Keyfactor Command Service Automated Tasks

The Keyfactor Command Service runs several automated tasks for maintenance, alerting, reporting and similar purposes. The table below provides details of these tasks. The schedules for some tasks are customizable. Some tasks have further configuration settings (see Keyfactor Command Service appsetting.json File).

Table 90: Keyfactor Command Jobs Services

| Service | Description | Notes |
| --- | --- | --- |
| Agent Notification Alert | Periodically runs a job that checks if an orchestrator has not checked in between job runs and sends an email notification as per settings in Application Settings: Agents Tab. | This is configurable at Application Settings: Agents Tab. |
| Bulk Audit Processing | Periodically add audit log entries for large jobs. Most audit log entries are added immediately at the time the activity generating the audit log takes place. However, some large jobs that might generate heavy server load (e.g. bulk revocation) save the audit log entries in a temporary location to reduce server load and then they are added to the audit log by this periodic job. | This job runs every 10 minutes. |
| CA Health | Periodically send email alerts when a CA is not responding. | The schedule for this is user configurable (see Alert Recipients Tab). |
| CA Sync | Periodically synchronize certificates from certificate authorities. | The schedules for this are user configurable (see Certificate Authorities). |
| CA Threshold | Periodically send email alerts when a CA is issuing certificates or experiencing issuance failures outside of the established norms. | The schedule for this is user configurable (see Advanced Tab). |
| Certificate Query Alert | Periodically process for workflow any certificates found in the database cache (see QueryItems) of certificates entering or leaving a certificate collection for use by the Certificate Entered Collection and Certificate Left Collection workflow types. | This job runs every 10 minutes. |
| CRL | Periodically send email alerts for certificate revocation lists (CRLs) that are approaching expiration. | The schedule for this is user configurable (see Adding or Modifying a Revocation Monitoring Location). |
| Collection Query Alerts | Periodically update the temporary tables that store information on which certificates are in which certificate collections. These temporary tables (caches) are used to support faster processing of some systems. | This value is user configurable with an application setting (see Application Settings: Console Tab). The default is 20 minutes. |
| Concurrent Workflows | Sets the batch size used when suspended workflows are run by the Keyfactor Command service. Also used when running certificate entered collection and certificate left collection workflows to limit the number of certificates flowing through the workflow for each instance of the workflow initiated by the service. | The default value is 1000. This value may be changed in the Keyfactor Command server appsettings file for the Keyfactor Command service (see Keyfactor Command Service appsetting.json File). |
| Endpoint History | Periodically remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion, based on the setting in Application Settings: Auditing Tab (SSL > Retain SSL Endpoint History (days)). | This job runs daily at 1:00 am. |
| Expiration Alerts | Periodically send email alerts for certificates approaching expiration. | The schedules for these are user configurable. See Configuring an Expiration Alert Schedule. |
| Issued Alerts | Periodically send email alerts (typically to certificate requesters) for certificate requests made using a certificate template that requires manager approval that have been approved. | The schedule for this is user configurable (see Configuring an Issued Request Alert Schedule). |
| Metadata Generation | Periodically generate and assign metadata to certificates when they are imported into Keyfactor Command using a custom metadata extension. | This job runs every 15 minutes. |
| Pending Alerts | Periodically send email alerts (typically to certificate approvers) for certificate requests made using a certificate template that requires manager approval. | The schedules for these are user configurable. See Configuring a Pending Request Alert Schedule. |
| Private Key Cleanup | Periodically remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion. | This job runs daily at 1:00 am. For more information about stored private keys, see Status Tab. |
| Purge Audit History | Periodically remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion. Retention period default value is 52 weeks, only applied to new databases (changed from 7 years). Records are deleted in batches; the default value is 10k. | This job runs daily on the first day of the month at 2:00 am. For more information, and to change defaults, see Application Settings: Auditing Tab. Only audit logs belonging to unprotected categories are eligible for deletion. |
| Query Items | Periodically update the Keyfactor Command database cache of certificates entering or leaving a certificate collection for use by the Certificate Entered Collection and Certificate Left Collection workflow types. | This job runs every 10 minutes (see Workflow Definition Operations). |
| Reporting | Deliver regularly scheduled reports via email or saved to a file system. | The schedules for these are user configurable (see Reports). |
| Reporting Cleanup | Periodically remove records from temporary files generated while running reports. | This job runs daily at midnight. |
| Schedule SSL Jobs | Periodically identify and schedule SSL discovery and monitoring jobs. | This job runs every 5 minutes. |
| SSH Key Rotation Alerts | Periodically send email notifications to SSH key users and/or administrators when a key is nearing the end of the key lifetime. | The schedule for this is user configurable (see Configuring a Key Rotation Alert Schedule). |
| Stats Update | Periodically run the Microsoft SQL update statistics function in the Keyfactor Command database. | This job runs monthly on the first day of the month at 1:00 am. |
| Suspended Workflows | Periodically attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts. A locking conflict may occur if two users attempt to provide input to a workflow instance (e.g. approve a request) at exactly the same time. | This job runs daily at midnight. |
| Sync Templates | Periodically synchronize certificate templates from the source (e.g. Active Directory) to pick up new templates. | This job runs every hour. |
| Undecryptable Secrets Search | Periodically scan the database for any secrets that cannot be decrypted. If any are found, an error is logged to the orchestrator logs that indicates how many secrets were undecryptable. A Management Portal alert (see System Alerts) will also be triggered flagging the issue. | This job runs daily at midnight. |
| Workflow Cleanup | Periodically remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged X number of days past the completion date (last modified date), where X is defined by the Workflow Instance Cleanup Days application setting (see Application Settings: Console Tab). The default value is 14 days. | This job runs daily at midnight. |