{ "$schema" : "https://json-schema.org/draft/2019-09/schema", "type" : "object", "properties" : { "SystemDb" : { "$ref" : "#/$defs/system-db.json", "description" : "Axon Ivy requires a System Database to store the state of running workflow applications.\nUnless you run the engine in Demo mode, a valid System DB driver, url and the user+password credentials are mandatory.\n[restart required]" }, "Administrators" : { "type" : "object", "additionalProperties" : { "$ref" : "#/$defs/administrator.json" }, "description" : "Administrators can configure, monitor and manage the Axon Ivy Engine.\nThe default administrator in demo mode is 'admin' with password 'admin'." }, "SecuritySystems" : { "type" : "object", "additionalProperties" : { "$ref" : "#/$defs/security-system.json" } }, "BaseUrl" : { "description" : "Web address of the Axon Ivy Engine installation, such as https://yourdomain/.\nThis value is used to let ivy know how to refer to itself, ie. to create links in emails.\nThis is necessary because ivy cannot reliably detect such a URL from within itself.", "additionalProperties" : false, "type" : "string", "examples" : [ "https://yourdomain.com/" ] }, "ReverseProxy" : { "$ref" : "#/$defs/reverse-proxy.json", "description" : "The purpose of a reverse proxy is to provide a single point of entry for\none or more services from outside the network. The reverse proxy receives all requests from the\nclients and forwards them to the Axon Ivy Engine which handles them.\n@engine.guide.url@/integration/reverse-proxy\n[restart required]" }, "SSL" : { "$ref" : "#/$defs/ssl.json" }, "Deployment" : { "$ref" : "#/$defs/deployment.json" }, "Data" : { "$ref" : "#/$defs/data-directory.json" }, "DataCache" : { "$ref" : "#/$defs/data-cache.json" }, "SearchEngine" : { "$ref" : "#/$defs/searchengine.json", "description" : "Axon Ivy uses an search engine to provide scalable full text search capabilities.\nThe bundled instance is started on demand, in a separate JVM, when an API request needs it.\nYou can operate Axon Ivy with the bundled search engine server or with your own external search engine cluster." }, "EMail" : { "$ref" : "#/$defs/mail-server.json" }, "UpdateChecker" : { "$ref" : "#/$defs/update.json", "description" : "Detection of Axon Ivy versions. Available updates are listed on the Axon Ivy Engine main web page." }, "Cluster" : { "$ref" : "#/$defs/cluster.json" }, "Errors" : { "$ref" : "#/$defs/errors.json", "description" : "When an error occurs while processing a user request, an error screen is displayed to the user.\nThe displayed error page can be customized for your needs:\n@engine.guide.url@/configuration/files/web-xml.html" }, "Persistence" : { "$ref" : "#/$defs/persistence.json" }, "ProcessEngine" : { "$ref" : "#/$defs/process-engine.json" }, "Boot" : { "$ref" : "#/$defs/boot.json" }, "Workflow" : { "$ref" : "#/$defs/workflow.json" }, "ThreadPool" : { "$ref" : "#/$defs/thread-pool.json" }, "SystemTask" : { "$ref" : "#/$defs/system-task.json" }, "REST" : { "$ref" : "#/$defs/rest.json", "description" : "Configures the RESTful services provided." }, "Session" : { "$ref" : "#/$defs/session.json" }, "WebServer" : { "$ref" : "#/$defs/webserver.json" }, "OfflineDialog" : { "$ref" : "#/$defs/offline-dialog.json" }, "Connector" : { "$ref" : "#/$defs/connector.json" }, "HealthCheck" : { "$ref" : "#/$defs/health-check.json" } }, "additionalProperties" : false, "$defs" : { "system-db.json.Creation" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "If set to true, the system database will be created on startup, if it does not exist.", "default" : "true" }, "Password" : { "type" : "string", "description" : "Password which will be taken to create the system database (only for Oracle)." }, "Tablespace" : { "type" : "string", "description" : "Tablespace which will be used (only for Oracle).", "default" : "ivy" }, "UserName" : { "type" : "string", "description" : "Username which will be taken to create the system database (only for Oracle)." } }, "additionalProperties" : false }, "system-db.json.DriverProperties" : { "type" : "object" }, "system-db.json" : { "type" : "object", "properties" : { "Url" : { "description" : "JDBC URL", "additionalProperties" : false, "type" : "string", "examples" : [ "jdbc:postgresql://localhost:5432/AxonIvySystemDatabase", "jdbc:sqlserver://localhost:1433;databaseName=AxonIvySystemDatabase", "jdbc:mariadb://localhost:3306/AxonIvySystemDatabase", "jdbc:mysql://localhost:3306/AxonIvySystemDatabase", "jdbc:oracle:thin:@//localhost:1521/ServiceName", "jdbc:oracle:thin:@localhost:1521:ServiceId", "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ServiceName)(SERVER=DEDICATED)))" ] }, "UserName" : { "description" : "Name of the technical user to connect to system database on behalf of the engine.", "additionalProperties" : false, "type" : "string", "examples" : [ "ivy", "AxonIvy", "workflowengine" ] }, "Password" : { "type" : "string", "description" : "Password for the technical user (see UserName)." }, "BootTimeout" : { "type" : "integer", "description" : "Defines how long ivy should wait (in seconds) at startup for the db server to be available", "default" : "60" }, "Driver" : { "type" : "string", "description" : "JDBC Driver. If not set, it is auto determined based on the JDBC URL." }, "DriverProperties" : { "$ref" : "#/$defs/system-db.json.DriverProperties", "description" : "Additional driver specific connection properties." }, "MaxConnections" : { "type" : "integer", "description" : "Maximum number of connections to the system database.", "default" : "50" }, "Creation" : { "$ref" : "#/$defs/system-db.json.Creation" } }, "required" : [ "Url", "UserName", "Password" ], "additionalProperties" : false }, "administrator.json.Language" : { "type" : "object", "properties" : { "Content" : { "description" : "Content is displayed in this language if the content exists in this language.", "additionalProperties" : false, "type" : "string", "examples" : [ "en", "de" ] }, "Formatting" : { "description" : "Data like numbers, dates, times and much more are formatted according to this language.", "additionalProperties" : false, "type" : "string", "examples" : [ "en", "en_GB", "en_US", "de", "de_CH", "de_AT", "de_DE" ] } }, "additionalProperties" : false }, "administrator.json" : { "type" : "object", "properties" : { "Email" : { "type" : "string", "description" : "Will be used to send info mails like license expiration" }, "FullName" : { "type" : "string", "description" : "Used to display a nice name for this user" }, "Language" : { "$ref" : "#/$defs/administrator.json.Language", "description" : "Used to define the administrator language" }, "Password" : { "description" : "For security reasons, please hash the password(s) using \"${hash:mySecret}\"\nThe real password cannot be recovered from the hash.", "additionalProperties" : false, "type" : "string", "examples" : [ "\"${hash:mySecret}\"" ] } }, "additionalProperties" : false }, "security-system.json.AllKinds-1" : { "type" : "string", "enum" : [ "enabled", "disabled" ] }, "security-system.json.AllKinds-2" : { "type" : "string", "enum" : [ "enabled", "disabled" ] }, "notification-channel-microsoft-teams.json.Proxy" : { "type" : "object", "properties" : { "Password" : { "description" : "Password to authenticate against the forward proxy", "format" : "password", "additionalProperties" : false, "type" : "string", "examples" : [ "proxyPassword" ] }, "Url" : { "description" : "Url of the forward proxy", "additionalProperties" : false, "type" : "string", "examples" : [ "https://myproxy.com" ] }, "UserName" : { "description" : "Username to authenticate against the forward proxy ", "additionalProperties" : false, "type" : "string", "examples" : [ "proxyUser" ] } }, "additionalProperties" : false }, "notification-channel-microsoft-teams.json.TechnicalUser" : { "type" : "object", "properties" : { "Mail" : { "type" : "string" }, "Password" : { "type" : "string" } }, "required" : [ "Mail", "Password" ], "additionalProperties" : false }, "notification-channel-microsoft-teams.json" : { "type" : "object", "properties" : { "ClientId" : { "type" : "string", "description" : "Client ID provided by Microsoft Entra ID when registering the application for sending messages." }, "Proxy" : { "$ref" : "#/$defs/notification-channel-microsoft-teams.json.Proxy" }, "TechnicalUser" : { "$ref" : "#/$defs/notification-channel-microsoft-teams.json.TechnicalUser", "description" : "The login credentials of the technical user used for sending messages." }, "TenantId" : { "type" : "string", "description" : "Microsoft Entra ID ID" } }, "required" : [ "ClientId", "TechnicalUser", "TenantId" ], "additionalProperties" : false }, "security-system.json.Channel" : { "type" : "object", "properties" : { "Name" : { "description" : "Name of the channel.", "additionalProperties" : false, "type" : "string", "examples" : [ "web", "mail", "microsoft-teams" ] }, "Enabled" : { "type" : "boolean", "description" : "Whether the channel is enabled or not.", "default" : "false" }, "Events" : { "$ref" : "#/$defs/security-system.json.Events-1", "description" : "The default subscription settings." } }, "if" : { "properties" : { "Name" : { "const" : "microsoft-teams" } } }, "then" : { "properties" : { "Config" : { "$ref" : "#/$defs/notification-channel-microsoft-teams.json" } } } }, "security-system.json.Cleanup" : { "type" : "object", "properties" : { "DaysUntilDeletion" : { "type" : "integer", "description" : "Notifications older than this will be deleted on a daily basis.", "default" : "90" } }, "additionalProperties" : false }, "blob-storage-local.json" : { "type" : "object", "properties" : { "UseLegacyPath" : { "type" : "boolean", "description" : "The local document storage stores the files in the local file system.\nThe root path will be calculated out of `Data.Directory` in ivy.yaml.\n\nFor the legacy file structure you can enable UseLegacyPath by setting this\nproperty to true.\n\nYou need to manually move all files to the new place if you change this\nproperty on a productive system.", "default" : "false" } }, "additionalProperties" : false }, "blob-storage-s3.json" : { "type" : "object", "properties" : { "AccessKey" : { "type" : "string", "description" : "AccessKey to access the S3 Service " }, "RegionName" : { "type" : "string", "description" : "RegionName of the S3 Service", "default" : "us-east-1" }, "SecretKey" : { "type" : "string", "description" : "SecretKey to access the S3 Service", "format" : "password" }, "Url" : { "type" : "string", "description" : "URL to S3 Service" } }, "required" : [ "AccessKey", "SecretKey", "Url" ], "additionalProperties" : false }, "security-system.json.DocumentStorage" : { "type" : "object", "properties" : { "Name" : { "description" : "The document storage defines where the workflow documents should be stored.", "default" : "local", "additionalProperties" : false, "type" : "string", "enum" : [ "local", "s3" ], "examples" : [ "local", "s3" ] } }, "allOf" : [ { "if" : { "properties" : { "Name" : { "const" : "local" } } }, "then" : { "properties" : { "Config" : { "$ref" : "#/$defs/blob-storage-local.json" } } } }, { "if" : { "properties" : { "Name" : { "const" : "s3" } } }, "then" : { "properties" : { "Config" : { "$ref" : "#/$defs/blob-storage-s3.json" } } } } ] }, "security-system.json.Events-1" : { "type" : "object", "properties" : { "AllKinds" : { "$ref" : "#/$defs/security-system.json.AllKinds-1", "description" : "Whether all events are enabled or not.", "default" : "enabled" }, "Kinds" : { "description" : "Array of subscribed events.", "type" : "array", "items" : { "type" : "string" }, "examples" : [ "new-task" ] } }, "additionalProperties" : false }, "security-system.json.Events-2" : { "type" : "object", "properties" : { "AllKinds" : { "$ref" : "#/$defs/security-system.json.AllKinds-2", "description" : "Whether all events are enabled or not.", "default" : "enabled" }, "Kinds" : { "description" : "Array of subscribed events.", "type" : "array", "items" : { "type" : "string" }, "examples" : [ "new-task" ] } }, "additionalProperties" : false }, "security-idp-keycloak.json.Proxy" : { "type" : "object", "properties" : { "Password" : { "description" : "Password to authenticate against the forward proxy", "format" : "password", "additionalProperties" : false, "type" : "string", "examples" : [ "proxyPassword" ] }, "Url" : { "description" : "Url of the forward proxy", "additionalProperties" : false, "type" : "string", "examples" : [ "https://myproxy.com" ] }, "UserName" : { "description" : "Username to authenticate against the forward proxy ", "additionalProperties" : false, "type" : "string", "examples" : [ "proxyUser" ] } }, "additionalProperties" : false }, "security-idp-keycloak.json.UserAttribute" : { "type" : "object", "properties" : { "Properties" : { "description" : "User property mapping of Keycloak attributes that are imported and available as user properties (IUser.getProperty).