AM 7.2.0

Deployment architectures

You can deploy CTS token stores in a number of deployment architectures, depending on your system requirements:

CTS affinity deployment

In an affinity deployment, AM balances LDAP requests across one or more directory servers. AM always routes LDAP requests for a specific CTS token to the same directory server. This prevents attempts to read a token that has been written to another directory server, but not replicated yet. Affinity deployments are well suited for deployments with many AM servers.

Use AM’s Connection String(s) property on the AM admin UI to configure server affinity without a load balancer. For more information on the Connection String(s) property, see External Store Configuration.

Depicts an Affinity Configuration for CTS.
Figure 1. A CTS affinity deployment

For more information on CTS affinity deployments, see Best practice for using Core Token Service (CTS) Affinity based load balancing in AM (All versions) and OpenAM 13.5.1 in the ForgeRock Knowledge Base.

The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change.

To work around this, either:

  • Manually add or remove the instances from the connection string and restart AM or the container where it runs.

  • Configure a DS proxy in front of the DS instances to distribute data across multiple DS shards, and configure the proxy’s URL in the connection string.

CTS site deployment

CTS supports uninterrupted session availability in deployments with multiple sites if all sites use the same global underlying CTS store replicated across all sites. If an entire site fails or becomes unavailable, AM servers in another site can detect the failure of the site’s load balancer and attempt to use sessions from the global Core Token Service.

In the event of a failure, client applications can connect to an AM server in an active data center:

Shows a globally replicated Core Token Service with two data centers
Figure 2. Core token service for global session failover

For more information on global session availability for the CTS, see Replication in the Directory Services documentation.

Copyright © 2010-2022 ForgeRock, all rights reserved.