Configuring authentication session timeout

Various settings are required in order to change the default timeout behavior for authentication sessions.

About this task

Depending on which application server you use (WebSphere® Application Server or WebSphere Liberty) and the IBM® Engineering Lifecycle Management (ELM) products you have installed, there are multiple configuration options that must be set in order to control the timeout behavior.

Note: The following values are just examples and must be changed according to your organization's security policy.

Container authentication (without the use of Jazz Authorization Server /OpenID Connect

About this task

For this task, both the LTPA token timeout in the application server and the OAuth access token timeout in the application (JTS, CCM, and QM only) must be set to the same value. The default value for LTPA token timeout is 2 hours (120 minutes).

Procedure

  1. For WebSphere Liberty:
    1. Go to Jazz_Install_Dir/server/liberty/servers/clm and open server.xml file for editing.
    2. Add the following line under the <server> element to set the timeout to one hour:
      <ltpa expiration="60m"/>
    3. Save and close the server.xml file.
  2. To set the OAuth access token timeout for JTS, CCM, and QM applications:
    1. Login to Jazz Team Server as an administrator and click Server > Advanced Properties. (For applications, click Application > Advanced Properties.)
    2. Search for com.ibm.team.repository.service.internal.oauth.OAuthServiceProvider and set the OAuth access token timeout (in seconds) value to the same value you set in your application server for LTPA timeout. For example, 3600 seconds for 60 minutes. (The default value is 21600 seconds for 6 hours.)
      Note: This property can also be added to the teamserver.properties file as com.ibm.team.repository.oauth.accessToken.timeout

OpenID Connect authentication by using Jazz Authorization Server

About this task

For Jazz Authorization Server , you must set both LTPA token timeout and OIDC access token lifetime to the same value. (The default value is two hours.)

Procedure

  1. Go to JazzAuthServer/wlp/usr/servers/jazzop and open the appConfig.xml file for editing.
  2. Change the value of the access TokenLifetime attribute in the <oauthProvider> element to the same value.
  3. Save and close the appConfig.xml file.
  4. To change the SSO application session timeout for a JAF-based application (except for LDX, LQE, and report builder), login to that application as an administrator and, click Application > Advanced Properties.
    Note: You need to repeat this step of other JAF-based applications for which you want to update the session timeout.
  5. Search for com.ibm.team.repository.servlet.internal.oidc.JsaService and set the SSO Application Session Timeout value to the same value as the LTPA timeout. For example, 3600 seconds for 60 minutes. (The default value is 7200 seconds for 2 hours.)
    Note: This property can also be added to the teamserver.properties file as com.ibm.team.repository.server.sso.sessiontimeout
  6. To set the OAuth access token timeout for JTS, CCM, and QM applications:
    1. Login to Jazz Team Server as an administrator and click Server > Advanced Properties. (For applications, click Application > Advanced Properties.)
    2. Search for com.ibm.team.repository.service.internal.oauth.OAuthServiceProvider and set the OAuth access token timeout (in seconds) value to the same value you set in your application server for LTPA timeout. For example, 3600 seconds for 60 minutes. (The default value is 21600 seconds for 6 hours.)
      Note: This property can also be added to the teamserver.properties file as com.ibm.team.repository.oauth.accessToken.timeout