\nThe left side, e.g. phone, specifies the unique name of the user property in Axon Ivy.\nOn the right side, e.g. mobilePhone, the name of the attribute of a user in Keycloak\n[keyvalue:User Property,Keycloak Attribute Name]", "additionalProperties" : { "type" : "string" }, "type" : "object", "examples" : [ "phoneNumber: mobilePhone" ] } }, "additionalProperties" : false }, "security-idp-keycloak.json" : { "type" : "object", "properties" : { "BackendUrl" : { "type" : "string", "description" : "Keycloak backend URL is used to synchronize the users. If not set fallback to Url." }, "ClientId" : { "type" : "string", "description" : "Client ID provided by Keycloak when registering the application" }, "ClientSecret" : { "type" : "string", "description" : "Client key provided by Keycloak when registering the application" }, "Proxy" : { "$ref" : "#/$defs/security-idp-keycloak.json.Proxy" }, "Realm" : { "type" : "string", "description" : "Keycloak realm" }, "Roles" : { "description" : "Role mapping that is considered by the user synchronization.\nUsers are added to the roles to which they are assigned.\nThe left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.\nOn the right side, e.g. 208e37b6-f34c-4026-bae5-c3aa40bec705, the UUID of the role in Keycloak.\nThe synchronization adds all users to Manager that are assigned to 208e37b6-f34c-4026-bae5-c3aa40bec705\n[keyvalue:Ivy Role,Keycloak Group ID]", "additionalProperties" : { "type" : "string" }, "type" : "object", "examples" : [ "Manager: 208e37b6-f34c-4026-bae5-c3aa40bec705" ] }, "Url" : { "type" : "string", "description" : "Keycloak URL is used to redirect the user to the login page." }, "UserAttribute" : { "$ref" : "#/$defs/security-idp-keycloak.json.UserAttribute" } }, "required" : [ "ClientId", "ClientSecret", "Realm", "Url" ], "additionalProperties" : false }, "security-idp-microsoft-entra-id.json.Proxy" : { "type" : "object", "properties" : { "Password" : { "description" : "Password to authenticate against the forward proxy", "format" : "password", "additionalProperties" : false, "type" : "string", "examples" : [ "proxyPassword" ] }, "Url" : { "description" : "Url of the forward proxy", "additionalProperties" : false, "type" : "string", "examples" : [ "https://myproxy.com" ] }, "UserName" : { "description" : "Username to authenticate against the forward proxy ", "additionalProperties" : false, "type" : "string", "examples" : [ "proxyUser" ] } }, "additionalProperties" : false }, "security-idp-microsoft-entra-id.json.UserAttribute" : { "type" : "object", "properties" : { "FullName" : { "description" : "Microsoft Entra ID property which will be mapped to the Ivy User FullName.\nYou also can concatenate multiple Microsoft Entra ID properties here, like \"surname givename\".\nAttributes are described here: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0", "additionalProperties" : false, "type" : "string", "examples" : [ "displayName", "givenName", "givenName surname" ] }, "Language" : { "description" : "Microsoft Entra ID property which will be mapped to the Ivy User Language.\nOne single space will disable the synchronization of the language.", "additionalProperties" : false, "type" : "string", "examples" : [ "preferredLanguage", " " ] }, "Properties" : { "description" : "User property mapping of Microsoft Entra ID attributes that are imported and available as user properties (IUser.getProperty).\nThe left side, e.g. phone, specifies the unique name of the user property in Axon Ivy.\nOn the right side, e.g. mobilePhone, the name of the attribute of a user in Microsoft Entra ID. All available\nattributes are described here: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0\n[keyvalue:User Property,Microsoft Entra ID Property]", "additionalProperties" : { "type" : "string" }, "type" : "object", "examples" : [ "phoneNumber: mobilePhone" ] } }, "additionalProperties" : false }, "security-idp-microsoft-entra-id.json" : { "type" : "object", "properties" : { "ClientId" : { "type" : "string", "description" : "Client ID provided by Microsoft Entra ID when registering the application" }, "ClientSecret" : { "type" : "string", "description" : "Client key provided by Microsoft Entra ID when registering the application" }, "GroupFilter" : { "type" : "string", "description" : "Object ID of a group which users needs to belong to" }, "Proxy" : { "$ref" : "#/$defs/security-idp-microsoft-entra-id.json.Proxy" }, "Roles" : { "description" : "Role mapping that is considered by the user synchronization.\nUsers are added to the roles to which they are assigned in.\nThe left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.\nOn the right side, e.g. 208e37b6-f34c-4026-bae5-c3aa40bec705, the UUID of the role in Microsoft Entra ID.\nThe synchronization adds all users to Manager that are assigned to 208e37b6-f34c-4026-bae5-c3aa40bec705\n[keyvalue:Ivy Role,Microsoft Entra ID Group GUID]", "additionalProperties" : { "type" : "string" }, "type" : "object", "examples" : [ "Manager: 208e37b6-f34c-4026-bae5-c3aa40bec705" ] }, "TenantId" : { "type" : "string", "description" : "Microsoft Entra ID Tenant ID" }, "UserAttribute" : { "$ref" : "#/$defs/security-idp-microsoft-entra-id.json.UserAttribute" } }, "required" : [ "ClientId", "ClientSecret", "TenantId" ], "additionalProperties" : false }, "security-idp-msad.json.AuthKind" : { "type" : "string", "enum" : [ "none", "simple" ] }, "security-idp-msad.json.Binding" : { "type" : "object", "properties" : { "DefaultContext" : { "type" : "string", "description" : "Default Context to import from.\nThe security system only sees and can import objects below the default context.\nIf you want to see and import all users of an Identity Provider, then set the default context to the root object/domain.\nIf you want to import only users from a certain department or location, then you can set the default context to\nthe appropriate organization unit or location.\nSee also EverybodyUserGroupName and UserFilter to control/filter the users that are imported.\nFormat = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com" }, "ImportUsersOfGroup" : { "type" : "string", "description" : "If configured, the security system imports only the users that are members of this user group.\nSee also DefaultContext and UserFilter to control/filter the users that are imported.\nFormat = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com" }, "UserFilter" : { "type" : "string", "description" : "The security system only imports users that match the given filter.\nSee also DefaultContext and EverybodyUserGroupName to control/filter the users that are imported.\nFormat = LDAP Search Filter (RFC 4515)", "default" : "(&(objectClass=user)(!(objectClass=computer)))" } }, "additionalProperties" : false }, "security-idp-msad.json.Connection" : { "type" : "object", "properties" : { "AuthenticationKind" : { "$ref" : "#/$defs/security-idp-msad.json.AuthKind", "description" : "provide a technical user for Ivy to access AD\"\nnone = no authentication (default if UserName/Password NOT configured)\"\nsimple = user name and password is used (default if UserName/Password is configured)" }, "EnableInsecureSSL" : { "type" : "boolean", "description" : "Are insecure SSL connections allowed(no server certificate verification)?\n\nNOTE: Setting EnableInsecureSSL to true will turn off server certificate verification.\nWhenever possible the LDAP server certificate (or its root certificate) should be added to the Ivy Engine trust store.\nSee SSL.Client.TrustStore in the @engine.guide.url@/configuration/files/ivy-yaml.html on how to configure the engine truststore.\n" }, "Environment" : { "$ref" : "#/$defs/security-idp-msad.json.Environment", "description" : "Here you can configure additional environment properties for the LDAP context." }, "Password" : { "type" : "string", "description" : "Password to authenticate (java.naming.security.credentials)" }, "Retry" : { "$ref" : "#/$defs/security-idp-msad.json.Retry" }, "Url" : { "description" : " Url to the Identity Provider\n - LDAP: ldap://: - port can be omitted if it is default port 389\n - LDAPS: ldaps://: - port can be omitted if it is default port 636\nNOTE: security protocol needs to be set to \"ssl\" for LDAPS (Environment.java.naming.security.protocol, see below).", "additionalProperties" : false, "type" : "string", "examples" : [ "ldap://localhost:389", "ldaps://localhost:636" ] }, "UseLdapConnectionPool" : { "type" : "boolean", "description" : "Use a connection pool to store established LDAP connections?\nThis can speed up access to the AD since the connections are established once and re-used instead of established, used, closed.\nN.B. Further configuration options for the pool have to be set in jvm.options.\nThe settings are documented in https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html" }, "UserName" : { "type" : "string", "description" : "User name to authenticate to the Identity Provider (java.naming.security.principal).\nValid formats are...\n- LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com\n- Active Directory user name like Administrator" } }, "additionalProperties" : false }, "security-idp-msad.json.Deref" : { "type" : "string", "enum" : [ "always", "never", "finding", "searching" ] }, "security-idp-msad.json.Environment" : { "type" : "object", "properties" : { "java.naming.ldap.derefAliases" : { "$ref" : "#/$defs/security-idp-msad.json.Deref", "description" : "How to handle LDAP aliases.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html", "default" : "always" }, "java.naming.referral" : { "description" : "Specify how referrals received from the Identity Provider are to be processed.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html\n\n- follow: is the default setting, but may cause slow reading from the AD\n- ignore: does not follow the referral\n- throw: throws an error if a referral is found. It is intended mostly for identifying and debugging LDAP problems.", "default" : "follow", "additionalProperties" : false, "type" : "string", "examples" : [ "follow", "ignore", "throw" ] }, "java.naming.security.protocol" : { "description" : "Specifies connection security.