Setting the idle session timeout

You can adjust the idle session timeout for IBM Cloud Pak for Data in accordance with your security and compliance requirements. If a user leaves their session idle in a web browser for the specified length of time, the user is automatically logged out of the web client.

Who needs to complete this task?

To complete this task, you must have one of the following roles on the Red Hat® OpenShift® Container Platform cluster:

Cluster administrator
Instance administrator

When do you need to complete this task?

Complete this task only if you want to override the default idle session timeout for an instance of IBM Cloud Pak for Data.

Repeat as needed If you have multiple instances of Cloud Pak for Data, repeat this task for each instance where you want to override the default behavior.

About this task

By default, Cloud Pak for Data logs users out after 12 hours. You can edit the Cloud Pak for Data product-configmap to adjust:

Setting	Parameter name	Description
The length of time until a user's session expires	`TOKEN_EXPIRY_TIME`	The default is 12 hours. If you set `TOKEN_EXPIRY_TIME: "1"`, a user's session will expire in after 1 hour of inactivity. If you set `TOKEN_EXPIRY_TIME: "0.5"`, a user's session will expire after 30 minutes of inactivity. When the user leaves their session idle for the specified length of time, the user is automatically logged out of the web client. It is recommended that you set the value between `0.1` and `1`.
The length of time until an administrator's session expires	`ADMIN_TOKEN_EXPIRY_TIME`	By default, the `TOKEN_EXPIRY_TIME` setting applies to all users. You can optionally set `ADMIN_TOKEN_EXPIRY_TIME` to override the `TOKEN_EXPIRY_TIME` setting for users with the Administer platform permission. Users with the Administer platform permission have elevated permissions on the platform. You can use the `ADMIN_TOKEN_EXPIRY_TIME` setting to limit the exposure of sensitive data by setting the `ADMIN_TOKEN_EXPIRY_TIME` lower than the `TOKEN_EXPIRY_TIME`. For example, set: `TOKEN_EXPIRY_TIME: "1"` to log regular users out after 1 hour of inactivity. `ADMIN_TOKEN_EXPIRY_TIME: ".25"` to log a user with the Administer platform permission out after 15 minutes of inactivity.
The maximum length of a user's session	`TOKEN_REFRESH_PERIOD`	When a session is created, Cloud Pak for Data generates a session token. The token is valid for the length of time specified by the `TOKEN_EXPIRY_TIME` parameter. While the token is valid, the session token can be renewed. However, the session token can only be renewed within the timeframe specified by the `TOKEN_REFRESH_PERIOD` parameter. The default is 12 hours. It is recommended that you set the value between `1` and `24`. If you don't want to allow users to extend their sessions, set the value of the `TOKEN_REFRESH_PERIOD` parameter to a value less than the value of the `TOKEN_EXPIRY_TIME` parameter.
The maximum length of an administrator's session	`ADMIN_TOKEN_REFRESH_PERIOD`	By default, the `TOKEN_REFRESH_PERIOD` setting applies to all users. You can optionally set the `ADMIN_TOKEN_REFRESH_PERIOD` to override the `TOKEN_REFRESH_PERIOD` setting for users with the Administer platform permission. Users with the Administer platform permission have elevated permissions on the platform. You can use the `ADMIN_TOKEN_REFRESH_PERIOD` setting to limit the exposure of sensitive data by setting the `ADMIN_TOKEN_REFRESH_PERIOD` lower than the `TOKEN_REFRESH_PERIOD`.

Use the following examples to understand how these settings work:

Sample configuration 1

In this configuration, the same settings are applied to all users.

TOKEN_EXPIRY_TIME: "0.5"
TOKEN_REFRESH_PERIOD: "2"

When a user logs in at 8:00 AM, Cloud Pak for Data generates a session token.

If the user is not active in the web client between 8:00 and 8:30 AM, the session expires and the user is logged out.
If the user stops using the web client at 8:10 AM and attempts to use the web client again at 8:41 AM, the user must re-authenticate to the web client because their session expired.
If the user remains active in the web client, Cloud Pak for Data will automatically refresh the user's token every 30 minutes until 10:00 AM. The user's session will last until 10:30 AM. After 10:30 AM, the user must re-authenticate.

