ivy.yaml

[engineDir]/configuration/reference/ivy.yaml

  1# yaml-language-server: $schema=https://json-schema.axonivy.com/ivy/12.0.12/ivy.json
  2#
  3# -------------------------------------------
  4# Axon Ivy Engine Configuration
  5# -------------------------------------------
  6# 
  7# This file shows configurations of the Axon Ivy Engine and its external systems.
  8# https://developer.axonivy.com/doc/12.0/engine-guide/configuration/
  9#
 10# Copy contents of this reference file to 'configuration/ivy.yaml' before adjusting
 11# them to your needs.
 12# https://developer.axonivy.com/doc/12.0/engine-guide/configuration/files/ivy-yaml.html
 13#
 14# By default, the engine is pre-configured to run in demo mode.
 15# To run an engine in a productive environment, at least the system database
 16# has to be configured.
 17#
 18# SECRETS / PASSWORDS:
 19# Any configuration value can be encrypted just by enclosing it with "${encrypt:}".
 20# This applies a reversible encryption private to this Ivy Engine.
 21# You cannot copy the encrypted values from one engine to another.
 22# Example:
 23# * to encrypt the string "myPassword", write "${encrypt:myPassword}"
 24#   https://developer.axonivy.com/doc/12.0/engine-guide/configuration/advanced-configuration.html#passwords
 25#
 26# OVERRIDING:
 27# Any configuration value provided here can be set in alternative sources. 
 28# * environment variables: of the operating system can set app config entries. 
 29#    Their key must be prefixed with 'IVY_'. 
 30#    For instance, use 'IVY_SYSTEMDB_URL' to override the jdbc driver url.
 31#    https://developer.axonivy.com/doc/12.0/engine-guide/configuration/advanced-configuration.html#overriding-configuration
 32#
 33
 34# Axon Ivy requires a System Database to store the state of running workflow applications.
 35# Unless you run the engine in Demo mode, a valid System DB driver, url and the user+password credentials are mandatory.
 36# [restart required]
 37SystemDb:
 38  # JDBC URL
 39  # [examples: jdbc:postgresql://localhost:5432/AxonIvySystemDatabase, jdbc:sqlserver://localhost:1433;databaseName=AxonIvySystemDatabase, jdbc:mariadb://localhost:3306/AxonIvySystemDatabase, jdbc:mysql://localhost:3306/AxonIvySystemDatabase, jdbc:oracle:thin:@//localhost:1521/ServiceName, jdbc:oracle:thin:@localhost:1521:ServiceId, jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ServiceName)(SERVER=DEDICATED)))]
 40  Url: ""
 41  # Name of the technical user to connect to system database on behalf of the engine.
 42  # [examples: ivy, AxonIvy, workflowengine]
 43  UserName: ""
 44  # Password for the technical user (see UserName).
 45  Password: ""
 46  # Defines how long ivy should wait (in seconds) at startup for the db server to be available
 47  BootTimeout: 60
 48  # JDBC Driver. If not set, it is auto determined based on the JDBC URL.
 49  Driver: ""
 50  # Additional driver specific connection properties.
 51  DriverProperties:
 52  # Maximum number of connections to the system database.
 53  MaxConnections: 50
 54  Creation:
 55    # If set to true, the system database will be created on startup, if it does not exist.
 56    Enabled: true
 57    # Password which will be taken to create the system database (only for Oracle).
 58    Password: ""
 59    # Tablespace which will be used (only for Oracle).
 60    Tablespace: ivy
 61    # Username which will be taken to create the system database (only for Oracle).
 62    UserName: ""
 63
 64# Administrators can configure, monitor and manage the Axon Ivy Engine.
 65# The default administrator in demo mode is 'admin' with password 'admin'.
 66Administrators:
 67#  # example Administrator
 68#  exampleAdministrator:
 69#    # Will be used to send info mails like license expiration
 70#    Email: ""
 71#    # Used to display a nice name for this user
 72#    FullName: ""
 73#    # For security reasons, please hash the password(s) using "${hash:mySecret}"
 74#    # The real password cannot be recovered from the hash.
 75#    # [examples: "${hash:mySecret}"]
 76#    Password: ""
 77#  
 78
 79SecuritySystems:
 80  # 'default' security system which exists always
 81  default:
 82    # The security system slug name which will be used in URL as prefix for all resources which are part of the security system.
 83    # If not set, then the security system name will be choosen.
 84    # Only for the default security context this is empty, by default.
 85    UrlPath:
 86    IdentityProvider:
 87      # The Security System manages the user and roles in the system database.
 88      # For the Ivy Security System, no additional configuration is needed.
 89      # For any other Security System, further configuration is need to integrate such a system.
