Setting the idle session timeout
You can adjust the idle session timeout for IBM Cloud Pak for AIOps in accordance with your security and compliance requirements. If a user leaves their session idle in a web browser for the specified length of time, the user is automatically logged out of the IBM Cloud Pak for AIOps console.
Before you begin
If you have an installation of IBM Cloud Pak for AIOps on Red Hat® OpenShift®, then you must have one of the following roles:
- Red Hat OpenShift cluster administrator.
- Red Hat OpenShift project administrator on the project (namespace) where IBM Cloud Pak for AIOps is installed.
About this task
By default, IBM Cloud Pak for AIOps logs users out of the Cloud Pak for AIOps console after 12 hours. You can edit the product-configmap to adjust the following session timeout settings:
-
The length of time until a user's session expires (TOKEN_EXPIRY_TIME). When the user leaves their session idle for the specified length of time, the user is automatically logged out of the web client. The default is 12 hours.
If you set
TOKEN_EXPIRY_TIME: "1", a user's session will expire after 1 hour of inactivity. If you setTOKEN_EXPIRY_TIME: "0.5", a user's session will expire after 30 minutes of inactivity. You are recommended to set the value between 0.1 and 1. -
The length of time that a user has to refresh their session (TOKEN_REFRESH_PERIOD). The default is 12 hours. You are recommended to set the value between 1 and 24.
If you set
TOKEN_REFRESH_PERIOD: "1"and the user's session does not expire, the user's session is automatically refreshed during this 60 minute period. The session is extended based on the value that is set for theTOKEN_EXPIRY_TIMEparameter. However, after the token refresh period passes, the user must log back into the web client when their current session expires.If you don't want to allow users to extend their sessions, set the value of the
TOKEN_REFRESH_PERIODparameter to a value less than the value of theTOKEN_EXPIRY_TIMEparameter.
For example, the following configuration shows potential values for these settings:
TOKEN_EXPIRY_TIME: "0.5"
TOKEN_REFRESH_PERIOD: "2"
If a user starts work at 8 AM and logs in to the console, the user must be active in the web session within 30 minutes for their token to be refreshed. If the user stops using the Cloud Pak for AIOps console at 8:10 and attempts to use the console again until 8:41, the user must re-authenticate to the console because their session expired.
However, if the user remains active in their session and their token refreshes at 9:59 AM, their session lasts until 10:29 AM. When the session expires at 10:29, the user must re-authenticate to the console because the token refresh period expired.
Procedure
-
Change to the project where IBM Cloud Pak for AIOps is deployed:
If you have an installation of IBM Cloud Pak for AIOps on Red Hat OpenShift, log in to your cluster and then run the following command:
oc project <project>Where
<project>is the namespace (project) that IBM Cloud Pak for AIOps is deployed in.If you have an installation of IBM Cloud Pak for AIOps on Linux, log in to a control plane node and then run the following command:
oc project aiops -
Run the following command to edit the
product-configmapfile:oc edit configmap product-configmap -
Add an entry for the
TOKEN_EXPIRY_TIMEparameter to the data section of theproduct-configmapfile. For example:data: ... TOKEN_EXPIRY_TIME: "1" ... -
Add an entry for the
TOKEN_REFRESH_PERIODparameter to the data section of theproduct-configmapfile. For example:data: ... TOKEN_REFRESH_PERIOD: "1" ... -
Save your changes to the
product-configmapfile. -
Restart the
usermgmtpods for the changes to take effect. To restart the pods, run the following command:oc delete pod -l component=usermgmt