Setting the session idle time limits for Platform UI (Zen)

You can adjust the session time limit for users of Zen in accordance with your security and compliance requirements. If a user leaves a session idle in a web browser for the specified length of time, the user is automatically logged out.

About this task

By default, Cloud Pak for Business Automation logs out any user after 12 hours. You can edit the product-configmap of the Zen service to adjust the values of the following parameters.

TOKEN_EXPIRY_TIME

The TOKEN_EXPIRY_TIME parameter determines the length of time for a session to expire. The default is 12 hours.

If you set TOKEN_EXPIRY_TIME: "1", a session expires after 1 hour of inactivity. If you set TOKEN_EXPIRY_TIME: "0.5", a session expires after 30 minutes of inactivity. When the user leaves a session idle for the specified length of time, the user is automatically logged out.

Set the value between 0.1 (6 minutes) and 1 (60 minutes) for the time that a session can be idle.

TOKEN_REFRESH_PERIOD

The TOKEN_REFRESH_PERIOD parameter determines the length of time after which a user must refresh a session. The default is 12 hours.

If you set TOKEN_REFRESH_PERIOD: "1" and the session does not expire, the session is automatically refreshed during the 60 minutes. The session is extended based on the value that is set for the TOKEN_EXPIRY_TIME parameter. However, after the token refresh period passes, the user must log back into the web client when the current session expires.

Set the value between 1 and 24 hours for the maximum inactive time to refresh the tokens.

If you do not want to allow users to extend sessions, set the value of the TOKEN_REFRESH_PERIOD parameter to a value less than the value of the TOKEN_EXPIRY_TIME parameter.

If you set the TOKEN_EXPIRY_TIME shorter than the TOKEN_REFRESH_PERIOD, a user who logs in to a web client must be active within the time that is specified for their token to be refreshed.

For example, suppose that a user starts a web client at 8:00 AM when the following parameter values are set.

TOKEN_EXPIRY_TIME: "0.5"
TOKEN_REFRESH_PERIOD: "2"

Expect the following behavior:
  • If the user stops working in the web client at 8:10 AM and then attempts to use the web client again at 8:41 AM, the user must re-authenticate.
  • If the user remains active in the session for 2 hours, the token refreshes at 9:59 AM, and the session does not expire until 10:29 AM. If the session expires at 10:29 AM, the user must then re-authenticate in the web client because the token refresh period expired.

Procedure

  1. Log in to your OpenShift cluster as the cluster administrator or administrator of the project where you installed Cloud Pak for Business Automation:
    oc login OpenShift_URL:port
  2. Change to the project where the Zen Service is installed:
    oc project <cpfs-project>

    Where <cpfs-project> is the namespace of your foundational services instance, which is usually the same namespace as your Cloud Pak for Business Automation deployment (cp4ba-project).

  3. Run the following command to edit the Zen Service product-configmap.
    oc edit configmap product-configmap
  4. Add an entry for the TOKEN_EXPIRY_TIME parameter to the data section of the product-configmap file.

    For example, set the value to 1 hour:

    data:
      ...
      TOKEN_EXPIRY_TIME: "1"
      ...
  5. Add an entry for the TOKEN_REFRESH_PERIOD parameter to the data section of the product-configmap file.

    For example, set the value to 1 hour:

    data:
      ...
      TOKEN_REFRESH_PERIOD: "1"
      ...
  6. Save your changes to the product-configmap file.

    For example, if you are using vi, press Esc and enter:

    :wq
  7. Restart the usermgmt pods for the changes to take effect. To restart the pods, run the following command:
    oc delete pod -l component=usermgmt
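
As an added example (not part of the product documentation or IBM code), steps 3 to 7 can be run non-interactively with a check of the values against the ranges given above, so that a typo cannot leave sessions with an unintended lifetime. The function names are hypothetical; the script assumes that `oc login` and `oc project <cpfs-project>` were already run.

```shell
#!/bin/sh
# Added example (not IBM code). Function names are hypothetical.

# is_decimal VALUE: succeed only for plain decimals such as 1, 0.5, 12.25
is_decimal() {
    case "$1" in
        ''|.*|*.|*[!0-9.]*|*.*.*) return 1 ;;
    esac
}

# in_range VALUE MIN MAX: succeed if MIN <= VALUE <= MAX
in_range() {
    awk -v v="$1" -v lo="$2" -v hi="$3" 'BEGIN { exit !(v + 0 >= lo + 0 && v + 0 <= hi + 0) }'
}

# zen_session_patch EXPIRY_HOURS REFRESH_HOURS
# Prints a JSON merge patch for product-configmap, or fails with a reason on stderr.
zen_session_patch() {
    expiry=$1
    refresh=$2
    if ! is_decimal "$expiry" || ! in_range "$expiry" 0.1 1; then
        echo "TOKEN_EXPIRY_TIME must be between 0.1 and 1: '$expiry'" >&2
        return 1
    fi
    if ! is_decimal "$refresh"; then
        echo "TOKEN_REFRESH_PERIOD must be a number of hours: '$refresh'" >&2
        return 1
    fi
    if awk -v r="$refresh" -v e="$expiry" 'BEGIN { exit !(r + 0 < e + 0) }'; then
        # Refresh period below expiry time: the page's setting for no session extension.
        echo "note: sessions cannot be extended with these values" >&2
    elif ! in_range "$refresh" 1 24; then
        echo "TOKEN_REFRESH_PERIOD must be between 1 and 24: '$refresh'" >&2
        return 1
    fi
    printf '{"data":{"TOKEN_EXPIRY_TIME":"%s","TOKEN_REFRESH_PERIOD":"%s"}}\n' "$expiry" "$refresh"
}

# apply_zen_session_limits EXPIRY_HOURS REFRESH_HOURS
# Assumes `oc login` and `oc project <cpfs-project>` were already run.
apply_zen_session_limits() {
    patch=$(zen_session_patch "$1" "$2") || return 1
    oc patch configmap product-configmap --type merge -p "$patch" &&
        oc delete pod -l component=usermgmt   # restart usermgmt so the change takes effect
}
```

For the 8:00 AM example above, `apply_zen_session_limits 0.5 2` patches both parameters and restarts the usermgmt pods.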