Core Token Service (CTS)
These pages describe how to configure the Core Token Service, and how to manage the tokens stored in it.
Deployment architecture
Choose the best architecture for your deployment.
Configure a dedicated CTS store
Prepare a DS instance to host a dedicated CTS token store.
Manage tokens
Learn how to encrypt and/or compress tokens.
Manage expired CTS tokens
Configure how CTS tokens are pruned after they reach their maximum time-to-live.
Name changes for ForgeRock products
Product names changed when ForgeRock became part of Ping Identity.
The following name changes have been in effect since early 2024:
Old name | New name |
---|---|
ForgeRock Identity Cloud |
PingOne Advanced Identity Cloud |
ForgeRock Access Management |
PingAM |
ForgeRock Directory Services |
PingDS |
ForgeRock Identity Management |
PingIDM |
ForgeRock Identity Gateway |
PingGateway |
Learn more about the name changes in New names for ForgeRock products in the Knowledge Base.
CTS overview
The Core Token Service (CTS) provides generalized, persistent, and highly available storage for sessions and tokens. AM uses CTS as the authoritative source for server-side sessions and caches these sessions in its memory heap to improve performance.
CTS supports session high availability, which lets AM manage a session as long as one of the AM servers in a clustered deployment is available. After a user has successfully authenticated, AM creates a server-side session. Any AM instance that’s configured to use the same CTS can retrieve the session and allow access to it. The user doesn’t need to sign on again unless the entire deployment goes down.
CTS provides storage for the following:
-
Server-side sessions and server-side authentication sessions
-
Session denylist (if enabled for client-side sessions)
-
Authentication session allowlist (if enabled for client-side sessions)
-
SAML 2.0-related data (if enabled for Security Token Service token validation and cancellation)
-
OAuth 2.0 and UMA 2.0 server-side tokens, and OAuth 2.0 client-side token denylist
-
Push notification data during authentication
-
Site-wide notification, such as logout or session termination notifications.
Learn more about these tokens in CTS token types.
The CTS token store is created at installation time in the external configuration store.
In general, the Core Token Service causes more volatile replication traffic due to the possibility of short-lived entries compared to regular configuration data. To handle the data volatility in high-load deployments, configure an additional DS service, separate from your configuration store, to isolate session and token information.
CTS configuration recommendations
CTS helps your deployment avoid single points of failure by providing high availability to sessions and tokens stored in its token store.
For high-volume, demanding deployments, consider the following recommendations:
-
Consider separate CTS storage for high volumes. If you require a higher-level performance threshold, you can move the CTS token storage to one or more dedicated systems rather than sharing your configuration store, as CTS generally causes much more replication traffic than less volatile configuration data. The CTS token store is the primary source for session tokens and will experience both high read and write activity depending on session usage.
-
Isolate different stores for high volumes. CTS entries are large, around 5KB, but are short-lived, whereas configuration data is static and long-lived. User entries are more dynamic than configuration data but much less volatile than CTS data.
For high-volume deployments, consider putting CTS data in a separate DS data store and using different tuning and storage settings
-
Tune DS servers. For high performance, properly size and tune DS servers for your external CTS store.
In addition, you can enable token compression as discussed in Manage CTS tokens. When enabled, token compression reduces load requirements on the network connection between token stores in exchange for processing time-compressing tokens.
-
Limit DS replication traffic over slow links. DS servers replicate CTS data transmitted from AM servers. For each change to a CTS token, DS replication replays the change on all DS servers in the CTS data store. The volume of replication traffic is potentially problematic over slow links.
For high volumes when low latency is required, consider limiting the replication traffic as described in the DS documentation on standalone servers.
Deployment architectures
You can deploy CTS token stores in a number of deployment architectures, depending on your system requirements:
CTS affinity deployment
With affinity load balancing for CTS, AM balances request across available DS servers, always routing LDAP requests for the same CTS token to the same directory server. This prevents AM from reading a token before DS has replicated pending changes. Affinity is well suited for deployments with many AM servers.
