Difference between the 'Login' & 'Applet' timeouts and way they work

Article ID: 12712


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

What is the difference between the 'Login' & 'Applet' timeouts and how do they work?

Environment

Release:  PAM

Resolution

There are 2 timeout options available in CA PAM under Global Settings, "Login Timeout" & "Applet Timeout". 



Login Timeout refers to a user's login session with PAM. When this timeout is reached, the user session is killed. The user is logged out of the appliance and presented with a message saying "Your session has timed out."



Applet Timeout refers to the connections made through PAM from the end user to a target device. When this timeout is reached the server connection is closed and the user is presented with a message saying "Applet Timed Out due to user inactivity". Monitored items include: Built-in applets & TCP/UDP services.



Both timeouts are defined in minutes. The number 0 can be used to effectively disable them; however, this is not recommended in a production environment due to possible security concerns. It should also be noted that there is a hard-coded Login timeout of 48 hours, regardless of this setting.

The state of the login timeout can be viewed under Sessions > Manage Sessions. The 'Timeout' column will usually display a countdown timer to the login timeout; however, if the user is connected to an applet it will instead say "SUSPENDED". This is because the login timer is suspended while working in an applet. Once the applet is closed (by the user or by the applet timeout), the login timeout is reset and starts counting down again.
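The interaction between the two timers can be modelled in a few lines of Python. This is an added example, not CA PAM code; the function names, the event kinds and the reading of the 48-hour limit as a cap on the login timer are assumptions, and activity in the PAM UI itself is not modelled.

```python
HARD_LOGIN_CAP_MIN = 48 * 60  # the article's hard-coded 48-hour login timeout

def effective_login_timeout(login_min):
    # Assumption: 0 ("disabled") leaves only the 48 h cap; larger values are capped by it.
    return HARD_LOGIN_CAP_MIN if login_min == 0 else min(login_min, HARD_LOGIN_CAP_MIN)

def simulate(login_min, applet_min, events):
    """Replay (minute, kind) events, kind in {'open', 'input', 'close'}.

    'input' is user activity inside the applet (STDIN for SSH sessions).
    Returns (log, logout_minute); logout_minute is None when the article does
    not say what ends the session (applet timeout 0 and the applet left open).
    """
    login_eff = effective_login_timeout(login_min)
    login_deadline = login_eff   # the countdown in the 'Timeout' column
    applet_deadline = None       # None = no applet timer running
    applet_open = False
    log = []

    def advance(now):
        # Fire every timer that expires at or before `now`; return the logout minute, if any.
        nonlocal login_deadline, applet_deadline, applet_open
        while True:
            if applet_open:
                if applet_deadline is None or applet_deadline > now:
                    return None  # login timer stays SUSPENDED
                log.append((applet_deadline, "applet timed out"))
                applet_open = False
                login_deadline = applet_deadline + login_eff  # reset, counts down again
            elif login_deadline <= now:
                log.append((login_deadline, "login timed out"))
                return login_deadline
            else:
                return None

    for minute, kind in sorted(events):
        ended = advance(minute)
        if ended is not None:
            return log, ended
        if kind == "open":
            applet_open = True
            applet_deadline = minute + applet_min if applet_min else None
            log.append((minute, "login timer SUSPENDED"))
        elif kind == "input" and applet_open and applet_min:
            applet_deadline = minute + applet_min
        elif kind == "close" and applet_open:
            applet_open = False
            login_deadline = minute + login_eff
            log.append((minute, "login timer reset"))
    return log, advance(float("inf"))
```

With a 15-minute login timeout and a 10-minute applet timeout, a user whose last applet input is at minute 12 is not logged out until minute 37: an unattended session stays open for the applet timeout plus the login timeout, which is the figure to use when sizing both settings.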

Additional Information

Note: For SSH type sessions, STDIN is monitored for activity. This means that long-running scripts and executables will not keep the connection open. The session will close once the set amount of time has passed since the last received STDIN.