Web Agent, centralized, websocket, …


This topic contains 2 replies, has 2 voices, and was last updated by david.bate 1 week, 6 days ago.

  • #22572
     martin.bertrand 
    Participant

    Greetings, my question is about the mechanism used by the Web Agent (V5) to get its configuration from OpenAM (13.5), when the centralized repository location is selected.

    In agent.conf:

    com.sun.identity.agents.config.repository.location = centralized
    # this is my load balancer OpenAM
    com.sun.identity.agents.config.naming.url = https://openam.example.com:8555/auth
    # from the doc I read, this is not used in V5
    # com.sun.identity.client.notification.url = NOTHING!
    [...] THE REST OF THE CONFIG

    From what I understand, the agent will connect to OpenAM at https://openam.example.com:8555/auth to authenticate and authorize. How does it get its centralized configuration? Through the same connection? Or does OpenAM initiate a connection back to the agent?

    The doubt comes from the fact that our security guy is seeing connections from OpenAM to the public URL of our site. Almost like OpenAM wants to talk to the agents, by going out on the web and coming back like clients, on the public URL.

    Another thing I heard was that the web agent establishes a WebSocket to OpenAM. Others told me it was the other way around, OpenAM creates the WebSocket.

    So what is it? Which component initiates the connection? Do I need to open anything in the firewall, load balancer, Apache proxy to let some traffic go through?

    Thank you for any hints!

    #22590
     martin.bertrand 
    Participant

    Sniffer traces confirm that the server connects to the Web Agent through the configured FQDN of the site. The firewall will have to be open, if security allows it. Otherwise I will have to configure an “internal only” VirtualHost to handle this traffic.

    #22728
     david.bate 
    Participant

    Hello,

    The old Agents 4.x and lower used Notification URLs. This was from AM to Agent.

    For the 5.x Agents, it is my understanding that the WebSockets work like this: each Agent opens up a WebSocket to the backend AM. The WebSocket is from the agent to the AM.

    It’s detailed partially here:

    AMAGENTS-822
    Document new property for websocket balancing

    This property is used to define the interval by which agents open a new websocket connection and close the existing one

    The new property: org.forgerock.openam.agents.config.balance.websocket.connection.interval.in.minutes

    is used so that the WebSocket connections from all the Agents to AM will be distributed across different AM servers.

    Hope this helps!
    David
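The properties discussed in this thread (repository location, naming URL, the legacy notification URL, and the WebSocket balancing interval) are easy to misconfigure, so here is an added example, not code from the thread or from ForgeRock, of a small lint for an agent.conf-style properties file. It parses `key = value` lines, then reports the settings that matter for the connection direction question above: a non-`https` naming URL, a notification URL that 5.x agents no longer use, and a balancing interval that is missing or not a positive integer. The sample configurations are constructed for the example; the property names are the ones quoted in the posts, and the lint rules themselves are this example's own assumptions about what an administrator would want flagged.

```python
"""Added example: lint an OpenAM/ForgeRock web agent agent.conf-style file.

The property names come from the forum thread; the checks are this
example's own assumptions about what is worth flagging, not product rules.
"""
from urllib.parse import urlparse

REPO_LOCATION = "com.sun.identity.agents.config.repository.location"
NAMING_URL = "com.sun.identity.agents.config.naming.url"
NOTIFICATION_URL = "com.sun.identity.client.notification.url"  # 4.x AM->agent path
WS_BALANCE_INTERVAL = ("org.forgerock.openam.agents.config.balance."
                       "websocket.connection.interval.in.minutes")


def parse_agent_conf(text):
    """Parse 'key = value' lines. '#' starts a comment; blank lines and
    lines without '=' (such as a '[...]' placeholder) are ignored.
    Duplicate keys resolve last-wins, like a flat properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_agent_conf(props):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []

    loc = props.get(REPO_LOCATION)
    if loc != "centralized":
        findings.append(f"repository.location is {loc!r}, expected 'centralized'")

    url = props.get(NAMING_URL)
    if not url:
        findings.append("naming.url is missing; the agent has no AM endpoint to connect to")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.hostname:
            findings.append(f"naming.url {url!r} is not an https URL with a host")

    if props.get(NOTIFICATION_URL):
        findings.append("notification.url is set; this is the 4.x AM-to-agent "
                        "notification path and is not used by 5.x agents")

    interval = props.get(WS_BALANCE_INTERVAL)
    if interval is None:
        findings.append("websocket balance interval is not set (assumption: you want "
                        "agent WebSockets rebalanced across AM servers)")
    elif not interval.isdigit() or int(interval) <= 0:
        findings.append(f"websocket balance interval {interval!r} is not a positive integer")

    return findings


def lint_text(text):
    """Convenience wrapper: parse then lint."""
    return lint_agent_conf(parse_agent_conf(text))


# Constructed sample: the shape of the configuration quoted in the question,
# with the balancing property from the answer added.
SAMPLE_GOOD = """
com.sun.identity.agents.config.repository.location = centralized
# load balancer in front of OpenAM
com.sun.identity.agents.config.naming.url = https://openam.example.com:8555/auth
# com.sun.identity.client.notification.url = NOTHING!
org.forgerock.openam.agents.config.balance.websocket.connection.interval.in.minutes = 30
[...] THE REST OF THE CONFIG
"""

# Constructed sample with several things an administrator would want flagged.
SAMPLE_BAD = """
com.sun.identity.agents.config.repository.location = local
com.sun.identity.agents.config.naming.url = http://openam.example.com:8080/auth
com.sun.identity.client.notification.url = https://www.example.com/agent/notify
org.forgerock.openam.agents.config.balance.websocket.connection.interval.in.minutes = abc
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{name}: {lint_text(sample) or ['no findings']}")
```

Run it against a real agent.conf by reading the file into `lint_text`; an empty list means none of the four properties looked wrong under these (assumed) rules, and the notification URL check in particular gives a quick answer to whether a configuration still carries the old AM-to-agent path.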
