zowe / api-layer

The API Mediation Layer provides a single point of access for mainframe service REST APIs.
Eclipse Public License 2.0

LTPA token expires every day #3812

Open bobbydixon opened 8 months ago

bobbydixon commented 8 months ago

Describe the bug

The LTPA token expires every 8 hours even though the client has specified that the token should be valid for 30 days on the server side.

We had one of our WebSphere colleagues mention that the LTPAToken2 is stored as a cookie in the browser after login. He opened a developer console and said it looks like Zowe does not appear to be using an LTPA token at all. He suggested narrowing down which cookie is storing the authentication information, then focusing on how to trace that cookie. He said Liberty does have the following setting that can invalidate an LTPA token on a session timeout, but he confirmed that what he saw in the trace showed it's set to "false":

logoutOnHttpSessionExpire="true"

He said it is as if the product manages its own authentication.

The client is using Zowe Explorer in VS Code to look at datasets.

To try to avoid the LTPA token expiring, they changed SESSION_EXPIRE(43200) in the zOSMF config on the host. But it still expires after 8 hours.

They see the following message when it starts:

IZUG018W The property LTPA_EXPIRE is set to 43205 WARNING: The value specified for SESSION_EXPIRE must be less than LTPA_EXPIRE.

For IBMers, this relates to case TS014904922

Steps to Reproduce

I've reached out to the client for details

Expected behavior

The client expects the LTPA token to only be renewed after 30 days.


balhar-jakub commented 8 months ago

Do you know whether they use API Mediation Layer to access the z/OS APIs?

1000TurquoisePogs commented 8 months ago

Just wondering, do they observe that zosmf when used directly lasts longer than 8 hours?

I found this about configuring LTPA timeout, maybe that's what was already done judging by the logs. https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-configuring-ltpa-in

bobbydixon commented 6 months ago

@balhar-jakub - how do they check if they're using the API Mediation Layer to access the z/OS APIs?

bobbydixon commented 6 months ago

@1000TurquoisePogs - the client logged onto the z/OSMF Desktop on two different LPARs, one where the parameter was changed and one where it was not. Some 8 hours later he got the logon prompt for the LPAR where the parameter was not changed - but not for the LPAR where the parameter was changed. So the setting seems to work for z/OSMF Desktop.

balhar-jakub commented 6 months ago

@bobbydixon - Within the browser, there will be a cookie named apimlAuthenticationToken
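
An added example, not part of the thread or of the Zowe project's code: a Python check for the step suggested above, finding which authentication cookie a client sends and, where its value is a JWT, reading the token lifetime. It assumes the apimlAuthenticationToken value is a JWT carrying `iat` and `exp` claims; the function names and the sample header are constructed for illustration.

```python
import base64
import json

# Cookie names mentioned in the thread, compared case-insensitively.
AUTH_COOKIES = {"ltpatoken2", "apimlauthenticationtoken"}

def parse_cookie_header(header):
    """Split a Cookie request header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def auth_cookie_report(header):
    """Return {cookie name: lifetime in hours, or None if the token is opaque}."""
    report = {}
    for name, value in parse_cookie_header(header).items():
        if name.lower() not in AUTH_COOKIES:
            continue
        claims = jwt_claims(value)
        if claims and "iat" in claims and "exp" in claims:
            report[name] = (claims["exp"] - claims["iat"]) / 3600
        else:
            report[name] = None  # e.g. LTPA: expiry is enforced server-side
    return report

def _sample_jwt(iat, exp):
    """Build a constructed, unsigned token for the demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "USER1", "iat": iat, "exp": exp}), "sig"])

# Constructed sample: one unrelated cookie plus a token valid for 8 hours.
SAMPLE_HEADER = "theme=dark; apimlAuthenticationToken=" + _sample_jwt(1700000000, 1700028800)

if __name__ == "__main__":
    print(auth_cookie_report(SAMPLE_HEADER))
```

A `None` lifetime means the cookie is present but its expiry cannot be read on the client, so the server-side setting is the one to trace.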