Scheduler
Note
This feature is not included in Community Edition and requires a valid Virtual CipherTrust Manager license. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.
The CipherTrust Manager can periodically run key rotation, database backup, and user password expiry notification jobs in the background. These jobs can be:
Configured using the scheduler
Scheduled by creating a job configuration
A job configuration defines what job is run and when. Job configurations can be read, listed, updated, and deleted. Jobs are run after job configurations are created. The jobs that were run can also be listed.
In a clustered environment, by default the scheduled job can run on any cluster node. There is an option in the API and CLI to restrict which nodes can run the scheduled job.
This section provides examples of scheduler configurations using the ksctl utility. Refer to the CLI or API documentation for details.
Default Schedulers
There are two system-generated schedulers, system_auto_key_rotation
and system_auto_user_password_expiry_notification
.
Key Rotation Scheduler
The system-generated scheduler system_auto_key_rotation
is disabled by default. When this scheduler is enabled, it runs every day at midnight, and rotates the keys with a rotation date less than the current time. To enable the scheduler, run:
Note
The scheduler that rotates the key (system_auto_key_rotation) based on scheduledRotationDate
is one per domain and it comes disabled by default. Therefore, you need to enable this scheduler in relevant domains after migration.
Keys are rotated based on the value configured in the scheduledRotationDate
parameter. You can configure this value by setting the rotation-frequency-days
parameter during key create or key modify request.
The value of the rotation-frequency-days
parameter is defined in number of days, and should be greater than or equal to 0. The value of scheduledRotationDate
is calculated based on key creation time + rotation-frequency-days
.
When the scheduler runs, it only rotates the keys with a scheduledRotationDate
before the current time.
For example, if rotation-frequency-days
is set to 5 days for any key, the scheduler rotates that key every 5 days.
If rotation-frequency-days
is set to "0", the key is not rotated. For more details, refer to Configuring Key Rotation Frequency Days.
Syntax (Key create)
Syntax (Key modify)
User Password Expiry Notification Scheduler
system_user_password_expiry_notification
is enabled by default. It runs every day at midnight, and sends password expiry reminder emails if other conditions are met. Refer to the password policy page for details on these conditions.
Time Specification
The time that a job runs is described in the run-at
parameter using the cron expression format: "* * * * *"
These five values indicate when the job should be executed. They are in order of minute, hour, day of month, month, and day of week.
The following table lists the accepted values:
Field Name | Mandatory | Allowed Values | Allowed Special Characters |
---|---|---|---|
Minute | Yes | 0-59 | * / , - |
Hour | Yes | 0-23 | * / , - |
Day of month | Yes | 1-31 | * / , -? |
Month | Yes | 1-12 or JAN-DEC | * / , - |
Day of week | Yes | 0-6 or SUN-SAT | * / , -? |
Note
Month and Day of week field values are case insensitive. For example, "SUN", "Sun", and "sun" are equally accepted.
Note
Scheduler itself is a generic service, so it provides granularity of a minute. A job configuration should take the nature of operation information into consideration. For example, rotating the same set of multiple keys and backing up a database every minute are highly unlikely use cases.
Allowed Special Characters
The following table describes the use of special characters in the cron expression format:
Special Character | Description |
---|---|
Asterisk * | Indicate that the cron expression will match for all values of the field. For example, using an asterisk in the 5th field (month) would indicate every month. |
Slash / | Describe increments of ranges. For example, 3-59/15 in the 1st field (minutes) would indicate the 3rd minute of the hour and every 15 minutes thereafter. |
Comma , | Separate items of a list. For example, using "MON,WED,FRI" in the 5th field (day of week) would mean Mondays, Wednesdays, and Fridays. |
Hyphen - | Define ranges. For example, 9-17 would indicate every hour between 9am and 5pm inclusive, MON-WED would indicate Monday through Wednesday, and JAN-JUN would indicate every month from January through June. |
Question mark ? | Use instead of "*" for leaving either day-of-month or day-of-week blank. "?" means no specific value. For example, to run the job every 10th day of the month and not limit the job to a particular day of the week: "* * 10 * ?". |
Permissions
You require specific group memberships to manage particular job configuration types. As well, you need to be logged into the root domain.
