Configuration

Engine Configuration

The Axon.ivy engine is configured by files. Most of them are located in the /configuration directory of the engine.

Files

The “ivy.yaml” file contains the most important entries that define the environment and runtime behaviour of the Axon.ivy engine.

# sample ivy.yaml with some often used entries defined
SystemDb:
  Driver: org.mariadb.jdbc.Driver
  Url: jdbc:mariadb://myDbHost:3306/AxonIvySystemDatabase
  UserName: root
  Password: 1234
EMail:
  Server:
    Host: smtp.gmail.com
    Port: 25
Administrators:
  admin:
    Password: 1234
    Email: info@localhost
  devop:
    Password: "${encrypt:4321}"
    Email: dev@axonivy.com
Frontend:
  HostName: workflow.acme.com
  Port: 80

Template files

To craft your own configuration you would typically copy values from our template files, located under [engineDir]/configuration/defaults or the “Configuration File Reference” and adjust them according to your needs. The template files outline valid configuration attributes and document possible values. They are constantly improved by us, and are not designed to store your actual configuration.

System Database

An untouched Axon.ivy engine runs in Demo mode. As a consequence, workflow data is never persisted but kept in an in-memory database. To run a productive engine, an external system database must be connected, where workflow data will be stored.

To define the database of the Axon.ivy engine, the SystemDb entries must be set.

# sample ivy.yaml that configures a MySQL database as data store
SystemDb:
  Driver: com.mysql.jdbc.Driver
  Url: jdbc:mysql://myOtherMysql:3306/AxonIvySystemDatabase
  UserName: theUser
  Password: myPassword

To run the Axon.ivy engine with a System Database a license is required. See “Installing a Licence”.

The schema of the Axon.ivy System Database must exist on the referenced database system. The Engine Config UI and “EngineConfigCli” simplify the creation of the SystemDb connection.

Users

Users are kept in a so-called security system which can be defined in “ivy.yaml”. Each application defines in “app.yaml” which security system is used. There are two types of security systems:

  • Internal Security System: Used to manage the users directly on the Axon.ivy engine. There is only one Internal Security System, which is called Ivy Security System. No further settings are available for this Security System. This is also the default Security System for applications that have no security system defined.

  • External Security System: Used to synchronize users from a name and directory service such as Active Directory. The example below shows a simple connection to an Active Directory. Have a look at the configuration file reference for all supported name and directory services and further settings.

    # sample ivy.yaml that defines an Active Directory as security system
    SecuritySystems:
      # Custom defined name of your security system
      ActiveDirectoryOfMyCompany:
        Provider: "Microsoft Active Directory"
        Connection:
          Url: "ldap://activedirectory.axonivy.com:389"
          UserName: "activedirectory_user@axonivy.com"
          Password: "${encrypt:1234}"
        Binding:
          DefaultContext: "DC=axonivy,DC=com"
          ImportUsersOfGroup: "CN=AXON Ivy IT,DC=axonivy,DC=com"
    

    # app.yaml located in <application-directory>/app.yaml
    SecuritySystem: ActiveDirectoryOfMyCompany

Email

The Axon.ivy engine sends emails for different purposes:

  • Emails that are sent within a process via the mail step.

  • New task assignment and daily task summaries to users.

  • License expiration reminders to the administrators.

For this you have to configure an email server in “ivy.yaml”:

# sample ivy.yaml that configures an email server:
EMail:
  Server:
    Host: mail.axonivy.com
    Port: 25
    MailAddress: noreply@axonivy.com
    User: someuser
    Password: somepassword

  DailyTaskSummary:
    # Time of day when the task summary mails will be sent.
    TriggerTime: "02:00"

You can configure task email notification settings for new task assignments and daily task summaries at application level in “app.yaml”:

# app.yaml located in <application-directory>/app.yaml
EMailNotification:  
  DailySummaryOn: monday, tuesday, wednesday, thursday, friday
  OnNewTasks: true
  Language: de

Users are able to customize their notification settings in a workflow UI like the Portal. The content of the task email notifications can be customized by providing “Standard Processes”.

Html Theme

The look and feel of Html Dialogs is defined by its theme. You can change the appearance of any dialog on several scopes:

Passwords

You may want to encrypt sensitive data like a password in your configuration files. To do this, enclose the value with "${encrypt:}". The Axon.ivy engine automatically encrypts the value and replaces it in the file when the configuration is loaded. The system database password can be encrypted as follows:

# ivy.yaml
SystemDb:
  Password: "${encrypt:myPassword}"

There is a smooth “Secrets” integration, which is very useful in container environments such as Docker.

Overriding Configuration

Environment variables

Configuration entries of YAML files can be overridden with environment variables of the operating system. Configuration keys in YAML form hierarchical object trees whose levels are separated by : characters, whereas the environment variable must be written in uppercase with the levels separated by _ characters. You also need to prefix the environment variable with IVY_.

So to override the SystemDb:Url of the “ivy.yaml” file, the environment variable IVY_SYSTEMDB_URL must be set.

Global application values

The “app.yaml” in the /configuration folder can be used to set global application configuration values that are applied to all applications on the engine.

Docker Containers

Container technology empowers you to pull up reproducible, documented and completely isolated infrastructures. Axon.ivy fully supports container environments such as Docker, Kubernetes or OpenShift. You can easily customize the configuration of an Axon.ivy engine by using system environment variables or by providing configuration files like the “ivy.yaml” file.

The following example overrides the URL of the system database configuration using environment variables:

docker run -e "IVY_SYSTEMDB_URL=jdbc:mysql://db:3306/AxonIvySystemDatabase" ...

Instead of using environment variables, you can simply provide an “ivy.yaml” file.

# ivy.yaml
SystemDb:
  Url: jdbc:mysql://db:3306/AxonIvySystemDatabase

docker run -v "$(pwd)/ivy.yaml:/etc/axonivy-engine/ivy.yaml" ...

For further docker examples have a look at our docker-samples GitHub repository.

Secrets

You can use Docker Secrets to store passwords. Simply create a file in /run/secrets which has the same name as the configuration entry. For example, to provide SystemDb:Password as secret file you need to create the file /run/secrets/ivy.SystemDb.Password
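The Passwords, Environment variables and Secrets rules above can be combined into a small audit of an ivy.yaml before it is committed or baked into an image. The following Python script is an added example, not part of the Axon.ivy documentation or product: it lists every password entry whose clear text is still readable in the file and gives the IVY_ environment variable and /run/secrets file name under which the value could be supplied instead. Assumptions: the function names and the sample input are constructed here, secret file names for keys deeper than SystemDb.Password follow the same dotted pattern, and any other ${...} wrapper is treated as a value the engine has already rewritten.

```python
import re

# Constructed sample, assembled from the ivy.yaml listings on this page.
SAMPLE_IVY_YAML = '''\
# sample ivy.yaml with some often used entries defined
SystemDb:
  Driver: org.mariadb.jdbc.Driver
  Url: jdbc:mariadb://myDbHost:3306/AxonIvySystemDatabase
  UserName: root
  Password: 1234
EMail:
  Server:
    Host: smtp.gmail.com
    Password: "${encrypt:}"
Administrators:
  admin:
    Password: 1234
    Email: info@localhost
  devop:
    Password: "${encrypt:4321}"
    Email: dev@axonivy.com
'''

# indent, key (optionally double-quoted), then either end of line or a value
KEY_LINE = re.compile(r'^(\s*)("[^"]+"|[^\s:#][^:]*?):(?:\s+(.*))?$')
ENCRYPT = re.compile(r'^\$\{encrypt:(.*)\}$', re.S)


def leaf_entries(text):
    """Yield (path, value) for every 'key: value' line of a nested-mapping YAML text.

    Covers only what ivy.yaml uses: space-indented mappings, full-line comments
    and optionally quoted scalars. Lists and multi-line scalars are not handled.
    """
    stack = []  # (indent, key) of the mappings enclosing the current line
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        m = KEY_LINE.match(raw.rstrip())
        if not m:
            continue
        indent = len(m.group(1))
        key = m.group(2).strip('"')
        value = (m.group(3) or '').strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value:
            if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
                value = value[1:-1]
            yield tuple(k for _, k in stack), value


def classify(value):
    """Say how much of the secret is readable in the file as it stands."""
    m = ENCRYPT.match(value)
    if m:
        # "${encrypt:x}" still holds x in clear text until the engine loads the file.
        return 'pending-encryption' if m.group(1) else 'empty'
    if value.startswith('${') and value.endswith('}'):
        return 'engine-managed'  # assumption: another wrapper written by the engine
    return 'plaintext'


def env_name(path):
    """SystemDb:Url -> IVY_SYSTEMDB_URL (rule from 'Environment variables')."""
    return 'IVY_' + '_'.join(path).upper()


def secret_file(path):
    """SystemDb:Password -> /run/secrets/ivy.SystemDb.Password (rule from 'Secrets')."""
    return '/run/secrets/ivy.' + '.'.join(path)


def audit_passwords(text):
    """Return one finding per *Password key whose clear text is present in the file."""
    findings = []
    for path, value in leaf_entries(text):
        if not path[-1].lower().endswith('password'):
            continue
        state = classify(value)
        if state in ('plaintext', 'pending-encryption'):
            findings.append({
                'key': ':'.join(path),
                'state': state,
                'env': env_name(path),
                'secret': secret_file(path),
            })
    return findings


if __name__ == '__main__':
    # The secret values themselves are deliberately never printed.
    for item in audit_passwords(SAMPLE_IVY_YAML):
        print(f"{item['key']:<32} {item['state']:<20} "
              f"env={item['env']}  secret={item['secret']}")
```

Entries reported as pending-encryption are safe only after the engine has loaded and rewritten the file, so they should not reach source control or an image layer in that form.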

Configuration File Reference

ivy.yaml

[engineDir]/configuration/ivy.yaml

#
# -------------------------------------------
# Axon.ivy Engine Configuration
# -------------------------------------------
#
# This file configures the Axon.ivy engine and its external systems.
# EngineGuide/configuration.html
#
# By default the engine is pre-configured to run in demo mode.
# To run an engine in a productive environment at least the system database
# must be configured.
#
# SECRETS / PASSWORDS:
# Any configuration value can be encrypted just by enclosing it with "${encrypt:}".
# * to encrypt the string myPassword write "${encrypt:myPassword}"
#   EngineGuide/configuration.html#configuration-password
#
# OVERRIDING:
# Any configuration value provided here can be set in alternative sources. 
# * environment variables: of the operating system can set app config entries. 
#    Their key must be prefixed with 'IVY_'. 
#    E.g. use 'IVY_SYSTEMDB_URL' to override the jdbc driver url.
#    EngineGuide/configuration.html#configuration-override-env
#



# == System Database Settings == 
#
# Axon.ivy requires a System Database to store the state of running workflow applications.
#
# Unless you run the engine in Demo mode, a valid System DB driver, url and the user+password credentials
# that are able to connect to the database are mandatory.
# 
# [Restart required]
SystemDb:
  # [MySQL]
  Driver: com.mysql.jdbc.Driver
  Url: jdbc:mysql://localhost:3306/AxonIvySystemDatabase
  # > jdbc:mysql://<host>[:<port>]/<database name>

  # [MariaDB]
  Driver: org.mariadb.jdbc.Driver
  Url: jdbc:mariadb://localhost:3306/AxonIvySystemDatabase
  # > jdbc:mariadb://<host>[:<port>]/<database name>

  # [MicrosoftSQL]
  Driver: com.microsoft.sqlserver.jdbc.SQLServerDriver
  Url: jdbc:sqlserver://localhost:1433;DatabaseName=AxonIvySystemDatabase
  # > jdbc:sqlserver://<host>[:<port>];DatabaseName=<database name>

  # [PostgreSQL]
  Driver: org.postgresql.Driver
  Url: jdbc:postgresql://localhost:5432/AxonIvySystemDatabase
  # > jdbc:postgresql://<host>[:<port>]/<database system>

  # The name of the user to connect to system database. E.g. root, sa, admin, ivy, AxonIvy
  UserName: root

  # The password of the user to connect to the system database.
  Password: "${encrypt:1234}"

  # If set to true the system database is automatically converted to the latest version during startup of the Axon.ivy Engine if needed.
  Autoconvert: false

  # Defines how long ivy should wait (in seconds) at startup for the availability of the db server
  BootTimeout: 60

  # Additional driver specific connection properties.
  DriverProperties:
      # [MySQL] Usually set when no SSL connection is used, to prevent warning logs
      useSSL: false
      # [MicrosoftSQL] Instance name of the MSSQL Server
      instanceName: SqlServer



# == Deployment Setting ==
#
Deployment:

  # Directory where the server watches for files to deploy.
  # EngineGuide/administration.html#administration-deployment
  #
  # You may want to use a UNC path to specify a remote network location.
  Directory: deploy



# == Data Settings ==
#
Data:

  # Folder where applications are stored, unless otherwise defined in the deployment.
  # If you change this path, proceed as follows...
  #   1. Stop the engine
  #   2. Change this path and move the existing applications to this new directory
  #   3. Start the engine
  # Absolute paths and relative paths are supported
  # [Restart required] for existing apps
  AppDirectory: applications

  # Root folder where application files are stored.
  # A change in this setting will NOT automatically move existing application files to the new location.
  # A change will require to manually move existing files to the new directory.
  # Absolute and relative (to the engine root directory) paths are supported.
  # If not set the files will be stored underneath each application's file directory.
  # [Restart required] for existing apps
  FilesDirectory: 

  # Directory where the server writes temporary working files to.
  # [Restart required]
  WorkDirectory: work



# == Elasticsearch Settings ==
#
# Axon.ivy uses an Elasticsearch instance to provide a fast query interface against BusinessData.
# The bundled instance is started on demand, in a separate JVM, when an API request needs it.
#
# You can operate Axon.ivy with the bundled Elasticsearch server or with your own external Elasticsearch cluster.
#
# [Restart required] except for UserName and Password of ExternalServer
Elasticsearch:

  # The bundled Elasticsearch server...
  # - is started in a separate JVM when a feature requires BusinessData access.
  # - reachable only on 'localhost' but the access is unprotected. 
  # - JVM arguments used to start the bundled Elasticsearch server can be 
  #   configured in the 'elasticsearch/config/jvm.options' file.
  BundledServer:
    # The path to the directory where the bundled Elasticsearch server stores data.
    # It is recommended to configure a data directory that is located outside of the Engine 
    # installation directory to ease the Engine migration to newer versions.
    DataPath: elasticsearch/data
    # The name of the cluster of the bundled Elasticsearch server.
    # Must not be defined as it is managed by the Axon.ivy Engine.
    ClusterName: 


  # Configure the URL of your own Elasticsearch server if you want to use it instead of the bundled server.
  #
  # To install your own Elastic search installation follow these steps
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/setup.html
  #
  # Currently Axon.ivy supports Elasticsearch server versions in the 5.5.x range. 
  # If your Elasticsearch server is running on another host, 
  # the access to that instance has to be protected.
  # You can achieve that with a front-end webserver like NGINX that enforces basic authentication.
  ExternalServer:
    Url: 
    UserName: 
    Password: "${encrypt:}"
    # Defines how long ivy should wait (in seconds) for the availability of the external elasticsearch server while booting.
    BootTimeout: 60

  # For every business data type an Elasticsearch index will be created. E.g. for type ch.ivy.Dossier the index name is <NamePrefix>-ch.ivy.dossier.
  Index:
    # The name prefix of the index to use to store business data.
    # If multiple ivy Engines use the same Elasticsearch server instance, you need to change this property so that every ivy Engine has unique indices.
    NamePrefix: ivy.businessdata

  # Configures the Elasticsearch client. The client is the ivy engine which communicates with Elasticsearch.
  Client:
    # Maximum seconds to wait until a connection to Elasticsearch can be established.
    ConnectTimeout: 10
    
    # Maximum seconds to wait for data sent by Elasticsearch. 
    # Raise this value if large datasets are expected.
    ReadTimeout: 30



# == EMail Settings ==
#
EMail:
  Server:
    Host: localhost
    Port: -1

    # Email address that will be used for emails sent by the server (e.g. task notification emails)
    MailAddress: noreply@ivyserver.local
    User: guest
    Password: "${encrypt:}"

    #EncryptionMethod: NONE
    SSL:
      KeyAlias: 
      UseKey: false

  DailyTaskSummary:
    # Time of day when the task summary mails will be sent.
    # Format is hh:mm. e.g. "02:00" or "14:15"
    TriggerTime: "00:00"



# == Show Error Messages To End Users Settings ==
#
# When an error occurs while processing a user request an error screen is displayed to the user. 
# 
# The displayed error page can be customized for your needs: 
# EngineGuide/configuration.html#configuration-file-ref-web-xml
#
Errors:
  # Whether stacktraces, detailed error reports, etc. should be shown to end users.
  #
  # By default (false) we only show a unique 'Error Id'. This 'Error Id' can be used to find the error in the log files.
  # 
  # For security reasons normal users should not see technical implementation details.
  # But in development or pre-production environments it might be safe to show the full error
  # details directly to the end user.
  ShowDetailsToEndUser: false



# == Persistence Setting ==
#
Persistence:
  JPA:
    # Persist ivyScript auto initialized fields with NULL values. Affected types are...
    #  - ch.ivyteam.ivy.scripting.objects.Date
    #  - ch.ivyteam.ivy.scripting.objects.DateTime
    #  - ch.ivyteam.ivy.scripting.objects.Time
    # If this option is disabled auto initialized values are stored as before Axon.ivy 6.4.
    defaultInitializedAsNull: true



# == Process Element Firing Statistic Settings ==
#
ProcessEngine:
  FiringStatistic:

    # If activated, a process element statistic is written periodically to the log-directory. Activating it may slow down the server performance.
    Active: false

    # Interval in seconds the 'process element statistic' is written to the log directory
    Interval: 300



# == SSL Client Settings ==
#
SSL:
  Client:
    # A key store is used to read client keys (certificates). 
    # This is only required if a remote server requests a client certificate in order to authenticate the client. 
    KeyStore:
      UseCustom: false
      KeyPassword: "${encrypt:changeit}"
      Algorithm: SunX509
      File: configuration/keystore.jks
      Password: "${encrypt:changeit}"
      Provider: 
      Type: jks

    # A trust store is used to specify trusted server certificates or certificates of certification authorities. 
    # An SSL client authenticates a server by using the certificates in a trust store. 
    TrustStore:
      # The system trust store of the Java Runtime Environment (JRE) contains well known certification authorities
      UseSystem: true
      
      # The custom trust store contains certificates that are self signed or signed by an unknown certification authority 
      UseCustom: false
      Algorithm: PKIX
      File: configuration/truststore.jks
      Password: "${encrypt:changeit}"
      Provider: 
      Type: jks
      
      # Full qualified class name of a trust manager class that is used to validate server certificates. 
      # This manager is only considered if neither a custom nor a system trust store is used.
      ManagerClass: 



# == Failure Behaviour ==
#
SystemTask:
  # Defines the behaviour in case a system task fails. 
  # Valid behaviours are...
  # * FAIL_TASK_DO_RETRY
  # * FAIL_TASK_DO_NOT_RETRY
  # * DESTROY_TASK
  # * DESTROY_CASE
  Failure.Behaviour: FAIL_TASK_DO_RETRY

  # Interval in seconds between executions of the search job for system tasks.
  # The job searches system tasks that were not executed because of failures.
  SearchJob.Interval: 900



# == Thread Pools Settings ==
#
ThreadPool:
  # Executes process engine background operations like Database, WebService calls, etc.
  BackgroundOperationExecutor:
    # Minimum number of threads
    CorePoolSize: 5
    # Maximum number of threads
    MaximumPoolSize: 200
  
  # Executes unscheduled jobs
  ImmediateJobExecutor:
    # Minimum number of threads
    CorePoolSize: 5
    # Maximum number of threads
    MaximumPoolSize: 50
  
  # Executes scheduled jobs
  ScheduledJobExecutor:
    # Minimum number of threads
    CorePoolSize: 5



# == Update Checker Settings ==
#
# When newer Axon.ivy versions are available a message will be displayed on the Axon.ivy Engine main web page. 
# The update message contains information about the new versions and where those can be downloaded. 
#
# While checking for new versions the following statistical information is sent to the update server. 
# This information is only used to improve the product:
# - Engine (version, up time)
# - Configuration (number of: cluster nodes, users, licenced users, applications, process model, process model version, deleted process model version, running cases, running tasks)
# - Licence information (number, organisation, individual)
# - Operating system information (name, version, architecture, number of processors)
# - System database (product name and version, driver, identification number)
# - Java memory information (maximum heap memory, maximum non heap memory)
# - JVM (Java virtual machine) information (version, vendor, name)
# - Host information (host name, SHA-256 hashes of IP address and MAC address to identify the host without being able to read the original IP address and MAC address itself)
#
UpdateChecker:
  #  Whether update notification messages are shown and statistical information is sent to the update server 
  Enabled: true



# == Admin Users ==
#
# List of administrators which will be created during engine startup
# Password and Email will be updated if the administrator already exists
# Email is used to send info mails like license expiration
# 
# Default administrator in demo mode is called admin with password admin
# [Restart required]
Administrators:

  # Example admin user with name myAdmin and password mySecret
  myAdmin:
    Password: "${encrypt:mySecret}"
    Email: info@localhost



# == Security Systems ==
# 
# List of Security Systems. 
# A security system defines how users and roles are managed.
# Security systems that are configured here can be used by applications.
# !! If you change a security system then all users that are no longer defined by the changed security system will be deleted.
# !! SecuritySystem changes are immediately reloaded and a user synchronization is executed. Wrong or incomplete configurations may lead to accidentally removing users!
# !! Switching from Microsoft Active Directory or Novell eDirectory to Axon.ivy Security System keeps all synchronized users, but requires to set new passwords for them.
# !! Tasks assigned to the deleted users are moved to the UNASSIGNED state and have to be manually reassigned later to a new user or role. 
#    
SecuritySystems:

  # Example security system with name mySecuritySystem
  mySecuritySystem:
    # [Axon.ivy Security System]    
    # The Axon.ivy Security System manages the user and roles in the system database. 
    # No additional configuration is needed. 
    Provider: "ivy Security System"
      
    # [Microsoft Active Directory]
    # The Microsoft Active Directory security system uses LDAP to import users and user role relations from AD to the system database.
    # You should also configure at least the properties Url, UserName, Password and DefaultContext.
    Provider: "Microsoft Active Directory"
     
    # ["Novell eDirectory"]
    # The Novell eDirectory security system uses LDAP to import users and user role relations from AD to the system database.
    # You should also configure at least the properties Url, UserName, Password and DefaultContext.
    Provider: "Novell eDirectory"
    
    
    Connection:
      # Url to the naming and directory service
      Url: ldap://localhost:389
        
      # How to authenticate to the naming and directory service
      # none = no authentication (default if UserName/Password NOT configured)
      # simple = user name and password is used (default if UserName/Password is configured)
      AuthenticationKind: simple
        
      # User name to authenticate to the naming and directory service (java.naming.security.principal).
      # Valid formats are... 
      # - LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
      # - Active Directory user name like Administrator@axonivy.com
      UserName:
        
      # Password to authenticate to the naming and directory service (java.naming.security.credentials).
      Password: "${encrypt:}"
        
      # Use a connection pool to store established LDAP connections 
      UseLdapConnectionPool: false
      
      # Here you can configure additional environment properties for the LDAP context.
      Environment:
        # How to handle LDAP aliases. Possible values are... always, never, finding, searching
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
        "java.naming.ldap.derefAliases": always
         
        # Specifying the security protocol. If this property is unspecified, the behaviour is determined by the service provider. Possible value is... ssl
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
        "java.naming.security.protocol": 
         
        # Specifying how referrals encountered by the service provider are to be processed. Possible values are... follow, ignore, throw
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
        "java.naming.referral": follow
    
    
    Binding:
      # Default Context to import from. 
      # The security system only sees and can import objects below the default context. 
      # Normally, you want to see and import all users of a security system then set the default context to the root object/domain.
      # If you want to import only users from a certain department or location, then you can set the default context to the appropriate organization unit or location.
      # See also EverybodyUserGroupName and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
      DefaultContext:
        
      # If configured, then the security system imports only the users that are members of this user group.
      # See also DefaultContext and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
      ImportUsersOfGroup: 
        
      # The security system only imports users that match the given filter.
      # See also DefaultContext and EverybodyUserGroupName to control/filter the users that are imported.
      # Format = LDAP Search Filter (RFC 4515)
      # [Microsoft Active Directory]
      UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"
      # [Novell eDirectory]
      UserFilter: "objectClass=inetOrgPerson"


    UserAttribute:
      # The LDAP attribute that stores the name of a user
      # [Microsoft Active Directory]
      Name: sAMAccountName
      # [Novell eDirectory]
      Name: uid
        
      # The LDAP attribute that stores the full name of a user
      # [Microsoft Active Directory]
      FullName: displayName
      # [Novell eDirectory]
      FullName: fullName
        
      # The LDAP attribute that stores the mail address of a user
      EMail: mail
        
      # The LDAP attribute that stores the language of a user
      Language: 
      
      # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)
      Properties:
        # Maps a user property to an LDAP attribute
        # In the example below 'phoneNumber' is the name of the user property. 
        # The value of the property is imported from the LDAP attribute 'phone' of the user.
        phoneNumber: phone
    
    
    Membership:
      # The LDAP attribute that stores the user groups a user is member of
      # [Microsoft Active Directory]
      UserMemberOfAttribute: memberOf
      # [Novell eDirectory]
      UserMemberOfAttribute: groupMembership
      
      # Should the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership.
      # Sometimes this LDAP attribute is not available because of security concerns. 
      # If you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.
      # [Microsoft Active Directory]
      UseUserMemberOfForUserRoleMembership: true
      # [Novell eDirectory]
      UseUserMemberOfForUserRoleMembership: false
      
      # The LDAP attribute that stores the user groups a user group is member of
      # [Microsoft Active Directory]
      UserGroupMemberOfAttribute: memberOf
      # [Novell eDirectory]
      UserGroupMemberOfAttribute: groupMembership
      
      # The LDAP attribute that stores the members (user, user groups) of a user group
      # [Microsoft Active Directory]
      UserGroupMembersAttribute: member
      # [Novell eDirectory]
      UserGroupMembersAttribute: uniqueMember
      
      # Does the security system have to traverse nested groups (groups that are members of a group) to find all users that are member of a user group?
      # Some external security systems provide all users on the member attribute of a user group even those that are members of nested groups.
      # [Microsoft Active Directory]
      TraverseNestedGroups: true
      # [Novell eDirectory]
      TraverseNestedGroups: false
    
    
    # The number of objects the security system can read in one LDAP request
    PageSize: 500
      
    # Time of day when the security system will synchronize the users.
    # Format is hh:mm. e.g. "02:00" or "14:15"
    UpdateTime: "00:00"

app.yaml

[engineDir]/configuration/app.yaml

#
# -------------------------------------------
# Axon.ivy Application Configuration
# -------------------------------------------
# 
# This file defines the configuration for its application.
# EngineGuide/configuration.html#configuration-file-ref-app-yaml
# 
# By default applications are pre-configured to run without any dependencies.
# However in productive environments applications often interact with many 
# external systems such as Mail Servers (SMTP) or Directory services (LDAP). 
# 
# The 'defaults/app.yaml' serves as template that can be copied into
# an application directory as 'app.yaml' file.
# However 'app.yaml' can be deployed as part of the application projects. 
# EngineGuide/administration.html#administration-deployment
#
# SECRETS / PASSWORDS:
# Any configuration value can be encrypted just by enclosing it with "${encrypt:}".
# * to encrypt the string myPassword write "${encrypt:myPassword}"
#   EngineGuide/configuration.html#configuration-password
#
# OVERRIDING:
# Any configuration value provided here can be set in alternative sources. 
# * environment variables: of the operating system can set app config entries. 
#    Their key must be prefixed with 'IVY_APPLICATIONS_MYAPPNAME_'. 
#    E.g. use 'IVY_APPLICATIONS_MYAPPNAME_SECURITYSYSTEM' to override the security system.
#    EngineGuide/configuration.html#configuration-override-env
# * ivy.yaml: can contain app specific entries, by placing them under the 'Applications' node.
#    Applications:
#      myAppName:
#        SecuritySystem: mySecuritySystem
#    EngineGuide/configuration.html#configuration-file-ref-ivy-yaml
#



# == Data Settings ==
#
Data:

  # Application folder where application files are stored. It overrides the root file folder setting.
  # A change in this setting will NOT automatically move existing application files to the new location.
  # A change will require to manually move existing files to the new directory.
  # Absolute and relative (to the engine root directory) paths are supported.
  # If not set the files will be stored in an application specific directory underneath the root file folder.
  # [Restart required] for existing apps
  FilesDirectory: 



# == Security System ==
# 
# A security system manages users and roles and must be defined in ivy.yaml with a name.
# Here you can reference such a security system by its name. If no security system is defined the 'ivy Security System' is in charge.
# EngineGuide/configuration.html#configuration-users
# !! If you change the security system of an application then all users that are no longer defined by the new security system will be deleted. 
# !! Tasks assigned to the deleted users are moved to the UNASSIGNED state and have to be manually reassigned later to a new user or role.
#
SecuritySystem: 



# == Environment ==
#
# Environments can be defined in ivy projects. Here you can activate a specific environment.
#
ActiveEnvironment: Default



# == EMail Notification Settings ==
# 
# These email notification settings will be applied to all users of an application.
# Users still have the option to customize their e-mail notification settings for themselves.
#
EMailNotification:
  # Whether users should receive a mail when a new task is assigned. Possible values are: true, false
  OnNewTasks: false

  # On which days of the week the users should receive a daily task summary.
  # Possible values are: never, always, monday, tuesday, wednesday, thursday, friday, saturday, sunday
  # Any combination of weekdays is allowed.
  # In ivy.yaml you can configure when the email is sent EMail:DailyTaskSummary:TriggerTime
  DailySummaryOn: never

  # Language of the emails. You can specify a locale. e.g. de, de_CH, de_AT, de_DE, en, en_GB, en_US, fr, vi
  Language: en



# == Standard Processes ==
# 
# Standard processes are a set of predefined processes, which you can customize in your ivy project.
# To enable these custom processes, the library id of the ivy project must be specified here.
# The library id is <group-id>:<project-id> from the ivy project deployment definition.
# e.g the library id of the portal template is "ch.ivyteam.ivy.project.portal:portalTemplate"
#
StandardProcess: 
 
  # EngineGuide/administration.html#administration-standardprocess-defaultpages
  DefaultPages: 

  # EngineGuide/administration.html#administration-standardprocess-emailnotifications
  MailNotification: 



# == Properties ==
# 
# Application properties can be queried by ivy projects and allow ivy developers to make their projects configurable.
#
Properties:

  # JSF PrimeFaces theme that is used by HTML Dialogs.
  # Available themes:
  #  ivy, modena-ivy, afterdark, afternoon, afterwork, aristo, black-tie, blitzer, bluesky, bootstrap, casablanca, cupertino, cruze, dark-hive,
  #  delta, dot-luv, eggplant, excite-bike, flick, glass-x, home, hot-sneaks, humanity, le-frog, midnight, mint-choc, overcast, pepper-grinder,
  #  redmond, rocket, sam, smoothness, south-street, start, sunny, swanky-purse, trontastic, ui-darkness, ui-lightness, vader, modena
  jsf.primefaces.theme: modena-ivy



# == Global Variables ==
# 
# Global variables are defined in ivy projects.
# All of those can be overridden independently of the environment.
#
GlobalVariables:
  myGlobalVariable: value



# == Databases ==
# 
# Databases are defined in ivy projects with a name.
# Connection details from those databases can be overridden independently of the environment by addressing the database with its name.
#
Databases:

  # This is an example configuration for the database with the name myDb.
  myDb:
    Url: "jdbc:mysql://localhost:3306/myDbName"
    Driver: com.mysql.jdbc.Driver
    UserName: admin
    Password: "${encrypt:1234}"
    MaxConnections: 5

    # Properties are merged with higher priority with those from the project.
    Properties:
      name: value



# == RestClients ==
#
# Rest Clients are defined in ivy projects with a name.
# Any configuration from those clients can be overridden independently of the environment by addressing the client with its name.
#
RestClients:

  # This is an example configuration for the rest client with the name myRestClient.
  myRestClient:
    Url: "http://localhost:8080"

    # If defined, all features from the project will be completely replaced.
    Features:
      - ch.ivyteam.ivy.rest.client.mapper.JsonFeature
      - ch.ivyteam.ivy.rest.client.authentication.HttpBasicAuthenticationFeature

    # Properties are merged with higher priority with those from the project.
    Properties:
      username: admin
      password: "${encrypt:1234}"
      name: value



# == WebServiceClients ==
#
# Web Service Clients are defined in ivy projects with a name.
# Any configuration from those clients can be overridden independently of the environment by addressing the client with its name.
#
WebServiceClients:

  # This is an example configuration for the soap web service client with the name myWebService.
  myWebService:
  
    # If defined, endpoint urls will be completely replaced per port type with those from the project.
    Endpoints:

      # name of the port type, which is defined in the project.
      myPortType:
        - "http://localhost:8088"
        - "http://webservice/api/soap"
    
    # If defined, all features from the project will be completely replaced.
    Features:
      - ch.ivyteam.ivy.webservice.exec.cxf.feature.HttpBasicAuthenticationFeature
      - ch.ivyteam.ivy.webservice.exec.cxf.feature.ProxyFeature

    # Properties are merged with higher priority with those from the project.
    Properties:
      username: admin
      password: "${encrypt:1234}"
      name: value
      
      # Authentication property for the legacy axis stack
      # Possible values for axis 1: NONE, HTTP_BASIC
      # Possible values for axis 2: NONE, HTTP_BASIC, HTTP_DIGEST, NTLM
      authType: NONE

ivy.webserver.yaml

[engineDir]/configuration/defaults/ivy.webserver.yaml

#
# -------------------------------------------
# Axon.ivy Web Server Configuration
# -------------------------------------------
#
# This file is a template to configure the internal Web Server of the Axon.ivy engine.
# EngineGuide/configuration.html
# 
# Copy contents of this template to 'configuration/ivy.yaml' before adjusting them to your needs.
# EngineGuide/configuration.html#configuration-file-ref-ivy-yaml
#
# By default this configuration enables all available features 
# of the Axon.ivy engine so that all capabilities that might be used
# by a workflow project are accessible.
#
# 
# OVERRIDING:
# Any configuration value of this file can be set in alternative sources. 
# * environment variables of the operating system can set app config entries.
#    Their key must be prefixed with 'IVY_'. 
#    E.g. use 'IVY_FRONTEND_PORT' to override the front-end webserver port.
#    EngineGuide/configuration.html#configuration-override-env
# 



# == Front-end Web Server (Reverse Proxy, IIS, Apache, Load balancer, ...) Settings ==
#
# Links generated by Axon.ivy often contain absolute links to the ivy server (e.g. for mails).
# If your Axon.ivy engine is only accessible to clients through a front-end web server,
# the host, port and protocol of that server must be specified.
Frontend:
  # Hostname of the accessible web server
  HostName: localhost
  
  # Port of the accessible web server
  Port: 443
  
  # Protocol of the accessible web server
  Protocol: https



# == REST Service Settings ==
#
# Configures the RESTful services provided.
# [Restart required]
REST.Servlet:
  # Controls the REST servlet interface. If disabled no REST resources will be accessible. 
  # Calls to remote REST services are still possible.
  Enabled: true

  # Provides the general CSRF protection via 'X-Requested-By' header for REST services.
  CSRF.Protection: true
      
  # Provide the REST resources for the mobile app under '{application}/api/workflow'.
  MobileWorkflow.API: true
      
  # Allows the service developer to get diagnostic information about request processing by Jersey. 
  # Those diagnostic/tracing information are returned in response headers (X-Jersey-Tracing-nnn). 
  # On productive environments this feature should not be turned on.
  # Valid values are either "OFF", "ON_DEMAND" or "ALL"
  Tracing: "OFF"



# == Miscellaneous Settings ==

# Session identifier will be renewed on login to prevent the 'Session Fixation' attack.
Session.RenewIdOnLogin: true
    
# Name of the Ivy servlet context. Use a simple name without any special characters (e.g. ivy).
# [Restart required]
WebServer.IvyContextName: ivy

# Disable it if you don't use the Mobile Offline Dialog feature.
# [Restart required]
OfflineDialog.Enabled: true



# == Web Server Connector Settings ==
# https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
Connector:
  # [Restart required]
  HTTP:
    Enabled: true
    Port: 8080
    AcceptCount: 100
    Address: 
    AllowTrace: false
    BufferSize: 2048
    CompressableMimeType: text/html,text/xml,text/plain
    Compression: off
    ConnectionLinger: -1
    ConnectionTimeout: 60000
    DisableUploadTimeout: true
    EmptySessionPath: false
    EnableLookups: false
    MaxHttpHeaderSize: 8192
    MaxKeepAliveRequests: 100
    MaxPostSize: 2097152
    MaxSavePostSize: 4096
    MaxSpareThreads: 50
    MaxThreads: 200
    MinSpareThreads: 4
    NoCompressionUserAgents: 
    ProxyName: 
    ProxyPort: 
    RedirectPort: 8443
    RestrictedUserAgents: 
    Server: 
    SocketBuffer: 9000
    Strategy: lf
    TcpNoDelay: true
    ThreadPriority: 5
    URIEncoding: UTF-8
    UseBodyEncodingForURI: false
    UseIPVHosts: false
    XpoweredBy: false
  
  # [Restart required]
  HTTPS:
    Enabled: true
    Port: 8443
    AcceptCount: 1000
    Address: 
    Algorithm: 
    AllowTrace: false
    BufferSize: 2048
    Ciphers: 
    ClientAuth: false
    CompressableMimeType: text/html,text/xml,text/plain
    Compression: off
    ConnectionLinger: -1
    ConnectionTimeout: 60000
    DisableUploadTimeout: true
    EmptySessionPath: false
    EnableLookups: false
    KeyAlias: 
    KeystoreFile: configuration/keystore.jks
    KeystorePass: 
    KeystoreType: 
    MaxHttpHeaderSize: 8192
    MaxKeepAliveRequests: 100
    MaxPostSize: 2097152
    MaxSavePostSize: 4096
    MaxSpareThreads: 50
    MaxThreads: 200
    MinSpareThreads: 4
    NoCompressionUserAgents: 
    ProxyName: 
    ProxyPort: 
    RedirectPort: 8443
    RestrictedUserAgents: 
    Server: 
    SocketBuffer: 9000
    SslProtocol: TLS
    Strategy: lf
    TcpNoDelay: true
    ThreadPriority: 5
    TruststoreFile: 
    TruststorePass: 
    TruststoreType: 
    URIEncoding: UTF-8
    UseBodyEncodingForURI: false
    UseIPVHosts: false
    XpoweredBy: false
    
  # [Restart required]
  AJP:
    Enabled: true
    Port: 8009
    Address: 
    AllowTrace: false
    BackLog: 100
    BufferSize: 2048
    ConnectionTimeout: 60000
    EmptySessionPath: false
    EnableLookups: false
    MaxPostSize: 2097152
    MaxSavePostSize: 4096
    MaxSpareThreads: 50
    MaxThreads: 200
    MinSpareThreads: 4
    PacketSize: 8192
    ProxyName: 
    ProxyPort: 
    RedirectPort: 8443
    TcpNoDelay: true
    ThreadPriority: 5
    TomcatAuthentication: false
    URIEncoding: UTF-8
    UseBodyEncodingForURI: false
    UseIPVHosts: false
    XpoweredBy: false
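
An added example, not part of the Axon.ivy template or documentation: a Python check that reads an ivy.yaml fragment and reports where CSRF.Protection, Tracing or Session.RenewIdOnLogin differ from the values the template comments describe, or where a connector sets AllowTrace to true. It also honours 'IVY_' environment overrides. The function names and the sample fragment are constructed for illustration, and the rule that maps nested keys to variable names is an assumption extrapolated from the 'IVY_FRONTEND_PORT' example above.

```python
import os
import re

# Settings whose template comments name the protective value.
EXPECTED = {
    "REST.Servlet/CSRF.Protection": "true",
    "REST.Servlet/Tracing": "OFF",
    "Session.RenewIdOnLogin": "true",
}

def flatten(text):
    """Flatten the nested 'Key: value' subset of YAML used by the template
    into {'Parent/Child': 'value'}. Not a general YAML parser."""
    flat, stack = {}, []                      # stack holds (indent, key)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "- ")) or ":" not in line:
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        flat["/".join([k for _, k in stack] + [key])] = value
        if value == "":                       # possible parent of nested keys
            stack.append((indent, key))
    return flat

def env_name(path):
    """ASSUMPTION: override variable = 'IVY_' + upper-cased key path with '.'
    and nesting replaced by '_' (fits 'IVY_FRONTEND_PORT' in the template)."""
    return "IVY_" + re.sub(r"[./]", "_", path).upper()

def audit(text, env=None):
    """Return (path, effective value, source) for every deviating setting."""
    env = os.environ if env is None else env
    flat = flatten(text)
    checks = dict(EXPECTED)
    # The template ships every connector with AllowTrace: false
    # (Tomcat's allowTrace switches the HTTP TRACE method on).
    for path in flat:
        if re.fullmatch(r"Connector/[^/]+/AllowTrace", path):
            checks[path] = "false"
    findings = []
    for path, want in checks.items():
        value, source = flat.get(path), "file"
        if env_name(path) in env:             # environment wins over the file
            value, source = env[env_name(path)], "env " + env_name(path)
        if value not in (None, "") and value.lower() != want.lower():
            findings.append((path, value, source))
    return findings

# Constructed ivy.yaml fragment, not taken from a real engine.
SAMPLE = """\
REST.Servlet:
  Enabled: true
  CSRF.Protection: false
  Tracing: "OFF"
Session.RenewIdOnLogin: true
Connector:
  HTTP:
    Enabled: true
    AllowTrace: false
  AJP:
    Enabled: true
    AllowTrace: true
"""

if __name__ == "__main__":
    # Constructed environment: tracing switched on outside the file.
    for finding in audit(SAMPLE, {"IVY_REST_SERVLET_TRACING": "ALL"}):
        print("%s = %s (%s)" % finding)
```

Settings that are absent from both the file and the environment are not reported, because the template default then applies.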

ivy.cache.properties

[engineDir]/configuration/ivy.cache.properties

#
# -------------------------------------------
# Axon.ivy System Database Cache
# -------------------------------------------
#
# This file configures how data, loaded from the internal system database, are cached in the memory.
# https://dev.axonivy.com/doc/latest/EngineGuideHtml/configuration.html
# 
# This file rarely has to be adjusted, and only if a concrete performance issue has been identified.
#
#
# OVERRIDING:
# Any configuration value provided here can be set in alternative sources. 
# * environment variables of the operating system can set cache entries.
#    Their key must be prefixed with 'IVY_SYSTEMDB_CACHE_'. 
#    E.g. use 'IVY_SYSTEMDB_CACHE_CH_IVYTEAM_IVY_CASEMAP_INTERNAL_DATA_CASEMAPBUSINESSCASEDATA_COUNTLIMIT' to raise a count limit.
#    https://dev.axonivy.com/doc/latest/EngineGuideHtml/configuration.html#configuration-override-env
#



# == System Database Cache Settings ==
 
# ch.ivyteam.ivy.casemap.internal.data.CaseMapBusinessCaseData.CountLimit=1000
# ch.ivyteam.ivy.casemap.internal.data.CaseMapBusinessCaseData.UsageLimit=57600
# ch.ivyteam.ivy.casemap.internal.data.CaseMapEventData.CountLimit=1000
# ch.ivyteam.ivy.casemap.internal.data.CaseMapEventData.UsageLimit=57600
# ch.ivyteam.ivy.cm.internal.data.BinaryContentData.CountLimit=30000
# ch.ivyteam.ivy.cm.internal.data.BinaryContentData.UsageLimit=360000
# ch.ivyteam.ivy.cm.internal.data.ContentObjectData.CountLimit=10000
# ch.ivyteam.ivy.cm.internal.data.ContentObjectData.UsageLimit=360000
# ch.ivyteam.ivy.cm.internal.data.ContentObjectValueData.CountLimit=30000
# ch.ivyteam.ivy.cm.internal.data.ContentObjectValueData.UsageLimit=360000
# ch.ivyteam.ivy.cm.internal.data.StringContentData.CountLimit=30000
# ch.ivyteam.ivy.cm.internal.data.StringContentData.UsageLimit=360000
# ch.ivyteam.ivy.cm.internal.data.TextContentData.CountLimit=30000
# ch.ivyteam.ivy.cm.internal.data.TextContentData.UsageLimit=360000
# ch.ivyteam.ivy.security.internal.data.AccessControlData.CountLimit=1000
# ch.ivyteam.ivy.security.internal.data.AccessControlData.UsageLimit=57600
# ch.ivyteam.ivy.security.internal.data.RichDialogUserContextData.CountLimit=1000
# ch.ivyteam.ivy.security.internal.data.RichDialogUserContextData.UsageLimit=57600
# ch.ivyteam.ivy.security.internal.data.RolePropertyData.CountLimit=1000
# ch.ivyteam.ivy.security.internal.data.RolePropertyData.UsageLimit=57600
# ch.ivyteam.ivy.security.internal.data.UserAbsenceData.CountLimit=1000
# ch.ivyteam.ivy.security.internal.data.UserAbsenceData.UsageLimit=57600
# ch.ivyteam.ivy.security.internal.data.UserData.CountLimit=1000
# ch.ivyteam.ivy.security.internal.data.UserData.UsageLimit=57600
# ch.ivyteam.ivy.security.internal.data.UserLocationData.CountLimit=1000
# ch.ivyteam.ivy.security.internal.data.UserLocationData.UsageLimit=57600
# ch.ivyteam.ivy.security.internal.data.UserPropertyData.CountLimit=1000
# ch.ivyteam.ivy.security.internal.data.UserPropertyData.UsageLimit=57600
# ch.ivyteam.ivy.security.internal.data.UserSubstituteData.CountLimit=1000
# ch.ivyteam.ivy.security.internal.data.UserSubstituteData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.AdditionalPropertyData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.AdditionalPropertyData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.BusinessCaseDataData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.BusinessCaseDataData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.CaseData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.CaseData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.EventLogCaseHistoryData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.EventLogCaseHistoryData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.EventLogData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.EventLogData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.EventLogDataData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.EventLogDataData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.EventLogStatusData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.EventLogStatusData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.EventLogTaskHistoryData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.EventLogTaskHistoryData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.IntermediateEventData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.IntermediateEventData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.IntermediateEventDataData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.IntermediateEventDataData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.IntermediateEventElementData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.IntermediateEventElementData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.NoteData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.NoteData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.PageArchiveData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.PageArchiveData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.PageElementData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.PageElementData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.SignaledTaskData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.SignaledTaskData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.SignalEventData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.SignalEventData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.SignalEventDataData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.SignalEventDataData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.StartElementData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.StartElementData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.StartEventElementData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.StartEventElementData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.StartSignalEventElementData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.StartSignalEventElementData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.StartTaskDataData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.StartTaskDataData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.TaskBoundarySignalEventReceiverData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.TaskBoundarySignalEventReceiverData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.TaskData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.TaskData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.TaskDataData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.TaskDataData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.TaskElementData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.TaskElementData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.TaskEndData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.TaskEndData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.TaskLocationData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.TaskLocationData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.TaskStartData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.TaskStartData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.TaskSwitchEventData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.TaskSwitchEventData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.WebServiceProcessData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.WebServiceProcessData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.WebServiceProcStartElementData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.WebServiceProcStartElementData.UsageLimit=57600
# ch.ivyteam.ivy.workflow.internal.data.WorkflowEventData.CountLimit=1000
# ch.ivyteam.ivy.workflow.internal.data.WorkflowEventData.UsageLimit=57600

log4jconfig.xml

[engineDir]/configuration/log4jconfig.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<!--
  ===========================================
  Axon.ivy Logging Configuration
  ===========================================

  This is the logging configuration file for Axon.ivy Engine.
  It defines which log messages are logged (category/priority) and where the logs are written to. 
   
  Logging in Axon.ivy Engine is based on a 3rd party library called Log4J.
  http://logging.apache.org/log4j

-->
<log4j:configuration debug="false" xmlns:log4j="http://jakarta.apache.org/log4j/">

  <!-- appender that writes log messages to 'logs/ivy.log' -->
  <appender name="FileLog" class="org.apache.log4j.DailyRollingFileAppender">
    <param name="Threshold" value="INFO"/>
    <param name="File" value="${user.dir}/logs/ivy.log"/>
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
    <layout class="ch.ivyteam.log.layout.IvyLog4jLayout">
      <param name="DateFormat" value="yyyy-MM-dd HH:mm:ss.SSS"/>
    </layout>
  </appender>

  <!-- appender that writes log messages with priority WARN or higher to the console -->
  <appender name="ConsoleAppender" class="org.apache.log4j.ConsoleAppender">
    <param name="Threshold" value="WARN"/>
    <layout class="ch.ivyteam.log.layout.IvyLog4jLayout">
      <param name="DateFormat" value="HH:mm:ss.SSS"/>
      <param name="ContextPrinting" value="false"/>
      <param name="FixedCategoryLength" value="40"/>
    </layout>
  </appender>

  <!-- appender that writes configuration changes to 'logs/config.log' -->
  <appender name="ConfigLog" class="org.apache.log4j.DailyRollingFileAppender">
    <param name="File" value="${user.dir}/logs/config.log"/>
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
    <layout class="ch.ivyteam.log.layout.IvyLog4jLayout">
      <param name="DateFormat" value="yyyy-MM-dd HH:mm:ss.SSS"/>
      <param name="ContextPrinting" value="false"/>
    </layout>
  </appender>
  
  <!-- appender that writes log messages to 'logs/runtime.log' -->
  <appender name="RuntimeLog" class="org.apache.log4j.DailyRollingFileAppender">
    <param name="File" value="${user.dir}/logs/runtime.log"/>
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
    <layout class="ch.ivyteam.log.layout.IvyLog4jLayout">
      <param name="DateFormat" value="yyyy-MM-dd HH:mm:ss.SSS"/>
    </layout>
  </appender>

  <!-- prevent "ClientAbortException: java.io.IOException: Broken pipe" from filling the log -->
  <category name="org.apache.myfaces.application.ResourceHandlerImpl" class="ch.ivyteam.log.Logger">
    <priority value="FATAL"/>
  </category>

  <!-- disable deprecated integer API warnings -->
  <!--
  <category name="ch.ivyteam.ivy.persistence.restricted.TableKeyCompatibilityConvertor" class="ch.ivyteam.log.Logger">
    <priority value="ERROR"/>
  </category>
  -->

  <!-- 
    Enables web service client SOAP message logging for a certain application and process model.
    Replace {application} and {process_model} in the logger name below with the name of the application and process model for which you want to enable logging.
  -->
  <!-- 
  <category name="runtimelog.{application}.{process_model}.web_service" class="ch.ivyteam.log.Logger" additivity="false">
    <priority value="DEBUG"/>
    <appender-ref ref="RuntimeLog"/>
  </category>
  -->

  <!-- 
    Enables Rest client message logging for a certain application and process model.
    Replace {application} and {process_model} in the logger name below with the name of the application and process model for which you want to enable logging.
  -->
  <!-- 
  <category name="runtimelog.{application}.{process_model}.rest_client" class="ch.ivyteam.log.Logger" additivity="false">
    <priority value="DEBUG"/>
    <appender-ref ref="RuntimeLog"/>
  </category>
  -->

  <!--
    Config Monitoring: Writes an audit log that tracks configuration changes over time.
    These logs are not passed to the root logger (additivity="false")
  -->
  <logger name="ch.ivyteam.ivy.audit.config" additivity="false">
    <level value="INFO"/>
    <appender-ref ref="ConfigLog"/>
  </logger>

  <!-- every log message with priority INFO or higher is passed to the file and console appender -->
  <root>
    <level value="INFO"/>
    <appender-ref ref="FileLog"/>
    <appender-ref ref="ConsoleAppender"/>
  </root>
  
</log4j:configuration>

web.xml

[engineDir]/webapps/ivy/WEB-INF/web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  ========================================================================
   Configures the embedded Tomcat Webserver of Axon.ivy
  ========================================================================

  Please keep the web.xml file on the designer and engine in sync
  to have the same settings on designer and engine,
  because this file is not deployed from the designer to the engine.

  See apache tomcat documentation for more information about this configuration:
  http://tomcat.apache.org/tomcat-8.5-doc/config/
  
  After a change in the web.xml a restart of Axon.ivy is required 
  to apply the new configuration.
  
-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
  version="3.0"
  metadata-complete="false">

	<!-- ====================== Html Dialog Configuration =================== -->
	
	<!--
	THEME:
	To set the primefaces theme (default is 'modena-ivy', was 'ivy' with 5.1)
	remove the comment markers from around the context-param below
	See available themes: http://primefaces.org/themes.html
		-->
	<!--
	<context-param>
		<param-name>primefaces.THEME</param-name>
		<param-value>#{ivyPrimefacesThemeResolver.getTheme('modena-ivy')}</param-value>
	</context-param>
	-->
	 
	<!--
	#{ivyThemeResolver.getThemes()} returns a list of all themes that are available by default.
	If additional customer specific themes are installed they can be configured as comma separated list in the context-param below.
	#{ivyThemeResolver.getThemes()} will then additionally also return the configured customer specific themes.
	-->
	<!--
	<context-param>
		<param-name>primefaces.customer.themes</param-name>
		<param-value></param-value>
	</context-param>
	-->  


	<!-- ======================= Error pages ================================ -->
	<!-- 
	    Custom error pages can be added with error-page elements below.
	    The referenced error-page must be placed in the folder 'webapps/ivy'.
	    
	    The pre-configured default error page is: 
	    
		<error-page>
			<location>/ivy-error-page.xhtml </location>
		</error-page>
	    
	    By adding an <error-code> or <exception-type> tag to the <error-page> configuration
	    it is also possible to configure a specific error page for status codes
	    or kinds of exceptions:
	    
		<error-page>
			<exception-type>java.lang.Throwable</exception-type>
			<location>/custom-exception-error-page.xhtml</location>
		</error-page>
		<error-page>
			<error-code>404</error-code>
			<location>/custom-404-error-page.xhtml</location>
		</error-page>
	    
		Implementation:
		Use the 'ErrorPageMBean' to retrieve information about the thrown exception and the environment: 
		https://developer.axonivy.com/doc/latest/PublicAPI/ch/ivyteam/ivy/webserver/ErrorPageMBean.html 
	-->
	<!--
	<error-page>
		<error-code>404</error-code>
		<location>/custom-404-error-page.xhtml</location>
	</error-page>
	-->


	<!-- ==================== Default Session Configuration ================= -->
	<session-config>
		<!-- 
		session-timeout: [default=30]
		
		Defines the amount of time in minutes after which an inactive user session will be closed. 
		Closing sessions means that server side state (e.g. Html Dialog instance) is flushed.
		      -->
		<session-timeout>30</session-timeout>
		
		<!--
		cookie-config/secure: [default=false]
		
	 	Enable the secure flag when accessing the Webserver over HTTPS (strongly recommended).
		When enabled the session cookie is only transmitted over HTTPS and not over HTTP.
		-->
		<!-- 
		<cookie-config>
			<secure>true</secure>
		</cookie-config>
		-->
	</session-config>


	<!-- ==================== Security Headers ============================== -->
	<!--                                                                      -->
	<!-- Some commonly recommended HTTP Security Headers are configured here  -->
	<!-- for the /ivy web application.                                        -->
	<!-- These Security Headers are added on the HTTP Responses               -->
	<!-- to the Client Browser.                                               -->
	<!-- But not all Security Headers are supported by all Web browsers.      -->
	<!-- See: https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html     -->
	<!--                                                                      -->
	<!-- |=========================|===============|                          -->
	<!-- | HEADER                  | VALUE         |                          -->
	<!-- |=========================|===============|                          -->
	<!-- | X-Frame-Options         | SAMEORIGIN    |                          -->
	<!-- | X-XSS-Protection        | 1; mode=block |                          -->
	<!-- | X-Content-Type-Options  | nosniff       |                          -->
	<!-- |=========================|===============|                          -->
	<!--                                                                      -->
	<filter-mapping>
		<filter-name>httpSecurityHeaders</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
	</filter-mapping>
	<filter>
		<filter-name>httpSecurityHeaders</filter-name>
		<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
		<init-param>
			<param-name>antiClickJackingOption</param-name>
			<param-value>SAMEORIGIN</param-value>
		</init-param>
		<init-param>
			<param-name>xssProtectionEnabled</param-name>
			<param-value>true</param-value>
		</init-param>
		<init-param>
			<param-name>blockContentTypeSniffingEnabled</param-name>
			<param-value>true</param-value>
		</init-param>
	</filter>
</web-app>

context.xml

[engineDir]/webapps/ivy/META-INF/context.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
 ========================================================================
  Configures Valves and Realms of the embedded Tomcat Webserver
 ========================================================================

 Please keep the context.xml file on the designer and engine in sync
 to have the same settings on designer and engine
 as this file is not deployed from the designer to the engine

 See apache tomcat documentation for more information about context configuration:
 https://tomcat.apache.org/tomcat-8.5-doc/config/context.html

-->
<Context antiResourceLocking="false" privileged="true" >


	<!-- ====================== Tomcat Valves ====================== -->
	
	<!--
	  Limits the access to the ivy application to clients connecting from localhost.
	-->
	<!--
	<Valve className="org.apache.catalina.valves.RemoteAddrValve"
	       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
	-->
	
	<!--
	  Creates an access log entry for each request against the ivy application.
	-->
	<!--
	<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
	       prefix="access_log." suffix=".txt"
	       pattern="%h %l %u %t &quot;%r&quot; %s %b" />
	-->
  
    
    
	<!-- ====================== Axon.ivy Valves ==================== -->
	   
	<!--
	  SingleSignOnValve:
	  
	  Enables single sign on of the user given in a request header field.  
	  The name of the request header field can be configured in the attribute 'userNameHeader'.
	  
	  !! Only use this Valve if you exclusively access Axon.ivy over the WebApplication Firewall. !! 
	  !! Otherwise this will be a security issue.                                                 !!                     
	
	  This Valve is useful if Axon.ivy is protected by a WebApplication Firewall (WAF) with an integrated 
	  Identity and Access Management (IAM). Those systems will authenticate and authorize users. 
	  The identified user is then sent from the WAF to Axon.ivy using a HTTP request header.
	
	  WebBrowser ==> WAF ==> Axon.ivy
	                   
	                  ^          |
	                  |          |
	                  v          v	
	
	                 IAM ==> Active Directory
	                 
	  https://developer.axonivy.com/doc/latest/EngineGuideHtml/integration.html#integration.waf.sso
	 -->
	<!-- 
	<Valve className="ch.ivyteam.ivy.webserver.security.SingleSignOnValve" userNameHeader="user"/>
	 -->



	<!-- ====================== Custom Valves ====================== -->
	
	<!-- 
	You can configure any third party valve or even your own implementation of a valve. 
	A full valve sample implementation can be found on GitHub: 
	
	https://github.com/ivy-samples/ivy-extension-demos/tree/master/ProcessingValve
	
	-->
	 
</Context>
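
An added example, not part of the Axon.ivy files or documentation: a Python check over web.xml and context.xml as listed above. It reports a session cookie without the secure flag, a missing, unmapped or switched-off HttpHeaderSecurityFilter, and an active SingleSignOnValve with no RemoteAddrValve beside it. The function names, the abridged sample files and the 10.0.0.5 address are constructed for illustration, and treating RemoteAddrValve as the way to restrict access to the WAF is an assumption (a network-level restriction would serve the same purpose).

```python
import xml.etree.ElementTree as ET

HEADER_FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
SSO_VALVE = "ch.ivyteam.ivy.webserver.security.SingleSignOnValve"
ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"
# Tomcat init-params that each switch one response header on or off.
SWITCHES = ("antiClickJackingEnabled", "xssProtectionEnabled",
            "blockContentTypeSniffingEnabled")

def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(data):
    """Findings for web.xml. Commented-out elements are not parsed, so a
    setting that is still inside <!-- --> counts as absent."""
    root = ET.fromstring(data)
    findings = []
    if not any(child_text(c, "secure") == "true"
               for c in find_all(root, "cookie-config")):
        findings.append("session cookie 'secure' flag is not enabled")
    filters = [f for f in find_all(root, "filter")
               if child_text(f, "filter-class") == HEADER_FILTER]
    if not filters:
        findings.append("HttpHeaderSecurityFilter is not configured")
    for flt in filters:
        name = child_text(flt, "filter-name")
        if not any(child_text(m, "filter-name") == name
                   and child_text(m, "url-pattern") == "/*"
                   for m in find_all(root, "filter-mapping")):
            findings.append(f"filter {name!r} is not mapped to /*")
        for param in find_all(flt, "init-param"):
            key = child_text(param, "param-name")
            if key in SWITCHES and child_text(param, "param-value") == "false":
                findings.append(f"{key} is set to false")
    return findings

def audit_context_xml(data):
    """Findings for context.xml: header-based SSO without an address limit."""
    root = ET.fromstring(data)
    valves = {v.get("className"): v for v in find_all(root, "Valve")}
    findings = []
    if SSO_VALVE in valves and ADDR_VALVE not in valves:
        header = valves[SSO_VALVE].get("userNameHeader")
        findings.append(f"SingleSignOnValve trusts header {header!r} but no "
                        "RemoteAddrValve limits which hosts may connect")
    return findings

# Constructed, abridged copies of the two files (not real deployments).
WEB_XML_DEFAULT = b"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <!-- <cookie-config><secure>true</secure></cookie-config> -->
  </session-config>
  <filter-mapping>
    <filter-name>httpSecurityHeaders</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>httpSecurityHeaders</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>xssProtectionEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
</web-app>"""
# Same file with the cookie-config comment markers removed.
WEB_XML_SECURE = WEB_XML_DEFAULT.replace(b"<!-- <cookie", b"<cookie").replace(
    b"</cookie-config> -->", b"</cookie-config>")
CONTEXT_SSO = b"""<Context>
  <Valve className="ch.ivyteam.ivy.webserver.security.SingleSignOnValve"
         userNameHeader="user"/>
</Context>"""
# ASSUMPTION: 10.0.0.5 stands in for the address of the WAF.
CONTEXT_SSO_LIMITED = CONTEXT_SSO.replace(b"<Context>",
    b'<Context><Valve className="org.apache.catalina.valves.RemoteAddrValve"'
    b' allow="10\\.0\\.0\\.5"/>')

if __name__ == "__main__":
    for label, result in (("web.xml", audit_web_xml(WEB_XML_DEFAULT)),
                          ("context.xml", audit_context_xml(CONTEXT_SSO))):
        for finding in result:
            print(f"{label}: {finding}")
```

The check only confirms that a RemoteAddrValve is present; whether its allow pattern matches the WAF and nothing else still has to be reviewed by hand.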