 90      # [examples: ivy, keycloak, microsoft-active-directory, novell-edirectory, microsoft-entra-id]
 91      Name: ivy
 92    
 93    # The notification channel settings including their default subscription settings which apply to all users.
 94    Notification:
 95      # Settings for cleaning up notifications.
 96      Cleanup:
 97        # Notifications older than this will be deleted on a daily basis.
 98        DaysUntilDeletion: 90
 99      
100      # Parameters to disable notifications if a user is absent.
101      # Is no property set, it will act like NotifyAbsentUser:always.
102      # If NotifyAbsentUser is set to:
103      # always: Send a notification regardless of the user’s absence.
104      # never: Does not send a notification if the user is absent.
105      # noActiveSubstitute: Send a notification only the absent user does not have an active substitute.
106      # [enum: always, never, noActiveSubstitute]
107      NotifyAbsentUser: always
108      # Settings for an individual Channel.
109      # [examples: web, mail, microsoft-teams]
110      Channels:
111        mail:
112          # Name of the channel.
113          # [examples: web, mail, microsoft-teams]
114          Name: ""
115          # Whether the channel is enabled or not.
116          Enabled: false
117          # The default subscription settings.
118          Events:
119            # Whether all events are enabled or not.
120            # [enum: enabled, disabled]
121            AllKinds: enabled
122            # Array of subscribed events.
123            # [examples: new-task]
124            Kinds:
125        
126        microsoft-teams:
127          # Name of the channel.
128          # [examples: web, mail, microsoft-teams]
129          Name: ""
130          # Whether the channel is enabled or not.
131          Enabled: false
132          # The default subscription settings.
133          Events:
134            # Whether all events are enabled or not.
135            # [enum: enabled, disabled]
136            AllKinds: enabled
137            # Array of subscribed events.
138            # [examples: new-task]
139            Kinds:
140        
141        web:
142          # Name of the channel.
143          # [examples: web, mail, microsoft-teams]
144          Name: ""
145          # Whether the channel is enabled or not.
146          Enabled: true
147          # The default subscription settings.
148          Events:
149            # Whether all events are enabled or not.
150            # [enum: enabled, disabled]
151            AllKinds: enabled
152            # Array of subscribed events.
153            # [examples: new-task]
154            Kinds:
155    
156    # Single Sign-on allows to auto login users.
157    # A reverse proxy has to be installed in front of the Axon Ivy Engine.
158    # It is responsible for authenticating the user.
159    # The name of the user must then be transmitted as a HTTP header.
160    # !! Assert exclusive access to the Axon Ivy Engine otherwise attackers can easily login as another user.
161    # https://developer.axonivy.com/doc/12.0/engine-guide/integration/single-sign-on
162    # [restart required]
163    SSO:
164      # Whether SSO is enabled
165      Enabled: false
166      # name of the HTTP header with the username that has to be provided by the reverse proxy
167      UserHeader: X-Forwarded-User
168    
169    UserSynch:
170      # Shall we synchronize a user with the Identity Provider at login?
171      # If the user does not exist yet, he will be synchronized anyway.
172      # In case of slow Identity Provider connections, it can make sense to set this to false.
173      OnLogin: true
174      OnSchedule:
175        # Unix Cron expression for the user synchronization.
176        # Format is: minutes, hours, day of month, month, day of the week. e.g. "32 13 * * *" is everyday at 13:32
177        Cron: 0 0 * * *
178        # Shall we run the daily Identity Provider user synchronization job?
179        # When the synchronization runs is defined by 'Cron'.
180        Enabled: true
181        # Shall we import NEW users with the Identity Provider on schedule?
182        # This setting does not affect synchronization of existing users.
183        # If ImportUsers is set to:
184        # true:  NEW users are imported on schedule.
185        # If a user has not yet been imported by the user synchronization job, she is also imported the first time she logs in.
186        # false: NEW users are not imported on schedule.
187        # Instead, a NEW user is only imported the first time she logs in.
188        ImportUsers: true
189    
190    DocumentStorage:
191      # The document storage defines where the workflow documents should be stored.
192      # [enum: local, s3]
193      # [examples: local, s3]
194      Name: local
195    
196    # The default language settings, which applies to all users, who have not explicitly set this in their profile settings.
197    Language:
198      # Content is displayed in this language if the content exists in this language. A locale (language[_COUNTRY])
199      # [examples: en, en_GB, en_US, de, de_CH, de_AT, de_DE, fr, vi]
200      Content: en
201      # Data like numbers, dates, times and much more are formatted according to this language. A locale (language[_COUNTRY])
202      # [examples: en, en_GB, en_US, de, de_CH, de_AT, de_DE, fr, vi]
203      Formatting: en_GB
204
205# Web address of the Axon Ivy Engine installation, such as https://yourdomain/.
206# This value is used to let ivy know how to refer to itself, ie. to create links in emails.
