Follow the steps on this page if you want some or all of your users’ key pairs to be rotated, or to have their expiration extended, automatically by the Orchestrator.
1. Set automatic lifecycle actions to either on or off, as desired, on each key pair stored by EKM. In particular, make sure that key pairs you do not want acted on are set to off, because the Orchestrator will process every key pair that has the setting on. You can set this on each key pair manually or use the bulk modify option.
2. Run the java -jar flowcrypt-enterprise-admin-panel.jar --gen-jwk=service-orchestrator command and follow the on-screen instructions to set the auth.service.orchestrator.signing.key property on EAP and the auth.service.orchestrator.verification.key property on EKM. The signing key belongs only on EAP; EKM needs only the verification key.
3. Set the auth.service.orchestrator.enabled=true property on EKM.
4. Set the Orchestrator properties on EAP, for example:
   orchestrator.timer.enabled=true
   orchestrator.timer.seconds=60
   orchestrator.batch.size=50
   orchestrator.key.pair.lifecycle.processor=RotateKeyPairLifecycleProcessor
   orchestrator.key.pair.expiration.threshold.days=60
   In this step, choose which processor you want: RotateKeyPairLifecycleProcessor rotates key pairs, while ExtendKeyPairExpirationLifecycleProcessor extends the validity of existing key pairs. Only one of the two can be set at a time. For descriptions of the other properties, see the EAP orchestrator section.
5. Restart the EKM and EAP services.
6. Watch the EAP Orchestrator page to track progress and results, and check the individual key pairs you expected to be acted upon. If you see no changes or progress, for example if the keypairs in the processing queue value on the Orchestrator page does not decrease, check the EAP logs for errors.
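The steps above touch two separate property files, and a typo in either one (a misspelled processor class, the timer left disabled, or the private signing key pasted into EKM instead of the verification key) only shows up as a silently stuck queue after the restart in step 5. The following script is an added example, not part of FlowCrypt’s own tooling: it parses Java-style .properties text for EAP and EKM and reports the misconfigurations a practitioner would want to catch before restarting. The sample property text is constructed inline, and the placeholder JWK values are not real keys; the check that the EKM verification key carries no private "d" parameter assumes the --gen-jwk output is a JSON Web Key (RFC 7517/7518), which is an assumption of this example.

```python
"""Pre-restart sanity check for the EAP/EKM Orchestrator properties.

Added example, not FlowCrypt's own code. Parses .properties text and
flags settings that would keep the Orchestrator from running.
"""
import json
import re
from typing import Dict, List

# The two processors named on this page; anything else is a typo or unsupported.
LIFECYCLE_PROCESSORS = {
    "RotateKeyPairLifecycleProcessor",
    "ExtendKeyPairExpirationLifecycleProcessor",
}

# key, optional '=' or ':' separator, value (value may itself contain ':' or '=')
_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key: value,
    backslash line continuations. Later keys override earlier ones, as in Java."""
    props: Dict[str, str] = {}
    carry = ""
    for raw in text.splitlines():
        line = raw.strip()
        if carry:
            line = carry + line
            carry = ""
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            carry = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _require_positive_int(props: Dict[str, str], key: str, findings: List[str], where: str) -> None:
    value = props.get(key)
    if value is None:
        findings.append(f"{where}: {key} is not set")
    elif not value.isdigit() or int(value) <= 0:
        findings.append(f"{where}: {key}={value!r} is not a positive integer")


def check_orchestrator_config(eap: Dict[str, str], ekm: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the config looks consistent."""
    findings: List[str] = []

    if ekm.get("auth.service.orchestrator.enabled", "").lower() != "true":
        findings.append("EKM: auth.service.orchestrator.enabled must be true")

    signing = eap.get("auth.service.orchestrator.signing.key")
    verification = ekm.get("auth.service.orchestrator.verification.key")
    if not signing:
        findings.append("EAP: auth.service.orchestrator.signing.key is not set")
    if not verification:
        findings.append("EKM: auth.service.orchestrator.verification.key is not set")
    elif signing == verification:
        findings.append("EKM: verification key is identical to the EAP signing key (private key copied to EKM?)")
    else:
        # Assumption: the key is a JWK; a "d" member is private key material (RFC 7518).
        try:
            jwk = json.loads(verification)
        except ValueError:
            jwk = {}
        if isinstance(jwk, dict) and "d" in jwk:
            findings.append("EKM: verification key contains private JWK parameter 'd'; only the public key belongs on EKM")

    if eap.get("orchestrator.timer.enabled", "").lower() != "true":
        findings.append("EAP: orchestrator.timer.enabled must be true for the timer to run")
    _require_positive_int(eap, "orchestrator.timer.seconds", findings, "EAP")
    _require_positive_int(eap, "orchestrator.batch.size", findings, "EAP")
    _require_positive_int(eap, "orchestrator.key.pair.expiration.threshold.days", findings, "EAP")

    processor = eap.get("orchestrator.key.pair.lifecycle.processor")
    if processor not in LIFECYCLE_PROCESSORS:
        findings.append(
            f"EAP: orchestrator.key.pair.lifecycle.processor={processor!r} "
            f"is not one of {sorted(LIFECYCLE_PROCESSORS)}"
        )
    return findings


# Constructed samples; the JWK values are placeholders, not real keys.
GOOD_EAP = """
auth.service.orchestrator.signing.key={"kty":"EC","crv":"P-256","x":"AAAA","y":"BBBB","d":"CCCC"}
orchestrator.timer.enabled=true
orchestrator.timer.seconds=60
orchestrator.batch.size=50
orchestrator.key.pair.lifecycle.processor=RotateKeyPairLifecycleProcessor
orchestrator.key.pair.expiration.threshold.days=60
"""
GOOD_EKM = """
auth.service.orchestrator.enabled=true
auth.service.orchestrator.verification.key={"kty":"EC","crv":"P-256","x":"AAAA","y":"BBBB"}
"""
# Same shape with the mistakes this check is meant to catch.
BAD_EAP = """
auth.service.orchestrator.signing.key={"kty":"EC","crv":"P-256","x":"AAAA","y":"BBBB","d":"CCCC"}
orchestrator.timer.enabled=true
orchestrator.timer.seconds=0
orchestrator.key.pair.lifecycle.processor=RotateKeyPairProcessor
orchestrator.key.pair.expiration.threshold.days=60
"""
BAD_EKM = """
auth.service.orchestrator.enabled=false
auth.service.orchestrator.verification.key={"kty":"EC","crv":"P-256","x":"AAAA","y":"BBBB","d":"DDDD"}
"""

if __name__ == "__main__":
    for label, eap_text, ekm_text in (("good", GOOD_EAP, GOOD_EKM), ("bad", BAD_EAP, BAD_EKM)):
        result = check_orchestrator_config(parse_properties(eap_text), parse_properties(ekm_text))
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run it against your real files by reading them in place of the constructed samples; a clean run does not prove the key pair matches, but every finding it does report corresponds to a step above that was missed or mistyped and would otherwise surface only as a queue that never drains.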