\nIf this property is unspecified, the behavior is determined by the service provider.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html", "additionalProperties" : false, "type" : "string", "examples" : [ "", "ssl" ] } } }, "security-idp-msad.json.Lookup" : { "type" : "string", "enum" : [ "MATCHING_RULE", "DIRECT", "TRAVERSE" ] }, "security-idp-msad.json.Membership" : { "type" : "object", "properties" : { "NestedGroupsLookup" : { "$ref" : "#/$defs/security-idp-msad.json.Lookup", "description" : "This property defines how the synchronization find all users that are a member of a user group.\nThe default should be fine for most situations.\nOnly if you have strict security settings in your directory, you may need to switch to TRAVERSE.\nThe setting TRAVERSE has a big impact on your synchronization speed if you use 'ImportUsersOfGroup'.", "default" : "MATCHING_RULE" }, "UserGroupMemberOfAttribute" : { "type" : "string", "description" : "The LDAP attribute that stores the groups a group is a member of, i.e.\nthe LDAP object of a group contains one of these attributes for each group that the group is a member of.", "default" : "memberOf" }, "UserGroupMembersAttribute" : { "type" : "string", "description" : "The LDAP attribute that stores the members (user, groups) of a group", "default" : "member" }, "UserMemberOfAttribute" : { "type" : "string", "description" : "The LDAP attribute that stores the groups a user is a member of, i.e.\nthe LDAP object of a user contains one of these attributes for each group the user is a member of.", "default" : "memberOf" }, "UserMemberOfLookupAllowed" : { "type" : "boolean", "description" : "Can the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership?\nSometimes, this LDAP attribute is not available because of security concerns.\nIf you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.", "default" : "true" } }, "additionalProperties" : false }, "security-idp-msad.json.Retry" : { "type" : "object", "properties" : { "Count" : { "type" : "integer", "description" : "After a failure, how many times shall a call be retried?", "default" : "3" }, "Delay" : { "type" : "integer", "description" : "Delay in milliseconds before the next retry call, after a failure.\nWith each retry the delay time doubles.", "default" : "500" } }, "additionalProperties" : false }, "security-idp-msad.json.UserAttribute" : { "type" : "object", "properties" : { "EMail" : { "type" : "string", "description" : "The LDAP attribute that stores the mail address of a user", "default" : "mail" }, "FullName" : { "type" : "string", "description" : "The LDAP attribute that stores the full name of a user", "default" : "displayName" }, "Id" : { "type" : "string", "description" : "The LDAP attribute that stores the unique identifier of a user.\nThis identifier is used during synchronization to identify a renamed user", "default" : "objectGUID" }, "Language" : { "type" : "string", "description" : "The LDAP attribute that stores the language of a user" }, "Name" : { "type" : "string", "description" : "The LDAP attribute that stores the name of a user", "default" : "sAMAccountName" }, "Properties" : { "description" : "Here, you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)\n\nMaps a user property to an LDAP attribute\nIn the example below 'phoneNumber' is the name of the user property.\nThe value of the property is imported from the LDAP attribute 'phone' of the user.", "additionalProperties" : { "type" : "string" }, "type" : "object", "examples" : [ "phoneNumber: phone" ] } }, "additionalProperties" : false }, "security-idp-msad.json" : { "type" : "object", "properties" : { "Binding" : { "$ref" : "#/$defs/security-idp-msad.json.Binding" }, "Connection" : { "$ref" : "#/$defs/security-idp-msad.json.Connection" }, "Membership" : { "$ref" : "#/$defs/security-idp-msad.json.Membership" }, "PageSize" : { "type" : "integer", "description" : "The number of objects the security system can read in one LDAP request", "default" : "500" }, "Roles" : { "description" : "Role mapping that is considered by the user synchronization.\nUsers are added to the roles to which they are assigned in.\n\nThe left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.\nOn the right side, e.g. cn=manager,ou=ivyteam,dc=axonivy,dc=com the external name of the role is set.\nThe synchronization adds all users to Manager respectively Employee that are assigned to cn=manager,ou=ivyteam,dc=axonivy,dc=com\nrespectively cn=employee,ou=ivyteam,dc=axonivy,dc=com.", "additionalProperties" : { "type" : "string" }, "type" : "object", "examples" : [ "Manager: cn=manager,ou=ivyteam,dc=axonivy,dc=com", "Employee: cn=employee,ou=ivyteam,dc=axonivy,dc=com" ] }, "UserAttribute" : { "$ref" : "#/$defs/security-idp-msad.json.UserAttribute" } }, "additionalProperties" : false }, "security-idp-novell-edir.json.AuthKind" : { "type" : "string", "enum" : [ "none", "simple" ] }, "security-idp-novell-edir.json.Binding" : { "type" : "object", "properties" : { "DefaultContext" : { "type" : "string", "description" : "Default Context to import from.\nThe security system only sees and can import objects below the default context.\nIf you want to see and import all users of an Identity Provider, then set the default context to the root object/domain.\nIf you want to import only users from a certain department or location, then you can set the default context to\nthe appropriate organization unit or location.\nSee also EverybodyUserGroupName and UserFilter to control/filter the users that are imported.\nFormat = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com" }, "ImportUsersOfGroup" : { "type" : "string", "description" : "If configured, the security system imports only the users that are members of this user group.\nSee also DefaultContext and UserFilter to control/filter the users that are imported.\nFormat = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com" }, "UserFilter" : { "type" : "string", "description" : "The security system only imports users that match the given filter.\nSee also DefaultContext and EverybodyUserGroupName to control/filter the users that are imported.\nFormat = LDAP Search Filter (RFC 4515)", "default" : "objectClass=inetOrgPerson" } }, "additionalProperties" : false }, "security-idp-novell-edir.json.Connection" : { "type" : "object", "properties" : { "AuthenticationKind" : { "$ref" : "#/$defs/security-idp-novell-edir.json.AuthKind", "description" : "provide a technical user for Ivy to access Identity Provider\"\nnone = no authentication (default if UserName/Password NOT configured)\"\nsimple = user name and password is used (default if UserName/Password is configured)" }, "EnableInsecureSSL" : { "type" : "boolean", "description" : "Are insecure SSL connections allowed(no server certificate verification)?\n\nNOTE: Setting EnableInsecureSSL to true will turn off server certificate verification.\nWhenever possible the LDAP server certificate (or its root certificate) should be added to the Ivy Engine trust store.\nSee SSL.Client.TrustStore in the @engine.guide.url@/configuration/files/ivy-yaml.html on how to configure the engine truststore.\n" }, "Environment" : { "$ref" : "#/$defs/security-idp-novell-edir.json.Environment", "description" : "Here you can configure additional environment properties for the LDAP context." }, "Password" : { "type" : "string", "description" : "Password to authenticate (java.naming.security.credentials)" }, "Retry" : { "$ref" : "#/$defs/security-idp-novell-edir.json.Retry" }, "Url" : { "description" : " Url to the Identity Provider\n - LDAP: ldap://: - port can be omitted if it is default port 389\n - LDAPS: ldaps://: - port can be omitted if it is default port 636\nNOTE: security protocol needs to be set to \"ssl\" for LDAPS (Environment.java.naming.security.protocol, see below).", "additionalProperties" : false, "type" : "string", "examples" : [ "ldap://localhost:389", "ldaps://localhost:636" ] }, "UseLdapConnectionPool" : { "type" : "boolean", "description" : "Use a connection pool to store established LDAP connections?\nThis can speed up access to the Identity Provider since the connections are established once and re-used instead of established, used, closed.\nN.B. Further configuration options for the pool have to be set in jvm.options.\nThe settings are documented in https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html" }, "UserName" : { "type" : "string", "description" : "User name to authenticate to the Identity Provider (java.naming.security.principal).\nValid formats are...\n- LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com\n- Directory user name like 'Administrator'" } }, "additionalProperties" : false }, "security-idp-novell-edir.json.Deref" : { "type" : "string", "enum" : [ "always", "never", "finding", "searching" ] }, "security-idp-novell-edir.json.Environment" : { "type" : "object", "properties" : { "java.naming.ldap.attributes.binary" : { "type" : "string", "description" : "LDAP Attributes binary ", "default" : "guid" }, "java.naming.ldap.derefAliases" : { "$ref" : "#/$defs/security-idp-novell-edir.json.Deref", "description" : "How to handle LDAP aliases.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html", "default" : "always" }, "java.naming.referral" : { "description" : "Specify how referrals received from the Identity Provider are to be processed.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html\n\n- follow: is the default setting, but may cause slow reading from the Identity Provider\n- ignore: does not follow the referral\n- throw: throws an error if a referral is found. It is intended mostly for identifying and debugging LDAP problems.", "default" : "follow", "additionalProperties" : false, "type" : "string", "examples" : [ "follow", "ignore", "throw" ] }, "java.naming.security.protocol" : { "description" : "Specifies connection security.\nIf this property is unspecified, the behavior is determined by the service provider.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html", "additionalProperties" : false, "type" : "string", "examples" : [ "", "ssl" ] } } }, "security-idp-novell-edir.json.Lookup" : { "type" : "string", "enum" : [ "MATCHING_RULE", "DIRECT", "TRAVERSE" ] }, "security-idp-novell-edir.json.Membership" : { "type" : "object", "properties" : { "NestedGroupsLookup" : { "$ref" : "#/$defs/security-idp-novell-edir.json.Lookup", "description" : "This property defines how the synchronization find all users that are a member of a user group.\nThe default should be fine for most situations.\nOnly if you have strict security settings in your directory, you may need to switch to TRAVERSE.\nThe setting TRAVERSE has a big impact on your synchronization speed if you use 'ImportUsersOfGroup'.", "default" : "DIRECT" }, "UserGroupMemberOfAttribute" : { "type" : "string", "description" : "The LDAP attribute that stores the groups a group is a member of, i.e.\nthe LDAP object of a group contains one of these attributes for each group that the group is a member of.", "default" : "groupMembership" }, "UserGroupMembersAttribute" : { "type" : "string", "description" : "The LDAP attribute that stores the members (user, groups) of a group", "default" : "uniqueMember" }, "UserMemberOfAttribute" : { "type" : "string", "description" : "The LDAP attribute that stores the groups a user is a member of, i.e.\nthe LDAP object of a user contains one of these attributes for each group the user is a member of.", "default" : "groupMembership" }, "UserMemberOfLookupAllowed" : { "type" : "boolean", "description" : "Can the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership?\nSometimes, this LDAP attribute is not available because of security concerns.\nIf you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.", "default" : "true" } }, "additionalProperties" : false }, "security-idp-novell-edir.json.Retry" : { "type" : "object", "properties" : { "Count" : { "type" : "integer", "description" : "After a failure, how many times shall a call be retried?", "default" : "3" }, "Delay" : { "type" : "integer", "description" : "Delay in milliseconds before the next retry call, after a failure.\nWith each retry the delay time doubles.", "default" : "500" } }, "additionalProperties" : false }, "security-idp-novell-edir.json.UserAttribute" : { "type" : "object", "properties" : { "EMail" : { "type" : "string", "description" : "The LDAP attribute that stores the mail address of a user", "default" : "mail" }, "FullName" : { "type" : "string", "description" : "The LDAP attribute that stores the full name of a user", "default" : "fullName" }, "Id" : { "type" : "string", "description" : "The LDAP attribute that stores the unique identifier of a user.\nThis identifier is used during synchronization to identify a renamed user", "default" : "GUID" }, "Language" : { "type" : "string", "description" : "The LDAP attribute that stores the language of a user" }, "Name" : { "type" : "string", "description" : "The LDAP attribute that stores the name of a user", "default" : "uid" }, "Properties" : { "description" : "Here, you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)\n\nMaps a user property to an LDAP attribute\nIn the example below 'phoneNumber' is the name of the user property.\nThe value of the property is imported from the LDAP attribute 'phone' of the user.", "additionalProperties" : { "type" : "string" }, "type" : "object", "examples" : [ "phoneNumber: phone" ] } }, "additionalProperties" : false }, "security-idp-novell-edir.json" : { "type" : "object", "properties" : { "Binding" : { "$ref" : "#/$defs/security-idp-novell-edir.json.Binding" }, "Connection" : { "$ref" : "#/$defs/security-idp-novell-edir.json.Connection" }, "Membership" : { "$ref" : "#/$defs/security-idp-novell-edir.json.Membership" }, "PageSize" : { "type" : "integer", "description" : "The number of objects the security system can read in one LDAP request", "default" : "500" }, "Roles" : { "description" : "Role mapping that is considered by the user synchronization.\nUsers are added to the roles to which they are assigned in.\n\nThe left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.\nOn the right side, e.g. cn=manager,ou=ivyteam,dc=axonivy,dc=com the external name of the role is set.\nThe synchronization adds all users to Manager respectively Employee that are assigned to cn=manager,ou=ivyteam,dc=axonivy,dc=com\nrespectively cn=employee,ou=ivyteam,dc=axonivy,dc=com.", "additionalProperties" : { "type" : "string" }, "type" : "object", "examples" : [ "Manager: cn=manager,ou=ivyteam,dc=axonivy,dc=com", "Employee: cn=employee,ou=ivyteam,dc=axonivy,dc=com" ] }, "UserAttribute" : { "$ref" : "#/$defs/security-idp-novell-edir.json.UserAttribute" } }, "additionalProperties" : false }, "security-system.json.IdentityProvider" : { "type" : "object", "properties" : { "Name" : { "description" : "The Security System manages the user and roles in the system database.\nFor the Ivy Security System, no additional configuration is needed.\nFor any other Security System, further configuration is need to integrate such a system.", "default" : "ivy", "additionalProperties" : false, "type" : "string", "examples" : [ "ivy", "keycloak", "microsoft-active-directory", "novell-edirectory", "microsoft-entra-id" ] } }, "allOf" : [ { "if" : { "properties" : { "Name" : { "const" : "keycloak" } } }, "then" : { "properties" : { "Config" : { "$ref" : "#/$defs/security-idp-keycloak.json" } } } }, { "if" : { "properties" : { "Name" : { "const" : "microsoft-entra-id" } } }, "then" : { "properties" : { "Config" : { "$ref" : "#/$defs/security-idp-microsoft-entra-id.json" } } } }, { "if" : { "properties" : { "Name" : { "const" : "microsoft-active-directory" } } }, "then" : { "properties" : { "Config" : { "$ref" : "#/$defs/security-idp-msad.json" } } } }, { "if" : { "properties" : { "Name" : { "const" : "novell-edirectory" } } }, "then" : { "properties" : { "Config" : { "$ref" : "#/$defs/security-idp-novell-edir.json" } } } } ] }, "security-system.json.Language" : { "type" : "object", "properties" : { "Content" : { "description" : "Content is displayed in this language if the content exists in this language. A locale (language[_COUNTRY])", "default" : "en", "additionalProperties" : false, "type" : "string", "examples" : [ "en", "en_GB", "en_US", "de", "de_CH", "de_AT", "de_DE", "fr", "vi" ] }, "Formatting" : { "description" : "Data like numbers, dates, times and much more are formatted according to this language. A locale (language[_COUNTRY])", "default" : "en_GB", "additionalProperties" : false, "type" : "string", "examples" : [ "en", "en_GB", "en_US", "de", "de_CH", "de_AT", "de_DE", "fr", "vi" ] } }, "additionalProperties" : false }, "security-system.json.Notification" : { "type" : "object", "properties" : { "Cleanup" : { "$ref" : "#/$defs/security-system.json.Cleanup", "description" : "Settings for cleaning up notifications." }, "NotifyAbsentUser" : { "$ref" : "#/$defs/security-system.json.NotifyAbsentUser", "description" : "Parameters to disable notifications if a user is absent.\nIs no property set, it will act like NotifyAbsentUser:always.\nIf NotifyAbsentUser is set to:\nalways: Send a notification regardless of the user’s absence.\nnever: Does not send a notification if the user is absent.\nnoActiveSubstitute: Send a notification only the absent user does not have an active substitute.", "default" : "always" }, "Channels" : { "description" : "Settings for an individual Channel.", "type" : "object", "properties" : { "mail" : { "$ref" : "#/$defs/security-system.json.Channel" }, "microsoft-teams" : { "$ref" : "#/$defs/security-system.json.Channel" }, "web" : { "$ref" : "#/$defs/security-system.json.WebChannel" } }, "examples" : [ "web", "mail", "microsoft-teams" ] } }, "additionalProperties" : false }, "security-system.json.NotifyAbsentUser" : { "type" : "string", "enum" : [ "always", "never", "noActiveSubstitute" ] }, "security-system.json.Schedule" : { "type" : "object", "properties" : { "Cron" : { "type" : "string", "description" : "Unix Cron expression for the user synchronization.\nFormat is: minutes, hours, day of month, month, day of the week. e.g. \"32 13 * * *\" is everyday at 13:32", "default" : "0 0 * * *" }, "Enabled" : { "type" : "boolean", "description" : "Shall we run the daily Identity Provider user synchronization job?\nWhen the synchronization runs is defined by 'Cron'.", "default" : "true" }, "ImportUsers" : { "type" : "boolean", "description" : "Shall we import NEW users with the Identity Provider on schedule?\nThis setting does not affect synchronization of existing users.\nIf ImportUsers is set to:\ntrue: NEW users are imported on schedule.\n If a user has not yet been imported by the user synchronization job, she is also imported the first time she logs in.\nfalse: NEW users are not imported on schedule.\n Instead, a NEW user is only imported the first time she logs in.", "default" : "true" } }, "additionalProperties" : false }, "security-system.json.UserSync" : { "type" : "object", "properties" : { "OnLogin" : { "type" : "boolean", "description" : "Shall we synchronize a user with the Identity Provider at login?\nIf the user does not exist yet, he will be synchronized anyway.\nIn case of slow Identity Provider connections, it can make sense to set this to false.", "default" : "true" }, "OnSchedule" : { "$ref" : "#/$defs/security-system.json.Schedule" } }, "additionalProperties" : false }, "security-system.json.WebChannel" : { "type" : "object", "properties" : { "Name" : { "description" : "Name of the channel.", "additionalProperties" : false, "type" : "string", "examples" : [ "web", "mail", "microsoft-teams" ] }, "Enabled" : { "type" : "boolean", "description" : "Whether the channel is enabled or not.", "default" : "true" }, "Events" : { "$ref" : "#/$defs/security-system.json.Events-2", "description" : "The default subscription settings." } } }, "sso.json" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "Whether SSO is enabled" }, "UserHeader" : { "type" : "string", "description" : "name of the HTTP header with the username that has to be provided by the reverse proxy", "default" : "X-Forwarded-User" } }, "additionalProperties" : false }, "translation-service.json.DeepLTranslationService" : { "type" : "object", "properties" : { "ApiKey" : { "type" : "string", "description" : "The API key to authenticate against DeepL.", "format" : "password" }, "DocumentTranslationTimeout" : { "description" : "The maximum time to wait for document translation, in seconds. If this timeout is exceeded, an error is thrown.", "default" : "300", "additionalProperties" : false, "type" : "integer", "examples" : [ "300" ] }, "Endpoint" : { "description" : "The URL endpoint of DeepL.", "default" : "https://api.deepl.com/v2", "additionalProperties" : false, "type" : "string", "examples" : [ "https://api.deepl.com/v2", "https://api-free.deepl.com/v2" ] } }, "additionalProperties" : false }, "translation-service.json.Instances" : { "type" : "object", "additionalProperties" : false, "properties" : { "DeepL" : { "$ref" : "#/$defs/translation-service.json.DeepLTranslationService" } } }, "translation-service.json" : { "type" : "object", "properties" : { "DefaultInstance" : { "description" : "The translation service used by default. For example, to provide translation suggestions in the CMS Editor.", "additionalProperties" : false, "type" : "string", "examples" : [ "DeepL" ] }, "Instances" : { "$ref" : "#/$defs/translation-service.json.Instances" } }, "additionalProperties" : false }, "security-system.json" : { "type" : "object", "properties" : { "UrlPath" : { "type" : "string", "description" : "The security system slug name which will be used in URL as prefix for all resources which are part of the security system.\nIf not set, then the security system name will be choosen.\nOnly for the default security context this is empty, by default.", "default" : "null" }, "IdentityProvider" : { "$ref" : "#/$defs/security-system.json.IdentityProvider" }, "Notification" : { "$ref" : "#/$defs/security-system.json.Notification", "description" : "The notification channel settings including their default subscription settings which apply to all users." }, "SSO" : { "$ref" : "#/$defs/sso.json", "description" : "Single Sign-on allows to auto login users.\nA reverse proxy has to be installed in front of the Axon Ivy Engine.\nIt is responsible for authenticating the user.\nThe name of the user must then be transmitted as a HTTP header.\n!! Assert exclusive access to the Axon Ivy Engine otherwise attackers can easily login as another user.\n@engine.guide.url@/integration/single-sign-on\n[restart required]" }, "UserSynch" : { "$ref" : "#/$defs/security-system.json.UserSync" }, "DocumentStorage" : { "$ref" : "#/$defs/security-system.json.DocumentStorage" }, "Language" : { "$ref" : "#/$defs/security-system.json.Language", "description" : "The default language settings, which applies to all users, who have not explicitly set this in their profile settings." }, "TranslationService" : { "$ref" : "#/$defs/translation-service.json", "description" : "Configurations for translation services." } }, "additionalProperties" : false }, "reverse-proxy.json.HttpHeaders" : { "type" : "object", "properties" : { "ForwardedFor" : { "description" : "Name of the HTTP Header for identifying the originating IP address of a client connecting to the reverse proxy server.