Bug 1658293
| Field | Value |
|---|---|
| Summary | Simplifying Web UI session timeout configuration |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Endi Sukma Dewata <edewata> |
| Component | pki-core |
| Assignee | Endi Sukma Dewata <edewata> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | unspecified |
| Priority | high |
| Version | 7.7 |
| CC | akahat, mharmsen, msauton, rpattath |
| Target Milestone | rc |
| Keywords | TestCaseProvided, ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pki-core-10.5.16-2.el7 |
| Doc Type | Bug Fix |
| Doc Text | Previously, configuring the HTTP session timeout for the PKI Web UI was complicated since the <session-timeout> parameter was stored in multiple web.xml files owned by the RPM package. The <session-timeout> parameter has now been removed from the package-owned web.xml files, so the HTTP session can be configured more easily in the instance's default web.xml file at /etc/pki/<instance>/web.xml. |
| Story Points | --- |
| : | 1659939 |
| Last Closed | 2019-08-06 13:07:19 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1659939 |
Fixed in DOGTAG_10_5_BRANCH:

* https://github.com/dogtagpki/pki/commit/30a47907af087a9d2f7739e8d577d7cdd28de18b
* https://github.com/dogtagpki/pki/commit/359c05060953cd9124e616067ed545b3b32cb943

Steps to verify:

1. Install CA.
2. Configure access banner as described here: https://www.dogtagpki.org/wiki/Access_Banner
3. Set TLS session timeout to 1 minute and HTTP session timeout to 2 minutes as described here: https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/docs/admin/Session_Timeout.md
4. Open a secure page in the Web UI. It should create multiple TLS connections and a new HTTP session. The audit log should show ACCESS_SESSION_ESTABLISH events. The Web UI should show the access banner.
5. Wait for one minute. The TLS connections should close. The audit log should show ACCESS_SESSION_TERMINATED events.
6. Click something in the Web UI. It should create new TLS connections. The audit log should show ACCESS_SESSION_ESTABLISH events. The Web UI should not show the access banner since the HTTP session is still active.
7. Wait for one minute. The TLS connections should close. The audit log should show ACCESS_SESSION_TERMINATED events.
8. Wait for one more minute. The HTTP session should expire. The audit log should not show anything for this event.
9. Click something in the Web UI. It should create new TLS connections and a new HTTP session. The audit log should show ACCESS_SESSION_ESTABLISH events. The Web UI should show the access banner again.
10. Wait for one minute. The TLS connections should close. The audit log should show ACCESS_SESSION_TERMINATED events.
11. Wait for one more minute. The HTTP session should expire. The audit log should not show anything for this event.

I tested this bugzilla on version 10.5.16-2.el7. I followed the steps as mentioned in comment #3.

- Configured banner.
- I set up TLS & HTTP session timeout for 1 and 2 mins resp.
- Restarted instance. Accessed CA EE and Agent page and I could see ACCESS_SESSION_ESTABLISHED events in audit logs.
- Waiting for TLS session to get expired, I'm able to see ACCESS_SESSION_TERMINATED logs.
- Waited 1 more min to get HTTP session expired. As expected it showed the banner.

Verifying this bugzilla.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228
The session timeout for PKI Web UI can be configured with the <session-timeout> parameter in web.xml:

```xml
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
```

However, there are multiple instances of web.xml within the server:

* Global configuration: /etc/pki/<instance>/web.xml
* PKI main webapp: /usr/share/pki/server/webapps/pki/WEB-INF/web.xml
* PKI subsystem webapps: /usr/share/pki/<subsystem>/webapps/<subsystem>/WEB-INF/web.xml

Currently each of the above files defines its own <session-timeout> parameter. The parameters in the webapps will override the parameter in the global configuration, but currently they are all set to the same value (i.e. 30 minutes).

The web.xml files in the webapps are actually shared files owned by the PKI package which are not supposed to be modified, so to change the session timeout the admin would have to customize each webapp first, which requires a number of steps (see https://www.dogtagpki.org/wiki/Customization), then modify the web.xml of the customized webapps. Also, once the webapps are customized, they will no longer be upgraded automatically in future PKI updates, so the admin would have to maintain them manually.

To simplify the process and avoid future issues, the <session-timeout> should be removed from the webapps, so by default PKI Web UI will use the global configuration, which can be edited directly since it doesn't require customization, and easily since it's only one file.
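The precedence described above (a webapp's WEB-INF/web.xml shadows the instance-wide /etc/pki/<instance>/web.xml) is easy to get wrong in the field: an admin lowers the global value and the Web UI quietly keeps the packaged 30 minutes. The script below is an added example, not code from the bug report or from the pki project. It resolves the effective timeout per webapp from the two layers and flags any package-owned file that still pins its own value, which is exactly the pre-fix state. The XML inputs are constructed samples; the 2-minute global value mirrors the verification steps, and the 30-minute container fallback is an assumption about Tomcat's default when no layer sets one.

```python
"""Resolve the effective HTTP session timeout of PKI webapps from web.xml layers.

Added example, not part of the bug report or the pki project. All XML below is
constructed sample input; the paths in comments are the ones the report names.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Assumption: the servlet container falls back to 30 minutes when no web.xml
# layer defines <session-timeout>.
CONTAINER_FALLBACK_MINUTES = 30


def _local(tag: str) -> str:
    """Drop the XML namespace so files with or without xmlns parse the same way."""
    return tag.rsplit("}", 1)[-1]


def read_session_timeout(web_xml: str) -> Optional[int]:
    """Return <session-config>/<session-timeout> in minutes, or None when the
    file does not set one (the state the fix leaves the webapp files in)."""
    root = ET.fromstring(web_xml)
    for node in root.iter():
        if _local(node.tag) != "session-config":
            continue
        for child in node:
            if _local(child.tag) == "session-timeout" and child.text and child.text.strip():
                return int(child.text.strip())
    return None


def effective_timeout(global_xml: str, webapp_xml: str) -> int:
    """Webapp WEB-INF/web.xml overrides the instance web.xml, which overrides
    the container fallback; this is the precedence the report describes."""
    for layer in (webapp_xml, global_xml):
        value = read_session_timeout(layer)
        if value is not None:
            return value
    return CONTAINER_FALLBACK_MINUTES


def audit_overrides(global_xml: str, webapps: Dict[str, str]) -> Dict[str, dict]:
    """For each webapp, report the effective timeout and whether the package-owned
    file is its source, i.e. whether the global setting is silently ignored."""
    global_value = read_session_timeout(global_xml)
    report = {}
    for name, xml in webapps.items():
        report[name] = {
            "effective_minutes": effective_timeout(global_xml, xml),
            "overrides_global": read_session_timeout(xml) is not None,
            "global_minutes": global_value,
        }
    return report


# Constructed sample: instance file (/etc/pki/<instance>/web.xml) set to 2 minutes,
# the "pki" webapp already stripped of its timeout (post-fix state), and the "ca"
# webapp still carrying the packaged 30 (pre-fix state).
GLOBAL_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>
</web-app>"""

WEBAPPS = {
    "pki": "<web-app><display-name>pki</display-name></web-app>",
    "ca": """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>""",
}

if __name__ == "__main__":
    for app, info in audit_overrides(GLOBAL_WEB_XML, WEBAPPS).items():
        state = "OVERRIDES global" if info["overrides_global"] else "inherits global"
        print(f"{app}: {info['effective_minutes']} min ({state})")
```

Run against real files by reading the instance web.xml and each WEB-INF/web.xml into the two arguments; any webapp reported as overriding the global value is one where the instance-wide timeout will not take effect.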