Data Protection - iConsole session timeouts

Document ID : KB000010032
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

The iConsole is a lightweight, browser-based application providing event searching and auditing features.  The iConsole resides on a Microsoft IIS Server and comprises of a Front End Webserver and a Back End Application Server (both components can reside on the same IIS host).

 

The end users browser (client) connects to a Front End Webserver which accesses the Back End Application which provides the web service that connects to the CMS.  While the client is active on the Front End Web Server the session is maintained. 

 

By default, if the iConsole detects no user activity (such as running a search or auditing an event) for 20 minutes, it displays a warning that the current session is about to expire. Clicking Cancel enables you to reset the session timeout for a further 20 minutes. The warning message itself will timeout after 20 seconds if no action is taken and the user is redirected to the Reconnect screen.

 

Background:

The automatic session timeout ensures that disconnections are handled efficiently and ensures that hung sessions do not remain on the iConsole application server, where they can consume system resources.

 

For example, a session will fail to terminate correctly if a user quits the iConsole by clicking the browser Close button instead of clicking the Logoff button in the iConsole. If this happens, the session will persist on the application server. The automatic timeout ensures that the residual session left after clicking the Close button is eventually terminated when the timeout expires. 

Environment:
CA Data Protection (DataMinder)
Instructions:

The CA Data Protection iConsole uses the IIS "System.Web.SessionState" class to maintain the HttpSessionState. The configurable timeout value is assigned to the current session state.

 

 

To lengthen or shorten the automatic session timeout, or to adjust how long the session timeout warning is displayed, you need to modify values in the Web registry key on the front-end Web server.  

computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComputerAssociates\CA DataMinder\CurrentVersion\Web

 

Within this registry key, modify the following values:

 

SessionTimeoutWarningSeconds

Type: REG_DWORD

Data: Defaults to 20. Specifies how long (in seconds) the session timeout warning is displayed before the user is redirected to the Reconnect screen.

 

SessionTimeoutMinutes

Type: REG_DWORD

 

Data: Defaults to 20. Specifies the session timeout (in minutes) for the iConsole. The timeout countdown begins as soon as the user logs on to a CMS and restarts each time CA Data Protection detects user activity.  If the timeout expires and no user activity was detected, CA Data Protection terminates the current session and displays the iConsole Logon screen.

Additional Information:

Some deployment scenarios will require special consideration.  

 

For example,

  • Each front-end web server can only connect to a single, specific application server, but it is possible to connect multiple front-end web servers to a single application server.  This is called load balancing.  It is essential that load balanced deployments are configured for a single infinity "sticky sessions" instance to ensure that the session persists between the client accessing a front end server and the back end server.  If this is not configured the session can timeout prematurely.
  • Secure authentication tools like IBM WebSEAL (which provides single sign-on solutions which incorporate back-end IIS Web application server resources in its security policy), should be configured to access the session URL before the application session timeout value is met (i.e. 20 minutes).  If this is not configured correctly the users session will terminate and the user will be logged off the iConsole.

 

Please refer to the individual product guides for specific configuration details.