What’s new

We’ve made changes to the Web Agent to improve the security of handling requests from upstream Java servers.

The agent now rejects unsafe uses of path parameters with an HTTP 400 in the following scenarios:

Learn more in Path traversal attempts.

Web Agent authenticates to Advanced Identity Cloud and AM using a non-configurable authentication module or the Agent authentication journey if it exists.

A new AM_AGENT_AUTH_MODE installation environment variable controls which authentication method the agent uses. By default, the agent authenticates using the Agent journey but falls back to using the deprecated authentication module if authentication fails. This behavior is unchanged from earlier agent versions.

A new Agent Authentication Mode property allows the authentication method to be changed post-installation.

If you use PingAM 7.3 or 7.4 and experience issues with session quotas, set this property or environment variable to 2 to always authenticate using the authentication module.

We’ve made changes to audit logging in the Web Agent to output the userId field in the audit logs. Providing the /access/userId field is allowlisted (which it is by default), the userId field is now included in the audit event logs. It is populated with the value of the universalId attribute retrieved from the session by default. For example:

The following new properties provide additional control over how the universal ID is retrieved:

To improve monitoring in the agent, a Prometheus monitoring endpoint is now available at /agent/metrics. You can access this endpoint to return Prometheus metrics relevant to your deployment.

Learn more in Monitor services.

A new Validate JWT Signature Locally property controls how the JWT signature is validated. By default, the property is set to 0, which doesn’t change JWT signature validatation.

Set this property to 1 to validate the JWT signature locally.

The TLS 1.3 security protocol can now be disabled if required by adding -TLSv1.3 to the Security Protocol List.

TLS key logging is now available for troubleshooting TLS issues between the agent and AM. When enabled, TLS session keys are logged to an SSL key log file.

To troubleshoot TLS issues, enable TLS key logging using one of the following options:

Then configure the new AM_SSL_KEYLOG_FILE environment variable to specify the name of the SSL key log file.

Learn more in TLS key logging.

In certain circumstances, the new property Disable Override Request URL Port, Host, or Protocol facilitates access to the agent by bypassing load balancers.

The new property Audit Path as Full URL is available to manage how the agent includes an HTTP request path in an audit log.

Because of the hardened security of agent secrets, drop-in software update to this release isn’t possible. Upgrade to this release from an earlier release is a major upgrade. Learn more in Upgrade.

A new property Client IP Validation Failure Response is available to force logout when Client IP Validation is true and the IP address of an authenticated request doesn’t originate from the IP address used for authentication.

In previous releases, the agent could only return an HTTP 403 Forbidden.

When Server Certificate Trust is set to true, the agent trusts any server certificate. Validation of the installation with agentadmin now returns a warning to set the property to false in production environments.

The ISAPI Web Agent is now supported. Learn more from Install IIS and ISAPI Web Agent.

The agentadmin command now provides an option for key rotation. Learn more in Rotate keys.

We’ve made changes to the Web Agent to improve the security of handling requests from upstream Java servers.

The agent now rejects unsafe uses of path parameters with an HTTP 400 in the following scenarios:

Learn more in Path traversal attempts.

The TLS 1.3 security protocol can now be disabled if required by adding -TLSv1.3 to the Security Protocol List.

All agent responses that contain JavaScript are now protected by a Content-Security-Policy header.

Examples of responses protected by this change include:

A Dockerfile is now provided to deploy Apache Web Agent to extend and protect an application. For more information, refer to Deploy Web Agent with Docker.

Web Agent 2023.9 supports the following additional platforms:

For more information, refer to Supported operating systems and web servers Web Agent 2023.9.

Apache Web Agent can now be configured with the following Apache directives, globally or independently for different server locations:

For more information, refer to Configure Apache Web Agent.

Web Agent agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.

You can now authenticate Web Agent to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

For more information, refer to Authenticate agents to PingOne Advanced Identity Cloud and Authenticate agents to AM.

An encryption key in agent.conf is used to decrypt credentials for the agent profile, the SSL certificate, and the HTTP proxy. By default, the agent caches the encryption key. A new property Disable Caching of Agent Profile Password Encryption Key is available to disable caching and require the agent to securely wipe the encryption key after it is read.

Use the agentadmin --V command to verify that the agent can decrypt the credentials correctly.

The NGINX Plus R29 platform is available in this release.

In IIS, the agent can now remove the Server header from all responses. To enable the feature, set the Remove IIS HTTP Server Header property to true.

To help manage the amount of stored data, the new property Maximum Number of Debug Log Files is now available to limit the number of rotated log files that the agent stores.

Apache Web Agent now supports SUSE Linux Enterprise 15.

In Apache Web Agent, it is now possible to cause the agent error logs to appear in the Apache log system. For more information, refer to Configure error logs.

In IIS, the agent can now remove the Server header from all responses. To enable the feature, set the Remove IIS HTTP Server Header property (org.forgerock.agents.config.iis.headers.server.disable) to true.

To help manage the amount of stored data, the new property Maximum Number of Debug Log Files is now available to limit the number of debug log files that the agent stores after file rotation.

The wildcard * can now be used in FQDN Virtual Host Map. to match a domain name. Use this feature to pass requests with dynamically allocated hostnames, for example, in Kubernetes deployments, without redirecting them to another domain.

For more information, see FQDN checking.

Authorization flow for applications using Javascript is a new property to enable callbacks into JavaScript applications, after an authentication or transactional authorization journey.

The property provides support for single page applications (SPAs) that use embedded login or authorization dialogs within iframes or embedded tags.

This feature is in Technology Preview, as defined in Release levels and interface stability, for use only with assistance from Ping Identity.

Current limitations:

Use Built-in Apache HTTPD Authentication Directives is a new property to enable Apache Web Agent to use built-in Apache authentication directives, such as AuthName, FilesMatch, and Require for specified not-enforced URLs.

In previous releases, use of built-in Apache authentication directives was not supported. The agent replaced authentication functionality provided by Apache.

In previous releases, to correctly configure POST data preservation, a separate agent profile was required in AM for each agent instance. From this release, a single agent profile can be used for multiple agent instance.

Use this feature for scalable deployments, where resources are dynamically created or destroyed.

For more information, see Create an agent profile for multiple agent instances when POST data preservation is enabled and Map one agent profile to multiple agent instances when POST data preservation is enabled.

When the value of Enable Custom Login Mode is 2, URI fragments were previously lost during login. From this release, URI fragments in the browser are not lost after the custom login procedure.

In previous releases, the pre-authentication cookie, agent-authn-tx, expired when it reached the age configured by Profile Attributes Cookie Maxage. From this release, the pre-authentication cookie expires when the first of the following events occur:

Expiring the cookie immediately after authentication reduces the amount of used header space, and prevents authentication errors and errors in applications that set headers.

The maximum size to which a compressed JWT can be decompressed is now limited to 1 MB, and is not configurable. This change reduces the risk of memory exhaustion DOS by reducing the risk of a decompressed JWT consuming too much available memory.