Configure AM’s Connection String(s) property using the AM admin UI to use server affinity without a load balancer. For more information on the Connection String(s) property, refer to External store configuration.
Learn more about CTS affinity deployments in the Knowledge Base article Best practice for using Core Token Service (CTS) Affinity based load balancing in PingAM.
The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change. To work around this, either:
|
CTS site deployment
CTS supports uninterrupted session availability in deployments with multiple sites when all sites use the same globally replicated CTS store. If an entire site fails or becomes unavailable, AM servers in another site detect the failure of the site’s load balancer and attempt to use sessions from the global Core Token Service.
In the event of a failure, client applications can connect to an AM server in an active data center.
For details on DS replication, refer to Replication in the PingDS documentation.
Configure CTS token stores
The following table summarizes the high-level tasks you must perform to configure a new instance of the CTS token store:
Task | Resources |
---|---|
Prepare a DS server Prepare the DS schema for CTS data. |
|
Configure AM to use the new CTS token store Configuring a new CTS data store doesn’t migrate existing data from the old store to the new one. Usually, users will need to log in again so that AM stores their sessions and tokens in the new token store. |
|
(Optional) Configure mTLS authentication to the CTS store By default, AM authenticates to the CTS store using simple (username/password) authentication. To enhance security, you can configure mutual TLS (mTLS) authentication which lets AM authenticate using a trusted certificate. |
|
Test session availability For this test, you must have a site with more than one instance. The idea is to log in a user into the first instance, shut it down, and check that the session is still available to the second instance. |
Install and configure PingDS for CTS data
Installing DS with a setup profile creates the required backend, schema, bind user, and indexes:
-
Follow the steps in Install DS for AM CTS in the DS documentation.
-
Share the CTS store certificate with the AM container to prepare for TLS/LDAPS. The CTS store should communicate over secure connections for security reasons.
DS 7 and later requires secure connections by default; therefore, share its certificate with the AM container before continuing.
Share the DS certificate with AM
-
On the DS host, export the DS CA certificate.
DS uses a deployment ID and password to generate a CA key pair. Learn more in Deployment IDs.
Use the
dskeymgr
command to export the CA certificate:$ /path/to/opendj/bin/dskeymgr \ export-ca-cert \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --outputFile /path/to/ca-cert.pem
-
Copy the
ca-cert.pem
file to an accessible location on the AM host.
-
Import the DS certificate into the AM truststore:
$ keytool \ -importcert \ -file /path/to/ca-cert.pem \ -keystore /path/to/openam/security/keystores/truststore
Learn more about configuring AM’s truststore in Prepare the truststore.
-
-
Configure the CTS store in AM.
Refer to Configure the CTS.
The bind DN of the service account to use when configuring the CTS store in AM is
uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens
.
Configure the CTS
This procedure assumes that the AM instances communicate with a single CTS instance (or load balancer),
which has an FQDN of cts.example.com
and is running on port 1636
.
If AM cannot access the CTS token store, you will be unable to log in to the AM admin UI. Back up your deployment before making any changes to your CTS token store configuration. |
Perform the following steps to configure an external CTS token store:
-
In the AM admin UI, go to Configure > Server Defaults, and click CTS.
-
On the CTS Token Store tab, set the following parameters:
CTS Token Store Parameters Parameter Value Notes Store Mode
External Token Store
Root Suffix
ou=famrecords,ou=openam-session,ou=tokens
-
On the External Store Configuration tab, configure the parameters as follows:
External Store Configuration Parameters Parameter Value Notes SSL/TLS Enabled
True
When connecting to DS 7, or a DS server in production mode, enable secure connections. When you enable SSL/TLS, make sure the AM server can trust the DS server certificate and that the certificate matches the CTS store FQDN.
Connection String(s)
cts.example.com:1636
Use the LDAPS port or the LDAP port with StartTLS (
cts.example.com:1389
).Login ID
uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens
The bind DN of the service account AM uses to connect to the directory service.
Password
5up35tr0ng
Use a strong bind password for production systems.
