---
title: New in Web Agent 2024.x
description: Web Agent 2024.11.2 is a maintenance release that introduces security enhancements and fixes.
component: web-agents
version: release-notes
page_id: web-agents::whats-new-2024
canonical_url: https://docs.pingidentity.com/web-agents/release-notes/whats-new-2024.html
section_ids:
  web_agent_2024_11_x: Web Agent 2024.11.x
  whats-new-2024.11.2: Web Agent 2024.11.2
  whats-new-2024.11.1: Web Agent 2024.11.1
  whats-new-2024.11: Web Agent 2024.11
  request-handling: Request handling
  agent-authentication: Agent authentication to Advanced Identity Cloud and AM
  userid-audit-logs: Include userId in audit logs
  whats-new-2024.9: Web Agent 2024.9
  prometheus-monitoring: Prometheus monitoring
  jwt-signature-validation: JWT signature validation
  tls13-security-protocol: TLSv1.3 security protocol
  tls-key-logging: TLS key logging
  whats-new-2024.6: Web Agent 2024.6
  override-request-protocol-host-port: Overrides for request protocol, host, and port
  audit: Audit
  whats-new-2024.3: Web Agent 2024.3
  hardened-security-20243: Hardened security of agent secrets
  flexibility_when_client_ip_validation_fails: Flexibility when client IP validation fails
  warnings_for_tls_certificates_validation: Warnings for TLS certificates validation
  isapi_web_agent: ISAPI Web Agent
  key_rotation_with_the_agentadmin_command: Key rotation with the agentadmin command
---

# New in Web Agent 2024.x

## Web Agent 2024.11.x

### Web Agent 2024.11.2

Web Agent 2024.11.2 is a maintenance release that introduces security enhancements and fixes.

### Web Agent 2024.11.1

Web Agent 2024.11.1 is a maintenance release. It contains no new features.

### Web Agent 2024.11

Web Agent 2024.11 is a minor release that introduces new features, functional enhancements, and fixes.

#### Request handling

We've made changes to the Web Agent to improve the security of handling requests from upstream Java servers.

The agent now rejects unsafe uses of path parameters with an `HTTP 400` in the following scenarios:

* The request contains one or more `%2F` or `%2f` (encoded forward slash) characters in the path parameters.

* The request contains one or more `%5C` or `%5c` (encoded backslash) characters in the path parameters on a Windows server.

* The request includes empty path segments or dot path segments with path parameters. Some example unsafe uses include:

  * `/;/`

  * `/..;`

  * `/.;`

  * `/..;parameter/`

  Legitimate uses of `;` as a path parameter are still permitted. For example, the agent won't reject this request with the `jsessionid` parameter: `/segment1/segment2/;jsessionid=1234`

|   |                                                                                                                |
| - | -------------------------------------------------------------------------------------------------------------- |
|   | Path parameters (also known as matrix parameters) are used by J2EE and Spring-based Java servers in URL paths. |

Learn more in [Path traversal attempts](https://docs.pingidentity.com/web-agents/2024.11/security-guide/threats.html#path-traversal-attempts).
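The following added example (not Ping Identity code) applies the rules listed above to access-log lines, which can show which existing requests would start receiving `HTTP 400` after an upgrade. The function names and sample log lines are constructed for illustration, and the handling of empty segments is an interpretation of the examples on this page rather than the agent's documented algorithm.

```python
import re
from typing import Optional

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def unsafe_path_params(target: str, windows: bool = False) -> Optional[str]:
    """Return which listed rule a request target matches, or None if it matches none."""
    path = target.split("?", 1)[0]      # path parameters belong to the path, not the query
    segments = path.split("/")[1:]      # drop the empty piece before the leading "/"
    for index, segment in enumerate(segments):
        if ";" not in segment:
            continue                    # segment carries no path parameters
        name, params = segment.split(";", 1)
        lowered = params.lower()
        if "%2f" in lowered:
            return "encoded forward slash in path parameters"
        if windows and "%5c" in lowered:
            return "encoded backslash in path parameters"
        if name in (".", ".."):
            return "dot segment with path parameters"
        # Assumption: an empty segment name is tolerated only as the final
        # segment with a non-empty parameter (the jsessionid case on this page).
        is_last = index == len(segments) - 1
        if name == "" and not (is_last and params):
            return "empty segment with path parameters"
    return None

def audit_access_log(lines, windows=False):
    """Return (target, reason) for each logged request that matches a rule."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            reason = unsafe_path_params(match.group(1), windows)
            if reason:
                findings.append((match.group(1), reason))
    return findings

# Constructed sample access-log lines (not taken from a real deployment).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2024:10:00:01 +0000] "GET /segment1/segment2/;jsessionid=1234 HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Nov/2024:10:00:02 +0000] "GET /app/..;parameter/ HTTP/1.1" 200 128',
    '198.51.100.7 - - [12/Nov/2024:10:00:03 +0000] "GET /app/report;name=a%2Fb HTTP/1.1" 200 64',
    '198.51.100.7 - - [12/Nov/2024:10:00:04 +0000] "GET /app/file;dir=c%5Ctmp HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for target, reason in audit_access_log(SAMPLE_LOG):
        print(f"{target}: {reason}")
```

Pass `windows=True` when the agent runs on a Windows server so that the encoded-backslash rule is also applied.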

#### Agent authentication to Advanced Identity Cloud and AM

Web Agent authenticates to Advanced Identity Cloud and AM using a non-configurable authentication module or the `Agent` authentication journey if it exists.

A new [AM\_AGENT\_AUTH\_MODE](https://docs.pingidentity.com/web-agents/2024.11/installation-guide/installer-env-vars.html#am-agent-auth-mode) installation environment variable controls which authentication method the agent uses. By default, the agent authenticates using the `Agent` journey but falls back to using the deprecated authentication module if authentication fails. This behavior is unchanged from earlier agent versions.

A new [Agent Authentication Mode](https://docs.pingidentity.com/web-agents/2024.11/properties-reference/com.forgerock.agents.config.agent.auth.mode.html) property allows the authentication method to be changed post-installation.

If you use PingAM 7.3 or 7.4 and experience issues with session quotas, set this property or environment variable to `2` to always authenticate using the authentication module.

|   |                                                                                                                                                            |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The default fallback mode is deprecated and will be removed in the next release. The default will change to always authenticate using the `Agent` journey. |

#### Include userId in audit logs

We've made changes to audit logging in the Web Agent to output the `userId` field in the audit logs. Provided the `/access/userId` field is [allowlisted](https://docs.pingidentity.com/pingam/8/security-guide/sec-maint-audit-ref.html#audit-log-whitelist) (which it is by default), the `userId` field is now included in the audit event logs. By default, it is populated with the value of the `universalId` attribute retrieved from the session. For example:

```json
"userId":"id=demo,ou=user,dc=example,dc=com"
```

The following new properties provide additional control over how the universal ID is retrieved:

* [Universal ID Parameter](https://docs.pingidentity.com/web-agents/2024.11/properties-reference/com.sun.identity.agents.config.universal.id.param.html)

* [Universal ID Parameter Type](https://docs.pingidentity.com/web-agents/2024.11/properties-reference/com.sun.identity.agents.config.universal.id.param.type.html)

|   |                                                                                                                                                                         |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The `user` field is currently incorrectly output in the audit logs. This output is deprecated and the `user` field will be removed from audit logs in the next release. |

## Web Agent 2024.9

Web Agent 2024.9 is a minor release that introduces new features, functional enhancements, and fixes.

### Prometheus monitoring

To improve monitoring in the agent, a Prometheus monitoring endpoint is now available at `/agent/metrics`. You can access this endpoint to return Prometheus metrics relevant to your deployment.

Learn more in *Monitor services*.

### JWT signature validation

A new `Validate JWT Signature Locally` property controls how the JWT signature is validated. By default, the property is set to `0`, which doesn't change JWT signature validation.

Set this property to `1` to validate the JWT signature locally.

|   |                                                                                       |
| - | ------------------------------------------------------------------------------------- |
|   | When the JWT signature is validated locally, there is an expected performance impact. |

### TLSv1.3 security protocol

The TLS 1.3 security protocol can now be disabled for OpenSSL if required by adding `-TLSv1.3` to the `Security Protocol List`.

### TLS key logging

TLS key logging is now available for troubleshooting TLS issues between the agent and AM. When enabled, TLS session keys are logged to an SSL key log file.

To troubleshoot TLS issues, enable TLS key logging using one of the following options:

* The new `Enable TLS key logging` property.

* The new `AM_SSL_KEYLOG_ENABLE` installation environment variable.

Then configure the new `AM_SSL_KEYLOG_FILE` environment variable to specify the name of the SSL key log file.

Learn more in *TLS key logging*.

## Web Agent 2024.6

Web Agent 2024.6 is a minor release that introduces new features, functional enhancements, and fixes.

### Overrides for request protocol, host, and port

In certain circumstances, the new property `Disable Override Request URL Port, Host, or Protocol` facilitates access to the agent by bypassing load balancers.

### Audit

The new property `Audit Path as Full URL` is available to manage how the agent includes an HTTP request path in an audit log.

## Web Agent 2024.3

Web Agent 2024.3 is a major release that introduces new features, functional enhancements, and fixes.

### Hardened security of agent secrets

Because of the hardened security of agent secrets, a drop-in software update to this release isn't possible. Upgrading to this release from an earlier release is a major upgrade. Learn more in *Upgrade*.

* Strengthened encryption of agent secrets

  The `agentadmin --k` command now generates a base64-encoded 256-bit random key.

  The `agentadmin --p` command now generates AES-256-GCM encrypted ciphertext.

  The `agentadmin --V` command now verifies that the agent can decrypt the ciphertext.

* Runtime encryption and decryption of on-disk agent secrets

  At runtime, the agent decrypts the agent credentials and then generates a one-time symmetric encryption key to re-encrypt the credentials.

  This feature creates crypto material at runtime. In previous releases, crypto material was created and stored only on-disk.

* Encryption key and ciphertext removed from bootstrap configuration file

  The encryption key and ciphertext are stored in new agent configuration files, `agent-key.conf` and `agent-password.conf`. The following properties are removed from `agent.conf`:

  * `Agent Profile Password`

  * `Private Key Password`

  * `Proxy Server Password`

  * `Agent Profile Password Encryption Key`

  * `Disable Caching of Agent Profile Password Encryption Key`

  For more information, refer to *Agent configuration*.

* Log of decryption errors for agent profile password

  If the agent can't decrypt the password in `Agent Profile Password`, a message is now written to the logs.

* Use of the secret service in PingOne Advanced Identity Cloud and AM

  With PingOne Advanced Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider's secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.

  Learn more from *Create an agent profile* in PingOne Advanced Identity Cloud and *Create agent profiles* in AM.

### Flexibility when client IP validation fails

A new property `Client IP Validation Failure Response` is available to force logout when `Client IP Validation` is `true` and an authenticated request doesn't originate from the IP address used for authentication.

In previous releases, the agent could only return an HTTP 403 Forbidden.

### Warnings for TLS certificates validation

When `Server Certificate Trust` is set to `true`, the agent trusts any server certificate. Validation of the installation with `agentadmin` now returns a warning to set the property to `false` in production environments.

### ISAPI Web Agent

The ISAPI Web Agent is now supported. Learn more from *Install IIS and ISAPI Web Agent*.

### Key rotation with the `agentadmin` command

The `agentadmin` command now provides an option for key rotation. Learn more in *Rotate keys*.