207# This is necessary because ivy cannot reliably detect such a URL from within itself.
208# [examples: https://yourdomain.com/]
209BaseUrl: ""
210# The purpose of a reverse proxy is to provide a single point of entry for
211# one or more services from outside the network. The reverse proxy receives all requests from the
212# clients and forwards them to the Axon Ivy Engine which handles them.
213# https://developer.axonivy.com/doc/12.0/engine-guide/integration/reverse-proxy
214# [restart required]
215ReverseProxy:
216  # HTTP headers which are interpreted by the Axon Ivy Engine to generate the correct URLs for links and redirects.
217  # [restart required]
218  HttpHeaders:
219    # Name of the HTTP Header for identifying the originating IP address of a client connecting to the reverse proxy server.
220    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
221    # [examples: X-Forwarded-For]
222    ForwardedFor: X-Forwarded-For
223    # Name of the HTTP header for identifying the original host requested by the client. Not needed if the reverse proxy preserves the original host in the 'Host' HTTP Header.
224    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
225    # [examples: X-Forwarded-Host]
226    ForwardedHost: X-Forwarded-Host
227    # Name of the HTTP header used to represent the port number used by the client for the request. Not needed if your reverse proxy uses standard ports (80, 443). Only in charge when the HTTP Header of 'ForwardedProtocol' is also set on request.
228    # [examples: X-Forwarded-Port]
229    ForwardedPort: X-Forwarded-Port
230    # Name of the HTTP header for identifying the protocol used between the client and the reverse proxy server.
231    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
232    # [examples: X-Forwarded-Proto, X-Forwarded-Ssl, X-Forwarded-Protocol, Front-End-Https, X-Url-Scheme]
233    ForwardedProtocol: X-Forwarded-Proto
234    # Value of the 'ForwardedProtocol' header to indicate that it is an HTTPS request.
235    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
236    # [examples: https, "on"]
237    ForwardedProtocolHttps: https
238
239SSL:
240  Client:
241    # Manipulates the JVMs default SSLSocketFactory, so that untrusted (self signed or outdated) certificates are silently accepted.
242    # This could for instance be useful to generate a Webservice stub from an insecure WSDL location.
243    EnableInsecureSSL: false
244    # A trust store is used to specify trusted server certificates or certificates of certification authorities.
245    # An SSL client authenticates a server by using the certificates in a trust store.
246    # Self signed or signed by an unknown certification authority can be added to this trustore.
247    TrustStore:
248      Algorithm: PKIX
249      File: configuration/truststore.p12
250      # Password to access the store.
251      # [password]
252      Password: changeit
253      Provider: ""
254      Type: PKCS12
255    
256    # A key store is used to read client keys (certificates).
257    # This is only required if a remote server requests a client certificate in order to authenticate the client.
258    KeyStore:
259      Algorithm: SunX509
260      File: configuration/keystore.p12
261      # Password of the 'ivy' certificate.
262      # [password]
263      KeyPassword: changeit
264      # Password to access the store.
265      # [password]
266      Password: changeit
267      Provider: ""
268      Type: PKCS12
269      UseCustom: false
270
271Deployment:
272  # Directory where the server watches for files to deploy.
273  # You can specify a remote network location using a UNC path.
274  # https://developer.axonivy.com/doc/12.0/engine-guide/deployment
275  # [examples: //servername/share/file]
276  Directory: deploy
277  Backup:
278    # The number of backups of deployed projects that are kept on disk
279    # n < 0: infinite number of backups are kept
280    # n = 0: No backups are made or kept
281    # n > 0: Number of backups that are kept.
282    Keep: 5
283
284Data:
285  # Folder where applications are stored, unless otherwise defined in application specific configuration.
286  # 
287  # In demo mode: not configurable and set to: [Data.WorkDirectory]/demo-applicationsAbsolute and relative paths (to the engine root directory) are supported,
288  # we recommend to use locations outside the engine root directory to facilitate migrations.
289  # !! STOP YOUR ENGINE before changing this setting !!
290  # [restart required]
291  AppDirectory: applications
292  # Folder where runtime data will be stored.Absolute and relative paths (to the engine root directory) are supported,
293  # we recommend to use locations outside the engine root directory to facilitate migrations.
294  # !! STOP YOUR ENGINE before changing this setting !!
295  # [restart required]
296  Directory: data
297  # DEPRECATED: All runtime data will be stored by default in Data.Directory specified in ivy.yaml. Use Data.Directory
298  # to change the location of stored files.
299  # 
300  # Root folder where application data files are stored.
301  # A change in this setting will NOT move existing application files to the new location.
302  # You have to move existing files manually to the new directory.