Heartbeat
10
Tune this value for production systems.
-
Save your work.
-
Restart AM or the web container where it runs for the changes to take effect.
Test session availability
To test session availability, use two browsers: Chrome and Firefox. You can use any two browser types, or run the browsers in incognito mode. You can also view tokens using an LDAP browser.
-
In Chrome, log in to the second AM instance with the
amAdmin
user, click the realm, and click Sessions. -
In Firefox, log in to the first AM instance with a test user.
-
In Chrome, verify that the test user exists in the first AM instance’s session list and not in the second instance.
-
Shut down the first AM instance.
-
In Firefox, rewrite the URL to point to the second AM instance.
If successful, the browser won’t prompt for login.
-
Confirm the session is still available.
In Chrome, list the sessions on the second instance and observe the test user’s session.
-
Restart the first AM instance to complete the testing.
Manage CTS tokens
You can configure AM to encrypt or compress CTS tokens as they are stored in the token store. The following properties, disabled by default, are associated with token encryption and compression:
com.sun.identity.session.repository.enableEncryption
-
Supports encryption of CTS tokens. Default:
false
. com.sun.identity.session.repository.enableCompression
-
Enables GZip-based compression of CTS tokens. Default:
false
. com.sun.identity.session.repository.enableAttributeCompression
-
Supports compression over and above the GZip-based compression of CTS tokens. Default:
false
.
Compression can undermine the security of encryption. You should evaluate this threat, according to your use case, before you enable compression and encryption. |
Configure AM to encrypt and compress CTS tokens for storage
When encryption or compression properties are changed, all previous tokens in the LDAP store will be unreadable; thus, invalidating any user’s sessions. As a result, the user will be required to log in again. |
-
Go to Configure > Server Defaults > Advanced.
-
Find the property you want to enable in the Property Name column.
-
Replace the
false
value withtrue
in the Property Value column. -
Click Save Changes.
-
Enable the same property on every AM instance within the site.
Failure to do so may cause unexpected issues storing and reading tokens across the environment.
-
Restart the AM servers for the changes to take effect.
Configuring the CTS to encrypt and store tokens incurs a performance penalty for AM. If you need to encrypt the stored tokens in your environment, consider configuring the CTS token store DS instance to encrypt the data instead. For more information about encrypting a DS instance, see the Data encryption in the PingDS documentation. |
CTS backups and DS replication purge delay
Replication replays each update on all directory servers, so they eventually converge on the same directory, token, session, SAML v2.0, and OAuth 2.0 data. DS data replication ensures directory services remain available for reads and writes when a server crashes or network connection goes down.
The directory servers store historical information to replay updates in the right order.
DS servers periodically purge this historical information to prevent it from growing indefinitely.
The setting that governs how long to retain historical information is the DS replication-purge-delay
.
The default DS replication-purge-delay
is 3 days.
Although this setting is generally appropriate for most data,
it may be too long for volatile CTS data in high-volume deployments.
If you have separated your DS servers for CTS from DS servers for other data,
you can lower the replication purge delay on all DS replicas.
For example, the following command sets it to 12 hours for a single DS replica on cts.example.com
:
$ /path/to/opendj/bin/dsconfig \
set-synchronization-provider-prop \
--provider-name "Multimaster Synchronization" \
--set replication-purge-delay:12h \
--hostname cts.example.com \
--port 4444 \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--truststorepassword:file /path/to/opendj/config/keystore.pin \
--bindDN uid=admin \
--bindPassword str0ngAdm1nPa55word \
--no-prompt
You must decide whether CTS data backups are important in your deployment. It may not be worth backing up the CTS data. Losing CTS tokens may be acceptable if the worst-case scenario means users have to log in again.
For deployments with critical long-lived sessions or long-lived refresh tokens, losing tokens may not be acceptable. If losing CTS tokens is not acceptable, back up CTS data.
