This presentation shares knowledge about the OpenAM 13.5 Core Token Service (aka CTS). We will talk about:
- CTS presentation
- CTS architectural presentation
- CTS setup
- Managing CTS tokens
- CTS monitoring
Transcript:
- OpenAM 13.5 – CTS, by Olivier Rivat, Janua's CTO
- Agenda
  - CTS presentation
  - CTS architectural presentation
  - CTS setup
  - Managing CTS tokens
  - CTS monitoring
  - Pointers
- CTS: Core Token Service
  - CTS overview
    - Provides persistent and highly available token storage
    - Dedicated to storing OAuth 2.0, SAML v2.0 and UMA tokens
  - Requirements
    - OpenDJ only; not compatible with any other LDAP directory
  - Recommendation
    - Configure an external CTS store for high volume
- Architectural considerations (1)
  - Two configuration models are available
    - Active/passive: OpenAM's connection to the CTS token store is limited to a single master instance, with failover instances
    - Affinity: CTS tokens have an affinity for a given directory server instance; OpenAM connects to one or more writable directory server instances, and each instance acts as the master for a subset of CTS tokens
- Architectural considerations (2)
  - Load balancer: do not put a load balancer in front of the CTS stores
  - Example:
- Steps to configure CTS
  - Architectural configuration: choose the deployment model, active/passive or affinity
  - OpenDJ: install and configure OpenDJ in a replicated topology
  - CTS setup
    - Prepare the OpenDJ directory service for CTS
    - Import the CTS files
    - Non-admin user creation and ACI import
    - CTS index import and build
    - OpenAM CTS configuration
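The CTS setup steps above, as an added example that is not code from the Janua slides or from the OpenAM/OpenDJ products: a POSIX shell script that generates the LDIF for a dedicated, least-privilege CTS bind account, the ACIs that confine that account to the CTS suffix, and the OpenDJ command sequence for the whole procedure. The commands are printed rather than executed, so they can be reviewed before use. Everything deployment-specific is an assumption and is labelled as such in the code: the CTS suffix `dc=cts,dc=example,dc=com`, the account DN `uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens,...`, the placeholder paths, the OpenDJ 3.x `ldapmodify`/`dsconfig`/`rebuild-index` flags, and the `cts-*.ldif` template names that OpenAM 13.5 ships under `WEB-INF/template/ldif/sfha` (those templates carry a root-suffix placeholder to substitute first, as the install guide describes). The ACI set is illustrative: read/search, add, write and delete for the CTS account only, so OpenAM never binds to the token store as the directory superuser.

```shell
#!/bin/sh
# Added example (not from the Janua slides or the OpenAM product).
# Generates LDIF for a least-privilege CTS bind account plus its ACIs, and prints
# the OpenDJ command sequence for the CTS setup steps in dry-run form.
# All values below are assumptions / placeholders: adjust to your deployment.

set -u

CTS_SUFFIX="${CTS_SUFFIX:-dc=cts,dc=example,dc=com}"        # assumed CTS suffix
CTS_HOST="${CTS_HOST:-cts.example.com}"                      # assumed OpenDJ host
CTS_LDAP_PORT="${CTS_LDAP_PORT:-1389}"                       # assumed LDAP port
CTS_ADMIN_PORT="${CTS_ADMIN_PORT:-4444}"                     # assumed admin port
DM_DN="${DM_DN:-cn=Directory Manager}"                       # directory superuser (setup only)
DM_PW_FILE="${DM_PW_FILE:-/path/to/dm.pwd}"                  # placeholder: password file, not argv
LDIF_DIR="${LDIF_DIR:-/path/to/openam/WEB-INF/template/ldif/sfha}"  # placeholder template dir
CTS_ADMINS_OU="ou=admins,ou=famrecords,ou=openam-session,ou=tokens,$CTS_SUFFIX"  # assumed
CTS_USER_DN="uid=openam_cts,$CTS_ADMINS_OU"                  # assumed service-account DN

# LDIF creating the admins container and the dedicated CTS bind account.
cts_account_ldif() {
  cat <<EOF
dn: $CTS_ADMINS_OU
objectClass: top
objectClass: organizationalUnit
ou: admins

dn: $CTS_USER_DN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: OpenAM CTS service account
sn: cts
uid: openam_cts
userPassword: ${CTS_BIND_PASSWORD:-CHANGE-ME-placeholder}
EOF
}

# LDIF adding ACIs on the CTS suffix: only the service account, only the
# operations OpenAM needs on tokens (read/search, add, write, delete).
cts_aci_ldif() {
  cts_userdn_uri="ldap:///$CTS_USER_DN"
  cat <<EOF
dn: $CTS_SUFFIX
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "CTS account: read and search"; allow (read, search)(userdn = "$cts_userdn_uri");)
aci: (targetattr="*")(version 3.0; acl "CTS account: add"; allow (add)(userdn = "$cts_userdn_uri");)
aci: (targetattr="*")(version 3.0; acl "CTS account: modify"; allow (write)(userdn = "$cts_userdn_uri");)
aci: (targetattr="*")(version 3.0; acl "CTS account: delete"; allow (delete)(userdn = "$cts_userdn_uri");)
EOF
}

# Number of ACI values the generated modify would add (sanity check).
cts_aci_count() { cts_aci_ldif | grep -c '^aci: '; }

# One ldapmodify invocation (OpenDJ 3.x flags; --defaultAdd treats records
# without a changetype as adds, which is harmless for the modify LDIF).
ldapmod_cmd() {
  echo "ldapmodify --hostname $CTS_HOST --port $CTS_LDAP_PORT --bindDN \"$DM_DN\" --bindPasswordFile $DM_PW_FILE --defaultAdd --filename $1"
}

# Full setup sequence, printed in order.
cts_setup_commands() {
  echo "# Step 1: prepare OpenDJ - a dedicated backend for the CTS suffix"
  echo "dsconfig create-backend --hostname $CTS_HOST --port $CTS_ADMIN_PORT --bindDN \"$DM_DN\" --bindPasswordFile $DM_PW_FILE --backend-name cts-store --type local-db --set base-dn:$CTS_SUFFIX --set enabled:true --trustAll --no-prompt"
  echo "# Step 2: import the CTS files (substitute the root-suffix placeholder in the templates first)"
  for f in cts-add-schema.ldif cts-add-multivalue.ldif cts-add-multivalue-indices.ldif cts-container.ldif; do
    ldapmod_cmd "$LDIF_DIR/$f"
  done
  echo "# Step 3: non-admin user creation and ACI import (files from cts_account_ldif and cts_aci_ldif)"
  ldapmod_cmd cts-account.ldif
  ldapmod_cmd cts-aci.ldif
  echo "# Step 4: CTS index import, then build the indexes"
  ldapmod_cmd "$LDIF_DIR/cts-indices.ldif"
  echo "rebuild-index --hostname $CTS_HOST --port $CTS_ADMIN_PORT --bindDN \"$DM_DN\" --bindPasswordFile $DM_PW_FILE --baseDN $CTS_SUFFIX --rebuildAll"
  echo "# Step 5: OpenAM CTS configuration - point the external token store at $CTS_HOST:$CTS_LDAP_PORT, root suffix $CTS_SUFFIX, binding as $CTS_USER_DN (never as $DM_DN)"
}

# Usage: sh cts-setup.sh --show > review.txt
if [ "${1:-}" = "--show" ]; then
  cts_account_ldif; echo; cts_aci_ldif; echo; cts_setup_commands
fi
```

Run it with `--show`, save the two LDIF records to `cts-account.ldif` and `cts-aci.ldif`, then execute the printed commands one step at a time. The superuser credentials are read from a file only during setup; once step 5 is done, OpenAM holds only the `openam_cts` credentials, and the ACIs bound what a compromise of that account could do to the token suffix.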
- Managing CTS tokens
  - CTS token properties
    - Encryption of CTS tokens
    - GZip-based compression of CTS tokens
    - Minimum CTS token lifetime (the token is erased if there is no activity)
  - Tuning considerations
    - Default queue size (5000)
    - Default activity timeout (120s)
- CTS monitoring
  - SNMP monitoring is available
    - A dedicated CTS MIB is available: FORGEROCK-OPENAM-CTS.mib
    - It can be integrated with supervision tools
- Pointers
  - OpenAM documentation
    - CTS presentation: https://backstage.forgerock.com/docs/openam/13.5/install-guide/#chap-cts
    - CTS monitoring: https://backstage.forgerock.com/docs/openam/13.5/admin-guide/#snmp-policy-evaluation
  - Knowledge base articles
    - FAQ: Core Token Service (CTS) and session high availability in OpenAM/AM: https://backstage.forgerock.com/knowledge/kb/article/a23093000
    - Best practice for configuring an external OpenDJ/DS instance for the Core Token Service (CTS) in OpenAM 12.x, 13.x and AM (all versions): https://backstage.forgerock.com/knowledge/kb/article/a46985800