With my new fangled REST API Python scripts, I collect stats every 5 minutes for each machine electrical power Watts and Temperature plus Shared Storage Pool disk I/O.  Then I noted the the HMC "Manage Users and Tasks" shows 3000+ HMC sessions and growing a few every five minutes.  I add 5 and 5 and get "oops" so the REST API calls are creating sessions that are not closed or timing out.  Eventually your HMC will refuse further REST API calls - mine certainly did and it requires a reboot at that point.  You can't try Disconnect the session via the User Interface - it is actually a fun game to try - 3000 would take you about 3 hours!  I guess my HMC script guru could find a way using the HM CLI but it is best to not create ll these sessions in the first place.

Strategy 1: Reuse

1. When the Python script Logons on to the HMC, we can save the Session Token to a file - it is roughly 200 character so text long..
2. The next time the script runs it checks if there is a "token" files read the Session Token back in and uses it.
3. Trouble is the token should eventually time out (a few weeks time) so we have to test is works with a REST API call.
4. If it fails we should remove the token file - so we don't try that again.
5. Then perform a proper HMC Logon to get another fresh Session Token and save it.
6. It is getting a little complicated but workable.

Good news: we don't create 100's of sessions.

Bad news that token file is a security risk = allowing others to access the HMC without a user and password.

Strategy 2: Logoff

• Log off from the HMC once the stats gathering script finishes.  
• One slight wrinkle in that idea - The HMC REST API Logoff is not documented !!
• Some REST API geniuses might be able to guess how to do that - but that rules me out!
• The HMC guys agreed to add the documentation to KnowledgeCenter by that does take time and updating the documentation scheduled.

In the mean time, for Python programmers follow this below example. Curl programmers can work it out from here too.

The core is using the session token and the Logon URL (with no extra trimming like the username and password) and
use the DELETE request operation - it is a sort of a deleting the Logon request.

With REST API's we use GET, PUT and POST requests all the time. DELETE was new to me.

import sys

def disconnect(hmc, token):
    headers = {'X-API-Session' : token }
    url =  'https://'+hmc+':12443/rest/api/web/Logon'
    ret = requests.delete(url,headers=headers,verify=False)
    rcode = ret.status_code
    # REST API delete officially can respond with these three good values
    if rcode == 200 or rcode == 202 or rcode == 204:
        print("Successfully disconnected from the HMC")
        sys.exit(0)
    else:
        print("Logoff failed code=%d url=%s data=%s" %(rcode, url, ret.text))
        sys.exit(rcode)

The HMC actually returns 204 = "No Content"