When backing up CTS data, be aware that DS backups older than the replication purge delay are useless. DS replication can only bring a replica up to date when it has the historical information to replay changes in the right order. If you restore a DS server from data older than the replication purge delay, the other DS servers will have already purged the historical information needed to replay the pending changes. For details, refer to Backup and restore in the PingDS documentation.
Manage expired CTS tokens
Tokens in the CTS store have a limited time to live, after which they expire and must be pruned. By default, AM manages expired tokens by using its own reaper. You can, however, delegate this task to DS.
Although both solutions work equally well, using DS to manage token expiration instead of AM’s reaper frees up resources in AM servers that can then be used for policy or authorization requests.
The following topics explain the two methods of managing expired CTS tokens in detail.
Manage expired tokens with the AM CTS reaper
When an AM server modifies a token in the CTS token store, it takes responsibility for managing that token when it expires. Each AM server maintains a local cache of expired tokens to delete, and when to delete them.
Using the local reaper cache reduces the number of searches to the CTS store to determine expired tokens to delete. This improves overall cluster performance. Servers still search the CTS store for expired tokens occasionally, to ensure expired tokens aren’t missed when a server in the cluster goes down.
The AM CTS reaper is enabled by default and requires no extra configuration. If you’ve configured the DS expiration and deletion feature instead, and then want to re-enable the AM CTS reaper, read Re-enable the AM reaper.
Manage expired tokens using DS
If you disable the AM CTS reaper, AM relies on DS capabilities to delete expired tokens.
DS doesn’t reap its contents by default–you must configure DS to expire and delete entries. Entry expiration and deletion uses an ordering index to find CTS tokens that have reached their time to live then expire and delete them.
Before you configure DS to manage CTS token expiration, consider the following points:
-
DS doesn’t replicate entry deletion across servers. You must make sure all CTS store replicas are configured in the same way. For details, refer to Entry expiration in the DS documentation.
-
Disabling the AM reaper impacts session-related functionality, such as sending notifications about session expiration or timeouts to agents.
When you completely disable the AM reaper, the following session functionality becomes unavailable:
-
Implementations of
org.forgerock.openam.cts.reaper.TokenDeletionStrategy
, responsible for deleting expiring tokens.Custom logic for specific token types (unrelated to simply deleting tokens) no longer works.
-
Implementations of
org.forgerock.openam.cts.continuous.watching.ContinuousListener
andorg.forgerock.openam.cts.continuous.watching.ContinuousWatcher
no longer receive deletion notifications in case of session timeout.Active logout is not impacted.
-
Code built on top of
com.iplanet.dpro.session.service.SessionEventListener
no longer receivesIDLE_TIMEOUT
orMAX_TIMEOUT
events. This affects:-
Session timeout monitoring
-
Session timeout auditing
-
Session timeout logging
-
Session timeout notifications for agents (PLL, WebSockets)
-
Timeout handlers configured through the
openam-session-timeout-handler-list
-
Session web hooks registered during authentication
-
-
Code built on top of
com.iplanet.dpro.session.watchers.listeners.SessionDeletionListener
no longer receives notifications when the session idle or maximum lifetime is exceeded (common usage includes caches). -
Listeners built on top of
com.sun.identity.plugin.session.SessionListener
no longer receive notifications on active logout or when the maximum session time is reached (idle timeout is ignored).
If you don’t need these session capabilities, refer to Let DS manage CTS tokens (ignore session capabilities).
If you do need these session capabilities, refer to Let DS manage CTS tokens (retain session capabilities).
-
A common CTS token management strategy is to configure AM to reap session tokens only, and to use DS to manage non-session tokens. This configuration lets you retain session-related functionality, while benefiting from DS’s token management capabilities. If your environment requires it, you can also configure the AM reaper to manage different subsets of tokens other than session tokens. |
Let DS manage CTS tokens (ignore session capabilities)
These steps assume you don’t need the session capabilities impacted by disabling the AM CTS reaper. They configure DS to manage expiration and deletion of all CTS tokens in your environment. |
-
Perform one of the following steps, depending on whether you’re installing a new DS instance for CTS, or modifying an existing instance:
-
If you’re installing a new DS instance, use the CTS setup profile.
