12.3. Setting up Specific Jobs

Automated jobs can be configured through the Certificate Manager Console or by editing the configuration file directory. It is recommended that these changes be made through the Certificate Manager Console.

12.3.1. Configuring Specific Jobs Using the Certificate Manager Console

To enable and configure an automated job using the Certificate Manager Console:
  1. Open the Certificate Manager Console.
    pkiconsole https://server.example.com:8443/ca
  2. Confirm that the Jobs Scheduler is enabled. See Section 12.2, “Setting up the Job Scheduler” for more information.
  3. In the Configuration tab, select Job Scheduler from the navigation tree. Then select Jobs to open the Job Instance tab.
    Select the job instance from the list, and click Edit/View.
    The Job Instance Editor opens, showing the current job configuration.
    Job Configuration

    Figure 12.1. Job Configuration

  4. Select enabled to turn on the job.
  5. Set the configuration settings by specifying them in the fields for this dialog.
  6. Click OK.
  7. Click Refresh to view any changes in the main window.
  8. If the job is configured to send automatic messages, check that a mail server is set up correctly. See Section 11.4, “Configuring a Mail Server for Certificate System Notifications”.
  9. Customize the email message text and appearance.

12.3.2. Configuring Jobs by Editing the Configuration File

  1. Ensure that the Jobs Scheduler is enabled and configured; see Section 12.2, “Setting up the Job Scheduler”.
  2. Stop the CA subsystem instance.
    systemctl stop pki-tomcatd@instance_name.service
  3. Open the CS.cfg file for that server instance in a text editor.
  4. Edit all of the configuration parameters for the job module being configured.
  5. Save the file.
  6. Restart the server instance.
    systemctl start pki-tomcatd@instance_name.service
  7. If the job will send automated messages, check that the mail server is set up correctly. See Section 11.4, “Configuring a Mail Server for Certificate System Notifications”.
  8. Customize the automatic job messages.

12.3.3. Configuration Parameters of certRenewalNotifier

Table 12.1, “certRenewalNotifier Parameters” gives details for each of these parameters that can be configured for the certRenewalNotifier job, either in the CS.cfg file or in the Certificate Manager Console.

Table 12.1. certRenewalNotifier Parameters

Parameter Description
enabled Specifies whether the job is enabled or disabled. The value true enables the job; false disables it.
cron
Sets the schedule when this job should be run. This sets the time at which the Job Scheduler daemon thread checks the certificates for sending renewal notifications. These settings must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example:
0 3 * * 1-5
The job in the example is run Monday through Friday at 3:00 pm.
notifyTriggerOffset Sets how long (in days) before the certificate expiration date the first notification will be sent.
notifyEndOffset Sets how long (in days) after the certificate expires that notifications will continue to be sent if the certificate is not replaced.
senderEmail Sets the sender of the notification messages, who will be notified of any delivery problems.
emailSubject Sets the text of the subject line of the notification message.
emailTemplate Sets the path, including the filename, to the directory that contains the template to use to create the message content.
summary.enabled Sets whether a summary report of renewal notifications should be compiled and sent. The value true enables sending the summary; false disables it. If enabled, set the remaining summary parameters; these are required by the server to send the summary report.
summary.recipientEmail Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. Set more than one recipient by separating each email address with a comma.
summary.senderEmail Specifies the email address of the sender of the summary message.
summary.emailSubject Gives the subject line of the summary message.
summary.itemTemplate Gives the path, including the filename, to the directory that contains the template to use to create the content and format of each item to be collected for the summary report.
summary.emailTemplate Gives the path, including the filename, to the directory that contains the template to use to create the summary report email notification.

12.3.4. Configuration Parameters of requestInQueueNotifier

Table 12.2, “requestInQueueNotifier Parameters” gives details for each of these parameters that can be configured for the requestInQueueNotifier job, either in the CS.cfg file or in the Certificate Manager Console.

