Adjusting the console timeout value

When you start the Cloud APM console, an LTPA (Lightweight Third-Party Authentication) token and an OIDC (OpenID Connect) ID token are granted during the logon process. The LTPA token has a default expiration timeout of 200 minutes after which you are automatically logged off. You can adjust the timeout value to accommodate your work requirements.

Before you begin

The OIDC ID token has an expiration of 120 minutes after which you are presented with the login page. The expiration time of the LTPA token is configurable but the expiration time of the OIDC ID token is not configurable, which has the following implications:
  • If OIDC is enabled for Cloud APM, which is the default behavior, setting the LTPA token expiration to a value greater than 120 minutes has no effect since that is when the OIDC ID token expires and console users are presented with the login page. Thus, when OIDC is enabled, you can configure the console to time out before the OIDC ID token expires by setting the LTPA token expiration to a value below 120 minutes.
  • You can disable OIDC so that you can extend the console timeout. Complete the steps in Disabling OpenID Connect authentication for the Cloud APM console followed by step 9 (specify the domain name of the Cloud APM server for the ssoDomainNames attribute) through step 13 of Enabling single sign-on between Cloud APM and Tivoli Common Reporting. You can perform these steps even if you are not integrating with another product such as Tivoli Common Reporting or Dashboard Application Services Hub.
Note: You must install the Cloud APM server V8.1.4.0 interim fix 9 or later if you perform this procedure so that the timeout value in the user-exit.xml files is used. (The user-exit.xml file is an override file for server.xml.) You can install the interim fix either before or after performing the procedure. You can download the interim fix for Cloud APM server V8.1.4 from IBM Fix Central.

Procedure

Complete these steps on the system where the Cloud APM server is installed to change the LTPA token expiration and httpSession values in the user-exit.xml files:

  1. Open the install_dir/wlp/usr/servers/apmui/user-exit.xml file in a text editor.
  2. If the <ltpa expiration> XML element does not exist in the user-exit.xml file, copy this element from server.xml to user-exit.xml.
  3. Edit the <ltpa expiration="200m" /> parameter and change the LTPA expiration value to a positive integer followed by a unit of time, which can be hours (h) or minutes (m).
    For example, "8h" specifies 8 hours.
    The maximum value supported for the timeout is 35,791 minutes (m) or 596 hours (h), which is about 24 days. Use lowercase "h" or "m". If you use a capital letter (such as "H") or a different letter (such as "d"), your connection will be dropped by the Liberty component of the Cloud APM server without warning.
  4. Remove the <ltpa> XML element from the install_dir/wlp/usr/servers/apmui/server.xml file.
  5. Open the install_dir/wlp/usr/servers/uview/user-exit.xml file in a text editor.
    1. Add the <ltpa expiration> XML element if it does not exist, and set the value to match the expiration value in the install_dir/wlp/usr/servers/apmui/user-exit.xml file (step 3).
    2. Add the <authCache> XML element below if it does not exist, and set the timeout attribute to the same value as the LTPA expiration time from step 5a. For example:
      <authCache timeout="300m"/>
    3. Add the <httpSession> XML element below if it does not exist, and set the invalidationTimeout attribute to the same value as the LTPA expiration time from step 5a.
      For example: <httpSession invalidateOnUnauthorizedSessionRequestException="true" cookieSecure="true" invalidationTimeout="300m" />
  6. Remove the <ltpa>, <authCache>, and <httpSession> XML elements from the install_dir/wlp/usr/servers/uview/server.xml file.
  7. Save and close both user-exit.xml files.
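
A way to check the two edited user-exit.xml files before restarting, given here as an added example that is not part of the product or its documentation. The function names are hypothetical, the file contents are passed in as strings, and values are compared as durations, so "5h" is treated as matching "300m" (an assumption of this check).

```python
import re
import xml.etree.ElementTree as ET

MAX_MINUTES = 35791          # maximum timeout stated in step 3
OIDC_ID_TOKEN_MINUTES = 120  # fixed OIDC ID token lifetime

def to_minutes(value):
    """Convert '8h' or '300m' to minutes; reject anything step 3 disallows."""
    m = re.fullmatch(r"([1-9][0-9]*)([hm])", value or "")
    if not m:
        raise ValueError(f"{value!r}: need a positive integer followed by lowercase h or m")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > MAX_MINUTES:
        raise ValueError(f"{value!r}: exceeds the {MAX_MINUTES}-minute maximum")
    return minutes

def attr(xml_text, element, attribute):
    """Return the attribute of the first matching element, or None if absent."""
    node = next(ET.fromstring(xml_text).iter(element), None)
    return None if node is None else node.get(attribute)

def check_timeouts(apmui_xml, uview_xml, oidc_enabled=True):
    """Return a list of findings; an empty list means the files agree."""
    settings = {
        "apmui ltpa expiration": attr(apmui_xml, "ltpa", "expiration"),
        "uview ltpa expiration": attr(uview_xml, "ltpa", "expiration"),
        "uview authCache timeout": attr(uview_xml, "authCache", "timeout"),
        "uview httpSession invalidationTimeout": attr(uview_xml, "httpSession", "invalidationTimeout"),
    }
    findings, minutes = [], {}
    for name, value in settings.items():
        try:
            minutes[name] = to_minutes(value)
        except ValueError as err:
            findings.append(f"{name}: {err}")
    if len(set(minutes.values())) > 1:
        findings.append(f"values differ: {minutes}")
    if oidc_enabled and any(v > OIDC_ID_TOKEN_MINUTES for v in minutes.values()):
        findings.append("value above 120m has no effect while OIDC is enabled")
    return findings

# Constructed sample files (not taken from a real installation).
APMUI = '<server><ltpa expiration="300m"/></server>'
UVIEW = ('<server><ltpa expiration="5h"/><authCache timeout="300m"/>'
         '<httpSession cookieSecure="true" invalidationTimeout="300M"/></server>')

if __name__ == "__main__":
    for finding in check_timeouts(APMUI, UVIEW, oidc_enabled=False):
        print(finding)
```

With the constructed sample, the only finding is the capital "M" in the invalidationTimeout attribute.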

Results

The next time users log in to the Cloud APM server, they are logged out after the timeout period has passed.