How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I set up a monitoring page for the load balancer in front of Web Agents (All versions) for health checks?

Last updated Sep 22, 2021

The purpose of this article is to provide information on setting up a monitoring page for the load balancer in front of Web agents. Creating a monitoring page is best practice for health checking when you have a load balancer in front of your Web agents. This article assumes you have already configured your load balancer and agents.



Overview

Creating a monitoring page on the server being protected by the Web agent means you can eliminate the agent being involved in the load balancer's health check.

This monitoring page should be an unprotected resource and exist on the Not Enforced URL list. Even though the URL is on the Not Enforced URL list, the agent is still invoked each time the load balancer checks the monitoring page to determine whether the resource needs protecting or not; this means you can use this configuration to check if the agent is responding without the need for policy evaluation.

Note

If you want to remove the reliance on the agent from your load balancer checks, that is, prevent the agent being invoked, you can use fallback mode. Once you have configured your monitoring page and added it to the Not Enforced URL list, you can configure fallback mode as described in Not-Enforced URL and IP. There is a known issue with this in some versions: AMAGENTS-3303 (Fallback mode does not work reliably). This is fixed in Web agents 5.6.3.

Creating a monitoring page

You can create a monitoring page as follows:

  1. Create a monitor.html file on one of the servers being protected by the Web agent. This file can simply contain the HTML tags; for example, you can use the printf command to create it as follows:
     $ printf '<HTML>\n</HTML>' > monitor.html
  2. Add the URL for this monitoring page to the Not Enforced URL list for this server:
    • Console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > Application > Not Enforced URLs and add the URL for the monitoring page, for example: http://www.host1.example.com:8080/monitor.html
    • ssoadm: enter the following command:
      $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.notenforced.url[0]=[URL]
      replacing [realmname], [agentname], [adminID], [passwordfile] and [URL] with appropriate values.
  3. Repeat steps 1 and 2 on each server being protected by the Web agent.

The load balancer will now check the monitoring page URL, for example, http://www.host1.example.com:8080/monitor.html on each server to check if the server is up.

You can check this by navigating to the monitoring page URL and observing that you do not need to log in; if you check the agent debug log (when the debug level is set to All) you will see that the agent has been invoked to determine if the resource needs protecting and matches the URL on the Not Enforced URL list. For example:

2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list(http://host1.example.com:8080/monitor.html): matched 'http://host1.example.com:8080/monitor.html' entry in not-enforced list
2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list: Allowing access to http://host1.example.com:8080/monitor.html
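
The debug-log check above can be scripted so that it also reports any other URL that bypassed enforcement through the Not Enforced URL list. This is an added example, not ForgeRock code: the function names are hypothetical, the line format is taken from the two debug lines shown above, and the wildcard entry and /admin/status.html lines in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit a Web agent debug log for not-enforced decisions.
# The line format is taken from the two sample debug lines in this article.

# Print each distinct URL the agent allowed via the Not Enforced URL list.
# Reads the debug log on stdin.
allowed_urls() {
    awk '
        {
            sub(/\r$/, "")   # tolerate CRLF log files
            marker = "in_not_enforced_list: Allowing access to "
            pos = index($0, marker)
        }
        pos { print substr($0, pos + length(marker)) }
    ' | sort -u
}

# Succeed if the monitoring URL ($1) was allowed as a not-enforced resource.
monitor_allowed() {
    allowed_urls | grep -Fx -- "$1" >/dev/null
}

# Print URLs other than the monitoring URL ($1) that bypassed enforcement.
# Any output means the Not Enforced URL list covers more than the health check.
unexpected_allowed() {
    allowed_urls | grep -Fxv -- "$1" || true
}

# Constructed sample log: lines 1-2 are the article's, lines 3-4 are invented
# to show an over-broad entry (the wildcard and the /admin/ path are assumptions).
sample_log() {
cat <<'EOF'
2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list(http://host1.example.com:8080/monitor.html): matched 'http://host1.example.com:8080/monitor.html' entry in not-enforced list
2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list: Allowing access to http://host1.example.com:8080/monitor.html
2016-08-16 20:34:10.117 Debug 65819:7f22ec000950 all: in_not_enforced_list(http://host1.example.com:8080/admin/status.html): matched 'http://host1.example.com:8080/*' entry in not-enforced list
2016-08-16 20:34:10.117 Debug 65819:7f22ec000950 all: in_not_enforced_list: Allowing access to http://host1.example.com:8080/admin/status.html
EOF
}

MONITOR_URL='http://host1.example.com:8080/monitor.html'
if sample_log | monitor_allowed "$MONITOR_URL"; then
    echo "monitoring page is not enforced"
fi
sample_log | unexpected_allowed "$MONITOR_URL" | sed 's/^/unexpected not-enforced access: /'
```

To audit a real agent, pipe its debug log (with the debug level set to All) into the functions in place of sample_log.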

See Also

How do I define a list of Not Enforce URLs that Web Agents can ignore for authentication purposes in AM (All versions)?

How do I configure a Web Agent (All versions) for SSL offloading?

FAQ: Configuring Agents in Identity Cloud and AM

Agents and policies in AM

Not-Enforced URL and IP

FQDN Checking


Related Issue Tracker IDs

OPENAM-5693 (RFE: Web Agent to provide means of monitoring health and active state of Agent to AM communication)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.