Deployment Architectures

You can deploy CTS token stores in a number of deployment architectures depending on your system requirements:

Affinity CTS Token Store

Use a DS affinity deployment for the CTS token store for high availability in the same datacenter.

Site CTS Token Store

Create site deployments in different geographic locations for high availability across datacenters.

CTS Affinity Deployment

In an affinity deployment, AM balances LDAP requests across one or more directory servers. AM always routes LDAP requests for a specific CTS token to the same directory server. This prevents attempts to read a token that has been written to another directory server, but not replicated yet. Affinity deployments are well suited for deployments with many AM servers.

Use AM's Connection String(s) property on the AM console to configure server affinity without a load balancer. For more information on the Connection String(s) property, see "External Store Configuration".

A CTS Affinity Deployment
A CTS Affinity Deployment

For more information on CTS affinity deployments, see Best practice for using Core Token Service (CTS) Affinity based load balancing in AM (All versions) and OpenAM 13.5.1 in the ForgeRock Knowledge Base.

Note

The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change.

To work around this, either:

  • Manually add or remove the instances from the connection string and restart AM or the container where it runs.

  • Configure a DS proxy in front of the DS instances to distribute data across multiple DS shards, and configure the proxy's URL in the connection string.

CTS Site Deployment

CTS supports uninterrupted session availability in deployments with multiple sites if all sites use the same global underlying CTS store replicated across all sites. If an entire site fails or becomes unavailable, AM servers in another site can detect the failure of the site's load balancer and attempt to use sessions from the global Core Token Service.

In the event of a failure, client applications can connect to an AM server in an active data center as shown in "Core Token Service For Global Session Failover":

Core Token Service For Global Session Failover
Global CTS

For more information on CTS for global session high availability with DS server, see the DS documentation on Replication.

Read a different version of :