During application startup we expect the database and the audit log protection mechanism to be available.
If either is not, the application fails hard and there is no recovery to a good state.
Note that we can already largely tolerate the database being unavailable in throw-away CA mode with audit logging only to the server log (no database writes).
- We should redesign database interactions to allow delayed activation of the application when the database is not available at startup.
- When the database is available but the database protection mechanism is not, we should allow an admin (perhaps authenticated with a certificate issued by the trust anchor for the Admin GUI, or a CLI admin) to activate the database protection HSM slot.
- Make sure the health check reports down for maintenance (or similar) while EJBCA is not operational.
Design meeting required. (This should probably be done together with the redesign of our object caches.)