We have raised a support call for the following but thought I would post
it and keep it updated in case anybody else has the same issue.

We went live with a new implementation of NAM 4.0.1-88 two weeks ago.
Consoles and NIDPs are running on RHEL 6.4 64bit.
MAGs are 64bit Virtual appliances.
Post go live we had reports from users saying they were getting random
behaviour where after a relatively short time of inactivity (comfortably
less than 30 minutes) the user's session would become useless. The
browser instance (IE 8) would be unable to re-authenticate or navigate
to any of the NAM domains.
After doing some investigation I discovered the sessions were seeing
soft timeouts occur well before they should (the Contracts'
"Authentication Timeout" values are set to 240 minutes).
After some further digging I located the following TID which explains
what appears to be similar behaviour to our current symptoms:


https://www.netiq.com/support/kb/doc.php?id=7011596


We found that the same issue applied to us, where there were no TOPR values
for AuthContractTimeout and AuthContractRefreshRate.
We DID NOT apply the patch to Prod.

The contracts on new NAM were LDIF exported from the previous NAM 3.0.4
and imported to NAM 4.0.1-88. This process was provided by NetIQ
consulting.

To resolve the issue quickly on the MAGs we edited
/opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml and
added to each of the problem contracts
AuthContractTimeout="240" AuthContractRefreshRate="168"

Then did a /etc/init.d/novell-ac restart and verified that
/opt/novell/nam/mag/webapps/agm/WEB-INF/config/apache2/NovellAgSettings.conf
was updated.

This solved the issue for the time being.

However after more testing in our DEV environment I have found an issue
with the Contract timeouts not updating after the initial creation and
application to a reverse proxy protected resource.
This goes for the existing and new Contracts.
Here is what we see:
1. Create new Class, Method and Contract based on Secure
Name/Password Form

2. In the Contract I set the Authentication Timeout to 60mins.

3. Apply the Contract to a Project Resource on the MAGs

4. Admin console Auditing -> Troubleshooting -> Configuration ->
Cached Access Gateway Configurations both the cluster and Nodes shows:

5. <AuthenticationProcedure
AuthProcedureID="authprocedure_Secure_Name_Password___Form___Aaron"
Name="Secure Name/Password - Form - Aaron" SelectedOption="idp"
UserInterfaceID="authprocedure_Secure_Name_Password___Form___Aaron"
LastModified="4294967295" LastModifiedBy="String"
*AuthContractTimeout="60" AuthContractRefreshRate="0"*>

6. On the MAGs the
/opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file
shows
*AUTHCONTRACTTIMEOUT=\"60\"* *AUTHCONTRACTREFRESHRATE=\"0\"*

7. An LDAP browser shows nidsACTimeout=*60*,nidsACRefreshRate=*0*

8. Change the Contract's Authentication Timeout to *120* mins

9. Update the NIDP and NESP

10. An LDAP browser shows nidsACTimeout=*120*,nidsACRefreshRate=*0*

11. Admin console Auditing -> Troubleshooting -> Configuration ->
Cached Access Gateway Configurations both the cluster and Nodes shows:

12. <AuthenticationProcedure
AuthProcedureID="authprocedure_Secure_Name_Password___Form___Aaron"
Name="Secure Name/Password - Form - Aaron" SelectedOption="idp"
UserInterfaceID="authprocedure_Secure_Name_Password___Form___Aaron"
LastModified="4294967295" LastModifiedBy="String"
*AuthContractTimeout="60" AuthContractRefreshRate="0"*>

13. On the MAGs the
/opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file
shows
*AUTHCONTRACTTIMEOUT=\"60\"* *AUTHCONTRACTREFRESHRATE=\"0\"*

This shows the Timeouts have not been applied to the MAGs.


--
aaronsayer
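
Added example, not part of the original post and not NetIQ code: a small audit that reads a gateway config and reports every AuthenticationProcedure whose AuthContractTimeout or AuthContractRefreshRate is missing, or whose timeout differs from the value the contract is supposed to have (for instance nidsACTimeout as read from LDAP). The sample XML, its `Config` root element, the contract names and the `EXPECTED` table are constructed for illustration, and the script assumes config.xml parses as well-formed XML with elements shaped like the one quoted above.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <AuthenticationProcedure> element in the post.
SAMPLE_CONFIG = """<Config>
  <AuthenticationProcedure AuthProcedureID="authprocedure_A" Name="Contract A"
      AuthContractTimeout="60" AuthContractRefreshRate="0"/>
  <AuthenticationProcedure AuthProcedureID="authprocedure_B" Name="Contract B"/>
  <AuthenticationProcedure AuthProcedureID="authprocedure_C" Name="Contract C"
      AuthContractTimeout="240" AuthContractRefreshRate="168"/>
</Config>"""

# Assumed input: the timeout (minutes) each contract should have, e.g. nidsACTimeout.
EXPECTED = {"Contract A": 120, "Contract B": 240, "Contract C": 240}


def audit_contract_timeouts(xml_text, expected):
    """Return a sorted list of (contract name, problem) for every discrepancy."""
    root = ET.fromstring(xml_text)
    findings = []
    seen = set()
    # iter() walks the whole tree, so the element's nesting depth does not matter.
    for proc in root.iter("AuthenticationProcedure"):
        name = proc.get("Name") or proc.get("AuthProcedureID") or "?"
        seen.add(name)
        timeout = proc.get("AuthContractTimeout")
        if timeout is None:
            findings.append((name, "AuthContractTimeout missing"))
        elif name in expected and timeout != str(expected[name]):
            findings.append(
                (name, f"AuthContractTimeout={timeout}, expected {expected[name]}"))
        if proc.get("AuthContractRefreshRate") is None:
            findings.append((name, "AuthContractRefreshRate missing"))
    # Contracts that should exist but never reached the gateway configuration.
    for name in expected.keys() - seen:
        findings.append((name, "contract not present in gateway config"))
    return sorted(findings)


if __name__ == "__main__":
    # Pass the path to a copy of config.xml, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, problem in audit_contract_timeouts(text, EXPECTED):
        print(f"{name}: {problem}")
```

Running it against a copy of config.xml from each MAG after a contract change shows whether the new timeout reached that node.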