---
title: CTS properties
description: You can configure the Core Token Service (CTS) to store tokens in the same LDAP directory as the AM configuration or in a separate external directory server. Take note of specific requirements for indexing and replication. In particular, manage WAN replication carefully for optimum performance.
component: pingam
version: 8.1
page_id: pingam:setup:server-cts
canonical_url: https://docs.pingidentity.com/pingam/8.1/setup/server-cts.html
page_aliases: ["setup-guide:server-cts.adoc"]
section_ids:
  cts-tokenstore: CTS token store
  cts-external-tokenstore: External store configuration
---

# CTS properties

You can configure the Core Token Service (CTS) to store tokens in the same LDAP directory as the AM configuration or in a separate external directory server. Take note of specific requirements for indexing and replication. In particular, manage WAN replication carefully for optimum performance.

Tune advanced properties related to token size correctly, including `com.sun.identity.session.repository.enableEncryption`, `com.sun.identity.session.repository.enableCompression`, and `com.sun.identity.session.repository.enableAttributeCompression`. For more information, refer to [\[server-advanced\]](#server-advanced).

## CTS token store

Set the following properties on the CTS Token Store tab:

* Store Mode

  Specifies the datastore where AM stores CTS tokens. Possible values are:

  * `Default Token Store`: AM stores CTS tokens in the configuration datastore.

  * `External Token Store`: AM stores CTS tokens in an external datastore.

  If you specify `Default Token Store`, you can't access the configuration properties on the External Store Configuration tab.

* Root Suffix

  This property sets the base DN for CTS storage. For example, `cn=cts,ou=famrecords,ou=openam-session,ou=tokens`. The Root Suffix specifies a database that can be maintained and replicated separately from the standard user datastore.

* Max Connections

  The maximum number of remote connections to the external datastore. For affinity deployments, this property specifies the maximum number of remote connections to each directory server in the connection string.

  Default: `100`

  Find recommended settings in [Tune CTS store LDAP connections](../maintenance/tuning-ldap-settings.html#tuning-ldap-settings-cts).

* Page Size

  The number of results per page returned from the CTS datastore.

  If the result set is *smaller* than the page size, the results aren't paginated. If the result set is *larger*, the number of pages returned is the result set size divided by the page size.

  Increasing the page size results in fewer round trips to the CTS datastore when retrieving large result sets.

  To return all results and disable pagination, set to `0`.

  Default: `0`

* VLV Page Size

  The number of results per page returned from the underlying CTS datastore when using virtual list views (VLVs). Larger values result in fewer round trips to the datastore when retrieving large result sets, provided VLVs are enabled on the datastore.

  Find more information on VLVs in [Virtual List View Index](https://docs.pingidentity.com/pingds/8.1/config-guide/indexing.html#configure-vlv) in the DS documentation.

  Default: `10`

## External store configuration

The External Store Configuration tab lets you set connection details to one or more external PingDS instances.

> **Note:** Before you can select `External Token Store` on the CTS Token Store tab, you *must* complete the connection details on this tab.

* SSL/TLS Enabled

  Enables a secure connection to the directory server. Connections to PingDS *must* be secure.

* mTLS Enabled

  When enabled, AM uses mutual TLS (mTLS) to authenticate to the PingDS using trusted certificates.

  When you enable mTLS, AM ignores the values of the Login Id and Password properties.

  You must also:

  * Set SSL/TLS Enabled.

  * Set a secure port in the Connection String(s) property.

  Find information on configuring certificates and keystore mappings in [Secret stores](../security/secret-stores.html).

  > **Note:** You must configure the corresponding secret mapping *before* you enable an mTLS connection to the PingDS. If you try to save an mTLS configuration before configuring the mapping, the UI returns an error.

* Start TLS

  When enabled, AM uses startTLS to secure the connection to the external directory server.

