July 19, 2018 at 8:57 pm #22572 martin.bertrand (Participant)
Greetings, my question is about the mechanism used by the Web Agent (V5) to get its configuration from OpenAM (13.5) when the centralized repository location is selected.
com.sun.identity.agents.config.repository.location = centralized
# this is my load balancer OpenAM
com.sun.identity.agents.config.naming.url = https://openam.example.com:8555/auth
# from the doc I read, this is not used in V5
# com.sun.identity.client.notification.url = NOTHING!
[...] THE REST OF THE CONFIG
From what I understand, the agent will connect to OpenAM at https://openam.example.com:8555/auth to authenticate and authorize. How does it get its centralized configuration? Through the same connection? Or does OpenAM initiate a connection back to the agent?
The doubt comes from the fact that our security guy is seeing connections from OpenAM to the public URL of our site. Almost as if OpenAM wants to talk to the agents by going out on the web and coming back in like a client, on the public URL.
Another thing I heard was that the web agent establishes a WebSocket to OpenAM. Others told me it was the other way around, OpenAM creates the WebSocket.
So what is it? Which component initiates the connection? Do I need to open anything in the firewall, load balancer, Apache proxy to let some traffic go through?
Thank you for any hints!

July 23, 2018 at 5:43 pm #22590 martin.bertrand (Participant)
Sniffer traces confirm that the server connects to the Web Agent through the configured FQDN of the site. The firewall will have to be opened, if security allows it. Otherwise I will have to configure an "internal only" VirtualHost to handle this traffic.

August 3, 2018 at 10:40 pm #22728 david.bate (Participant)
The old Agents 4.x and lower used Notification URLs. This was from AM to Agent.
For the 5.x Agents, it is my understanding that the WebSockets work like this: each Agent opens a WebSocket to the backend AM. The WebSocket is from the agent to the AM.
It’s detailed partially here:
Document new property for websocket balancing
This property is used to define the interval at which agents open a new WebSocket connection and close the existing one.
The new property org.forgerock.openam.agents.config.balance.websocket.connection.interval.in.minutes is used so that the WebSocket connections from all the Agents to AM will be distributed across different AM servers.
Hope this helps!
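The thread turns on a single question: which side sends the first packet. The quickest way to settle that from a sniffer trace is to look for the bare SYN, which only the initiator ever sends. The following is an added example, not code from this thread or from ForgeRock: it parses the text output of tcpdump -n (a constructed sample with made-up addresses, ports and hypothetical role labels), groups segments into connections, reports which endpoint opened each one, flags flows whose SYN was never answered (the firewall case the poster worried about), and refuses to guess for flows captured mid-stream.

```python
"""Work out which side opened each TCP connection in a tcpdump text capture.

The endpoint that sends the bare SYN (tcpdump prints ``Flags [S]``) is the
client; the peer answers with SYN-ACK (``Flags [S.]``).  If the capture only
holds mid-stream segments for a flow, the initiator cannot be determined from
that trace and is reported as unknown rather than guessed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of ``tcpdump -n`` output for this example.  Addresses,
# ports and timestamps are made up; nothing here comes from the thread above.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.44512 > 10.0.0.20.8555: Flags [S], seq 1000, win 64240, length 0
12:00:01.000200 IP 10.0.0.20.8555 > 10.0.0.5.44512: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:01.000300 IP 10.0.0.5.44512 > 10.0.0.20.8555: Flags [.], ack 1, win 502, length 0
12:00:02.000001 IP 10.0.0.20.51000 > 203.0.113.10.443: Flags [S], seq 2000, win 64240, length 0
12:00:02.000150 IP 203.0.113.10.443 > 10.0.0.20.51000: Flags [S.], seq 7000, ack 2001, win 65535, length 0
12:00:03.000001 IP 10.0.0.7.40000 > 10.0.0.20.8555: Flags [P.], seq 1:201, ack 1, win 502, length 200
12:00:04.000001 IP 10.0.0.20.52000 > 203.0.113.10.8443: Flags [S], seq 3000, win 64240, length 0
12:00:05.000001 IP 10.0.0.20.52000 > 203.0.113.10.8443: Flags [S], seq 3000, win 64240, length 0
"""

# Hypothetical role labels for the constructed addresses (an assumption for
# this example, not taken from the post).
HOSTS = {
    "10.0.0.5": "web-agent-1",
    "10.0.0.7": "web-agent-2",
    "10.0.0.20": "openam",
    "203.0.113.10": "site-public-vip",
}

# Matches the default tcpdump -n line format for IPv4 TCP segments.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

Endpoint = Tuple[str, int]


@dataclass
class Flow:
    a: Endpoint                      # the two endpoints, in sorted order
    b: Endpoint
    initiator: Optional[str] = None  # IP that sent the bare SYN, if captured
    syn_ack_seen: bool = False       # peer answered, so the path is open

    @property
    def server(self) -> Optional[Endpoint]:
        """Endpoint the initiator connected to, or None if the initiator is unknown."""
        if self.initiator is None:
            return None
        return self.b if self.a[0] == self.initiator else self.a


def parse_packets(text: str):
    """Yield (src, sport, dst, dport, flags) for every parsable tcpdump line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def find_flows(text: str) -> Dict[Tuple[Endpoint, Endpoint], Flow]:
    """Group segments into connections and record who opened each one."""
    flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}
    for src, sport, dst, dport, flags in parse_packets(text):
        a, b = sorted([(src, sport), (dst, dport)])
        flow = flows.setdefault((a, b), Flow(a, b))
        if flags == "S":            # bare SYN: src is the client (retransmits are harmless)
            flow.initiator = src
        elif flags == "S.":         # SYN-ACK: the server replied, so nothing blocked the SYN
            flow.syn_ack_seen = True
    return flows


def connections_opened_by(text: str, ip: str) -> List[Tuple[str, int, bool]]:
    """(server_ip, server_port, syn_ack_seen) for every connection `ip` opened."""
    result = []
    for flow in find_flows(text).values():
        if flow.initiator == ip:
            srv_ip, srv_port = flow.server
            result.append((srv_ip, srv_port, flow.syn_ack_seen))
    return sorted(result)


def describe(text: str, hosts: Dict[str, str] = HOSTS) -> List[str]:
    """One human-readable line per connection, naming the initiating side."""
    def name(ip: str) -> str:
        return hosts.get(ip, ip)

    lines = []
    for flow in find_flows(text).values():
        if flow.initiator is None:
            lines.append(f"{name(flow.a[0])}:{flow.a[1]} <-> {name(flow.b[0])}:{flow.b[1]}: "
                         "initiator unknown (no SYN in capture)")
            continue
        srv_ip, srv_port = flow.server
        status = "handshake answered" if flow.syn_ack_seen else "no SYN-ACK seen (filtered?)"
        lines.append(f"{name(flow.initiator)} -> {name(srv_ip)}:{srv_port}: "
                     f"initiated by {name(flow.initiator)}, {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_CAPTURE)))
```

Feed it the text saved from tcpdump -n on the agent or AM host (only the Flags [...] field is needed). Two caveats matter when reading the result: a capture started after the handshake contains no SYN for that flow, so the script reports the initiator as unknown instead of guessing from port numbers; and a SYN with no matching SYN-ACK, especially when it repeats, is what a dropped or filtered connection looks like, which is exactly the firewall question raised above.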