Table 12.2. requestInQueueNotifier Parameters

Parameter Description
enabled Sets whether the job is enabled (true) or disabled (false).
cron
Sets the time schedule for when the job should run. This is the time at which the Job Scheduler daemon thread checks the queue for pending requests. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example:
0 0 * * 0
subsystemid Specifies the subsystem which is running the job. The only possible value is ca, for the Certificate Manager.
summary.enabled Specifies whether a summary of the job accomplished should be compiled and sent. The value true enables the summary reports; false disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report.
summary.emailSubject Sets the subject line of the summary message.
summary.emailTemplate Specifies the path, including the filename, to the directory containing the template to use to create the summary report.
summary.senderEmail Specifies the sender of the notification message, who will be notified of any delivery problems.
summary.recipientEmail Specifies the recipients of the summary message. These can be agents who need to process pending requests or other users. More than one recipient can be listed by separating each email address with a comma.

12.3.5. Configuration Parameters of publishCerts

Table 12.3, “publishCerts Parameters” gives details for each of these parameters that can be configured for the publishCerts job, either in the CS.cfg file or in the Certificate Manager Console.

Table 12.3. publishCerts Parameters

Parameter Description
enabled Sets whether the job is enabled. The value true is enabled; false is disabled.
cron
Sets the time schedule for when the job runs. This is the time the Job Scheduler daemon thread checks the certificates to removing expired certificates from the publishing directory. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example:
0 0 * * 6
summary.enabled Specifies whether a summary of the certificates published by the job should be compiled and sent. The value true enables the summaries; false disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report.
summary.emailSubject Gives the subject line of the summary message.
summary.emailTemplate Specifies the path, including the filename, to the directory containing the template to use to create the summary report.
summary.itemTemplate Specifies the path, including the filename, to the directory containing the template to use to create the content and format of each item collected for the summary report.
summary.senderEmail Specifies the sender of the summary message, who will be notified of any delivery problems.
summary.recipientEmail Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. More than one recipient can be set by separating each email address with a comma.

12.3.6. Configuration Parameters of unpublishExpiredCerts

Table 12.4, “unpublishExpiredCerts Parameters” gives details for each of these parameters that can be configured for the unpublishedExpiresCerts job, either in the CS.cfg file or in the Certificate Manager Console.

Table 12.4. unpublishExpiredCerts Parameters

Parameter Description
enabled Sets whether the job is enabled. The value true is enabled; false is disabled.
cron
Sets the time schedule for when the job runs. This is the time the Job Scheduler daemon thread checks the certificates to removing expired certificates from the publishing directory. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example:
0 0 * * 6
summary.enabled Specifies whether a summary of the certificates published by the job should be compiled and sent. The value true enables the summaries; false disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report.
summary.emailSubject Gives the subject line of the summary message.
summary.emailTemplate Specifies the path, including the filename, to the directory containing the template to use to create the summary report.
summary.itemTemplate Specifies the path, including the filename, to the directory containing the template to use to create the content and format of each item collected for the summary report.
summary.senderEmail Specifies the sender of the summary message, who will be notified of any delivery problems.
summary.recipientEmail Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. More than one recipient can be set by separating each email address with a comma.

12.3.7. Frequency Settings for Automated Jobs

The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and times for checking the job queue and executing jobs. As shown in Table 12.5, “Time Values for Scheduling Jobs” and Figure 12.1, “Job Configuration”, the time entry format consists of five fields. (The sixth field specified for the Unix crontab is not used by the Job Scheduler.) Values are separated by spaces or tabs.
Each field can contain either a single integer or a pair of integers separated by a hyphen (-) to indicate an inclusive range. To specify all legal values, a field can contain an asterisk rather than an integer. Day fields can contain a comma-separated list of values. The syntax of this expression is
Minute Hour Day_of_month Month_of_year Day_of_week

Table 12.5. Time Values for Scheduling Jobs

Field Value
Minute 0-59
Hour 0-23
Day of month 1-31
Month of year 1-12
Day of week 0-6 (where 0=Sunday)
For example, the following time entry specifies every hour at 15 minutes (1:15, 2:15, 3:15, and so on):
15 * * * *
The following example sets a job to run at noon on April 12:
0 12 12 4 *
The day-of-month and day-of-week options can contain a comma-separated list of values to specify more than one day. If both day fields are specified, the specification is inclusive; that is, the day of the month is not required to fall on the day of the week to be valid. For example, the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday:
0 0 1,15 * 1
To specify one day type without the other, use an asterisk in the other day field. For example, the following entry runs the job at 3:15 a.m. every weekday morning:
15 3 * * 1-5