3. CTS: Core Token Service
● CTS Overview
– provides persistent and highly available token storage
– dedicated to storing OAuth 2.0, SAML v2.0, and UMA tokens
● Requirements
– OpenDJ only; not compatible with any other LDAP directory
● Recommendation
– Configure an external CTS store for high-volume deployments
4. Architectural Considerations (1)
● 2 configuration models available
– Active/passive
● OpenAM's connection to the CTS token store is limited to a single master instance, with failover instances
– Affinity
● CTS tokens have an affinity for a given directory server instance
● OpenAM connects to one or more writable directory server instances. Each instance acts as the master for a subset of CTS tokens
6. Steps to configure CTS
● Architectural configuration
– Choose the deployment model: active/passive or affinity
● OpenDJ
– Install and configure OpenDJ in a replicated topology
● CTS setup
– Prepare the OpenDJ Directory Service for CTS
– Import CTS Files
– Non-Admin User Creation and ACI Import
– CTS Index Import and Build
– OpenAM CTS Configuration
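The two CTS setup steps that are most often done by hand, creating a dedicated non-admin bind account with its ACI and building the CTS indexes, can be scripted against the external OpenDJ. The script below is an added example and is not part of the slide deck or ForgeRock's own tooling; host names, ports, backend name, suffix, account DN, the indexed attribute list and the ACI text are assumptions, to be checked against the cts-*.ldif files shipped in the OpenAM WAR (WEB-INF/template/ldif) before running it with DRY_RUN=0. The dsconfig subcommand name is the OpenDJ 3.x one (create-backend-index); OpenDJ 2.6 used create-local-db-index.

```shell
#!/bin/sh
# Added example (not from the slide deck or from ForgeRock): dry-run helper for
# the "Non-Admin User Creation and ACI Import" and "CTS Index Import and Build"
# steps. Every value below is an ASSUMPTION; verify against the cts-*.ldif files
# shipped with OpenAM before running with DRY_RUN=0.

DJ_HOST="${DJ_HOST:-cts-dj1.example.com}"          # assumed OpenDJ host
DJ_LDAP_PORT="${DJ_LDAP_PORT:-1389}"               # assumed LDAP port
DJ_ADMIN_PORT="${DJ_ADMIN_PORT:-4444}"             # assumed admin port
DJ_ADMIN_DN="${DJ_ADMIN_DN:-cn=Directory Manager}"
DJ_PWD_FILE="${DJ_PWD_FILE:-/etc/opendj/dm.pwd}"   # assumed password file, mode 0600
CTS_BASE_DN="${CTS_BASE_DN:-dc=cts,dc=example,dc=com}"   # assumed CTS suffix
CTS_BACKEND="${CTS_BACKEND:-ctsRoot}"              # assumed backend holding the suffix
CTS_USER_DN="uid=openam_cts,ou=admins,${CTS_BASE_DN}"
DRY_RUN="${DRY_RUN:-1}"                            # 1 = only print what would run

# LDIF for a dedicated bind account plus an ACI scoped to the CTS suffix, so
# OpenAM never binds to the token store as the directory superuser.
cts_user_ldif() {
  cat <<EOF
dn: ou=admins,${CTS_BASE_DN}
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: admins

dn: ${CTS_USER_DN}
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: OpenAM CTS service account
sn: openam_cts
uid: openam_cts
userPassword: CHANGE-ME-before-use

dn: ${CTS_BASE_DN}
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "OpenAM CTS service account"; allow (all) userdn="ldap:///${CTS_USER_DN}";)
EOF
}

# Connection arguments shared by the OpenDJ admin tools (admin port, LDAPS).
admin_args() {
  printf -- '--hostname %s --port %s --bindDN "%s" --bindPasswordFile %s --trustAll' \
    "$DJ_HOST" "$DJ_ADMIN_PORT" "$DJ_ADMIN_DN" "$DJ_PWD_FILE"
}

# ldapmodify command that imports the LDIF above over the LDAP port.
cts_user_import_command() {
  printf 'ldapmodify --hostname %s --port %s --bindDN "%s" --bindPasswordFile %s --filename cts-user-aci.ldif\n' \
    "$DJ_HOST" "$DJ_LDAP_PORT" "$DJ_ADMIN_DN" "$DJ_PWD_FILE"
}

# One create-backend-index per attribute that token lookups and the reaper
# search on (assumed list; cts-indices.ldif is authoritative). Date attributes
# also get an ordering index for the reaper's expiry-range searches. Ends with
# an online rebuild so entries already in the backend are indexed too.
cts_index_commands() {
  for attr in coreTokenExpirationDate coreTokenUserId coreTokenType \
              coreTokenString01 coreTokenInteger01 coreTokenDate01; do
    case "$attr" in
      coreTokenExpirationDate|coreTokenDate01)
        types='--set index-type:equality --set index-type:ordering' ;;
      *)
        types='--set index-type:equality' ;;
    esac
    printf 'dsconfig create-backend-index %s --no-prompt --backend-name %s --index-name %s %s\n' \
      "$(admin_args)" "$CTS_BACKEND" "$attr" "$types"
  done
  printf 'rebuild-index %s --baseDN "%s" --rebuildAll\n' "$(admin_args)" "$CTS_BASE_DN"
}

main() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "# --- LDIF that would be imported ---"; cts_user_ldif
    echo "# --- commands that would run ---"; cts_user_import_command; cts_index_commands
    return 0
  fi
  cts_user_ldif > cts-user-aci.ldif
  chmod 600 cts-user-aci.ldif          # carries the initial service-account password
  { cts_user_import_command; cts_index_commands; } | while IFS= read -r cmd; do
    echo "+ $cmd"; eval "$cmd"
  done
}

main "$@"
```

Run it once with the default DRY_RUN=1 to review the LDIF and the exact dsconfig and rebuild-index invocations, then again with DRY_RUN=0 on the OpenDJ host. The rebuild is a single online task at the end rather than one per index, and the index set is deliberately small: add only the attributes the shipped cts-indices.ldif lists, since each extra ordering index costs write throughput on a store that is updated on every token create and refresh.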
8. CTS monitoring
● SNMP monitoring available
– Dedicated CTS MIB available: FORGEROCK-OPENAM-CTS.mib
– Can be integrated with supervision (monitoring) tools
9. Pointers
● OpenAM Documentation
– CTS presentation:
https://backstage.forgerock.com/docs/openam/13.5/install-guide/#chap-cts
– CTS monitoring:
https://backstage.forgerock.com/docs/openam/13.5/admin-guide/#snmp-policy-evaluation
● Knowledge base articles
– FAQ: Core Token Service (CTS) and session high availability in OpenAM/AM
https://backstage.forgerock.com/knowledge/kb/article/a23093000
– Best practice for configuring an external OpenDJ/DS instance for the Core Token Service (CTS) in OpenAM 12.x, 13.x and AM (All versions)
https://backstage.forgerock.com/knowledge/kb/article/a46985800