Choose the option "DS manages all token expiration".
-
If you have an existing DS instance that you’re using as a CTS store, configure the DS entry expiration and deletion feature for the
coreTokenExpirationDate
attribute.This attribute is already indexed, but you must enable the TTL-related properties: $ /path/to/opendj/bin/dsconfig set-backend-index-prop \ --hostname 'ds.example.com' \ --port 4444 \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --truststorepassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword str0ngAdm1nPa55word \ --backend-name amCts \ --index-name coreTokenExpirationDate \ --set ttl-enabled:true \ --set ttl-age:10s \ --no-prompt
DS doesn’t replicate entry deletion across servers. You must configure all CTS store replicas in the same way. Learn more in Entry expiration in the DS documentation.
-
-
Disable the AM CTS reaper.
Go to Configure > Server Defaults > Advanced and set the
org.forgerock.services.cts.store.reaper.enabled
property tofalse
.This change doesn’t require a server restart. Learn more about this advanced server property in Advanced properties.
Perform this step on all AM servers in your deployment.
Let DS manage CTS tokens (retain session capabilities)
These steps assume you need the session capabilities that would be impacted by disabling the AM CTS reaper. They configure AM to reap SESSION tokens, while using DS capabilities to manage other tokens. |
-
Perform one of the following steps, depending on whether you’re installing a new DS instance for CTS, or modifying an existing instance:
-
If you’re installing a new DS instance, use the CTS setup profile.
Choose the option "AM reaper manages only SESSION token expiration".
-
If you’re modifying an existing DS instance, follow these steps:
-
Copy the value of the
coreTokenExpirationDate
attribute to thecoreTokenTtlDate
for all existing tokens except forSESSION
tokens.AM will manage the
SESSION
tokens separately.If you don’t perform this step, neither the AM reaper nor the DS expiration feature will delete these tokens. They’ll remain in the CTS store until you remove them manually.
-
Create an ordering index for the
coreTokenTtlDate
attribute:$ /path/to/opendj/bin/dsconfig create-backend-index \ --hostname 'ds.example.com' \ --port 4444 \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --truststorepassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword str0ngAdm1nPa55word \ --backend-name amCts \ --index-name coreTokenTtlDate \ --set index-type:ordering \ --no-prompt
-
Rebuild the new index using the
rebuild-index
command:$ /path/to/opendj/bin/rebuild-index \ --hostname 'ds.example.com' \ --clearDegradedState \ --port 4444 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --truststorepassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword str0ngAdm1nPa55word \ --baseDN "dc=cts,dc=example,dc=com" \ --index coreTokenTtlDate
-
Configure entry expiration and deletion for the
coreTokenTtlDate
index you created in the previous step:$ /path/to/opendj/bin/dsconfig set-backend-index-prop \ --hostname 'ds.example.com' \ --port 4444 \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --truststorepassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword str0ngAdm1nPa55word \ --index-name coreTokenTtlDate \ --backend-name amCts \ --set ttl-enabled:true \ --set ttl-age:10s \ --no-prompt
DS doesn’t replicate deletion of entries across servers. You must configure all CTS store replicas in the same way. For more information, refer to Entry expiration in the DS documentation.
-
-
-
In the AM admin UI, go to Configure > Server Defaults > Advanced and configure the following advanced server properties for each AM server that shares the CTS store cluster:
-
Set
org.forgerock.services.cts.store.ttlsupport.enabled
totrue
. -
Set
org.forgerock.services.cts.store.ttlsupport.exclusionlist
toSESSION
. -
Set
org.forgerock.services.cts.store.reaper.enabled
totrue
.
The changes are effective immediately. Learn more about these advanced server properties in Advanced properties.
-
Re-enable the AM reaper
Follow these steps if you previously enabled the DS expiration and deletion feature but want to disable it and re-enable the AM reaper.