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For", "default" : "X-Forwarded-For", "additionalProperties" : false, "type" : "string", "examples" : [ "X-Forwarded-For" ] }, "ForwardedHost" : { "description" : "Name of the HTTP header for identifying the original host requested by the client. Not needed if the reverse proxy preserves the original host in the 'Host' HTTP Header.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host", "default" : "X-Forwarded-Host", "additionalProperties" : false, "type" : "string", "examples" : [ "X-Forwarded-Host" ] }, "ForwardedPort" : { "description" : "Name of the HTTP header used to represent the port number used by the client for the request. Not needed if your reverse proxy uses standard ports (80, 443). Only in charge when the HTTP Header of 'ForwardedProtocol' is also set on request.", "default" : "X-Forwarded-Port", "additionalProperties" : false, "type" : "string", "examples" : [ "X-Forwarded-Port" ] }, "ForwardedProtocol" : { "description" : "Name of the HTTP header for identifying the protocol used between the client and the reverse proxy server.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto", "default" : "X-Forwarded-Proto", "additionalProperties" : false, "type" : "string", "examples" : [ "X-Forwarded-Proto", "X-Forwarded-Ssl", "X-Forwarded-Protocol", "Front-End-Https", "X-Url-Scheme" ] }, "ForwardedProtocolHttps" : { "description" : "Value of the 'ForwardedProtocol' header to indicate that it is an HTTPS request.\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto", "default" : "https", "additionalProperties" : false, "type" : "string", "examples" : [ "https", "\"on\"" ] } }, "additionalProperties" : false }, "reverse-proxy.json" : { "type" : "object", "properties" : { "HttpHeaders" : { "$ref" : "#/$defs/reverse-proxy.json.HttpHeaders", "description" : "HTTP headers which are interpreted by the Axon Ivy Engine to generate the correct URLs for links and redirects.\n[restart required]" } }, "additionalProperties" : false }, "ssl.json.Client" : { "type" : "object", "properties" : { "EnableInsecureSSL" : { "type" : "boolean", "description" : "Manipulates the JVMs default SSLSocketFactory, so that untrusted (self signed or outdated) certificates are silently accepted.\nThis could for instance be useful to generate a Webservice stub from an insecure WSDL location." }, "TrustStore" : { "$ref" : "#/$defs/ssl.json.TrustStore", "description" : "A trust store is used to specify trusted server certificates or certificates of certification authorities.\nAn SSL client authenticates a server by using the certificates in a trust store.\nSelf signed or signed by an unknown certification authority can be added to this trustore." }, "KeyStore" : { "$ref" : "#/$defs/ssl.json.KeyStore", "description" : "A key store is used to read client keys (certificates).\nThis is only required if a remote server requests a client certificate in order to authenticate the client." } }, "additionalProperties" : false }, "ssl.json.KeyStore" : { "type" : "object", "properties" : { "Algorithm" : { "type" : "string", "default" : "SunX509" }, "File" : { "type" : "string", "default" : "configuration/keystore.p12" }, "KeyPassword" : { "type" : "string", "description" : "Password of the 'ivy' certificate. ", "default" : "changeit", "format" : "password" }, "Password" : { "type" : "string", "description" : "Password to access the store. ", "default" : "changeit", "format" : "password" }, "Provider" : { "type" : "string" }, "Type" : { "type" : "string", "default" : "PKCS12" }, "UseCustom" : { "type" : "boolean" } }, "additionalProperties" : false }, "ssl.json.TrustStore" : { "type" : "object", "properties" : { "Algorithm" : { "type" : "string", "default" : "PKIX" }, "File" : { "type" : "string", "default" : "configuration/truststore.p12" }, "Password" : { "type" : "string", "description" : "Password to access the store. ", "default" : "changeit", "format" : "password" }, "Provider" : { "type" : "string" }, "Type" : { "type" : "string", "default" : "PKCS12" } }, "additionalProperties" : false }, "ssl.json" : { "type" : "object", "properties" : { "Client" : { "$ref" : "#/$defs/ssl.json.Client" } }, "additionalProperties" : false }, "deployment.json.Backup" : { "type" : "object", "properties" : { "Keep" : { "type" : "integer", "description" : "The number of backups of deployed projects that are kept on disk\nn < 0: infinite number of backups are kept\nn = 0: No backups are made or kept\nn > 0: Number of backups that are kept.", "default" : "5" } }, "additionalProperties" : false }, "deployment.json" : { "type" : "object", "properties" : { "Directory" : { "description" : "Directory where the server watches for files to deploy.\nYou can specify a remote network location using a UNC path.\n@engine.guide.url@/deployment", "default" : "deploy", "additionalProperties" : false, "type" : "string", "examples" : [ "//servername/share/file" ] }, "Backup" : { "$ref" : "#/$defs/deployment.json.Backup" } }, "additionalProperties" : false }, "data-directory.json" : { "type" : "object", "properties" : { "AppDirectory" : { "type" : "string", "description" : "Folder where applications are stored, unless otherwise defined in application specific configuration.\n\nIn demo mode: not configurable and set to: [Data.WorkDirectory]/demo-applicationsAbsolute and relative paths (to the engine root directory) are supported,\nwe recommend to use locations outside the engine root directory to facilitate migrations.\n!! STOP YOUR ENGINE before changing this setting !!\n[restart required]", "default" : "applications" }, "Directory" : { "type" : "string", "description" : "Folder where runtime data will be stored.Absolute and relative paths (to the engine root directory) are supported,\nwe recommend to use locations outside the engine root directory to facilitate migrations.\n!! STOP YOUR ENGINE before changing this setting !!\n[restart required]", "default" : "data" }, "FilesDirectory" : { "type" : "string", "description" : "DEPRECATED: All runtime data will be stored by default in Data.Directory specified in ivy.yaml. Use Data.Directory\nto change the location of stored files.\n\nRoot folder where application data files are stored.\nA change in this setting will NOT move existing application files to the new location.\nYou have to move existing files manually to the new directory.\n\nIf not set the files will be stored under the path Data.Directory configured in ivy.yaml.Absolute and relative paths (to the engine root directory) are supported,\nwe recommend to use locations outside the engine root directory to facilitate migrations.\n!! STOP YOUR ENGINE before changing this setting !!\n[restart required]" } }, "additionalProperties" : false }, "data-cache.json" : { "type" : "object", "properties" : { "InvalidationInterval" : { "type" : "integer", "description" : "Invalidate data cache groups and entries.\nChecks if the lifetime of caches has ended and invalidates them.\nYou can set the delay in milliseconds between each check.\nThis delay has to be greater than 0.", "default" : "60000" } }, "additionalProperties" : false }, "searchengine.json.BundledServer" : { "type" : "object", "properties" : { "DataPath" : { "type" : "string", "description" : "Path to the directory where the bundled search engine server stores data.\nIt is recommended to configure a data directory that is located outside of\nthe Engine installation directory to ease the Engine migration to newer versions.\n[restart required]", "default" : "data/_/opensearch" }, "LogPath" : { "type" : "string", "description" : "Path to the directory where the bundled search engine should log.\n[restart required]", "default" : "logs/opensearch" }, "ClusterName" : { "type" : "string", "description" : "Name of the cluster of the bundled search engine server.\n[restart required]", "default" : "ivy-opensearch-{uid}" }, "Port" : { "type" : "string", "description" : "Port to communicate with bundled search engine server\n AUTO: A free port in port range 19200-19299 is searched automatically.\n : A fixed port number that you define. We recommend to use a number > 10000.\n Make sure it is free.\n[restart required]", "default" : "AUTO" } }, "additionalProperties" : false }, "searchengine.json.Client" : { "type" : "object", "properties" : { "ConnectTimeout" : { "type" : "integer", "description" : "Maximum seconds to wait until a connection to the search engine can be established.\n[restart required]", "default" : "10" }, "ReadTimeout" : { "type" : "integer", "description" : "Maximum seconds to wait for data to be sent by search engine.\nRaise this value if large datasets are expected.\n[restart required]", "default" : "30" } }, "additionalProperties" : false }, "searchengine.json.ExternalServer" : { "type" : "object", "properties" : { "Url" : { "type" : "string", "description" : "Configure the URL of your own OpenSearch server if you want to use it instead of the bundled server.\n[restart required]" }, "UserName" : { "type" : "string", "description" : "Name of the user to use to authenticate in the external OpenSearch server" }, "Password" : { "description" : "Password of the user to use to authenticate in the external OpenSearch server.", "format" : "password", "additionalProperties" : false, "type" : "string", "examples" : [ "\"${encrypt:}\"" ] } }, "additionalProperties" : false }, "searchengine.json.Index" : { "type" : "object", "properties" : { "NamePrefix" : { "type" : "string", "description" : "The name prefix for the indexes.\nIf multiple Ivy Engines use the same OpenSearch server instance, you need to define unique NamePrefixes per engine.\nYou might add the engine host name as part of the name prefix, i.e. 'servername'\n[restart required]", "default" : "ivy" }, "Reindex" : { "$ref" : "#/$defs/searchengine.json.Reindex" }, "TotalFieldsLimit" : { "type" : "integer", "description" : "If BusinessData are not well modeled for OpenSearch, you may have to increase the 'total_fields.limit' of the mapping.\nPerformance may decrease. If you change this setting, you need to reindex all business data in Engine Cockpit.\n[restart required]", "default" : "4000" } }, "additionalProperties" : false }, "searchengine.json.Reindex" : { "type" : "object", "properties" : { "QueueSize" : { "type" : "integer", "description" : "The size of the queue that is used to store objects read from the database until they are written to the search engine\n[restart required]", "default" : "10000" }, "ReadWindowSize" : { "type" : "integer", "description" : "The number of objects that Ivy reads in one batch from the system database.\n[restart required]", "default" : "1000" }, "WriteWindowSize" : { "type" : "integer", "description" : "The number of objects that Ivy writes in one batch to the search engine.\n[restart required]", "default" : "1000" } }, "additionalProperties" : false }, "searchengine.json" : { "type" : "object", "properties" : { "BundledServer" : { "$ref" : "#/$defs/searchengine.json.BundledServer", "description" : "The bundled search engine server...\n- is started in a separate JVM.\n- reachable only on 'localhost' but the access is unprotected.