How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I check that an Agent (All versions) can connect to AM?

Last updated Jan 11, 2023

The purpose of this article is to provide information on checking that an Agent (Web or Java) can connect to AM. The information in this article serves various purposes, including: checking connectivity, checking credentials are correct, checking a valid agent profile exists and verifying the agent can authenticate to AM.

1 reader recommends this article

Checking that an agent can connect

You can perform a number of checks to confirm that an agent can connect to AM, depending on your requirements.

Agent debug logs

The agent debug log will show any exceptions where the agent cannot connect to AM. Some common error messages to look out for include:

  • The agent has timed out waiting for a response from the AM server: Error 1188:3146f40 all: Connection::read(): NSPR Error while reading data:-5961
  • The agent's password is incorrect: Error 15840:7f4df0490760 AuthService: AuthService::processLoginStatus() Exception message=[invalid password] errorCode='103' templateName=login_failed_template.jspYou need to check that the password used to install the agent matches the password set in the Agent's profile in AM.
  • The agent's name is incorrect or the agent profile does not exist in the top level realm: Error 11704:2b3eda287cf0 AuthService: AuthService::processLoginStatus() Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp.You need to check the agent profile exists in the top level realm with the same name.

You can also check the AM CoreSystem debug log, which will show any agent related exceptions where AM cannot connect to the agent.



For an agent to be able to authenticate, agent must be listed as an Identity Type (Realms > [Realm Name] > Authentication > Settings > General > Identity Types). It is included by default, but if it is missing, you will see the following response:

{ "code": 401, "reason": "Unauthorized", "message": "User Requires Profile to Login" }

And should re-add it.

You can make a REST call (from the server on which the agent is installed) to verify that the agent can authenticate to AM. For example: $ curl -X POST -H "X-OpenAM-Username: webagentname" -H "X-OpenAM-Password: webagentpassword" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1"

If authentication is successful, you will receive a response that includes the tokenId that corresponds to the agent session and the URL to which the agent would normally be redirected. This response proves that the agent can connect to AM, their credentials are correct and a valid agent profile exists in AM.

See How do I check that an OAuth 2.0 client can connect to AM (All versions)? for information on checking that an OAuth2 client can connect.

Protected Resource

You can send a request to a URL that is protected by the agent. If the agent can connect to AM, you will be redirected to the login page.

See Also

How do I enable debug logging for troubleshooting Agents (All versions)?

How do I check if AM (All versions) is up and running?

How do I check if a particular AM (All versions) instance is running?

How do I perform a heartbeat check against DS (All versions)?

FAQ: Configuring Agents in Identity Cloud and AM

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.