000015952 - AxM - What Are The Maximum Values For 'agent.session_lifetime' and 'agent.idle_timeout'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015952
Applies To: RSA Access Manager/ClearTrust Agents 4.x, 3.x
RSA Access Manager 6.0.x / ClearTrust 5.5.x servers
Issue: AxM - What Are The Maximum Values For "agent.session_lifetime" and "agent.idle_timeout"
Customer wants to increase the session timeout and idle timeout, but the maximum values are not in the documentation.
Cause

When an Access Manager session cookie is created, two time stamps are embedded in the cookie.
SC_TOUCH_TIME
          The key for the last touch time of this session. This is the time that determines whether a session has idled out. The timestamp is updated approximately every cookie touch window ("cleartrust.agent.cookie_touch_window=30 Secs") as long as the user keeps the session active, i.e. keeps making browser requests. Current Time minus Touch Time should not exceed cleartrust.agent.idle_timeout.

If a session has been idle too long (overnight, for example), the keys needed to decrypt the cookie and read these times will have expired, and the agent will simply report a "Token Error".

SC_CREATION_TIME
          The key for the creation time of this session. This is the time that determines whether the session lifetime has been exceeded. In general, Current Time minus Creation Time should not exceed cleartrust.agent.session_lifetime.

Resolution

There are no maximum values for the session timeout or idle timeout settings.

However, the keys used to decrypt the cookie must be kept for longer than the idle timeout.
In general, the TOTAL value of the two settings below must exceed the idle timeout value.

In addition, the maximum number of session keys that can be stored is 15, so the token lifetime can be no more than 15 times the session key life, i.e. 7.5 hours using the default 30-minute session key life.

The numbers below would suffice for a 1 ? hour idle timeout. A session timeout applies to an active session, which is always using the latest keys, so these numbers don't apply to it.

The following settings are in keyserver.conf:

# Sets the allowable idle time for a given single sign-on token.
# This setting determines how long the Key Server must hold on to
# keys that are no longer used for encryption but still are valid
# for decryption.
#
# Allowed Values:
#   Any positive integer followed by a space and one of the following
#   time identifiers: hour | mins | secs.
#
# Default Value:
#   1 hour
#
# Dependencies:
#   If using RSA ClearTrust Agents older than 4.0, the .idle_timeout parameter
#   in the webagent.conf for those Agents must be set to less than or equal to
#   the value set here. It must also be set to at least twice the value of
#   .session_key_life in order to prevent possible token decryption failure.
#
cleartrust.keyserver.token_lifetime=1 hour


# Specifies how long a session key is valid for encrypting new
# single sign-on (SSO) tokens.
#
# Allowed Values:
#   Any positive integer followed by a space and one of the following
#   time identifiers: hour | mins | secs.
#
# Default Value:
#   30 mins
#
# Dependencies:
#   See the description of .token_lifetime.
#
cleartrust.keyserver.session_key_life=30 mins
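The following is an added worked example, not code from RSA or from this article: it parses the two keyserver.conf settings above (using the "hour | mins | secs" unit names the comments define), checks an agent idle timeout against the three constraints the article states (token lifetime plus session key life must exceed the idle timeout; token lifetime at least twice the session key life; token lifetime no more than 15 times the session key life), and applies the SC_TOUCH_TIME / SC_CREATION_TIME comparisons described under Cause. The configuration text, the timestamps and the function names are constructed for the example; the cookie format and the real key server's internal behaviour are not modelled.

```python
"""Added example: validate Access Manager idle/session timeout settings
against the key-lifetime constraints described in this article.
All names, sample values and the configuration text below are constructed
for illustration; they are not RSA's code or real configuration files."""
import re

# Unit names are those listed in the keyserver.conf comments: hour | mins | secs
_UNIT_SECONDS = {"hour": 3600, "mins": 60, "secs": 1}

# The article states that at most 15 session keys can be stored.
MAX_SESSION_KEYS = 15

# Constructed sample keyserver.conf fragment using the defaults quoted above.
SAMPLE_KEYSERVER_CONF = """
# comment lines and blank lines are ignored
cleartrust.keyserver.token_lifetime=1 hour
cleartrust.keyserver.session_key_life=30 mins
"""


def parse_duration(value):
    """Convert a duration such as '1 hour', '30 mins' or '45 secs' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s+(hour|mins|secs)\s*", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def parse_keyserver_conf(text):
    """Return key=value settings from a keyserver.conf-style text, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        settings[key.strip()] = val.strip()
    return settings


def check_idle_timeout(idle_timeout_s, token_lifetime_s, session_key_life_s):
    """Return a list of problems; an empty list means the settings are consistent.

    Constraints taken from the article and the keyserver.conf comments:
      * token_lifetime + session_key_life must exceed the agent idle timeout,
        otherwise an idle-but-unexpired session cannot be decrypted (Token Error)
      * token_lifetime must be at least twice session_key_life
      * token_lifetime cannot exceed 15 x session_key_life (key store limit)
    """
    problems = []
    if token_lifetime_s + session_key_life_s <= idle_timeout_s:
        problems.append("idle_timeout is not below token_lifetime + session_key_life: "
                        "idle sessions will fail with 'Token Error'")
    if token_lifetime_s < 2 * session_key_life_s:
        problems.append("token_lifetime is less than twice session_key_life")
    if token_lifetime_s > MAX_SESSION_KEYS * session_key_life_s:
        problems.append(f"token_lifetime exceeds {MAX_SESSION_KEYS} x session_key_life")
    return problems


def evaluate_session(now, touch_time, creation_time, idle_timeout_s, session_lifetime_s):
    """Apply the two timestamp checks described for SC_CREATION_TIME and SC_TOUCH_TIME.

    All arguments are seconds (e.g. epoch seconds); the lifetime check runs first
    because an expired session cannot be revived by further requests.
    """
    if now - creation_time > session_lifetime_s:
        return "session lifetime exceeded"
    if now - touch_time > idle_timeout_s:
        return "idle timeout"
    return "valid"


if __name__ == "__main__":
    conf = parse_keyserver_conf(SAMPLE_KEYSERVER_CONF)
    token_lifetime = parse_duration(conf["cleartrust.keyserver.token_lifetime"])
    key_life = parse_duration(conf["cleartrust.keyserver.session_key_life"])
    for idle in ("1 hour", "2 hour"):
        problems = check_idle_timeout(parse_duration(idle), token_lifetime, key_life)
        print(f"idle_timeout={idle}: {problems or 'OK'}")
```

Run it against a copy of the real keyserver.conf to see which agent idle_timeout values the current key lifetimes can support; raising agent.idle_timeout without also raising token_lifetime (and, if needed, session_key_life) is what produces the overnight "Token Error" the article describes.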

Legacy Article ID: a46477
