Installation environment variables
This section describes Web Agent properties that are configured by environment variables and set during installation.
Use installation environment variables as follows:
- Add environment variables to the command line when you install the agent. For example:
  Linux:
  $ AM_AGENT_AUTH_MODE=1 ./agentadmin --i
  Windows:
  C:\>set AM_AGENT_AUTH_MODE=1
  C:\>agentadmin.exe --i agent_1
- Use installation environment variables with the agentadmin -V[i] command to validate the installation with different parameters. For example:
  Linux:
  $ AM_PROXY_HOST=proxy.host.net AM_PROXY_PORT=8080 AM_PROXY_USER=user AM_PROXY_PASSWORD=pass ./agentadmin --Vi
  Windows:
  C:\>set AM_PROXY_HOST=proxy.host.net
  C:\>set AM_PROXY_PORT=8080
  C:\>set AM_PROXY_USER=user
  C:\>set AM_PROXY_PASSWORD=pass
  C:\>agentadmin.exe --Vi agent_1
You can find details about other environment variables in Environment variables.
AM_AGENT_AUTH_MODE
-
A flag to determine which method the agent uses to authenticate to Advanced Identity Cloud and AM:
- 0 (default): The agent authenticates using the Agent journey, but falls back to using the deprecated authentication module if authentication fails.
  If you use PingAM 7.3 or 7.4 and experience issues with session quotas, set this environment variable to 2 to always authenticate using the authentication module.
- 1: The agent always authenticates using the Agent journey. If this fails, the agent doesn’t try to authenticate using the authentication module.
  This is the recommended setting. Make sure the Agent journey exists. Learn more in Authenticate agents to the identity provider.
- 2: The agent always authenticates using the authentication module. Modules are deprecated and will be removed in a future release.
AM_PROXY_HOST
-
The proxy FQDN, when AM and the agent communicate through a proxy configured in forward proxy mode.
AM_PROXY_PASSWORD
-
The agent password, when AM and the agent communicate through a proxy configured in forward proxy mode, and the proxy requires that the agent authenticates using Basic Authentication.
AM_PROXY_USER
-
The agent username, when AM and the agent communicate through a proxy configured in forward proxy mode, and the proxy requires that the agent authenticates using Basic Authentication.
AM_PROXY_PORT
-
The proxy port number, when AM and the agent communicate through a proxy configured in forward proxy mode.
AM_SSL_KEYLOG_ENABLE
-
A flag to enable TLS key logging during the agent installation process:
- 0 (default): Disable TLS key logging.
- 1: Enable TLS key logging to troubleshoot TLS issues between the agent and AM.
  If you enable TLS key logging, you must specify the name of the SSL key log file in the AM_SSL_KEYLOG_FILE environment variable.
  Only enable TLS key logging when advised by Support. After troubleshooting, disable key logging and remove the SSL key log file.
  Learn more in TLS key logging.
APACHE_RUN_USER
-
The user running the Apache HTTP or IBM HTTP Server. Set this variable before installation when an Apache user is not defined in httpd.conf. This can be the case in non-Red Hat Enterprise Linux-based distributions.
APACHE_RUN_GROUP
-
The group to which the user running the Apache HTTP Server or IBM HTTP Server belongs. Set this variable before installation when an Apache group is not defined in httpd.conf. This can be the case in non-Red Hat Enterprise Linux-based distributions.
AM_SSL_SCHANNEL
-
Use for Windows only, when TLS/SSL is configured in AM or the agent web server.
A flag for whether the agent installation process should use the Windows Secure Channel API:
- 0: Disable Windows Secure Channel API support. The agent uses OpenSSL libraries instead.
  Ensure that the OpenSSL libraries are in the appropriate place, as specified in the OpenSSL library location by operating system table.
- 1: Enable Windows Secure Channel API support.
AM_SSL_KEY
-
Use for OpenSSL only, when TLS/SSL is configured in AM or the agent web server.
When AM is configured to perform client authentication, this environment variable specifies a PEM file that contains the private key corresponding to the certificate specified in the AM_SSL_CERT environment variable. For example:
Unix: /opt/certificates/client-private-key.pem
Windows: C:\Certificates\client-private-key.pem
AM_SSL_PASSWORD
-
Use for OpenSSL only, when TLS/SSL is configured in AM or the agent web server.
When AM is configured to perform client authentication, this environment variable specifies the obfuscated password of the private key configured in the AM_SSL_KEY variable. Configure this variable only if the private key is password-protected.
To obfuscate the password, use the agentadmin --p command:
Unix:
$ /path/to/web_agents/agent_type/bin/agentadmin --p "Encryption Key" "$(cat certificate_password.file)"
Encrypted password value: zck...jtc=
com.forgerock.agents.config.cert.key.password = zck+6RKqjtc=
Windows:
C:\path\to\web_agents\agent_type\bin> agentadmin.exe --p "Encryption_Key" "Certificate_File_Password"
Encrypted password value: zck+6RKqjtc=
AM_SSL_CIPHERS
-
Use for OpenSSL only, when TLS/SSL is configured in AM or the agent web server.
The list of ciphers to support. The list consists of one or more cipher strings separated by colons, as defined in the man page for ciphers at http://www.openssl.org.
For example, HIGH:MEDIUM.
AM_SSL_CERT
-
Use when TLS/SSL is configured in AM or the agent web server.
When AM is configured to perform client authentication, this environment variable specifies a PEM file that contains the certificate chain for the agent.
For example, /opt/certificates/client-cert.pem, C:\Certificates\client-cert.pem (Windows with OpenSSL), or Cert:\LocalMachine\My location (Windows with the Windows Secure Channel API).
AM_SSL_CA
-
When configuring the agent to validate AM’s certificate, this environment variable specifies a PEM file that contains the certificates required to validate AM’s server certificate. For example, /opt/certificates/ca.pem, C:\Certificates\ca.pem (Windows with OpenSSL), or Cert:\LocalMachine\Ca (Windows with the Windows Secure Channel API).
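The constraints this page states for AM_AGENT_AUTH_MODE, AM_SSL_KEYLOG_ENABLE, the AM_PROXY_* variables and AM_SSL_KEY/AM_SSL_PASSWORD can be checked in the shell before agentadmin runs. The following is an added example, not part of the agent or its documentation; it assumes a Linux host using OpenSSL, and check_agent_env is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not vendor code). check_agent_env is a hypothetical helper:
# it prints one finding per line and returns the number of findings.
check_agent_env() {
    findings=0
    note() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    # AM_AGENT_AUTH_MODE: 0 (default), 1 (recommended), 2 (deprecated module).
    case "${AM_AGENT_AUTH_MODE:-0}" in
        1) ;;
        0) note "AUTH_MODE: 0 falls back to the deprecated module; 1 is recommended" ;;
        2) note "AUTH_MODE: 2 always uses the deprecated authentication module" ;;
        *) note "AUTH_MODE: '${AM_AGENT_AUTH_MODE}' is not 0, 1 or 2" ;;
    esac

    # Key logging needs a file name and should be off outside troubleshooting.
    if [ "${AM_SSL_KEYLOG_ENABLE:-0}" = "1" ]; then
        note "KEYLOG: TLS key logging is enabled; disable it after troubleshooting"
        [ -n "${AM_SSL_KEYLOG_FILE:-}" ] || note "KEYLOG: AM_SSL_KEYLOG_FILE is not set"
    fi

    # Proxy credentials only make sense together with a proxy host and port.
    if [ -n "${AM_PROXY_USER:-}${AM_PROXY_PASSWORD:-}" ]; then
        [ -n "${AM_PROXY_HOST:-}" ] && [ -n "${AM_PROXY_PORT:-}" ] ||
            note "PROXY: credentials set without AM_PROXY_HOST and AM_PROXY_PORT"
    fi

    # Client authentication: AM_SSL_PASSWORD is configured only when the PEM
    # key is password-protected (encrypted PEM keys carry "ENCRYPTED").
    if [ -n "${AM_SSL_KEY:-}" ]; then
        if [ ! -r "$AM_SSL_KEY" ]; then
            note "KEY: cannot read $AM_SSL_KEY"
        elif grep -q 'ENCRYPTED' "$AM_SSL_KEY"; then
            [ -n "${AM_SSL_PASSWORD:-}" ] ||
                note "KEY: encrypted key but AM_SSL_PASSWORD is not set"
        elif [ -n "${AM_SSL_PASSWORD:-}" ]; then
            note "KEY: AM_SSL_PASSWORD set but the key is not password-protected"
        fi
        [ -n "${AM_SSL_CERT:-}" ] || note "KEY: AM_SSL_KEY set without AM_SSL_CERT"
    fi
    return "$findings"
}
```

Source the file in the shell where the variables are set and call check_agent_env before agentadmin --i or agentadmin --Vi; a non-zero return value is the number of findings printed.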