How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure a Web Agent (All versions) for SSL offloading?

Last updated Sep 22, 2021

The purpose of this article is to provide information on configuring a Web Agent for SSL offloading to ensure the agent can redirect to the goto parameter URL successfully, even if this parameter uses protocol http instead of https.



Configuring an Agent for SSL offloading

You can configure a Web Agent for SSL offloading using either the console or ssoadm:

  • AM 6 and later console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent ID] > Advanced and enable Override Request URL Protocol.
  • AM 5.x console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > Advanced > Load Balancer > Override Request URL Protocol and select the Enabled option.
  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values:
      $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.override.protocol=true

When this is enabled, the protocol part of the incoming request is overridden with the one specified in the com.sun.identity.agents.config.agenturi.prefix property, so you also need to ensure that property is set appropriately.

Note

You should enable this property if the agent sits behind an SSL/TLS offloader, a load balancer or a proxy, and the protocol used by users is different to the protocol used by the agent.

You can set the com.sun.identity.agents.config.agenturi.prefix property using either the console or ssoadm:

  • AM 6 and later console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent ID] > Global > Agent Deployment URI Prefix and specify the correct URI.
  • AM 5.x console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > Global > Profile > Agent Deployment URI Prefix and specify the correct URI.
  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID], [passwordfile] and [URI] with appropriate values:
      $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.agenturi.prefix=[URI]

Example

For example, with the following settings:

Load balancer URL=http://host1.example.com:8080
com.sun.identity.agents.config.override.protocol=true
com.sun.identity.agents.config.agenturi.prefix=https://agent.example.com:443/amagent

When a request is received, the agent overrides the protocol part of the incoming URL (http) with the protocol specified in com.sun.identity.agents.config.agenturi.prefix (https) and uses this for the goto parameter.
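The following script is an added example, not ForgeRock code: it models the protocol override described above so you can check a pair of property values before applying them with ssoadm. The function names, the sample request path and the inline property text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: models the override described in this article (not agent code).

# Constructed sample holding the two properties from the Example section.
SAMPLE_CONFIG='com.sun.identity.agents.config.override.protocol=true
com.sun.identity.agents.config.agenturi.prefix=https://agent.example.com:443/amagent'

# get_prop CONFIG KEY: print the value of KEY, or nothing if it is absent.
get_prop() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            "$2="*) printf '%s\n' "${line#"$2="}"; break ;;
        esac
    done
}

# effective_url CONFIG INCOMING_URL: print the URL the agent would use for goto.
# Only the protocol is replaced; host, port and path come from the request.
effective_url() {
    override=$(get_prop "$1" com.sun.identity.agents.config.override.protocol)
    prefix=$(get_prop "$1" com.sun.identity.agents.config.agenturi.prefix)
    if [ "$override" != "true" ]; then
        printf '%s\n' "$2"          # override disabled: URL is left unchanged
        return 0
    fi
    case $prefix in
        *://*) scheme=${prefix%%://*} ;;
        *) echo "override enabled but agenturi.prefix has no protocol" >&2
           return 1 ;;
    esac
    printf '%s://%s\n' "$scheme" "${2#*://}"
}

# check_offload_config CONFIG: succeed only if the override is enabled and
# the prefix uses https, the combination needed behind an SSL/TLS offloader.
check_offload_config() {
    [ "$(get_prop "$1" com.sun.identity.agents.config.override.protocol)" = "true" ] || return 1
    case $(get_prop "$1" com.sun.identity.agents.config.agenturi.prefix) in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed request as the agent sees it after the offloader strips TLS.
effective_url "$SAMPLE_CONFIG" 'http://host1.example.com:8080/app/index.html'
```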

See Also

How do I configure a Java Agent (All versions) for SSL offloading?

How do I configure SSL offloading at the Agent (All versions) for virtual hosts?

FAQ: SSL/TLS secured connections in AM and Agents

Agents and policies in AM

Configuration for Load Balancers and Reverse Proxies

Overriding Protocol, Host, and Port



Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.