ivy.yaml

[engineDir]/configuration/reference/ivy.yaml

  1# yaml-language-server: $schema=https://json-schema.axonivy.com/ivy/13.2.9/ivy.json
  2#
  3# -------------------------------------------
  4# Axon Ivy Engine Configuration
  5# -------------------------------------------
  6# 
  7# This file shows configurations of the Axon Ivy Engine and its external systems.
  8# https://developer.axonivy.com/doc/13.2/engine-guide/configuration/
  9#
 10# Copy contents of this reference file to 'configuration/ivy.yaml' before adjusting
 11# them to your needs.
 12# https://developer.axonivy.com/doc/13.2/engine-guide/configuration/files/ivy-yaml.html
 13#
 14# By default, the engine is pre-configured to run in demo mode.
 15# To run an engine in a productive environment, at least the system database
 16# has to be configured.
 17#
 18# SECRETS / PASSWORDS:
 19# Any configuration value can be encrypted just by enclosing it with "${encrypt:}".
 20# This applies a reversible encryption private to this Ivy Engine. Because it is reversible, it does not replace restrictive file permissions on this file.
 21# You cannot copy the encrypted values from one engine to another.
 22# Example:
 23# * to encrypt the string "myPassword", write "${encrypt:myPassword}"
 24#   https://developer.axonivy.com/doc/13.2/engine-guide/configuration/advanced-configuration.html#passwords
 25#
 26# OVERRIDING:
 27# Any configuration value provided here can be set in alternative sources. 
 28# * environment variables of the operating system can set app config entries.
 29#    Their key must be prefixed with 'IVY_'. 
 30#    For instance, use 'IVY_SYSTEMDB_URL' to override the jdbc driver url.
 31#    https://developer.axonivy.com/doc/13.2/engine-guide/configuration/advanced-configuration.html#overriding-configuration
 32#
 33
 34# Axon Ivy requires a System Database to store the state of running workflow applications.
 35# Unless you run the engine in Demo mode, a valid System DB driver, url and the user+password credentials are mandatory.
 36# [restart required]
 37SystemDb:
 38  # JDBC URL
 39  # [examples: jdbc:postgresql://localhost:5432/AxonIvySystemDatabase, jdbc:sqlserver://localhost:1433;databaseName=AxonIvySystemDatabase, jdbc:mariadb://localhost:3306/AxonIvySystemDatabase, jdbc:mysql://localhost:3306/AxonIvySystemDatabase, jdbc:oracle:thin:@//localhost:1521/ServiceName, jdbc:oracle:thin:@localhost:1521:ServiceId, jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ServiceName)(SERVER=DEDICATED)))]
 40  Url: ""
 41  # Name of the technical user to connect to system database on behalf of the engine.
 42  # [examples: ivy, AxonIvy, workflowengine]
 43  UserName: ""
 44  # Password for the technical user (see UserName). Write it as "${encrypt:yourPassword}" so it is not stored in plain text.
 45  Password: ""
 46  # Defines how long ivy should wait (in seconds) at startup for the db server to be available
 47  BootTimeout: 60
 48  # JDBC Driver. If not set, it is auto determined based on the JDBC URL.
 49  Driver: ""
 50  # Additional driver specific connection properties.
 51  DriverProperties:
 52  # Maximum number of connections to the system database.
 53  MaxConnections: 50
 54  Creation:
 55    # If set to true, the system database will be created on startup, if it does not exist.
 56    Enabled: true
 57    # Password which will be taken to create the system database (only for Oracle).
 58    Password: ""
 59    # Tablespace which will be used (only for Oracle).
 60    Tablespace: ivy
 61    # Username which will be taken to create the system database (only for Oracle).
 62    UserName: ""
 63
 64# Administrators can configure, monitor and manage the Axon Ivy Engine.
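 65# The default administrator in demo mode is 'admin' with password 'admin'. These credentials are publicly documented; define your own administrator with a hashed password before the engine is reachable by anyone else.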
 66Administrators:
 67#  # example Administrator
 68#  exampleAdministrator:
 69#    # Will be used to send info mails like license expiration
 70#    Email: ""
 71#    # Used to display a nice name for this user
 72#    FullName: ""
 73#    # Used to define the administrator language
 74#    Language:
 75#      # Content is displayed in this language if the content exists in this language.
 76#      # [examples: en, de]
 77#      Content: ""
 78#      # Data like numbers, dates, times and much more are formatted according to this language.
 79#      # [examples: en, en_GB, en_US, de, de_CH, de_AT, de_DE]
 80#      Formatting: ""
 81#    
 82#    # For security reasons, please hash the password(s) using "${hash:mySecret}"
 83#    # The real password cannot be recovered from the hash.
 84#    # [examples: "${hash:mySecret}"]
 85#    Password: ""
 86#  
 87
 88SecuritySystems:
 89  # 'default' security system which exists always
 90  default:
 91    # The security system slug name which will be used in URL as prefix for all resources which are part of the security system.
 92    # If not set, then the security system name will be chosen.
 93    # Only for the default security context this is empty, by default.
 94    UrlPath:
 95    IdentityProvider:
 96      # The Security System manages the user and roles in the system database.
 97      # For the Ivy Security System, no additional configuration is needed.
 98      # For any other Security System, further configuration is needed to integrate such a system.
 99      # [examples: ivy, keycloak, microsoft-active-directory, novell-edirectory, microsoft-entra-id]
100      Name: ivy
101    
102    # The notification channel settings including their default subscription settings which apply to all users.
103    Notification:
104      # Settings for cleaning up notifications.
105      Cleanup:
106        # Notifications older than this will be deleted on a daily basis.
107        DaysUntilDeletion: 90
108      
109      # Parameters to disable notifications if a user is absent.
110      # If no property is set, it will act like NotifyAbsentUser:always.
111      # If NotifyAbsentUser is set to:
112      # always: Send a notification regardless of the user’s absence.
113      # never: Does not send a notification if the user is absent.
114      # noActiveSubstitute: Send a notification only if the absent user does not have an active substitute.
115      # [enum: always, never, noActiveSubstitute]
116      NotifyAbsentUser: always
117      # Settings for an individual Channel.
118      # [examples: web, mail, microsoft-teams]
119      Channels:
120        mail:
121          # Name of the channel.
122          # [examples: web, mail, microsoft-teams]
123          Name: ""
124          # Whether the channel is enabled or not.
125          Enabled: false
126          # The default subscription settings.
127          Events:
128            # Whether all events are enabled or not.
129            # [enum: enabled, disabled]
130            AllKinds: enabled
131            # Array of subscribed events.
132            # [examples: new-task]
133            Kinds:
134        
135        microsoft-teams:
136          # Name of the channel.
137          # [examples: web, mail, microsoft-teams]
138          Name: ""
139          # Whether the channel is enabled or not.
140          Enabled: false
141          # The default subscription settings.
142          Events:
143            # Whether all events are enabled or not.
144            # [enum: enabled, disabled]
145            AllKinds: enabled
146            # Array of subscribed events.
147            # [examples: new-task]
148            Kinds:
149        
150        web:
151          # Name of the channel.
152          # [examples: web, mail, microsoft-teams]
153          Name: ""
154          # Whether the channel is enabled or not.
155          Enabled: true
156          # The default subscription settings.
157          Events:
158            # Whether all events are enabled or not.
159            # [enum: enabled, disabled]
160            AllKinds: enabled
161            # Array of subscribed events.
162            # [examples: new-task]
163            Kinds:
164    
165    # Single Sign-on allows to auto login users.
166    # A reverse proxy has to be installed in front of the Axon Ivy Engine.
167    # It is responsible for authenticating the user.
168    # The name of the user must then be transmitted as a HTTP header.
169    # !! Make sure the Axon Ivy Engine can be reached only through the reverse proxy. Otherwise anyone who can reach the engine directly can send this header themselves and log in as another user.
170    # https://developer.axonivy.com/doc/13.2/engine-guide/integration/single-sign-on
171    # [restart required]
172    SSO:
173      # Whether SSO is enabled
174      Enabled: false
175      # Name of the HTTP header with the username that has to be provided by the reverse proxy. The reverse proxy must remove or overwrite any value of this header that arrives from the client.
176      UserHeader: X-Forwarded-User
177    
178    UserSynch:
179      # Shall we synchronize a user with the Identity Provider at login?
180      # If the user does not exist yet, he will be synchronized anyway.
181      # In case of slow Identity Provider connections, it can make sense to set this to false.
182      OnLogin: true
183      OnSchedule:
184        # Unix Cron expression for the user synchronization.
185        # Format is: minutes, hours, day of month, month, day of the week. e.g. "32 13 * * *" is everyday at 13:32
186        Cron: 0 0 * * *
187        # Shall we run the daily Identity Provider user synchronization job?
188        # When the synchronization runs is defined by 'Cron'.
189        Enabled: true
190        # Shall we import NEW users with the Identity Provider on schedule?
191        # This setting does not affect synchronization of existing users.
192        # If ImportUsers is set to:
193        # true:  NEW users are imported on schedule.
194        # If a user has not yet been imported by the user synchronization job, she is also imported the first time she logs in.
195        # false: NEW users are not imported on schedule.
196        # Instead, a NEW user is only imported the first time she logs in.
197        ImportUsers: true
198    
199    DocumentStorage:
200      # The document storage defines where the workflow documents should be stored.
201      # [enum: local, s3]
202      # [examples: local, s3]
203      Name: local
204    
205    # The default language settings, which applies to all users, who have not explicitly set this in their profile settings.
206    Language:
207      # Content is displayed in this language if the content exists in this language. A locale (language[_COUNTRY])
208      # [examples: en, en_GB, en_US, de, de_CH, de_AT, de_DE, fr, vi]
209      Content: en
210      # Data like numbers, dates, times and much more are formatted according to this language. A locale (language[_COUNTRY])
211      # [examples: en, en_GB, en_US, de, de_CH, de_AT, de_DE, fr, vi]
212      Formatting: en_GB
213    
214    # Configurations for translation services.
215    TranslationService:
216      # The translation service used by default. For example, to provide translation suggestions in the CMS Editor.
217      # [examples: DeepL]
218      DefaultInstance: ""
219      Instances:
220        DeepL:
221          # The API key to authenticate against DeepL.
222          # [password]
223          ApiKey: ""
224          # The maximum time to wait for document translation, in seconds. If this timeout is exceeded, an error is thrown.
225          # [examples: 300]
226          DocumentTranslationTimeout: 300
227          # The URL endpoint of DeepL.
228          # [examples: https://api.deepl.com/v2, https://api-free.deepl.com/v2]
229          Endpoint: https://api.deepl.com/v2
230
231# Web address of the Axon Ivy Engine installation, such as https://yourdomain/.
232# This value is used to let ivy know how to refer to itself, ie. to create links in emails.
233# This is necessary because ivy cannot reliably detect such a URL from within itself.
234# [examples: https://yourdomain.com/]
235BaseUrl: ""
236# The purpose of a reverse proxy is to provide a single point of entry for
237# one or more services from outside the network. The reverse proxy receives all requests from the
238# clients and forwards them to the Axon Ivy Engine which handles them.
239# https://developer.axonivy.com/doc/13.2/engine-guide/integration/reverse-proxy
240# [restart required]
241ReverseProxy:
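242  # HTTP headers which are interpreted by the Axon Ivy Engine to generate the correct URLs for links and redirects. The reverse proxy should set or overwrite these headers itself, so that values supplied by a client are not passed through to the engine.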
243  # [restart required]
244  HttpHeaders:
245    # Name of the HTTP Header for identifying the originating IP address of a client connecting to the reverse proxy server.
246    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
247    # [examples: X-Forwarded-For]
248    ForwardedFor: X-Forwarded-For
249    # Name of the HTTP header for identifying the original host requested by the client. Not needed if the reverse proxy preserves the original host in the 'Host' HTTP Header.
250    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
251    # [examples: X-Forwarded-Host]
252    ForwardedHost: X-Forwarded-Host
253    # Name of the HTTP header used to represent the port number used by the client for the request. Not needed if your reverse proxy uses standard ports (80, 443). Only takes effect when the HTTP Header of 'ForwardedProtocol' is also set on the request.
254    # [examples: X-Forwarded-Port]
255    ForwardedPort: X-Forwarded-Port
256    # Name of the HTTP header for identifying the protocol used between the client and the reverse proxy server.
257    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
258    # [examples: X-Forwarded-Proto, X-Forwarded-Ssl, X-Forwarded-Protocol, Front-End-Https, X-Url-Scheme]
259    ForwardedProtocol: X-Forwarded-Proto
260    # Value of the 'ForwardedProtocol' header to indicate that it is an HTTPS request.
261    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
262    # [examples: https, "on"]
263    ForwardedProtocolHttps: https
264
265SSL:
266  Client:
267    # Manipulates the JVMs default SSLSocketFactory, so that untrusted (self signed or outdated) certificates are silently accepted.
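268    # This could for instance be useful to generate a Webservice stub from an insecure WSDL location. While enabled, servers on these connections are no longer authenticated, so traffic can be intercepted; keep it false in production and add the needed certificates to the trust store below instead.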
269    EnableInsecureSSL: false
270    # A trust store is used to specify trusted server certificates or certificates of certification authorities.
271    # An SSL client authenticates a server by using the certificates in a trust store.
272    # Certificates that are self-signed or signed by an unknown certification authority can be added to this truststore.
273    TrustStore:
274      Algorithm: PKIX
275      File: configuration/truststore.p12
276      # Password to access the store.
277      # [password]
278      Password: changeit
279      Provider: ""
280      Type: PKCS12
281    
282    # A key store is used to read client keys (certificates).
283    # This is only required if a remote server requests a client certificate in order to authenticate the client.
284    KeyStore:
285      Algorithm: SunX509
286      File: configuration/keystore.p12
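287      # Password of the 'ivy' certificate. 'changeit' is a widely known default; set your own KeyPassword and store Password once the key store holds real client keys.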
288      # [password]
289      KeyPassword: changeit
290      # Password to access the store.
291      # [password]
292      Password: changeit
293      Provider: ""
294      Type: PKCS12
295      UseCustom: false
296
297Deployment:
298  # Directory where the server watches for files to deploy.
299  # You can specify a remote network location using a UNC path.
300  # https://developer.axonivy.com/doc/13.2/engine-guide/deployment
301  # [examples: //servername/share/file]
302  Directory: deploy
303  Backup:
304    # The number of backups of deployed projects that are kept on disk
305    # n < 0: infinite number of backups are kept
306    # n = 0: No backups are made or kept
307    # n > 0: Number of backups that are kept.
308    Keep: 5
309
310Data:
311  # Folder where applications are stored, unless otherwise defined in application specific configuration.
312  # 
313  # In demo mode: not configurable and set to: [Data.WorkDirectory]/demo-applications. Absolute and relative paths (to the engine root directory) are supported,
314  # we recommend to use locations outside the engine root directory to facilitate migrations.
315  # !! STOP YOUR ENGINE before changing this setting !!
316  # [restart required]
317  AppDirectory: applications
318  # Folder where runtime data will be stored. Absolute and relative paths (to the engine root directory) are supported,
319  # we recommend to use locations outside the engine root directory to facilitate migrations.
320  # !! STOP YOUR ENGINE before changing this setting !!
321  # [restart required]
322  Directory: data
323  # DEPRECATED: All runtime data will be stored by default in Data.Directory specified in ivy.yaml. Use Data.Directory
324  # to change the location of stored files.
325  # 
326  # Root folder where application data files are stored.
327  # A change in this setting will NOT move existing application files to the new location.
328  # You have to move existing files manually to the new directory.
329  # 
330  # If not set the files will be stored under the path Data.Directory configured in ivy.yaml. Absolute and relative paths (to the engine root directory) are supported,
331  # we recommend to use locations outside the engine root directory to facilitate migrations.
332  # !! STOP YOUR ENGINE before changing this setting !!
333  # [restart required]
334  FilesDirectory: ""
335
336DataCache:
337  # Invalidate data cache groups and entries.
338  # Checks if the lifetime of caches has ended and invalidates them.
339  # You can set the delay in milliseconds between each check.
340  # This delay has to be greater than 0.
341  InvalidationInterval: 60000
342
343# Axon Ivy uses a search engine to provide scalable full text search capabilities.
344# The bundled instance is started on demand, in a separate JVM, when an API request needs it.
345# You can operate Axon Ivy with the bundled search engine server or with your own external search engine cluster.
346SearchEngine:
347  # The bundled search engine server...
348  # - is started in a separate JVM.
349  # - is reachable only on 'localhost', but the access is unprotected: every user or process on the engine host can talk to it without authentication.
350  # - JVM arguments used to start the bundled search engine server can be configured in the '[ivyEngine]/configuration/opensearch/jvm.options' file.
351  # [restart required]
352  BundledServer:
353    # Path to the directory where the bundled search engine server stores data.
354    # It is recommended to configure a data directory that is located outside of
355    # the Engine installation directory to ease the Engine migration to newer versions.
356    # [restart required]
357    DataPath: data/_/opensearch
358    # Path to the directory where the bundled search engine should log.
359    # [restart required]
360    LogPath: logs/opensearch
361    # Name of the cluster of the bundled search engine server.
362    # [restart required]
363    ClusterName: ivy-opensearch-{uid}
364    # Port to communicate with bundled search engine server
365    # AUTO: A free port in port range 19200-19299 is searched automatically.
366    # <integer>: A fixed port number that you define. We recommend to use a number > 10000.
367    # Make sure it is free.
368    # [restart required]
369    Port: AUTO
370  
371  # Configure access to your own search engine server if you want to use it instead of the bundled server.
372  # 
373  # To install your own search engine server follow these steps
374  # https://opensearch.org/docs/2.19/install-and-configure/install-opensearch/index/
375  # 
376  # Currently, Axon Ivy supports OpenSearch in version 2.19.
377  # If your OpenSearch server is running on another host, the access to that instance has to be protected.
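378  # You can achieve that with a front-end webserver like NGINX that enforces basic authentication. Use an https URL in that case, because basic authentication sends the credentials in a form that is readable on an unencrypted connection.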
379  # [restart required]
380  ExternalServer:
381    # Configure the URL of your own OpenSearch server if you want to use it instead of the bundled server.
382    # [restart required]
383    Url: ""
384    # Name of the user to use to authenticate in the external OpenSearch server
385    UserName: ""
386    # Password of the user to use to authenticate in the external OpenSearch server.
387    # [examples: "${encrypt:}"]
388    # [password]
389    Password: ""
390  
391  # Settings for the indexes that are created in the search engine.
392  Index:
393    # The name prefix for the indexes.
394    # If multiple Ivy Engines use the same OpenSearch server instance, you need to define unique NamePrefixes per engine.
395    # You might add the engine host name as part of the name prefix, i.e. 'servername'
396    # [restart required]
397    NamePrefix: ivy
398    Reindex:
399      # The size of the queue that is used to store objects read from the database until they are written to the search engine
400      # [restart required]
401      QueueSize: 10000
402      # The number of objects that Ivy reads in one batch from the system database.
403      # [restart required]
404      ReadWindowSize: 1000
405      # The number of objects that Ivy writes in one batch to the search engine.
406      # [restart required]
407      WriteWindowSize: 1000
408    
409    # If BusinessData are not well modeled for OpenSearch, you may have to increase the 'total_fields.limit' of the mapping.
410    # Performance may decrease. If you change this setting, you need to reindex all business data in Engine Cockpit.
411    # [restart required]
412    TotalFieldsLimit: 4000
413  
414  # Configures the search engine client. The client is the ivy engine which communicates with the search engine.
415  Client:
416    # Maximum seconds to wait until a connection to the search engine can be established.
417    # [restart required]
418    ConnectTimeout: 10
419    # Maximum seconds to wait for data to be sent by search engine.
420    # Raise this value if large datasets are expected.
421    # [restart required]
422    ReadTimeout: 30
423
424EMail:
425  # Whether mails should be sent or not
426  Enabled: true
427  # All mails will be sent via this mail server
428  Server:
429    # Mail server host name or IP address
430    Host: ""
431    # Mail server port
432    Port: -1
433    # Email address that will be used for emails sent by the server (e.g. task notification emails)
434    MailAddress: noreply@ivyserver.local
435    User: guest
436    # The password for the mail user
437    # [password]
438    Password: ""
439    # A password provider set the password on the mail session from an external resource
440    PasswordProvider:
441      # Name of the password provider
442      # [examples: office365-oauth2]
443      Name: ""
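444    # With NONE, the login (User/Password) and the mail content are sent to the mail server unencrypted; prefer START_TLS or SSL where the server supports it.
445    # [enum: NONE, START_TLS, SSL]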
446    EncryptionMethod: NONE
447    # Additional properties which will be set on the mail session
448    # Read https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html
449    SessionProperties:
450      mail.smtp.auth.xoauth2.disable: false
451    
452    # Specifies the maximum number of emails that can be sent concurrently
453    # [restart required]
454    MaxConcurrentSendings: 10
455    # Certificates are to be stored in the Ivy keystore (default: configuration/keystore.p12; see below at SSL / Client), with the alias defined below.
456    SSL:
457      # Specifies the alias of the client certificate in the Ivy keystore.
458      KeyAlias: ""
459      # Specifies whether a client certificate should be used for authentication
460      UseKey: false
461
462# Detection of Axon Ivy versions. Available updates are listed on the Axon Ivy Engine main web page.
463UpdateChecker:
464  # Shall update notification messages be shown and statistic information sent to the update server?
465  # 
466  # While checking for new versions the following statistic information is sent to the update server.
467  # This information is only used to improve the product!
468  # - Engine (version, up time)
469  # - Configuration (number of: cluster nodes, users, licensed users, applications, process model, process model version, deleted process model version, running workflows)
470  # - Licence information (number, organisation, individual)
471  # - Operating system information (name, version, architecture, number of processors)
472  # - Host information (host name, SHA-256 hashes of IP address and MAC address to identify the host without being able to read the original IP address and MAC address itself)
473  # - System database (product name and version, driver, identification number)
474  # - JVM (Java virtual machine) information (version, vendor, name, memory)
475  # - Used features: we collect the features you are using such as the active connector technologies (REST, SOAP, JPA, ...).
476  # You may inspect the sent information on your own, by enabling the Logger `ch.ivyteam.ivy.update.metrics` on level `DEBUG`.
477  Enabled: true
478  # Time of day when an update check will be executed
479  # The engine must be running at this time otherwise the update check will not be executed.
480  # Format is hh:mm.
481  # [daytime]
482  # [examples: 02:00, 14:15]
483  ExecutionTime: ""
484
485Cluster:
486  # The name of the cluster.
487  # It is used to find and communicate with other nodes of the same cluster.
488  # Multiple clusters located in the same network must have different cluster names.
489  # Otherwise the nodes of both clusters find each other and build one cluster instead of two.
490  # [restart required]
491  Name: IvyCluster
492  # The name of this node.
493  # If not configured, a random name is generated.
494  # The name of a node is also used as jvm route identifier that is used by some load balancers to provide sticky sessions.
495  # https://developer.axonivy.com/doc/13.2/engine-guide/integration/cluster
496  # [restart required]
497  NodeName: ""
498
499# When an error occurs while processing a user request, an error screen is displayed to the user.
500# The displayed error page can be customized for your needs:
501# https://developer.axonivy.com/doc/13.2/engine-guide/configuration/files/web-xml.html
502Errors:
503  # Shall the end user see detailed error information (stacktraces, detailed error reports, etc.)?
504  # By default (false) we only show a unique 'Error Id'. This 'Error Id' can be used to find the error in the log files.
505  # For security reasons, normal users should not see technical implementation details.
506  # But in development or pre-production environments, it might be safe to show the full error details directly to the end user.
507  ShowDetailsToEndUser: false
508
509Persistence:
510  JPA:
511    # Persist ivyScript auto initialized fields with NULL values. Affects types:
512    # - ch.ivyteam.ivy.scripting.objects.Date
513    # - ch.ivyteam.ivy.scripting.objects.DateTime
514    # - ch.ivyteam.ivy.scripting.objects.Time
515    # If this option is set to false, auto initialized values are stored as before Axon Ivy 6.4.
516    defaultInitializedAsNull: true
517
518ProcessEngine:
519  FiringStatistic:
520    # If set to true, a process element statistic is written periodically to the log directory.
521    # May impact server performance.
522    Active: false
523    # Interval in seconds the 'process element statistic' is written to the log directory
524    Interval: 300
525
526Boot:
527  # Switch to maintenance mode if a configuration problem is detected during startup.
528  # If set to DISABLED you can explicitly start the engine in maintenance mode by using the command line option '-maintenance'.
529  # [enum: AUTO, DISABLED]
530  MaintenanceMode: AUTO
531
532Workflow:
533  History:
534    # Can completed cases and tasks be seen by substitutes of the user who worked on them?
535    # [enum: VISIBLE, INVISIBLE]
536    ForSubstitutes: VISIBLE
537
538ThreadPool:
539  # Executes process engine background operations like Database, WebService calls, etc.
540  BackgroundOperationExecutor:
541    # Minimum number of threads
542    CorePoolSize: 5
543    # Maximum number of threads
544    MaximumPoolSize: 200
545  
546  # Executes unscheduled jobs
547  ImmediateJobExecutor:
548    # Minimum number of threads
549    CorePoolSize: 5
550    # Maximum number of threads
551    MaximumPoolSize: 50
552  
553  # Executes scheduled jobs
554  ScheduledJobExecutor:
555    # Minimum number of threads
556    CorePoolSize: 5
557
558SystemTask:
559  Failure:
560    # Defines the behaviour in case a system task fails.
561    # [enum: FAIL_TASK_DO_RETRY, FAIL_TASK_DO_NOT_RETRY, DESTROY_TASK, DESTROY_CASE]
562    Behaviour: FAIL_TASK_DO_RETRY
563  
564  SearchJob:
565    # Interval in seconds between executions of the search job for system tasks.
566    # The job searches system tasks that were not executed because of failures.
567    Interval: 900
568
569# Configures the RESTful services provided.
570REST:
571  Servlet:
572    # Controls the REST servlet interface. If disabled no REST resources will be accessible.
573    # Calls to remote REST services are still possible.
574    # [restart required]
575    Enabled: true
576    # Controls whether the REST resources provided by the Axon Ivy Engine should be available or not
577    # [restart required]
578    API: true
579    # Controls whether the REST resource for remote deployment under '/system/api/apps/{application}' is available or not. If you do not deploy remotely, set it to false so that this endpoint is not exposed.
580    # [restart required]
581    Deployment: true
582    # Cross Site Request Forgery (CSRF) settings
583    # [restart required]
584    CSRF:
585      # Provides the general CSRF protection via 'X-Requested-By' header for REST services.
586      # [restart required]
587      Protection: true
588    
589    # Allows the service developer to get diagnostic information about request processing by Jersey.
590    # Those diagnostic/tracing information are returned in response headers (X-Jersey-Tracing-nnn).
591    # On productive environments this feature should not be turned on.
592    # [restart required]
593    # [enum: OFF, ON_DEMAND, ALL]
594    Tracing: 'OFF'
595
596Session:
597  # Session identifier will be renewed on login to prevent the 'Session Fixation' attack.
598  RenewIdOnLogin: true
599  # Defines the amount of time in minutes after which an inactive user session will be closed.
600  # [restart required]
601  Timeout: 30
602
603WebServer:
604  # HTTP headers that are added to a server response.
     # This reference file sets Referrer-Policy, X-Content-Type-Options and X-Frame-Options; the other entries are empty.
     # NOTE(review): an entry left as "" is presumably not sent at all - confirm in the engine guide.
605  # [restart required]
606  HttpHeaders:
607    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
608    # [restart required]
609    # [examples: unsafe-none, require-corp, credentialless]
610    Cross-Origin-Embedder-Policy: ""
611    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
612    # [restart required]
613    # [examples: unsafe-none, same-origin-allow-popups, same-origin, noopener-allow-popups]
614    Cross-Origin-Opener-Policy: ""
615    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Resource-Policy
616    # [restart required]
617    # [examples: same-site, same-origin, cross-origin]
618    Cross-Origin-Resource-Policy: ""
619    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy
620    # [restart required]
621    # [examples: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url]
622    Referrer-Policy: strict-origin-when-cross-origin
623    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security
       # Browsers honour this header only on HTTPS responses and then use HTTPS only for this host for max-age seconds,
       # so set it only once HTTPS (Connector.HTTPS or a TLS-terminating proxy) is permanently available.
624    # [restart required]
625    # [examples: max-age=63072000]
626    Strict-Transport-Security: ""
627    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
628    # [restart required]
629    # [examples: nosniff]
630    X-Content-Type-Options: nosniff
631    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
       # SAMEORIGIN lets only pages of the same origin frame the engine's pages (clickjacking protection).
632    # [restart required]
633    # [examples: DENY, SAMEORIGIN]
634    X-Frame-Options: SAMEORIGIN
635  
636  # Name of the Ivy servlet context. Use a simple name without any special characters.
637  # [restart required]
638  # [examples: ivy, workflow]
639  IvyContextName: ""
640  PrimeFaces:
641    # https://primefaces.github.io/primefaces/13_0_0/#/core/contentsecuritypolicy?id=content-security-policy
642    # [restart required]
643    ContentSecurityPolicy:
         # Content Security Policy is switched off in this reference file.
         # NOTE(review): 'reportOnly' presumably reports policy violations without blocking them, which allows a
         # policy to be tried out before it is enforced - confirm in the PrimeFaces documentation linked above.
644      # [examples: false, true, reportOnly]
645      Enabled: false
646      # [examples: object-src 'none'; base-uri 'none'; frame-ancestors 'self'; worker-src 'self' blob:; script-src 'strict-dynamic']
647      Policy: ""
         # NOTE(review): presumably the policy that is used when Enabled is reportOnly - confirm before relying on it.
648      ReportOnlyPolicy: ""
649
650OfflineDialog:
651  # Whether the Mobile Offline Dialog feature is enabled. Disable it if you don't use the feature.
652  # [restart required]
653  Enabled: true
654
655Connector:
656  # https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
657  # [restart required]
658  HTTP:
659    # Whether the HTTP connector is enabled.
       # Requests on this connector are unencrypted HTTP. If users reach the engine over an untrusted network,
       # put a TLS-terminating reverse proxy in front of it or use the HTTPS connector below.
660    # [restart required]
661    Enabled: true
662    # The TCP port number on which this Connector will create a server socket and await incoming connections.
663    # [restart required]
664    Port: 8080
665    # The maximum length of the operating system provided queue for incoming connection requests when maxConnections has been reached.
666    # [restart required]
667    AcceptCount: 100
668    # For servers with more than one IP address, this attribute specifies which address will be used for listening
669    # on the specified port.
670    # By default, the connector will listen on all local addresses.
671    # [restart required]
672    # [examples: 0.0.0.0, ::]
673    Address: ""
674    # A boolean value which can be used to enable or disable the TRACE HTTP method.
       # Keep it disabled unless it is needed for debugging: a TRACE response echoes the request, including its headers, back to the client.
675    # [restart required]
676    AllowTrace: false
677    # The value is a comma separated list of MIME types for which HTTP compression may be used.
678    # [restart required]
679    CompressibleMimeType: text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml
680    # The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth.
681    # [restart required]
682    # [examples: on, off, force]
683    Compression: 'off'
684    # The number of seconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 which disables socket linger.
685    # [restart required]
686    ConnectionLinger: -1
687    # The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented.
688    # [restart required]
689    ConnectionTimeout: 60000
690    # This flag allows the servlet container to use a different, usually longer connection timeout during data upload.
691    # [restart required]
692    DisableUploadTimeout: true
693    # Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client.
694    # Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance).
695    # [restart required]
696    EnableLookups: false
697    # Provides the default value for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize.
698    # [restart required]
699    MaxHttpHeaderSize: 8192
700    # The maximum number of HTTP requests which can be pipelined until the connection is closed by the server.
701    # Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining.
702    # Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests.
703    # [restart required]
704    MaxKeepAliveRequests: 100
705    # The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by default.
706    # [restart required]
707    MaxParameterCount: 10000
708    # The maximum total number of parts permitted in a request where the
709    # content type is multipart/form-data. This limit is in
710    # addition to maxParameterCount. Requests that exceed this
711    # limit will be rejected. A value of less than 0 means no limit. If not
712    # specified, a default of -1 is used.
       # With -1 the number of parts in one multipart request is unbounded; a finite value caps the work a single request can demand.
713    # [restart required]
714    MaxPartCount: -1
715    # The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing.
716    # The limit can be disabled by setting this attribute to a value less than zero.
717    # [restart required]
718    MaxPostSize: 2097152
719    # The maximum size in bytes of the request body which will be saved/buffered by
720    # the container during FORM or CLIENT-CERT authentication or during HTTP/1.1 upgrade.
721    # [restart required]
722    MaxSavePostSize: 4096
723    # The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled.
724    # [restart required]
725    MaxThreads: 200
726    # The minimum number of threads always kept running. This includes both active and idle threads.
727    # [restart required]
728    MinSpareThreads: 10
729    # The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients
730    # for which compression should not be used.
731    # [restart required]
732    NoCompressionUserAgents: ""
733    # If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to request.getServerName().
734    # [restart required]
735    ProxyName: ""
736    # If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort().
       # No value is set in this reference file (the key is left empty, i.e. YAML null).
737    # [restart required]
738    ProxyPort:
739    # If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.
740    # [restart required]
741    RedirectPort: 8443
742    # The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients
743    # for which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features.
744    # [restart required]
745    RestrictedUserAgents: ""
746    # Overrides the Server header for the HTTP response.
747    # If set, the value for this attribute overrides any Server header set by a web application.
748    # If not set, any value specified by the application is used.
749    # If the application does not specify a value then no Server header is set.
750    # [restart required]
751    Server: ""
752    # If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances.
753    # [restart required]
754    TcpNoDelay: true
755    # The priority of the request processing threads within the JVM.
756    # [restart required]
757    ThreadPriority: 5
758    # This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL.
759    # [restart required]
760    URIEncoding: UTF-8
761    # This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding.
762    # [restart required]
763    UseBodyEncodingForURI: false
764    # Set this attribute to true to cause Tomcat to use the IP address that the request was received on to determine the Host to send the request to.
765    # [restart required]
766    UseIPVHosts: false
767    # Set this attribute to true to cause Tomcat to advertise support for the Servlet specification using the header recommended in the specification.
       # Leaving it false keeps this server detail out of every response.
768    # [restart required]
769    XpoweredBy: false
770  
771  # https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
772  # [restart required]
773  HTTPS:
774    # Whether the HTTPS connector is enabled.
775    # [restart required]
776    Enabled: false
777    # The TCP port number on which this Connector will create a server socket and await incoming connections.
778    # [restart required]
779    Port: 8443
780    # The maximum length of the operating system provided queue for incoming connection requests when maxConnections has been reached.
781    # [restart required]
782    AcceptCount: 100
783    # For servers with more than one IP address, this attribute specifies which address will be used for listening
784    # on the specified port.
785    # By default, the connector will listen on all local addresses.
786    # [restart required]
787    # [examples: 0.0.0.0, ::]
788    Address: ""
789    # A boolean value which can be used to enable or disable the TRACE HTTP method.
       # Keep it disabled unless it is needed for debugging: a TRACE response echoes the request, including its headers, back to the client.
790    # [restart required]
791    AllowTrace: false
792    # NOTE(review): presumably controls TLS client-certificate authentication (mutual TLS); with NONE no client certificate would be requested. The accepted values are not listed in this file - confirm in the engine guide.
793    # [restart required]
794    ClientAuth: NONE
795    # The value is a comma separated list of MIME types for which HTTP compression may be used.
796    # [restart required]
797    CompressibleMimeType: text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml
798    # The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth.
799    # [restart required]
800    # [examples: on, off, force]
801    Compression: 'off'
802    # The number of seconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 which disables socket linger.
803    # [restart required]
804    ConnectionLinger: -1
805    # The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented.
806    # [restart required]
807    ConnectionTimeout: 60000
808    # This flag allows the servlet container to use a different, usually longer connection timeout during data upload.
809    # [restart required]
810    DisableUploadTimeout: true
811    # Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client.
812    # Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance).
813    # [restart required]
814    EnableLookups: false
815    # Provides the default value for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize.
816    # [restart required]
817    MaxHttpHeaderSize: 8192
818    # The maximum number of HTTP requests which can be pipelined until the connection is closed by the server.
819    # Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining.
820    # Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests.
821    # [restart required]
822    MaxKeepAliveRequests: 100
823    # The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by default.
824    # [restart required]
825    MaxParameterCount: 10000
826    # The maximum total number of parts permitted in a request where the
827    # content type is multipart/form-data. This limit is in
828    # addition to maxParameterCount. Requests that exceed this
829    # limit will be rejected. A value of less than 0 means no limit. If not
830    # specified, a default of -1 is used.
       # With -1 the number of parts in one multipart request is unbounded; a finite value caps the work a single request can demand.
831    # [restart required]
832    MaxPartCount: -1
833    # The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing.
834    # The limit can be disabled by setting this attribute to a value less than zero.
835    # [restart required]
836    MaxPostSize: 2097152
837    # The maximum size in bytes of the request body which will be saved/buffered by
838    # the container during FORM or CLIENT-CERT authentication or during HTTP/1.1 upgrade.
839    # [restart required]
840    MaxSavePostSize: 4096
841    # The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled.
842    # [restart required]
843    MaxThreads: 200
844    # The minimum number of threads always kept running. This includes both active and idle threads.
845    # [restart required]
846    MinSpareThreads: 10
847    # The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients
848    # for which compression should not be used.
849    # [restart required]
850    NoCompressionUserAgents: ""
851    # If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to request.getServerName().
852    # [restart required]
853    ProxyName: ""
854    # If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort().
       # No value is set in this reference file (the key is left empty, i.e. YAML null).
855    # [restart required]
856    ProxyPort:
857    # If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.
858    # [restart required]
859    RedirectPort: 8443
860    # The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients
861    # for which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features.
862    # [restart required]
863    RestrictedUserAgents: ""
864    # Overrides the Server header for the HTTP response.
865    # If set, the value for this attribute overrides any Server header set by a web application.
866    # If not set, any value specified by the application is used.
867    # If the application does not specify a value then no Server header is set.
868    # [restart required]
869    Server: ""
870    # The name of the protocol to support when communicating with clients.
871    # If you need a fine-grained selection of multiple protocols, use the 'SslHostConfig.Protocols' property.
872    # [restart required]
873    # [examples: TLS, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
874    SslProtocol: TLS
875    SslHostConfig:
876      # The names of the protocols to support when communicating with clients.
877      # Multiple protocols can be enabled by separating them with a comma.
         # 'all' does not restrict the connector to current TLS versions: per the Tomcat documentation linked above it is an
         # alias that also covers TLSv1 and TLSv1.1, which are then offered wherever the JVM still permits them.
         # List the wanted versions explicitly (for example TLSv1.2,TLSv1.3) unless legacy clients have to be served.
878      # [restart required]
879      # [examples: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, all]
880      Protocols: all
881    
882    # Alias of the server key and certificate inside the keystore; empty in this reference file. NOTE(review): per the Tomcat documentation linked above the first key found is used when no alias is given - confirm for the engine.
883    # [restart required]
884    KeyAlias: ""
885    # [password]
886    # [restart required]
887    KeyPass: ""
888    # Path of the keystore file that holds the server certificate and its private key. NOTE(review): the relative path is presumably resolved against the engine directory - confirm.
889    # [restart required]
890    KeystoreFile: configuration/keystore.p12
       # Password of the keystore. 'changeit' is the publicly known Java keystore default: before enabling HTTPS, use your own
       # keystore and password, and store the password as "${encrypt:...}" (see SECRETS / PASSWORDS in the file header).
891    # [password]
892    # [restart required]
893    KeystorePass: changeit
894    # Format of the keystore file (pkcs12 in this reference file).
895    # [restart required]
896    KeystoreType: pkcs12
897    # If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances.
898    # [restart required]
899    TcpNoDelay: true
900    # The priority of the request processing threads within the JVM.
901    # [restart required]
902    ThreadPriority: 5
903    # Path of the truststore file; empty in this reference file. NOTE(review): presumably holds the CA certificates used to verify client certificates when ClientAuth is not NONE - confirm.
904    # [restart required]
905    TruststoreFile: ""
906    # [password]
907    # [restart required]
908    TruststorePass: ""
909    # Format of the truststore file (JKS in this reference file).
910    # [restart required]
911    TruststoreType: JKS
912    # This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL.
913    # [restart required]
914    URIEncoding: UTF-8
915    # This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding.
916    # [restart required]
917    UseBodyEncodingForURI: false
918    # Set this attribute to true to cause Tomcat to use the IP address that the request was received on to determine the Host to send the request to.
919    # [restart required]
920    UseIPVHosts: false
921    # Set this attribute to true to cause Tomcat to advertise support for the Servlet specification using the header recommended in the specification.
       # Leaving it false keeps this server detail out of every response.
922    # [restart required]
923    XpoweredBy: false
924
925HealthCheck:
926  # Whether the health check is enabled. No value is set in this reference file (the key is left empty, i.e. YAML null).
     # NOTE(review): which default applies when the value is empty is not stated here - confirm in the engine guide.
927  Enabled:
     # The individual checks; each one has its own Enabled switch and all of them are switched on in this reference file.
928  Checks:
929    ConfigurationCheck:
930      Enabled: true
931    
932    DatabasesConnectionPoolCheck:
933      Enabled: true
934    
935    EngineModeCheck:
936      Enabled: true
937    
938    HeapMemoryCheck:
939      Enabled: true
940    
941    ReleaseCandidateCheck:
942      Enabled: true
943    
944    RestartRequiredCheck:
945      Enabled: true
946    
947    RestClientsConnectionPoolCheck:
948      Enabled: true
949    
950    SysDbConnectionPoolCheck:
951      Enabled: true
952    
953    SystemCpuLoadCheck:
954      Enabled: true
955    
956    SystemMemoryCheck:
957      Enabled: true
958
959Cockpit:
960  # Hide restart button in the Cockpit toolbar.
961  # [enum: Enabled, Disabled]
962  Restart: Enabled