Source Code of org.ejbca.core.model.services.workers.RenewCAWorker

/*************************************************************************
 *                                                                       *
 *  EJBCA: The OpenSource Certificate Authority                          *
 *                                                                       *
 *  This software is free software; you can redistribute it and/or       *
 *  modify it under the terms of the GNU Lesser General Public           *
 *  License as published by the Free Software Foundation; either         *
 *  version 2.1 of the License, or any later version.                    *
 *                                                                       *
 *  See terms of license at gnu.org.                                     *
 *                                                                       *
 *************************************************************************/
package org.ejbca.core.model.services.workers;

import java.security.cert.CertPathValidatorException;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.Map;

import org.apache.log4j.Logger;
import org.ejbca.core.ejb.ca.caadmin.CAAdminSessionLocal;
import org.ejbca.core.model.InternalResources;
import org.ejbca.core.model.SecConst;
import org.ejbca.core.model.authorization.AuthorizationDeniedException;
import org.ejbca.core.model.ca.caadmin.CADoesntExistsException;
import org.ejbca.core.model.ca.caadmin.CAInfo;
import org.ejbca.core.model.ca.catoken.CATokenAuthenticationFailedException;
import org.ejbca.core.model.ca.catoken.CATokenInfo;
import org.ejbca.core.model.ca.catoken.CATokenOfflineException;
import org.ejbca.core.model.ca.catoken.ICAToken;
import org.ejbca.core.model.services.BaseWorker;
import org.ejbca.core.model.services.ServiceExecutionFailedException;

/**
 * Worker renewing CA that is about to expire.
 *
 * @author Tomas Gustavsson
 *
 * @version: $Id: RenewCAWorker.java 11268 2011-01-26 23:02:58Z jeklund $
 */
public class RenewCAWorker extends BaseWorker {

  private static final Logger log = Logger.getLogger(RenewCAWorker.class);
    /** Internal localization of logs and errors */
  private static final InternalResources intres = InternalResources.getInstance();

  /** Flag is keys should be regenerated or not */
  public static final String PROP_RENEWKEYS           = "worker.renewkeys";

  /**
   * Worker that makes a query to the Certificate Store about
   * expiring certificates.
   *
   * @see org.ejbca.core.model.services.IWorker#work()
   */
  public void work(Map<Class<?>, Object> ejbs) throws ServiceExecutionFailedException {
    log.trace(">Worker started");
        final CAAdminSessionLocal caAdminSession = ((CAAdminSessionLocal)ejbs.get(CAAdminSessionLocal.class));

    // Find CAs with expire date that is less than configured number of days
    // ahead in the future
    long millistoexpire = getTimeBeforeExpire();
    long now = new Date().getTime();
    long expiretime = now + millistoexpire;

    // Renew these CAs using the CAAdminSessionBean
    // Check the "Generate new keys" checkbox so we can pass the correct parameter to CAAdminSessionBean
    Collection<Integer> caids = getCAIdsToCheck(false);
    log.debug("Checking renewal for "+caids.size()+" CAs");
    Iterator<Integer> iter = caids.iterator();
    while (iter.hasNext()) {
      Integer caid = iter.next();
      CAInfo info = caAdminSession.getCAInfo(getAdmin(), caid.intValue());
      String caname = null;
      if (info != null) {
        caname = info.getName();
        Date expire = info.getExpireTime();
        log.debug("CA "+caname+" expires on "+expire);
        if (expire.before(new Date(expiretime))) {
          try {
            // Only try to renew active CAs
            // There should be other monitoring available to check if CAs that should not be off-line are off-line (HealthCheck)
            CATokenInfo tokeninfo = info.getCATokenInfo();
            log.debug("CA status is "+info.getStatus()+", CA token status is "+tokeninfo.getCATokenStatus());
            if ( (info.getStatus() == SecConst.CA_ACTIVE) && (tokeninfo.getCATokenStatus() == ICAToken.STATUS_ACTIVE) ) {
              caAdminSession.renewCA(getAdmin(), info.getCAId(), null, isRenewKeys());
            } else {
              log.debug("Not trying to renew CA because CA and token status are not on-line.");
            }
          } catch (CADoesntExistsException e) {
            log.error("Error renewing CA: ", e);
          } catch (CATokenAuthenticationFailedException e) {
            log.error("Error renewing CA: ", e);
          } catch (CertPathValidatorException e) {
            log.error("Error renewing CA: ", e);
          } catch (CATokenOfflineException e) {
            log.error("Error renewing CA: ", e);
          } catch (AuthorizationDeniedException e) {
            log.error("Error renewing CA: ", e);
          }
        }
      } else {
        String msg = intres.getLocalizedMessage("services.errorworker.errornoca", caid, caname);
        log.error(msg);
      }
    }
    log.trace("<Worker ended");
  }

  protected boolean isRenewKeys() {
    return properties.getProperty(PROP_RENEWKEYS,"FALSE").equalsIgnoreCase("TRUE");
  }
}