PingAM

CTS properties

You can configure the Core Token Service (CTS) to store tokens in the same LDAP directory as the AM configuration or in a separate external directory server. Take note of specific requirements for indexing and replication. In particular, manage WAN replication carefully for optimum performance.

Tune advanced properties related to token size correctly, including com.sun.identity.session.repository.enableEncryption, com.sun.identity.session.repository.enableCompression, and com.sun.identity.session.repository.enableAttributeCompression. For more information, refer to [server-advanced].

CTS token store

Set the following properties on the CTS Token Store tab:

Store Mode

Specifies the datastore where AM stores CTS tokens. Possible values are:

  • Default Token Store: AM stores CTS tokens in the configuration datastore.

  • External Token Store: AM stores CTS tokens in an external datastore.

If you specify Default Token Store, you can’t access the configuration properties on the External Store Configuration tab.

Root Suffix

This property sets the base DN for CTS storage. For example, cn=cts,ou=famrecords,ou=openam-session,ou=tokens. The Root Suffix specifies a database that can be maintained and replicated separately from the standard user datastore.

Max Connections

The maximum number of remote connections to the external datastore. For affinity deployments, this property specifies the maximum number of remote connections to each directory server in the connection string.

Default: 100

Find recommended settings in Tune CTS store LDAP connections.

Page Size

The number of results per page returned from the CTS datastore.

If the result set is smaller than the page size, the results are returned in a single, unpaginated response. If the result set is larger, the number of pages returned is the result set size divided by the page size.

Increasing the page size results in fewer round trips to the CTS datastore when retrieving large result sets.

To return all results and disable pagination, set to 0.

Default: 0

VLV Page Size

The number of results per page returned from the underlying CTS datastore when using virtual list views (VLVs). Larger values result in fewer round trips to the datastore when retrieving large result sets, provided VLVs are enabled on the datastore.

Find more information on VLVs in Virtual List View Index in the DS documentation.

Default: 10

External store configuration

The External Store Configuration tab lets you set connection details to one or more external PingDS instances.

Before you can select External Token Store on the CTS Token Store tab, you must complete the connection details on this tab.

SSL/TLS Enabled

Enables a secure connection to the directory server. Connections to PingDS must be secure.

mTLS Enabled

When enabled, AM uses mutual TLS (mTLS) to authenticate to the PingDS using trusted certificates.

When you enable mTLS, AM ignores the values of the Login Id and Password properties.

You must also:

  • Set SSL/TLS Enabled.

  • Set a secure port in the Connection String(s) property.

Find information on configuring certificates and keystore mappings in Secret stores.

You must configure the corresponding secret mapping before you enable an mTLS connection to the PingDS. If you try to save an mTLS configuration before configuring the mapping, the UI returns an error.

Start TLS

When enabled, AM uses startTLS to secure the connection to the external directory server.

Connection String(s)

An ordered list of connection strings for external DS servers. The format is HOST:PORT[|SERVERID[|SITEID]], where HOST:PORT are the DS FQDN and its port. SERVERID and SITEID are optional parameters to specify an AM instance that prioritizes the particular connection. This doesn’t exclude other AM instances from using that connection, although they must have no remaining priority connections available to them before they use it.

Multiple connection strings must be comma-separated, for example, cts1.example.com:1636, cts2.example.com:1636.

AM uses the first connection string in the list unless the server is unreachable. In this case, it tries the next connection strings in the order in which they’re defined.

In production environments, you should specify more than one connection string for failover purposes.

Examples for active/passive deployments

cts-ds1.example.com:1636,cts-ds2.example.com:1636

Every AM instance accesses cts-ds1.example.com:1636 for all CTS operations. If that server goes down, they access cts-ds2.example.com:1636.

Each AM opens new connections to cts-ds1.example.com:1636 when that directory server becomes available.

cts-ds1.example.com:1636|1|1,cts-ds2.example.com:1636|2|1

Server 1 site 1 gives priority to cts-ds1.example.com:1636. Server 2 site 1 gives priority to cts-ds2.example.com:1636. Any server not specified accesses the first server on the list, while it is available.

If cts-ds1.example.com:1636 goes down, server 1 site 1 accesses cts-ds2.example.com:1636. Any server not specified accesses the second server on the list.

If cts-ds2.example.com:1636 goes down, server 2 site 1 accesses cts-ds1.example.com:1636. Any server not specified still accesses the first server on the list.

Server 1 site 1 and any server not specified open new connections to cts-ds1.example.com:1636 when it becomes available. Only server 2 site 1 opens new connections to cts-ds2.example.com:1636 when it becomes available.

cts-ds1.example.com:1636|1|1,cts-ds2.example.com:1636|1|1,cts-ds3.example.com:1636|1|2

Server 1 site 1 gives priority to cts-ds1.example.com:1636. Any server not specified accesses the first server on the list, while it is available.

If cts-ds1.example.com goes down, server 1 site 1 accesses cts-ds2.example.com:1636. Any server not specified accesses the second server on the list.

If both cts-ds1.example.com and cts-ds2.example.com go down, server 1 site 1 accesses cts-ds3.example.com:1636 in site 2. Any server not specified accesses the third server on the list.

Server 1 site 1 and any server not specified open new connections to any server in site 1 when they become available, with cts-ds1.example.com being the preferred server.
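To make the HOST:PORT[|SERVERID[|SITEID]] format and the priority rules in the examples above concrete, here is an added example (not code from PingAM) that parses a Connection String(s) value and computes the order in which a given AM instance tries the servers. The ordering model (entries tagged with the instance's own SERVERID and SITEID first, then the rest in list order) is inferred from the documented examples and is an assumption, not AM's implementation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CtsServer:
    host: str
    port: int
    server_id: Optional[str] = None  # SERVERID field, if present
    site_id: Optional[str] = None    # SITEID field, if present

    @property
    def address(self) -> str:
        return f"{self.host}:{self.port}"


def parse_connection_strings(value: str) -> list:
    """Parse a comma-separated HOST:PORT[|SERVERID[|SITEID]] list."""
    servers = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        fields = entry.split("|")
        if len(fields) > 3:
            raise ValueError(f"too many '|' fields in {entry!r}")
        host, sep, port = fields[0].rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"expected HOST:PORT in {entry!r}")
        server_id = fields[1] if len(fields) > 1 else None
        site_id = fields[2] if len(fields) > 2 else None
        servers.append(CtsServer(host, int(port), server_id, site_id))
    if not servers:
        raise ValueError("Connection String(s) must list at least one server")
    return servers


def failover_order(servers, server_id=None, site_id=None):
    """Addresses in the order this AM instance tries them (assumed model):
    entries tagged with its own SERVERID/SITEID first, then all others,
    each group in list order. Untagged AM instances get no priority entries."""
    mine = [s for s in servers if s.server_id is not None
            and (s.server_id, s.site_id) == (server_id, site_id)]
    others = [s for s in servers if s not in mine]
    return [s.address for s in mine + others]


def select_server(servers, server_id=None, site_id=None, unreachable=()):
    """First address in failover order that is not currently unreachable."""
    for address in failover_order(servers, server_id, site_id):
        if address not in unreachable:
            return address
    raise RuntimeError("no CTS directory server reachable")
```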

Example for affinity deployments

cts-ds1.example.com:1636,cts-ds2.example.com:1636,cts-ds3.example.com:1636,cts-ds4.example.com:1636

AM accesses CTS tokens from one of the four servers listed in the connection string. For any given CTS token, AM determines the token’s affinity for one of the four servers and always accesses the token from that same server. Tokens are distributed equally across the four servers.

Login Id

The DN of the user who authenticates to the external datastore. This user needs sufficient privileges to read and write to the root suffix of the external PingDS.

Password

The password associated with the login ID.

If you enable mTLS, AM ignores the values of the Login Id and Password properties.

Heartbeat

The interval, in seconds, at which AM sends a heartbeat request to the PingDS to ensure that the connection isn’t idle. Configure the heartbeat so that network hardware, such as routers and firewalls, doesn’t drop the connection between AM and the directory server.

Default: 10

Affinity Enabled

When enabled, AM accesses the CTS token store in multiple DS instances in an affinity deployment rather than a single PingDS instance in an active/passive deployment.

If you enable this option, make sure that the value of the Connection String(s) property is identical for every server in multi-server deployments.

Default: Disabled