303  # 
304  # If not set the files will be stored under the path Data.Directory configured in ivy.yaml.Absolute and relative paths (to the engine root directory) are supported,
305  # we recommend to use locations outside the engine root directory to facilitate migrations.
306  # !! STOP YOUR ENGINE before changing this setting !!
307  # [restart required]
308  FilesDirectory: ""
309
310DataCache:
311  # Invalidate data cache groups and entries.
312  # Checks if the lifetime of caches has ended and invalidates them.
313  # You can set the delay in milliseconds between each check.
314  # This delay has to be greater than 0.
315  InvalidationInterval: 60000
316
317# Axon Ivy uses an search engine to provide scalable full text search capabilities.
318# The bundled instance is started on demand, in a separate JVM, when an API request needs it.
319# You can operate Axon Ivy with the bundled search engine server or with your own external search engine cluster.
320SearchEngine:
321  # The bundled search engine server...
322  # - is started in a separate JVM.
323  # - reachable only on 'localhost' but the access is unprotected.
324  # - JVM arguments used to start the bundled search engine server can be configured in the '[ivyEngine]/configuration/opensearch/jvm.options' file.
325  # [restart required]
326  BundledServer:
327    # Path to the directory where the bundled search engine server stores data.
328    # It is recommended to configure a data directory that is located outside of
329    # the Engine installation directory to ease the Engine migration to newer versions.
330    # [restart required]
331    DataPath: data/_/opensearch
332    # Path to the directory where the bundled search engine should log.
333    # [restart required]
334    LogPath: logs/opensearch
335    # Name of the cluster of the bundled search engine server.
336    # [restart required]
337    ClusterName: ivy-opensearch-{uid}
338    # Port to communicate with bundled search engine server
339    # AUTO: A free port in port range 19200-19299 is searched automatically.
340    # <integer>: A fixed port number that you define. We recommend to use a number > 10000.
341    # Make sure it is free.
342    # [restart required]
343    Port: AUTO
344  
345  # Configure access to your own search engine server if you want to use it instead of the bundled server.
346  # 
347  # To install your own search engine server follow these steps
348  # https://opensearch.org/docs/2.19/install-and-configure/install-opensearch/index/
349  # 
350  # Currently, Axon Ivy supports OpenSearch in version 2.19.
351  # If your OpenSearch server is running on another host, the access to that instance has to be protected.
352  # You can achieve that with a front-end webserver like NGINX that enforces basic authentication.
353  # [restart required]
354  ExternalServer:
355    # Configure the URL of your own OpenSearch server if you want to use it instead of the bundled server.
356    # [restart required]
357    Url: ""
358    # Name of the user to use to authenticate in the external OpenSearch server
359    UserName: ""
360    # Password of the user to use to authenticate in the external OpenSearch server.
361    # [examples: "${encrypt:}"]
362    # [password]
363    Password: ""
364  
365  # Settings for the indexes that are created in the search engine.
366  Index:
367    # The name prefix for the indexes.
368    # If multiple Ivy Engines use the same OpenSearch server instance, you need to define unique NamePrefixes per engine.
369    # You might add the engine host name as part of the name prefix, i.e. 'servername'
370    # [restart required]
371    NamePrefix: ivy
372    Reindex:
373      # The size of the queue that is used to store objects read from the database until they are written to the search engine
374      # [restart required]
375      QueueSize: 10000
376      # The number of objects that Ivy reads in one batch from the system database.
377      # [restart required]
378      ReadWindowSize: 1000
379      # The number of objects that Ivy writes in one batch to the search engine.
380      # [restart required]
381      WriteWindowSize: 1000
382    
383    # If BusinessData are not well modeled for OpenSearch, you may have to increase the 'total_fields.limit' of the mapping.
384    # Performance may decrease. If you change this setting, you need to reindex all business data in Engine Cockpit.
385    # [restart required]
386    TotalFieldsLimit: 4000
387  
388  # Configures the search engine client. The client is the ivy engine which communicates with the search engine.
389  Client:
390    # Maximum seconds to wait until a connection to the search engine can be established.
391    # [restart required]
392    ConnectTimeout: 10
393    # Maximum seconds to wait for data to be sent by search engine.
394    # Raise this value if large datasets are expected.
395    # [restart required]
396    ReadTimeout: 30
397
398EMail:
399  # Whether mails should be sent or not
400  Enabled: true
401  # All mails will be sent via this mail server
402  Server:
403    # Mail server host name or IP address
404    Host: ""
405    # Mail server port
406    Port: -1
407    # Email address that will be used for emails sent by the server (e.g. task notification emails)
408    MailAddress: noreply@ivyserver.local
409    User: guest
410    # The password for the mail user
411    # [password]
412    Password: ""
413    # A password provider set the password on the mail session from an external resource
414    PasswordProvider:
415      # Name of the password provider
416      # [examples: office365-oauth2]
417      Name: ""
418    
419    # [enum: NONE, START_TLS, SSL]
420    EncryptionMethod: NONE
421    # Additional properties which will be set on the mail session
422    # Read https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html
423    SessionProperties:
424      mail.smtp.auth.xoauth2.disable: false
425    
426    # Specifies the maximum number of emails that can be sent concurrently
427    # [restart required]
428    MaxConcurrentSendings: 10
429    # Certificates are to be stored in the Ivy keystore (default: configuration/keystore.p12; see below at SSL / Client), with the alias defined below.
