Managing CTS Tokens

You can configure AM to encrypt or compress CTS tokens as they are stored in the token store. The following properties, disabled by default, are associated with token encryption and compression:


Supports encryption of CTS tokens. Default: false.


Enables GZip-based compression of CTS tokens. Default: false.


Supports compression over and above the GZip-based compression of CTS tokens. Default: false.


Compression can undermine the security of encryption. You should evaluate this threat depending on your use cases before enabling compression and encryption together.

To Configure AM to Encrypt and / or Compress CTS Tokens for Storage


When encryption or compression properties are changed, all previous tokens in the LDAP store will be unreadable; thus, invalidating any user's sessions. As a result, the user will be required to log in again.

  1. Navigate to Configure > Server Defaults > Advanced.

  2. Find the property you want to enable in the Property Name column.

  3. Replace the false value with true in the Property Value column.

  4. Save your changes.

  5. Enable the same property on every AM instance within the site. Failure to do so may cause unexpected issues storing and reading tokens across the environment.

  6. Restart the AM servers for the changes to take effect.


Configuring the CTS to encrypt and store tokens incurs a performance penalty for AM. If you need to encrypt the stored tokens in your environment, consider configuring the CTS token store DS instance to encrypt the data instead. For more information about encrypting a DS instance, see the ForgeRock Directory Services Security Guide.

Read a different version of :