Chapter 14. Setting automated jobs
The Certificate System provides a customizable Job Scheduler that can execute specific jobs at specified times. This chapter explains how to configure Certificate System to use specific job plug-in modules for accomplishing jobs.
Automated jobs are not to be confused with automated notifications. See Chapter 13, Using automated notifications for more on this topic.
The job scheduler supports various mechanisms for scheduling cron jobs. It is similar to a traditional Unix cron daemon; it takes registered cron jobs and executes them at a pre-configured date and time. If configured, the scheduler checks at specified intervals for jobs waiting to be executed; if the specified execution time has arrived, the scheduler initiates the job automatically.
14.1. About automated jobs
Jobs are implemented as Java™ classes, which are then registered with Certificate System as plug-in modules. One implementation of a job module can be used to configure multiple instances of the job. Each instance must have a unique name (an alphanumeric string with no spaces) and can contain different input parameter values to apply to different jobs.
The automated jobs feature is set up by doing the following:
- Enabling and configuring the Job Scheduler; see Section 14.2, “Setting up the Job Scheduler” for more information.
- Enabling and configuring the job modules and setting preferences for those job modules; see Section 14.3, “Setting up specific jobs” for more information.
- Customizing the email notification messages sent with these jobs by changing the templates associated with the types of notification. The message contents are composed of both plain text messages and HTML messages; the appearance is modified by changing the HTML templates. See Section 13.3, “Customizing CA notification messages” for more information.
The types of automated jobs are:
- RenewalNotificationJob
- RequestInQueueJob
- PublishCertsJob
- UnpublishExpiredJob
One instance of each job type is created when Certificate System is deployed.
14.1.1. certRenewalNotifier (RenewalNotificationJob)
The certRenewalNotifier job checks for certificates that are about to expire in the internal database. When it finds one, it automatically emails the certificate’s owner and continues sending email reminders for a configured period of time or until the certificate is replaced. The job collects a summary of all renewal notifications and mails the summary to the configured agents or administrators.
The job determines the email address to send the notification using an email resolver. By default, the email address is found in the certificate itself or in the certificate’s associated enrollment request.
14.1.2. requestInQueueNotifier (RequestInQueueJob)
The requestInQueueNotifier job checks the status of the request queue at pre-configured time intervals. If any deferred enrollment requests are waiting in the queue, the job constructs an email message summarizing its findings and sends it to the specified agents.
14.1.3. publishCerts (PublishCertsJob)
The publishCerts job checks for any new certificates that have been added to the publishing directory that have not yet been published. When these new certificates are added, they are automatically published to an LDAP directory or file by the publishCerts job.
Most of the time, publishers immediately publish any certificates that are created matching their rules to the appropriate publishing directory.
If a certificate is successfully published when it is created, then the publishCerts job will not re-publish the certificate. Therefore, the new certificate will not be listed in the job summary report, since the summary only lists certificates published by the publishCerts job.
14.1.4. unpublishExpiredCerts (UnpublishExpiredJob)
Expired certificates are not automatically removed from the publishing directory. If a Certificate Manager is configured to publish certificates to an LDAP directory, over time the directory will contain expired certificates.
The unpublishExpiredCerts job checks for certificates that have expired and are still marked as published in the internal database at the configured time interval. The job connects to the publishing directory and deletes those certificates; it then marks those certificates as unpublished in the internal database. The job collects a summary of expired certificates that it deleted and mails the summary to the agents or administrators specified by the configuration.
This job automates removing expired certificates from the directory. Expired certificates can also be removed manually; for more information on this, see Section 10.11, “Updating certificates and CRLs in a directory”.
14.2. Setting up the Job Scheduler
The Certificate Manager can execute a job only if the Job Scheduler is enabled. The job settings, such as enabling the job schedule, setting the frequency, and enabling the job modules, can be done through the Certificate System CA Console or through editing the CS.cfg file.
To turn the Job Scheduler on:
- Open the Certificate Manager Console.
  pkiconsole https://server.example.com:8443/ca
  Note: pkiconsole is being deprecated.
- In the Configuration tab navigation tree, click Job Scheduler.
  This opens the General Settings tab, which shows whether the Job Scheduler is currently enabled.
- Click the Enable Jobs Scheduler checkbox to enable or disable the Job Scheduler.
  Disabling the Job Scheduler turns off all the jobs.
- Set the frequency at which the scheduler checks for jobs in the Check Frequency field.
  The frequency is how often the Job Scheduler daemon thread wakes up and calls the configured jobs that meet the cron specification. By default, it is set to one minute.
  Note: The window for entering this information may be too small to see the input. Drag the corners of the Certificate Manager Console to enlarge the entire window.
- Click .
14.3. Setting up specific jobs
Automated jobs can be configured through the Certificate Manager Console or by editing the configuration file directly.
14.3.1. Configuring jobs using the console
To enable and configure an automated job using the Certificate Manager Console:
- Open the Certificate Manager Console.
  pkiconsole https://server.example.com:8443/ca
  Note: pkiconsole is being deprecated.
- Confirm that the Jobs Scheduler is enabled. See Section 14.2, “Setting up the Job Scheduler” for more information.
- In the Configuration tab, select Job Scheduler from the navigation tree. Then select Jobs to open the Job Instance tab.
- Select the job instance from the list, and click .
  The Job Instance Editor opens, showing the current job configuration.
  Figure 14.1. Job Configuration
- Select enabled to turn on the job.
- Set the configuration settings by specifying them in the fields for this dialog.
  - For certRenewalNotifier, see Section 14.5.1, “Configuration parameters of certRenewalNotifier”.
  - For requestInQueueNotifier, see Section 14.5.2, “Configuration parameters of requestInQueueNotifier”.
  - For publishCerts, see Section 14.5.3, “Configuration parameters of publishCerts”.
  - For unpublishExpiredCerts, see Section 14.5.4, “Configuration parameters of unpublishExpiredCerts”.
  - For more information about setting the cron time frequencies, see Section 14.5, “Frequency Settings for Automated Jobs”.
- Click .
- Click to view any changes in the main window.
- If the job is configured to send automatic messages, check that a mail server is set up correctly. See Section 13.4, “Configuring a mail server for notifications”.
- Customize the email message text and appearance.
14.3.2. Configuring Jobs by Editing the Configuration File
- Ensure that the Jobs Scheduler is enabled and configured; see Section 14.2, “Setting up the Job Scheduler”.
- Stop the CA subsystem instance.
  pki-server stop instance_name
- Open the CS.cfg file for that server instance in a text editor. Edit all of the configuration parameters for the job module being configured.
  - To configure the certRenewalNotifier job, edit all parameters that begin with jobsScheduler.job.certRenewalNotifier; see Section 14.5.1, “Configuration parameters of certRenewalNotifier”.
  - To configure the requestInQueueNotifier job, edit all parameters that begin with jobsScheduler.job.requestInQueueNotifier; see Section 14.5.2, “Configuration parameters of requestInQueueNotifier”.
  - To configure the publishCerts job, edit all parameters that begin with jobsScheduler.job.publishCerts; see Section 14.5.3, “Configuration parameters of publishCerts”.
  - To configure the unpublishExpiredCerts job, edit all parameters that begin with jobsScheduler.job.unpublishExpiredCerts; see Section 14.5.4, “Configuration parameters of unpublishExpiredCerts”.
- Save the file.
- Restart the server instance.
  pki-server start instance_name
- If the job sends automated messages, check that the mail server is set up correctly. See Section 13.4, “Configuring a mail server for notifications”.
- Customize the automatic job messages.
14.4. Configuration parameters of jobs
This section lists the parameters for the frequency settings and for each of the four types of jobs:
- RenewalNotificationJob
- RequestInQueueJob
- PublishCertsJob
- UnpublishExpiredJob
14.5. Frequency Settings for Automated Jobs
The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and times for checking the job queue and executing jobs. As shown in Table 14.1, “Time Values for Scheduling Jobs” and Section 14.3.1, “Configuring jobs using the console”, the time entry format consists of five fields. (The sixth field specified for the Unix crontab is not used by the Job Scheduler.) Values are separated by spaces or tabs.
Each field can contain either a single integer or a pair of integers separated by a hyphen (-) to indicate an inclusive range. To specify all legal values, a field can contain an asterisk rather than an integer. Day fields can contain a comma-separated list of values. The syntax of this expression is
Minute Hour Day_of_month Month_of_year Day_of_week
Field | Value |
---|---|
Minute | 0-59 |
Hour | 0-23 |
Day of month | 1-31 |
Month of year | 1-12 |
Day of week | 0-6 (where 0=Sunday) |
For example, the following time entry specifies every hour at 15 minutes (1:15, 2:15, 3:15, and so on):
15 * * * *
The following example sets a job to run at noon on April 12:
0 12 12 4 *
The day-of-month and day-of-week options can contain a comma-separated list of values to specify more than one day. If both day fields are specified, the specification is inclusive; that is, the day of the month is not required to fall on the day of the week to be valid. For example, the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday:
0 0 1,15 * 1
To specify one day type without the other, use an asterisk in the other day field. For example, the following entry runs the job at 3:15 a.m. every weekday morning:
15 3 * * 1-5
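The field rules above can be checked before a schedule is written into CS.cfg. The following Python sketch is an added example, not part of the Certificate System documentation or code; its function names are hypothetical, and accepting a range as an item of a comma-separated day list is an assumption.

```python
from datetime import datetime, timedelta

# (name, lowest, highest, comma list allowed), from the table in Section 14.5.
FIELDS = [
    ("minute", 0, 59, False),
    ("hour", 0, 23, False),
    ("day_of_month", 1, 31, True),
    ("month", 1, 12, False),
    ("day_of_week", 0, 6, True),  # 0 = Sunday
]


def parse_field(text, name, low, high, allow_list):
    """Return the set of allowed integers, or None for '*' (any value)."""
    if text == "*":
        return None
    if "," in text and not allow_list:
        raise ValueError(f"{name}: lists are only valid in the day fields")
    allowed = set()
    for item in text.split(","):
        # Assumption: a list item may itself be a range such as 1-5.
        first, dash, last = item.partition("-")
        if not first.isdigit() or (dash and not last.isdigit()):
            raise ValueError(f"{name}: bad value {item!r}")
        start, end = int(first), int(last) if dash else int(first)
        if not low <= start <= end <= high:
            raise ValueError(f"{name}: {item!r} is outside {low}-{high}")
        allowed.update(range(start, end + 1))
    return allowed


def parse_schedule(expr):
    parts = expr.split()  # fields are separated by spaces or tabs
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 5 fields, got {len(parts)}")
    return [parse_field(p, *spec) for p, spec in zip(parts, FIELDS)]


def matches(schedule, when):
    """True if the parsed schedule fires at the minute given by `when`."""
    minute, hour, dom, month, dow = schedule
    for allowed, value in ((minute, when.minute), (hour, when.hour), (month, when.month)):
        if allowed is not None and value not in allowed:
            return False
    weekday = (when.weekday() + 1) % 7  # Python counts Monday=0; the schedule counts Sunday=0
    if dom is None or dow is None:  # at most one day field is set, so it alone decides
        return (dom is None or when.day in dom) and (dow is None or weekday in dow)
    return when.day in dom or weekday in dow  # both set: either one may match


def fire_times(expr, start, end):
    """List every minute in [start, end) at which `expr` fires."""
    schedule = parse_schedule(expr)
    minutes = int((end - start).total_seconds() // 60)
    ticks = (start + timedelta(minutes=i) for i in range(minutes))
    return [t for t in ticks if matches(schedule, t)]


if __name__ == "__main__":
    # Constructed window: Saturday 2024-05-04 through Tuesday 2024-05-07.
    print(fire_times("15 3 * * 1-5", datetime(2024, 5, 4), datetime(2024, 5, 8)))
```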
14.5.1. Configuration parameters of certRenewalNotifier
The following table gives details for each of these parameters that can be configured for the certRenewalNotifier job, either in the CS.cfg file or in the Certificate Manager Console.
Parameter | Description |
---|---|
|
Specifies whether the job is enabled or disabled. The value |
| Sets the schedule when this job should be run. This sets the time at which the Job Scheduler daemon thread checks the certificates for sending renewal notifications. These settings must follow the conventions in Section 14.5, “Frequency Settings for Automated Jobs”. For example:
The job in this example is run Monday through Friday at 3:00 pm. |
| Sets how long (in days) before the certificate expiration date the first notification will be sent. |
| Sets how long (in days) after the certificate expires that notifications will continue to be sent if the certificate is not replaced. |
| Sets the sender of the notification messages, who will be notified of any delivery problems. |
| Sets the text of the subject line of the notification message. |
| Sets the path, including the filename, to the directory that contains the template to use to create the message content. |
|
Sets whether a summary report of renewal notifications should be compiled and sent. The value |
| Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. Set more than one recipient by separating each email address with a comma. |
| Specifies the email address of the sender of the summary message. |
| Gives the subject line of the summary message. |
| Gives the path, including the filename, to the directory that contains the template to use to create the content and format of each item to be collected for the summary report. |
| Gives the path, including the filename, to the directory that contains the template to use to create the summary report email notification. |
14.5.2. Configuration parameters of requestInQueueNotifier
The following table gives details for each of these parameters that can be configured for the requestInQueueNotifier job, either in the CS.cfg file or in the Certificate Manager Console.
Parameter | Description |
---|---|
|
Sets whether the job is enabled ( |
| Sets the time schedule for when the job should run. This is the time at which the Job Scheduler daemon thread checks the queue for pending requests. This setting must follow the conventions in Section 14.5, “Frequency Settings for Automated Jobs”. For example:
|
|
Specifies the subsystem which is running the job. The only possible value is |
|
Specifies whether a summary of the job accomplished should be compiled and sent. The value |
| Sets the subject line of the summary message. |
| Specifies the path, including the filename, to the directory containing the template to use to create the summary report. |
| Specifies the sender of the notification message, who will be notified of any delivery problems. |
| Specifies the recipients of the summary message. These can be agents who need to process pending requests or other users. More than one recipient can be listed by separating each email address with a comma. |
14.5.3. Configuration parameters of publishCerts
The following table gives details for each of these parameters that can be configured for the publishCerts job, either in the CS.cfg file or in the Certificate Manager Console.
Parameter | Description |
---|---|
|
Sets whether the job is enabled. The value |
| Sets the time schedule for when the job runs. This is the time the Job Scheduler daemon thread checks the certificates to remove expired certificates from the publishing directory. This setting must follow the conventions in Section 14.5, “Frequency Settings for Automated Jobs”. For example:
|
|
Specifies whether a summary of the certificates published by the job should be compiled and sent. The value |
| Gives the subject line of the summary message. |
| Specifies the path, including the filename, to the directory containing the template to use to create the summary report. |
| Specifies the path, including the filename, to the directory containing the template to use to create the content and format of each item collected for the summary report. |
| Specifies the sender of the summary message, who will be notified of any delivery problems. |
| Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. More than one recipient can be set by separating each email address with a comma. |
14.5.4. Configuration parameters of unpublishExpiredCerts
The following table gives details for each of these parameters that can be configured for the unpublishExpiredCerts job, either in the CS.cfg file or in the Certificate Manager Console.
Parameter | Description |
---|---|
|
Sets whether the job is enabled. The value |
| Sets the time schedule for when the job runs. This is the time the Job Scheduler daemon thread checks the certificates to remove expired certificates from the publishing directory. This setting must follow the conventions in Section 14.5, “Frequency Settings for Automated Jobs”. For example:
|
|
Specifies whether a summary of the certificates published by the job should be compiled and sent. The value |
| Gives the subject line of the summary message. |
| Specifies the path, including the filename, to the directory containing the template to use to create the summary report. |
| Specifies the path, including the filename, to the directory containing the template to use to create the content and format of each item collected for the summary report. |
| Specifies the sender of the summary message, who will be notified of any delivery problems. |
| Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. More than one recipient can be set by separating each email address with a comma. |
14.6. Registering a job module
You can register custom job plug-ins through the Certificate Manager Console. Registering a new module involves specifying the name of the module and the full name of the Java™ class that implements the module.
To register a new job module:
- Create the custom job class. For this example, the custom job plug-in is called MyJob.java.
- Compile the new class.
  javac -d . -classpath $CLASSPATH MyJob.java
- Create a directory in the CA’s WEB-INF web directory to hold the custom classes, so that the CA can access them.
  mkdir /var/lib/pki/instance_name/ca/webapps/ca/WEB-INF/classes
- Copy the new plug-in files into the new classes directory, and set the owner to the Certificate System system user (pkiuser).
  cp -pr com /var/lib/pki/instance_name/ca/webapps/ca/WEB-INF/classes
  chown -R pkiuser:pkiuser /var/lib/pki/instance_name/ca/webapps/ca/WEB-INF/classes
- Register the plug-in.
  - Log into the Certificate Manager Console.
    pkiconsole https://server.example.com:8443/ca
    Note: pkiconsole is being deprecated.
  - In the Configuration tab, select Job Scheduler in the left navigation tree. Select Jobs.
    The Job Instance tab opens, which lists any currently configured jobs. Select the Job Plugin Registration tab.
  - Click to add the new module.
  - In the Register Job Scheduler Plugin Implementation window, supply the following information:
    - Plugin name. Type a name for the plug-in module.
    - Class name. Type the full name of the class for this module; this is the path to the implementing Java™ class. If this class is part of a package, include the package name. For example, to register a class named customJob that is in a package named com.customplugins, type com.customplugins.customJob.
  - Click .
It is also possible to delete job modules, but this is not recommended.
If it is necessary to delete a module, open the Job Plugin Registration tab as when registering a new module, select the module to delete, and click . When prompted, confirm the deletion.