How do I configure AM 6.0.0.x to work with older policy agents (Web 4.x and JEE 3.5.x)?

Last updated Jan 5, 2021

The purpose of this article is to provide information on using Web and JEE policy agents with AM 6. This is a supported combination but requires setting the AM Login URL and AM Logout URL for new installs and new agent profiles. Otherwise, you will encounter "unable to find active OpenAM server URL". This article assumes that Restricted Tokens are not enabled.

1 reader recommends this article

Archived

This article has been archived and is no longer maintained by ForgeRock.

Limitations

The experimental REST login mode that was introduced in Web Agents 4.1.0.30 will not work with AM 6.0.0.x. This feature is only officially supported with Web Agents 4.2. If you wish to use this login mode with Web Agents 4.x and AM 6.0.0.x, you must use Web Agents 4.2.
Restricted Tokens in AM 6.0.0.x are not compatible with older agents. It is strongly recommended that you upgrade policy agents to version 5.x before upgrading to AM 6.0.0.x due to a limitation on the usage of restricted tokens with WPA 4.x/JEE Agent 3.5.x. See OPENAM-16357 (enabling Restricted Token (com.sun.identity.enableUniqueSSOTokenCookie=true) causes error when AM checks property value) and OPENAM-16816 (Discrepancy found in AM6 + Older Agents compatibility docs.) for further details.

Configuring AM 6.0.0.x

AM 6 introduced profile changes to support Agents 5, which removed the legacy login and logout URL property values required by older policy agents. If you try to use Web policy agents 4.x or JEE policy agents 3.5.x without setting these properties, you may encounter 403 Forbidden responses and will see the following error in the agent debug.log:

2018-10-11 11:37:26.436 +1000 ERROR [0x7fe007f1c8c0:40] handle_exit(): unable to find active OpenAM server URL

New installs and new profiles

If you have a new install of AM 6 or add a new profile, you must populate the AM Login URL and AM Logout URL using either the console, REST or ssoadm:

Console: navigate to: Realms > [Realm Name] > Applications > Agents > [Web or Java] > [Agent Name] > AM Services and specify both the AM Login URL and AM Logout URL including the realm. The URL should be in the correct format, for example: http://host1.example.com:8080/openam/XUI?realm=/#login/
REST: update the com.sun.identity.agents.config.login.url and com.sun.identity.agents.config.logout.url properties as described in How do I create and update an Agent in AM (All versions) using the REST API?
ssoadm: enter the following command: $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.login.url[0]=[loginURL] com.sun.identity.agents.config.logout.url[0]=[logoutURL] replacing [realmname], [agentname], [adminID], [passwordfile], [loginURL] and [logoutURL] with appropriate values.

Upgrades

If you upgrade to AM 6, existing profiles will not be affected and older policy agents will work without any changes needed.

Caution

Web policy agents 4.x and JEE policy agents 3.5.x are not supported in AM 6.5; you will need to upgrade to the latest Agents 5 release ahead of upgrading to AM 6.5.

Related Training

N/A

Related Issue Tracker IDs

OPENAM-16816 (Discrepancy found in AM6 + Older Agents compatibility docs.)

OPENAM-16357 (enabling Restricted Token (com.sun.identity.enableUniqueSSOTokenCookie=true) causes error when AM checks property value)

AMAGENTS-2070 (AM_AGENT_REST_LOGIN does not work with AM 6)

OPENAM-13565 (agent 4 ft for ssl requires login.url set in profile when using with AM 6)

OPENAM-12666 (Agent OAuth 2 provider does not support custom login URLs)