Version: 8.9 (unreleased)

Property reference

As a Spring Boot application, the Orchestration Cluster supports standard Spring configuration methods.

The following configurations apply to all components within the Orchestration Cluster.

API

camunda.api.long-polling

Property | Description | Default value
camunda.api.long-polling.enabled

Enable long-polling for the Camunda gRPC API server.

true
camunda.api.long-polling.timeout

Set the timeout for long polling in milliseconds.

10000
camunda.api.long-polling.probe-timeout

Set the probe timeout for long polling in milliseconds.

10000
camunda.api.long-polling.min-empty-responses

Set the minimum number of empty responses. A minimum number of responses with a jobCount of 0 implies that no jobs are available.

10s

API - gRPC

camunda.api.grpc

Property | Description | Default value
camunda.api.grpc.address

Set the address the gateway binds to.

0.0.0.0
camunda.api.grpc.port

Set the port the gateway binds to.

26500
camunda.api.grpc.min-keep-alive-interval

Set the minimum keep alive interval.

  • This setting specifies the minimum accepted interval between keep alive pings.
  • This value must be specified as a positive integer followed by 's' for seconds, 'm' for minutes or 'h' for hours.

30s
camunda.api.grpc.max-message-size

Set the maximum size of the incoming and outgoing messages (that is, commands and events).

4MB
camunda.api.grpc.management-threads

Set the number of threads the gateway will use to communicate with the broker cluster.

1

camunda.api.grpc.ssl

Property | Description | Default value
camunda.api.grpc.ssl.enabled

Enable SSL (Secure Sockets Layer) authentication for the gateway.

false
camunda.api.grpc.ssl.certificate

Set the path to the certificate chain file.

Null
camunda.api.grpc.ssl.certificate-private-key

Set the path to the private key file location.

Null
camunda.api.grpc.ssl.key-store.file-path

Configure the keystore file containing both the certificate chain and the private key. Currently only supports PKCS12 format.

/path/to/keystore
camunda.api.grpc.ssl.key-store.password

Configure the keystore password.

Null

camunda.api.grpc.interceptors

Property | Description | Default value
camunda.api.grpc.interceptors[]

This property is part of Camunda's gRPC interceptor system, which allows you to add custom processing logic to gRPC requests and responses.

The property is a list of interceptor configurations, each requiring an id, jar-path and class-name.

No entries
camunda.api.grpc.interceptors[].id

The unique identifier for a particular gRPC interceptor configuration.

Null
camunda.api.grpc.interceptors[].jar-path

The file path to a JAR file that contains a custom gRPC interceptor implementation.

Null
camunda.api.grpc.interceptors[].class-name

Set the fully qualified class name of a custom gRPC interceptor implementation that should be loaded and executed by the Camunda gRPC server.

Null

API - REST

camunda.api.rest.filters

Property | Description | Default value
camunda.api.rest.filters[]

This property is part of Camunda's REST filter system, which allows you to add filters to REST requests and responses.

The property is a list of filter configurations, each requiring an id, jar-path and class-name.

No entries
camunda.api.rest.filters[].id

The unique identifier for a particular REST filter configuration.

Null
camunda.api.rest.filters[].jar-path

The file path to a JAR file that contains a custom REST filter implementation.

Null
camunda.api.rest.filters[].class-name

Set the fully qualified class name of a custom REST filter implementation that should be loaded and executed by the Camunda REST server.

Null

camunda.api.rest.process-cache

Property | Description | Default value
camunda.api.rest.process-cache.max-size

Set the maximum number of entries that can be stored in the REST API's process cache.

100
camunda.api.rest.process-cache.expiration-idle

Set the idle expiration time for entries in the REST API's process cache.

null

camunda.api.rest.executor

Property | Description | Default value
camunda.api.rest.executor.core-pool-size-multiplier

Multiplier applied to the number of available processors to compute the executor's core pool size (minimum number of threads kept alive).

Effective value: corePoolSize = availableProcessors * corePoolSizeMultiplier.

Use a higher value if you have steady, continuous traffic and want to minimize cold-start latency. Keep it low to allow the pool to scale down when idle.

1
camunda.api.rest.executor.max-pool-size-multiplier

Multiplier applied to the number of available processors to compute the executor's maximum pool size (hard cap on threads).

Effective value: maxPoolSize = availableProcessors * maxPoolSizeMultiplier.

Must be >= corePoolSizeMultiplier.

Increase cautiously, as high values can cause oversubscription for CPU-bound workloads.

2
camunda.api.rest.executor.keep-alive

Time in seconds that threads above the core size may remain idle before being terminated.

Lower values reclaim resources faster after bursts. Higher values reduce thread creation/destruction churn if bursts are frequent.

60s
camunda.api.rest.executor.queue-capacity

Capacity of the executor's task queue. A small bounded queue (for example, 64) is recommended to handle short bursts while still allowing the pool to grow.

64

Cluster

camunda.cluster

Property | Description | Default value
camunda.cluster.network.host

The network host for internal cluster communication.

null
camunda.cluster.node-id

Specifies the unique id of this broker node in a cluster. The id must be between 0 (inclusive) and the number of nodes in the cluster (exclusive).

0
camunda.cluster.partition-count

The number of partitions in the cluster.

1
camunda.cluster.replication-factor

The number of replicas for each partition in the cluster. The replication factor cannot be greater than the number of nodes in the cluster.

1
camunda.cluster.size

The number of nodes in the cluster.

1

camunda.cluster.metadata

Property | Description | Default value
camunda.cluster.metadata.sync-delay

The delay between two sync requests in the ClusterConfigurationManager. A sync request is sent to another node to get the latest topology of the cluster.

10s
camunda.cluster.metadata.sync-request-timeout

The timeout for a sync request in the ClusterConfigurationManager.

2s
camunda.cluster.metadata.gossip-fanout

The number of nodes to which a cluster topology is gossiped.

2

camunda.cluster.raft

Property | Description | Default value
camunda.cluster.raft

Configuration for the Raft consensus protocol in the cluster.

This group provides settings for Raft algorithm parameters, including timing, elections, and log flushing.

none
camunda.cluster.raft.priority-election-enabled

When this flag is enabled, the leader election algorithm attempts to elect the leaders based on a pre-defined priority. As a result, it tries to distribute the leaders uniformly across the brokers.

Note that it is only a best-effort strategy. It is not guaranteed to be a strictly uniform distribution.

true
camunda.cluster.raft.flush-enabled

If false, explicit flushing of the Raft log is disabled, and flushing only occurs right before a snapshot is taken. You should only disable explicit flushing if you are willing to accept potential data loss at the expense of performance. Before disabling it, try the delayed options, which provide a trade-off between safety and performance.

By default, for a given partition, data is flushed on every leader commit, and every follower append. This is to ensure consistency across all replicas. Disabling this can cause inconsistencies, and at worst, data corruption or data loss scenarios.

true
camunda.cluster.raft.flush-delay

If the delay is > 0, then flush requests are delayed by at least the given period. It is recommended that you find the smallest delay here with which you achieve your performance goals.

It's also likely that anything above 30s is not useful, as this is the typical default flush interval for the Linux OS.

The default behavior is optimized for safety, and flushing occurs on every leader commit and follower append in a synchronous fashion.

0s
camunda.cluster.raft.heartbeat-interval

The heartbeat interval for Raft. The leader sends a heartbeat to a follower every heartbeatInterval. This is an advanced setting.

250ms
camunda.cluster.raft.election-timeout

The election timeout for Raft. If a follower does not receive a heartbeat from the leader within an election timeout, it can start a new leader election.

The electionTimeout should be greater than the configured heartbeatInterval.

When the electionTimeout is large, there will be a delay in detecting a leader failure.

When the electionTimeout is small, it can lead to false positives when detecting leader failures and thus leading to unnecessary leader changes.

If the network latency between the nodes is high, it is recommended to have a higher election timeout.

This is an advanced setting.

2.5s

Data

camunda.data

Property | Description | Default value
camunda.data.snapshot-period

How often snapshots are taken of streams (in minutes).

5m
camunda.data.export.distribution-interval

Configures the rate at which exporter positions are distributed to the followers. This is useful for fail-over and taking snapshots.

The follower is able to take snapshots based on the replayed and distributed export position. When a follower takes over, it can recover from the snapshot and does not need to replay and export everything.

For example, it can start from the last exported position it has received by the distribution mechanism.

15s
camunda.data.export.skip-records

Enables exporters to skip records by their position.

This is useful for debugging or for skipping a record that is preventing processing or exporting from continuing.

Record positions listed here are skipped in all exporters. The value is a comma-separated list of record positions to skip. Whitespace is ignored.

[]

Data - backup

camunda.data.backup

Property | Description | Default value
camunda.data.backup.repository-name

Set the Elasticsearch/OpenSearch snapshot repository name.

Note: This setting applies to backups of secondary storage.

''
camunda.data.backup.snapshot-timeout

A backup of history data consists of multiple Elasticsearch/OpenSearch snapshots.

The snapshotTimeout controls the maximum time to wait for a snapshot operation to complete during backup creation. When set to 0, the system will wait indefinitely for snapshots to finish.

Note: This setting applies to backups of secondary storage.

0
camunda.data.backup.incomplete-check-timeout

Defines the timeout period for determining whether an incomplete backup should be considered as failed or still in progress.

This property helps distinguish between backups that are actively running versus those that may have stalled or failed silently.

Note: This setting applies to backups of secondary storage.

5m
camunda.data.backup.store

Set the backup store type.

Supported values are NONE, S3, GCS, AZURE, FILESYSTEM.

Note: This configuration applies to the backup of primary storage.

NONE

camunda.data.backup.s3

Property | Description | Default value
camunda.data.backup.s3.bucket-name

Name of the bucket where the backup will be stored.

  • The bucket must already exist.
  • The bucket must not be shared with other Zeebe clusters.
  • The bucketName must not be empty.

Null
camunda.data.backup.s3.endpoint

Configure the URL endpoint for the store. If no endpoint is provided, it will be determined based on the configured region.

Null
camunda.data.backup.s3.region

Configure the AWS region.

If no region is provided it will be determined as documented in setting the AWS Region for the AWS SDK for Java 2.x.

Null
camunda.data.backup.s3.access-key

Configure access credentials.

If either accessKey or secretKey is not provided, the credentials will be determined as documented in using credentials providers in the AWS SDK for Java 2.x.

-
camunda.data.backup.s3.secret-key

Configure access credentials.

If either accessKey or secretKey is not provided, the credentials will be determined as documented in using credentials providers in the AWS SDK for Java 2.x.

-
camunda.data.backup.s3.api-call-timeout

Configure a maximum duration for all S3 client API calls.

Lower values will ensure that failed or slow API calls don't block other backups but may increase the risk that backups can't be stored if uploading parts of the backup takes longer than the configured timeout.

Refer to AWS Java SDK 2.x Best Practices.

180s
camunda.data.backup.s3.force-path-style-access

If enabled, forces the S3 client to use path-style access.

By default, the client will automatically choose between path-style and virtual-hosted-style.

This should only be enabled if the S3-compatible storage does not support virtual-hosted-style access.

Refer to accessing an Amazon S3 general purpose bucket.

false
camunda.data.backup.s3.compression

When set to an algorithm such as 'zstd', enables compression of backup contents.

When not set or set to 'none', backup content is not compressed.

Enabling compression reduces the required storage space for backups in S3 but also increases the impact on CPU and disk utilization while taking a backup.

-
camunda.data.backup.s3.max-concurrent-connections

Maximum number of connections allowed in a connection pool.

This is used to restrict the maximum number of concurrent uploads so as to avoid connection timeouts when uploading backups with large or multiple files.

50
camunda.data.backup.s3.connection-acquisition-timeout

Timeout for acquiring an already-established connection from a connection pool to a remote service.

45s
camunda.data.backup.s3.base-path

When set, all objects in the bucket will use this prefix. Must be non-empty and not start or end with '/'.

This is useful for using the same bucket for multiple Zeebe clusters. In this scenario, the basePath must be unique.

Null
camunda.data.backup.s3.support-legacy-md5

Enable the S3 MD5 plugin for legacy support.

Null

camunda.data.backup.gcs

Property | Description | Default value
camunda.data.backup.gcs.bucket-name

Name of the bucket where the backup will be stored.

  • The bucket must already exist.
  • The bucket must not be shared with other Zeebe clusters unless basePath is also set.

Null
camunda.data.backup.gcs.host

When set, this overrides the host that the GCS client connects to.

By default, this is not set because the client can automatically discover the correct host to connect to.

AUTO
camunda.data.backup.gcs.base-path

When set, all blobs in the bucket will use this prefix. This is useful for using the same bucket for multiple Zeebe clusters.

In this scenario, the basePath must be unique. It should not start or end with a '/' character. It must be non-empty and not consist of only '/' characters.

Null
camunda.data.backup.gcs.auth

Configures which authentication method is used for connecting to GCS.

Can be either 'auto' or 'none'.

  • 'auto': The GCS client uses application default credentials which automatically discovers appropriate credentials from the runtime environment.
  • 'none': No authentication is attempted which is only applicable for testing with emulated GCS.

Null

camunda.data.backup.azure

Property | Description | Default value
camunda.data.backup.azure.endpoint

The Azure endpoint to connect to. Required unless a connection string is specified.

Null
camunda.data.backup.azure.account-name

The account name used to authenticate with Azure.

This can only be used in combination with an account key.

If account credentials or a connection string are not provided, authentication will use credentials from the runtime environment.

Null
camunda.data.backup.azure.account-key

The account key that is used to authenticate with Azure.

This can only be used in combination with an account name.

If account credentials or a connection string are not provided, authentication will use credentials from the runtime environment.

Null
camunda.data.backup.azure.connection-string

The connection string configures the endpoint, account name and account key all at once.

If a connection string or account credentials are not provided, authentication will use credentials from the runtime environment.

Null
camunda.data.backup.azure.base-path

Defines the container name where backup contents are saved.

Null
camunda.data.backup.azure.create-container

Whether the backup container is created if it does not already exist.

true
camunda.data.backup.azure.sas-token.type

This setting defines the type of SAS token to use.

These can be of user delegation, service or account type.

Note: As user delegation and service SAS tokens do not support the creation of containers, createContainer configuration will be overridden to false if sasToken is configured.

The user must make sure that the container already exists, or it will lead to a runtime error. Refer to delegate access by using a shared access signature.

Null
camunda.data.backup.azure.sas-token.value

The actual Shared Access Signature (SAS) token value used for authentication.

Null

camunda.data.backup.filesystem

Property | Description | Default value
camunda.data.backup.filesystem.base-path

Set the base path to store all related backup files in.

Null

Data - secondary storage

camunda.data.secondary-storage

Property | Description | Default value
camunda.data.secondary-storage.type

Determines the type of the secondary storage database.

elasticsearch
camunda.data.secondary-storage.autoconfigure-camunda-exporter

If enabled, the default exporter camundaexporter is automatically configured using the secondary-storage properties.

Manual configuration of camundaexporter is not required.

If disabled, camundaexporter will not be configured automatically, but can still be enabled through manual configuration if required.

Manual configuration of camundaexporter is generally not recommended, and can result in unexpected behavior if not configured correctly.

true

camunda.data.secondary-storage.elasticsearch

Property | Description | Default value
camunda.data.secondary-storage.elasticsearch.url

Endpoint for the database configured as secondary storage.

http://localhost:9200
camunda.data.secondary-storage.elasticsearch.cluster-name

Name of the cluster.

elasticsearch
camunda.data.secondary-storage.elasticsearch.username

Username for the database configured as secondary storage.

''
camunda.data.secondary-storage.elasticsearch.password

Password for the database configured as secondary storage.

''
camunda.data.secondary-storage.elasticsearch.security.enabled

Enable security.

false
camunda.data.secondary-storage.elasticsearch.security.certificate-path

Path to certificate used by Elasticsearch.

''
camunda.data.secondary-storage.elasticsearch.security.verify-hostname

Should the hostname be validated.

true
camunda.data.secondary-storage.elasticsearch.security.self-signed

Certificate was self-signed.

false
camunda.data.secondary-storage.elasticsearch.index-prefix

Prefix to apply to the indexes.

''

camunda.data.secondary-storage.opensearch

Property | Description | Default value
camunda.data.secondary-storage.opensearch.url

Endpoint for the database configured as secondary storage.

http://localhost:9200
camunda.data.secondary-storage.opensearch.cluster-name

Name of the cluster.

elasticsearch
camunda.data.secondary-storage.opensearch.username

Username for the database configured as secondary storage.

''
camunda.data.secondary-storage.opensearch.password

Password for the database configured as secondary storage.

''
camunda.data.secondary-storage.opensearch.security.enabled

Enable security.

false
camunda.data.secondary-storage.opensearch.security.certificate-path

Path to certificate used by OpenSearch.

''
camunda.data.secondary-storage.opensearch.security.verify-hostname

Should the hostname be validated.

true
camunda.data.secondary-storage.opensearch.security.self-signed

Certificate was self-signed.

false
camunda.data.secondary-storage.opensearch.index-prefix

Prefix to apply to the indexes.

''

Data - primary storage

camunda.data.primary-storage

Property | Description | Default value
camunda.data.primary-storage.directory

Specify the directory in which data is stored.

'./data'
camunda.data.primary-storage.runtime-directory

Specify the directory in which runtime is stored.

  • By default, runtime is stored in the data directory.
  • If runtime-directory is configured, then the configured directory will be used. It will have a subdirectory for each partition to store its runtime.
  • There is no need to store the runtime in a persistent storage.
  • This configuration allows you to split runtime to another disk to optimize for performance and disk usage.

Note: If runtime is on a different disk than the data directory, files must be copied to the data directory while taking the snapshot. This can impact disk I/O or performance during snapshotting.

''

camunda.data.primary-storage.disk

Property | Description | Default value
camunda.data.primary-storage.disk.monitoring-interval

Sets the interval at which the disk usage is monitored.

1s
camunda.data.primary-storage.disk.monitoring-enabled

Configure disk monitoring to prevent getting into a non-recoverable state due to out of disk space.

If monitoring is enabled, the broker rejects commands and pauses replication when the required freeSpace is not available.

true
camunda.data.primary-storage.disk.free-space.processing

When the free space available is less than this value, the broker rejects all client commands and pauses processing.

2GB
camunda.data.primary-storage.disk.free-space.replication

When the free space available is less than this value, the broker stops receiving replicated events.

This value must be less than free-space.processing.

It is recommended to configure free space large enough for at least one log segment and one snapshot. This is because a partition needs enough space to take a new snapshot to be able to compact the log segments to make disk space available again.

1GB
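Several properties in the cluster, Raft, REST executor and disk sections above constrain each other: camunda.cluster.node-id must lie in [0, cluster size), replication-factor may not exceed the cluster size, raft.election-timeout must be greater than raft.heartbeat-interval, rest.executor.max-pool-size-multiplier must be >= core-pool-size-multiplier, and disk.free-space.replication must be less than disk.free-space.processing. The Python script below is an added example, not part of Camunda's code base, that reads an application.properties-style key list and checks those invariants before a broker is started; the sample values are constructed, and the duration and size units it accepts (ms, s, m, h and B, KB, MB, GB) are assumptions taken from the defaults shown on this page.

```python
import re

# Constructed sample in application.properties form (Spring Boot binds the
# same keys from YAML); the values are chosen to trip every check below and
# are not a recommended configuration.
SAMPLE_PROPERTIES = """
camunda.cluster.size=3
camunda.cluster.node-id=3
camunda.cluster.partition-count=3
camunda.cluster.replication-factor=4
camunda.cluster.raft.heartbeat-interval=250ms
camunda.cluster.raft.election-timeout=200ms
camunda.cluster.raft.flush-enabled=false
camunda.api.rest.executor.core-pool-size-multiplier=2
camunda.api.rest.executor.max-pool-size-multiplier=1
camunda.data.primary-storage.disk.free-space.processing=2GB
camunda.data.primary-storage.disk.free-space.replication=3GB
"""

# Units assumed from the defaults on this page (250ms, 2.5s, 5m; 2GB, 128MB).
DURATION_UNITS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_properties(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_duration_ms(value):
    """'250ms', '2.5s', '5m', '1h' -> milliseconds as a float."""
    match = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m|h)", value.strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    return float(match.group(1)) * DURATION_UNITS[match.group(2)]


def parse_size_bytes(value):
    """'2GB', '128MB', '4MB' -> bytes as an int."""
    match = re.fullmatch(r"(\d+)(B|KB|MB|GB)", value.strip().upper())
    if not match:
        raise ValueError(f"unsupported size: {value!r}")
    return int(match.group(1)) * SIZE_UNITS[match.group(2)]


def check_invariants(props):
    """Return one finding per violated invariant stated in the reference."""
    findings = []
    get = props.get

    # Cluster layout: node-id in [0, size), replication-factor <= size.
    size = int(get("camunda.cluster.size", "1"))
    node_id = int(get("camunda.cluster.node-id", "0"))
    replication = int(get("camunda.cluster.replication-factor", "1"))
    if not 0 <= node_id < size:
        findings.append(f"cluster.node-id {node_id} must be in [0, {size})")
    if replication > size:
        findings.append(f"cluster.replication-factor {replication} exceeds cluster.size {size}")

    # Raft timing: a follower must miss heartbeats, not just one, before it times out.
    heartbeat = parse_duration_ms(get("camunda.cluster.raft.heartbeat-interval", "250ms"))
    election = parse_duration_ms(get("camunda.cluster.raft.election-timeout", "2.5s"))
    if election <= heartbeat:
        findings.append("raft.election-timeout must be greater than raft.heartbeat-interval")
    if get("camunda.cluster.raft.flush-enabled", "true").lower() == "false":
        findings.append("raft.flush-enabled=false accepts potential data loss; try raft.flush-delay first")

    # REST executor: the hard cap may not be below the core size.
    core = int(get("camunda.api.rest.executor.core-pool-size-multiplier", "1"))
    maximum = int(get("camunda.api.rest.executor.max-pool-size-multiplier", "2"))
    if maximum < core:
        findings.append("rest.executor.max-pool-size-multiplier must be >= core-pool-size-multiplier")

    # Disk watermarks: processing pauses at a higher free-space level than replication.
    prefix = "camunda.data.primary-storage.disk.free-space."
    processing = parse_size_bytes(get(prefix + "processing", "2GB"))
    replication_space = parse_size_bytes(get(prefix + "replication", "1GB"))
    if replication_space >= processing:
        findings.append("disk.free-space.replication must be less than disk.free-space.processing")
    return findings


if __name__ == "__main__":
    for finding in check_invariants(parse_properties(SAMPLE_PROPERTIES)):
        print("FINDING:", finding)
```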

camunda.data.primary-storage.logstream

Property | Description | Default value
camunda.data.primary-storage.logstream.log-segment-size

The size of data log segment files.

128MB
camunda.data.primary-storage.logstream.log-index-density

The density of the log index, which determines how frequently index entries are created in the log.

This value specifies the number of log entries between each index entry. A lower value increases the number of index entries (improving lookup speed but using more memory), while a higher value reduces the number of index entries (saving memory but potentially slowing lookups).

Valid values: any positive integer (recommended range: 1-1000).

100

camunda.data.primary-storage.rocksdb

Property | Description | Default value
camunda.data.primary-storage.rocksdb.statistics-enabled

Enables RocksDB statistics, which will be written to the RocksDB log file.

false
camunda.data.primary-storage.rocksdb.access-metrics

Configures which, if any, RocksDB column family access metrics are exposed. Valid values are none (the default), and fine which exposes many metrics covering the read, write, delete and iteration latency per partition and column family.

none
camunda.data.primary-storage.rocksdb.memory-limit

Configures the memory limit, which can be used by RocksDB.

Be aware that this setting only applies to RocksDB, which is used by Zeebe's state management, and that one RocksDB instance is used per partition.

512MB
camunda.data.primary-storage.rocksdb.max-open-files

Configures how many files are kept open by RocksDB. The default is unlimited (-1).

This is a performance optimization: if you set a value greater than zero, it will keep track and cap the number of open files in the TableCache.

On accessing the files it needs to look them up in the cache.

You should configure this property if the maximum open files are limited on your system, or if you have thousands of files in your RocksDB state as there is a memory overhead to keeping all of them open, and setting maxOpenFiles will bound that.

-1
camunda.data.primary-storage.rocksdb.max-write-buffer-number

Configures the maximum number of simultaneous write buffers/memtables RocksDB will have in memory.

Normally about two thirds of the memoryLimit is used by the write buffers, and this is shared equally among the write buffers.

This means the higher maxWriteBufferNumber is, the less memory is available for each. This means you will flush less data at once, but may flush more often.

6
camunda.data.primary-storage.rocksdb.min-write-buffer-number-to-merge

Configures how many write buffers should be full before they are merged and flushed to disk.

A higher numeric value means you may flush less often, but will flush more data at once.

A lower numeric value means flushing more often, but flushing less data at once.

3
camunda.data.primary-storage.rocksdb.io-rate-bytes-per-second

Configures a rate limit for write I/O of RocksDB.

Setting any value less than or equal to 0 will disable this, which is the default setting.

Setting a rate limit on the write I/O can help achieve more stable performance by avoiding write spikes consuming all available IOPS, leading to more predictable read rates.

0
camunda.data.primary-storage.rocksdb.wal-disabled

Configures if the RocksDB write-ahead-log is used or not.

By default, every write in RocksDB goes to the active write buffer and the WAL; this helps recover a RocksDB instance should it crash before the write buffer is flushed.

Zeebe, however, only recovers from a specific point-in-time snapshot, and never from a previously active RocksDB instance, which makes it a good candidate for disabling the WAL. The WAL is disabled by default as this improves the performance of Zeebe.

true
camunda.data.primary-storage.rocksdb.sst-partitioning-enabled

Configures if the RocksDB SST files should be partitioned based on some virtual column families.

By default, RocksDB will not partition the SST files, which could influence the compacting of certain key ranges.

Enabling this option gives RocksDB hints on how to improve compaction and reduce write amplification.

Benchmarks have shown impressive results, allowing sustained performance on larger states.

This setting will increase the general file count of runtime and snapshots.

true

Licensing

Installations of Camunda 8 Self-Managed that require a license can provide their license key to the components. See licensing.

camunda.license

Property | Description | Default value
camunda.license.key

Your Camunda 8 license key, if your installation requires a license.

Null

Security

camunda.security

Property | Description | Default value
camunda.security.id-validation-pattern

A Java regular expression that validates the user-defined identifiers of Identity-related entities.

^[a-zA-Z0-9_@.+-]+$

camunda.security.authentication

Property | Description | Default value
camunda.security.authentication.authentication-refresh-interval

The interval at which the memberships (groups, roles, tenants, component authorizations) are refreshed for logged-in users. Find more details in webserver and security.

PT30S
camunda.security.authorizations.enabled

Whether authorizations are enabled.

true
camunda.security.authentication.method

The authentication method to use. Options: basic, oidc.

basic
camunda.security.authentication.unprotected-api

Whether the API can be used without authentication.

false

camunda.security.csrf

Property | Description | Default value
camunda.security.csrf.enabled

Enables or disables CSRF protection. Disabling CSRF protection is not recommended for production environments as it leaves your application vulnerable to cross-site request forgery attacks.

true

camunda.security.http-headers

Property | Description | Related header | Default value
camunda.security.http-headers.cache-control.enabled

Enables or disables cache prevention headers. Default values: Cache-Control: no-cache, no-store, max-age=0, must-revalidate; Pragma: no-cache; Expires: 0.

Related header: Cache-Control, Pragma, Expires

true
camunda.security.http-headers.content-security-policy.enabled

Enables or disables CSP headers.

Related header: Content-Security-Policy

true
camunda.security.http-headers.content-security-policy.policy-directives

Custom CSP directives. If not set, the default values apply. If set, overrides the default CSP policies.

Related header: Content-Security-Policy

-
camunda.security.http-headers.content-security-policy.report-only

Enables reporting mode without enforcing policies.

Related header: Content-Security-Policy-Report-Only

false
camunda.security.http-headers.content-type-options.enabled

Enables or disables the X-Content-Type-Options header with the nosniff value.

Related header: X-Content-Type-Options

true
camunda.security.http-headers.cross-origin-embedder-policy.value

Restricts embedded cross-origin resources. Options: REQUIRE_CORP, UNSAFE_NONE.

Related header: Cross-Origin-Embedder-Policy

UNSAFE_NONE
camunda.security.http-headers.cross-origin-opener-policy.value

Isolates windows from cross-origin openers. Options: UNSAFE_NONE, SAME_ORIGIN_ALLOW_POPUPS, SAME_ORIGIN.

Related header: Cross-Origin-Opener-Policy

SAME_ORIGIN_ALLOW_POPUPS
camunda.security.http-headers.cross-origin-resource-policy.value

Declares whether resources can be loaded cross-origin. Options: SAME_ORIGIN, SAME_SITE, CROSS_ORIGIN.

Related header: Cross-Origin-Resource-Policy

SAME_SITE
camunda.security.http-headers.frame-options.enabled

Enables or disables the X-Frame-Options header. Default value is SAMEORIGIN.

Related header: X-Frame-Options

true
camunda.security.http-headers.frame-options.mode

Frame options mode. Options: DENY, SAMEORIGIN.

Related header: X-Frame-Options

SAMEORIGIN
camunda.security.http-headers.hsts.enabled

Enables or disables the Strict-Transport-Security header.

Related header: Strict-Transport-Security

true
camunda.security.http-headers.hsts.include-subdomains

Applies HSTS to all subdomains.

Related header: Strict-Transport-Security

false
camunda.security.http-headers.hsts.max-age-in-seconds

HSTS max age in seconds.

Related header: Strict-Transport-Security

31536000
camunda.security.http-headers.hsts.preload

Enables HSTS preloading.

Related header: Strict-Transport-Security

false
camunda.security.http-headers.permissions-policy.value

Restricts access to browser capabilities.

Related header: Permissions-Policy

Disables all features by default
camunda.security.http-headers.referrer-policy.value

Controls referrer information sharing. See available values below.

Related header: Referrer-Policy

STRICT_ORIGIN_WHEN_CROSS_ORIGIN

Default Content Security Policy

This is the default value of the Content Security Policy when it is enabled:

default-src 'self';
base-uri 'self';
script-src 'self' https: *.chargebee.com *.mixpanel.com ajax.cloudflare.com static.cloudflareinsights.com;
script-src-elem 'self' cdn.jsdelivr.net ;
connect-src 'self' https: *.mixpanel.com cloudflareinsights.com *.appcues.net wss://api.appcues.net cdn.jsdelivr.net;
style-src 'self' https: 'unsafe-inline' cdn.jsdelivr.net *.googleapis.com *.chargebee.com;
img-src data: 'self';
form-action 'self';
frame-ancestors 'self';
frame-src 'self' https: *.chargebee.com blob: ;
object-src 'self' blob:;
font-src 'self' data: fonts.camunda.io cdn.jsdelivr.net;
worker-src 'self' blob:;
child-src;
script-src-attr 'none'.
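The default policy above is easier to audit as structured data than as one long header value. The Python script below is an added example, not Camunda code, that parses the policy into directives, flags the sources a reviewer would read first ('unsafe-*' keywords, scheme-wide sources such as https: or blob: in the script, style, frame, object, connect and navigation directives, and empty directives), and renders a directive map back to the string form that camunda.security.http-headers.content-security-policy.policy-directives takes. The review heuristics are this example's own assumptions; which of the listed third-party hosts your deployment can drop depends on which features it uses.

```python
# The default policy from the reference above, as one string so this script
# runs offline (the page's trailing '.' after script-src-attr is dropped).
DEFAULT_CSP = (
    "default-src 'self'; base-uri 'self'; "
    "script-src 'self' https: *.chargebee.com *.mixpanel.com ajax.cloudflare.com "
    "static.cloudflareinsights.com; "
    "script-src-elem 'self' cdn.jsdelivr.net ; "
    "connect-src 'self' https: *.mixpanel.com cloudflareinsights.com *.appcues.net "
    "wss://api.appcues.net cdn.jsdelivr.net; "
    "style-src 'self' https: 'unsafe-inline' cdn.jsdelivr.net *.googleapis.com *.chargebee.com; "
    "img-src data: 'self'; form-action 'self'; frame-ancestors 'self'; "
    "frame-src 'self' https: *.chargebee.com blob: ; object-src 'self' blob:; "
    "font-src 'self' data: fonts.camunda.io cdn.jsdelivr.net; worker-src 'self' blob:; "
    "child-src; script-src-attr 'none'"
)

# Review heuristics: assumptions of this example, not rules stated on the page.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'"}
BROAD_SOURCES = {"*", "https:", "http:", "data:", "blob:"}
SCHEME_SENSITIVE = {"default-src", "script-src", "script-src-elem", "script-src-attr",
                    "style-src", "object-src", "frame-src", "base-uri", "form-action",
                    "connect-src"}


def parse_csp(policy):
    """Split a policy string into {directive: [source, ...]}; order is kept."""
    directives = {}
    for chunk in policy.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, *sources = chunk.split()
        directives[name.lower()] = sources
    return directives


def render_csp(directives):
    """Inverse of parse_csp: the string form that policy-directives expects."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip()
                     for name, sources in directives.items()) + ";"


def review_csp(policy):
    """Return {directive: [reason, ...]} for the entries a reviewer should read first."""
    findings = {}
    for name, sources in parse_csp(policy).items():
        reasons = []
        for source in sources:
            if source in UNSAFE_KEYWORDS:
                reasons.append(f"{source} weakens {name}")
            elif source in BROAD_SOURCES and name in SCHEME_SENSITIVE:
                reasons.append(f"{source} admits any origin with that scheme")
        if not sources:
            reasons.append("empty source list: matches nothing, same as 'none'")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_csp(DEFAULT_CSP).items():
        print(f"{name}: {'; '.join(reasons)}")
```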

camunda.security.authentication.oidc

Property | Description | Default value
camunda.security.authentication.oidc.client-id

The client ID for OIDC authentication.

-
camunda.security.authentication.oidc.client-secret

The client secret for OIDC authentication.

-
camunda.security.authentication.oidc.issuer-uri

The issuer URI for OIDC authentication. If set, the individual endpoints of your OIDC provider are fetched from its well-known configuration endpoint. In this case, any individually configured token, authorization, and JWKS URIs do not take effect.

-
camunda.security.authentication.oidc.redirect-uri

The URI for redirects from the OIDC provider to the Orchestration Cluster after user login.

http://localhost:8080/sso-callback
camunda.security.authentication.oidc.username-claim

The JWT claim that identifies a user. Extracted from a token, this claim value becomes the user's username. This setting is evaluated on any token-based access, regardless of the underlying OIDC/OAuth flow.

sub
camunda.security.authentication.oidc.groups-claim

The JWT claim that contains a user's or client's groups. Expects an array of String values. If not set, groups can be managed in the Orchestration Cluster through its REST APIs.

-
camunda.security.authentication.oidc.client-id-claim

The JWT claim that identifies a client. Extracted from a token, this claim value becomes the client's ID. This setting is evaluated on any token-based access, regardless of the underlying OIDC/OAuth flow.

-
camunda.security.authentication.oidc.audiences

Comma-separated list of audiences to validate in the OIDC token.

-
camunda.security.authentication.oidc.scope

Comma-separated list of scopes to request in the OIDC token.

openid, profile
camunda.security.authentication.oidc.jwk-set-uri

Sets the OIDC provider's JWK Set URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

-
camunda.security.authentication.oidc.authorization-uri

Sets the OIDC provider's authorization URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

-
camunda.security.authentication.oidc.token-uri

Sets the OIDC provider's token URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

-

camunda.security.initialization.default-roles

| Property | Description | Default value |
|---|---|---|
| camunda.security.initialization.default-roles.<role>.clients.[0] | Clients assigned to the <role> role. | |
| camunda.security.initialization.default-roles.<role>.groups.[0] | Groups assigned to the <role> role. | |
| camunda.security.initialization.default-roles.<role>.mappingrules.[0] | Mapping rules assigned to the <role> role. | |
| camunda.security.initialization.default-roles.<role>.users.[0] | Users assigned to the <role> role. | |

camunda.security.initialization.users

| Property | Description | Default value |
|---|---|---|
| camunda.security.initialization.users.[0].email | The email address of the first user. | |
| camunda.security.initialization.users.[0].name | The name of the first user. | |
| camunda.security.initialization.users.[0].password | The password of the first user. | |
| camunda.security.initialization.users.[0].username | The username of the first user. | |

camunda.security.initialization.mappingrules

| Property | Description | Default value |
|---|---|---|
| camunda.security.initialization.mappingrules.[0].claim-name | The claim of the first mapping rule. | |
| camunda.security.initialization.mappingrules.[0].claim-value | The claim's value of the first mapping rule. | |
| camunda.security.initialization.mappingrules.[0].mapping-rule-id | The ID of the first mapping rule. | |

camunda.security.multi-tenancy

| Property | Description | Default value |
|---|---|---|
| camunda.security.multi-tenancy.api-enabled | Enables the multi-tenancy API and UI independently from multi-tenancy checks. | true |
| camunda.security.multi-tenancy.checks-enabled | Enables multi-tenancy checks. This requires the API to be protected. | false |

camunda.persistent.sessions

| Property | Description | Default value |
|---|---|---|
| camunda.persistent.sessions.enabled | Stores session data in secondary storage so users stay logged in across cluster nodes. | false |

spring.profiles

| Property | Description | Default value |
|---|---|---|
| spring.profiles.active | Note: This property will be deprecated as additional authentication methods become available. | consolidated-auth |

Caution: Disabling CSRF protection is not recommended for production environments, as it leaves your application vulnerable to cross-site request forgery attacks.

Secondary storage

Review secondary storage management for guidance on best practices, ensuring data integrity and performance optimization.

Connection

| Environment variable | Description | Default value |
|---|---|---|
| CAMUNDA_DATA_SECONDARYSTORAGE_TYPE | Type of secondary storage to use. Must match either elasticsearch or opensearch. | elasticsearch |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_URL / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_URL | Secondary storage host URL. Use the variable matching the selected type. | http://localhost:9200 |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_CLUSTERNAME / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_CLUSTERNAME | Secondary storage cluster name. Use the variable matching the selected type. | elasticsearch |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_USERNAME / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_USERNAME | Username for accessing the secondary storage REST API (leave blank if not secured). | - |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_PASSWORD / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_PASSWORD | Password for accessing the secondary storage REST API. | - |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_SECURITY_ENABLED / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_SECURITY_ENABLED | Enables HTTPS and related SSL/TLS handling for the secondary storage connection. | false |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_SECURITY_CERTIFICATEPATH / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_SECURITY_CERTIFICATEPATH | Path to the trusted root or CA certificate file when using a custom or self-signed certificate. | - |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_SECURITY_VERIFYHOSTNAME / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_SECURITY_VERIFYHOSTNAME | Whether the hostname in the certificate must match the endpoint. Disable only for troubleshooting. | true |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_SECURITY_SELFSIGNED / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_SECURITY_SELFSIGNED | Indicates the certificate is self-signed (enables relaxed trust handling when supported). | false |
| CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_INDEXPREFIX / CAMUNDA_DATA_SECONDARYSTORAGE_OPENSEARCH_INDEXPREFIX | Optional prefix for secondary storage index names. | - |
| CAMUNDA_DATABASE_AWSENABLED | Use basic authentication or AWS credentials to log in. Set to false to use basic authentication for OpenSearch, adhering to the global AWS OpenSearch configuration settings. Set to true to log in with AWS credentials. | false |

Note: Set indexPrefix only if you need to separate secondary storage indices from other indices in the same cluster (for example, when multiple Camunda environments share one cluster). Leave it blank (-) to use the default.

Secure connection (HTTPS / TLS)

To connect to a secured (https) Elasticsearch or OpenSearch cluster for secondary storage:

  • Change the URL protocol from http to https.
  • Provide username and password if the cluster requires authentication.
  • Use additional security properties to handle custom certificates or strict hostname verification:
    • Set security.enabled=true (or simply use an https URL if auto-detection applies) to activate SSL/TLS handling.
    • Use security.certificatePath when the server certificate is signed by a custom CA or is self-signed so the JVM can trust it.
    • Set security.selfSigned=true if the certificate is self-signed and the client logic requires this hint.
    • Keep security.verifyHostname=true for production. Disable it only temporarily to diagnose hostname/certificate mismatch issues.
Note: Import the certificate (or its issuing CA) into the JVM trust store if it is not already trusted. For Kubernetes-based deployments, mount a trust store and point certificatePath to it.
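The steps above are easy to get half right (for example, enabling security while the URL still says http, or setting the Elasticsearch variable while TYPE is opensearch). The following added example (not Camunda's code) applies those rules to a dict of environment variables and returns findings; the variable names are the ones from this page, while the function name and the two sample environments are constructed for the example.

```python
# Added example, not Camunda's own code: applies the rules from the section above to a
# dict of environment variables and returns findings. Variable names are the page's;
# the sample environments and the function name are constructed for this example.
from urllib.parse import urlsplit

PREFIX = "CAMUNDA_DATA_SECONDARYSTORAGE_"

def _on(value):
    return value is not None and value.strip().lower() == "true"

def check_secondary_storage_tls(env):
    """Return [(severity, message)] for the variables that match the selected TYPE."""
    kind = env.get(PREFIX + "TYPE", "elasticsearch").strip().lower()
    if kind not in ("elasticsearch", "opensearch"):
        return [("error", f"TYPE must be elasticsearch or opensearch, got {kind!r}")]
    other = "OPENSEARCH" if kind == "elasticsearch" else "ELASTICSEARCH"

    def var(suffix):  # the variable matching the selected type
        return env.get(f"{PREFIX}{kind.upper()}_{suffix}")

    # Variables for the other type are silently ignored, so flag them: nobody should
    # believe TLS is on because a variable for the wrong backend was set.
    findings = [("warning", f"{k} is ignored because TYPE is {kind}")
                for k in env if k.startswith(f"{PREFIX}{other}_")]
    scheme = urlsplit(var("URL") or "http://localhost:9200").scheme.lower()
    secured = _on(var("SECURITY_ENABLED"))
    if secured and scheme != "https":
        findings.append(("error", f"SECURITY_ENABLED=true but the URL scheme is {scheme!r}"))
    elif scheme == "https" and not secured:
        findings.append(("warning", "https URL without SECURITY_ENABLED=true; set it explicitly"))
    elif scheme == "http":
        findings.append(("warning", "plaintext http connection to secondary storage"))
    if _on(var("SECURITY_SELFSIGNED")) and not var("SECURITY_CERTIFICATEPATH"):
        findings.append(("error", "SECURITY_SELFSIGNED=true without SECURITY_CERTIFICATEPATH"))
    verify = var("SECURITY_VERIFYHOSTNAME")
    if verify is not None and not _on(verify):
        findings.append(("warning", "SECURITY_VERIFYHOSTNAME=false is for troubleshooting only"))
    if var("PASSWORD") and not var("USERNAME"):
        findings.append(("error", "PASSWORD is set without USERNAME"))
    return findings

# Constructed sample environments: a troubleshooting-style setup next to a production one.
WEAK_ENV = {PREFIX + "TYPE": "opensearch", PREFIX + "OPENSEARCH_URL": "http://opensearch.internal:9200",
            PREFIX + "OPENSEARCH_SECURITY_ENABLED": "true", PREFIX + "OPENSEARCH_SECURITY_SELFSIGNED": "true",
            PREFIX + "OPENSEARCH_SECURITY_VERIFYHOSTNAME": "false",
            PREFIX + "ELASTICSEARCH_SECURITY_CERTIFICATEPATH": "/certs/ca.pem"}  # wrong backend: ignored
HARDENED_ENV = {PREFIX + "TYPE": "opensearch", PREFIX + "OPENSEARCH_URL": "https://opensearch.internal:9200",
                PREFIX + "OPENSEARCH_USERNAME": "camunda", PREFIX + "OPENSEARCH_PASSWORD": "example-password",
                PREFIX + "OPENSEARCH_SECURITY_ENABLED": "true", PREFIX + "OPENSEARCH_SECURITY_VERIFYHOSTNAME": "true",
                PREFIX + "OPENSEARCH_SECURITY_CERTIFICATEPATH": "/certs/ca.pem"}
```

`check_secondary_storage_tls(WEAK_ENV)` reports four findings (the ignored Elasticsearch variable, the http URL with security enabled, the missing certificate path, and the disabled hostname check); the hardened environment reports none.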

Index & retention settings

The following properties control index creation characteristics (shards, replicas, template priority) and retention/lifecycle policies for secondary storage indices.

| Environment variable | Description | Default value |
|---|---|---|
| CAMUNDA_DATABASE_INDEX_NUMBEROFSHARDS | Default number of primary shards for new indices. | 1 |
| CAMUNDA_DATABASE_INDEX_SHARDSBYINDEXNAME | JSON map overriding the shard count per index (key=index name, value=shards). | - |
| CAMUNDA_DATABASE_INDEX_NUMBEROFREPLICAS | Default number of replicas for new indices. | 0 |
| CAMUNDA_DATABASE_INDEX_REPLICASBYINDEXNAME | JSON map overriding the replica count per index (key=index name, value=replicas). | - |
| CAMUNDA_DATABASE_INDEX_TEMPLATEPRIORITY | Priority applied to index templates created by the platform. Higher values override provider defaults. | - |
| CAMUNDA_DATABASE_RETENTION_ENABLED | Enables creation and application of retention/ILM policies. | false |
| CAMUNDA_DATABASE_RETENTION_MINIMUMAGE | Minimum age before data is eligible for deletion. | 30d |
| CAMUNDA_DATABASE_RETENTION_POLICYNAME | Name of the retention policy applied to standard indices. | camunda-retention-policy |
| CAMUNDA_DATABASE_RETENTION_USAGEMETRICSMINIMUMAGE | Minimum age before usage metrics indices are deleted. | 730d |
| CAMUNDA_DATABASE_RETENTION_USAGEMETRICSPOLICYNAME | Name of the retention policy applied to usage metrics indices. | camunda-usage-metrics-retention-policy |

Note: Durations support ISO-8601 (P30D) or simplified suffix formats (30d, 12h). Use simplified suffix formats unless strict ISO-8601 compliance is required.

Replica count changes (number-of-replicas and per-index overrides)

  • For newer versions (8.8+), changes are applied to existing indices on the next application restart; their settings are updated in place.
  • Changes are also written to the index templates so that newly created indices inherit the updated replica configuration.

Shard count changes (number-of-shards and per-index overrides)

  • Only applied to index templates, so they affect indices created after the change.
  • Existing indices retain their original shard layout.

Template priority changes

  • Adjust which template is applied when multiple patterns match.
  • The effect applies only to indices created after the change.

Note: Some Elasticsearch and OpenSearch deployments may ship predefined wildcard (* pattern) index templates with their own priorities. Assign a strictly higher priority to the Camunda index templates to ensure Camunda's mappings and settings take precedence when multiple templates match the same index name. If the priority is not higher, provider wildcard templates may override shard/replica defaults, analyzers, or field mappings, leading to unexpected index behavior.

Note: Maps (for example, shards/replicas overrides) are key-value objects:

```yaml
camunda.database.index.shards-by-index-name:
  list-view: 3
  task: 2
```

System

camunda.system

| Property | Description | Default value |
|---|---|---|
| camunda.system.cpu-thread-count | Controls the number of non-blocking CPU threads to be used. Warning: never specify a value larger than the number of physical cores available. Good practice is to leave 1-2 cores for IO threads and the operating system (it has to run somewhere). For example, when running Zeebe on a machine with 4 cores, a good value would be 2. | 2 |
| camunda.system.io-thread-count | Controls the number of IO threads to be used. These threads are used for workloads that write data to disk. While writing, these threads are blocked, which means they yield the CPU. | 2 |
| camunda.system.clock-controlled | Controls whether the system uses the real system clock or a mutable, controllable one. If enabled, time progression can be controlled programmatically for testing purposes. | false |

camunda.system.actor.idle

| Property | Description | Default value |
|---|---|---|
| camunda.system.actor.idle.max-spins | The maximum number of busy-wait spins that an idle actor thread performs before transitioning to a different idle state in Camunda's actor system. | Null |
| camunda.system.actor.idle.max-yields | The maximum number of yield operations that an idle actor thread performs before transitioning to the next idle state in Camunda's actor system. | Null |
| camunda.system.actor.idle.max-park-period | The maximum duration that an idle actor thread remains in the parked state in Camunda's actor system. | Null |

camunda.system.upgrade

| Property | Description | Default value |
|---|---|---|
| camunda.system.upgrade.enable-version-check | Toggles the version check restriction used for migration. This is useful for testing migration logic on snapshot or alpha versions. The default value true means migrating to an incompatible version, such as a SNAPSHOT or alpha version, is not allowed. | true |