Configuring CTS Token Stores
The following table summarizes the high-level tasks you need to perform to configure a new instance of the CTS token store:
Task | Resources |
---|---|
Prepare a DS Server Prepare the DS schema for CTS data. | "To Install and Configure Directory Services for CTS Data" |
Configure AM to Use the New CTS Token Store Configuring a new CTS data store does not migrate existing data from the old store to the new one. In most cases, this will mean that users will need to log in again so that AM stores their sessions and tokens in the new token store. | "To Configure CTS" |
Test Session High-Availability For this test, you need to have a site with more than one instance. The idea is to log in a user into the first instance, shut it down, and check that the session is still available to the second instance. | "To Test Session High Availability" |
Directory Services 6.5 added support for setup profiles to greatly simplify initial configuration.
Using a setup profile will create the backend, schema, bind user, and indexes required for use with CTS data.
To install DS using a setup profile, follow the steps in "DS for AM CTS" in the Directory Services 7 Installation Guide.
Share the CTS store certificate with the AM container to prepare for TLS/LDAPS. The CTS store should communicate over secure connections for security reasons.
DS 7 or later is configured to require secure connections by default; therefore, share its certificate with the AM container before continuing.
Export the DS server certificate:
$
/path/to/opendj/bin/dskeymgr export-ca-cert \ --deploymentKey $DEPLOYMENT_KEY \ --deploymentKeyPassword password \ --alias ds-ca-cert \ --outputFile ds-ca-cert.pem
Note that
$DEPLOYMENT_KEY
is a Unix variable that contains the DS deployment key, so that it is not logged in the user's command history.The default DS server certificate only has the hostname you supplied at setup time, and
localhost
, as the value of theSubjectAlternativeName
attribute; however, certificate hostname validation is strict.Ensure that the certificate matches the hostname (or the FQDN) of the DS server before continuing.
Import the DS certificate into the AM truststore:
$
keytool \ -importcert \ -alias ds-ca-cert \ -file ds-ca-cert.pem \ -keystore /path/to/openam/security/keystores/truststore
For more information on configuring AM's truststore, see "Preparing a Truststore".
Proceed to configuring the CTS store in AM. See "To Configure CTS".
The bind DN of the service account to use when configuring the CTS store in AM is
uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens
.
This procedure assumes that the AM instances communicate with a single CTS instance (or load balancer), which has an FQDN of cts.example.com
and is running on port 1636
.
Important
If AM cannot access the CTS token store, you will be unable to log in to the AM console.
Back up your deployment before making any changes to your CTS token store configuration.
Perform the following steps to configure an external CTS token store:
Open the AM console and navigate to Configure > Server Defaults, and then click CTS.
On the CTS Token Store tab, configure the parameters as follows:
CTS Token Store ParametersParameter Value Notes Store Mode External Token Store
Root Suffix ou=famrecords,ou=openam-session,ou=tokens
Max Connections 17
For production, this value needs to be tuned. Consider 2^n+1, where n=4, 5, 6, and so on. For example, try setting this to 17, 33, 65, and test performance under load. On the External Store Configuration tab, configure the parameters as follows:
External Store Configuration ParametersParameter Value Notes SSL/TLS Enabled True When connecting to DS 7, or a DS server in production mode, enable secure connections. When you enable SSL/TLS, make sure the AM server can trust the DS server certificate and that the certificate matches the CTS store FQDN. Connection String(s) cts.example.com:1636
Use the LDAPS port. Alternatively, use the LDAP port with StartTLS, as in cts.example.com:1389
.Login ID uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens
The bind DN of the service account AM uses to connect to the directory service. Password 5up35tr0ng Use a strong bind password for production systems. Heartbeat 10
For production, this value needs to be tuned. Click Save Changes.
Restart AM or the web container where it runs for the changes to take effect.
To test session high availability, use two browsers: Chrome and Firefox. You can use any two browser types, or run the browsers in incognito mode. You can also view tokens using an LDAP browser.
In Chrome, log in to the second AM instance with the
amAdmin
user, select the realm, and then click onsessions
.In Firefox, log in to the first AM instance with a test user.
In Chrome, verify that the test user exists in the first AM instance's session list and not in the second instance.
Shut down the first AM instance.
In Firefox, rewrite the URL to point to the second AM instance. If successful, the browser should not prompt for login.
Confirm the session is still available. In Chrome, list the sessions on the second instance, the test user's session should be present.
Restart the first AM instance to complete the testing.