ivy.yaml

[engineDir]/configuration/reference/ivy.yaml

  1#
  2# -------------------------------------------
  3# Axon Ivy Engine Configuration
  4# -------------------------------------------
  5# 
  6# This file shows configurations of the Axon Ivy Engine and its external systems.
  7# https://developer.axonivy.com/doc/10.0/engine-guide/configuration/
  8#
  9# Copy contents of this reference file to 'configuration/ivy.yaml' before adjusting
 10# them to your needs.
 11# https://developer.axonivy.com/doc/10.0/engine-guide/configuration/files/ivy-yaml.html
 12#
 13# By default, the engine is pre-configured to run in demo mode.
 14# To run an engine in a productive environment, at least the system database
 15# has to be configured.
 16#
 17# SECRETS / PASSWORDS:
 18# Any configuration value can be encrypted just by enclosing it with "${encrypt:}".
 19# This applies a reversible encryption private to this Ivy Engine.
 20# You cannot copy the encrypted values from one engine to another.
 21# Example:
 22# * to encrypt the string "myPassword", write "${encrypt:myPassword}"
 23#   https://developer.axonivy.com/doc/10.0/engine-guide/configuration/advanced-configuration.html#passwords
 24#
 25# OVERRIDING:
 26# Any configuration value provided here can be set in alternative sources. 
 27# * environment variables: variables of the operating system can set app config entries.
 28#    Their key must be prefixed with 'IVY_'. 
 29#    For instance, use 'IVY_SYSTEMDB_URL' to override the jdbc driver url.
 30#    https://developer.axonivy.com/doc/10.0/engine-guide/configuration/advanced-configuration.html#overriding-configuration
 31#
 32
 33
 34
 35# == System Database Settings == 
 36#
 37# Axon Ivy requires a System Database to store the state of running workflow applications.
 38#
 39# Unless you run the engine in Demo mode, a valid System DB driver, url and the user+password credentials
 40# that are able to connect to the database, are mandatory.
 41# 
 42# [restart required]
 43SystemDb:
 44  # JDBC URL
 45  Url: ""
 46  # Name of the technical user to connect to system database on behalf of the engine. E.g. ivy, AxonIvy, workflowengine
 47  # e.g. ivy
 48  UserName: ""
 49  # Password for above technical user.
 50  # e.g. "${encrypt:1234}"
 51  # [password]
 52  Password: ""
 53  # If the database will be created with the Engine Config CLI, these params will be respected.
 54  # This is used on LTS 10.0 in the Axon Ivy Engine Docker Image (docker-entrypoint.sh).
 55  Creation:
 56    # Tablespace which will be used (only for Oracle).
 57    Tablespace: ivy
 58    # Username which will be taken to create the system database (only for Oracle).
 59    UserName: ""
 60    # Password which will be taken to create the system database (only for Oracle).
 61    # [password]
 62    Password: ""
 63  # If set to true, the system database is automatically converted to the latest version during startup of the Axon Ivy Engine if needed.
 64  Autoconvert: false
 65  # Defines how long ivy should wait (in seconds) at startup for the db server to be available
 66  BootTimeout: 60
 67  # JDBC Driver. If not set, it is auto determined based on the JDBC URL.
 68  Driver: ""
 69  # Additional driver specific connection properties.
 70  DriverProperties: {}
 71  # Maximum number of connections to the system database.
 72  MaxConnections: 50
 73
 74
 75
 76# == Administrators ==
 77#
 78# Administrators can configure, monitor and manage the Axon Ivy Engine.
 79#
 80# Email is used to send info mails like license expiration
 81# FullName is used to display a nice name for this user.
 82# 
 83# For security reasons, please hash the password(s) using "${hash:mySecret}".
 84# The real password cannot be recovered from the hash.
 85#
 86# Default administrator in demo mode is 'admin' with password 'admin'. These credentials are publicly known, so keep a demo-mode engine off untrusted networks.
 87#Administrators:
 88#  #Example admin user with username james and password mySecret
 89#  james: 
 90#    Password: "${hash:mySecret}"
 91#    Email: info@localhost
 92#    FullName: James David
 93
 94
 95
 96# == Security Systems ==
 97#
 98# List of Security Systems. 
 99# A security system defines how users and roles are managed.
100# Security systems that are configured here can be used by applications.
101# !! If you change a security system then all users that are no longer defined by the changed security system will be disabled.
102# !! Switching from an Identity Provider e.g. Azure Active Directory to Ivy Security System keeps all synchronized users, but
103#    requires that you set (new) passwords for them. Before, passwords have been managed and kept by the Identity Provider for 
104#    all managed users.
105#
106SecuritySystems:
107  
108  # 'default' security system which exists always
109  default:
110    # The Security System manages the user and roles in the system database. 
111    # For the Ivy Security System, no additional configuration is needed. 
112    # For any other Security System, further configuration is needed to integrate such a system.
113    # See https://developer.axonivy.com/doc/10.0/engine-guide/identity-provider
114    # [enum: ivy Security System, Microsoft Active Directory, Novell eDirectory, azure-active-directory]
115    Provider: "ivy Security System"
116    
117    # == EMail Notification Settings ==
118    # 
119    # These email notification settings will be applied to all users of a security system.
120    # Users still have the option to customize their e-mail notification settings for themselves.
121    # Applications can override the standard options or add their own.
122    #
123    EMailNotification:
124      # The settings here are standard values that apply for all users who do not alter their settings.
125      # Users can override these settings in the Portal menu.
126      #
127      # Shall users be notified by mail whenever a new task is assigned to them?
128      OnNewTasks: false
129      #
130      # On which weekdays shall the users receive a daily task summary?
131      # Possible values are: never, always, monday, tuesday, wednesday, thursday, friday, saturday, sunday
132      # Any combination of weekdays is allowed.
133      # You can configure when the summary email is sent in EMail:DailyTaskSummary:TriggerTime
134      DailySummaryOn: never
135      # 
136      # Standard processes are a set of predefined processes, which you can customize in your ivy project.
137      # To enable these custom processes, the library id of the ivy project must be specified here.
138      # The library id is <group-id>:<project-id> from the ivy project deployment definition.
139      # e.g the library id of the portal is "com.axonivy.portal:portal"
140      # The default is 'auto' which means auto detection of standard process in your application
141      # https://developer.axonivy.com/doc/10.0/designer-guide/user-interface/standard-processes
142      StandardProcess: auto
143    
144    # == Language Settings ==
145    # 
146    # The default language settings, which apply to all users who have not explicitly set this
147    # in their profile settings.
148    #
149    Language:
150      # Content is displayed in this language if the content exists in this language. A locale (language[_COUNTRY])
151      # must be specified for example de, de_CH, de_AT, de_DE, en, en_GB, en_US, fr, vi
152      Content: en
153      # Data like numbers, dates, times and much more are formatted according to this language. A locale (language[_COUNTRY])
154      # must be specified for example de, de_CH, de_AT, de_DE, en, en_GB, en_US, fr, vi
155      Formatting: en_GB
156
157
158
159# == Base Url ==
160#
161# Web address of the Axon Ivy Engine installation, such as https://yourdomain/.
162# This value is used to let ivy know how to refer to itself, ie. to create links in emails.
163# This is necessary because ivy cannot reliably detect such a URL from within itself.
164BaseUrl: ""
165
166
167
168# == Single Sign-on ==
169#
170# Single Sign-on logs users in automatically. A reverse proxy has to be installed
171# in front of the Axon Ivy Engine. It is responsible for authenticating
172# the user. The name of the user must then be transmitted as an HTTP header.
173# !! Ensure that the Axon Ivy Engine is reachable only through the reverse proxy and that the proxy overwrites
174#    any client-supplied value of the user header; otherwise attackers can easily log in as another user.
175# https://developer.axonivy.com/doc/10.0/engine-guide/integration/single-sign-on
176# [restart required]
177SSO:
178  # Shall SSO be enabled?
179  Enabled: false
180  # name of the HTTP header with the username that has to be provided by the reverse proxy
181  UserHeader: X-Forwarded-User
182
183
184
185# == Deployment Setting ==
186#
187Deployment:
188  # Directory where the server watches for files to deploy.
189  # https://developer.axonivy.com/doc/10.0/engine-guide/deployment
190  #
191  # You can specify a remote network location using a UNC path:
192  # Linux: //servername/share/file
193  # Windows: \\servername\share\file
194  #
195  Directory: deploy
196  
197  Backup:
198    # The number of backups of deployed projects that are kept on disk 
199    # n < 0: infinite number of backups are kept
200    # n = 0: No backups are made or kept
201    # n > 0: Number of backups that are kept.
202    Keep: 5
203
204
205
206# == Data Settings ==
207#
208Data:
209  #-----------------------------------------------------------------------------------------------
210  # !! STOP YOUR ENGINE before changing these settings !!
211  #
212  # For all paths below, 
213  # - absolute and relative paths (to the engine root directory) are supported
214  # - we recommend to use locations outside the engine root directory to facilitate migrations.
215  #-----------------------------------------------------------------------------------------------
216  #
217  # Folder where runtime data will be stored.
218  #
219  # [restart required]
220  Directory: data
221  #
222  # Folder where applications are stored, unless otherwise defined in application specific configuration. 
223  #
224  # In demo mode: not configurable and set to: [Data.WorkDirectory]/demo-applications
225  #
226  # [restart required]
227  AppDirectory: applications
228  #
229  # Root folder where application data files are stored.
230  #
231  # A change in this setting will NOT move existing application files to the new location.
232  # You have to move existing files manually to the new directory.
233  #
234  # If not set, the files will be stored beneath each application's file directory.
235  #
236  # [restart required]
237  FilesDirectory: ""
238  #
239  # Directory where the server writes temporary working files to.
240  #
241  # [restart required]
242  WorkDirectory: work
243
244
245# == Data Cache Settings ==
246#
247DataCache:
248  # Invalidate data cache groups and entries. Checks if the lifetime of caches has ended and invalidates them.
249  # You can set the delay in milliseconds between each check. This delay has to be greater than 0.
250  #
251  InvalidationInterval: 60000
252
253
254# == Elasticsearch Settings ==
255#
256# Axon Ivy uses an Elasticsearch instance to provide a fast query interface against BusinessData.
257# The bundled instance is started on demand, in a separate JVM, when an API request needs it.
258#
259# You can operate Axon Ivy with the bundled Elasticsearch server or with your own external Elasticsearch cluster.
260#
261# [restart required] except for UserName and Password of ExternalServer
262Elasticsearch:
263  # The bundled Elasticsearch server...
264  # - is started in a separate JVM when a feature requires BusinessData access.
265  # - is reachable only on 'localhost', but access is unprotected, so any process on the engine host can connect to it.
266  # - JVM arguments used to start the bundled Elasticsearch server can be 
267  #   configured in the 'elasticsearch/config/jvm.options' file.
268  BundledServer:
269    #
270    # Path to the directory where the bundled Elasticsearch server stores data.
271    # It is recommended to configure a data directory that is located outside of the Engine
272    # installation directory to ease the Engine migration to newer versions.
273    DataPath: elasticsearch/data
274    #
275    # Name of the cluster of the bundled Elasticsearch server.
276    ClusterName: ivy-elasticsearch-{uid}
277    #
278    # Start the bundled Elasticsearch server lazy (on demand)?
279    # If true, the bundled Elasticsearch server will be started on first usage
280    # If false, the Elasticsearch server will be started on engine startup.
281    #
282    LazyStart: false
283    #
284    # Port to communicate with bundled Elasticsearch server
285    #
286    # AUTO: A free port in port range 19200-19299 is searched automatically.
287    # <integer>: A fixed port number that you define. We recommend to use a number > 10000. 
288    #            Make sure it is free.
289    #
290    Port: AUTO
291  
292  #
293  # Configure access to your own Elasticsearch server if you want to use it instead of the bundled server.
294  #
295  # To install your own Elasticsearch server follow these steps
296  # https://www.elastic.co/guide/en/elasticsearch/reference/7.17/setup.html
297  #
298  # Currently, Axon Ivy supports Elasticsearch server versions in the 7.17.x range. 
299  # If your Elasticsearch server is running on another host, access to that instance has to be protected.
300  # You can achieve that with a front-end web server like NGINX in front of Elasticsearch that enforces basic authentication; basic authentication protects the credentials only when the connection is encrypted with TLS.
301  #
302  ExternalServer:
303    # Configure the URL of your own Elasticsearch server if you want to use it instead of the bundled server.
304    Url: ""
305    # Name of the user to use to authenticate in the external Elasticsearch server
306    UserName: ""
307    # Password of the user to use to authenticate in the external Elasticsearch server.
308    # e.g. "${encrypt:}"
309    # [password]
310    Password: ""
311    # Defines how long ivy should wait (in seconds) for the availability of the external Elasticsearch server while booting.
312    BootTimeout: 60
313  #
314  # For every business data type an Elasticsearch index will be created. 
315  Index:
316    # The name prefix of the index to use to store business data.
317    # Example: for type ch.ivy.Dossier the index name is <NamePrefix>-ch.ivy.dossier.
318    # If multiple Ivy Engines use the same Elasticsearch server instance, you need to define unique NamePrefixes per engine.
319    # You might add the engine host name as part of the name prefix, i.e. "servername.ivy.businessdata", or "servername.data"
320    NamePrefix: ivy.businessdata
321    Reindex:
322      # The number of business data objects that Ivy reads in one batch from the system database
323      ReadWindowSize: 1000
324      # The number of business data objects that Ivy writes in one batch to Elasticsearch
325      WriteWindowSize: 1000
326      # The size of the queue that is used to store business data objects read from the database 
327      # until they are written to the Elasticsearch
328      QueueSize: 10000
329    # If BusinessData are not well modeled for Elasticsearch, you may have to increase the 'total_fields.limit' of the mapping.
330    # Performance may decrease. If you change this setting, you need to shutdown the Axon Ivy Engine and delete the data directory of Elasticsearch.
331    TotalFieldsLimit: 4000
332  #
333  # Configures the Elasticsearch client. The client is the ivy engine which communicates with Elasticsearch.
334  Client:
335    # Maximum seconds to wait until a connection to Elasticsearch can be established.
336    ConnectTimeout: 10
337    # Maximum seconds to wait for data to be sent by Elasticsearch. 
338    # Raise this value if large datasets are expected.
339    ReadTimeout: 30
340
341
342
343# == EMail Settings ==
344#
345EMail:
346  Server:
347    Host: ""
348    Port: -1
349    # Email address that will be used for emails sent by the server (e.g. task notification emails)
350    MailAddress: noreply@ivyserver.local
351    User: guest
352    # [password]
353    Password: ""
354    # [enum: NONE, START_TLS, SSL]
355    EncryptionMethod: NONE
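356    # EncryptionMethod NONE sends mails and any User/Password configured above to the mail server unencrypted.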
357    # certificates are to be stored in the Ivy keystore (default: configuration/keystore.p12; see below at SSL / Client), with the alias defined below.
358    SSL:
359      KeyAlias: ""
360      UseKey: false
361    # Specifies the maximum number of emails that can be sent concurrently
362    # [restart required]
363    MaxConcurrentSendings: 10
364  DailyTaskSummary:
365    # Time of day when the task summary mails will be sent.
366    # The engine must be running at this time otherwise the daily task summary mails will not be sent.
367    # Format is hh:mm. e.g. "02:00" or "14:15"
368    # [daytime]
369    TriggerTime: "00:00"
370
371
372
373# == Show Error Messages To End Users Settings ==
374#
375# When an error occurs while processing a user request, an error screen is displayed to the user. 
376# 
377# The displayed error page can be customized for your needs: 
378# https://developer.axonivy.com/doc/10.0/engine-guide/configuration/files/web-xml.html
379#
380Errors:
381  #
382  # Shall the end user see detailed error information (stacktraces, detailed error reports, etc.)?
383  #
384  # By default (false) we only show a unique 'Error Id'. This 'Error Id' can be used to find the error in the log files.
385  # 
386  # For security reasons, normal users should not see technical implementation details.
387  # But in development or pre-production environments, it might be safe to show the full error
388  # details directly to the end user.
389  # 
390  ShowDetailsToEndUser: false
391
392
393
394# == Persistence Settings ==
395#
396Persistence:
397  JPA:
398    # Persist ivyScript auto initialized fields with NULL values. Affects types:
399    #  - ch.ivyteam.ivy.scripting.objects.Date
400    #  - ch.ivyteam.ivy.scripting.objects.DateTime
401    #  - ch.ivyteam.ivy.scripting.objects.Time
402    # If this option is set to false, auto initialized values are stored as before Axon Ivy 6.4.
403    defaultInitializedAsNull: true
404
405
406
407# == Process Element Firing Statistic Settings ==
408#
409ProcessEngine:
410  FiringStatistic:
411    #
412    # If set to true, a process element statistic is written periodically to the log directory. 
413    #                 May impact server performance.
414    Active: false
415    #
416    # Interval in seconds the 'process element statistic' is written to the log directory
417    #
418    Interval: 300
419
420
421
422# == SSL Client Settings ==
423#
424SSL:
425  Client:
426    #
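427    # A key store is used to read client keys (certificates).
428    # This is only required if a remote server requests a client certificate in order to authenticate the client. The passwords below default to the widely known value 'changeit'; when the key store holds real private keys, set your own, e.g. as "${encrypt:myPassword}".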
429    KeyStore:
430      UseCustom: false
431      # [password]
432      KeyPassword: changeit
433      Algorithm: SunX509
434      File: configuration/keystore.p12
435      # [password]
436      Password: changeit
437      Provider: ""
438      Type: pkcs12
439    #
440    # A trust store is used to specify trusted server certificates or certificates of certification authorities. 
441    # An SSL client authenticates a server by using the certificates in a trust store.
442    # Certificates that are self-signed or signed by an unknown certification authority can be added to this trust store.
443    TrustStore:
444      File: configuration/truststore.p12
445      Algorithm: PKIX
446      # [password]
447      Password: changeit
448      Provider: ""
449      Type: pkcs12
450      # Fully qualified class name of a trust manager class that is used to validate server certificates.
451      # If configured, the system trust store of the JVM and the trust store configured above are not used, so server certificate validation depends entirely on this class.
452      ManagerClass: ""
453
454
455
456# == Workflow Settings ==
457#
458Workflow:
459  # Can completed cases and tasks be seen by substitutes of the user who worked on them?
460  # [enum: VISIBLE, INVISIBLE]
461  History.ForSubstitutes: VISIBLE
462
463
464# == Failure Behaviour ==
465#
466SystemTask:
467  #
468  # Defines the behaviour in case a system task fails. 
469  #
470  # [enum: FAIL_TASK_DO_RETRY, FAIL_TASK_DO_NOT_RETRY, DESTROY_TASK, DESTROY_CASE]
471  Failure.Behaviour: FAIL_TASK_DO_RETRY
472  #
473  # Interval in seconds between executions of the search job for system tasks.
474  # The job searches system tasks that were not executed because of failures.
475  #
476  SearchJob.Interval: 900
477
478
479
480# == Thread Pools Settings ==
481#
482ThreadPool:
483  #
484  # Executes process engine background operations like Database, WebService calls, etc.
485  BackgroundOperationExecutor:
486    # Minimum number of threads
487    CorePoolSize: 5
488    # Maximum number of threads
489    MaximumPoolSize: 200
490  # Executes unscheduled jobs
491  ImmediateJobExecutor:
492    # Minimum number of threads
493    CorePoolSize: 5
494    # Maximum number of threads
495    MaximumPoolSize: 50
496  # Executes scheduled jobs
497  ScheduledJobExecutor:
498    # Minimum number of threads
499    CorePoolSize: 5
500
501
502
503# == Update Checker Settings ==
504#
505# When newer Axon Ivy versions are available, a message will be displayed on the Axon Ivy Engine main web page. 
506# The update message contains information about the new versions and where those can be downloaded. 
507#
508# While checking for new versions the following statistic information is sent to the update server. 
509# This information is only used to improve the product!
510# - Engine (version, up time)
511# - Configuration (number of: cluster nodes, users, licenced users, applications, process model, process model version, deleted process model version, running cases, running tasks)
512# - Licence information (number, organisation, individual)
513# - Operating system information (name, version, architecture, number of processors)
514# - System database (product name and version, driver, identification number)
515# - Java memory information (maximum heap memory, maximum non heap memory)
516# - JVM (Java virtual machine) information (version, vendor, name)
517# - Host information (host name, SHA-256 hashes of IP address and MAC address to identify the host without being able to read the original IP address and MAC address itself)
518#
519UpdateChecker:
520  #
521  #  Shall update notification messages be shown and statistic information sent to the update server?
522  Enabled: true
523  #
524  # Time of day when an update check will be executed
525  # The engine must be running at this time otherwise the update check will not be executed.
526  # Format is hh:mm. e.g. "02:00" or "14:15"
527  # [daytime]
528  ExecutionTime: ""
529
530
531Boot:
532  # Switch to maintenance mode if a configuration problem is detected during startup.
533  # If set to DISABLED you can explicitly start the engine in maintenance mode by using the command line option '-maintenance'.
534  # [enum: AUTO, DISABLED]
535  MaintenanceMode: AUTO
536
537
538Cluster:
539  #
540  # The name of this node. 
541  # If not configured, a random name is generated.
542  # The name of a node is also used as jvm route identifier that is used by some load balancers to provide sticky sessions.
543  # https://developer.axonivy.com/doc/10.0/engine-guide/integration/cluster
544  # [restart required] 
545  NodeName: ""
546  #
547  # The name of the cluster. 
548  # It is used to find and communicate with other nodes of the same cluster.
549  # Multiple clusters located in the same network must have different cluster names. 
550  # Otherwise the nodes of both clusters find each other and build one cluster instead of two.  
551  # [restart required]
552  Name: "IvyCluster"
553
554
555# The purpose of a reverse proxy is to provide a single point of entry for
556# one or more services from outside the network. The reverse proxy receives all requests from the
557# clients and forwards them to the Axon Ivy Engine which handles them.
558# https://developer.axonivy.com/doc/10.0/engine-guide/integration/reverse-proxy
559# [restart required]
560ReverseProxy:
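561  # HTTP headers which are interpreted by the Axon Ivy Engine to generate the correct URLs for links and redirects. The reverse proxy should set or overwrite these headers on every request, because values supplied by clients are untrusted.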
562  # [restart required]
563  HttpHeaders:
564    # Name of the HTTP Header for identifying the originating IP address of a client connecting to the reverse proxy server.
565    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
566    # [examples: X-Forwarded-For]
567    ForwardedFor: X-Forwarded-For
568    # Name of the HTTP header for identifying the original host requested by the client. Not needed if the reverse proxy preserves the original host in the 'Host' HTTP Header.
569    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
570    # [examples: X-Forwarded-Host]
571    ForwardedHost: X-Forwarded-Host
572    # Name of the HTTP header used to represent the port number used by the client for the request. Not needed if your reverse proxy uses standard ports (80, 443). Only takes effect when the 'ForwardedProtocol' HTTP header is also set on the request.
573    # [examples: X-Forwarded-Port]
574    ForwardedPort: X-Forwarded-Port
575    # Name of the HTTP header for identifying the protocol used between the client and the reverse proxy server.
576    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
577    # [examples: X-Forwarded-Proto, X-Forwarded-Ssl, X-Forwarded-Protocol, Front-End-Https, X-Url-Scheme]
578    ForwardedProtocol: X-Forwarded-Proto
579    # Value of the 'ForwardedProtocol' header to indicate that it is an HTTPS request.
580    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
581    # [examples: https, "on"]
582    ForwardedProtocolHttps: https