Does not apply to Identity Cloud

Agent and IG session numbers keep growing in the CTS store in AM (All versions)

Last updated Sep 22, 2021

The purpose of this article is to provide assistance if you see increasing Agent and IG session numbers in the Core Token Service (CTS) store, where the sessions have an expiration date of 42 years.

Symptoms

You see a large number of Agent or IG-related sessions in the CTS that are never removed because they have a lifetime of 42 years. User sessions, by contrast, are created with the correct lifetime per your session settings and are cleaned up when they expire.

The following behavior may also be seen when this occurs:

  • Re-authenticating (for example, by refreshing an Agent-protected page or authenticating to AM via IG) creates a new token while the old one persists in the CTS.
  • Increased response times from the CTS.
  • The DS changelog grows more than anticipated, which in turn may cause you to run out of disk space.

Example application tokens

The coreTokenUserId seen in the application session token matches the name of the agent profile, for example:

  • coreTokenUserId: id=apache24,ou=agent,dc=openam,dc=forgerock,dc=com (Apache web agent example)
  • coreTokenUserId: id=ig_agent,ou=agent,ou=am-config (IG example)
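The following is an added example, not part of the ForgeRock article, that shows how a defender could confirm the symptom from an LDIF export of the CTS store: it counts Agent and IG SESSION tokens whose expiration lies more than a year in the future, grouped by agent profile. It assumes the export was taken from the DS CTS backend with ldapsearch and carries the CTS attributes coreTokenId, coreTokenType, coreTokenUserId and coreTokenExpirationDate (the last in LDAP GeneralizedTime form); the LDIF data, the DN suffixes and the NOW timestamp are constructed for the example.

```python
# Added example: scan an LDIF export of the CTS store for Agent/IG session
# tokens that will, in practice, never expire (the 42-year tokens).
# Assumption (not stated in the article): the export contains the CTS
# attributes coreTokenType, coreTokenUserId and coreTokenExpirationDate,
# with the expiration date as LDAP GeneralizedTime, e.g. 20630920101500Z.
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Agent and IG application sessions carry the agent profile DN in
# coreTokenUserId, which sits under an ou=agent container (as in the two
# examples in the article).
AGENT_MARKER = ",ou=agent,"

# Any session expiring further out than this is treated as "never expires";
# a correctly configured idle timeout is measured in minutes, not years.
LONG_LIVED = timedelta(days=365)

# Constructed sample export; not real CTS data. Two Apache agent sessions and
# one IG session with 42-year expiry, one normal user session, one non-session
# token owned by the agent (must be ignored).
SAMPLE_LDIF = """\
# constructed sample export
dn: coreTokenId=agent-token-1,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
coreTokenId: agent-token-1
coreTokenType: SESSION
coreTokenUserId: id=apache24,ou=agent,dc=openam,dc=forgerock,dc=com
coreTokenExpirationDate: 20630920101500Z

dn: coreTokenId=agent-token-2,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
coreTokenId: agent-token-2
coreTokenType: SESSION
coreTokenUserId: id=apache24,ou=agent,dc=openam,dc=forgerock,dc=com
coreTokenExpirationDate: 20630920101700Z

dn: coreTokenId=ig-token-1,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
coreTokenId: ig-token-1
coreTokenType: SESSION
coreTokenUserId: id=ig_agent,ou=agent,ou=am-config
coreTokenExpirationDate: 20630920102000Z

dn: coreTokenId=user-token-1,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
coreTokenId: user-token-1
coreTokenType: SESSION
coreTokenUserId: id=demo,ou=user,dc=openam,dc=forgerock,dc=com
coreTokenExpirationDate: 20210922120000Z

dn: coreTokenId=oauth-token-1,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
coreTokenId: oauth-token-1
coreTokenType: OAUTH
coreTokenUserId: id=apache24,ou=agent,dc=openam,dc=forgerock,dc=com
coreTokenExpirationDate: 20630920102000Z
"""

# Constructed "now", chosen to match the article's date.
NOW = datetime(2021, 9, 22, 10, 0, tzinfo=timezone.utc)


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: one dict per entry, entries separated by blank lines.
    Handles RFC 2849 folded continuation lines; base64 (::) values are not needed here."""
    entries: List[Dict[str, str]] = []
    entry: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
            entry, last_key = {}, None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line.startswith(" ") and last_key:  # folded continuation line
            entry[last_key] += line[1:]
            continue
        key, _, value = line.partition(":")
        entry[key] = value.strip()
        last_key = key
    if entry:
        entries.append(entry)
    return entries


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime such as 20630920101500Z (fractional seconds ignored)."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def find_stuck_agent_sessions(ldif_text: str, now: datetime) -> Dict[str, int]:
    """Return {agent profile DN: count} of SESSION tokens that expire more than
    LONG_LIVED after `now`; user sessions and non-session tokens are ignored."""
    stuck: Counter = Counter()
    for entry in parse_ldif(ldif_text):
        if entry.get("coreTokenType") != "SESSION":
            continue
        owner = entry.get("coreTokenUserId", "")
        if AGENT_MARKER not in owner.lower():
            continue
        expires = parse_generalized_time(entry["coreTokenExpirationDate"])
        if expires - now > LONG_LIVED:
            stuck[owner] += 1
    return dict(stuck)


if __name__ == "__main__":
    for agent_dn, count in sorted(find_stuck_agent_sessions(SAMPLE_LDIF, NOW).items()):
        print(f"{count:6d}  {agent_dn}")
```

On a real deployment, feed the script the output of an ldapsearch against the CTS base DN instead of SAMPLE_LDIF; a count that keeps rising between two runs for the same agent profile, together with the far-future expiration date, is the pattern this article describes.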

Recent Changes

N/A

Causes

The Agent or IG application tokens created by repeated authentication requests are not deleted when unused for a period of time because they have a lifetime of 42 years. This is a known issue: OPENAM-10377 (Agent creates unexpired tokens which are not deleted from CTS).

Solution

This issue can be resolved by setting the com.iplanet.am.session.agentSessionIdleTime property appropriately to force idle Agent and IG sessions to expire so they can be cleaned up by the reaper. Changing this setting only applies to new Agent and IG sessions; if you need to clean up old sessions, see How do I delete all or some of the tokens in the CTS store in AM (All versions)? for further information.

The default is 0 (sessions never expire). To enable an idle timeout, set it to 30 or above (there is no maximum); the value is the number of minutes a session can remain idle before it expires.

You can set this property using either the console, Amster or ssoadm:

  • Console: navigate to: Configure > Server Defaults > Advanced > com.iplanet.am.session.agentSessionIdleTime and amend the required number of minutes.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: DefaultAdvancedProperties
    • Property: com.iplanet.am.session.agentSessionIdleTime
  • ssoadm: enter the following command, replacing [adminID], [passwordfile] and [minutes] with appropriate values:

    $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a com.iplanet.am.session.agentSessionIdleTime=[minutes]

Note

You must restart both the web application container in which AM runs, and the server where the Agent or IG is installed to apply these configuration changes.

See Also

Best practice for configuring sessions in AM (All versions) to reduce the impact on the CTS store

How do I configure session timeouts in AM (All versions)?

Understanding CTS token types in AM

Advanced Properties

Related Training

N/A

Related Issue Tracker IDs

OPENAM-10377 (Agent creates unexpired tokens which are not deleted from CTS)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.