12.3. Setting up Specific Jobs
Automated jobs can be configured through the Certificate Manager Console or by editing the configuration file directory. It is recommended that these changes be made through the Certificate Manager Console.
12.3.1. Configuring Specific Jobs Using the Certificate Manager Console
To enable and configure an automated job using the Certificate Manager Console:
- Open the Certificate Manager Console.
pkiconsole https://server.example.com:8443/ca
- Confirm that the Jobs Scheduler is enabled. See Section 12.2, “Setting up the Job Scheduler” for more information.
- In the Configuration tab, select Job Scheduler from the navigation tree. Then select Jobs to open the Job Instance tab.
Select the job instance from the list, and click .The Job Instance Editor opens, showing the current job configuration.
Figure 12.1. Job Configuration
- Select enabled to turn on the job.
- Set the configuration settings by specifying them in the fields for this dialog.
- For
certRenewalNotifier, see Section 12.3.3, “Configuration Parameters of certRenewalNotifier”. - For
requestInQueueNotifier, see Section 12.3.4, “Configuration Parameters of requestInQueueNotifier”. - For
publishCerts, see Section 12.3.5, “Configuration Parameters of publishCerts”. - For
unpublishExpiredCerts, see Section 12.3.6, “Configuration Parameters of unpublishExpiredCerts”. - For more information about setting the
crontime frequencies, see Section 12.3.7, “Frequency Settings for Automated Jobs”.
- Click .
- Click to view any changes in the main window.
- If the job is configured to send automatic messages, check that a mail server is set up correctly. See Section 11.4, “Configuring a Mail Server for Certificate System Notifications”.
- Customize the email message text and appearance.
12.3.2. Configuring Jobs by Editing the Configuration File
- Ensure that the Jobs Scheduler is enabled and configured; see Section 12.2, “Setting up the Job Scheduler”.
- Stop the CA subsystem instance.
systemctl stop pki-tomcatd@instance_name.service
- Open the
CS.cfgfile for that server instance in a text editor. - Edit all of the configuration parameters for the job module being configured.
- To configure the
certRenewalNotifierjob, edit all parameters that begin withjobsScheduler.job.certRenewalNotifier; see Section 12.3.3, “Configuration Parameters of certRenewalNotifier”. - To configure the
requestInQueueNotifierjob, edit all parameters that begin withjobsScheduler.job.requestInQueueNotifier; see Section 12.3.4, “Configuration Parameters of requestInQueueNotifier”. - To configure the
publishCertsjob, edit all parameters that begin withjobsScheduler.job.publishCerts; see Section 12.3.5, “Configuration Parameters of publishCerts”. - To configure the
unpublishExpiredCertsjob, edit all parameters that begin withjobsScheduler.job.unpublishExpiredCerts; see Section 12.3.6, “Configuration Parameters of unpublishExpiredCerts”.
- Save the file.
- Restart the server instance.
systemctl start pki-tomcatd@instance_name.service
- If the job will send automated messages, check that the mail server is set up correctly. See Section 11.4, “Configuring a Mail Server for Certificate System Notifications”.
- Customize the automatic job messages.
12.3.3. Configuration Parameters of certRenewalNotifier
Table 12.1, “certRenewalNotifier Parameters” gives details for each of these parameters that can be configured for the
certRenewalNotifier job, either in the CS.cfg file or in the Certificate Manager Console.
Table 12.1. certRenewalNotifier Parameters
| Parameter | Description |
|---|---|
enabled | Specifies whether the job is enabled or disabled. The value true enables the job; false disables it. |
cron |
Sets the schedule when this job should be run. This sets the time at which the Job Scheduler daemon thread checks the certificates for sending renewal notifications. These settings must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example:
0 3 * * 1-5
The job in the example is run Monday through Friday at 3:00 pm.
|
notifyTriggerOffset | Sets how long (in days) before the certificate expiration date the first notification will be sent. |
notifyEndOffset | Sets how long (in days) after the certificate expires that notifications will continue to be sent if the certificate is not replaced. |
senderEmail | Sets the sender of the notification messages, who will be notified of any delivery problems. |
emailSubject | Sets the text of the subject line of the notification message. |
emailTemplate | Sets the path, including the filename, to the directory that contains the template to use to create the message content. |
summary.enabled | Sets whether a summary report of renewal notifications should be compiled and sent. The value true enables sending the summary; false disables it. If enabled, set the remaining summary parameters; these are required by the server to send the summary report. |
summary.recipientEmail | Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. Set more than one recipient by separating each email address with a comma. |
summary.senderEmail | Specifies the email address of the sender of the summary message. |
summary.emailSubject | Gives the subject line of the summary message. |
summary.itemTemplate | Gives the path, including the filename, to the directory that contains the template to use to create the content and format of each item to be collected for the summary report. |
summary.emailTemplate | Gives the path, including the filename, to the directory that contains the template to use to create the summary report email notification. |
12.3.4. Configuration Parameters of requestInQueueNotifier
Table 12.2, “requestInQueueNotifier Parameters” gives details for each of these parameters that can be configured for the
requestInQueueNotifier job, either in the CS.cfg file or in the Certificate Manager Console.
