Symantec Access Management

  • 1.  SiteMinder default realm timeouts

    Broadcom Employee
    Posted Aug 22, 2018 06:08 PM

    As it comes out of the box, SiteMinder uses default realm timeouts of 2 hours max and 1 hour idle.  Is there any way to change one or both of these default values... perhaps a registry setting?



  • 2.  Re: SiteMinder default realm timeouts

    Posted Aug 22, 2018 06:15 PM

    Rich Rich_Faust

     

    Am sure I'm missing some angle on this question, so it is not as trivial as it looks nor as trivial as my reply. 

     

    In general we change timeouts on creation of Realm OR via modification of a Realm.



  • 3.  Re: SiteMinder default realm timeouts

    Broadcom Employee
    Posted Aug 22, 2018 06:28 PM

    Hubert, it's clear that these timeouts can be changed on a per-realm basis.  I was wondering if the defaults may be modified so that every time you create a new realm, the max and idle timeout fields are pre-populated with values controlled by the customer.  For example, a company with stringent security requirements might want those defaults to be 1 hour max and 30 minutes idle.



  • 4.  Re: SiteMinder default realm timeouts

    Posted Aug 22, 2018 06:49 PM

    Aha, that's why I said I'm missing an angle: "I was wondering if the defaults may be modified so that every time you create a new realm, the max and idle timeout fields are pre-populated with values controlled by the customer".

     

    Automation is the one way. Automate using SDK or REST API.

     

    Through the WAM UI, it may be possible if we tinker with the default SCHEMA definition. It needs some deeper investigation as to where those values are picked from. Have you searched the SCHEMA (default XDD) and smpolicy.xml file for those values? I do not encourage modifying them (if you find 'em) unless it is blessed by SE.



  • 5.  Re: SiteMinder default realm timeouts

    Posted Aug 22, 2018 10:47 PM

    I believe you should be able to update those default values while doing a fresh install or upgrade, during the import of smpolicy.xml or smpolicy-secure.xml. Below are the fields in those files that need to be edited to the values you like before it's imported:

     

    <Property Name="CA.SM::Realm.IdleTimeout">
        <NumberValue>3600</NumberValue>
    </Property>
    <Property Name="CA.SM::Realm.MaxTimeout">
        <NumberValue>7200</NumberValue>
    </Property>



  • 6.  Re: SiteMinder default realm timeouts

    Broadcom Employee
    Posted Aug 23, 2018 08:57 AM

    @Kaladhar, good thought. This should work, although not documented as such in docops.ca.com. ;-) Rgds. Vijay



  • 7.  Re: SiteMinder default realm timeouts

    Broadcom Employee
    Posted Aug 23, 2018 09:39 AM

    Thanks for your feedback, HubertDennis and Kaladhar.Brahmanapally.

     

    KB, following on your suggestion, I took a wider look at the snippet you posted from smpolicy.xml and retrieved the related XID in XPSExplorer:  the description of the object is "* Please do not edit this realm!  This is a global realm. *".  I think it would be possible to get a writable copy of that object and modify the max and idle timeouts without having to wait for an installation or upgrade event.  I would expect a restart of all policy servers for the change to be in effect.

     

    I have since learned that a CA Support case was opened in the July 2016 time frame (00460047 [link may only work for CA employees]) wherein the response at that time was basically "no, it can't be done".  I think that speaks to Hubert's concern that any such change be "blessed by SE".  I'll open a new support case, reference the original case, and inquire whether changing the timeouts would impact the supportability of the implementation.



  • 8.  Re: SiteMinder default realm timeouts

    Broadcom Employee
    Posted Sep 25, 2018 02:44 PM

    An update on the support case:  engineering's first response was that smpolicy.xml should not be modified, but I've asked a follow-up question and am awaiting a reply.  I'll provide more details as they become available.



  • 9.  Re: SiteMinder default realm timeouts
    Best Answer

    Broadcom Employee
    Posted Sep 27, 2018 10:32 AM

    Per engineering:

     

    [The default timeout values have] nothing to do with the definition and the default that is coming to AdminUI; we have a provider in Policy Server that holds the value that the UI will show. So we cannot change the default values without recompiling the PS code.

     

    Given the default timeout values that come out of the SiteMinder box can't be changed, you may find this tool helpful if you need to audit max and idle timeout values, or modify the idle timeout values:

    SiteMinder Idle Timeouts
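
Since the defaults cannot be changed, realms created with them have to be found after the fact. The following is an added example, not code from this thread or from any CA/Broadcom tool: a Python audit that scans a policy XML export for the two property names shown in post 5 and reports values above the 30-minute idle / 1-hour max figures from post 3. The `<Object Xid="...">` wrapper, the sample data, and treating 0 as "timeout disabled" are assumptions.

```python
import xml.etree.ElementTree as ET

# Property names taken from the smpolicy.xml snippet quoted in the thread.
LIMITS = {
    "CA.SM::Realm.IdleTimeout": 1800,  # 30 minutes idle
    "CA.SM::Realm.MaxTimeout": 3600,   # 1 hour max
}

# Constructed sample. The <Object> wrapper and its Xid attribute are
# assumptions; only the <Property>/<NumberValue> shape is from the thread.
SAMPLE = """
<PolicyData>
  <Object Xid="realm-default">
    <Property Name="CA.SM::Realm.IdleTimeout"><NumberValue>3600</NumberValue></Property>
    <Property Name="CA.SM::Realm.MaxTimeout"><NumberValue>7200</NumberValue></Property>
  </Object>
  <Object Xid="realm-strict">
    <Property Name="CA.SM::Realm.IdleTimeout"><NumberValue>1800</NumberValue></Property>
    <Property Name="CA.SM::Realm.MaxTimeout"><NumberValue>3600</NumberValue></Property>
  </Object>
  <Object Xid="realm-odd">
    <Property Name="CA.SM::Realm.IdleTimeout"><NumberValue>0</NumberValue></Property>
    <Property Name="CA.SM::Realm.MaxTimeout"><NumberValue/></Property>
  </Object>
</PolicyData>
"""

def audit_timeouts(xml_text, limits=LIMITS):
    """Return (object id, property, value, reason) for each timeout that breaks policy."""
    findings = []
    for obj in ET.fromstring(xml_text).iter():
        for prop in obj.findall("Property"):  # direct children only
            name = prop.get("Name")
            if name not in limits:
                continue
            raw = (prop.findtext("NumberValue") or "").strip()
            oid = obj.get("Xid", "<no Xid>")
            if not raw.isdigit():
                findings.append((oid, name, raw, "missing or non-numeric"))
            elif int(raw) == 0:
                # Assumption: 0 means the timeout is switched off.
                findings.append((oid, name, 0, "timeout disabled"))
            elif int(raw) > limits[name]:
                findings.append((oid, name, int(raw), f"exceeds {limits[name]}s"))
    return findings

if __name__ == "__main__":
    for finding in audit_timeouts(SAMPLE):
        print(*finding, sep="\t")
```

Point it at a read-only copy of an export rather than the file used for import, and adjust `LIMITS` to your own session policy.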