Chapter 12. Setting Automated Jobs
The Certificate System provides a customizable Job Scheduler that supports various mechanisms for scheduling cron jobs. This chapter explains how to configure Certificate System to use specific job plug-in modules for accomplishing jobs.
Note
Automated jobs are not to be confused with automated notifications. See Chapter 11, Using Automated Notifications for more on this topic.
12.1. About Automated Jobs
The Certificate Manager Console includes a Job Scheduler option that can execute specific jobs at specified times. The Job Scheduler is similar to a traditional Unix cron daemon; it takes registered cron jobs and executes them at a pre-configured date and time. If configured, the scheduler checks at specified intervals for jobs waiting to be executed; if the specified execution time has arrived, the scheduler initiates the job automatically.
Jobs are implemented as Java™ classes, which are then registered with Certificate System as plug-in modules. One implementation of a job module can be used to configure multiple instances of the job. Each instance must have a unique name (an alphanumeric string with no spaces) and can contain different input parameter values to apply to different jobs.
12.1.1. Setting up Automated Jobs
The automated jobs feature is set up by doing the following:
- Enabling and configuring the Job Scheduler; see Section 12.2, “Setting up the Job Scheduler” for more information.
- Enabling and configuring the job modules and setting preferences for those job modules; see Section 12.3, “Setting up Specific Jobs” for more information.
- Customizing the email notification messages sent with these jobs by changing the templates associated with the types of notification. The message contents are composed of both plain text messages and HTML messages; the appearance is modified by changing the HTML templates. See Section 11.3.1, “Customizing CA Notification Messages” for more information.
12.1.2. Types of Automated Jobs
The types of automated jobs are RenewalNotificationJob, RequestInQueueJob, PublishCertsJob, and UnpublishExpiredJob. One instance of each job type is created when Certificate System is deployed.
12.1.2.1. certRenewalNotifier (RenewalNotificationJob)
The certRenewalNotifier job checks the internal database for certificates that are about to expire. When it finds one, it automatically emails the certificate's owner and continues sending email reminders for a configured period of time or until the certificate is replaced. The job collects a summary of all renewal notifications and mails the summary to the configured agents or administrators.
The job uses an email resolver to determine the address to which the notification is sent. By default, the email address is found in the certificate itself or in the certificate's associated enrollment request.
12.1.2.2. requestInQueueNotifier (RequestInQueueJob)
The requestInQueueNotifier job checks the status of the request queue at pre-configured time intervals. If any deferred enrollment requests are waiting in the queue, the job constructs an email message summarizing its findings and sends it to the specified agents.
12.1.2.3. publishCerts (PublishCertsJob)
The publishCerts job checks for any new certificates that have been added to the publishing directory that have not yet been published. When these new certificates are added, they are automatically published to an LDAP directory or file by the publishCerts job.
Note
Most of the time, publishers immediately publish any certificates that are created matching their rules to the appropriate publishing directory.
If a certificate is successfully published when it is created, then the publishCerts job will not re-publish the certificate. Therefore, the new certificate will not be listed in the job summary report, since the summary only lists certificates published by the publishCerts job.
12.1.2.4. unpublishExpiredCerts (UnpublishExpiredJob)
Expired certificates are not automatically removed from the publishing directory. If a Certificate Manager is configured to publish certificates to an LDAP directory, over time the directory will contain expired certificates.
At the configured time interval, the unpublishExpiredCerts job checks the internal database for certificates that have expired and are still marked as published. The job connects to the publishing directory and deletes those certificates; it then marks those certificates as unpublished in the internal database. The job collects a summary of the expired certificates that it deleted and mails the summary to the agents or administrators specified by the configuration.
Note
This job automates removing expired certificates from the directory. Expired certificates can also be removed manually; for more information on this, see Section 8.12, “Updating Certificates and CRLs in a Directory”.