Job Configuration | Required Group | Required Domain |
---|---|---|
Key rotation | Key Admin | |
System Backup | Backup Admin | |
Domain Backup | Domain Backup Admin | |
User Password Expiry Notification | admin (application administrators) |
Creating Job Configurations
To create a job configuration, run the command ksctl scheduler configs create <operation> --name <config-name> --run-at "<cron-expression-format>"
.
Here, required values are:
<operation>
: Operation to schedule. The options are:backup
: Create a job configuration for backup operation. Refer to Scheduling Backups for more details and options.key-rotation
: Create a job configuration for key rotation. Refer to Scheduling Key Rotation for more details and options.
<config-name>
: Name for the job configuration.<cron-expression-format>
: Time when the job runs. The format must have five fields. If the number of fields is not equal to five, the format becomes invalid. Refer to time specification for details.
Additional required values are specific to the operation.
Refer to Scheduling Backups for options specific to backups.
Refer to Scheduling Key Rotation for options specific to key rotation.
Viewing Existing Job Configurations
To view the list of job configurations, run the command ksctl scheduler configs list
.
Example:
The output shows existing job configurations.
Viewing Details of Job Configurations
To view the details of a job configuration, run the command ksctl scheduler configs get --id "configID"
. Here, <configID>
represents the ID of the configuration.
Example
Modifying Job Configurations
Existing job configurations can be modified when needed. To modify a job configuration, run the command: ksctl scheduler configs modify <operation> --id "<configID>" <args>
Here,
<operation>
: Operation can bebackup
orkey-rotation
.<configID>
: ID of the job configuration to be modified.<args>
: Parameters to modify.
Example Request 1
Example Response 1
Example Request 2 (update replaced-key-state
value from Deactivated
to ProtectStop
)
Example Response 2
Example Request 3 (update change-state-after-time
to some valid value(>=0))
Example Response 3
Manually Running Job Configurations
A scheduled configuration can be run manually when needed. To manually run a job configuration, run the command: ksctl scheduler configs run-now --id "<configID>"
Here, <configID>
represents the ID of the configuration. The command creates a new job and waits for the job to be posted on the job queue. The "job_id
" is returned if the job is posted within about 30 seconds.
Example:
Disabling Job Configurations
You can disable an existing job configuration to temporarily prevent future job runs. To disable job configuration, run the command: ksctl scheduler configs modify <operation> --id "<configID>" --disabled
Here,
<operation>
: Operation can bebackup
,key-rotation
, oruser-password-expiry-notification
.<configID>
: ID of the job configuration to be modified.disabled
: A boolean value indicated whether the job configuration is disabled, and will not run in the future.
Example Request
Example Response
To enable a disabled job configuration, run the command: ksctl scheduler configs modify <operation> --id "<configID>" --disabled=false
Example Request
Deleting Job Configurations
Caution
This is a permanent operation. If you wish to temporarily suspend a scheduled job, you can disable it instead.
To delete a job configuration, run the command ksctl scheduler configs delete --id "<configID>"
. Here, <configID>
is the ID of the job configuration to be deleted. The specified job configuration is deleted without any message.
After a configuration is deleted, it will no longer run jobs automatically.
Job Runs
A job is created and run automatically when a scheduler configuration is run manually (using run-now
) or automatically at a schedule defined in the job configuration. You can view the results of jobs executed in the past, including status and error count.
Viewing Job Runs
To view the list of already run jobs for the logged in account, run the command ksctl scheduler jobs list
.
Example:
The output shows that two jobs have run successfully.
Viewing Details of a Particular Job Run
To view the details of a particular job run for the logged in account, run the command ksctl scheduler jobs get --id
. Here, --id
is the ID of the job run you are searching for.
Example:
Deleting a Job
To delete a job, run the command ksctl scheduler jobs delete --id
. This command stops the job (if it is running) and deletes it without any confirmation message.