\n- JVM arguments used to start the bundled search engine server can be configured in the '[ivyEngine]/configuration/opensearch/jvm.options' file.\n[restart required]" }, "ExternalServer" : { "$ref" : "#/$defs/searchengine.json.ExternalServer", "description" : "Configure access to your own search engine server if you want to use it instead of the bundled server.\n\nTo install your own search engine server follow these steps\nhttps://opensearch.org/docs/2.19/install-and-configure/install-opensearch/index/\n\nCurrently, Axon Ivy supports OpenSearch in version 2.19.\nIf your OpenSearch server is running on another host, the access to that instance has to be protected.\nYou can achieve that with a front-end webserver like NGINX that enforces basic authentication.\n[restart required]" }, "Index" : { "$ref" : "#/$defs/searchengine.json.Index", "description" : "Settings for the indexes that are created in the search engine." }, "Client" : { "$ref" : "#/$defs/searchengine.json.Client", "description" : "Configures the search engine client. The client is the ivy engine which communicates with the search engine." } }, "additionalProperties" : false }, "mail-server.json.MailEncryption" : { "type" : "string", "enum" : [ "NONE", "START_TLS", "SSL" ] }, "mail-password-provider-office365-oauth2.json" : { "type" : "object", "properties" : { "ClientId" : { "type" : "string", "description" : "Client ID provided by Microsoft Entra ID when registering the application" }, "ClientSecret" : { "type" : "string", "description" : "Client key provided by Microsoft Entra ID when registering the application" }, "TenantId" : { "type" : "string", "description" : "Microsoft Entra ID Tenant ID" } }, "required" : [ "ClientId", "ClientSecret", "TenantId" ], "additionalProperties" : false }, "mail-server.json.PasswordProvider" : { "type" : "object", "properties" : { "Name" : { "description" : "Name of the password provider", "additionalProperties" : false, "type" : "string", "examples" : [ "office365-oauth2" ] } }, "if" : { "properties" : { "Name" : { "const" : "office365-oauth2" } } }, "then" : { "properties" : { "Config" : { "$ref" : "#/$defs/mail-password-provider-office365-oauth2.json" } } } }, "mail-server.json.Server" : { "type" : "object", "properties" : { "Host" : { "type" : "string", "description" : "Mail server host name or IP address" }, "Port" : { "type" : "integer", "description" : "Mail server port", "default" : "-1" }, "MailAddress" : { "type" : "string", "description" : "Email address that will be used for emails sent by the server (e.g. task notification emails)", "default" : "noreply@ivyserver.local" }, "User" : { "type" : "string", "default" : "guest" }, "Password" : { "type" : "string", "description" : "The password for the mail user", "format" : "password" }, "PasswordProvider" : { "$ref" : "#/$defs/mail-server.json.PasswordProvider", "description" : "A password provider set the password on the mail session from an external resource" }, "EncryptionMethod" : { "$ref" : "#/$defs/mail-server.json.MailEncryption", "default" : "NONE" }, "SessionProperties" : { "$ref" : "#/$defs/mail-server.json.SessionProperties", "description" : "Additional properties which will be set on the mail session\nRead https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html" }, "MaxConcurrentSendings" : { "type" : "integer", "description" : "Specifies the maximum number of emails that can be sent concurrently\n[restart required]", "default" : "10" }, "SSL" : { "$ref" : "#/$defs/mail-server.json.Ssl", "description" : "Certificates are to be stored in the Ivy keystore (default: configuration/keystore.p12; see below at SSL / Client), with the alias defined below." } }, "additionalProperties" : false }, "mail-server.json.SessionProperties" : { "type" : "object", "properties" : { "mail.smtp.auth.xoauth2.disable" : { "type" : "boolean" } } }, "mail-server.json.Ssl" : { "type" : "object", "properties" : { "KeyAlias" : { "type" : "string", "description" : "Specifies the alias of the client certificate in the Ivy keystore." }, "UseKey" : { "type" : "boolean", "description" : "Specifies whetere a client certificate should be used for authentication" } }, "additionalProperties" : false }, "mail-server.json" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "Whether mails should be sent or not", "default" : "true" }, "Server" : { "$ref" : "#/$defs/mail-server.json.Server", "description" : "All mails will be sent via this mail server" } }, "additionalProperties" : false }, "update.json" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "Shall update notification messages be shown and statistic information sent to the update server?\n\nWhile checking for new versions the following statistic information is sent to the update server.\nThis information is only used to improve the product!\n- Engine (version, up time)\n- Configuration (number of: cluster nodes, users, licensed users, applications, process model, process model version, deleted process model version, running workflows)\n- Licence information (number, organisation, individual)\n- Operating system information (name, version, architecture, number of processors)\n- Host information (host name, SHA-256 hashes of IP address and MAC address to identify the host without being able to read the original IP address and MAC address itself)\n- System database (product name and version, driver, identification number)\n- JVM (Java virtual machine) information (version, vendor, name, memory)\n- Used features: we collect the features you are using such as the active connector technologies (REST, SOAP, JPA, ...).\nYou may inspect the sent information on your own, by enabling the Logger `ch.ivyteam.ivy.update.metrics` on level `DEBUG`.\n", "default" : "true" }, "ExecutionTime" : { "description" : "Time of day when a update check will be executed\nThe engine must be running at this time otherwise the update check will not be executed.\nFormat is hh:mm.\n[daytime]", "additionalProperties" : false, "type" : "string", "examples" : [ "02:00", "14:15" ] } }, "additionalProperties" : false }, "cluster.json" : { "type" : "object", "properties" : { "Name" : { "type" : "string", "description" : "The name of the cluster.\nIt is used to find and communicate with other nodes of the same cluster.\nMultiple clusters located in the same network must have different cluster names.\nOtherwise the nodes of both clusters find each other and build one cluster instead of two.\n[restart required]", "default" : "IvyCluster" }, "NodeName" : { "type" : "string", "description" : "The name of this node.\nIf not configured, a random name is generated.\nThe name of a node is also used as jvm route identifier that is used by some load balancers to provide sticky sessions.\n@engine.guide.url@/integration/cluster\n[restart required]" } }, "additionalProperties" : false }, "errors.json" : { "type" : "object", "properties" : { "ShowDetailsToEndUser" : { "type" : "boolean", "description" : "Shall the end user see detailed error information (stacktraces, detailed error reports, etc.)?\nBy default (false) we only show a unique 'Error Id'. This 'Error Id' can be used to find the error in the log files.\nFor security reasons, normal users should not see technical implementation details.\nBut in development or pre-production environments, it might be safe to show the full error details directly to the end user.", "default" : "false" } }, "additionalProperties" : false }, "persistence.json.Jpa" : { "type" : "object", "properties" : { "defaultInitializedAsNull" : { "type" : "boolean", "description" : "Persist ivyScript auto initialized fields with NULL values. Affects types:\n- ch.ivyteam.ivy.scripting.objects.Date\n- ch.ivyteam.ivy.scripting.objects.DateTime\n- ch.ivyteam.ivy.scripting.objects.Time\nIf this option is set to false, auto initialized values are stored as before Axon Ivy 6.4.", "default" : "true" } }, "additionalProperties" : false }, "persistence.json" : { "type" : "object", "properties" : { "JPA" : { "$ref" : "#/$defs/persistence.json.Jpa" } }, "additionalProperties" : false }, "process-engine.json.FiringStatistic" : { "type" : "object", "properties" : { "Active" : { "type" : "boolean", "description" : "If set to true, a process element statistic is written periodically to the log directory.\nMay impact server performance." }, "Interval" : { "type" : "integer", "description" : "Interval in seconds the 'process element statistic' is written to the log directory", "default" : "300" } }, "additionalProperties" : false }, "process-engine.json" : { "type" : "object", "properties" : { "FiringStatistic" : { "$ref" : "#/$defs/process-engine.json.FiringStatistic" } }, "additionalProperties" : false }, "boot.json.BootMode" : { "type" : "string", "enum" : [ "AUTO", "DISABLED" ] }, "boot.json" : { "type" : "object", "properties" : { "MaintenanceMode" : { "$ref" : "#/$defs/boot.json.BootMode", "description" : "Switch to maintencance mode if a configuration problem is detected during startup.\nIf set to DISABLED you can explicit start the engine in maintenance mode by using the command line option '-maintenance'.", "default" : "AUTO" } }, "additionalProperties" : false }, "workflow.json.History" : { "type" : "object", "properties" : { "ForSubstitutes" : { "$ref" : "#/$defs/workflow.json.Visibility", "description" : "Can completed cases and tasks be seen by substitutes of the user who worked on them?", "default" : "VISIBLE" } }, "additionalProperties" : false }, "workflow.json.Visibility" : { "type" : "string", "enum" : [ "VISIBLE", "INVISIBLE" ] }, "workflow.json" : { "type" : "object", "properties" : { "History" : { "$ref" : "#/$defs/workflow.json.History" } }, "additionalProperties" : false }, "thread-pool.json.BackgroundOperationExecutor" : { "type" : "object", "properties" : { "CorePoolSize" : { "type" : "integer", "description" : "Minimum number of threads", "default" : "5" }, "MaximumPoolSize" : { "type" : "integer", "description" : "Maximum number of threads", "default" : "200" } }, "additionalProperties" : false }, "thread-pool.json.ImmediateJobExecutor" : { "type" : "object", "properties" : { "CorePoolSize" : { "type" : "integer", "description" : "Minimum number of threads", "default" : "5" }, "MaximumPoolSize" : { "type" : "integer", "description" : "Maximum number of threads", "default" : "50" } }, "additionalProperties" : false }, "thread-pool.json.MinSized" : { "type" : "object", "properties" : { "CorePoolSize" : { "type" : "integer", "description" : "Minimum number of threads", "default" : "5" } }, "additionalProperties" : false }, "thread-pool.json" : { "type" : "object", "properties" : { "BackgroundOperationExecutor" : { "$ref" : "#/$defs/thread-pool.json.BackgroundOperationExecutor", "description" : "Executes process engine background operations like Database, WebService calls, etc." }, "ImmediateJobExecutor" : { "$ref" : "#/$defs/thread-pool.json.ImmediateJobExecutor", "description" : "Executes unscheduled jobs" }, "ScheduledJobExecutor" : { "$ref" : "#/$defs/thread-pool.json.MinSized", "description" : "Executes scheduled jobs" } }, "additionalProperties" : false }, "system-task.json.Failure" : { "type" : "object", "properties" : { "Behaviour" : { "$ref" : "#/$defs/system-task.json.SystemTaskFailureBehaviour", "description" : "Defines the behaviour in case a system task fails.", "default" : "FAIL_TASK_DO_RETRY" } }, "additionalProperties" : false }, "system-task.json.SearchJob" : { "type" : "object", "properties" : { "Interval" : { "type" : "integer", "description" : "Interval in seconds between executions of the search job for system tasks.