430    SSL:
431      # Specifies the alias of the client certificate in the Ivy keystore.
432      KeyAlias: ""
433      # Specifies whetere a client certificate should be used for authentication
434      UseKey: false
435
436# Detection of Axon Ivy versions. Available updates are listed on the Axon Ivy Engine main web page.
437UpdateChecker:
438  # Shall update notification messages be shown and statistic information sent to the update server?
439  # 
440  # While checking for new versions the following statistic information is sent to the update server.
441  # This information is only used to improve the product!
442  # - Engine (version, up time)
443  # - Configuration (number of: cluster nodes, users, licensed users, applications, process model, process model version, deleted process model version, running workflows)
444  # - Licence information (number, organisation, individual)
445  # - Operating system information (name, version, architecture, number of processors)
446  # - Host information (host name, SHA-256 hashes of IP address and MAC address to identify the host without being able to read the original IP address and MAC address itself)
447  # - System database (product name and version, driver, identification number)
448  # - JVM (Java virtual machine) information (version, vendor, name, memory)
449  # - Used features: we collect the features you are using such as the active connector technologies (REST, SOAP, JPA, ...).
450  # You may inspect the sent information on your own, by enabling the Logger `ch.ivyteam.ivy.update.metrics` on level `DEBUG`.
451  Enabled: true
452  # Time of day when a update check will be executed
453  # The engine must be running at this time otherwise the update check will not be executed.
454  # Format is hh:mm.
455  # [daytime]
456  # [examples: 02:00, 14:15]
457  ExecutionTime: ""
458
459Cluster:
460  # The name of the cluster.
461  # It is used to find and communicate with other nodes of the same cluster.
462  # Multiple clusters located in the same network must have different cluster names.
463  # Otherwise the nodes of both clusters find each other and build one cluster instead of two.
464  # [restart required]
465  Name: IvyCluster
466  # The name of this node.
467  # If not configured, a random name is generated.
468  # The name of a node is also used as jvm route identifier that is used by some load balancers to provide sticky sessions.
469  # https://developer.axonivy.com/doc/12.0/engine-guide/integration/cluster
470  # [restart required]
471  NodeName: ""
472
473# When an error occurs while processing a user request, an error screen is displayed to the user.
474# The displayed error page can be customized for your needs:
475# https://developer.axonivy.com/doc/12.0/engine-guide/configuration/files/web-xml.html
476Errors:
477  # Shall the end user see detailed error information (stacktraces, detailed error reports, etc.)?
478  # By default (false) we only show a unique 'Error Id'. This 'Error Id' can be used to find the error in the log files.
479  # For security reasons, normal users should not see technical implementation details.
480  # But in development or pre-production environments, it might be safe to show the full error details directly to the end user.
481  ShowDetailsToEndUser: false
482
483Persistence:
484  JPA:
485    # Persist ivyScript auto initialized fields with NULL values. Affects types:
486    # - ch.ivyteam.ivy.scripting.objects.Date
487    # - ch.ivyteam.ivy.scripting.objects.DateTime
488    # - ch.ivyteam.ivy.scripting.objects.Time
489    # If this option is set to false, auto initialized values are stored as before Axon Ivy 6.4.
490    defaultInitializedAsNull: true
491
492ProcessEngine:
493  FiringStatistic:
494    # If set to true, a process element statistic is written periodically to the log directory.
495    # May impact server performance.
496    Active: false
497    # Interval in seconds the 'process element statistic' is written to the log directory
498    Interval: 300
499
500Boot:
501  # Switch to maintencance mode if a configuration problem is detected during startup.
502  # If set to DISABLED you can explicit start the engine in maintenance mode by using the command line option '-maintenance'.
503  # [enum: AUTO, DISABLED]
504  MaintenanceMode: AUTO
505
506Workflow:
507  History:
508    # Can completed cases and tasks be seen by substitutes of the user who worked on them?
509    # [enum: VISIBLE, INVISIBLE]
510    ForSubstitutes: VISIBLE
511
512ThreadPool:
513  # Executes process engine background operations like Database, WebService calls, etc.
