LTPA token cushion period
Within the LTPA token expiration period, a cushion period is used to validate tokens before a request is sent to the downstream application servers. This helps prevent tokens from expiring on a downstream server. The cushion period is twenty percent of the LTPA token expiration period, with a default maximum timeout value of ten minutes. However, the cushion period should not be lower than the ORB request timeout value, which is three minutes.
There are three custom properties used to configure the timeout value for the cushion period.
- com.ibm.ws.security.cacheCushionMax: configures the maximum timeout value for the cushion period.
  - The default is ten minutes.
  - The time unit for this custom property is minutes.
- com.ibm.ws.security.cacheCushionMin: configures the minimum expiration value for the cushion period. The value of this custom property should not be less than the ORB request timeout value, which is three minutes.
  - The default value is three minutes.
  - The time unit for this custom property is minutes.
- com.ibm.ws.security.authCacheCushionTime: configures the cushion expiration time. If the cacheCushionMax property is also in use, the value of this property must be less than cacheCushionMax for it to be used.
  - The time unit for this custom property is minutes.
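The following check is an added example, not IBM code: it lints a set of cushion-period custom properties against the rules above and reports the cushion that results for a given LTPA timeout. The function name check_cushion and the sample values are hypothetical. It assumes that the twenty percent value is clamped between cacheCushionMin and cacheCushionMax, and that a valid authCacheCushionTime replaces the twenty percent computation; the page does not state either.

```python
# Added example: lint the cushion-period custom properties (all values in minutes).
ORB_REQUEST_TIMEOUT = 3     # from the page: ORB request timeout
DEFAULT_CUSHION_MAX = 10    # from the page: default cacheCushionMax
DEFAULT_CUSHION_MIN = 3     # from the page: default cacheCushionMin
CUSHION_FRACTION = 0.20     # from the page: 20% of the LTPA expiration period
PREFIX = "com.ibm.ws.security."


def check_cushion(ltpa_timeout, props):
    """Return (effective_cushion, findings) for an LTPA timeout and a
    dict of custom properties as they would be entered in the console.

    Assumptions not stated on the page: the 20% value is clamped into
    [cacheCushionMin, cacheCushionMax], and a valid authCacheCushionTime
    is used in place of the 20% computation.
    """
    findings = []
    cmax = float(props.get(PREFIX + "cacheCushionMax", DEFAULT_CUSHION_MAX))
    cmin = float(props.get(PREFIX + "cacheCushionMin", DEFAULT_CUSHION_MIN))
    explicit = props.get(PREFIX + "authCacheCushionTime")

    if cmin < ORB_REQUEST_TIMEOUT:
        findings.append("cacheCushionMin is below the ORB request timeout")
    if cmin > cmax:
        findings.append("cacheCushionMin exceeds cacheCushionMax")

    # Default behaviour: 20% of the token lifetime, kept inside the bounds.
    cushion = min(max(CUSHION_FRACTION * ltpa_timeout, cmin), cmax)

    if explicit is not None:
        # The "less than cacheCushionMax" rule applies only when
        # cacheCushionMax is itself configured.
        if PREFIX + "cacheCushionMax" in props and float(explicit) >= cmax:
            findings.append("authCacheCushionTime must be less than cacheCushionMax")
        else:
            cushion = float(explicit)

    # Extra sanity check added for this example (not a rule from the page).
    if cushion >= ltpa_timeout:
        findings.append("cushion covers the whole token lifetime")
    return cushion, findings
```

With no custom properties set, a 120-minute LTPA timeout gives a ten-minute cushion (twenty percent would be 24 minutes, capped by the default maximum), and a 10-minute timeout gives three minutes (twenty percent would be two minutes, raised to the default minimum).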