Table 12.2. requestInQueueNotifier Parameters
| Parameter | Description |
|---|---|
enabled | Sets whether the job is enabled (true) or disabled (false). |
cron |
Sets the time schedule for when the job should run. This is the time at which the Job Scheduler daemon thread checks the queue for pending requests. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example:
0 0 * * 0 |
subsystemid | Specifies the subsystem which is running the job. The only possible value is ca, for the Certificate Manager. |
summary.enabled | Specifies whether a summary of the job accomplished should be compiled and sent. The value true enables the summary reports; false disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report. |
summary.emailSubject | Sets the subject line of the summary message. |
summary.emailTemplate | Specifies the path, including the filename, to the directory containing the template to use to create the summary report. |
summary.senderEmail | Specifies the sender of the notification message, who will be notified of any delivery problems. |
summary.recipientEmail | Specifies the recipients of the summary message. These can be agents who need to process pending requests or other users. More than one recipient can be listed by separating each email address with a comma. |
12.3.5. Configuration Parameters of publishCerts
Table 12.3, “publishCerts Parameters” gives details for each of these parameters that can be configured for the
publishCerts job, either in the CS.cfg file or in the Certificate Manager Console.
Table 12.3. publishCerts Parameters
| Parameter | Description |
|---|---|
enabled | Sets whether the job is enabled. The value true is enabled; false is disabled. |
cron |
Sets the time schedule for when the job runs. This is the time the Job Scheduler daemon thread checks the certificates to removing expired certificates from the publishing directory. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example:
0 0 * * 6 |
summary.enabled | Specifies whether a summary of the certificates published by the job should be compiled and sent. The value true enables the summaries; false disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report. |
summary.emailSubject | Gives the subject line of the summary message. |
summary.emailTemplate | Specifies the path, including the filename, to the directory containing the template to use to create the summary report. |
summary.itemTemplate | Specifies the path, including the filename, to the directory containing the template to use to create the content and format of each item collected for the summary report. |
summary.senderEmail | Specifies the sender of the summary message, who will be notified of any delivery problems. |
summary.recipientEmail | Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. More than one recipient can be set by separating each email address with a comma. |
12.3.6. Configuration Parameters of unpublishExpiredCerts
Table 12.4, “unpublishExpiredCerts Parameters” gives details for each of these parameters that can be configured for the
unpublishedExpiresCerts job, either in the CS.cfg file or in the Certificate Manager Console.
Table 12.4. unpublishExpiredCerts Parameters
| Parameter | Description |
|---|---|
enabled | Sets whether the job is enabled. The value true is enabled; false is disabled. |
cron |
Sets the time schedule for when the job runs. This is the time the Job Scheduler daemon thread checks the certificates to removing expired certificates from the publishing directory. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example:
0 0 * * 6 |
summary.enabled | Specifies whether a summary of the certificates published by the job should be compiled and sent. The value true enables the summaries; false disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report. |
summary.emailSubject | Gives the subject line of the summary message. |
summary.emailTemplate | Specifies the path, including the filename, to the directory containing the template to use to create the summary report. |
summary.itemTemplate | Specifies the path, including the filename, to the directory containing the template to use to create the content and format of each item collected for the summary report. |
summary.senderEmail | Specifies the sender of the summary message, who will be notified of any delivery problems. |
summary.recipientEmail | Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. More than one recipient can be set by separating each email address with a comma. |
12.3.7. Frequency Settings for Automated Jobs
The Job Scheduler uses a variation of the Unix
crontab entry format to specify dates and times for checking the job queue and executing jobs. As shown in Table 12.5, “Time Values for Scheduling Jobs” and Figure 12.1, “Job Configuration”, the time entry format consists of five fields. (The sixth field specified for the Unix crontab is not used by the Job Scheduler.) Values are separated by spaces or tabs.
Each field can contain either a single integer or a pair of integers separated by a hyphen (
-) to indicate an inclusive range. To specify all legal values, a field can contain an asterisk rather than an integer. Day fields can contain a comma-separated list of values. The syntax of this expression is
Minute Hour Day_of_month Month_of_year Day_of_week
Table 12.5. Time Values for Scheduling Jobs
| Field | Value |
|---|---|
| Minute | 0-59 |
| Hour | 0-23 |
| Day of month | 1-31 |
| Month of year | 1-12 |
| Day of week | 0-6 (where 0=Sunday) |
For example, the following time entry specifies every hour at 15 minutes (1:15, 2:15, 3:15, and so on):
15 * * * *
The following example sets a job to run at noon on April 12:
0 12 12 4 *
The day-of-month and day-of-week options can contain a comma-separated list of values to specify more than one day. If both day fields are specified, the specification is inclusive; that is, the day of the month is not required to fall on the day of the week to be valid. For example, the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday:
0 0 1,15 * 1
To specify one day type without the other, use an asterisk in the other day field. For example, the following entry runs the job at 3:15 a.m. every weekday morning:
15 3 * * 1-5