* Connection String(s)

  An ordered list of connection strings for external DS servers. The format is `HOST:PORT[|SERVERID[|SITEID]]`, where `HOST:PORT` is the DS FQDN and its port. `SERVERID` and `SITEID` are optional parameters that identify an AM instance that gives priority to that connection. This doesn't exclude other AM instances from using the connection, but they only do so after they have no remaining priority connections available to them.

  Multiple connection strings must be comma-separated, for example, `cts1.example.com:1636, cts2.example.com:1636`.

  AM uses the first connection string in the list unless the server is unreachable. In this case, it tries the next connection strings in the order in which they're defined.

  In production environments, you should specify more than one connection string for failover purposes.

  > **Examples for active/passive deployments**
  >
  > * `cts-ds1.example.com:1636,cts-ds2.example.com:1636`
  >
  >   Every AM instance accesses `cts-ds1.example.com:1636` for all CTS operations. If that server goes down, they access `cts-ds2.example.com:1636`.
  >
  >   Each AM opens new connections to `cts-ds1.example.com:1636` when that directory server becomes available.
  >
  > * `cts-ds1.example.com:1636|1|1,cts-ds2.example.com:1636|2|1`
  >
  >   Server 1 site 1 gives priority to `cts-ds1.example.com:1636`. Server 2 site 1 gives priority to `cts-ds2.example.com:1636`. Any server not specified accesses the first server on the list, while it is available.
  >
  >   If `cts-ds1.example.com:1636` goes down, server 1 site 1 accesses `cts-ds2.example.com:1636`. Any server not specified accesses the second server on the list.
  >
  >   If `cts-ds2.example.com:1636` goes down, server 2 site 1 accesses `cts-ds1.example.com:1636`. Any server not specified still accesses the first server on the list.
  >
  >   Server 1 site 1 and any server not specified open new connections to `cts-ds1.example.com:1636` when it becomes available. Only server 2 site 1 opens new connections to `cts-ds2.example.com:1636` when it becomes available.
  >
  > * `cts-ds1.example.com:1636|1|1,cts-ds2.example.com:1636|1|1,cts-ds3.example.com:1636|1|2`
  >
  >   Server 1 site 1 gives priority to `cts-ds1.example.com:1636`. Any server not specified accesses the first server on the list, while it is available.
  >
  >   If `cts-ds1.example.com` goes down, server 1 site 1 accesses `cts-ds2.example.com:1636`. Any server not specified accesses the second server on the list.
  >
  >   If both `cts-ds1.example.com` and `cts-ds2.example.com` go down, server 1 site 1 accesses `cts-ds3.example.com:1636` in site 2. Any server not specified accesses the third server on the list.
  >
  >   Server 1 site 1 and any server not specified open new connections to any server in site 1 when they become available, with `cts-ds1.example.com` being the preferred server.

  > **Example for affinity deployments**
  >
  > * `cts-ds1.example.com:1636,cts-ds2.example.com:1636,cts-ds3.example.com:1636,cts-ds4.example.com:1636`
  >
  >   Access CTS tokens from one of the four servers listed in the connection string. For any given CTS token, AM determines the token's affinity for one of the four servers, and always accesses the token from that same server. Tokens are distributed equally across the four servers.

* Login Id

  The DN of the user who authenticates to the external datastore. This user needs sufficient privileges to read and write to the root suffix of the external PingDS.

* Password

  The password associated with the login ID.

  If you enable mTLS, AM ignores the values of the Login Id and Password properties.

* Heartbeat

  The interval, in seconds, at which AM sends a heartbeat request to the PingDS to ensure that the connection isn't idle. Configure the heartbeat so that network hardware, such as routers and firewalls, doesn't drop the connection between AM and the directory server.

  Default: `10`

* Affinity Enabled

  When enabled, AM accesses the CTS token store in multiple DS instances in an affinity deployment rather than a single PingDS instance in an active/passive deployment.

  If you enable this option, make sure that the value of the Connection String(s) property is identical for every server in multi-server deployments.

  Default: Disabled
