This presentation shares knowledge about the OpenAM 13.5 Core Token Service (aka CTS). We will talk about:

  • CTS presentation
  • CTS architectural presentation
  • CTS setup
  • Managing CTS tokens
  • CTS monitoring

Transcript :

OPENAM 13.5 – CTS, by Olivier Rivat – Janua’s CTO

  1. Agenda
     ● CTS presentation
     ● CTS architectural presentation
     ● CTS setup
     ● Managing CTS tokens
     ● CTS monitoring
     ● Pointers
  2. CTS: Core Token Service
     ● CTS overview
       – Provides persistent and highly available token storage
       – Dedicated to storing OAuth 2.0, SAML v2.0 and UMA tokens
     ● Requirements
       – OpenDJ only; not compatible with any other LDAP directory
     ● Recommendation
       – Configure an external CTS store for high volume
  3. Architectural Considerations (1)
     ● Two configuration models are available
       – Active/passive: OpenAM’s connection to the CTS token store is limited to a single master instance, with failover instances
       – Affinity: CTS tokens have an affinity for a given directory server instance; OpenAM connects to one or more writable directory server instances, and each instance acts as the master for a subset of CTS tokens
  4. Architectural Considerations (2)
     ● Load balancer
       – Do not put a load balancer in front of the CTS stores
     ● Example:
  5. Steps to configure CTS
     ● Architectural configuration
       – Choose the deployment model: active/passive or affinity
     ● OpenDJ
       – Install and configure OpenDJ in a replicated topology
     ● CTS setup
       – Prepare the OpenDJ directory service for CTS
       – Import the CTS files
       – Create the non-admin user and import the ACI
       – Import and build the CTS indexes
       – Configure CTS in OpenAM
  6. Managing CTS Tokens
     ● CTS token properties
       – Encryption of CTS tokens
       – GZip-based compression of CTS tokens
       – Minimum CTS token lifetime (the token is erased if there is no activity)
     ● Tuning considerations
       – Default queue size (5000)
       – Default activity timeout (120s)
  7. CTS monitoring
     ● SNMP monitoring is available
       – A dedicated CTS MIB is available: FORGEROCK-OPENAM-CTS.mib
       – Can be integrated with supervision tools
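An added example, not part of the slides, that joins the token-lifetime point of slide 6 with the monitoring point of slide 7: an offline check over an LDIF export of the CTS suffix that counts tokens per type and lists tokens whose expiration date has passed but which are still stored, which is what a lagging reaper or a saturated queue looks like from the directory side. The attribute names are those of the OpenAM CTS schema (frCoreToken, coreTokenId, coreTokenType, coreTokenExpirationDate); the base DN, token ids, types, dates and the generalized-time format are assumptions for the constructed sample.

```python
# Added example (not from the slides): offline health check over an LDIF export
# of the CTS suffix. Base DN, ids, types, dates and time format are assumptions.
from collections import Counter
from datetime import datetime, timezone

# Constructed sample, shaped like an ldapsearch export of "(objectClass=frCoreToken)".
SAMPLE_LDIF = """\
dn: coreTokenId=tok-1,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenId: tok-1
coreTokenType: SESSION
coreTokenExpirationDate: 20170101000000Z

dn: coreTokenId=tok-2,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenId: tok-2
coreTokenType: OAUTH
coreTokenExpirationDate: 20991231235959Z
"""

def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, repeated attributes become lists."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:  # sentinel blank line closes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    return entries

def ldap_time(value):
    """LDAP generalized time (assumed YYYYMMDDHHMMSSZ) to a UTC-aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cts_report(ldif_text, now):
    """Count tokens per coreTokenType and list tokens already expired at `now`.
    Expired tokens still present usually mean the reaper is lagging: check the
    queue size / timeout settings and the OpenDJ indexes before adding capacity."""
    by_type, expired = Counter(), []
    for e in parse_ldif(ldif_text):
        if "frCoreToken" not in e.get("objectClass", []):
            continue
        by_type[e["coreTokenType"][0]] += 1
        if ldap_time(e["coreTokenExpirationDate"][0]) <= now:
            expired.append(e["coreTokenId"][0])
    return dict(by_type), expired
```

Run it against a real export by replacing SAMPLE_LDIF with the output of an ldapsearch on the CTS suffix using the non-admin CTS account; a growing expired list over successive runs is the signal to alert on.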
  8. Pointers
     ● OpenAM documentation
       – CTS presentation: https://backstage.forgerock.com/docs/openam/13.5/install-guide/#chap-cts
       – CTS monitoring: https://backstage.forgerock.com/docs/openam/13.5/admin-guide/#snmp-policy-evaluation
     ● Knowledge base articles
       – FAQ: Core Token Service (CTS) and session high availability in OpenAM/AM: https://backstage.forgerock.com/knowledge/kb/article/a23093000
       – Best practice for configuring an external OpenDJ/DS instance for the Core Token Service (CTS) in OpenAM 12.x, 13.x and AM (all versions): https://backstage.forgerock.com/knowledge/kb/article/a46985800


Specialised in IAM (security, access control, identity management) and open-source integration, and founded in 2004 by an IAM industry veteran, JANUA offers high value-added products and services to businesses and governments concerned with identity management and open-source components.
JANUA provides better security, builds relationships, and enables new cloud, mobile, and IoT offerings from any device or connected thing.