-
If you enabled the DS expiration and deletion feature following the steps in Let DS manage CTS tokens (ignore session capabilities), follow these steps to enable the AM CTS reaper for all tokens:
-
Disable DS entry expiration and deletion for the
coreTokenExpirationDate
index:$ /path/to/opendj/bin/dsconfig set-backend-index-prop \ --hostname 'ds.example.com' \ --port 4444 \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --truststorepassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword str0ngAdm1nPa55word \ --backend-name amCts \ --index-name coreTokenExpirationDate \ --set ttl-enabled:false \ --no-prompt
Don’t delete the index. Configure all CTS store replicas in the same way. -
Re-enable the AM CTS reaper:
On each AM server in your deployment, go to Configure > Server Defaults > Advanced and set the
org.forgerock.services.cts.store.reaper.enabled
property totrue
.
-
-
If you enabled the DS expiration and deletion feature following the steps in Let DS manage CTS tokens (retain session capabilities), follow these steps to enable the AM CTS reaper for all tokens:
-
Disable the DS entry expiration and deletion feature for the
coreTokenTtlDate
index. For example:$ /path/to/opendj/bin/dsconfig set-backend-index-prop \ --hostname 'ds.example.com' \ --port 4444 \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --truststorepassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword str0ngAdm1nPa55word \ --index-name coreTokenTtlDate \ --backend-name amCts \ --set ttl-enabled:false
Configure all CTS store replicas in the same way. -
Delete the index created for the
coreTokenTtlDate
attribute. For example:$ /path/to/opendj/bin/dsconfig delete-backend-index \ --hostname 'ds.example.com' \ --port 4444 \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --truststorepassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword str0ngAdm1nPa55word \ --backend-name amCts \ --index-name coreTokenTtlDate \ --no-prompt
Configure all CTS store replicas in the same way. -
Go to Configure > Server Defaults > Advanced and configure the following advanced server properties in all of the AM servers sharing the CTS store cluster:
-
Set
org.forgerock.services.cts.store.ttlsupport.enabled
tofalse
. -
Remove the
org.forgerock.services.cts.store.ttlsupport.exclusionlist
property from the configuration. -
Set
org.forgerock.services.cts.store.reaper.enabled
totrue
.
-
The changes are effective immediately. For more information about these advanced server properties, see Advanced properties.
-
Tune the CTS
There are several tuning considerations for the efficient processing of your CTS token store:
Task | Resources |
---|---|
Configure the reaper cache size The reaper process prunes tokens in the store that have reached their maximum time-to-live. |
|
Manage the reaper search size In addition to the cache, the reaper also uses a search to find expired tokens. You can tune the maximum amount of tokens that the reaper can find and delete in a single invocation. |
|
Change the OAuth 2.0 Storage Scheme If the CTS token store was created on a version of AM earlier than 6.5,
configure the |
|
Set the poll interval for the logout user cache In a multi-server deployment, servers poll the CTS at a specified interval to update their logout user token cache with the tokens from other servers. |
Reaper cache size
The size of the AM reaper cache is controlled by
the org.forgerock.services.cts.reaper.cache.size
advanced property.
The default size is 500000
tokens.
If an AM server is under sustained heavy load, the reaper cache may reach capacity,
causing degraded performance due to the additional slower searches of the CTS store.
If the reaper cache is full, messages are logged in the Session
debug log, such as the following:
The CTS token reaper cache is full. This will result in degraded performance. You should increase the cache size by setting the advanced server property 'org.forgerock.services.cts.reaper.cache.size' to a number higher than 500000.
If this debug message appears frequently in the debug logs,
increase the value of the org.forgerock.services.cts.reaper.cache.size
property.
To alter the value, in the AM admin UI, go to Configure > Server Defaults > Advanced,
and add the property and increased value to the list.
Increasing the size of the reaper cache causes higher memory usage on the AM server. If a cache of the default size of 500000 entries is nearly full, the server memory used could be up to approximately 100 megabytes.
Tune the AM reaper cache size only if
the |
Reaper search size
The reaper uses its cache to ensure that expired tokens are removed from the CTS token store, but it also has a built-in mechanism to search for expired tokens that may have not been purged. This could happen, for example, due to an AM instance crash.
