How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure SSL offloading at the Agent (All versions) for virtual hosts?

Last updated Sep 22, 2021

The purpose of this article is to provide information on configuring SSL offloading at the Agent (Web and Java) for virtual hosts. It is assumed that you have correctly configured your virtual hosts for SSL; you must specify the SSL parameters in all the ssl vhost sections rather than just the default ssl vhost.



Configuring SSL offloading at the Agent

You can configure SSL offloading at the agent using either the console or ssoadm:

  • AM 6 and later console: navigate to: Realms > [Realm Name] > Applications > Agents > Web or Java > [Agent ID] > Global > FQDN Virtual Host Map and enter the virtual host domain name you want to map in the 'Map Key' field and the actual FQDN in the 'Corresponding Map Value' field.
  • AM 5.x console: navigate to: Realms > [Realm Name] > Applications > Agents > Web or J2EE > [Agent Name] > Global > Fully Qualified Domain Name Checking > FQDN Virtual Host Map and enter the virtual host domain name you want to map in the 'Map Key' field and the actual FQDN in the 'Corresponding Map Value' field.
  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID], [passwordfile], [domainname] and [FQDN] with appropriate values:

      $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.fqdn.mapping=[[domainname]]=[FQDN]

    For example, if you have a virtual host domain name of example.net and your FQDN is host1.example.com, you would specify this property as follows in the ssoadm command:

      com.sun.identity.agents.config.fqdn.mapping=[example.net]=host1.example.com

Note

You should set up FQDN mapping for all virtual hosts; if a domain can be reached with and without www, you should specify mapping for both variants. For example, [example.net]=host1.example.com and [www.example.net]=www.host1.example.com

This FQDN mapping will allow you to access the agent on different FQDNs but won't affect how policies are evaluated; the policy rule must still match the requested URL for it to be evaluated. 
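
A coverage check for the note above, as an added example that is not part of the original article or of ForgeRock's tooling: given the agent's FQDN map entries in the `[map key]=FQDN` form shown above and the virtual host names the agent serves, it lists the names that have no map key. The function name, the sample data and the assumption that every host is reachable both with and without www are constructed for illustration.

```shell
#!/bin/sh
# Added example: report virtual hosts that have no key in the agent's FQDN map.

# Constructed sample data: map entries as "[map key]=FQDN", one per line,
# and the virtual host names served behind the agent.
SAMPLE_MAPPINGS='[example.net]=host1.example.com
[www.example.net]=www.host1.example.com
[shop.example.net]=host1.example.com'
SAMPLE_VHOSTS='example.net shop.example.net'

# missing_fqdn_mappings MAPPINGS VHOSTS
#   MAPPINGS: newline-separated "[map key]=FQDN" entries
#   VHOSTS:   whitespace-separated virtual host names
# Prints, sorted and de-duplicated, every host name and www/non-www sibling
# (assumption: both variants are reachable) that has no map key.
missing_fqdn_mappings() {
    mappings=$1
    vhosts=$2
    # Keep the text between the brackets; skip lines that are not
    # "[key]=value". Host names are compared case-insensitively.
    keys=$(printf '%s\n' "$mappings" |
        sed -n 's/^[[:space:]]*\[\([^]]*\)]=..*$/\1/p' |
        tr '[:upper:]' '[:lower:]')
    for host in $vhosts; do
        host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
        case $host in
            www.*) sibling=${host#www.} ;;
            *)     sibling=www.$host ;;
        esac
        for name in "$host" "$sibling"; do
            # -F: literal match, -x: whole line, so "example.net" does not
            # satisfy a lookup for "www.example.net".
            printf '%s\n' "$keys" | grep -Fqx -- "$name" ||
                printf '%s\n' "$name"
        done
    done | sort -u
}

# Stand-alone run on the constructed sample.
missing_fqdn_mappings "$SAMPLE_MAPPINGS" "$SAMPLE_VHOSTS"
```

Each name it prints needs its own `[map key]=FQDN` entry; as the article states, the policy rule must still match the requested URL.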

See Also

How do I configure a Web Agent (All versions) for SSL offloading?

How do I configure a Java Agent (All versions) for SSL offloading?

FAQ: SSL/TLS secured connections in AM and Agents

Agents and policies in AM

FQDN Virtual Host Map

FQDN Map



Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.