Managing CTS Tokens
You can configure AM to encrypt or compress CTS tokens as they are stored in the token store. The following properties, disabled by default, are associated with token encryption and compression:
com.sun.identity.session.repository.enableEncryption
    Supports encryption of CTS tokens. Default: false.
com.sun.identity.session.repository.enableCompression
    Enables GZip-based compression of CTS tokens. Default: false.
com.sun.identity.session.repository.enableAttributeCompression
    Supports compression over and above the GZip-based compression of CTS tokens. Default: false.
Important
Compression can undermine the security of encryption. Evaluate this risk against your own use cases before enabling compression and encryption together.
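The following added illustration (not part of the AM documentation, and using a constructed token layout rather than AM's real CTS format) shows the mechanism behind this note: a cipher hides the content of a token but not its length, and compressing before encrypting makes that length depend on how much a client-influenced attribute overlaps the secret session identifier. The function names and the XOR stand-in cipher are assumptions made for the example.

```python
import secrets
import zlib

# Constructed token layout for illustration only; it is not AM's real CTS
# token format. A secret session identifier sits next to an attribute whose
# value an unauthenticated client can influence (for example a User-Agent).
def build_token(session_secret: str, client_value: str) -> bytes:
    return (
        '{"tokenId":"' + session_secret + '",'
        '"userAgent":"' + client_value + '",'
        '"realm":"/"}'
    ).encode()

def encrypt(plaintext: bytes) -> bytes:
    # Stand-in for a length-preserving cipher (XOR with a fresh random
    # keystream). Like a real CTR/stream mode it hides content but not length.
    keystream = secrets.token_bytes(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def stored_length(session_secret: str, client_value: str, compress: bool) -> int:
    # Mirrors the two CTS settings: optional compression first, then encryption.
    token = build_token(session_secret, client_value)
    if compress:
        token = zlib.compress(token, 9)
    return len(encrypt(token))

def length_leaks_secret(session_secret: str, compress: bool) -> bool:
    # Compare the stored size for a client value that overlaps the secret
    # against one of equal length that does not. With compression off both
    # sizes match; with it on, the overlapping value compresses shorter, so
    # the ciphertext length alone reveals information about the secret.
    overlapping = session_secret[:12]
    unrelated = "q9w8e7r6t5y1"  # same length, shares no substring with the secret
    return (stored_length(session_secret, overlapping, compress)
            < stored_length(session_secret, unrelated, compress))

if __name__ == "__main__":
    secret = "k7Qm3xZp9Lw2Vb4N"  # constructed sample value
    print("encryption only leaks via length:", length_leaks_secret(secret, False))
    print("compression + encryption leaks via length:", length_leaks_secret(secret, True))
```

Encrypting the DS backend instead, as the Tip at the end of this page suggests, keeps the stored token length independent of its content.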
Warning
When you change the encryption or compression properties, all tokens already in the LDAP store become unreadable, which invalidates every existing user session. Affected users must log in again.
1. Navigate to Configure > Server Defaults > Advanced.
2. Find the property you want to enable in the Property Name column.
3. Replace the false value with true in the Property Value column.
4. Save your changes.
5. Enable the same property on every AM instance within the site. Failure to do so may cause unexpected issues storing and reading tokens across the environment.
6. Restart the AM servers for the changes to take effect.
Tip
Configuring the CTS to encrypt and store tokens incurs a performance penalty for AM. If you need to encrypt the stored tokens in your environment, consider configuring the CTS token store DS instance to encrypt the data instead. For more information about encrypting a DS instance, see the ForgeRock Directory Services Security Guide.