Setting the LTPA token timeout value for application servers

Active users can be logged out of OpenPages® without warning even though the OpenPages session inactivity timeout period did not elapse.

If the LTPA token expires, the user is logged off and a message is written to the log. The OpenPages Application Server uses the Lightweight Third Party Authentication (LTPA) of WebSphere® Liberty Profile (WLP). The default LTPA token timeout is set to 12 hours. This value is an absolute time that is not based on user activity.

You can increase the LTPA token timeout value for OpenPages application servers so that users are less likely to be logged off unexpectedly.

Before you begin

Ensure that you consider the following information before you set the LTPA token timeout.

  • Increasing the LTPA token timeout presents a security risk. The longer a user's token is valid, the more time is available to a malicious actor to gain access to your OpenPages application server.
  • Try to strike a balance between usability and security with the LTPA token timeout value.
  • Use other security policies, such as the session inactivity timeout.

For more information about LTPA, see LTPA or LTPA Token (ltpa).

About this task

Repeat the following steps on each administrative and nonadministrative application server in your OpenPages deployment to change the LTPA token timeout.

Procedure

  1. Prepare your environment.
    1. Log on to the IBM OpenPages application server as a user with administrative permissions.
    2. Stop all OpenPages services. For more information, see Stopping application servers.
  2. Go to the overrides directory.

    <OP_HOME>/wlp-usr/servers/<server_name>Server<#>/configDropins/overrides/ where <server_name> is the name of the application server.

  3. In a text editor, open the op-apps.xml file and search for the following lines:
    <!-- LTPA security token default expiration 12h -->
    <ltpa expiration="720"/>
  4. Set the expiration parameter to the new timeout value. To specify the value in minutes, enter only the number of minutes. To specify the value in hours, enter an "h" after the number of hours. Save and close the file.
  5. Do the following steps:
    1. Restart all OpenPages services. For more information, see Starting application servers.
    2. If the environment is load-balanced, repeat this procedure for each application server in the load-balanced environment.
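
Example (added here, not part of the product documentation or IBM code): a Python check that reads the op-apps.xml override from each application server, normalizes the expiration value to minutes, and reports servers that exceed a ceiling or that disagree with each other after the change. The 12-hour ceiling, the server labels, the sample XML, and the `<server>` root element are assumptions.

```python
import re
import sys
import xml.etree.ElementTree as ET

MAX_MINUTES = 12 * 60  # assumed policy ceiling (the 12h default); set per your policy

# Constructed sample overrides; the <server> root wrapper is an assumption.
SAMPLE = {
    "node1": '<server><!-- LTPA security token default expiration 12h -->'
             '<ltpa expiration="720"/></server>',
    "node2": '<server><ltpa expiration="24h"/></server>',
    "node3": '<server></server>',
}

def expiration_minutes(value):
    """Bare number = minutes; number followed by "h" = hours (the two forms in step 4)."""
    match = re.fullmatch(r"(\d+)(h?)", value.strip())
    if match is None:
        raise ValueError(f"unrecognized expiration value: {value!r}")
    number = int(match.group(1))
    return number * 60 if match.group(2) else number

def audit(configs, max_minutes=MAX_MINUTES):
    """configs: {label: op-apps.xml text}. Returns a sorted list of (label, finding)."""
    findings, seen = [], {}
    for label, text in configs.items():
        element = ET.fromstring(text).find(".//ltpa")
        if element is None or "expiration" not in element.attrib:
            findings.append((label, "no ltpa expiration set in this file"))
            continue
        try:
            seen[label] = expiration_minutes(element.attrib["expiration"])
        except ValueError as error:
            findings.append((label, str(error)))
            continue
        if seen[label] > max_minutes:
            findings.append((label, f"{seen[label]} min exceeds ceiling {max_minutes}"))
    if len(set(seen.values())) > 1:
        # Load-balanced servers should carry the same value after the procedure.
        findings.append(("*", f"servers disagree: {sorted(seen.items())}"))
    return sorted(findings)

if __name__ == "__main__":
    # Pass op-apps.xml paths as arguments, or run with none to use the sample.
    configs = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or SAMPLE
    for label, finding in audit(configs):
        print(f"{label}: {finding}")
```

Run it with the path to each server's op-apps.xml as arguments; an empty result means every file sets the same value and none exceeds the ceiling.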