514  BackgroundOperationExecutor:
515    # Minimum number of threads
516    CorePoolSize: 5
517    # Maximum number of threads
518    MaximumPoolSize: 200
519  
520  # Executes unscheduled jobs
521  ImmediateJobExecutor:
522    # Minimum number of threads
523    CorePoolSize: 5
524    # Maximum number of threads
525    MaximumPoolSize: 50
526  
527  # Executes scheduled jobs
528  ScheduledJobExecutor:
529    # Minimum number of threads
530    CorePoolSize: 5
531
532SystemTask:
533  Failure:
534    # Defines the behaviour in case a system task fails.
535    # [enum: FAIL_TASK_DO_RETRY, FAIL_TASK_DO_NOT_RETRY, DESTROY_TASK, DESTROY_CASE]
536    Behaviour: FAIL_TASK_DO_RETRY
537  
538  SearchJob:
539    # Interval in seconds between executions of the search job for system tasks.
540    # The job searches system tasks that were not executed because of failures.
541    Interval: 900
542
543# Configures the RESTful services provided.
544REST:
545  Servlet:
546    # Controls the REST servlet interface. If disabled no REST resources will be accessible.
547    # Calls to remote REST services are still possible.
548    # [restart required]
549    Enabled: true
550    # Controls whether the REST resources provided by the Axon Ivy Engine should be available or not
551    # [restart required]
552    API: true
553    # Controls whether the REST resource for remote deployment under '/system/api/apps/{application} is available or not
554    # [restart required]
555    Deployment: true
556    # Cross Site Request Forgery (CRSF) settings
557    # [restart required]
558    CSRF:
559      # Provides the general CSRF protection via 'X-Requested-By' header for REST services.
560      # [restart required]
561      Protection: true
562    
563    # Allows the service developer to get diagnostic information about request processing by Jersey.
564    # Those diagnostic/tracing information are returned in response headers (X-Jersey-Tracing-nnn).
565    # On productive environments this feature should not be turned on.
566    # [restart required]
567    # [enum: OFF, ON_DEMAND, ALL]
568    Tracing: 'OFF'
569
570Session:
571  # Session identifier will be renewed on login to prevent the 'Session Fixation' attack.
572  RenewIdOnLogin: true
573
574WebServer:
575  # HTTP Headers that are added to a server response.
576  # [restart required]
577  HttpHeaders:
578    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
579    # [restart required]
580    # [examples: unsafe-none, require-corp, credentialless]
581    Cross-Origin-Embedder-Policy: ""
582    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
583    # [restart required]
584    # [examples: unsafe-none, same-origin-allow-popups, same-origin, noopener-allow-popups]
585    Cross-Origin-Opener-Policy: ""
586    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Resource-Policy
587    # [restart required]
588    # [examples: same-site, same-origin, cross-origin]
589    Cross-Origin-Resource-Policy: ""
590    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy
591    # [restart required]
592    # [examples: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url]
593    Referrer-Policy: strict-origin-when-cross-origin
594    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security
595    # [restart required]
596    # [examples: max-age=63072000]
597    Strict-Transport-Security: ""
598    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
599    # [restart required]
600    # [examples: nosniff]
601    X-Content-Type-Options: ""
602    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
603    # [restart required]
604    # [examples: DENY, SAMEORIGIN]
605    X-Frame-Options: ""
606  
607  # Name of the Ivy servlet context. Use a simple name without any special characters.
608  # [restart required]
609  # [examples: ivy, workflow]
610  IvyContextName: ""
611  PrimeFaces:
612    # https://primefaces.github.io/primefaces/13_0_0/#/core/contentsecuritypolicy?id=content-security-policy
613    # [restart required]
614    ContentSecurityPolicy:
615      # [examples: false, true, reportOnly]
616      Enabled: false
617      # [examples: object-src 'none'; base-uri 'none'; frame-ancestors 'self'; worker-src 'self' blob:; script-src 'strict-dynamic']
618      Policy: ""
619      ReportOnlyPolicy: ""
620
621OfflineDialog:
622  # Disable it if you don't use the Mobile Offline Dialog feature.
623  # [restart required]
624  Enabled: true
625
626Connector:
627  # https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
628  # [restart required]
629  HTTP:
630    # Whether the HTTP connector is enabled.
631    # [restart required]
632    Enabled: true
633    # The TCP port number on which this Connector will create a server socket and await incoming connections.
634    # [restart required]
635    Port: 8080
636    # The maximum length of the operating system provided queue for incoming connection requests when maxConnections has been reached.
637    # [restart required]
638    AcceptCount: 100
639    # For servers with more than one IP address, this attribute specifies which address will be used for listening
640    # on the specified port.
641    # By default, the connector will listen all local addresses.
642    # [restart required]
643    # [examples: 0.0.0.0, ::]
644    Address: ""
645    # A boolean value which can be used to enable or disable the TRACE HTTP method.
