Setting the idle session timeout

Important: IBM Cloud Pak® for Data Version 4.8 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.

Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.8 reaches end of support. For more information, see Upgrading from IBM Cloud Pak for Data Version 4.8 to IBM Software Hub Version 5.1.

You can adjust the idle session timeout for IBM Cloud Pak for Data in accordance with your security and compliance requirements. If a user leaves their session idle in a web browser for the specified length of time, the user is automatically logged out of the web client.

Who needs to complete this task?

To complete this task, you must have one of the following roles on the Red Hat® OpenShift® Container Platform cluster:

  • Cluster administrator
  • Instance administrator

When do you need to complete this task?

Complete this task only if you want to override the default idle session timeout for an instance of IBM Cloud Pak for Data.

Repeat as needed: If you have multiple instances of Cloud Pak for Data, repeat this task for each instance where you want to override the default behavior.

About this task

By default, Cloud Pak for Data logs users out after 12 hours. You can edit the Cloud Pak for Data product-configmap to adjust:

Setting: The length of time until a user's session expires
Parameter name: TOKEN_EXPIRY_TIME
Description: The default is 12 hours.
  • If you set TOKEN_EXPIRY_TIME: "1", a user's session will expire after 1 hour of inactivity.
  • If you set TOKEN_EXPIRY_TIME: "0.5", a user's session will expire after 30 minutes of inactivity.

When the user leaves their session idle for the specified length of time, the user is automatically logged out of the web client.

It is recommended that you set the value between 0.1 and 1.

Setting: The length of time until an administrator's session expires
Parameter name: ADMIN_TOKEN_EXPIRY_TIME
Description: By default, the TOKEN_EXPIRY_TIME setting applies to all users.

You can optionally set ADMIN_TOKEN_EXPIRY_TIME to override the TOKEN_EXPIRY_TIME setting for users with the Administer platform permission.

Users with the Administer platform permission have elevated permissions on the platform. You can use the ADMIN_TOKEN_EXPIRY_TIME setting to limit the exposure of sensitive data by setting the ADMIN_TOKEN_EXPIRY_TIME lower than the TOKEN_EXPIRY_TIME.

For example, set:
  • TOKEN_EXPIRY_TIME: "1" to log regular users out after 1 hour of inactivity.
  • ADMIN_TOKEN_EXPIRY_TIME: ".25" to log a user with the Administer platform permission out after 15 minutes of inactivity.

Setting: The length of time that a user has to refresh their session
Parameter name: TOKEN_REFRESH_PERIOD
Description: The default is 12 hours.

If you set TOKEN_REFRESH_PERIOD: "1" and the user's session does not expire, the user's session is automatically refreshed during this 60-minute period. The session is extended based on the value that is set for the TOKEN_EXPIRY_TIME parameter. However, after the token refresh period passes, the user must log back in to the web client when their current session expires.

It is recommended that you set the value between 1 and 24.

If you don't want to allow users to extend their sessions, set the TOKEN_REFRESH_PERIOD parameter to a value less than the value of the TOKEN_EXPIRY_TIME parameter.

Setting: The length of time that an administrator has to refresh their session
Parameter name: ADMIN_TOKEN_REFRESH_PERIOD
Description: By default, the TOKEN_REFRESH_PERIOD setting applies to all users.

You can optionally set the ADMIN_TOKEN_REFRESH_PERIOD to override the TOKEN_REFRESH_PERIOD setting for users with the Administer platform permission.

Users with the Administer platform permission have elevated permissions on the platform. You can use the ADMIN_TOKEN_REFRESH_PERIOD setting to limit the exposure of sensitive data by setting the ADMIN_TOKEN_REFRESH_PERIOD lower than the TOKEN_REFRESH_PERIOD.

Use the following examples to understand how these settings work:

Sample configuration 1
In this configuration, the same settings are applied to all users.
TOKEN_EXPIRY_TIME: "0.5"
TOKEN_REFRESH_PERIOD: "2"
If a user starts work at 8 AM and logs in to the web client, the user must be active in the web session within 30 minutes for their token to be refreshed:
  • If the user stops using the web client at 8:10 and does not use the web client again until 8:41, the user must re-authenticate to the web client because their session expired.
  • If the user remains active in their session and their token refreshes at 9:59 AM, their session will last until 10:29 AM. However, when the session expires at 10:29, the user must re-authenticate to the web client because the token refresh period expired.

Sample configuration 2
In this configuration, more restrictive settings are applied to users with the Administer platform permission.
TOKEN_EXPIRY_TIME: "0.5"
ADMIN_TOKEN_EXPIRY_TIME: "0.25"
TOKEN_REFRESH_PERIOD: "2"
ADMIN_TOKEN_REFRESH_PERIOD: "0.1"
If a user without the Administer platform permission starts work at 8 AM and logs in to the web client, the user must be active in the web session within 30 minutes for their token to be refreshed:
  • If the user stops using the web client at 8:10 and does not use the web client again until 8:41, the user must re-authenticate to the web client because their session expired.
  • If the user remains active in their session and their token refreshes at 9:59 AM, their session will last until 10:29 AM. However, when the session expires at 10:29, the user must re-authenticate to the web client because the token refresh period expired.

If another user with the Administer platform permission starts work at 8 AM and logs in to the web client, the user's session will automatically expire at 8:15 AM, even if the user is active in the web client.
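The two sample configurations as a small model you can run, added here and not part of the IBM documentation. It assumes that any activity inside the refresh period refreshes the token for another TOKEN_EXPIRY_TIME, that activity after the refresh period does not, and that a session whose expiry time has been reached requires re-authentication; times are HH:MM within one day.

```shell
#!/bin/sh
# Assumed model of the expiry/refresh interaction, for checking a candidate configuration.
hours_to_min() { awk -v h="$1" 'BEGIN { printf "%d", h * 60 }'; }
hm_to_min() { printf '%s\n' "$1" | awk -F: '{ print $1 * 60 + $2 }'; }
min_to_hm() { awk -v m="$1" 'BEGIN { printf "%02d:%02d", int(m / 60), m % 60 }'; }

# session_events EXPIRY_HOURS REFRESH_HOURS LOGIN_HH:MM ACTIVITY_HH:MM...
# Prints one line per activity time: "<time> refreshed until <expiry>",
# "<time> active, no refresh, expires <expiry>", or "<time> re-auth".
session_events() {
  expiry=$(hours_to_min "$1"); refresh=$(hours_to_min "$2")
  login=$(hm_to_min "$3"); shift 3
  exp_at=$((login + expiry)); refresh_until=$((login + refresh))
  for t in "$@"; do
    now=$(hm_to_min "$t")
    if [ "$now" -ge "$exp_at" ]; then
      # Token expired before this activity: a new login starts a new refresh window.
      echo "$t re-auth"
      login=$now; exp_at=$((login + expiry)); refresh_until=$((login + refresh))
    elif [ "$now" -le "$refresh_until" ]; then
      # Inside the refresh period: the token is extended by the expiry time.
      exp_at=$((now + expiry)); echo "$t refreshed until $(min_to_hm "$exp_at")"
    else
      # Refresh period over: the current token keeps its expiry time.
      echo "$t active, no refresh, expires $(min_to_hm "$exp_at")"
    fi
  done
}

# Sample configuration 1 (user) and sample configuration 2 (administrator).
session_events 0.5 2 08:00 08:10 08:41
session_events 0.5 2 08:00 08:20 08:45 09:10 09:35 09:59 10:29
session_events 0.25 0.1 08:00 08:10 08:15
```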

Procedure

  1. Log in to Red Hat OpenShift Container Platform as a user with sufficient permissions to complete the task.
    ${OC_LOGIN}
  2. To change the TOKEN_EXPIRY_TIME setting:
    1. Set the USER_EXPIRY_TIME environment value to the length of time, in hours, until the session expires. Use a decimal, such as 0.5, to specify a fraction of an hour.
      export USER_EXPIRY_TIME=<time-in-hours>
    2. Set the TOKEN_EXPIRY_TIME parameter in the product-configmap ConfigMap:
      oc patch configmap product-configmap \
      --namespace=${PROJECT_CPD_INST_OPERANDS} \
      --type=merge \
      --patch="{\"data\": {\"TOKEN_EXPIRY_TIME\": \"${USER_EXPIRY_TIME}\"}}"
  3. To change the ADMIN_TOKEN_EXPIRY_TIME setting:
    1. Set the ADMIN_EXPIRY_TIME environment value to the length of time, in hours, until the session expires. Use a decimal, such as 0.5, to specify a fraction of an hour.
      export ADMIN_EXPIRY_TIME=<time-in-hours>
    2. Set the ADMIN_TOKEN_EXPIRY_TIME parameter in the product-configmap ConfigMap:
      oc patch configmap product-configmap \
      --namespace=${PROJECT_CPD_INST_OPERANDS} \
      --type=merge \
      --patch="{\"data\": {\"ADMIN_TOKEN_EXPIRY_TIME\": \"${ADMIN_EXPIRY_TIME}\"}}"
  4. To change the TOKEN_REFRESH_PERIOD setting:
    1. Set the USER_REFRESH_PERIOD environment value to the length of time, in hours, that a user has to refresh their session. Use a decimal, such as 0.5, to specify a fraction of an hour.
      export USER_REFRESH_PERIOD=<time-in-hours>
    2. Set the TOKEN_REFRESH_PERIOD parameter in the product-configmap ConfigMap:
      oc patch configmap product-configmap \
      --namespace=${PROJECT_CPD_INST_OPERANDS} \
      --type=merge \
      --patch="{\"data\": {\"TOKEN_REFRESH_PERIOD\": \"${USER_REFRESH_PERIOD}\"}}"
  5. To change the ADMIN_TOKEN_REFRESH_PERIOD setting:
    1. Set the ADMIN_REFRESH_PERIOD environment value to the length of time, in hours, that an administrator has to refresh their session. Use a decimal, such as 0.5, to specify a fraction of an hour.
      export ADMIN_REFRESH_PERIOD=<time-in-hours>
    2. Set the ADMIN_TOKEN_REFRESH_PERIOD parameter in the product-configmap ConfigMap:
      oc patch configmap product-configmap \
      --namespace=${PROJECT_CPD_INST_OPERANDS} \
      --type=merge \
      --patch="{\"data\": {\"ADMIN_TOKEN_REFRESH_PERIOD\": \"${ADMIN_REFRESH_PERIOD}\"}}"
  6. Restart the usermgmt pods for the changes to take effect:
    oc delete pods \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    -l component=usermgmt
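A pre-flight check for the four values before running the oc patch commands above, added here as an example and not part of the IBM documentation. It assumes the page's recommended ranges (0.1-1 for TOKEN_EXPIRY_TIME, 1-24 for TOKEN_REFRESH_PERIOD) and its advice that the ADMIN_* values be lower than the user values, and it builds one merge patch covering all four keys instead of four separate patches.

```shell
#!/bin/sh
# Values are hours as decimals, as in the procedure. Function names here are this example's own.
is_hours() { printf '%s' "$1" | grep -Eq '^[0-9]*\.?[0-9]+$'; }
# in_range VALUE LOW HIGH and lt A B return 0 when the numeric condition holds.
in_range() { awk -v v="$1" -v lo="$2" -v hi="$3" 'BEGIN { exit !(v >= lo && v <= hi) }'; }
lt() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a < b) }'; }

# check_timeouts USER_EXPIRY ADMIN_EXPIRY USER_REFRESH ADMIN_REFRESH
# Returns 0 when every value is numeric and the page's recommendations hold.
check_timeouts() {
  rc=0
  for v in "$@"; do
    is_hours "$v" || { echo "not a decimal number of hours: $v" >&2; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  in_range "$1" 0.1 1 || { echo "TOKEN_EXPIRY_TIME $1 is outside the recommended 0.1-1" >&2; rc=1; }
  in_range "$3" 1 24 || { echo "TOKEN_REFRESH_PERIOD $3 is outside the recommended 1-24" >&2; rc=1; }
  lt "$2" "$1" || { echo "ADMIN_TOKEN_EXPIRY_TIME $2 is not lower than TOKEN_EXPIRY_TIME $1" >&2; rc=1; }
  lt "$4" "$3" || { echo "ADMIN_TOKEN_REFRESH_PERIOD $4 is not lower than TOKEN_REFRESH_PERIOD $3" >&2; rc=1; }
  # A refresh period shorter than the expiry time means sessions can never be extended.
  if lt "$3" "$1"; then echo "note: TOKEN_REFRESH_PERIOD $3 < TOKEN_EXPIRY_TIME $1, users cannot extend sessions" >&2; fi
  return "$rc"
}

# build_timeout_patch USER_EXPIRY ADMIN_EXPIRY USER_REFRESH ADMIN_REFRESH -> JSON merge patch
build_timeout_patch() {
  printf '{"data":{"TOKEN_EXPIRY_TIME":"%s","ADMIN_TOKEN_EXPIRY_TIME":"%s","TOKEN_REFRESH_PERIOD":"%s","ADMIN_TOKEN_REFRESH_PERIOD":"%s"}}' \
    "$1" "$2" "$3" "$4"
}

# Example values from the page: 1 hour / 15 minutes expiry, 2 hours / 30 minutes refresh.
if check_timeouts 1 .25 2 0.5; then
  build_timeout_patch 1 .25 2 0.5
  echo
fi
```

Pass the printed JSON as the --patch argument of the same oc patch command as in step 2, then restart the usermgmt pods as in step 6.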