Sample configuration 2

In this configuration, more restrictive settings are applied to users with the Administer platform permission.

TOKEN_EXPIRY_TIME: "0.5"
ADMIN_TOKEN_EXPIRY_TIME: "0.25"
TOKEN_REFRESH_PERIOD: "2"
ADMIN_TOKEN_REFRESH_PERIOD: "0.1"

When a user without the Administer platform permission logs in at 8:00 AM, Cloud Pak for Data generates a session token.

If the user is not active in the web client between 8:00 and 8:30 AM, the session expires and the user is logged out.
If the user stops using the web client at 8:10 AM and attempts to use the web client again at 8:41 AM, the user must re-authenticate to the web client because their session expired.
If the user remains active in the web client, Cloud Pak for Data will automatically refresh the user's token every 30 minutes until 10:00 AM. The user's session will last until 10:30 AM. After 10:30 AM, the user must re-authenticate.

When a user with the Administer platform permission logs in at 8:00 AM, Cloud Pak for Data generates a session token. The user's session will automatically expire at 8:15 AM even if the user is active in the web client.

Procedure

Log in to Red Hat OpenShift Container Platform as a user with sufficient permissions to complete the task.
```
${OC_LOGIN}
```
To change the TOKEN_EXPIRY_TIME setting:
1. Set the USER_EXPIRY_TIME environment value to the length of time, in hours, until the session expires. Use a decimal, such as 0.5 to specify a fraction of an hour.
```
export USER_EXPIRY_TIME=<time-in-hours>
```
2. Set the TOKEN_EXPIRY_TIME parameter in the product-configmap ConfigMap:
```
oc patch configmap product-configmap \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
--type=merge \
--patch="{\"data\": {\"TOKEN_EXPIRY_TIME\": \"${USER_EXPIRY_TIME}\"}}"
```
To change the ADMIN_TOKEN_EXPIRY_TIME setting:
1. Set the ADMIN_EXPIRY_TIME environment value to the length of time, in hours, until the session expires. Use a decimal, such as 0.5 to specify a fraction of an hour.
```
export ADMIN_EXPIRY_TIME=<time-in-hours>
```
2. Set the ADMIN_TOKEN_EXPIRY_TIME parameter in the product-configmap ConfigMap:
```
oc patch configmap product-configmap \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
--type=merge \
--patch="{\"data\": {\"ADMIN_TOKEN_EXPIRY_TIME\": \"${ADMIN_EXPIRY_TIME}\"}}"
```
To change the TOKEN_REFRESH_PERIOD setting:
1. Set the USER_REFRESH_PERIOD environment value to the length of time, in hours, that a user has to refresh their session. Use a decimal, such as 0.5 to specify a fraction of an hour.
```
export USER_REFRESH_PERIOD=<time-in-hours>
```
2. Set the TOKEN_REFRESH_PERIOD parameter in the product-configmap ConfigMap:
```
oc patch configmap product-configmap \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
--type=merge \
--patch="{\"data\": {\"TOKEN_REFRESH_PERIOD\": \"${USER_REFRESH_PERIOD}\"}}"
```
To change the ADMIN_TOKEN_REFRESH_PERIOD setting:
1. Set the ADMIN_REFRESH_PERIOD environment value to the length of time, in hours, that an administrator has to refresh their session. Use a decimal, such as 0.5 to specify a fraction of an hour.
```
export ADMIN_REFRESH_PERIOD=<time-in-hours>
```
2. Set the ADMIN_TOKEN_REFRESH_PERIOD parameter in the product-configmap ConfigMap:
```
oc patch configmap product-configmap \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
--type=merge \
--patch="{\"data\": {\"ADMIN_TOKEN_REFRESH_PERIOD\": \"${ADMIN_REFRESH_PERIOD}\"}}"
```

Restart the usermgmt pods for the changes to take effect:

oc delete pods \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
-l component=usermgmt