When you start the Cloud APM console, an LTPA (Lightweight Third-Party Authentication) token and an OIDC (OpenID Connect) ID token are granted during the logon process. The LTPA token has a default expiration timeout of 200 minutes, after which you are automatically logged off. You can adjust the timeout value to accommodate your work requirements.
Before you begin
The OIDC ID token has an expiration of 120 minutes, after which you are presented with the login page. The expiration time of the LTPA token is configurable, but the expiration time of the OIDC ID token is not configurable, which has the following implications:
- If OIDC is enabled for Cloud APM, which is the default behavior, setting the LTPA token expiration to a value greater than 120 minutes has no effect, since that is when the OIDC ID token expires and console users are presented with the login page. Thus, when OIDC is enabled, you can configure the console to time out before the OIDC ID token expires by setting the LTPA token expiration to a value below 120 minutes.
- You can disable OIDC so that you can extend the console timeout. Complete the steps in Disabling OpenID Connect authentication for the Cloud APM console, followed by step 9 (specify the domain name of the Cloud APM server for the ssoDomainNames attribute) through step 13 of Enabling single sign-on between Cloud APM and Tivoli Common Reporting. You can perform these steps even if you are not integrating with another product such as Tivoli Common Reporting or Dashboard Application Services Hub.
Note: You must install the Cloud APM server V8.1.4.0 interim fix 9 or later if you perform this procedure so that the timeout value in the user-exit.xml files is used. (The user-exit.xml file is an override file for server.xml.) You can install the interim fix either before or after performing the procedure. You can download the interim fix for Cloud APM server V8.1.4 from IBM Fix Central.
Procedure
Complete these steps on the system where the Cloud APM server is installed to change the LTPA token expiration and httpSession values in the user-exit.xml files:
1. Open the install_dir/wlp/usr/servers/apmui/user-exit.xml file in a text editor.
2. If the <ltpa expiration> xml element does not exist in the user-exit.xml file, copy this element from server.xml to user-exit.xml.
3. Edit the <ltpa expiration="200m" /> parameter and change the LTPA expiration value to a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, "8h" specifies 8 hours. The maximum value supported for the timeout is 35,791 minutes (m) or 596 hours (h), which is about 24 days. Use lower case "h" or "m". If you use a capital letter (such as "H") or a different letter (such as "d"), your connection will be dropped by the Liberty component of the Cloud APM server without warning.
4. Remove the <ltpa> xml element from the install_dir/wlp/usr/servers/apmui/server.xml file.
5. Open the install_dir/wlp/usr/servers/uview/user-exit.xml file in a text editor.
   a. Add the <ltpa expiration> xml element if it does not exist, and set the value to match the expiration value in the install_dir/wlp/usr/servers/apmui/user-exit.xml file (step 3).
   b. Add the <authCache> xml element below if it does not exist and set the timeout attribute to the same value as the LTPA expiration time from step 5a. For example:
      <authCache timeout="300m"/>
   c. Add the <httpSession> xml element below if it does not exist, and set the invalidationTimeout attribute to the same value as the LTPA expiration time from step 5a. For example:
      <httpSession invalidateOnUnauthorizedSessionRequestException="true" cookieSecure="true" invalidationTimeout="300m" />
6. Remove the <ltpa>, <authCache>, and <httpSession> xml elements from the install_dir/wlp/usr/servers/uview/server.xml file.
7. Save and close both user-exit.xml files.
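Because a wrong unit letter causes Liberty to drop the connection without warning, and because the apmui and uview timeouts must agree, it helps to check the edited files before restarting the server. The following script is an added example, not IBM's code: it validates that every timeout value is a positive integer with a lowercase h or m suffix and within the stated 35,791-minute maximum, checks that the apmui ltpa expiration, the uview ltpa expiration, the uview authCache timeout and the uview httpSession invalidationTimeout all match, and flags values above 120 minutes when OIDC is still enabled. The two XML fragments are constructed samples that stand in for the real user-exit.xml files; the oidc_enabled flag is an assumption you supply, since the files themselves do not record it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples standing in for the edited user-exit.xml files (not copied from an install)
APMUI_USER_EXIT = """<server>
  <ltpa expiration="300m"/>
</server>"""

UVIEW_USER_EXIT = """<server>
  <ltpa expiration="300m"/>
  <authCache timeout="300m"/>
  <httpSession invalidateOnUnauthorizedSessionRequestException="true"
               cookieSecure="true" invalidationTimeout="300m"/>
</server>"""

MAX_MINUTES = 35791          # maximum supported timeout stated in the procedure (596h)
OIDC_ID_TOKEN_MINUTES = 120  # OIDC ID token lifetime; not configurable
DURATION_RE = re.compile(r"^(\d+)([hm])$")  # lowercase h or m only


def parse_duration(value):
    """Return the timeout in minutes for a valid '<int>h' or '<int>m' value.

    Raises ValueError for anything Liberty would reject (uppercase unit, 'd',
    zero, over the maximum), so a bad value is caught before the restart.
    """
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"invalid duration {value!r}: use a positive integer with lowercase h or m")
    n, unit = int(m.group(1)), m.group(2)
    if n <= 0:
        raise ValueError(f"invalid duration {value!r}: must be a positive integer")
    minutes = n * 60 if unit == "h" else n
    if minutes > MAX_MINUTES:
        raise ValueError(f"duration {value!r} exceeds the {MAX_MINUTES}m maximum")
    return minutes


def _attr(root, tag, attr):
    """Return the attribute of the first direct child <tag>, or None if absent."""
    el = root.find(tag)
    return None if el is None else el.get(attr)


def check_user_exits(apmui_xml, uview_xml, oidc_enabled=True):
    """Return a list of problems with the two user-exit.xml files; [] means consistent."""
    problems = []
    apmui = ET.fromstring(apmui_xml)
    uview = ET.fromstring(uview_xml)
    # Every timeout the procedure asks for, keyed as file/element@attribute
    required = [
        ("apmui", apmui, "ltpa", "expiration"),
        ("uview", uview, "ltpa", "expiration"),
        ("uview", uview, "authCache", "timeout"),
        ("uview", uview, "httpSession", "invalidationTimeout"),
    ]
    minutes = {}
    for name, root, tag, attr in required:
        key = f"{name}/{tag}@{attr}"
        value = _attr(root, tag, attr)
        if value is None:
            problems.append(f"{key} is missing")
            continue
        try:
            minutes[key] = parse_duration(value)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    # Steps 5a-5c require all four values to be the same timeout
    if len(set(minutes.values())) > 1:
        detail = ", ".join(f"{k}={v}m" for k, v in sorted(minutes.items()))
        problems.append(f"timeouts differ: {detail}")
    # With OIDC enabled, anything above the ID token lifetime has no effect
    if oidc_enabled and minutes and max(minutes.values()) > OIDC_ID_TOKEN_MINUTES:
        problems.append(
            f"OIDC is enabled: values above {OIDC_ID_TOKEN_MINUTES}m have no effect "
            "because the OIDC ID token expires first")
    return problems


if __name__ == "__main__":
    for problem in check_user_exits(APMUI_USER_EXIT, UVIEW_USER_EXIT, oidc_enabled=True):
        print("WARN:", problem)
```

Run it against the real files by reading each user-exit.xml into the two string arguments; an empty result means the four timeouts are present, valid and equal.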
Results
The next time users log in to the Cloud APM server, they are logged out after the timeout period has passed.