646    # [restart required]
647    AllowTrace: false
648    # The value is a comma separated list of MIME types for which HTTP compression may be used.
649    # [restart required]
650    CompressibleMimeType: text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml
651    # The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth.
652    # [restart required]
653    # [examples: on, off, force]
654    Compression: 'off'
655    # The number of seconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 which disables socket linger.
656    # [restart required]
657    ConnectionLinger: -1
658    # The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented.
659    # [restart required]
660    ConnectionTimeout: 60000
661    # This flag allows the servlet container to use a different, usually longer connection timeout during data upload.
662    # [restart required]
663    DisableUploadTimeout: true
664    # Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client.
665    # Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance).
666    # [restart required]
667    EnableLookups: false
668    # Provides the default value for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize.
669    # [restart required]
670    MaxHttpHeaderSize: 8192
671    # The maximum number of HTTP requests which can be pipelined until the connection is closed by the server.
672    # Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining.
673    # Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests.
674    # [restart required]
675    MaxKeepAliveRequests: 100
676    # The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by default
677    # [restart required]
678    MaxParameterCount: 10000
679    # The maximum total number of parts permitted in a request where the
680    # content type is multipart/form-data. This limit is in
681    # addition to maxParameterCount. Requests that exceed this
682    # limit will be rejected. A value of less than 0 means no limit. If not
683    # specified, a default of -1 is used.
684    # [restart required]
685    MaxPartCount: -1
686    # The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing.
687    # The limit can be disabled by setting this attribute to a value less than zero.
688    # [restart required]
689    MaxPostSize: 2097152
690    # The maximum size in bytes of the request body which will be saved/buffered by
691    # the container during FORM or CLIENT-CERT authentication or during HTTP/1.1 upgrade.
692    # [restart required]
693    MaxSavePostSize: 4096
694    # The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled.
695    # [restart required]
696    MaxThreads: 200
697    # The minimum number of threads always kept running. This includes both active and idle threads.
698    # [restart required]
699    MinSpareThreads: 10
700    # The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients
701    # for which compression should not be used.
702    # [restart required]
703    NoCompressionUserAgents: ""
704    # If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to request.getServerName().
705    # [restart required]
706    ProxyName: ""
707    # If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort().
708    # [restart required]
709    ProxyPort:
710    # If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.
711    # [restart required]
712    RedirectPort: 8443
713    # The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients
714    # for which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features.
715    # [restart required]
716    RestrictedUserAgents: ""
717    # Overrides the Server header for the http response.
718    # If set, the value for this attribute overrides any Server header set by a web application.
719    # If not set, any value specified by the application is used.
720    # If the application does not specify a value then no Server header is set.
721    # [restart required]
722    Server: ""
723    # If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances.
724    # [restart required]
725    TcpNoDelay: true
726    # The priority of the request processing threads within the JVM.
727    # [restart required]
728    ThreadPriority: 5
729    # This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL.
730    # [restart required]
731    URIEncoding: UTF-8
732    # This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding.
733    # [restart required]
734    UseBodyEncodingForURI: false
735    # Set this attribute to true to cause Tomcat to use the IP address that the request was received on to determine the Host to send the request to.
736    # [restart required]
737    UseIPVHosts: false
738    # Set this attribute to true to cause Tomcat to advertise support for the Servlet specification using the header recommended in the specification.
739    # [restart required]
740    XpoweredBy: false
741  
742  # https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
743  # [restart required]
744  HTTPS:
745    # Whether the HTTPS connector is enabled.
746    # [restart required]
747    Enabled: false
748    # The TCP port number on which this Connector will create a server socket and await incoming connections.
749    # [restart required]
750    Port: 8443
751    # The maximum length of the operating system provided queue for incoming connection requests when maxConnections has been reached.
752    # [restart required]
753    AcceptCount: 100
754    # For servers with more than one IP address, this attribute specifies which address will be used for listening
755    # on the specified port.
756    # By default, the connector will listen all local addresses.
757    # [restart required]
758    # [examples: 0.0.0.0, ::]
759    Address: ""
760    # A boolean value which can be used to enable or disable the TRACE HTTP method.
761    # [restart required]
762    AllowTrace: false
763    # 
764    # [restart required]
765    ClientAuth: NONE
766    # The value is a comma separated list of MIME types for which HTTP compression may be used.
767    # [restart required]
768    CompressibleMimeType: text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml
769    # The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth.
770    # [restart required]
771    # [examples: on, off, force]
772    Compression: 'off'
773    # The number of seconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 which disables socket linger.
774    # [restart required]
775    ConnectionLinger: -1
776    # The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented.
777    # [restart required]
778    ConnectionTimeout: 60000
779    # This flag allows the servlet container to use a different, usually longer connection timeout during data upload.
