How do I configure session timeouts in AM (All versions)?
The purpose of this article is to provide information on setting session timeouts in AM. There are a number of different session timeouts you can set; this article focuses on setting session timeouts at a global level.
1 reader recommends this article
Overview
There are a number of different session timeouts you can set; this article focuses on setting session timeouts at a global level.
Note
It is not possible to set global session timeouts in AM 7.x via ssoadm; this is a known issue: OPENAM-18304 (Cannot set session-max-session-time with ssoadm using set-attr-defs). You can either use the AM admin UI to set global session timeouts or set them at the realm level as detailed in How do I configure realm level session timeouts in AM (All versions)?
Configuring global session timeouts
There are two global session timeouts: Maximum Session Time, which is the maximum number of minutes that a session can remain active before a user is required to re-authenticate and Maximum Idle Time, which is the maximum number of minutes that a session can be idle before a user must re-authenticate.
You can configure the global session timeouts using either the AM admin UI or ssoadm:
- AM admin UI: navigate to: Configure > Global Services > Session > Dynamic Attributes and enter the required number of minutes for the maximum session time and / or maximum idle time.
- ssoadm: enter the following command for maximum session time: $ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u [adminID] -f [passwordfile] -a iplanet-am-session-max-session-time=[minutes]replacing [adminID], [passwordfile] and [minutes] with appropriate values.
- ssoadm: enter the following command for maximum idle time: $ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u [adminID] -f [passwordfile] -a iplanet-am-session-max-idle-time=[minutes]replacing [adminID], [passwordfile] and [minutes] with appropriate values.
Note
There is no recommended value for these session timeouts as they depend on your requirements and configuration. For a combination of security and convenience, you should consider setting the maximum session time to a higher value and the maximum idle time to a relatively low value. From a performance perspective, the maximum session time has to be considered when setting the maximum number of sessions. Unless your sessions expire quickly, you will probably need to set a higher limit for active sessions; the number of sessions is relative to the amount of memory being used, which means you need to adjust the Java™ Virtual Machines (JVM) heap size accordingly.
See Also
How do I configure realm level session timeouts in AM (All versions)?
How do I configure user-level session timeouts in AM (All versions)?
How do I change the JVM heap size for AM?
Best practice for JVM Tuning with G1 GC
Best practice for JVM Tuning with CMS GC
Related Training
N/A
Related Issue Tracker IDs
N/A