Web Agent, centralized, websocket, …


This topic has 2 replies, 2 voices, and was last updated 4 years, 1 month ago by david.bate.


    Greetings, my question is about the mechanism used by the Web Agent (V5) to get its configuration from OpenAM (13.5), when centralized repository location is selected.

    In agent.conf:

    com.sun.identity.agents.config.repository.location = centralized
    # this is my load balancer OpenAM
    com.sun.identity.agents.config.naming.url = https://openam.example.com:8555/auth
    # from the doc I read, this is not used in V5
    # com.sun.identity.client.notification.url = NOTHING!

    From what I understand, the agent will connect to OpenAM at https://openam.example.com:8555/auth to authenticate and authorize. How does it get its centralized configuration? Through the same connection? Or does OpenAM initiate a connection back to the agent?

    The doubt comes from the fact that our security guy is seeing connections from OpenAM to the public URL of our site. Almost like OpenAM wants to talk to the agents, by going out on the web and coming back like clients, on the public URL.

    Another thing I heard was that the web agent establishes a WebSocket to OpenAM. Others told me it was the other way around, OpenAM creates the WebSocket.

    So what is it? Which component initiates the connection? Do I need to open anything in the firewall, load balancer, Apache proxy to let some traffic go through?

    Thank you for any hints!


    Sniffer traces confirm that the server connects to the Web Agent through the configured FQDN of the site. Firewall will have to be open, if security allows it. Otherwise I will have to configure an “internal only” VirtualHost to handle this traffic.



    The old Agents 4.x and lower used Notification URLs. This was from AM to Agent.

    For the 5.x Agents, it is my understanding that the way the WebSockets work is that each Agent opens up a WebSocket to the backend AM. The WebSocket is from the agent to the AM.

    It’s detailed partially here:

    Document new property for websocket balancing

    This property is used to define the interval by which agents open a new websocket connection and close the existing one

    The new property: org.forgerock.openam.agents.config.balance.websocket.connection.interval.in.minutes

    is used so that this Web Socket connection from all the Agents to AM, will be distributed to different AM servers.

    Hope this helps!
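
To settle from a capture which side opens each connection, and whether a firewall is dropping any of them, the following added example (not code from any poster or from ForgeRock) parses `tcpdump -nn` text output and counts connection attempts by initiator. The sample capture, the IP addresses and port 443 are constructed for illustration; only port 8555 comes from the thread.

```python
import re
from collections import Counter

# Constructed tcpdump -nn text output (IPv4 only). Assumed for illustration:
# 10.0.0.5 = web agent host, 10.0.1.10 = OpenAM host, 443 = public site port.
SAMPLE = """\
12:00:01.000100 IP 10.0.0.5.51234 > 10.0.1.10.8555: Flags [S], seq 1000, win 64240, length 0
12:00:01.000300 IP 10.0.1.10.8555 > 10.0.0.5.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.000400 IP 10.0.0.5.51234 > 10.0.1.10.8555: Flags [.], ack 1, win 502, length 0
12:00:07.120000 IP 10.0.1.10.40022 > 10.0.0.5.443: Flags [S], seq 3000, win 64240, length 0
12:00:07.120200 IP 10.0.0.5.443 > 10.0.1.10.40022: Flags [S.], seq 4000, ack 3001, win 65160, length 0
12:00:09.500000 IP 10.0.0.5.51240 > 10.0.1.10.8555: Flags [S], seq 5000, win 64240, length 0
12:00:10.500000 IP 10.0.0.5.51240 > 10.0.1.10.8555: Flags [S], seq 5000, win 64240, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def initiators(capture_text):
    """Return (attempts per (initiator, responder, port), unanswered 4-tuples)."""
    seen = set()       # 4-tuples that sent a bare SYN; retransmits count once
    answered = set()   # 4-tuples whose SYN received a SYN-ACK
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group("src", "sport", "dst", "dport")
        if m["flags"] == "S":          # bare SYN: src is opening the connection
            key = (src, sport, dst, dport)
            if key not in seen:
                seen.add(key)
                counts[(src, dst, int(dport))] += 1
        elif m["flags"] == "S.":       # SYN-ACK: reply to the reversed 4-tuple
            answered.add((dst, dport, src, sport))
    # A SYN with no SYN-ACK is what a silent firewall drop looks like.
    return counts, sorted(seen - answered)

if __name__ == "__main__":
    counts, unanswered = initiators(SAMPLE)
    for (src, dst, port), n in sorted(counts.items()):
        print(f"{src} -> {dst}:{port}  attempts={n}")
    for src, sport, dst, dport in unanswered:
        print(f"no SYN-ACK seen: {src}:{sport} -> {dst}:{dport}")
```

Feed it the text output of a capture taken on the agent or OpenAM host in place of `SAMPLE`; the initiator of each flow is the source of the bare SYN, regardless of which way data later flows.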
