Setting the token for Platform UI session timeout

You can adjust the session timeout for IBM Cloud Pak® for Integration in accordance with your security and compliance requirements. If a user leaves their session idle in a web browser for the specified length of time, the user is automatically logged out of the web client.

Required permissions

To complete this task, you must have one of the following roles:

  • Red Hat® OpenShift® cluster administrator

  • Red Hat OpenShift project administrator on the project where Cloud Pak for Integration is installed

About this task

By default, Cloud Pak for Integration logs users out after 12 hours. You can edit the product-configmap to adjust the following parameters:

TOKEN_EXPIRY_TIME

  Default value: 12 (hours)

  Description: The length of time until a user's session expires

  Optimal value: Setting the value between 0.1 and 1 provides a good balance between security and user experience.

  Details: If you set TOKEN_EXPIRY_TIME: "1", a user's session expires after one hour of inactivity. If you set TOKEN_EXPIRY_TIME: "0.5", a user's session expires after 30 minutes of inactivity. When the user leaves their session idle for the specified length of time, they are automatically logged out of the web client.

TOKEN_REFRESH_PERIOD

  Default value: 12 (hours)

  Description: The length of time that a user has to refresh their session

  Optimal value: Setting the value between 1 and 24 provides a good balance between security and user experience.

  Details: If you set TOKEN_REFRESH_PERIOD: "1" and the user's session does not expire, their session is automatically refreshed during this 60 minute period. The session is extended based on the value that is set for the TOKEN_EXPIRY_TIME parameter. However, after the token refresh period passes, the user must log back into the web client when their current session expires.

  Tip: If you want to prevent users from extending their sessions, set the value of the TOKEN_REFRESH_PERIOD parameter to a value less than the value of the TOKEN_EXPIRY_TIME parameter.

For example, as an administrator, you can configure:

TOKEN_EXPIRY_TIME: "0.5"
TOKEN_REFRESH_PERIOD: "2"

With this configuration, the user must be active in the web session within 30 minutes for their token to be refreshed. For example, if a user starts work at 8 AM and logs in to the web client, they must log in by 8:30 AM if they stop at any time during that time period.

  • If the user stops using the web client at 8:10 and attempts to use the web client again at 8:41, the user must reauthenticate to the web client, because their session expired.

  • If the user remains active in their session and their token refreshes at 9:59 AM, their session will last until 10:29 AM. However, when the session expires at 10:29, the user must reauthenticate to the web client because they have already used their two refresh periods.

Procedure

  1. Log in to your OpenShift cluster:

    oc login OpenShift_URL:port

  2. Select the project where Cloud Pak for Integration is deployed:

    oc project ${PROJECT_CPD_INSTANCE}

  3. Edit the product-configmap:

    oc edit configmap product-configmap

  4. Add an entry for the TOKEN_EXPIRY_TIME parameter to the data section of the product-configmap file. For example:

    data:
      ...
      TOKEN_EXPIRY_TIME: "1"
      ...

  5. Add an entry for the TOKEN_REFRESH_PERIOD parameter to the data section of the product-configmap file. For example:

    data:
      ...
      TOKEN_REFRESH_PERIOD: "1"
      ...

  6. Save your changes to the product-configmap file. For example, if you are using vi, press esc and enter :wq.

  7. You must restart the usermgmt pods so that the changes take effect. To restart the pods, run:

    oc delete pod -l component=usermgmt
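
The following script is an added example, not part of the product documentation: a non-interactive version of steps 3 to 7 that checks both values against the ranges suggested above before patching the configmap. It assumes you are already logged in with the correct project selected (steps 1 and 2); the function names and the use of oc patch in place of oc edit are choices made for this example.

```shell
#!/bin/sh
# Added example: review TOKEN_EXPIRY_TIME / TOKEN_REFRESH_PERIOD, then apply them.
# Function names are hypothetical; ranges are the suggested ones from this page.

# lt A B -> succeeds when A < B (decimal comparison through awk)
lt() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 < b + 0) }'; }

# in_range V LO HI -> succeeds when LO <= V <= HI
in_range() { ! lt "$1" "$2" && ! lt "$3" "$1"; }

# is_hours V -> succeeds when V is a positive decimal number such as 0.5 or 12
is_hours() {
  case "$1" in ''|.|*[!0-9.]*|*.*.*) return 1 ;; esac
  lt 0 "$1"
}

# review_timeouts EXPIRY REFRESH -> prints warnings and notes; fails on bad input
review_timeouts() {
  is_hours "$1" && is_hours "$2" ||
    { echo "invalid: both values must be positive numbers of hours"; return 1; }
  in_range "$1" 0.1 1 ||
    echo "warn: TOKEN_EXPIRY_TIME=$1 is outside the suggested 0.1-1 range"
  in_range "$2" 1 24 ||
    echo "warn: TOKEN_REFRESH_PERIOD=$2 is outside the suggested 1-24 range"
  lt "$2" "$1" &&
    echo "note: refresh period is shorter than expiry time, so sessions cannot be extended"
  return 0
}

# patch_json EXPIRY REFRESH -> merge patch; configmap values must be strings
patch_json() {
  printf '{"data":{"TOKEN_EXPIRY_TIME":"%s","TOKEN_REFRESH_PERIOD":"%s"}}' "$1" "$2"
}

# apply_timeouts EXPIRY REFRESH -> patch, read back, restart the usermgmt pods
apply_timeouts() {
  review_timeouts "$1" "$2" || return 1
  oc patch configmap product-configmap --type merge -p "$(patch_json "$1" "$2")" || return 1
  oc get configmap product-configmap \
    -o jsonpath='{.data.TOKEN_EXPIRY_TIME}{" "}{.data.TOKEN_REFRESH_PERIOD}{"\n"}'
  oc delete pod -l component=usermgmt
}

# Usage: sh set-timeouts.sh apply 0.5 2   (the script file name is an assumption)
if [ "${1:-}" = "apply" ]; then
  apply_timeouts "$2" "$3"
fi
```

Warnings do not block the change, because the ranges are suggestions rather than limits; only non-numeric or non-positive input stops the patch.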