Bug 1658293 - CC: Simplifying Web UI session timeout configuration
Summary: CC: Simplifying Web UI session timeout configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1659939
Reported: 2018-12-11 17:10 UTC by Endi Sukma Dewata
Modified: 2020-10-04 21:45 UTC (History)
CC: 4 users

Fixed In Version: pki-core-10.5.16-2.el7
Doc Type: Bug Fix
Doc Text:
Previously configuring HTTP session timeout for PKI Web UI was complicated since the <session-timeout> parameter was stored in multiple web.xml files owned by the RPM package. The <session-timeout> parameter has now been removed from the package-owned web.xml files, so the HTTP session can be configured more easily in the instance's default web.xml file at /etc/pki/<instance>/web.xml.
Clone Of:
Clones: 1659939
Environment:
Last Closed: 2019-08-06 13:07:19 UTC
Target Upstream Version:
Embargoed:

Links:
* GitHub dogtagpki/pki issue 3201 (closed): Simplifying Web UI session timeout configuration; last updated 2021-01-28 14:01:11 UTC
* Red Hat Product Errata RHBA-2019:2228; last updated 2019-08-06 13:07:40 UTC

Description Endi Sukma Dewata 2018-12-11 17:10:12 UTC
The session timeout for PKI Web UI can be configured with the
<session-timeout> parameter in web.xml:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

However, there are multiple instances of web.xml within the server:

* Global configuration: /etc/pki/<instance>/web.xml
* PKI main webapp: /usr/share/pki/server/webapps/pki/WEB-INF/web.xml
* PKI subsystem webapps: /usr/share/pki/<subsystem>/webapps/<subsystem>/WEB-INF/web.xml

Currently each of the above files defines its own <session-timeout>
parameter. The parameters in the webapps will override the parameter
in the global configuration but currently they are all set to the same
value (i.e. 30 minutes).

The web.xml files in the webapps are actually shared files owned by PKI
package which are not supposed to be modified, so to change the session
timeout the admin would have to customize each webapp first, which
requires a number of steps (see
https://www.dogtagpki.org/wiki/Customization), then modify the web.xml
of the customized webapps. Also, once the webapps are customized, they
will no longer be upgraded automatically in future PKI updates, so the
admin would have to maintain them manually.

To simplify the process and avoid future issues, the <session-timeout>
should be removed from the webapps, so by default PKI Web UI will use
the global configuration which can be edited directly since it doesn't
require customization and easily since it's only one file.

Comment 3 Endi Sukma Dewata 2018-12-14 19:09:36 UTC
Steps to verify:
1. Install CA.
2. Configure access banner as described here:
   https://www.dogtagpki.org/wiki/Access_Banner
3. Set TLS session timeout to 1 minute and HTTP session
   timeout to 2 minutes as described here:
   https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/docs/admin/Session_Timeout.md
4. Open a secure page in the Web UI. It should create multiple
   TLS connections and a new HTTP session. The audit log should
   show ACCESS_SESSION_ESTABLISH events. The Web UI should show
   the access banner.
5. Wait for one minute. The TLS connections should close. The audit
   log should show ACCESS_SESSION_TERMINATED events.
6. Click something in Web UI. It should create new TLS connections.
   The audit log should show ACCESS_SESSION_ESTABLISH events. The
   Web UI should not show the access banner since the HTTP session
   is still active.
7. Wait for one minute. The TLS connections should close. The audit
   log should show ACCESS_SESSION_TERMINATED events.
8. Wait for one more minute. The HTTP session should expire. The
   audit log should not show anything for this event.
9. Click something in Web UI. It should create new TLS connections
   and a new HTTP session. The audit log should show
   ACCESS_SESSION_ESTABLISH events. The Web UI should show the
   access banner again.
10. Wait for one minute. The TLS connections should close. The audit
    log should show ACCESS_SESSION_TERMINATED events.
11. Wait for one more minute. The HTTP session should expire. The
    audit log should not show anything for this event.
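As an added example (not code from this bug or from the PKI project), the script below models the precedence the description explains and the 2-minute HTTP timeout used in the steps above: Tomcat applies a webapp's WEB-INF/web.xml over the instance-wide /etc/pki/<instance>/web.xml, so a package-owned webapp descriptor that still declares 30 minutes silently defeats the global setting until it is removed. The sample descriptors are constructed; the on-disk paths given to effective_timeout_from_files are supplied by the caller.

```python
import xml.etree.ElementTree as ET
from typing import Optional

TOMCAT_DEFAULT_MINUTES = 30  # Tomcat's built-in default when no descriptor sets one


def _local(tag: str) -> str:
    """Drop a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def session_timeout(web_xml: str) -> Optional[int]:
    """Return the <session-timeout> (minutes) declared in a web.xml, or None."""
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "session-timeout" and elem.text:
            return int(elem.text.strip())
    return None


def effective_timeout(global_xml: str, webapp_xml: str) -> int:
    """Tomcat precedence: webapp WEB-INF/web.xml, then the instance-wide
    /etc/pki/<instance>/web.xml, then the built-in default."""
    for candidate in (session_timeout(webapp_xml), session_timeout(global_xml)):
        if candidate is not None:
            return candidate
    return TOMCAT_DEFAULT_MINUTES


def effective_timeout_from_files(global_path: str, webapp_path: str) -> int:
    """Same resolution against files on disk (paths supplied by the caller)."""
    with open(global_path) as g, open(webapp_path) as w:
        return effective_timeout(g.read(), w.read())


# Constructed sample descriptors. The admin sets 2 minutes in the global file
# (the HTTP timeout used in the verification steps).
GLOBAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>2</session-timeout></session-config>
</web-app>"""
# Before the fix the package-owned webapp descriptor still pinned 30 minutes.
WEBAPP_BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""
# After the fix the webapp descriptor no longer mentions the timeout at all.
WEBAPP_AFTER = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>index.html</welcome-file></welcome-file-list>
</web-app>"""

if __name__ == "__main__":
    print("before fix:", effective_timeout(GLOBAL_WEB_XML, WEBAPP_BEFORE), "min")
    print("after fix: ", effective_timeout(GLOBAL_WEB_XML, WEBAPP_AFTER), "min")
```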

Comment 6 Amol K 2019-06-18 07:55:56 UTC
I tested this bugzilla on version 10.5.16-2.el7.

I followed steps as mentioned in the comment #3.

 - Configured banner
 - I set up TLS & HTTP session timeouts of 1 and 2 mins respectively.
 - Restarted the instance. Accessed the CA EE and Agent pages and I could see ACCESS_SESSION_ESTABLISHED events in audit logs.
 - After waiting for the TLS session to expire, I'm able to see ACCESS_SESSION_TERMINATED logs.
 - Waited 1 more min for the HTTP session to expire. As expected it showed the banner.


Verifying this bugzilla.

Comment 8 errata-xmlrpc 2019-08-06 13:07:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228

