Explanation of the various controls available to TIP administrators for managing how long a user can stay logged in, and when unused sessions are cleaned up.
Lightweight Third Party Authentication (LTPA) token timeout
The LTPA token timeout is the duration the WebSphere Application Server (WAS) trusts the user's credentials. After the token times out, the user is logged out and prompted to log in again. The default value for this timeout is 2 hours. Products based on the Tivoli Integrated Portal (TIP) running on the Embedded WebSphere Application Server (EWAS) typically have a default LTPA token timeout of 24 hours. Valid timeout values range from 5 minutes to several years. See the WAS documentation for details on checking and setting this value: http://pic.dhe.ibm.com/infocenter/tivihelp/v15r1/index.jsp?topic=%2Fcom.ibm.tip.doc%2Fttip_config_lpta_adjust.html
Session Inactivity Timeout
A session is established for each user upon login. That session is automatically destroyed and cleaned up if there is no user activity during the timeout period. Each web application typically has independent sessions, with independent "last accessed" values. Once the session is invalidated, the next user request will be redirected to the login page. Avoid setting extremely long session timeouts. When a user closes the browser window without actually logging out, the session inactivity timeout is responsible for automatic logoff and cleanup after the timeout.
Session Keep Alive
The Tivoli Integrated Portal (TIP) ships with a feature to keep the TIP session active for a given user as long as the user's browser is open. This feature accesses the TIP web application once per keepalive interval. The default keepalive interval is 20 minutes, and can be set to any number of minutes or -1 to disable. The value must be less than the session timeout to be effective. The feature is useful in environments where users spend long periods using certain applications framed by TIP, such as the OMNIbus WebGUI Active Event List (AEL), without interacting directly with TIP. Change the keepalive interval by stopping the server and editing the "ISC.KEEPALIVE.INTERVAL" value in the file: console_profile_dir/config/cells/cell_name/applications/isc.ear/deployments/isc/isclite.war/WEB-INF/consoleProperties.xml
Sample scenarios and the settings recommended to support them:
Scenario: I want to project my system on a big screen for weeks on end without requiring someone to authenticate every day.
Configuration: Set your LTPA token timeout to a value greater than your typical server maintenance window. Do not modify session timeout or keepalive values; the default values satisfy this scenario.
Consideration: Any computer left logged in and unattended will behave like the projected user dashboard.
Scenario: My administrators are on for a very short period of time and then off to something else. I want to be sure they do not inadvertently leave themselves logged on somewhere.
Configuration: Set your LTPA token timeout to approximately twice the time you expect your admins to be logged on, say 30 minutes. Shorten the session timeout to 15 minutes, and the keepalive to 10 minutes.
Consideration: Any user needing to use the console longer than the LTPA token timeout will be logged out, and must log in again.
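The interaction of the three settings described above, as an added example (not IBM's or the product's own code): a small Python model that takes the LTPA token timeout, session inactivity timeout and keepalive interval in minutes, reports when an idle user is logged out, and flags combinations the text describes as ineffective. The class and method names are hypothetical, and the sample values in the comments are those of the second scenario.

```python
from dataclasses import dataclass

LTPA_MIN_MINUTES = 5  # the text gives 5 minutes as the smallest valid LTPA timeout


@dataclass
class TimeoutPlan:  # hypothetical helper, not part of TIP or WAS
    ltpa: int       # LTPA token timeout, minutes (e.g. 30)
    session: int    # session inactivity timeout, minutes (e.g. 15)
    keepalive: int  # ISC.KEEPALIVE.INTERVAL, minutes; -1 disables (e.g. 10)

    def keepalive_effective(self) -> bool:
        # The keepalive must fire before the session goes idle to have any effect.
        return 0 < self.keepalive < self.session

    def idle_open_browser_logout(self) -> int:
        """Minutes until a user with an open, untouched browser is logged out."""
        if self.keepalive_effective():
            return self.ltpa  # session is kept alive; only token expiry ends it
        return min(self.session, self.ltpa)

    def closed_browser_cleanup(self) -> int:
        """Minutes of inactivity before an abandoned session is destroyed."""
        return self.session

    def findings(self) -> list[str]:
        out = []
        if self.ltpa < LTPA_MIN_MINUTES:
            out.append("LTPA timeout is below the 5 minute minimum")
        if self.keepalive != -1 and not self.keepalive_effective():
            out.append("keepalive has no effect: it must be > 0 and less than "
                       "the session timeout")
        if self.session > self.ltpa:
            out.append("session timeout exceeds LTPA timeout; the token expires first")
        if self.keepalive_effective():
            out.append(f"unattended open browser stays logged in for {self.ltpa} min")
        return out


if __name__ == "__main__":
    for plan in (TimeoutPlan(30, 15, 10), TimeoutPlan(30, 15, 20)):
        print(plan, "-> idle logout after", plan.idle_open_browser_logout(), "min")
        for finding in plan.findings():
            print("  -", finding)
```
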