Symantec Access Management

Expand all | Collapse all

SiteMinder default realm timeouts

Jump to Best Answer
  • 1.  SiteMinder default realm timeouts

    Broadcom Employee
    Posted 08-22-2018 06:08 PM

    As it comes out of the box, SiteMinder uses default realm timeouts of 2 hours max and 1 hour idle.  Is there any way to change one or both of these default values... perhaps a registry setting?



  • 2.  Re: SiteMinder default realm timeouts

    Posted 08-22-2018 10:47 PM

    I believe you should be able update those default values while doing a fresh install or upgrade during the import of smpolicy.xml or smpolicy-secure.xml. below are the fields in those that need to be edited to values you like before its imported

     

     </Property>
                    <Property Name="CA.SM::Realm.IdleTimeout">
                        <NumberValue>3600</NumberValue>
                    </Property>
                    <Property Name="CA.SM::Realm.MaxTimeout">
                        <NumberValue>7200</NumberValue>
                    </Property>



  • 3.  Re: SiteMinder default realm timeouts

    Posted 08-22-2018 06:15 PM

    Rich Rich_Faust

     

    Am sure I'm missing some angle on this question, so it is not as trivial as it looks nor as trivial as my reply. 

     

    In general we change timeouts on creation of Realm OR via modification of a Realm.



  • 4.  Re: SiteMinder default realm timeouts

    Broadcom Employee
    Posted 08-23-2018 08:57 AM

    @Kaladhar,  Good thought.This should work, although not documented as such in docops.ca.com. ;-) Rgds. Vijay



  • 5.  Re: SiteMinder default realm timeouts

    Broadcom Employee
    Posted 08-23-2018 09:39 AM

    Thanks for your feedback, HubertDennis and Kaladhar.Brahmanapally.

     

    KB, following on your suggestion, I took a wider look at the snippet you posted from smpolicy.xml and retrieved the related XID in XPSExplorer:  the description of the object is "* Please do not edit this realm!  This is a global realm. *".  I think it would be possible to get a writable copy of that object and modify the max and idle timeouts without having to wait for an installation or upgrade event.  I would expect a restart of all policy servers for the change to be in effect.

     

    I have since learned that a CA Support case was opened in July 2016 time frame (00460047 [link may only work for CA employees]) wherein the response at that time was basically "no, it can't be done".  I think that speaks to Hubert's concern that any such change be "blessed by SE".  I'll open a new support case, reference the original case, and inquire whether changing the timeouts would impact the supportability of the implementation.



  • 6.  Re: SiteMinder default realm timeouts

    Broadcom Employee
    Posted 08-22-2018 06:28 PM

    Hubert, it's clear that these timeouts can be changed on a per-realm basis.  I was wondering if the defaults may be modified so that every time you create a new realm, the max and idle timeout fields are pre-populated with values controlled by the customer.  For example, a company with stringent security requirements might want those defaults to be 1 hour max and 30 minutes idle.



  • 7.  Re: SiteMinder default realm timeouts

    Posted 08-22-2018 06:49 PM

    Aha thats why I said, I'm missing an angle "I was wondering if the defaults may be modified so that every time you create a new realm, the max and idle timeout fields are pre-populated with values controlled by the customer".

     

    Automation is the one way. Automate using SDK or REST API.

     

    Through WAM UI, may be possible if we tinker the default SCHEMA definition. Need some more deep investigation as to where those values are picked from. Have you searched the SCHEMA (default XDD) and smpolicy.xml file for those values ? I do not encourage to modify them (if you find'em) unless it is blessed by SE.



  • 8.  Re: SiteMinder default realm timeouts

    Broadcom Employee
    Posted 09-25-2018 02:44 PM

    An update on the support case:  engineering's first response was that smpolicy.xml should not be modified, but I've asked a followup question and am awaiting a reply.  I'll provide more details as they become available.



  • 9.  Re: SiteMinder default realm timeouts
    Best Answer

    Broadcom Employee
    Posted 09-27-2018 10:32 AM

    Per engineering:

     

    [The default timeout values have] nothing to do with the definition and the default that coming to AdminUI, we have a provider in Policy Server that holds the value that UI will show. So we cannot change the default values without recompiling the PS code.

     

    Given the default timeout values that come out of the SiteMinder box can't be changed, you may find this tool helpful if you need to audit max and idle timeout values, or modify the idle timeout values:

    SiteMinder Idle Timeouts