An unattended PC without the screen locked poses a security risk. Likewise, an unattended or long running E-Business Suite user session can also pose a risk. The E-Business Suite provides many configuration parameters and profile settings to control user sessions. I recommend reviewing these against your existing corporate policies and setting them according to our recommendations after testing their impact. The following sections describe those items that I recommend setting.
- ICX Timeout Profile Values
The following E-Business Suite profile options control screen timeouts for Forms, as well as Self Service sessions. Again, please note, some of the ICX profiles also control Forms Session timeouts! This can be confusing since Inter-Cartridge Exchange (ICX) is often associated with Self Service applications. This is no longer the case since the release of Framework for the ICX Profiles control the timeout functionality.
Parameter | Default | Recommendation |
ICX:Session Timeout | None | 30 (minutes) |
ICX: Limit Time | 4 (hours) | 4 (hours) |
ICX: Limit Connect | 1000 | 2000 |
· ICX:Session Timeout - This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled. Note that disabled does not mean terminated or killed. The user is provided the opportunity to re-authenticate and re-enable their timed-out session. If the re-authentication is successful, the disabled session is re-enabled and no work is lost. Otherwise, the session is terminated without saving pending work. This functionality is available via Patch 2012308 (included in 11.5.7, FND.E). Note: Setting the profile value to greater than 30 minutes can drain the JVM resources and cause ‘out of memory’ errors.
· ICX: Limit time - This profile option defines the maximum connection time for a connection – regardless of user activity. If 'ICX:Session Timeout' is set to NULL, then the session will last only as long as 'ICX: Limit Time', regardless of user activity.
· ICX: Limit connect - This profile option defines the maximum number of connection requests a user can make in a single session. Note that other EBS internal checks will generate connection requests during a user session, so it is not just user activity that can increment the count.
§ CRM Application Timeout Profile Values
CRM applications use the afore-mentioned ICX timeout profiles (ICX:Session Timeout, ICX: Limit Time, and ICX: Limit Connect), but additionally, CRM also utilizes the JTF_INACTIVE_SESSION_TIMEOUT profile option.
Parameter | Default | Recommendation |
JTF_INACTIVE_SESSION_TIMEOUT | None | 30 (minutes) |
JTF_INACTIVE_SESSION_TIMEOUT - This profile option affects CRM-based products only, and serves the same purpose as the ICX:Session Timeout profile. This profile option exists for legacy reasons, and its value should be set the same as ICX:Session Timeout.
- Jserv (Java) Timeout Settings
Parameter | Recommendation |
disco4iviewer.properties:session.timeout | 5400000 (milliseconds) |
formservlet.ini:FORMS60_TIMEOUT | 55 (minutes) |
formservlet.properties:session.timeout | 5400000 (milliseconds) |
jserv.conf:ApJServVMTimeout | 360 (seconds) |
mobile.properties:session.timeout | 5400000 (milliseconds) |
zone.properties:session.timeout | 5400000 (milliseconds) |
zone.properties:servlet.framework.initArgs | 5400000 (milliseconds) |
These settings are located at: ../*ora/iAS/Apache/Jserv/etc
JServ Timeout is specified by the value of the property session.timeout in the JServ configuration file zone.properties, and represents the number of milliseconds to wait before ending an idle JServ session (the default is 30 minutes). This timeout is used by products based on Oracle Applications Framework (OAF).
- Apache HTTP Timeout Settings
The following parameter settings control timeout behavior within Apache.
Parameter | Recommendation |
httpd.conf:Timeout | 300 (seconds) |
httpd.conf:KeepAliveTimeout | 15 (seconds) |
httpd.conf:SSLSessionCacheTimeout | 300 (seconds) |
These settings are located: ../*ora/iAS/Apache/Apache/conf
- Forms 60 Environment Timeout Variables
The following parameter settings control timeout behavior within Oracle Forms.
Parameter | Recommendation |
FORMS60_TIMEOUT | 55 (minutes) |
FORMS60_CATCHTERM | 0 |
You should modify the APPL_TOP/
FORMS60_CATCHTERM=0
FORMS60_TIMEOUT=55 (minutes)
I recommend using a timeout value of 55 because it is less than the 60 minute value recommended for the web apache timeout values. Note that these values may vary depending on security policies.
- Oracle Single Sign-On Server Timeouts
The following parameter setting controls timeout behavior within Oracle Single Sign-On.
‘Single Sign-On Session Duration’ represents the number of hours a user can be logged in to the server without being timed out and having to log in again. This timeout value can be specified from the "Edit SSO Server Configuration" link on the SSO Server Administration page. When a user logs in to Release 11i via the Single Sign-On Server, an SSO login session is created and remains valid for the duration specified by this setting.
If someone ask Apps DBA to change Session Idle Time out value How & where will you change ?
In order to answer first you have to understand what kind of seesions are in Apps 11i and what is Idle timeout ?
In Apps there are two broad categories of session
- Self Service Application Session ( Server by web server Apache & Jserv, like iRecruitment, iProcurement)
-Forms session ( served by your form session, like system Administrator)
What is Session Idle time ?
If Oracle Apps client is not doing any activity for some time (when application user goes for coffee or talks over phone) session during that time is called as Idle Session & because of security reason, performance issues and to free up system resource Oracle Applications terminates client session( both forms & self service) after idle time value is reached to the one mentioned in configuration file.
From FND.G or 11.5.9 or with introduction of AppsLocalLogin.jsp to enter into application, profile option "ICX Session Timeout" is used only to determine Forms Session Idle timeout value . This might be confusing as earlier this profile option used to control forms as well as self service application(with session.timeout) session.timeout is used to control Idle session timeout for Self Service Applications ( Served by Jserv via JVM )
From where ICX : Session Timeout & session.timeout get values ?
Autoconfig determines value for profile option "ICX: Session Timeout" and "session.timeout" from entry in context file ( $APPL_TOP/admin/SID_hostname.xml ) with parameter s_sesstimeout where value mentioned is in milliseconds so profile option ICX: Session Timeout value should be s_sesstimeout/ (1000 * 60) which means here its 10 Minutes. This value is also set in zone.properties in $IAS_ORACLE_HOME/Apache/Jserv where number mentioned is in milli second i.e. 600000 ( equal to 10 Minutes)session.timeout = 600000
session.timeout mentioned in zone.properties is in milli secondsICX Session Time out mentioned in profile option ICX: Session Timeout is in minutes so ICX session timeout=30 & session.timeout= 1800,000 are same 30 minutes
P.S. ICX Session time out was introduced in FND.D so if your FND version is below D you might not see this variable.
Important Things Apps DBA should consider while setting session timeout value ?
1.. If you keep session.timeout value too high , when some oracle application user accessing Self service application terminates his session, so longer idle session will drain JVM resource & can result in Java.Lang No Memory available issues .
2. If you keep it too low, users going out for tea or sitting idle for some time have to login again into application & can be annoying .
Thumb rule is session time out usually set to 30 minutes.
HAPPY LEARNING!
Great Post Ajith, I have been searching for some time now to see if there was a way that one could restrict the number of session connects to the E-Business suite but have been unsuccessful thus far. Essentially, we would like to limit the number of connected sessions for E-Business suite to 500. This is not just the users limit such as ICX Limit connect but connections in general across all users. Is this possible? Is there a setting in the app for this or might there be setting in Apache config files that could be set? Any insight would be greatly appreciated.
ReplyDeleteThanks,
Steve