Web Policy Agents

What’s new

What’s new in Web Agent 2024.6

Overrides for request protocol, host, and port

In certain circumstances, the new property Disable Override Request URL Port, Host, or Protocol facilitates access to the agent by bypassing load balancers.

Audit

The new property Audit Path as Full URL is available to manage how the agent includes an HTTP request path in an audit log.

What’s new in Web Agent 2024.3

Hardened security of agent secrets

Because of the hardened security of agent secrets, drop-in software update to this release isn’t possible. Upgrade to this release from an earlier release is a major upgrade. Learn more in Upgrade.

Strengthened encryption of agent secrets

The agentadmin --k command now generates a base64-encoded 256-bit random key.

The agentadmin --p command now generates AES-256-GCM encrypted ciphertext.

The agentadmin --V command now verifies that the agent can decrypt the ciphertext.

Runtime encryption and decryption of on-disk agent secrets

At runtime, the agent decrypts the agent credentials and then generates a one-time symmetric encryption key to re-encrypt the credentials.

This feature creates crypto material at runtime. In previous releases, crypto material was created and stored only on-disk.

Encryption key and ciphertext removed from bootstrap configuration file

The encryption key and ciphertext are stored in new agent configuration files, agent-key.conf and agent-password.conf. The following properties are removed from agent.conf:

For more information, refer to Agent configuration.

Log of decryption errors for agent profile password

If the agent can’t decrypt the password in Agent Profile Password a message is now written to the logs.

Use of the secret service in PingOne Advanced Identity Cloud and AM

With PingOne Advanced Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider’s secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.

Flexibility when client IP validation fails

A new property Client IP Validation Failure Response is available to force logout when Client IP Validation is true and the IP address of an authenticated request doesn’t originate from the IP address used for authentication.

In previous releases, the agent could only return an HTTP 403 Forbidden.

Warnings for TLS certificates validation

When Server Certificate Trust is set to true, the agent trusts any server certificate. Validation of the installation with agentadmin now returns a warning to set the property to false in production environments.

ISAPI Web Agent

The ISAPI Web Agent is now supported. Learn more from Install IIS and ISAPI Web Agent.

Key rotation with the agentadmin command

The agentadmin command now provides an option for key rotation. Learn more in Rotate keys.

What’s new in Web Agent 2023.11

Hardened security of agent responses with JavaScript

All agent responses that contain JavaScript are now protected by a Content-Security-Policy header.

Examples of responses protected by this change include:

  • HTML forms returned by the agent during POST data preservation

  • Preserved browser fragments returned by the agent during authentication

Deployment with Docker

A Dockerfile is now provided to deploy Apache Web Agent to extend and protect an application. For more information, refer to Deploy Web Agent with Docker.

What’s new in Web Agent 2023.9

Supported platforms

Web Agent 2023.9 supports the following additional platforms:

  • IBM HTTP Server 8.5 for Linux

  • Red Hat JBoss Core Services for Red Hat Enterprise Linux

  • NGINX Plus R30

What’s new in Web Agent 2023.6

Use Apache Web Agent with Apache directives

Apache Web Agent can now be configured with the following Apache directives, globally or independently for different server locations:

  • AmAgent to switch the agent on or off

  • AmAuthProvider to use Apache as the policy enforcement point

For more information, refer to Configure Apache Web Agent.

Authentication of Web Agent to PingOne Advanced Identity Cloud and AM

Web Agent agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.

You can now authenticate Web Agent to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

Management of agent credentials

An encryption key in agent.conf is used to decrypt credentials for the agent profile, the SSL certificate, and the HTTP proxy. By default, the agent caches the encryption key. A new property Disable Caching of Agent Profile Password Encryption Key is available to disable caching and require the agent to securely wipe the encryption key after it is read.

Use the agentadmin --V command to verify that the agent can decrypt the credentials correctly.

NGINX Plus R29

The NGINX Plus R29 platform is available in this release.

What’s new in Web Agent 2023.3

Remove HTTP Server header in IIS

In IIS, the agent can now remove the Server header from all responses. To enable the feature, set the Remove IIS HTTP Server Header property (org.forgerock.agents.config.iis.headers.server.disable) to true.

Limit the number of stored log files

To help manage the amount of stored data, the new property Maximum Number of Debug Log Files is now available to limit the number of rotated log files that the agent stores.

SUSE Linux Enterprise

Apache Web Agent now supports SUSE Linux Enterprise 15.

Log agent errors in the Apache log system

In Apache Web Agent, it is now possible to cause the agent error logs to appear in the Apache log system. For more information, refer to Configure error logs.

What’s new in Web Agent 5.10.3

Web Agent 5.10.3 is a Maintenance version. It contains no new features.

What’s new in Web Agent 5.10.2

Remove HTTP Server header in IIS

In IIS, the agent can now remove the Server header from all responses. To enable the feature, set the Remove IIS HTTP Server Header property (org.forgerock.agents.config.iis.headers.server.disable) to true.

