to your scripts and plugins.

Incompatible changes in Web Agent 2024.3

Support for SSLv3

Support for SSLv3 was removed.

NGINX binaries renamed

The operating system name in NGINX binaries on Backstage has been replaced with Linux. A single build is now suitable for all NGINX versions and operating systems.

  • Example formats for previous release:


  • Example format for this release:


AES-256-GCM encryption

Because of the changes in Hardened security of agent secrets, a drop-in software update to this release isn't possible. An upgrade to this release from an earlier release is a major upgrade. Learn more in Upgrade.

Incompatible changes in Web Agent 2023.11

No incompatible changes were introduced in this release.

Incompatible changes in Web Agent 2023.9

No incompatible changes were introduced in this release.

Incompatible changes in Web Agent 2023.6

Management of agent credentials

An encryption key in agent.conf is used to decrypt credentials for the following properties:

When decryption failed in previous releases, sometimes the agent attempted to use the encrypted form of the password. From this release, the agent does not attempt to use the encrypted form of the password.

Incompatible changes in Web Agent 2023.3

NGINX binaries renamed

NGINX binaries on Backstage have been renamed as follows:

  • Old name format: web-agent-version-NGINX_rn_Centosn_64bit.zip

  • New name format: web-agent-version-NGINX_rn_Rheln_64bit.zip

OpenSSL support

The following versions of OpenSSL are no longer supported:

| Operating systems | OpenSSL versions |
|---|---|
| CentOS, Red Hat Enterprise Linux, Oracle Linux, Ubuntu Linux | OpenSSL 1.0.x, OpenSSL 1.1.0 |
| Microsoft Windows Server | OpenSSL 1.0.x, OpenSSL 1.1.0 |
| | OpenSSL 0.9.8, OpenSSL 1.0.x, OpenSSL 1.1.0 |

Incompatible changes in Web Agent 5.10.x

Regular expression pattern matching is platform-dependent

IIS agents use Windows libraries and ECMAScript-compatible regular expressions. Adapt the regular expression settings for IIS agents to account for this change.

Fragment redirect

From Web Agent 5.8.1, when Enable Fragment Redirect is true, the agent redirects the user back to the original resource using an absolute URL. In previous Web Agent 5 versions, the agent redirected the user using a relative URI.

Proxy rules that rely on fragment redirect to a relative URI now result in a redirect to a full URL. For example, a redirect to /a/b#c results in the final URL prot://host:port/a/b#c.

Ordered rules that rely on matching a plain URL followed by fully qualified alternatives can result in the fully qualified alternatives matching first.
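The following added example (not part of the product documentation) is a pre-upgrade audit sketch for the ordering problem described above: it compares which rule in an ordered, first-match-wins list is selected for the old relative redirect and for the absolute URL the agent now sends. The rule names, patterns, base URL and first-match semantics are constructed assumptions; substitute the rules from your own proxy.

```python
import re
from urllib.parse import urljoin

# Constructed ordered rules (hypothetical names and patterns); first match wins.
RULES = [
    ("plain-path", r"^/a/b(#.*)?$"),            # written for the old relative redirect
    ("qualified-alt", r"^https?://[^/]+/a/"),   # fully qualified alternative
    ("catch-all", r".*"),
]


def first_match(rules, location):
    """Return the name of the first rule whose pattern matches the redirect target."""
    for name, pattern in rules:
        if re.search(pattern, location):
            return name
    return None


def audit(rules, base_url, relative_targets):
    """List redirect targets whose selected rule differs between the relative
    form (previous Web Agent 5 versions) and the absolute form (5.8.1 onward)."""
    changed = []
    for rel in relative_targets:
        absolute = urljoin(base_url, rel)  # the fragment is preserved
        before = first_match(rules, rel)
        after = first_match(rules, absolute)
        if before != after:
            changed.append((rel, absolute, before, after))
    return changed


if __name__ == "__main__":
    # Constructed sample input: agent-protected origin and two redirect targets.
    for rel, absolute, before, after in audit(
        RULES, "https://app.example.com:8443/", ["/a/b#c", "/other#x"]
    ):
        print(f"{rel} -> {absolute}: rule changed from {before!r} to {after!r}")
```

Any target the audit reports is one where a rule written for the relative form is now bypassed in favour of a later rule, so review those rules before upgrading.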

Incompatible changes in Web Agent 5.9.x

AM 5.x.x EOL

AM 5.x.x has reached Product End of Life and is no longer supported. For more information, refer to ForgeRock Product Support Lifecycle Policy | IG and Agents.

Error Logic for Login Time Out in Sessions

The fix for AMAGENTS-2717 changes the error logic that caused 403 responses on agent/cdsso-redirect or agent/custom-login-response when a user was redirected to authenticate but then stayed on the authentication page for longer than the default of 5 minutes.

This error could occur when a user logged out, was redirected for authentication by the agent, and then reopened the same browser the next day. It could also occur in a similar use case in a mobile browser application.

Workarounds that were previously recommended, such as using non-default values for the following properties, are no longer necessary or advised:

To prevent problems, remove such workarounds from your configuration. If you have not customized these properties, no change is required.

Copyright © 2010-2024 ForgeRock, all rights reserved.