780    # [restart required]
781    DisableUploadTimeout: true
782    # Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client.
783    # Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance).
784    # [restart required]
785    EnableLookups: false
786    # Provides the default value for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize.
787    # [restart required]
788    MaxHttpHeaderSize: 8192
789    # The maximum number of HTTP requests which can be pipelined until the connection is closed by the server.
790    # Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining.
791    # Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests.
792    # [restart required]
793    MaxKeepAliveRequests: 100
794    # The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by default
795    # [restart required]
796    MaxParameterCount: 10000
797    # The maximum total number of parts permitted in a request where the
798    # content type is multipart/form-data. This limit is in
799    # addition to maxParameterCount. Requests that exceed this
800    # limit will be rejected. A value of less than 0 means no limit. If not
801    # specified, a default of -1 is used.
802    # [restart required]
803    MaxPartCount: -1
804    # The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing.
805    # The limit can be disabled by setting this attribute to a value less than zero.
806    # [restart required]
807    MaxPostSize: 2097152
808    # The maximum size in bytes of the request body which will be saved/buffered by
809    # the container during FORM or CLIENT-CERT authentication or during HTTP/1.1 upgrade.
810    # [restart required]
811    MaxSavePostSize: 4096
812    # The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled.
813    # [restart required]
814    MaxThreads: 200
815    # The minimum number of threads always kept running. This includes both active and idle threads.
816    # [restart required]
817    MinSpareThreads: 10
818    # The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients
819    # for which compression should not be used.
820    # [restart required]
821    NoCompressionUserAgents: ""
822    # If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to request.getServerName().
823    # [restart required]
824    ProxyName: ""
825    # If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort().
826    # [restart required]
827    ProxyPort:
828    # If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.
829    # [restart required]
830    RedirectPort: 8443
831    # The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients
832    # for which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features.
833    # [restart required]
834    RestrictedUserAgents: ""
835    # Overrides the Server header for the http response.
836    # If set, the value for this attribute overrides any Server header set by a web application.
837    # If not set, any value specified by the application is used.
838    # If the application does not specify a value then no Server header is set.
839    # [restart required]
840    Server: ""
841    # The name of the protocol to support when communicating with clients.
842    # If you need a fine granular selection of multiple protocols, use the 'SslHostConfig.Protocols' property.
843    # [restart required]
844    # [examples: TLS, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
845    SslProtocol: TLS
846    SslHostConfig:
847      # The names of the protocols to support when communicating with clients.
848      # Multiple protocols can be enabled by separating them with a comma.
849      # [restart required]
850      # [examples: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, all]
851      Protocols: all
852    
853    # 
854    # [restart required]
855    KeyAlias: ""
856    # [password]
857    # [restart required]
858    KeyPass: ""
859    # 
860    # [restart required]
861    KeystoreFile: configuration/keystore.p12
862    # [password]
863    # [restart required]
864    KeystorePass: changeit
865    # 
866    # [restart required]
867    KeystoreType: pkcs12
868    # If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances.
869    # [restart required]
870    TcpNoDelay: true
871    # The priority of the request processing threads within the JVM.
872    # [restart required]
873    ThreadPriority: 5
874    # 
875    # [restart required]
876    TruststoreFile: ""
877    # [password]
878    # [restart required]
879    TruststorePass: ""
880    # 
881    # [restart required]
882    TruststoreType: JKS
883    # This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL.
884    # [restart required]
885    URIEncoding: UTF-8
886    # This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding.
887    # [restart required]
888    UseBodyEncodingForURI: false
889    # Set this attribute to true to cause Tomcat to use the IP address that the request was received on to determine the Host to send the request to.
890    # [restart required]
891    UseIPVHosts: false
892    # Set this attribute to true to cause Tomcat to advertise support for the Servlet specification using the header recommended in the specification.
893    # [restart required]
894    XpoweredBy: false
895
896HealthCheck:
897  # Whether health check is enabled
898  Enabled:
899  Checks:
900    DatabasesConnectionPoolCheck:
901      Enabled: true
902    
903    EngineModeCheck:
904      Enabled: true
905    
906    HeapMemoryCheck:
907      Enabled: true
908    
909    ReleaseCandidateCheck:
910      Enabled: true
911    
912    RestartRequiredCheck:
913      Enabled: true
914    
915    RestClientsConnectionPoolCheck:
916      Enabled: true
917    
918    SysDbConnectionPoolCheck:
919      Enabled: true
920    
921    SystemCpuLoadCheck:
922      Enabled: true
923    
924    SystemMemoryCheck:
925      Enabled: true
926
927Cockpit:
928  # Hide restart button in the Cockpit toolbar.
929  # [enum: Enabled, Disabled]
930  Restart: Enabled