What’s new in Web Agent 5.10.1

Limit the number of debug log files

To help manage the amount of stored data, the new property Maximum Number of Debug Log Files is now available to limit the number of debug log files that the agent stores after file rotation.

What’s new in Web Agent 5.10

Matching FQDNs to URL patterns

The wildcard * can now be used in FQDN Virtual Host Map. to match a domain name. Use this feature to pass requests with dynamically allocated hostnames, for example, in Kubernetes deployments, without redirecting them to another domain.

For more information, see FQDN checking.

Authorization flow for single page applications using Javascript

Authorization flow for applications using Javascript is a new property to enable callbacks into JavaScript applications, after an authentication or transactional authorization journey.

The property provides support for single page applications (SPAs) that use embedded login or authorization dialogs within iframes or embedded tags.

This feature is in Technology Preview, as defined in Release levels and interface stability, for use only with assistance from Ping Identity.

Current limitations:

  • The property cannot be set in agent.conf. Set it in the Advanced tab of the AM console.

  • The feature might require configuration changes to on-prem AM servers.

  • The feature does not work with the PingOne Advanced Identity Cloud, unless the service is accessed through a reverse proxy on the application site.

Apache built-in modules available for authentication

Use Built-in Apache HTTPD Authentication Directives is a new property to enable Apache Web Agent to use built-in Apache authentication directives, such as AuthName, FilesMatch, and Require for specified not-enforced URLs.

In previous releases, use of built-in Apache authentication directives was not supported. The agent replaced authentication functionality provided by Apache.

POST data preservation: use a single agent profile for multiple agent instances

In previous releases, to correctly configure POST data preservation, a separate agent profile was required in AM for each agent instance. From this release, a single agent profile can be used for multiple agent instance.

Use this feature for scalable deployments, where resources are dynamically created or destroyed.

URI fragments persisted in custom login mode

When the value of Enable Custom Login Mode is 2, URI fragments were previously lost during login. From this release, URI fragments in the browser are not lost after the custom login procedure.

Pre-authentication cookies expire immediately after authentication

In previous releases, the pre-authentication cookie, agent-authn-tx, expired when it reached the age configured by Profile Attributes Cookie Maxage. From this release, the pre-authentication cookie expires when the first of the following events occur:

Expiring the cookie immediately after authentication reduces the amount of used header space, and prevents authentication errors and errors in applications that set headers.

Limit on the size to which a JWT can be decompressed

The maximum size to which a compressed JWT can be decompressed is now limited to 1 MB, and is not configurable. This change reduces the risk of memory exhaustion DOS by reducing the risk of a decompressed JWT consuming too much available memory.

What’s new in Web Agent 5.9.1

Pre-authentication Cookies Are Expired Immediately After Authentication

In previous releases, the pre-authentication cookie, agent-authn-tx, expired when it reached the age configured by Profile Attributes Cookie Maxage. From this release, the pre-authentication cookie expires when the first of the following events occur:

Expiring the cookie immediately after authentication reduces the amount of used header space, and prevents authentication errors and errors in applications that set headers.

URI Fragments Persisted in Custom Login Mode

When the value of Enable Custom Login Mode is 2, URI fragments were previously lost during login. From this release, URI fragments in the browser are not lost after the custom login procedure.

Post Data Preservation: Use a Single Agent Profile for Multiple Agent Instances

In previous releases, to correctly configure post data preservation, a separate agent profile was required in AM for each agent instance. From this release, a single agent profile can be used for multiple agent instance.

Use this feature for scalable deployments, where resources are dynamically created or destroyed. For more information, see Create an Agent Profile for Multiple Agent Instances When POST Data Preservation is Enabled and Map One Agent Profile to Multiple Agent Instances When POST Data Preservation is Enabled.

NGINX Plus R25

The NGINX Plus R25 platform is available in this release.

What’s New in Web Agent 5.9

Keep Session Cache After Configuration Change

Retain Session Cache After Configuration Change is a new property to stop the agent from purging the session cache each time the agent configuration is changed. Use this property to prevent the agent from flooding AM instances with requests, when the agent configuration changes regularly, and the changes do not affect the agent authorisation decisions.

Profile, Response, and Session Attributes Take Multiple Values

The following properties can now take multiple values:

Reduced Authentication Requests to AM

The agent reads its configuration from AM in the following situations:

  • When it connects to AM

  • After a configuration change

  • When it authenticates with AM

If the AM server is flooded with requests from the agent, it can become unresponsive, causing the agents to stop functioning normally and refuse access.

In previous releases, after a configuration update each request thread retrieved the new configuration, and re-authenticated with AM.

In this release, a single request thread retrieves the new configuration, and re-authenticates with AM only if necessary. Concurrent request threads wait for the time specified by TCP Receive Timeout for the retrieving request thread to complete, and then they use the new configuration.

Copyright © 2010-2024 ForgeRock, all rights reserved.