\nThe job searches system tasks that were not executed because of failures.", "default" : "900" } }, "additionalProperties" : false }, "system-task.json.SystemTaskFailureBehaviour" : { "type" : "string", "enum" : [ "FAIL_TASK_DO_RETRY", "FAIL_TASK_DO_NOT_RETRY", "DESTROY_TASK", "DESTROY_CASE" ] }, "system-task.json" : { "type" : "object", "properties" : { "Failure" : { "$ref" : "#/$defs/system-task.json.Failure" }, "SearchJob" : { "$ref" : "#/$defs/system-task.json.SearchJob" } }, "additionalProperties" : false }, "rest.json.Csrf" : { "type" : "object", "properties" : { "Protection" : { "type" : "boolean", "description" : "Provides the general CSRF protection via 'X-Requested-By' header for REST services.\n[restart required]", "default" : "true" } }, "additionalProperties" : false }, "rest.json.Servlet" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "Controls the REST servlet interface. If disabled no REST resources will be accessible.\nCalls to remote REST services are still possible.\n[restart required]", "default" : "true" }, "API" : { "type" : "boolean", "description" : "Controls whether the REST resources provided by the Axon Ivy Engine should be available or not\n[restart required]", "default" : "true" }, "Deployment" : { "type" : "boolean", "description" : "Controls whether the REST resource for remote deployment under '/system/api/apps/{application} is available or not\n[restart required]", "default" : "true" }, "CSRF" : { "$ref" : "#/$defs/rest.json.Csrf", "description" : "Cross Site Request Forgery (CRSF) settings\n[restart required]" }, "Tracing" : { "$ref" : "#/$defs/rest.json.TracingHeaders", "description" : "Allows the service developer to get diagnostic information about request processing by Jersey.\nThose diagnostic/tracing information are returned in response headers (X-Jersey-Tracing-nnn).\nOn productive environments this feature should not be turned on.\n[restart required]", "default" : "'OFF'" } }, "additionalProperties" : false }, "rest.json.TracingHeaders" : { "type" : "string", "enum" : [ "OFF", "ON_DEMAND", "ALL" ] }, "rest.json" : { "type" : "object", "properties" : { "Servlet" : { "$ref" : "#/$defs/rest.json.Servlet" } }, "additionalProperties" : false }, "session.json" : { "type" : "object", "properties" : { "RenewIdOnLogin" : { "type" : "boolean", "description" : "Session identifier will be renewed on login to prevent the 'Session Fixation' attack.", "default" : "true" }, "Timeout" : { "type" : "integer", "description" : "Defines the amount of time in minutes after which an inactive user session will be closed.\n[restart required]", "default" : "30" } }, "additionalProperties" : false }, "webserver.json.ContentSecurityPolicy" : { "type" : "object", "properties" : { "Enabled" : { "default" : "false", "additionalProperties" : false, "type" : "string", "examples" : [ "false", "true", "reportOnly" ] }, "Policy" : { "type" : "string", "examples" : [ "object-src 'none'; base-uri 'none'; frame-ancestors 'self'; worker-src 'self' blob:; script-src 'strict-dynamic'" ] }, "ReportOnlyPolicy" : { "type" : "string" } }, "additionalProperties" : false }, "webserver.json.HttpHeaders" : { "type" : "object", "properties" : { "Cross-Origin-Embedder-Policy" : { "description" : "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy\n[restart required]", "additionalProperties" : false, "type" : "string", "examples" : [ "unsafe-none", "require-corp", "credentialless" ] }, "Cross-Origin-Opener-Policy" : { "description" : "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy\n[restart required]", "additionalProperties" : false, "type" : "string", "examples" : [ "unsafe-none", "same-origin-allow-popups", "same-origin", "noopener-allow-popups" ] }, "Cross-Origin-Resource-Policy" : { "description" : "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Resource-Policy\n[restart required]", "additionalProperties" : false, "type" : "string", "examples" : [ "same-site", "same-origin", "cross-origin" ] }, "Referrer-Policy" : { "description" : "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy\n[restart required]", "default" : "strict-origin-when-cross-origin", "additionalProperties" : false, "type" : "string", "examples" : [ "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url" ] }, "Strict-Transport-Security" : { "description" : "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security\n[restart required]", "additionalProperties" : false, "type" : "string", "examples" : [ "max-age=63072000" ] }, "X-Content-Type-Options" : { "description" : "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options\n[restart required]", "default" : "nosniff", "additionalProperties" : false, "type" : "string", "examples" : [ "nosniff" ] }, "X-Frame-Options" : { "description" : "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options\n[restart required]", "default" : "SAMEORIGIN", "additionalProperties" : false, "type" : "string", "examples" : [ "DENY", "SAMEORIGIN" ] } } }, "webserver.json.PrimeFaces" : { "type" : "object", "properties" : { "ContentSecurityPolicy" : { "$ref" : "#/$defs/webserver.json.ContentSecurityPolicy", "description" : "https://primefaces.github.io/primefaces/13_0_0/#/core/contentsecuritypolicy?id=content-security-policy\n[restart required]" } }, "additionalProperties" : false }, "webserver.json" : { "type" : "object", "properties" : { "HttpHeaders" : { "$ref" : "#/$defs/webserver.json.HttpHeaders", "description" : "HTTP Headers that are added to a server response.\n[restart required]" }, "IvyContextName" : { "description" : "Name of the Ivy servlet context. Use a simple name without any special characters.\n[restart required]", "additionalProperties" : false, "type" : "string", "examples" : [ "ivy", "workflow" ] }, "PrimeFaces" : { "$ref" : "#/$defs/webserver.json.PrimeFaces" } }, "additionalProperties" : false }, "offline-dialog.json" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "Disable it if you don't use the Mobile Offline Dialog feature.\n[restart required]", "default" : "true" } }, "additionalProperties" : false }, "connector.json.HTTPConnector" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "Whether the HTTP connector is enabled.\n[restart required]", "default" : "true" }, "Port" : { "type" : "integer", "description" : "The TCP port number on which this Connector will create a server socket and await incoming connections. \n[restart required]", "default" : "8080" }, "AcceptCount" : { "type" : "integer", "description" : "The maximum length of the operating system provided queue for incoming connection requests when maxConnections has been reached. \n[restart required]", "default" : "100" }, "Address" : { "description" : "For servers with more than one IP address, this attribute specifies which address will be used for listening\non the specified port.\nBy default, the connector will listen all local addresses.\n[restart required]", "additionalProperties" : false, "type" : "string", "examples" : [ "0.0.0.0", "::" ] }, "AllowTrace" : { "type" : "boolean", "description" : "A boolean value which can be used to enable or disable the TRACE HTTP method. \n[restart required]" }, "CompressibleMimeType" : { "type" : "string", "description" : "The value is a comma separated list of MIME types for which HTTP compression may be used.\n[restart required]", "default" : "text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml" }, "Compression" : { "description" : "The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth.\n[restart required]", "default" : "'off'", "additionalProperties" : false, "type" : "string", "examples" : [ "on", "off", "force" ] }, "ConnectionLinger" : { "type" : "integer", "description" : "The number of seconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 which disables socket linger.\n[restart required]", "default" : "-1" }, "ConnectionTimeout" : { "type" : "integer", "description" : "The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented.\n[restart required]", "default" : "60000" }, "DisableUploadTimeout" : { "type" : "boolean", "description" : "This flag allows the servlet container to use a different, usually longer connection timeout during data upload.\n[restart required]", "default" : "true" }, "EnableLookups" : { "type" : "boolean", "description" : "Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client.\nSet to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance).\n[restart required]" }, "MaxHttpHeaderSize" : { "type" : "integer", "description" : "Provides the default value for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize.\n[restart required]", "default" : "8192" }, "MaxKeepAliveRequests" : { "type" : "integer", "description" : "The maximum number of HTTP requests which can be pipelined until the connection is closed by the server.\nSetting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining.\nSetting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests.\n[restart required]", "default" : "100" }, "MaxParameterCount" : { "type" : "integer", "description" : "The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by default\n[restart required]", "default" : "10000" }, "MaxPartCount" : { "type" : "integer", "description" : "The maximum total number of parts permitted in a request where the\ncontent type is multipart/form-data. This limit is in\naddition to maxParameterCount. Requests that exceed this\nlimit will be rejected. A value of less than 0 means no limit. If not\nspecified, a default of -1 is used.\n[restart required]", "default" : "-1" }, "MaxPostSize" : { "type" : "integer", "description" : "The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing.\nThe limit can be disabled by setting this attribute to a value less than zero.\n[restart required]", "default" : "2097152" }, "MaxSavePostSize" : { "type" : "integer", "description" : "The maximum size in bytes of the request body which will be saved/buffered by\nthe container during FORM or CLIENT-CERT authentication or during HTTP/1.1 upgrade.\n[restart required]", "default" : "4096" }, "MaxThreads" : { "type" : "integer", "description" : "The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled.\n[restart required]", "default" : "200" }, "MinSpareThreads" : { "type" : "integer", "description" : "The minimum number of threads always kept running. This includes both active and idle threads.\n[restart required]", "default" : "10" }, "NoCompressionUserAgents" : { "type" : "string", "description" : "The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients\nfor which compression should not be used.\n[restart required]" }, "ProxyName" : { "type" : "string", "description" : "If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to request.getServerName(). \n[restart required]" }, "ProxyPort" : { "type" : "integer", "description" : "If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort(). \n[restart required]" }, "RedirectPort" : { "type" : "integer", "description" : "If this Connector is supporting non-SSL requests, and a request is received for which a matching requires SSL transport, Catalina will automatically redirect the request to the port number specified here. \n[restart required]", "default" : "8443" }, "RestrictedUserAgents" : { "type" : "string", "description" : "The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients\nfor which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features.\n[restart required]" }, "Server" : { "type" : "string", "description" : "Overrides the Server header for the http response.