Configuring authentication session timeout

Various settings are required in order to change the default timeout behavior for authentication sessions.

About this task

Depending on which application server you use (WebSphere® Application Server or WebSphere Application Server Liberty Profile) and the IBM® Engineering Lifecycle Management (ELM) products you have installed, there are multiple configuration options that must be set in order to control the timeout behavior.

Note: The following values are just examples and must be changed according to your organization's security policy.

Container authentication (without the use of Jazz Authorization Server/OpenID Connect)

About this task

For this task, both the LTPA token timeout in the application server and the OAuth access token timeout in the application (JTS, CCM, and QM only) must be set to the same value. The default value for LTPA token timeout is 2 hours (120 minutes).

Procedure

  1. For WebSphere Application Server Liberty Profile:
    1. Go to Jazz_Install_Dir/server/liberty/servers/clm and open the server.xml file for editing.
    2. Add the following line under the <server> element to set the timeout to one hour:
      <ltpa expiration="60m"/>
    3. Save and close the server.xml file.
  2. For WebSphere Application Server:
    1. Log in to the WebSphere Application Server Integrated Solutions Console.
    2. Go to Security > Global security.
    3. Under Authentication, click LTPA.
    4. Under LTPA timeout, set the value of LTPA timeout value for forwarded credentials between servers to 60 minutes.
    5. Click OK and save your configurations.
    6. In Global security, click Authentication cache settings and ensure that the Cache timeout value is less than the LTPA timeout you set in the previous step. (The default value is 10 minutes.)
  3. To set the OAuth access token timeout for JTS, CCM, and QM applications:
    1. Log in to Jazz Team Server as an administrator and click Server > Advanced Properties. (For applications, click Application > Advanced Properties.)
    2. Search for com.ibm.team.repository.service.internal.oauth.OAuthServiceProvider and set the OAuth access token timeout (in seconds) value to the same value you set in your application server for LTPA timeout. For example, 3600 seconds for 60 minutes. (The default value is 21600 seconds for 6 hours.)
      Note: This property can also be added to the teamserver.properties file as com.ibm.team.repository.oauth.accessToken.timeout

OpenID Connect authentication by using Jazz Authorization Server

About this task

For Jazz Authorization Server, you must set both LTPA token timeout and OIDC access token lifetime to the same value. (The default value is two hours.)

Procedure

  1. Go to JazzAuthServer/wlp/usr/servers/jazzop and open the appConfig.xml file for editing.
  2. Change the value of the expiration attribute in the <ltpa> element to 60m.
  3. Change the value of the accessTokenLifetime attribute in the <oauthProvider> element to the same value.
  4. Save and close the appConfig.xml file.
  5. To change the SSO application session timeout for all JAF-based applications (except for LDX, LQE, and report builder), log in to Jazz Team Server as an administrator and click Server > Advanced Properties. (For applications, click Application > Advanced Properties.)
  6. Search for com.ibm.team.repository.servlet.internal.oidc.JsaService and set the SSO Application Session Timeout value to the same value as the LTPA timeout. For example, 3600 seconds for 60 minutes. (The default value is 7200 seconds for 2 hours.)
    Note: This property can also be added to the teamserver.properties file as com.ibm.team.repository.server.sso.sessiontimeout
  7. To set the OAuth access token timeout for JTS, CCM, and QM applications:
    1. Log in to Jazz Team Server as an administrator and click Server > Advanced Properties. (For applications, click Application > Advanced Properties.)
    2. Search for com.ibm.team.repository.service.internal.oauth.OAuthServiceProvider and set the OAuth access token timeout (in seconds) value to the same value you set in your application server for LTPA timeout. For example, 3600 seconds for 60 minutes. (The default value is 21600 seconds for 6 hours.)
      Note: This property can also be added to the teamserver.properties file as com.ibm.team.repository.oauth.accessToken.timeout
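
A consistency check for the settings in both procedures above, as an added example that is not part of the original documentation: it reads the <ltpa> and <oauthProvider> attributes from a Liberty configuration file and the two timeout properties from teamserver.properties, converts everything to seconds, and reports any value that differs from the LTPA timeout. The sample file contents and the function names are constructed for illustration, durations are assumed to carry an explicit h, m, or s unit as in the 60m example, and values set only through Advanced Properties are not visible to it.

```python
import re
import xml.etree.ElementTree as ET

UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
PROPERTY_KEYS = (  # teamserver.properties keys named on this page (seconds)
    "com.ibm.team.repository.oauth.accessToken.timeout",
    "com.ibm.team.repository.server.sso.sessiontimeout",
)
# Constructed sample inputs, not taken from a real installation.
SAMPLE_XML = """<server>
  <ltpa expiration="60m"/>
  <oauthProvider id="constructedProvider" accessTokenLifetime="2h"/>
</server>"""
SAMPLE_PROPS = """# constructed sample
com.ibm.team.repository.oauth.accessToken.timeout=3600
com.ibm.team.repository.server.sso.sessiontimeout=7200
"""

def duration_seconds(value):
    """Convert a duration such as '60m' or '1h30m' to seconds (unit required)."""
    value = value.strip()
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def collect_timeouts(xml_text, props_text):
    """Return every timeout found in the two files, in seconds."""
    found = {}
    root = ET.fromstring(xml_text)
    for tag, attr in (("ltpa", "expiration"), ("oauthProvider", "accessTokenLifetime")):
        for element in root.iter(tag):
            if element.get(attr):
                found[f"{tag} {attr}"] = duration_seconds(element.get(attr))
    for line in props_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() in PROPERTY_KEYS:
            found[key.strip()] = int(val.strip())
    return found

def mismatches(xml_text, props_text):
    """Return the settings whose value differs from the LTPA timeout."""
    found = collect_timeouts(xml_text, props_text)
    ltpa = found.get("ltpa expiration", 7200)  # page: default is two hours
    return {name: secs for name, secs in found.items() if secs != ltpa}

if __name__ == "__main__":
    for name, secs in mismatches(SAMPLE_XML, SAMPLE_PROPS).items():
        print(f"MISMATCH {name}: {secs}s")
```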