Configure the LTPA token expiry interval

LTPA tokens let a user authenticate without providing user name and password credentials on each request to WebSphere Application Server Liberty. You can configure the expiry interval for LTPA authentication tokens.


Before you begin

You must be a privileged user to complete this procedure.

From Version 9.0.4, we can view the current configuration of the token expiry by using the dspmqweb properties command with the -a flag. For more information, see dspmqweb. We can reset the value of the token expiry by using the setmqweb properties command with the -k and -d flags. For more information, see setmqweb.

Note: If you are using both the IBM MQ Console, and token authentication with the REST API, the expiry interval is shared.

Attention:

Before issuing either the setmqweb or dspmqweb commands on z/OS®, you must set the WLP_USER_DIR environment variable, so that the variable points to your mqweb server configuration.

To do this, issue the following command:

    export WLP_USER_DIR=WLP_user_directory

where WLP_user_directory is the name of the directory that is passed to crtmqweb.sh. For example:

    export WLP_USER_DIR=/var/mqm/web/installation1

For more information, see Create the Liberty server definition.


About this task

When users log in to the IBM MQ Console, an LTPA token is generated. If we use token-based authentication with the REST API, an LTPA token is generated when the user logs in using the /login REST API resource with the HTTP POST method. The token is used to authenticate the user without the user being required to log in again with their user ID and password, until the token expires. The default expiry interval is 120 minutes. From Version 9.0.4, we can configure when the tokens expire by using the setmqweb command. In IBM MQ Version 9.0.3 and earlier, we can configure when the tokens expire by editing the mqwebuser.xml file.


Procedure

Use one of the following methods to configure token expiry:

  • From Version 9.0.4, use the setmqweb properties command:

    setmqweb properties -k ltpaExpiration -v time

    where time specifies the time, in minutes, before the LTPA token expires and the user is logged out. The default value is 120 minutes.

  • For Version 9.0.3 and earlier, edit the mqwebuser.xml file:
    1. Open the mqwebuser.xml file. The mqwebuser.xml file can be found in one of the following directories:

      • On UNIX, Linux, and Windows: MQ_DATA_DIRECTORY/web/installations/installationName/servers/mqweb
      • On z/OS: WLP_user_directory/servers/mqweb

        where WLP_user_directory is the directory that was specified when the crtmqweb.sh script ran to create the mqweb server definition.

    2. Configure the LTPA token expiry interval by adding or editing the following line in the mqwebuser.xml file, within the <server> tags:

      <variable name="ltpaExpiration" value="time" />

      where time specifies the time, in minutes, before the LTPA token expires and the user is logged out. The default value is 120 minutes.
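
An added example, not part of the IBM documentation: a Python check for the mqwebuser.xml method above that reads the ltpaExpiration variable, falls back to the 120-minute default when it is absent, and reports when the token lifetime exceeds a site limit. The 60-minute limit, the function name and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_MINUTES = 120    # default expiry interval stated on this page
POLICY_MAX_MINUTES = 60  # hypothetical site policy ceiling (assumption)

# Constructed sample mqwebuser.xml content, not a real configuration.
SAMPLE_XML = """<server>
    <variable name="someOtherSetting" value="x" />
    <variable name="ltpaExpiration" value="480" />
</server>
"""

def audit_ltpa_expiration(xml_text, policy_max=POLICY_MAX_MINUTES):
    """Return (minutes, findings); minutes is None if no value is usable."""
    root = ET.fromstring(xml_text)
    if root.tag != "server":
        raise ValueError("expected <server> as the root element")
    # The page puts the variable directly within the <server> tags.
    raw_values = [(v.get("value") or "").strip()
                  for v in root.findall("variable")
                  if v.get("name") == "ltpaExpiration"]
    findings = []
    if len(raw_values) > 1:
        findings.append("ltpaExpiration is defined more than once")
    numeric = []
    for raw in raw_values:
        if raw.isascii() and raw.isdigit():
            numeric.append(int(raw))
        else:  # e.g. the literal placeholder "time" copied from the docs
            findings.append(f"value {raw!r} is not a whole number of minutes")
    if not raw_values:
        findings.append("ltpaExpiration is not set; the default applies")
        numeric.append(DEFAULT_MINUTES)
    if not numeric:
        return None, findings
    minutes = max(numeric)  # judge the longest-lived candidate
    if minutes > policy_max:
        findings.append(
            f"{minutes} minutes exceeds the policy maximum of {policy_max}")
    return minutes, findings

if __name__ == "__main__":
    minutes, findings = audit_ltpa_expiration(SAMPLE_XML)
    print("expiry under review (minutes):", minutes)
    for finding in findings:
        print("finding:", finding)
```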