\nIf set, the value for this attribute overrides any Server header set by a web application.\nIf not set, any value specified by the application is used.\nIf the application does not specify a value then no Server header is set.\n[restart required]" }, "TcpNoDelay" : { "type" : "boolean", "description" : "If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances.\n[restart required]", "default" : "true" }, "ThreadPriority" : { "type" : "integer", "description" : "The priority of the request processing threads within the JVM.\n[restart required]", "default" : "5" }, "URIEncoding" : { "type" : "string", "description" : "This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL.\n[restart required]", "default" : "UTF-8" }, "UseBodyEncodingForURI" : { "type" : "boolean", "description" : "This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding.\n[restart required]" }, "UseIPVHosts" : { "type" : "boolean", "description" : "Set this attribute to true to cause Tomcat to use the IP address that the request was received on to determine the Host to send the request to.\n[restart required]" }, "XpoweredBy" : { "type" : "boolean", "description" : "Set this attribute to true to cause Tomcat to advertise support for the Servlet specification using the header recommended in the specification. \n[restart required]" } }, "additionalProperties" : false }, "connector.json.HTTPSConnector" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "Whether the HTTPS connector is enabled.\n[restart required]", "default" : "false" }, "Port" : { "type" : "integer", "description" : "The TCP port number on which this Connector will create a server socket and await incoming connections. \n[restart required]", "default" : "8443" }, "AcceptCount" : { "type" : "integer", "description" : "The maximum length of the operating system provided queue for incoming connection requests when maxConnections has been reached. \n[restart required]", "default" : "100" }, "Address" : { "description" : "For servers with more than one IP address, this attribute specifies which address will be used for listening\non the specified port.\nBy default, the connector will listen all local addresses.\n[restart required]", "additionalProperties" : false, "type" : "string", "examples" : [ "0.0.0.0", "::" ] }, "AllowTrace" : { "type" : "boolean", "description" : "A boolean value which can be used to enable or disable the TRACE HTTP method. \n[restart required]" }, "ClientAuth" : { "type" : "string", "description" : "\n[restart required]", "default" : "NONE" }, "CompressibleMimeType" : { "type" : "string", "description" : "The value is a comma separated list of MIME types for which HTTP compression may be used.\n[restart required]", "default" : "text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml" }, "Compression" : { "description" : "The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth.\n[restart required]", "default" : "'off'", "additionalProperties" : false, "type" : "string", "examples" : [ "on", "off", "force" ] }, "ConnectionLinger" : { "type" : "integer", "description" : "The number of seconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 which disables socket linger.\n[restart required]", "default" : "-1" }, "ConnectionTimeout" : { "type" : "integer", "description" : "The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented.\n[restart required]", "default" : "60000" }, "DisableUploadTimeout" : { "type" : "boolean", "description" : "This flag allows the servlet container to use a different, usually longer connection timeout during data upload.\n[restart required]", "default" : "true" }, "EnableLookups" : { "type" : "boolean", "description" : "Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client.\nSet to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance).\n[restart required]" }, "MaxHttpHeaderSize" : { "type" : "integer", "description" : "Provides the default value for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize.\n[restart required]", "default" : "8192" }, "MaxKeepAliveRequests" : { "type" : "integer", "description" : "The maximum number of HTTP requests which can be pipelined until the connection is closed by the server.\nSetting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining.\nSetting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests.\n[restart required]", "default" : "100" }, "MaxParameterCount" : { "type" : "integer", "description" : "The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by default\n[restart required]", "default" : "10000" }, "MaxPartCount" : { "type" : "integer", "description" : "The maximum total number of parts permitted in a request where the\ncontent type is multipart/form-data. This limit is in\naddition to maxParameterCount. Requests that exceed this\nlimit will be rejected. A value of less than 0 means no limit. If not\nspecified, a default of -1 is used.\n[restart required]", "default" : "-1" }, "MaxPostSize" : { "type" : "integer", "description" : "The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing.\nThe limit can be disabled by setting this attribute to a value less than zero.\n[restart required]", "default" : "2097152" }, "MaxSavePostSize" : { "type" : "integer", "description" : "The maximum size in bytes of the request body which will be saved/buffered by\nthe container during FORM or CLIENT-CERT authentication or during HTTP/1.1 upgrade.\n[restart required]", "default" : "4096" }, "MaxThreads" : { "type" : "integer", "description" : "The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled.\n[restart required]", "default" : "200" }, "MinSpareThreads" : { "type" : "integer", "description" : "The minimum number of threads always kept running. This includes both active and idle threads.\n[restart required]", "default" : "10" }, "NoCompressionUserAgents" : { "type" : "string", "description" : "The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients\nfor which compression should not be used.\n[restart required]" }, "ProxyName" : { "type" : "string", "description" : "If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to request.getServerName(). \n[restart required]" }, "ProxyPort" : { "type" : "integer", "description" : "If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort(). \n[restart required]" }, "RedirectPort" : { "type" : "integer", "description" : "If this Connector is supporting non-SSL requests, and a request is received for which a matching requires SSL transport, Catalina will automatically redirect the request to the port number specified here. \n[restart required]", "default" : "8443" }, "RestrictedUserAgents" : { "type" : "string", "description" : "The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients\nfor which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features.\n[restart required]" }, "Server" : { "type" : "string", "description" : "Overrides the Server header for the http response.\nIf set, the value for this attribute overrides any Server header set by a web application.\nIf not set, any value specified by the application is used.\nIf the application does not specify a value then no Server header is set.\n[restart required]" }, "SslProtocol" : { "description" : "The name of the protocol to support when communicating with clients.\nIf you need a fine granular selection of multiple protocols, use the 'SslHostConfig.Protocols' property.\n[restart required]", "default" : "TLS", "additionalProperties" : false, "type" : "string", "examples" : [ "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" ] }, "SslHostConfig" : { "$ref" : "#/$defs/connector.json.SslHostConfig" }, "KeyAlias" : { "type" : "string", "description" : "\n[restart required]" }, "KeyPass" : { "type" : "string", "description" : "[password]\n[restart required]" }, "KeystoreFile" : { "type" : "string", "description" : "\n[restart required]", "default" : "configuration/keystore.p12" }, "KeystorePass" : { "type" : "string", "description" : "[password]\n[restart required]", "default" : "changeit" }, "KeystoreType" : { "type" : "string", "description" : "\n[restart required]", "default" : "pkcs12" }, "TcpNoDelay" : { "type" : "boolean", "description" : "If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances.\n[restart required]", "default" : "true" }, "ThreadPriority" : { "type" : "integer", "description" : "The priority of the request processing threads within the JVM.\n[restart required]", "default" : "5" }, "TruststoreFile" : { "type" : "string", "description" : "\n[restart required]" }, "TruststorePass" : { "type" : "string", "description" : "[password]\n[restart required]" }, "TruststoreType" : { "type" : "string", "description" : "\n[restart required]", "default" : "JKS" }, "URIEncoding" : { "type" : "string", "description" : "This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL.\n[restart required]", "default" : "UTF-8" }, "UseBodyEncodingForURI" : { "type" : "boolean", "description" : "This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding.\n[restart required]" }, "UseIPVHosts" : { "type" : "boolean", "description" : "Set this attribute to true to cause Tomcat to use the IP address that the request was received on to determine the Host to send the request to.\n[restart required]" }, "XpoweredBy" : { "type" : "boolean", "description" : "Set this attribute to true to cause Tomcat to advertise support for the Servlet specification using the header recommended in the specification. \n[restart required]" } }, "additionalProperties" : false }, "connector.json.SslHostConfig" : { "type" : "object", "properties" : { "Protocols" : { "description" : "The names of the protocols to support when communicating with clients.\nMultiple protocols can be enabled by separating them with a comma.\n[restart required]", "default" : "all", "additionalProperties" : false, "type" : "string", "examples" : [ "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "all" ] } }, "additionalProperties" : false }, "connector.json" : { "type" : "object", "properties" : { "HTTP" : { "$ref" : "#/$defs/connector.json.HTTPConnector", "description" : "https://tomcat.apache.org/tomcat-9.0-doc/config/http.html\n[restart required]" }, "HTTPS" : { "$ref" : "#/$defs/connector.json.HTTPSConnector", "description" : "https://tomcat.apache.org/tomcat-9.0-doc/config/http.html\n[restart required]" } }, "additionalProperties" : false }, "health-check.json.AllChecks" : { "type" : "object", "additionalProperties" : false, "properties" : { "ConfigurationCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "DatabasesConnectionPoolCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "EngineModeCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "HeapMemoryCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "ReleaseCandidateCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "RestartRequiredCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "RestClientsConnectionPoolCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "SysDbConnectionPoolCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "SystemCpuLoadCheck" : { "$ref" : "#/$defs/health-check.json.Check" }, "SystemMemoryCheck" : { "$ref" : "#/$defs/health-check.json.Check" } } }, "health-check.json.Check" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "default" : "true" } }, "additionalProperties" : false }, "health-check.json" : { "type" : "object", "properties" : { "Enabled" : { "type" : "boolean", "description" : "Whether health check is enabled", "default" : "null" }, "Checks" : { "$ref" : "#/$defs/health-check.json.AllChecks" } }, "additionalProperties" : false } } }