Users being logged out from NetOps Portal unexpectedly

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Seeing an issue where the CookieTimeout doesn't appear to be working. Users getting logged out before that time cycles.

Able to log in again but something odd is going on.

Why are users being logged out before the SsoCookieTimeoutMinutes setting is reached?

Why are users being logged out before the Single Sign-On (SSO) Cookie Timeout Minutes setting is reached?

Why are users logged out after 30 minutes?

There are only three things that should trigger a User to be logged out.

If the NetOps Portal SSO (caperfcenter_sso) service is restarted all Users are logged out.
A User logs out manually.
The SsoCookieTimeoutMinutes value is reached.

Environment

All supported DX NetOps Performance Management NetOps Portal releases r20.2.1 and newer

Cause

A code defect causes the SsoCookieTimeoutMinutes value when configured with a value > 30 minutes, to be ignored.

Resolution

This issue was reported to engineering which is resolved via code change in the r21.2.6 release. Upgrade to release r21.2.6 or newer to resolve this issue.

To resolve this until a fix is available in a new release, follow these steps. It allows longer timeouts to work properly by setting the Jetty session to match the cookie timeout. Without this change the jetty session ignores the SsoCookieTimeoutMinutes value if set to > 30 minutes.

Open a terminal to the NetOps Portal host.
Go to the (default path) /opt/CA/PerformanceCenter/PC/webapps/pc/WEB-INF directory.
Make a copy of the web.xml file as a backup with the command:
- cp web.xml web.xml.backup
Open the working web.xml file for editing.
Make the following changes.
1. Change this section:
  - ```
  <session-config>
      <cookie-config>
          <name>JSESSIONID</name>
          <http-only>true</http-only>
      </cookie-config>
  </session-config>
```
2. To look like this.
  - ```
  <session-config>
      <cookie-config>
          <name>JSESSIONID</name>
          <http-only>true</http-only>
      </cookie-config>
      <session-timeout>SSOCONFIG_VALUE</session-timeout>
  </session-config>
```
- Note the addition of the session-timeout entry and where it is placed. Place it in the same location.
- Replace SSOCONFIG_VALUE with the same value your SsoCookieTimeoutMinutes is set to.
  - See Additional Information below re: how to check the current setting via the SsoConfig command.
3. Save the changes to the file.
4. After editing the web.xml file restart the PC console service.
  1. Stop the service:
    1. RH 6.x: system caperfcenter_console stop
    2. RH 7.x: systemctl stop caperfcenter_console
  2. Start the service:
    1. RH 6.x: system caperfcenter_console start
    2. RH 7.x: systemctl start caperfcenter_console

After this change the User should not be logged out automatically until the SsoCookieTimeoutMinutes value is reached.

Additional Information

Any upgrade will reset/replace the existing web.xml file. Be sure to make the changes to web.xml, adding session-timeout, after any upgrade.
What is my current SsoCookieTimeoutMinutes value? How do I check?
1. Open a terminal to the Performance Center Portal host.
2. Go to the (default path) /opt/CA/PerformanceCenter directory
3. Run: ./SsoConfig
4. Enter 1 for DX NetOps
5. Enter 4 for Single Sign-On
6. The "Cookie Timeout Minutes" entry represents the SsoCookieTimeoutMinutes value.
Running 21.2.5 and earlier releases?
- Make the above changes as well as the changes in the below referenced Knowledge Base article.
- How to change the session timer to prevent auto-logout
Running 21.2.6 and newer releases?
- Do not edit the web.xml file.
- Only make the changes recommended via SsoConfig tool per the following Knowledge Base article.
- How to change the session timer to prevent auto-logout