Setting the idle session timeout

You can adjust the idle session timeout for IBM Cloud Pak® for Data in accordance with your security and compliance requirements. If a user leaves their session idle in a web browser for the specified length of time, the user is automatically logged out of the web client.

Before you begin

Required permissions
To complete this task, you must have one of the following roles:
  • Red Hat® OpenShift® cluster administrator
  • Red Hat OpenShift project administrator on the project where Cloud Pak for Data is installed

About this task

By default, Cloud Pak for Data logs users out after 12 hours. You can edit the Cloud Pak for Data product-configmap to adjust:
The length of time until a user's session expires (TOKEN_EXPIRY_TIME).
The default is 12 hours.

If you set TOKEN_EXPIRY_TIME: "1", a user's session will expire after 1 hour of inactivity. If you set TOKEN_EXPIRY_TIME: "0.5", a user's session will expire after 30 minutes of inactivity. When the user leaves their session idle for the specified length of time, the user is automatically logged out of the web client.

It is recommended that you set the value between 0.1 and 1.

The length of time that a user has to refresh their session (TOKEN_REFRESH_PERIOD).
The default is 12 hours.

If you set TOKEN_REFRESH_PERIOD: "1" and the user's session does not expire, the user's session is automatically refreshed during this 60-minute period. The session is extended based on the value that is set for the TOKEN_EXPIRY_TIME parameter. However, after the token refresh period passes, the user must log back in to the web client when their current session expires.

It is recommended that you set the value between 1 and 24.

If you don't want to allow users to extend their sessions, set the value of the TOKEN_REFRESH_PERIOD parameter to a value less than the value of the TOKEN_EXPIRY_TIME parameter.

For example, as an administrator, you configure:

TOKEN_EXPIRY_TIME: "0.5"
TOKEN_REFRESH_PERIOD: "2"

If a user starts work at 8 AM and logs in to the web client, the user must be active in the web session within 30 minutes for their token to be refreshed:
  • If the user stops using the web client at 8:10 AM and does not attempt to use the web client again until 8:41 AM, the user must re-authenticate to the web client because their session expired.
  • If the user remains active in their session and their token refreshes at 9:59 AM, their session will last until 10:29 AM. However, when the session expires at 10:29, the user must re-authenticate to the web client because the token refresh period expired.

Procedure

  1. Log in to your OpenShift cluster:
    oc login OpenShift_URL:port
  2. Change to the project where Cloud Pak for Data is deployed:
    oc project ${PROJECT_CPD_INSTANCE}
  3. Run the following command to edit the Cloud Pak for Data product-configmap:
    oc edit configmap product-configmap
  4. Add an entry for the TOKEN_EXPIRY_TIME parameter to the data section of the product-configmap file. For example:
    data:
      ...
      TOKEN_EXPIRY_TIME: "1"
      ...
  5. Add an entry for the TOKEN_REFRESH_PERIOD parameter to the data section of the product-configmap file. For example:
    data:
      ...
      TOKEN_REFRESH_PERIOD: "1"
      ...
  6. Save your changes to the product-configmap file.

    For example, if you are using vi, press Esc and enter:

    :wq
  7. You must restart the usermgmt pods for the changes to take effect. To restart the pods, run the following command:
    oc delete pod -l component=usermgmt
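
A non-interactive alternative to steps 3 to 7, added here as an example that is not part of the original IBM procedure: it checks both values against the ranges recommended above, flags a configuration in which users cannot extend their sessions, and applies the change with oc patch instead of oc edit. The function names are hypothetical, and it assumes that you are already logged in and in the Cloud Pak for Data project (steps 1 and 2).

```shell
#!/bin/sh
# Added example (not IBM's own tooling): review and apply the two session
# parameters from this page without opening an editor.

# is_number VALUE: succeeds when VALUE is a non-negative decimal number of hours.
is_number() { printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)?$'; }

# in_range VALUE MIN MAX: succeeds when VALUE is numeric and MIN <= VALUE <= MAX.
in_range() {
  is_number "$1" &&
    awk -v v="$1" -v lo="$2" -v hi="$3" 'BEGIN { exit !(v+0 >= lo+0 && v+0 <= hi+0) }'
}

# review_session_values EXPIRY REFRESH: succeeds when both values fall inside the
# ranges this page recommends (0.1-1 for expiry, 1-24 for refresh).
review_session_values() {
  _rc=0
  in_range "$1" 0.1 1 ||
    { echo "TOKEN_EXPIRY_TIME=$1 is outside the recommended 0.1-1" >&2; _rc=1; }
  in_range "$2" 1 24 ||
    { echo "TOKEN_REFRESH_PERIOD=$2 is outside the recommended 1-24" >&2; _rc=1; }
  return "$_rc"
}

# extension_disabled EXPIRY REFRESH: succeeds when REFRESH < EXPIRY, the setting
# this page describes for not allowing users to extend their sessions.
extension_disabled() {
  is_number "$1" && is_number "$2" &&
    awk -v e="$1" -v r="$2" 'BEGIN { exit !(r+0 < e+0) }'
}

# build_patch EXPIRY REFRESH: JSON merge patch for the data section of the configmap.
build_patch() {
  printf '{"data":{"TOKEN_EXPIRY_TIME":"%s","TOKEN_REFRESH_PERIOD":"%s"}}' "$1" "$2"
}

# apply_session_values EXPIRY REFRESH: patch product-configmap, then restart the
# usermgmt pods so the change takes effect (step 7 of the procedure).
apply_session_values() {
  is_number "$1" && is_number "$2" ||
    { echo "both values must be numbers of hours" >&2; return 2; }
  review_session_values "$1" "$2" ||
    echo "warning: applying values outside the recommended ranges" >&2
  extension_disabled "$1" "$2" &&
    echo "note: users will not be able to extend their sessions" >&2
  oc patch configmap product-configmap --type merge -p "$(build_patch "$1" "$2")" &&
    oc delete pod -l component=usermgmt
}

# Usage: apply_session_values 0.5 2
```

The review step also reports the 12-hour default for TOKEN_EXPIRY_TIME as outside the recommended range, which makes it usable as a quick audit of an existing deployment.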