Built-in job types
The following chapters describe the jobs that are included in the nevisIDM distribution.
dataPorter export job
nevisDataPorter is a flexible and extensible data migration framework by Nevis Security. In short, it can be used to extract entities (such as users) from a data source, perform transformations on the entity, and then store the entity in a data sink. See the nevisDataPorter reference guide [6] for details.
Class
ch.nevis.idm.batch.jobs.DataPorterExportJob
Configuration
Field | Required? | Format | Description |
---|---|---|---|
dataporter.config | true | String | Path to a dataporter XML configuration. |
dataporter.simulate | false | boolean | Specifies if dataporter should be run in simulation mode. Default value false . |
dataporter.libDir | true | String | Defines where the dataPorter Java libraries are located. They are usually installed by the separate component nevisDP at /opt/nevisdp/lib. |
Any additional config parameters defined for the job are passed as-is to the dataPorter, and can be referenced in the XML configuration (e.g., ${cfg.paramName}).
Logging
ch.nevis.idm.batch.jobs.DataPorterExportJob
dataporter.config
dataporter.timing
dataporter.simulate
dataporter.statistic
Example(s)
See chapter 5.4.3.4 "Example of a batch job configuration file".
Inactive user disabling job
This job is deprecated. Its functionality is available in the job UpdateUserStateJob. Configure UpdateUserStateJob with the following parameters to get the old behavior of DisableInactiveUsersJob (this is the configuration shown under "Deprecated inactive user disabling job replacement" in the UpdateUserStateJob examples):
- daysNoActivity=<parameter "daysInactive" from DisableInactiveUsersJob>
- considerUsersNeverLoggedIn=false
- sendWarning=false
- daysGracePeriod=0
- daysStatusDisabled=-1
- daysStatusArchived=-1
- disableOutdatedUsers=false
- disableNotYetActiveUsers=false
This job allows for periodically disabling users that have not logged in for a configurable number of days.
Class
ch.nevis.idm.batch.jobs.DisableInactiveUsersJob
Configuration
Field | Required? | Format | Description |
---|---|---|---|
daysInactive | true | number | Number of days of inactivity after which a user will be disabled. |
Logging
ch.nevis.idm.batch.jobs.DisableInactiveUsersJob
Example(s)
<bean id="disableInactiveUsersJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Disables users that have not logged in for a while"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.DisableInactiveUsersJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="daysInactive" value="365"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>
Recreate certificate information job
Many certificate parameters, such as the validity dates or the fingerprint, are extracted from the certificate by nevisIDM upon its upload and registration. These parameters are stored separately in the database so that search operations do not have to parse the certificates. If, for any reason, the extracted parameters become invalid or are deleted, this batch job re-extracts them from the stored certificates.
Depending on the number of stored certificates and the chunk size, this job may take very long and may temporarily lock out users whose certificates are being processed.
To avoid the overhead of one service call per certificate, the certificates are handled in groups (chunks). If the chunk size is too big, however, the number of concurrently locked database objects grows and more users than necessary are locked out (namely all certificate users in the chunk). The chunk size therefore balances the number of service calls against the number of concurrently locked database objects and may need to be adjusted. So far, a value of 100 has proven adequate for most scenarios.
Class
ch.nevis.idm.batch.jobs.RecreateCertificateInfosJob
Configuration
Field | Required? | Format | Description |
---|---|---|---|
certinfo.chunksize | true | number | Size of groups in which certificates are locked and updated. |
Logging
ch.nevis.idm.batch.jobs.RecreateCertificateInfosJob
Example(s)
<bean id="recreateCertificateInfosJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Recreate all certinfo from certificates"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.RecreateCertificateInfosJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="certinfo.chunksize" value="100"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>
Recreate localized hierarchical name job
For performance reasons, language dependent hierarchical names are precomputed in nevisIDM upon creation or modification. Some circumstances, for example some imports and exports or direct changes to the database, may invalidate these precomputed values. This job recreates all hierarchical name elements by recursively reassembling them.
Depending on the amount of hierarchical levels, this job may take very long.
Class
ch.nevis.idm.batch.jobs.RecreateLocalizedHnamesJob
Logging
ch.nevis.idm.batch.jobs.RecreateLocalizedHnamesJob
Example(s)
<bean id="recreateLocalizedHnamesJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Recreate all hierarchical names"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.RecreateLocalizedHnamesJob"/>
<property name="durability" value="true"/>
</bean>
Remove all failed printing jobs from the persistent queue
This is a clean-up job which removes all failed printing jobs currently stored in the persistent queue. Possible reasons why a printing job has failed are:
- missing template in the template store
- no value found for a mandatory placeholder
The failed printing jobs are kept in the queue to allow them to be retriggered manually. As soon as an administrator has handled the failed jobs, they can be removed by means of this batch job.
Class
ch.nevis.idm.batch.jobs.DeleteAllFailedPrintingEventsJob
Configuration
Field | Required? | Format | Description |
---|---|---|---|
days | true | number | Defines that all printing events older than the defined number of days are deleted. |
Logging
ch.nevis.idm.batch.jobs.DeleteAllFailedPrintingEventsJob
Example(s)
<bean id="deleteFailedPrintingEventsJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Delete failed printing events from event queue"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.DeleteAllFailedPrintingEventsJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="days" value="90"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>
Prune history data job
On every add/update/delete action in the nevisIDM database, nevisIDM writes history entries so that the modifications can be tracked. This is a complete audit trail of modifications done by users or by nevisIDM itself (during authentication processes, batch job executions, etc.). With this batch job, very old history data can be pruned automatically to save space in the database and to speed up nevisIDM features that are based on history data. The batch job deletes old records from the history/versioning tables, leaving a single record per entity. If the original entity no longer exists, the job removes all of its history records.
Class
ch.nevis.idm.batch.jobs.PruneHistoryJob
Configuration
Field | Required? | Format | Description |
---|---|---|---|
days | true | number | Defines that all data older than the defined number of days is deleted. |
skipList | false | String | Comma-separated list of versioned tables to be ignored by the prune history job. |
Logging
ch.nevis.idm.batch.jobs.PruneHistoryJob
Example(s)
<bean id="pruneHistoryJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="History cleanup job"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.PruneHistoryJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="days" value="365"/>
<!-- deletes the entries in all tables except TIDMA_CRED_LOGIN_INFO_V
and TIDMA_USER_LOGIN_INFO_V -->
<entry key="skipList" value="TIDMA_CRED_LOGIN_INFO_V,TIDMA_USER_LOGIN_INFO_V" />
</map>
</constructor-arg>
</bean>
</property>
</bean>
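What "leaving a single record" and "removes all history records" amount to in SQL, as an added example that is not nevisIDM's implementation: a Python script runs the two pruning rules against an in-memory SQLite database with a constructed schema. The table names follow the page's TIDMA_*_V convention, but the columns (ver_id, user_id, modified) and the choice to keep the newest record per entity are assumptions made for this example. Note that skipList is only matched against a fixed allow-list of table names: SQL identifiers cannot be bound as query parameters, so a job parameter must never be interpolated into a statement directly.

```python
import sqlite3
from datetime import datetime, timedelta

# History table -> live table it versions. Names mirror the page's TIDMA_*_V convention,
# but the columns below are assumptions made for this example, not nevisIDM's real schema.
HISTORY_TABLES = {
    "TIDMA_USER_V": "TIDMA_USER",
    "TIDMA_USER_LOGIN_INFO_V": "TIDMA_USER",
}
SAMPLE_NOW = datetime(2024, 1, 1)   # constructed run date


def build_sample_db(now=SAMPLE_NOW):
    """Constructed sample data: two live users and one user (id 3) that no longer exists."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE TIDMA_USER (user_id INTEGER PRIMARY KEY, login TEXT);
        CREATE TABLE TIDMA_USER_V (ver_id INTEGER PRIMARY KEY, user_id INTEGER,
                                   modified TEXT, login TEXT);
        CREATE TABLE TIDMA_USER_LOGIN_INFO_V (ver_id INTEGER PRIMARY KEY, user_id INTEGER,
                                              modified TEXT, last_login TEXT);
        INSERT INTO TIDMA_USER VALUES (1, 'alice'), (2, 'bob');
    """)

    def day(n):  # ISO date n days before `now`; ISO strings compare chronologically
        return (now - timedelta(days=n)).strftime("%Y-%m-%d")

    conn.executemany("INSERT INTO TIDMA_USER_V VALUES (?, ?, ?, ?)", [
        (1, 1, day(1000), "alice"), (2, 1, day(800), "alice"), (3, 1, day(10), "alice"),
        (4, 2, day(900), "bob"), (5, 2, day(500), "bob"),      # bob: only old versions
        (6, 3, day(700), "carol"), (7, 3, day(600), "carol"),  # carol: entity no longer exists
    ])
    conn.executemany("INSERT INTO TIDMA_USER_LOGIN_INFO_V VALUES (?, ?, ?, ?)", [
        (1, 1, day(1000), day(1000)), (2, 1, day(5), day(5)),
        (3, 3, day(700), day(700)),
    ])
    conn.commit()
    return conn


def prune_history(conn, days, skip_list="", now=SAMPLE_NOW):
    """Delete history rows older than `days`, keeping the newest row per entity, and drop
    all history of entities that no longer exist. Returns rows deleted per table."""
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d")
    skipped = {t.strip() for t in skip_list.split(",") if t.strip()}
    deleted = {}
    for hist, live in HISTORY_TABLES.items():
        if hist in skipped:
            continue
        # Table names come from the fixed dict above, never from the job parameter:
        # identifiers cannot be bound, so skipList is only used as a filter on known names.
        cur = conn.cursor()
        cur.execute(f"DELETE FROM {hist} WHERE user_id NOT IN (SELECT user_id FROM {live})")
        n = cur.rowcount
        cur.execute(
            f"DELETE FROM {hist} WHERE modified < ? "
            f"AND ver_id NOT IN (SELECT MAX(ver_id) FROM {hist} GROUP BY user_id)",
            (cutoff,),
        )
        deleted[hist] = n + cur.rowcount
    conn.commit()
    return deleted


def remaining(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    conn = build_sample_db()
    print(prune_history(conn, 365, skip_list="TIDMA_USER_LOGIN_INFO_V"))
```

With days=365 the script deletes five rows from TIDMA_USER_V (both versions of the vanished user 3, the two older versions of alice, and the older of bob's two versions, so bob keeps exactly one record even though both of his are old) and leaves TIDMA_USER_LOGIN_INFO_V untouched because it is on the skipList, which is what the page's bean example does for the login-info tables.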
UpdateUserStateJob
This batch job degrades a user's status due to inactivity. The degradation is gradual (from active to disabled, from disabled to archived, from archived to deleted) and the intervals between the steps can be configured. Furthermore, the job can warn the user per e-mail before the user is disabled. To use this feature, make sure that e-mail templates for the event "DeactivationWarning" have been defined in nevisIDM.
Class
ch.nevis.idm.batch.jobs.UpdateUserStateJob
Configuration
Field | Required? | Format | Description |
---|---|---|---|
daysNoActivity | true | number | Days of inactivity before a warning is sent. -1 and 0 mean: do not consider inactive users. |
daysNoActivitySinceReactivation | false | number | Days of inactivity of a reactivated user. After this number of inactive days, the reactivated user is considered in the automatic deactivation procedure. -1 and 0 mean not set, i.e., reactivated users get no special treatment. |
neverLoggedInDaysNoActivity | false | number | Days of inactivity before a warning is sent to users who have never logged in. -1 and 0 mean: do not consider inactive users. |
neverLoggedInGracePeriod | false | number | Days of inactivity of a user who has never logged in but has already been warned. After this number of inactive days, the user is considered in the automatic deactivation procedure. |
considerUsersNeverLoggedIn | true | boolean | When true, the job also finds users who have never logged in but were created more than daysNoActivity days ago. |
sendWarning | true | boolean | Whether or not to send a warning. |
sendingMethod | false | String | Fallback list of communication methods. The value has to be a subset of the predefined values None, Print, Email, PDFstore, SMS_SMTP, HTMLemail, PDFemail. Default is Email. When one of the list members is not recognized as a valid sendingMethod, the default Email is used. The communication event is DeactivationWarning. |
daysGracePeriod | true | number | Days of inactivity between the warning and disabling the user. |
daysStatusDisabled | true | number | Days between disabling and archiving the user (0 means archive all disabled users immediately, -1 means do not touch disabled users). |
daysStatusArchived | true | number | Days between archiving and deleting the user (0 means delete all archived users immediately, -1 means do not touch archived users). |
disableOutdatedUsers | true | boolean | Whether or not to disable users after their validity period. |
disableNotYetActiveUsers | false | boolean | Whether or not to disable users before their validity period. |
excludeUsers | false | String | The users listed here are protected from the job's actions. The three technical users (bootstrap, batchjob, nevisauth) are always excluded, even if not listed here. Format: comma-separated list of <clientExtId>/<userExtId>, e.g., 111/222, 112/223 |
excludeTechnicalUsers | false | boolean | Defines whether technical users are excluded from the update process. Default value true. |
excludeMainUsers | false | boolean | Defines whether main users (users who have deputies) are excluded from the update process. Default value true. |
excludeUnits | false | String | List of units to be excluded. Format: comma-separated list of <clientExtId>/<unitExtId>, e.g., excludeUnits=111/222,112/223. Users who belong to one of these units or one of their subunits are not processed; the subunits of the listed units are excluded automatically too. |
excludeRoles | false | String | Comma-separated list of role extIds. Users with one of these roles are not processed. |
restrictToClients | false | String | Comma-separated list of clientExtIds. If not set, the job acts on all clients. Otherwise, it is restricted to the specified clients. |
restrictToUnits | false | String | List of units to be included. Format: comma-separated list of <clientExtId>/<unitExtId>, e.g., restrictToUnits=111/222,112/223. Only users who belong to one of these units or one of their subunits are processed. If the parameter is empty, users from all units are processed. The subunits of the listed units are included automatically too. |
restrictToEnterpriseRoles | false | String | List of enterprise roles to be included. Format: comma-separated list of <clientExtId>/<enterpriseRoleExtId>, e.g., restrictToEnterpriseRoles=100/12223,100/1223. Only users who have one or more of the listed enterprise roles are processed. If the parameter is empty, there is no filtering by enterprise roles. |
changeReasonCode | false | number | Code of the change reason to be used when the state of a user is changed. If the parameter is set, the stateChangeReasonCd attribute of the user entity is set to the given code. If the value is invalid (not a number, or no change reason exists with the given code), the parameter is ignored. |
When a user is in its original state and that state is DISABLED or ARCHIVED, the job degrades the user status without checking the daysStatusDisabled or daysStatusArchived parameters.
Logging
ch.nevis.idm.batch.jobs.UpdateUserStateJob
Example(s)
Disable outdated users
<bean id="updateUserStateJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Degrade status when user is inactive or validity period expired"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.UpdateUserStateJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="daysNoActivity" value="0"/>
<entry key="considerUsersNeverLoggedIn" value="false"/>
<entry key="sendWarning" value="false"/>
<entry key="daysGracePeriod" value="0"/>
<entry key="daysStatusDisabled" value="-1"/>
<entry key="daysStatusArchived" value="-1"/>
<entry key="disableOutdatedUsers" value="true"/>
<entry key="disableNotYetActiveUsers" value="true"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>
Deprecated inactive user disabling job replacement
<bean id="updateUserStateJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Degrade status when user is inactive or validity period expired"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.UpdateUserStateJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="daysNoActivity" value="365"/>
<entry key="considerUsersNeverLoggedIn" value="false"/>
<entry key="sendWarning" value="false"/>
<entry key="daysGracePeriod" value="0"/>
<entry key="daysStatusDisabled" value="-1"/>
<entry key="daysStatusArchived" value="-1"/>
<entry key="disableOutdatedUsers" value="false"/>
<entry key="disableNotYetActiveUsers" value="false"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>
Full functionality
<bean id="updateUserStateJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Degrade status when user is inactive or validity period expired"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.UpdateUserStateJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="daysNoActivity" value="365"/>
<entry key="considerUsersNeverLoggedIn" value="true"/>
<entry key="sendWarning" value="true"/>
<entry key="sendingMethod" value="HTMLemail, Email"/>
<entry key="daysGracePeriod" value="30"/>
<entry key="daysStatusDisabled" value="90"/>
<entry key="daysStatusArchived" value="300"/>
<entry key="disableOutdatedUsers" value="true"/>
<entry key="disableNotYetActiveUsers" value="true"/>
<entry key="excludeUsers" value="100/12345, 100/1002"/>
<entry key="restrictToClients" value="100, 1001"/>
<entry key="excludeTechnicalUsers" value="true" />
<entry key="excludeMainUsers" value="true" />
</map>
</constructor-arg>
</bean>
</property>
</bean>
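How the parameters above combine into a timeline, as an added example that is not nevisIDM's code: the Python model below implements the documented semantics (-1 never, 0 immediately, the always-excluded technical users, excludeUsers, restrictToClients, the "original state" rule) and runs the job once per day against a constructed user, using the parameter values of the "Full functionality" example. Two points are assumptions of the model rather than statements of the page: the grace period is counted from the day the warning was sent when sendWarning is true, and from the end of the daysNoActivity window when it is false; and the User fields warned_on and state_changed stand in for whatever nevisIDM records internally.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ALWAYS_EXCLUDED = {"bootstrap", "batchjob", "nevisauth"}   # per the page, never processed

@dataclass
class User:
    client_ext_id: str
    ext_id: str
    login_id: str
    state: str = "ACTIVE"                  # ACTIVE | DISABLED | ARCHIVED | DELETED
    created: date = date(2020, 1, 1)
    last_login: Optional[date] = None
    valid_to: Optional[date] = None
    technical: bool = False
    warned_on: Optional[date] = None       # assumption: day the DeactivationWarning went out
    state_changed: Optional[date] = None   # assumption: day the job last degraded the user

@dataclass
class Config:                              # keys as in the page's jobDataMap
    daysNoActivity: int
    daysGracePeriod: int = 0
    daysStatusDisabled: int = -1
    daysStatusArchived: int = -1
    sendWarning: bool = False
    considerUsersNeverLoggedIn: bool = False
    disableOutdatedUsers: bool = False
    excludeTechnicalUsers: bool = True
    excludeUsers: str = ""
    restrictToClients: str = ""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def is_excluded(u, cfg):
    if u.login_id in ALWAYS_EXCLUDED or (cfg.excludeTechnicalUsers and u.technical):
        return True
    if f"{u.client_ext_id}/{u.ext_id}" in _csv(cfg.excludeUsers):
        return True
    clients = _csv(cfg.restrictToClients)
    return bool(clients) and u.client_ext_id not in clients

def _due(since, today, days):
    """-1: never, 0: immediately, n: after n days. A user that is still in its original
    DISABLED/ARCHIVED state has no state-change date and is degraded without consulting
    the parameter (the page's "original state" rule)."""
    if since is None:
        return True
    return days >= 0 and (today - since).days >= days

def decide(u, cfg, today):
    """Action the job takes on `today`: None, 'WARN', 'DISABLE', 'ARCHIVE' or 'DELETE'."""
    if is_excluded(u, cfg):
        return None
    if u.state == "DISABLED":
        return "ARCHIVE" if _due(u.state_changed, today, cfg.daysStatusDisabled) else None
    if u.state == "ARCHIVED":
        return "DELETE" if _due(u.state_changed, today, cfg.daysStatusArchived) else None
    if u.state != "ACTIVE":
        return None
    if cfg.disableOutdatedUsers and u.valid_to is not None and today > u.valid_to:
        return "DISABLE"                   # validity period is over
    if cfg.daysNoActivity <= 0:            # -1 and 0: inactivity is ignored
        return None
    if u.last_login is None and not cfg.considerUsersNeverLoggedIn:
        return None
    reference = u.last_login or u.created  # never-logged-in users count from creation
    if (today - reference).days < cfg.daysNoActivity:
        return None
    if cfg.sendWarning:
        if u.warned_on is None:
            return "WARN"
        grace_start = u.warned_on          # grace period runs from the warning
    else:                                  # assumption: without warning it runs from the inactivity limit
        grace_start = reference + timedelta(days=cfg.daysNoActivity)
    return "DISABLE" if (today - grace_start).days >= cfg.daysGracePeriod else None

def simulate(u, cfg, start, days):
    """Run the job daily from `start`; return the [(date, action)] list it would log."""
    events = []
    for i in range(days):
        today = start + timedelta(days=i)
        action = decide(u, cfg, today)
        if action == "WARN":
            u.warned_on = today
        elif action:                       # DISABLE/ARCHIVE/DELETE -> DISABLED/ARCHIVED/DELETED
            u.state, u.state_changed = action + "D", today
        if action:
            events.append((today, action))
    return events

# Constructed scenario using the parameters of the page's "Full functionality" example.
FULL = Config(daysNoActivity=365, daysGracePeriod=30, daysStatusDisabled=90, daysStatusArchived=300,
              sendWarning=True, considerUsersNeverLoggedIn=True, disableOutdatedUsers=True,
              excludeUsers="100/12345, 100/1002", restrictToClients="100, 1001")
LAST_LOGIN = date(2023, 1, 1)

def full_timeline():
    return simulate(User("100", "777", "alice", last_login=LAST_LOGIN), FULL, LAST_LOGIN, 800)
```

For a user whose last login was on day 0, the "Full functionality" parameters produce the warning on day 365, the disabling on day 395, the archiving on day 485 and the deletion on day 785; the same user under the deprecated-job replacement (daysNoActivity=365, everything else at its "do not touch" value) is disabled on day 365 and then never touched again. A user listed in excludeUsers, one of the three technical users, or a user in a client outside restrictToClients produces no events at all, which is the check to run before enabling deletion in production.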
UpdateCredentialStateJob
This batch job runs the process described below on credentials asynchronously, i.e., independent of any authorization process.
- It disables/deletes any expired credentials (referred to as house-keeping below).
- It changes the credential state according to the policy parameters and the job configuration.
It can be used for explicitly disabling expired credentials (of all types) and for credential- and policy-specific credential updates. Currently, only OTP card, ticket and certificate credentials are processed in this policy-aware manner.
Class
ch.nevis.idm.batch.jobs.UpdateCredentialStateJob
Configuration
The following parameters do not apply to house-keeping, but only to the credential-specific updates.
Field | Required? | Format | Description |
---|---|---|---|
restrictToClients | false | String | comma-separated list of clientExtIds . If not set, the job will act on all clients. Otherwise, it is restricted to the specified clients. |
enableDoubleRenewOfOTP | false | boolean | If true : old OTP card is renewed even if there is a new card already. If false : renewal process not triggered if there is a new card already. Default value false . |
sendingMethod | false | String | Describes a fallback list of different communication methods. The value has to be a subset of those predefined values: None, Print, Email, PDFstore, SMS_SMTP, HTMLemail, PDFemail . Default is Email . When one of the list members is not recognized as a valid sendingMethod, the default Email will be used. The communication event is OTPExpirationWarning or TicketExpirationWarning . |
credentialTypes | false | String | Defines the credential types which are affected during the processing. Format: comma-separated list of credential type names. If not set, OTP is used as a fallback. The following restrictions apply: for disabling credentials, the credential type needs to have a policy type defined; for sending out warnings, the credential type needs to have a communication event type defined, therefore currently only the types OTP, TICKET and CERTIFICATE are supported. |
expireAction | false | String | Defines the action taken on expired credentials. Possible values: disable , delete . Note that state change reason code of the disabled credentials will be "Credential changed by batch job". Default value disable . |
Logging
ch.nevis.idm.batch.jobs.UpdateCredentialStateJob
Example(s)
Update credential states
<bean id="updateCredentialStateJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Update credential state job"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.UpdateCredentialStateJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="restrictToClients" value="100"/>
<entry key="enableDoubleRenewOfOTP" value="true" />
<entry key="sendingMethod" value="HTMLemail, Email"/>
<entry key="credentialTypes" value="OTP, TICKET, CERTIFICATE" />
<entry key="expireAction" value="disable" />
</map>
</constructor-arg>
</bean>
</property>
</bean>
The UpdateCredentialStateJob is supposed to run daily. If run more often, some events could be triggered more than once.
OTP-specific credential updates
When the OTP card policy parameter sendWarningWhenCloseToExpiration is set to true and the remaining validity of the card falls below closeToExpirationThreshold, the job generates an OTPExpirationWarning communication event.
When the OTP card policy parameter renewWhenCloseToExpiration is set to true and the remaining validity of the card falls below closeToExpirationThreshold, the job generates a new OTP card; the old (but not yet expired) card acts as a fallback until the new card is used.
Ticket and certificate-specific credential updates
When the ticket or certificate credential policy parameter sendWarningWhenCloseToExpiration is set to true and the remaining validity falls below closeToExpirationThreshold, the job generates a TicketExpirationWarning or CertificateExpirationWarning communication event.
Currently, automatic renewal is not supported for ticket and certificate credentials.
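The split between house-keeping and the policy-aware updates, as an added example that is not nevisIDM's code: the Python model below runs both phases over constructed credentials and shows that restrictToClients and credentialTypes only narrow the second phase, that an OTP card with an existing replacement is renewed again only with enableDoubleRenewOfOTP, and why running the job more than once a day repeats the warning events. The page lists expireAction among the parameters that do not apply to house-keeping while describing it as the action taken on expired credentials; the model follows the description and uses it in house-keeping. closeToExpirationThreshold is assumed to be a number of days; the policy, credential and warning-flag fields are the model's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Communication events named on the page, one per credential type that supports warnings.
WARNING_EVENT = {"OTP": "OTPExpirationWarning", "TICKET": "TicketExpirationWarning",
                 "CERTIFICATE": "CertificateExpirationWarning"}
TODAY = date(2024, 6, 1)                   # constructed run date

@dataclass
class Policy:                              # credential-policy parameters named on the page
    closeToExpirationThreshold: int        # assumption: days of remaining validity
    sendWarningWhenCloseToExpiration: bool = False
    renewWhenCloseToExpiration: bool = False

@dataclass
class Credential:
    cred_id: int
    client_ext_id: str
    ctype: str                             # OTP | TICKET | CERTIFICATE | PASSWORD ...
    valid_to: date
    policy: Optional[Policy] = None
    state: str = "ACTIVE"
    has_newer_card: bool = False           # OTP only: a replacement card already exists

@dataclass
class JobConfig:                           # keys as in the page's jobDataMap
    restrictToClients: str = ""
    enableDoubleRenewOfOTP: bool = False
    credentialTypes: str = "OTP"           # page: OTP is the fallback when unset
    expireAction: str = "disable"          # disable | delete

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def run_job(creds, cfg, today=TODAY):
    """One job run; returns the [(cred_id, action)] list it would produce, in order."""
    actions = []
    # 1. House-keeping: every expired credential, whatever its client or type.
    for c in creds:
        if c.state == "ACTIVE" and c.valid_to < today:
            c.state = "DISABLED" if cfg.expireAction == "disable" else "DELETED"
            actions.append((c.cred_id, c.state))
    # 2. Policy-aware updates: restricted to the configured clients and types, and to
    #    types that have a communication event defined.
    clients, types = _csv(cfg.restrictToClients), _csv(cfg.credentialTypes)
    for c in creds:
        if c.state != "ACTIVE" or c.policy is None or c.ctype not in WARNING_EVENT:
            continue
        if c.ctype not in types or (clients and c.client_ext_id not in clients):
            continue
        if (c.valid_to - today).days >= c.policy.closeToExpirationThreshold:
            continue                       # threshold not yet undershot
        if c.policy.sendWarningWhenCloseToExpiration:
            # No "already warned" bookkeeping: a second run on the same day warns again.
            actions.append((c.cred_id, WARNING_EVENT[c.ctype]))
        if c.ctype == "OTP" and c.policy.renewWhenCloseToExpiration:
            if not c.has_newer_card or cfg.enableDoubleRenewOfOTP:
                c.has_newer_card = True    # old card stays usable as fallback until the new one is used
                actions.append((c.cred_id, "RENEW"))
    return actions

def sample_credentials():
    """Constructed data; all dates are relative to TODAY."""
    pol = Policy(closeToExpirationThreshold=30, sendWarningWhenCloseToExpiration=True,
                 renewWhenCloseToExpiration=True)
    return [
        Credential(1, "100", "OTP", TODAY + timedelta(days=10), pol),                       # warn + renew
        Credential(2, "100", "OTP", TODAY + timedelta(days=10), pol, has_newer_card=True),  # warn only
        Credential(3, "200", "TICKET", TODAY + timedelta(days=5), pol),                     # other client
        Credential(4, "100", "CERTIFICATE", TODAY - timedelta(days=1), pol),                # expired
        Credential(5, "300", "PASSWORD", TODAY - timedelta(days=3)),                        # expired, no policy
    ]

# The configuration of the page's bean example, minus sendingMethod.
EXAMPLE_CONFIG = JobConfig(restrictToClients="100", credentialTypes="OTP, TICKET, CERTIFICATE")
```

With EXAMPLE_CONFIG the first run disables the two expired credentials (including the password credential in client 300, which no filter protects), warns for both OTP cards and renews only card 1; the ticket in client 200 is left alone. A second run on the same day emits both OTP warnings again, which is the duplicate-event effect the page warns about for runs more frequent than daily.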
SingleClientDataConsistencyJob
The goal of the SingleClientDataConsistencyJob batch job is to restore data consistency in single-client mode.
The batch job performs the following actions:
- In single-client mode, each application should be assigned to the default client. The job assigns the default client to any application without an assigned client.
- In single-client mode, each authorization of a nevisIDM role without global client data room must be assigned to the default client data room. The job adds the default client data room to any authorization of a nevisIDM role that has neither a global client data room nor a client data room assigned. The special roles SelfAdmin and TechUser are not considered in the check.
The SingleClientDataConsistencyJob can only be executed in single-client mode. Executing the job in multi-client mode has no effect.
Class
ch.nevis.idm.batch.jobs.SingleClientDataConsistencyJob
Logging
ch.nevis.idm.batch.jobs.SingleClientDataConsistencyJob
Example(s)
<bean id="singleClientDataConsistencyJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Single client data consistency job"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.SingleClientDataConsistencyJob"/>
<property name="durability" value="true"/>
</bean>
EncryptionFallbackCorrectorJob
The goal of the EncryptionFallbackCorrectorJob batch job is to re-encrypt the credentials and property values that were originally encrypted with the default encryption key.
Run this job only once, during a maintenance window, if the database already contains mixed data that should be migrated to the new encryption key. Start it from the admin console only.
To run this job, set security.properties.fallback.enabled to false.
Class
ch.nevis.idm.batch.jobs.EncryptionFallbackCorrectorJob
Configuration
Field | Required? | Format | Description |
---|---|---|---|
oldIv | false | String | IV used by the old encryption. Default value: the default IV setting. |
oldKey | false | String | Key used by the old encryption. Default value: the default key setting. |
oldPaddingLength | false | number | Padding length used by the old encryption. Default value: the default padding length setting. |
oldAlgorithm | false | String | Algorithm used by the old encryption. Default value: the default algorithm setting. |
oldCipher | false | String | Cipher used by the old encryption. Default value: the default cipher setting. |
forceUpdate | false | boolean | true means, that the job should re-encrypt the encrypted value even if the credential or property value currently violates a policy. |
updateDate | true | Date | Date when the new encryption key was set for the system. This is used to determine if some values were encrypted with the new encryption key, so they will not be re-encrypted as if they were still encrypted with the old key. Format: yyyy-MM-dd'T'HH:mm:ss.SSS'Z' |
Logging
ch.nevis.idm.batch.jobs.EncryptionFallbackCorrectorJob
ch.nevis.idm.batch.jobs.encryptionconverter.AbstractEncryptionConverter
Example(s)
<bean id="encryptionFallbackCorrectorJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Upgrade all default encryption entities to new key"/>
<property name="name" value="EncryptionFallbackCorrectorJob"/>
<property name="group" value="ExportGroup"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.EncryptionFallbackCorrectorJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="updateDate" value="2022-08-05T11:50:00.000Z"/>
<entry key="forceUpdate" value="true"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>