When the reaper searches for expired tokens, DS returns a page of records, and the reaper deletes these tokens.
To configure the maximum number of records that DS returns,
use the org.forgerock.services.cts.reaper.search.tokenLimit
advanced server property.
The default is 5000
.
To configure how often the search runs, and the grace period for the tokens the reaper deletes, configure the following properties:
-
org.forgerock.services.cts.reaper.search.pollFrequencyMilliseconds
.Specifies how often to perform a search for expired tokens. The default is
5000
milliseconds.The value of this setting should never be higher than a few seconds, as the goal is to launch the search frequently so that the expired tokens do not pile up.
-
org.forgerock.services.cts.reaper.search.gracePeriodMilliseconds
.Specifies the grace period used when searching for expired tokens. Any tokens that expired more than the specified duration ago are returned. The default is
300000
milliseconds.Set the grace period larger than the value controlled by the
org.forgerock.services.cts.reaper.cache.pollFrequencyMilliseconds
advanced property. This allows an AM instance sufficient time to delete the token using its cache, rather than search.Deleting from the cache is preferred because it avoids expensive searches against the CTS store.
To tune the reaper searches, run load tests in your environment with the default reaper parameters, and then watch if the expired tokens build up. If there is no token build-up, then the reaper is sufficiently tuned. If you see token build-up, tune the reaper cache first, as it is the less expensive of the two reaping mechanisms.
It is fine if there is a small amount of expired tokens left on each iteration of the reaper search as long as tokens are cleared up during lower activity periods.
Keeping a large number of expired tokens in the CTS store results in increased disk space usage, and in AM not sending expiration notifications in a timely fashion.
Setting the token limit too high could negatively affect the performance of the DS instance. It is better to launch more runs of the reaper search with smaller amounts of records, than fewer runs with larger amounts of records.
OAuth 2.0 CTS storage scheme
AM 6.5 introduced a new scheme for storing OAuth 2.0 tokens in the CTS store, called the grant-set scheme.
The grant-set
scheme groups multiple authorizations for a given OAuth 2.0 client and resource owner pair
and stores them in a single CTS OAUTH2_GRANT_SET
entry.
This implementation reduces the size and quantity of entries stored,
as well as the number of calls required to perform OAuth 2.0 operations.
The one-to-one
scheme stores the state of multiple authorizations
for a given OAuth 2.0 client and resource owner pair across multiple OAUTH
and OAUTH2_STATELESS_GRANT
entries and is more resource intensive.
You should upgrade to the grant-set
scheme after all the servers in your environment
have been upgraded to AM 6.5 or later.
The grant-set
scheme is backwards-compatible with existing entries stored in the CTS store.
Therefore, any access or refresh token issued before configuring the grant-set
scheme is still valid.
The CTS store retains an existing token in its original form until the refresh token expires
or the token is actively revoked.
Users do not notice any change in the tokens they receive. There is no change to the OAuth 2.0 endpoints.
Learn more about these tokens in CTS token types.
To enable the grant-set
scheme:
-
Go to Configure > Global Services > OAuth2 Provider > Global Attributes.
-
In the CTS Storage Scheme drop-down, choose Grant-Set Storage Scheme.
-
Click Save Changes.
New OAuth 2.0 tokens stored in the CTS after the change use the new scheme automatically.
CTS poll interval
If client-side session logout is enabled, AM stores the logout user tokens in a local cache. In a multi-server deployment, servers poll the CTS at a specified interval to update their logout user token cache with the tokens from other servers.
The poll interval is specified by the global session property Enable Invalidation of Sessions
Based on User Identifier, and is set to 60
seconds by default.
A very long polling interval gives malicious users time to connect to other AM servers within a site and use stolen session cookies. A very short polling interval improves security by invalidating user sessions across servers in a shorter timeframe, but can incur a performance cost.
A value of 0
disables polling of the CTS. Do not disable polling in a multi-server site, as this prevents logoutByUser
session invalidation data from being shared between servers.