EJBCA has a modular support for Publishers. A publisher can be any external source where you want to send issued certificates and CRLs to be stored.
The Publisher architecture is modular, and it is possible to implement custom publishers that can be integrated and set up in the Admin GUI.
Publisher Access Rules
The presumed administrator of publishers is the built-in CA Administrator role, or more specifically any role with access to /ca_functionality/edit_publishers. Beyond that, only the following publishers are available to a given role:
- Publishers assigned to a CA that the role has access to.
- Publishers not assigned to any CA.
- ENTERPRISE EDITION Validation Authority Peer Publishers, given that the role has access to
The following covers the built-in publishers.
Publisher Queue and Failures
To make publishing robust there is a publisher queue. When a publisher fails, the data to be published is stored in a separate database table, PublisherQueueData. This queue can then be processed by a service; see Publisher Queue Process Service.
Publishers can also be configured not to publish directly at all, but to store everything in the queue for later processing. The benefit of this approach is that publishing is instant from the CA's point of view: when issuing certificates, the CA does not have to wait for all publishers to finish. With many publishers, waiting for each of them can delay the issuing process slightly.
With the setting Safe direct publishing enabled, the behavior is similar to direct publishing, except that the entry is stored in the queue before publishing until the enrollment transaction has been verified as successful. This keeps the local and target systems consistent in the event of a transaction rollback or other unexpected interruption. Compared to plain direct publishing, it comes at a slight cost in enrollment performance.
The following lists the available Publisher Settings:

| Setting | Description |
|---|---|
| | Displays the number of new entries in the queue in the intervals <1 min, 1-10 min, 10-60 min and >60 min. |
| No direct publishing, only use queue | When enabled, the publisher does not try to publish directly but instead pushes the update to the queue for later processing by a Publisher Queue Process Service. |
| Use safe direct publishing | When enabled, the publisher temporarily stores the entry in the publisher queue until the transaction has been verified as successful, before publishing. |
| Keep successfully published items in database | When enabled, items stored in the publisher queue are not removed once real publishing has been done; their status is merely changed from PENDING to SUCCESS. |
| Use queue for CRLs | Determines whether the publisher queue should handle CRLs for this publisher. |
| Use queue for certificates | Determines whether the publisher queue should handle certificates for this publisher. |
Failed publishing attempts are not removed from the queue but remain there, and up to 20,000 attempts are made per call to the Publisher Queue Process service, in batches of 100 queue entries at a time.
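The queue-processing behaviour described above (batches of 100, at most 20,000 attempts per call, failed entries retained for retry, successful entries removed or kept with status SUCCESS) as an added, constructed model in Python; this is not EJBCA code, and the names PublishStatus, QueueEntry, process_queue and demo are illustrative assumptions, not the project's own classes or table columns.

```python
"""Constructed model of EJBCA's publisher queue processing semantics.
Not EJBCA code: all names here are illustrative; only the behaviour
follows the documentation text."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List

class PublishStatus(Enum):
    PENDING = "PENDING"
    SUCCESS = "SUCCESS"

@dataclass(eq=False)
class QueueEntry:
    fingerprint: str          # identifies the certificate or CRL to publish
    status: PublishStatus = PublishStatus.PENDING
    try_counter: int = 0      # failed publish attempts so far (assumed field)

def process_queue(queue: List[QueueEntry], publish: Callable[[QueueEntry], bool],
                  keep_successful: bool = False, batch_size: int = 100,
                  max_attempts_per_call: int = 20000) -> dict:
    """One run of the Publisher Queue Process service for one publisher.

    Walks PENDING entries in batches of batch_size, making at most
    max_attempts_per_call publish attempts. A failed attempt leaves the
    entry in the queue (try_counter incremented) for the next run. A
    successful entry is removed, or, with keep_successful, kept as SUCCESS.
    """
    pending = [e for e in queue if e.status is PublishStatus.PENDING]
    attempted = succeeded = 0
    for start in range(0, len(pending), batch_size):
        if attempted >= max_attempts_per_call:
            break
        for entry in pending[start:start + batch_size]:
            if attempted >= max_attempts_per_call:
                break
            attempted += 1
            if publish(entry):
                succeeded += 1
                if keep_successful:
                    entry.status = PublishStatus.SUCCESS
                else:
                    queue.remove(entry)
            else:
                entry.try_counter += 1
    remaining = sum(1 for e in queue if e.status is PublishStatus.PENDING)
    return {"attempted": attempted, "succeeded": succeeded, "remaining_pending": remaining}

def demo(keep_successful: bool = False) -> dict:
    # Constructed sample: three queued certificates; the target rejects "cert-b".
    queue = [QueueEntry("cert-a"), QueueEntry("cert-b"), QueueEntry("cert-c")]
    stats = process_queue(queue, lambda e: e.fingerprint != "cert-b", keep_successful)
    stats["rows_in_table"] = len(queue)   # rows left in the modelled queue table
    return stats
```

Running demo(True) versus demo(False) shows the only difference the "keep successfully published items" setting makes: the same rejected entry stays PENDING either way, but with the setting on the two published rows remain in the table marked SUCCESS.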