OPENAM 13.5 - Core Token Service
1 like1,128 views
This document discusses the Core Token Service (CTS) in OpenAM 13.5. It provides an overview of CTS and its requirements. It also covers the architectural considerations for CTS including active/passive and affinity configurations. Additionally, it outlines the steps to configure CTS including OpenDJ setup, CTS files import, and OpenAM configuration. Managing CTS tokens and monitoring CTS with SNMP are also addressed. Pointers to documentation and knowledge base articles on CTS are provided.
OPENAM 13.5 - Core Token Service
- 1. – – – OPENAM 13.5 - CTS Olivier Rivat orivat@janua.fr 6 November 2017
- 2. Agenda ● CTS Presensation ● CTS architectural presentation ● CTS setup ● Managing CTS tokens ● CTS monitoring ● pointers
- 3. CTS : Core Token Service ● CTS Overview – provides persistent and highly available token storage – dedicated to store OAuth 2.0, SAML v2.0, and UMA tokens ● Requirements – OpenDJ only, not compatible with any other ldap ● Recommendation – Configure external CTS for high Volume
- 4. Architectural Considerations (1) ● 2 configuration models available – Active/passive ● OpenAM's connection to the CTS token store is limited to a single master instance with failover instances – Affinity ● CTS token have an affinity for a given directory server instance ● OpenAM connects to one or more writable directory server instances. Each instance acts as the master for a subset of CTS tokens ●
- 5. Architectural Considerations (2) ● Load Balancer – Do not put a load balancer in front of the CTS Stores ● Example :
- 6. Steps to configure CTS ● Architectural configuration – Choose configuration deployment : Active/passive or affinity ● OpenDJ – Install and configure opendj in a replicated topology ● CTS setup – Prepare the OpenDJ Directory Service for CTS – Import CTS Files – Non-Admin User Creation and ACI Import – CTS Index Import and Build – OpenAM CTS Configuration –
- 7. Managing CTS Tokens ● CTS Token properties – encryption of CTS tokens – GZip-based compression of CTS tokens – minimum CTS token lifetime (token erased, if no activity) ● Tuning consideration – Default queue size (5000) – Default timeout activity (120s)
- 8. CTS monitoring ● SNMP monitoring available – Dedicated cts mib avaialable : FORGEROCK-OPENAM-CTS.mib – Can be integrated within supervision tools
- 9. Pointers ● OPENAM Documentation – CTS presentation: https://backstage.forgerock.com/docs/openam/13.5/install-guide/#chap-c ts – CTS monitoring https://backstage.forgerock.com/docs/openam/13.5/admin-guide/#snmp-p olicy-evaluation ● Knowledge base articles – FAQ: Core Token Service (CTS) and session high availability in OpenAM/AM https://backstage.forgerock.com/knowledge/kb/article/a23093000 – Best practice for configuring an external OpenDJ/DS instance for the Core Token Service (CTS) in OpenAM 12.x, 13.x and AM (All versions) https://backstage.forgerock.com/knowledge/kb/article/a46985800