This page explains the configuration options for the Orchestrator service component:
When accessing the Orchestrator page for the first time without it being configured, you will see the following:
data:image/s3,"s3://crabby-images/9be86/9be8634c87783febe9ed7cfd57cfc9dee37eebc7" alt="enterprise eap usage automatic key lifecycle rotation orchestrator unconfigured"
Once the configuration has been completed correctly and the services have been restarted, the EAP shows the active configuration directly on the Orchestrator page:
data:image/s3,"s3://crabby-images/0ead7/0ead702983cd94dffdbab68f452d089dd5138504" alt="enterprise eap usage automatic key lifecycle rotation orchestrator configured"
Configuration
Follow the instructions on this page if you wish some or all of your users' key pairs to be rotated, or their expiration extended, automatically.
1. Make sure Automatic lifecycle actions is set to either `on` or `off` as desired on each of the key pairs stored by EKM. In particular, ensure that key pairs you don't wish to be acted on are set to `off`. You may do this either by setting it manually on each key pair or by using the bulk modify option.
2. Run the `java -jar flowcrypt-enterprise-admin-panel.jar --gen-jwk service-orchestrator` command and follow the on-screen instructions to set the `auth.service.orchestrator.signing.key` property on EAP and `auth.service.orchestrator.verification.key` on EKM. The signing key is the private half of the generated pair and must stay on the EAP; EKM only needs the verification (public) key.
3. Set the `auth.service.orchestrator.enabled=true` property on EKM.
4. Set the Orchestrator properties on the EAP, for example:

```properties
orchestrator.timer.enabled=true
orchestrator.timer.seconds=60
orchestrator.batch.size=50
orchestrator.key.pair.lifecycle.processor=RotateKeyPairLifecycleProcessor
orchestrator.key.pair.expiration.threshold.days=60
```

In this step, choose `RotateKeyPairLifecycleProcessor` to rotate key pairs or `ExtendKeyPairExpirationLifecycleProcessor` to extend key pairs' validity. Only the latter uses `orchestrator.key.pair.expiration.target.months`, so set that property as well when you choose it. For the other property descriptions, see the Orchestrator configuration properties section below.
5. Restart the EKM and EAP services.
6. Observe the EAP Orchestrator page to track progress and results, and check the individual key pairs you expected to be acted upon. If you don't see any changes or progress, for example the `keypairs in the processing queue` value on the Orchestrator page not decreasing, check the EAP logs for errors.
For more details about the Orchestrator see the Automatic Key Lifecycle Rotation guide.
Orchestrator configuration properties
The Orchestrator section configures the Orchestrator service, which manages key lifecycle events like rotation and expiration extension. The following parameters control key handling frequency, batch size, and lifecycle strategies. See the property-description table below for details on each property and its usage:
| Property | Description | Example |
|---|---|---|
| `orchestrator.timer.enabled` | Enables or disables the Orchestrator service. | `false` |
| `orchestrator.timer.seconds` | How frequently, in seconds, Orchestrator tasks are checked and potentially run. | `60` |
| `orchestrator.batch.size` | The number of items to process in a single Orchestrator run. | `50` |
| `orchestrator.key.pair.lifecycle.processor` | Type of key pair lifecycle processor. The possible values are `ExtendKeyPairExpirationLifecycleProcessor` and `RotateKeyPairLifecycleProcessor`. | `ExtendKeyPairExpirationLifecycleProcessor` |
| `orchestrator.key.pair.expiration.threshold.days` | The number of days before key expiration at which automatic action on the key is taken. For example, when set to `60`, keys that expire 61 days from now or later are not acted upon, while keys expiring 60 days from now or sooner (including already expired keys) are. | `60` |
| `orchestrator.key.pair.expiration.target.months` | The number of months to prolong key validity for. Only set this when using `ExtendKeyPairExpirationLifecycleProcessor`. | `12` |
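As an added example (not FlowCrypt's own code), the following Python script models the semantics documented in steps 1 to 4 of the procedure above and in the property table: it parses an EAP properties file, flags inconsistent Orchestrator settings before you restart the services, and applies the documented expiration-threshold rule to a constructed set of key pairs. The minimal properties parser, the earliest-expiry-first ordering of due key pairs, the sample users and the sample date are assumptions made for illustration; the real Orchestrator's selection order is not stated on this page.

```python
"""Preflight checks for Orchestrator properties, modelled on the documented rules.

Added example, not FlowCrypt code. It lets an admin sanity-check the EAP
properties file and reason about which key pairs a run would touch.
"""
from datetime import date, timedelta

PROCESSORS = {
    "RotateKeyPairLifecycleProcessor",
    "ExtendKeyPairExpirationLifecycleProcessor",
}

# Constructed sample matching the page's example, but with the Extend processor.
EXAMPLE_PROPERTIES = """\
# EAP Orchestrator settings (constructed sample)
orchestrator.timer.enabled=true
orchestrator.timer.seconds=60
orchestrator.batch.size=50
orchestrator.key.pair.lifecycle.processor=ExtendKeyPairExpirationLifecycleProcessor
orchestrator.key.pair.expiration.threshold.days=60
orchestrator.key.pair.expiration.target.months=12
"""


def parse_properties(text):
    """Minimal Java .properties parser (assumption: only key=value lines,
    '#' or '!' comments; the ':' separator form is not handled here)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_orchestrator_properties(props):
    """Return a list of problems; an empty list means the settings are consistent
    with the rules in the property table (processor name, positive integers,
    target.months only with the Extend processor)."""
    problems = []
    processor = props.get("orchestrator.key.pair.lifecycle.processor")
    if processor not in PROCESSORS:
        problems.append(f"unknown or missing processor: {processor!r}")
    if props.get("orchestrator.timer.enabled", "").lower() != "true":
        problems.append("orchestrator.timer.enabled is not true; the Orchestrator will not run")
    for key in ("orchestrator.timer.seconds", "orchestrator.batch.size",
                "orchestrator.key.pair.expiration.threshold.days"):
        value = props.get(key)
        if value is None or not value.isdigit() or int(value) <= 0:
            problems.append(f"{key} must be a positive integer, got {value!r}")
    target = props.get("orchestrator.key.pair.expiration.target.months")
    if processor == "ExtendKeyPairExpirationLifecycleProcessor":
        if target is None or not target.isdigit() or int(target) <= 0:
            problems.append("ExtendKeyPairExpirationLifecycleProcessor needs a positive "
                            "orchestrator.key.pair.expiration.target.months")
    elif target is not None:
        problems.append("orchestrator.key.pair.expiration.target.months is only used "
                        "with ExtendKeyPairExpirationLifecycleProcessor")
    return problems


def due_for_action(expires_on, today, threshold_days):
    """Documented threshold rule: act when the key expires threshold_days from
    today or sooner (already expired keys included), never when it expires later."""
    return expires_on <= today + timedelta(days=threshold_days)


def select_for_run(key_pairs, today, threshold_days, batch_size):
    """Model of one Orchestrator run: skip key pairs with automatic lifecycle
    actions off, keep those within the threshold, and cap at batch_size.
    Assumption: earliest expiry is handled first."""
    due = [kp for kp in key_pairs
           if kp["automatic"] and due_for_action(kp["expires_on"], today, threshold_days)]
    due.sort(key=lambda kp: kp["expires_on"])
    return due[:batch_size]


# Constructed sample data: "today" and five key pairs around the 60-day boundary.
SAMPLE_TODAY = date(2024, 1, 1)
SAMPLE_KEY_PAIRS = [
    {"user": "alice@example.com", "automatic": True,  "expires_on": date(2023, 12, 15)},  # expired
    {"user": "bob@example.com",   "automatic": True,  "expires_on": date(2024, 3, 1)},    # exactly 60 days
    {"user": "carol@example.com", "automatic": False, "expires_on": date(2024, 1, 10)},   # actions off
    {"user": "dave@example.com",  "automatic": True,  "expires_on": date(2024, 3, 2)},    # 61 days, untouched
    {"user": "erin@example.com",  "automatic": True,  "expires_on": date(2024, 2, 1)},
]

if __name__ == "__main__":
    props = parse_properties(EXAMPLE_PROPERTIES)
    print("problems:", check_orchestrator_properties(props) or "none")
    threshold = int(props["orchestrator.key.pair.expiration.threshold.days"])
    batch = int(props["orchestrator.batch.size"])
    for kp in select_for_run(SAMPLE_KEY_PAIRS, SAMPLE_TODAY, threshold, batch):
        print("would act on", kp["user"], "expiring", kp["expires_on"])
```

Run it against your own properties file by replacing `EXAMPLE_PROPERTIES` with the file's contents; a non-empty problem list is worth resolving before step 5, since a wrong processor name or a missing `target.months` only surfaces in the EAP logs after the restart.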