Version: 8.9 (unreleased)

Property reference

As a Spring Boot application, the Orchestration Cluster supports standard Spring configuration methods.

The following configurations apply to all components within the Orchestration Cluster.

API

camunda.api.long-polling

PropertyDescriptionDefault value
camunda.api.long-polling.enabled

Enable long-polling for the Camunda gRPC API server.

true
camunda.api.long-polling.timeout

Set the timeout for long polling in milliseconds.

10000
camunda.api.long-polling.probe-timeout

Set the probe timeout for long polling in milliseconds.

10000
camunda.api.long-polling.min-empty-responses

Set the minimum number of empty responses. Once this many consecutive responses with a jobCount of 0 have been returned, the gateway infers that no jobs are available. This is a count, not a duration.

3

API - gRPC

camunda.api.grpc

PropertyDescriptionDefault value
camunda.api.grpc.address

Set the address the gateway binds to. The default 0.0.0.0 listens on all interfaces of the host.

0.0.0.0
camunda.api.grpc.port

Set the port the gateway binds to.

26500
camunda.api.grpc.min-keep-alive-interval

Set the minimum keep alive interval.

  • This setting specifies the minimum accepted interval between keep alive pings.
  • This value must be specified as a positive integer followed by 's' for seconds, 'm' for minutes or 'h' for hours.
30s
camunda.api.grpc.max-message-size

Set the maximum size of the incoming and outgoing messages (that is, commands and events).

4MB
camunda.api.grpc.management-threads

Set the number of threads the gateway will use to communicate with the broker cluster.

1

camunda.api.grpc.ssl

PropertyDescriptionDefault value
camunda.api.grpc.ssl.enabled

Enable TLS for the gateway's gRPC endpoint (the property keeps the legacy 'SSL' name). When enabled, the server presents the certificate configured either through the certificate and certificate-private-key properties or through the key-store properties.

false
camunda.api.grpc.ssl.certificate

Set the path to the certificate chain file.

Null
camunda.api.grpc.ssl.certificate-private-key

Set the path to the private key file location.

Null
camunda.api.grpc.ssl.key-store.file-path

Configure the keystore file containing both the certificate chain and the private key. Currently only supports PKCS12 format.

Null
camunda.api.grpc.ssl.key-store.password

Configure the keystore password.

Null

camunda.api.grpc.interceptors

PropertyDescriptionDefault value
camunda.api.grpc.interceptors[]

This property is part of Camunda's gRPC interceptor system, which allows you to add custom processing logic to gRPC requests and responses.

The property is a list of interceptor configurations, each requiring an id, jar-path and class-name. The JAR is loaded into the server process and its code runs with the server's privileges, so treat it as trusted code and protect the file from modification.

No entries
camunda.api.grpc.interceptors[].id

The unique identifier for a particular gRPC interceptor configuration.

Null
camunda.api.grpc.interceptors[].jar-path

The file path to a JAR file that contains a custom gRPC interceptor implementation.

Null
camunda.api.grpc.interceptors[].class-name

Set the fully qualified class name of a custom gRPC interceptor implementation that should be loaded and executed by the Camunda gRPC server.

Null

API - REST

camunda.api.rest.filters

PropertyDescriptionDefault value
camunda.api.rest.filters[]

This property is part of Camunda's REST filter system, which allows you to add filters to REST requests and responses.

The property is a list of filter configurations, each requiring an id, jar-path and class-name.

No entries
camunda.api.rest.filters[].id

The unique identifier for a particular REST filter configuration.

Null
camunda.api.rest.filters[].jar-path

The file path to a JAR file that contains a custom REST filter implementation.

Null
camunda.api.rest.filters[].class-name

Set the fully qualified class name of a custom REST filter implementation that should be loaded and executed by the Camunda REST server.

Null
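An interceptors[] or filters[] entry points the server at a JAR that it loads and executes in its own process, so the JAR runs with the server's privileges and is part of the deployment's trusted code. The script below is an added example, not Camunda code: it performs the check a practitioner would run before enabling such an entry for either the gRPC interceptor or the REST filter list. It verifies that the three required keys are present, pins the JAR's SHA-256 against an allowlist kept next to the configuration, and refuses JARs that group or other users can overwrite. The `expected_sha256` allowlist, the entry id, the class name and the stand-in JAR bytes written by `demo()` are assumptions constructed for the example.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large JARs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_plugin(entry, expected_sha256):
    """Validate one interceptors[]/filters[] entry (a dict with id, jar-path, class-name).

    expected_sha256 is an assumed allowlist: entry id -> pinned hex digest, maintained by
    the operator next to the configuration. Returns a list of problems; an empty list
    means the entry may be loaded."""
    problems = [f"missing {key}" for key in ("id", "jar-path", "class-name") if not entry.get(key)]
    if problems:
        return problems
    path = entry["jar-path"]
    if not os.path.isabs(path):
        problems.append("jar-path is relative; it resolves against the server's working directory")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return problems + [f"jar not found: {path}"]
    # Anyone who can rewrite the JAR gets code execution inside the server process.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("jar is writable by group or others")
    pinned = expected_sha256.get(entry["id"])
    actual = sha256_file(path)
    if pinned is None:
        problems.append(f"no pinned digest for id {entry['id']!r}")
    elif actual != pinned:
        problems.append(f"digest mismatch: pinned {pinned}, got {actual}")
    return problems


def demo():
    """Constructed scenario: a stand-in JAR is checked intact, with loose permissions,
    after tampering, and without a pinned digest. Returns the problems seen in each case."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as workdir:
        jar = os.path.join(workdir, "audit-interceptor.jar")
        with open(jar, "wb") as f:
            f.write(b"PK\x03\x04 constructed stand-in, not a real JAR")
        os.chmod(jar, 0o644)
        entry = {"id": "audit", "jar-path": jar, "class-name": "com.example.AuditInterceptor"}
        pinned = {"audit": sha256_file(jar)}
        outcomes["intact"] = check_plugin(entry, pinned)
        os.chmod(jar, 0o666)
        outcomes["loose_perms"] = check_plugin(entry, pinned)
        os.chmod(jar, 0o644)
        with open(jar, "ab") as f:
            f.write(b" tampered")
        outcomes["tampered"] = check_plugin(entry, pinned)
        outcomes["unpinned"] = check_plugin(entry, {})
    return outcomes


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'ok'}")
```

Run the check as part of deployment, before the server starts, and keep the pinned digests under the same review process as the JAR itself; a digest stored next to a JAR the attacker can already write protects nothing.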

camunda.api.rest.process-cache

PropertyDescriptionDefault value
camunda.api.rest.process-cache.max-size

Set the maximum number of entries that can be stored in the REST API's process cache.

100
camunda.api.rest.process-cache.expiration-idle

Set the idle expiration time for entries in the REST API's process cache.

null

camunda.api.rest.executor

PropertyDescriptionDefault value
camunda.api.rest.executor.core-pool-size-multiplier

Multiplier applied to the number of available processors to compute the executor's core pool size (minimum number of threads kept alive).

Effective value: corePoolSize = availableProcessors * corePoolSizeMultiplier.

Use a higher value if you have steady, continuous traffic and want to minimize cold-start latency. Keep it low to allow the pool to scale down when idle.

1
camunda.api.rest.executor.max-pool-size-multiplier

Multiplier applied to the number of available processors to compute the executor's maximum pool size (hard cap on threads).

Effective value: maxPoolSize = availableProcessors * maxPoolSizeMultiplier.

Must be >= corePoolSizeMultiplier.

Increase cautiously, as high values can cause oversubscription for CPU-bound workloads.

2
camunda.api.rest.executor.keep-alive

Time in seconds that threads above the core size may remain idle before being terminated.

Lower values reclaim resources faster after bursts. Higher values reduce thread creation/destruction churn if bursts are frequent.

60s
camunda.api.rest.executor.queue-capacity

Capacity of the executor's task queue. A small bounded queue (for example, 64) is recommended to handle short bursts while still allowing the pool to grow.

64

Cluster

camunda.cluster

PropertyDescriptionDefault value
camunda.cluster.name

Set the name of the cluster.

zeebe-cluster
camunda.cluster.id

Set the cluster ID used to identify the cluster. It should be unique across clusters.

If not configured, the cluster ID will be set to a new random UUID.

camunda.cluster.network.host

The network host for internal cluster communication.

null
camunda.cluster.node-id

Specifies the unique id of this broker node in a cluster. The id should be between 0 and number of nodes in the cluster (exclusive).

0
camunda.cluster.partition-count

The number of partitions in the cluster.

1
camunda.cluster.replication-factor

The number of replicas for each partition in the cluster. The replication factor cannot be greater than the number of nodes in the cluster.

1
camunda.cluster.size

The number of nodes in the cluster.

1
camunda.cluster.compression-algorithm

Configure the compression algorithm for all messages sent between brokers, and between broker and gateway.

Available options are NONE, GZIP, and SNAPPY.

This can be useful when network latency is high (for example, across data centers), but may impact performance when latency is low.

NONE

camunda.cluster.global-listeners

PropertyDescriptionDefault value
camunda.cluster.global-listeners.user-task[]

List of configuration entries for global user task listeners (see also Global user task listeners.)

No entries
camunda.cluster.global-listeners.user-task[].event-types[]

List of user task event types that trigger the listener. Supported values are creating, assigning, updating, completing, and canceling. The shorthand all value is also available if the listener should react to all lifecycle events.

-
camunda.cluster.global-listeners.user-task[].type

The name of the job type. Used as a reference to specify which job workers request the respective task listener job. For example, order-items.

my-listener-type
camunda.cluster.global-listeners.user-task[].retries

The number of retries for the user task listener job.

3
camunda.cluster.global-listeners.user-task[].after-non-global

Boolean flag indicating whether the listener should run after model-level listeners.

false

camunda.cluster.membership

PropertyDescriptionDefault value
camunda.cluster.membership.broadcast-updates

Configure whether to broadcast member updates to all members.

If set to false, updates are gossiped among members.

If set to true, network traffic may increase but it can reduce the time to detect membership changes.

true
camunda.cluster.membership.broadcast-disputes

Configure whether to broadcast disputes to all members.

If set to true, network traffic may increase but it can reduce the time to detect membership changes.

true
camunda.cluster.membership.notify-suspect

Configure whether to notify a suspect node on state changes.

false
camunda.cluster.membership.probe-interval

Sets the interval at which to probe a random member.

1s
camunda.cluster.membership.probe-timeout

Sets the timeout for a probe response.

100ms
camunda.cluster.membership.suspect-probes

Sets the number of probes failed before declaring a member is suspect.

3
camunda.cluster.membership.failure-timeout

Sets the timeout after which a suspect member is declared dead.

10s
camunda.cluster.membership.sync-interval

Sets the interval at which this member synchronizes its membership information with a random member.

10s
camunda.cluster.membership.gossip-fanout

Sets the number of members to which membership updates are sent at each gossip interval.

2
camunda.cluster.membership.gossip-interval

Sets the interval at which the membership updates are sent to a random member.

250ms

camunda.cluster.metadata

PropertyDescriptionDefault value
camunda.cluster.metadata.sync-delay

The delay between two sync requests in the ClusterConfigurationManager. A sync request is sent to another node to get the latest topology of the cluster.

10s
camunda.cluster.metadata.sync-request-timeout

The timeout for a sync request in the ClusterConfigurationManager.

2s
camunda.cluster.metadata.gossip-fanout

The number of nodes to which a cluster topology is gossiped.

2

camunda.cluster.network

PropertyDescriptionDefault value
camunda.cluster.network.advertised-host

Controls the advertised host for cluster communication (for example, when running behind a proxy).

If not set, the default is computed based on camunda.cluster.network.host (if explicitly set) or by resolving the machine hostname/IP (falling back to the first non-loopback IP, and finally loopback).

null
camunda.cluster.network.port-offset

If set, this offset is added to all configured/default ports to avoid specifying every port individually.

The offset is applied to the second last digit, since multiple ports are used; for example, an offset of 5 increments ports by 50 (so 26500 becomes 26550).

0
camunda.cluster.network.max-message-size

Sets the maximum size of incoming and outgoing messages (commands and events).

4MB
camunda.cluster.network.socket-send-buffer

Sets the socket send buffer size (SO_SNDBUF), for example 1MB.

When not set, the operating system determines an optimal size automatically.

1MB
camunda.cluster.network.socket-receive-buffer

Sets the socket receive buffer size (SO_RCVBUF), for example 1MB.

When not set, the operating system determines an optimal size automatically.

1MB
camunda.cluster.network.heartbeat-timeout

Connections that did not receive any message within the specified timeout will be closed.

15s
camunda.cluster.network.heartbeat-interval

Sends a heartbeat when no other data is sent over an open connection within the specified timeout (to keep the connection open).

5s
camunda.cluster.network.command-api.host

Overrides the host used for gateway-to-broker communication.

camunda.cluster.network.command-api.port

Sets the port used for gateway-to-broker communication.

camunda.cluster.network.command-api.advertised-host

Controls the advertised host. This is particularly useful if your broker stands behind a proxy.

If omitted, defaults to:

  • If camunda.cluster.network.command-api.host was set, use this.
  • Otherwise, use the resolved value of camunda.cluster.network.advertised-host.

camunda.cluster.network.command-api.advertised-port

Controls the advertised port; if omitted, defaults to camunda.cluster.network.command-api.port. This is particularly useful if your broker stands behind a proxy.

camunda.cluster.initial-contact-points

Allows specifying a list of known other nodes to connect to on startup.

The contact points of the internal network configuration must be specified in the format [HOST:PORT] (for example, 192.168.1.22:26502).

To guarantee the cluster can survive network partitions, all nodes should be specified as initial contact points.

[]

camunda.cluster.network.internal-api.host

Overrides the host used for internal broker-to-broker communication.

camunda.cluster.network.internal-api.port

Sets the port used for internal broker-to-broker communication.

camunda.cluster.network.internal-api.advertised-host

Controls the advertised host. This is particularly useful if your broker stands behind a proxy. If omitted, defaults to:

  • If camunda.cluster.network.internal-api.host was set, use this.
  • Otherwise, use the resolved value of camunda.cluster.network.advertised-host.

camunda.cluster.network.internal-api.advertised-port

Controls the advertised port; if omitted, defaults to camunda.cluster.network.internal-api.port. This is particularly useful if your broker stands behind a proxy.

camunda.cluster.node-id-provider

PropertyDescriptionDefault value
camunda.cluster.node-id-provider.type

Set the implementation type for dynamic node ID management.

FIXED disables dynamic node IDs (static node ID configuration).

FIXED
camunda.cluster.node-id-provider.s3.lease-duration

Lease duration before expiry.

camunda.cluster.node-id-provider.s3.bucket-name

Name of the bucket where the leases will be stored.

  • The bucket must already exist.
  • The bucket must not be shared with other Zeebe clusters.
  • bucket-name must not be empty.
camunda.cluster.node-id-provider.s3.task-id

The task ID to use when registering to a lease.

camunda.cluster.node-id-provider.s3.endpoint

Configure the URL endpoint for the store.

If no endpoint is provided, it will be determined based on the configured region.

camunda.cluster.node-id-provider.s3.region

Configure the AWS region.

If no region is provided, it will be determined automatically (see AWS SDK region selection documentation).

camunda.cluster.node-id-provider.s3.access-key

Configure access credentials.

If either accessKey or secretKey is not provided, the credentials will be determined automatically (see AWS SDK credential provider chain documentation).

camunda.cluster.node-id-provider.s3.secret-key

Configure access credentials.

If either accessKey or secretKey is not provided, the credentials will be determined automatically (see AWS SDK credential provider chain documentation).

camunda.cluster.node-id-provider.s3.api-call-timeout

Configure a maximum duration for all S3 client API calls.

10s
camunda.cluster.node-id-provider.fixed.node-id

Static node ID used when camunda.cluster.node-id-provider.type is set to FIXED.

0

camunda.cluster.partitioning

PropertyDescriptionDefault value
camunda.cluster.partitioning.scheme

Configures how partitions are distributed across brokers (the partitioning scheme).

When using FIXED, the broker-to-partition mapping must be specified under camunda.cluster.partitioning.fixed.

ROUND_ROBIN
camunda.cluster.partitioning.fixed[].partition-id

Partition ID entry used when camunda.cluster.partitioning.scheme is set to FIXED.

1
camunda.cluster.partitioning.fixed[].nodes[].node-id

Broker node ID for a fixed partition mapping entry (used when camunda.cluster.partitioning.scheme is FIXED).

0
camunda.cluster.partitioning.fixed[].nodes[].priority

Priority value associated with a broker node in the fixed partitioning configuration.

1

camunda.cluster.raft

PropertyDescriptionDefault value
camunda.cluster.raft

Configuration for the Raft consensus protocol in the cluster.

This group provides settings for Raft algorithm parameters including timing, elections, and log flushing.

none
camunda.cluster.raft.priority-election-enabled

When this flag is enabled, the leader election algorithm attempts to elect the leaders based on a pre-defined priority. As a result, it tries to distribute the leaders uniformly across the brokers.

Note that it is only a best-effort strategy. It is not guaranteed to be a strictly uniform distribution.

true
camunda.cluster.raft.flush-enabled

If false, explicit flushing of the Raft log is disabled, and flushing only occurs right before a snapshot is taken. You should only disable explicit flushing if you are willing to accept potential data loss at the expense of performance. Before disabling it, try the delayed options, which provide a trade-off between safety and performance.

By default, for a given partition, data is flushed on every leader commit, and every follower append. This is to ensure consistency across all replicas. Disabling this can cause inconsistencies, and at worst, data corruption or data loss scenarios.

true
camunda.cluster.raft.flush-delay

If the delay is > 0, then flush requests are delayed by at least the given period. It is recommended that you find the smallest delay here with which you achieve your performance goals.

It's also likely that anything above 30s is not useful, as this is the typical default flush interval for the Linux OS.

The default behavior is optimized for safety, and flushing occurs on every leader commit and follower append in a synchronous fashion.

0s
camunda.cluster.raft.heartbeat-interval

The heartbeat interval for Raft. The leader sends a heartbeat to a follower every heartbeatInterval. This is an advanced setting.

250ms
camunda.cluster.raft.election-timeout

The election timeout for Raft. If a follower does not receive a heartbeat from the leader within an election timeout, it can start a new leader election.

The electionTimeout should be greater than the configured heartbeatInterval.

When the electionTimeout is large, there will be a delay in detecting a leader failure.

When the electionTimeout is small, it can lead to false positives when detecting leader failures and thus leading to unnecessary leader changes.

If the network latency between the nodes is high, it is recommended to have a higher election timeout.

This is an advanced setting.

2.5s
camunda.cluster.raft.max-appends-per-follower

Sets the maximum number of append requests which are sent per follower.

6
camunda.cluster.raft.max-appends-batch-size

Sets the maximum batch size sent per append request to a follower.

32KB
camunda.cluster.raft.request-timeout

Sets the timeout for all requests sent by Raft leaders and followers.

When modifying request-timeout, it might also be useful to update snapshot-request-timeout.

2.5s
camunda.cluster.raft.snapshot-request-timeout

Sets the timeout for all snapshot requests sent by Raft leaders to followers.

If network latency between brokers is high, consider setting a higher timeout.

2.5s
camunda.cluster.raft.snapshot-chunk-size

Sets the maximum size of snapshot chunks sent by Raft leaders to followers.

1GB
camunda.cluster.raft.configuration-change-timeout

Sets the timeout for configuration change requests (for example, joining or leaving).

Since changes are usually a multi-step process with multiple commits, a higher timeout than request-timeout is recommended.

10s
camunda.cluster.raft.max-quorum-response-timeout

Defines the maximum time the leader waits for quorum responses before stepping down (in combination with min-step-down-failure-count).

If set to 0, the effective default is election-timeout * 2.

0s
camunda.cluster.raft.min-step-down-failure-count

Defines the number of failed quorum requests after which a leader may step down (in combination with max-quorum-response-timeout).

3
camunda.cluster.raft.prefer-snapshot-replication-threshold

Threshold (in number of records) used by the leader to decide between replicating a snapshot or records.

If the follower lags behind by at least this many records, the leader prefers replicating snapshots instead of records.

100
camunda.cluster.raft.preallocate-segment-files

Defines whether segment files are pre-allocated to their full size on creation.

If enabled, disk space is reserved for the full maximum segment size when a new segment is created, which can help avoid out-of-disk-space errors (especially with memory-mapped files or network storage).

Disable if your system does not support efficient file allocation, or if you observe an I/O penalty when creating segments.

true

Data

camunda.data

PropertyDescriptionDefault value
camunda.data.snapshot-period

How often snapshots of the stream state are taken, given as a duration (for example, 5m).

5m
camunda.data.export.distribution-interval

Configures the rate at which exporter positions are distributed to the followers. This is useful for fail-over and taking snapshots.

The follower is able to take snapshots based on replayed and distributed export position. When a follower takes over it can recover from the snapshot, it doesn't need to replay and export everything.

For example, it can start from the last exported position it has received by the distribution mechanism.

15s
camunda.data.export.skip-records

Allows exporters to skip records by their position.

This is useful for debugging, or for skipping a record that is preventing processing or exporting from continuing.

The value is a comma-separated list of record positions; whitespace is ignored. Positions listed here are skipped by all exporters.

[]

camunda.data.audit-log

PropertyDescriptionDefault value
camunda.data.audit-log.enabled

Enable or disable the audit log.

true
camunda.data.audit-log.user.categories

List of audit log categories to include for user-initiated actions.

[OPERATOR, USER_TASK, ADMIN]
camunda.data.audit-log.user.excludes

List of users to exclude from audit logging.

camunda.data.audit-log.client.categories

List of audit log categories to include for client-initiated actions (API clients).

[OPERATOR, USER_TASK, ADMIN]
camunda.data.audit-log.client.excludes

List of clients to exclude from audit logging.

Data - primary storage

camunda.data.primary-storage

PropertyDescriptionDefault value
camunda.data.primary-storage.directory

Specify the directory in which data is stored.

'data'
camunda.data.primary-storage.runtime-directory

Specify the directory in which the runtime is stored.

  • By default, the runtime is stored in the data directory.
  • If runtime-directory is configured, the configured directory is used. It will have a subdirectory for each partition to store its runtime.
  • The runtime does not need to be on persistent storage.
  • This configuration allows you to place the runtime on another disk to optimize for performance and disk usage.

Note: If the runtime is on a different disk than the data directory, files must be copied to the data directory while taking a snapshot. This can impact disk I/O and performance during snapshotting.

''

camunda.data.primary-storage.disk

PropertyDescriptionDefault value
camunda.data.primary-storage.disk.monitoring-interval

Sets the interval at which the disk usage is monitored.

1s
camunda.data.primary-storage.disk.monitoring-enabled

Configure disk monitoring to prevent getting into a non-recoverable state due to out of disk space.

If monitoring is enabled, the broker rejects commands and pauses replication when the required freeSpace is not available.

true
camunda.data.primary-storage.disk.free-space.processing

When the free space available is less than this value, the broker rejects all client commands and pauses processing.

2GB
camunda.data.primary-storage.disk.free-space.replication

When the free space available is less than this value, the broker stops receiving replicated events.

This value must be less than free-space.processing.

It is recommended to configure free space large enough for at least one log segment and one snapshot. This is because a partition needs enough space to take a new snapshot to be able to compact the log segments to make disk space available again.

1GB
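This reference states several invariants in different places: replication-factor must not exceed the cluster size, node-id must lie in 0..size-1, election-timeout must be greater than heartbeat-interval, a max-quorum-response-timeout of 0 means twice the election timeout, port-offset is applied to the second-last digit of each port, free-space.replication must be less than free-space.processing, and max-pool-size-multiplier must be at least core-pool-size-multiplier. They are easy to violate silently once properties are spread over files and environment variables. The Python script below, added here as an example and not part of Camunda, lints a flat property map against those rules and adds one security check that follows directly from the defaults above: TLS disabled while the gRPC gateway binds to a non-loopback address. The DEFAULTS table is copied from this page; the GOOD and BAD property maps are constructed; the duration and size parsers assume the unit spellings used in this reference.

```python
import re

# Defaults copied from this reference for the properties the linter consults.
DEFAULTS = {
    "camunda.api.grpc.address": "0.0.0.0",
    "camunda.api.grpc.port": 26500,
    "camunda.api.grpc.ssl.enabled": False,
    "camunda.api.rest.executor.core-pool-size-multiplier": 1,
    "camunda.api.rest.executor.max-pool-size-multiplier": 2,
    "camunda.cluster.node-id": 0,
    "camunda.cluster.size": 1,
    "camunda.cluster.replication-factor": 1,
    "camunda.cluster.network.port-offset": 0,
    "camunda.cluster.raft.heartbeat-interval": "250ms",
    "camunda.cluster.raft.election-timeout": "2.5s",
    "camunda.cluster.raft.max-quorum-response-timeout": "0s",
    "camunda.data.primary-storage.disk.free-space.processing": "2GB",
    "camunda.data.primary-storage.disk.free-space.replication": "1GB",
}

_DURATION = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(ms|s|m|h)\s*$")
_SIZE = re.compile(r"^\s*(\d+)\s*(B|KB|MB|GB)\s*$", re.IGNORECASE)


def parse_duration(text):
    """'250ms' -> 0.25, '2.5s' -> 2.5, '5m' -> 300.0, '1h' -> 3600.0 (seconds)."""
    m = _DURATION.match(str(text))
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    millis = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}[m.group(2)]
    return float(m.group(1)) * millis / 1000


def parse_size(text):
    """'4MB' -> 4194304; binary units, as Spring's DataSize interprets them."""
    m = _SIZE.match(str(text))
    if not m:
        raise ValueError(f"unsupported size: {text!r}")
    return int(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}[m.group(2).upper()]


def effective_port(port, port_offset):
    """port-offset is applied to the second-last digit: offset 5 turns 26500 into 26550."""
    return int(port) + int(port_offset) * 10


def effective_quorum_timeout(props):
    """A max-quorum-response-timeout of 0 means election-timeout * 2."""
    g = lambda key: props.get(key, DEFAULTS.get(key))
    configured = parse_duration(g("camunda.cluster.raft.max-quorum-response-timeout"))
    return configured if configured > 0 else 2 * parse_duration(g("camunda.cluster.raft.election-timeout"))


def lint(props):
    """Return (property, problem) pairs for every violated rule; [] means the map is consistent."""
    g = lambda key: props.get(key, DEFAULTS.get(key))
    truthy = lambda value: str(value).strip().lower() == "true"
    findings = []

    size = int(g("camunda.cluster.size"))
    replication_factor = int(g("camunda.cluster.replication-factor"))
    node_id = int(g("camunda.cluster.node-id"))
    if replication_factor > size:
        findings.append(("camunda.cluster.replication-factor", f"{replication_factor} exceeds cluster size {size}"))
    if not 0 <= node_id < size:
        findings.append(("camunda.cluster.node-id", f"{node_id} is outside 0..{size - 1}"))

    heartbeat = parse_duration(g("camunda.cluster.raft.heartbeat-interval"))
    election = parse_duration(g("camunda.cluster.raft.election-timeout"))
    if election <= heartbeat:
        findings.append(("camunda.cluster.raft.election-timeout", "must be greater than heartbeat-interval"))

    processing = parse_size(g("camunda.data.primary-storage.disk.free-space.processing"))
    replication = parse_size(g("camunda.data.primary-storage.disk.free-space.replication"))
    if replication >= processing:
        findings.append(("camunda.data.primary-storage.disk.free-space.replication", "must be less than free-space.processing"))

    core = float(g("camunda.api.rest.executor.core-pool-size-multiplier"))
    maximum = float(g("camunda.api.rest.executor.max-pool-size-multiplier"))
    if maximum < core:
        findings.append(("camunda.api.rest.executor.max-pool-size-multiplier", "must be >= core-pool-size-multiplier"))

    # Security check: TLS off while the gateway listens beyond loopback means cleartext gRPC on the network.
    address = str(g("camunda.api.grpc.address"))
    if not truthy(g("camunda.api.grpc.ssl.enabled")) and address not in ("127.0.0.1", "::1", "localhost"):
        findings.append(("camunda.api.grpc.ssl.enabled", f"TLS disabled while gRPC binds to {address}"))
    return findings


# Constructed property maps: a three-node cluster with TLS on, and one that breaks every rule.
GOOD = {
    "camunda.api.grpc.ssl.enabled": True,
    "camunda.cluster.size": 3,
    "camunda.cluster.replication-factor": 3,
    "camunda.cluster.node-id": 2,
    "camunda.cluster.raft.election-timeout": "5s",
}
BAD = {
    "camunda.cluster.size": 3,
    "camunda.cluster.replication-factor": 5,
    "camunda.cluster.node-id": 3,
    "camunda.cluster.raft.election-timeout": "200ms",
    "camunda.data.primary-storage.disk.free-space.replication": "2GB",
    "camunda.api.rest.executor.max-pool-size-multiplier": 0.5,
}

if __name__ == "__main__":
    for name, props in (("defaults", {}), ("good", GOOD), ("bad", BAD)):
        print(name, lint(props) or "ok")
```

Note that an empty property map, that is, the defaults from this page, already produces one finding: the gateway listens on 0.0.0.0 with TLS off. That is the expected starting point for a local installation, but it is the first thing to change once the gateway is reachable from another host.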

camunda.data.primary-storage.logstream

PropertyDescriptionDefault value
camunda.data.primary-storage.logstream.log-segment-size

The size of data log segment files.

128MB
camunda.data.primary-storage.logstream.log-index-density

The density of the log index, which determines how frequently index entries are created in the log.

This value specifies the number of log entries between each index entry. A lower value increases the number of index entries (improving lookup speed but using more memory), while a higher value reduces the number of index entries (saving memory but potentially slowing lookups).

Valid values: any positive integer (recommended range: 1-1000).

100

camunda.data.primary-storage.rocksdb

PropertyDescriptionDefault value
camunda.data.primary-storage.rocksdb.statistics-enabled

Enables RocksDB statistics, which will be written to the RocksDB log file.

false
camunda.data.primary-storage.rocksdb.access-metrics

Configures which, if any, RocksDB column family access metrics are exposed. Valid values are none (the default), and fine which exposes many metrics covering the read, write, delete and iteration latency per partition and column family.

none
camunda.data.primary-storage.rocksdb.memory-limit

Configures the memory limit RocksDB may use.

Be aware that this setting only applies to RocksDB, which is used by Zeebe's state management, and that a separate RocksDB instance is used per partition, so the total is this limit multiplied by the number of partitions on the broker.

512MB
camunda.data.primary-storage.rocksdb.max-open-files

Configures how many files are kept open by RocksDB. The default is unlimited (-1).

This is a performance optimization: if you set a value greater than zero, it will keep track and cap the number of open files in the TableCache.

On accessing the files it needs to look them up in the cache.

You should configure this property if the maximum open files are limited on your system, or if you have thousands of files in your RocksDB state as there is a memory overhead to keeping all of them open, and setting maxOpenFiles will bound that.

-1
camunda.data.primary-storage.rocksdb.max-write-buffer-number

Configures the maximum number of simultaneous write buffers/memtables RocksDB will have in memory.

Normally about two thirds of the memory-limit is used by the write buffers, shared equally among them.

This means the higher maxWriteBufferNumber is, the less memory is available for each. This means you will flush less data at once, but may flush more often.

6
camunda.data.primary-storage.rocksdb.min-write-buffer-number-to-merge

Configures how many write buffers should be full before they are merged and flushed to disk.

A higher numeric value means you may flush less often, but will flush more data at once.

A lower numeric value means flushing more often, but flushing less data at once.

3
camunda.data.primary-storage.rocksdb.io-rate-bytes-per-second

Configures a rate limit for write I/O of RocksDB.

Setting any value less than or equal to 0 will disable this, which is the default setting.

Setting a rate limit on the write I/O can help achieve more stable performance by avoiding write spikes consuming all available IOPS, leading to more predictable read rates.

0
camunda.data.primary-storage.rocksdb.wal-disabled

Configures if the RocksDB write-ahead-log is used or not.

By default, every write in RocksDB goes to the active write buffer and the WAL; this helps recover a RocksDB instance should it crash before the write buffer is flushed.

Zeebe however only recovers from specific point-in-time snapshot, and never from a previously active RocksDB instance, which makes it a good candidate to disable the WAL. WAL is disabled by default as it can improve performance of Zeebe.

true
camunda.data.primary-storage.rocksdb.sst-partitioning-enabled

Configures if the RocksDB SST files should be partitioned based on some virtual column families.

By default, RocksDB will not partition the SST files, which could influence the compacting of certain key ranges.

Enabling this option gives RocksDB some good hints how to improve compaction and reduce the write amplification.

Benchmarks have shown impressive results, allowing sustained performance on larger states.

This setting will increase the general file count of runtime and snapshots.

true

camunda.data.primary-storage.backup

PropertyDescriptionDefault value
camunda.data.primary-storage.backup.store

Set the backup store type.

Supported values are NONE, S3, GCS, AZURE, FILESYSTEM.

Note: This configuration applies to the backup of primary storage.

NONE

camunda.data.primary-storage.backup.s3

PropertyDescriptionDefault value
camunda.data.primary-storage.backup.s3.bucket-name

Name of the bucket where the backup will be stored.

  • The bucket must already exist.
  • The bucket must not be shared with other Zeebe clusters.
  • bucket-name must not be empty.
Null
camunda.data.primary-storage.backup.s3.endpoint

Configure the URL endpoint for the store. If no endpoint is provided, it will be determined based on the configured region.

Null
camunda.data.primary-storage.backup.s3.region

Configure the AWS region.

If no region is provided it will be determined as documented in setting the AWS Region for the AWS SDK for Java 2.x.

Null
camunda.data.primary-storage.backup.s3.access-key

Configure access credentials.

If either accessKey or secretKey is not provided, the credentials will be determined as documented in using credentials providers in the AWS SDK for Java 2.x.

-
camunda.data.primary-storage.backup.s3.secret-key

Configure access credentials.

If either accessKey or secretKey is not provided, the credentials will be determined as documented in using credentials providers in the AWS SDK for Java 2.x.

-
camunda.data.primary-storage.backup.s3.api-call-timeout

Configure a maximum duration for all S3 client API calls.

Lower values will ensure that failed or slow API calls don't block other backups but may increase the risk that backups can't be stored if uploading parts of the backup takes longer than the configured timeout.

Refer to AWS Java SDK 2.x Best Practices.

180s
camunda.data.primary-storage.backup.s3.force-path-style-access

If enabled, forces the s3 client to use path-style access.

By default, the client will automatically choose between path-style and virtual-hosted-style.

This should only be enabled if the s3 compatible storage cannot support virtual-hosted-style.

Refer to accessing an Amazon S3 general purpose bucket.

false
camunda.data.primary-storage.backup.s3.compression

When set to an algorithm such as 'zstd', enables compression of backup contents.

When not set or set to 'none', backup content is not compressed.

Enabling compression reduces the required storage space for backups in S3 but also increases the impact on CPU and disk utilization while taking a backup.

-
camunda.data.primary-storage.backup.s3.max-concurrent-connections

Maximum number of connections allowed in a connection pool.

This is used to restrict the maximum number of concurrent uploads as to avoid connection timeouts when uploading backups with large/multiple files.

50
camunda.data.primary-storage.backup.s3.connection-acquisition-timeout

Timeout for acquiring an already-established connection from a connection pool to a remote service.

45s
camunda.data.primary-storage.backup.s3.base-path

When set, all objects in the bucket will use this prefix. Must be non-empty and not start or end with '/'.

This is useful for using the same bucket for multiple Zeebe clusters. In this scenario, the basePath must be unique.

Null
camunda.data.primary-storage.backup.s3.support-legacy-md5

Enable the AWS SDK's legacy MD5 plugin, for S3-compatible stores that still require MD5 content checksums.

Null
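Several properties in this reference carry credentials: camunda.api.grpc.ssl.key-store.password, the access-key and secret-key pairs under camunda.cluster.node-id-provider.s3 and camunda.data.primary-storage.backup.s3, and the Azure account-key and connection-string in the backup section that follows. Committing them in application.yaml puts them into version control and into every copy of the configuration. Because the Orchestration Cluster is a Spring Boot application, each can instead be supplied through the environment variable that Spring's relaxed binding maps the property to: dots become underscores, dashes are removed, the name is upper-cased, and a list index [n] becomes _n. The script below is an added example, not Camunda code. It lists the secret-bearing properties found on this page, derives the environment variable name for any property, and flags the ones that a constructed property map sets in plaintext.

```python
import re

# Credential-bearing properties listed in this reference.
SECRET_PROPERTIES = (
    "camunda.api.grpc.ssl.key-store.password",
    "camunda.cluster.node-id-provider.s3.access-key",
    "camunda.cluster.node-id-provider.s3.secret-key",
    "camunda.data.primary-storage.backup.s3.access-key",
    "camunda.data.primary-storage.backup.s3.secret-key",
    "camunda.data.primary-storage.backup.azure.account-key",
    "camunda.data.primary-storage.backup.azure.connection-string",
)


def to_env_name(prop):
    """Spring Boot relaxed binding: [n] -> _n, dots -> underscores, dashes dropped, upper-case."""
    name = re.sub(r"\[(\d+)\]", r"_\1", prop)
    return name.replace(".", "_").replace("-", "").upper()


def flag_plaintext_secrets(props):
    """Return (property, environment variable) pairs for every secret the property map sets."""
    return [(prop, to_env_name(prop)) for prop in SECRET_PROPERTIES if props.get(prop) not in (None, "")]


# Constructed example: an application.yaml flattened to dotted keys, with secrets inline.
SAMPLE = {
    "camunda.api.grpc.ssl.enabled": True,
    "camunda.api.grpc.ssl.key-store.file-path": "/etc/camunda/tls/gateway.p12",
    "camunda.api.grpc.ssl.key-store.password": "changeit",
    "camunda.data.primary-storage.backup.store": "S3",
    "camunda.data.primary-storage.backup.s3.bucket-name": "zeebe-backups",
    "camunda.data.primary-storage.backup.s3.access-key": "EXAMPLEACCESSKEY",
    "camunda.data.primary-storage.backup.s3.secret-key": "EXAMPLESECRETKEY",
}

if __name__ == "__main__":
    for prop, env in flag_plaintext_secrets(SAMPLE):
        print(f"{prop}: supply via environment variable {env} instead")
```

For S3 the better option, stated in the property descriptions themselves, is to omit access-key and secret-key entirely and let the AWS SDK credential provider chain pick up an instance or pod role; the environment variable is the fallback for stores that offer no such chain, and for the keystore password.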

camunda.data.primary-storage.backup.gcs

PropertyDescriptionDefault value
camunda.data.primary-storage.backup.gcs.bucket-name

Name of the bucket where the backup will be stored.

  • The bucket must already exist.
  • The bucket must not be shared with other Zeebe clusters unless basePath is also set.
Null
camunda.data.primary-storage.backup.gcs.base-path

When set, all blobs in the bucket will use this prefix. This is useful for using the same bucket for multiple Zeebe clusters.

In this scenario, the basePath must be unique. It should not start or end with a '/' character. It must be non-empty and not consist of only '/' characters.

Null
camunda.data.primary-storage.backup.gcs.host

When set, this overrides the host that the GCS client connects to.

By default, this is not set because the client can automatically discover the correct host to connect to.

AUTO
camunda.data.primary-storage.backup.gcs.auth

Configures which authentication method is used for connecting to GCS.

Can be either 'auto' or 'none'.

  • 'auto': The GCS client uses application default credentials which automatically discovers appropriate credentials from the runtime environment.
  • 'none': No authentication is attempted which is only applicable for testing with emulated GCS.

Null

camunda.data.primary-storage.backup.azure

PropertyDescriptionDefault value
camunda.data.primary-storage.backup.azure.endpoint

The Azure endpoint to connect to. Required unless a connection string is specified.

Null
camunda.data.primary-storage.backup.azure.account-name

The account name used to authenticate with Azure.

This can only be used in combination with an account key.

If account credentials or a connection string are not provided, authentication will use credentials from the runtime environment.

Null
camunda.data.primary-storage.backup.azure.account-key

The account key that is used to authenticate with Azure.

This can only be used in combination with an account name.

If account credentials or a connection string are not provided, authentication will use credentials from the runtime environment.

Null
camunda.data.primary-storage.backup.azure.connection-string

The connection string configures the endpoint, account name and account key all at once.

If a connection string or account credentials are not provided, authentication will use credentials from the runtime environment.

Null
camunda.data.primary-storage.backup.azure.base-path

Defines the container name where backup contents are saved.

Null
camunda.data.primary-storage.backup.azure.create-container

Defines the container name where backup contents are saved.

true
camunda.data.primary-storage.backup.azure.sas-token.type

This setting defines the SAS token to use.

These can be of user delegation, service or account type.

Note: As user delegation and service SAS tokens do not support the creation of containers, createContainer configuration will be overridden to false if sasToken is configured.

The user must make sure that the container already exists, or it will lead to a runtime error. Refer to delegate access by using a shared access signature.

Null
camunda.data.primary-storage.backup.azure.sas-token.value

The actual Shared Access Signature (SAS) token value used for authentication.

Null

camunda.data.primary-storage.backup.filesystem

PropertyDescriptionDefault value
camunda.data.primary-storage.backup.filesystem.base-path

Set the base path to store all related backup files in.

Null

Data - secondary storage

Review secondary storage management for guidance on best practices, ensuring data integrity and performance optimization.

warning

When Elasticsearch/OpenSearch Exporter indices and Orchestration Cluster indices share the same Elasticsearch or OpenSearch cluster, they must use different index prefixes. One prefix must not be the beginning of the other (for example, avoid custom and custom-zeebe together because custom* matches both). Do not use operate, tasklist, or camunda as the full exporter prefix, and do not use zeebe-record as the Orchestration Cluster index prefix, as zeebe-record is the default prefix for Elasticsearch/OpenSearch Exporter indices.

The Orchestration Cluster prefix is configured via camunda.data.secondary-storage.{elasticsearch|opensearch}.index-prefix (or CAMUNDA_DATA_SECONDARYSTORAGE_{ELASTICSEARCH|OPENSEARCH}_INDEXPREFIX).

For detailed requirements, configuration examples, and common mistakes, see index prefix configuration.

camunda.data.secondary-storage

PropertyDescriptionDefault value
camunda.data.secondary-storage.type

Type of secondary storage to use.

Example: elasticsearch, opensearch, h2, or none.

  • elasticsearch (orchestration default).
  • h2 (Camunda 8 Run default as of 8.9-alpha3)

camunda.data.secondary-storage.autoconfigure-camunda-exporter

If enabled, the default exporter camundaexporter is automatically configured using the secondary-storage properties.

Manual configuration of camundaexporter is not required.

If disabled, camundaexporter will not be configured automatically, but can still be enabled through manual configuration if required.

Manual configuration of camundaexporter is generally not recommended, and can result in unexpected behavior if not configured correctly.

true
camunda.data.secondary-storage.retention.enabled

If true, the ILM Policy is created and applied to the index templates.

true
camunda.data.secondary-storage.retention.minimum-age

Defines how old the data must be before the data is deleted, set as a duration.

30d

camunda.data.secondary-storage.elasticsearch

PropertyDescriptionDefault value
camunda.data.secondary-storage.elasticsearch.url

Endpoint for the database configured as secondary storage. Use the variable matching the selected type. Mutually exclusive with urls - configure only one.

http://localhost:9200
camunda.data.secondary-storage.elasticsearch.urls

List of endpoints for the database configured as secondary storage. Use for multi-node clusters. Mutually exclusive with url - configure only one.

[]
camunda.data.secondary-storage.elasticsearch.cluster-name

Secondary storage cluster name. Use the variable matching the selected type.

elasticsearch
camunda.data.secondary-storage.elasticsearch.date-format

The date format for the database configured as secondary storage.

yyyy-MM-dd'T'HH:mm:ss.SSSZZ
camunda.data.secondary-storage.elasticsearch.socket-timeout

The socket timeout for the database connector.

-
camunda.data.secondary-storage.elasticsearch.connection-timeout

The connection timeout for the database connector.

-
camunda.data.secondary-storage.elasticsearch.username

Username for the database configured as secondary storage.

''
camunda.data.secondary-storage.elasticsearch.password

Password for the database configured as secondary storage.

''
camunda.data.secondary-storage.elasticsearch.security.enabled

Enables HTTPS and related SSL/TLS handling for the secondary storage connection.

false
camunda.data.secondary-storage.elasticsearch.security.certificate-path

Path to the trusted root or CA certificate file when using a custom or self-signed certificate.

''
camunda.data.secondary-storage.elasticsearch.security.verify-hostname

Whether the hostname in the certificate must match the endpoint. Disable only for troubleshooting.

true
camunda.data.secondary-storage.elasticsearch.security.self-signed

Indicates the certificate is self-signed (enables relaxed trust handling when supported).

false
camunda.data.secondary-storage.elasticsearch.interceptor-plugins.id

To do

-
camunda.data.secondary-storage.elasticsearch.interceptor-plugins.class-name

To do

-
camunda.data.secondary-storage.elasticsearch.interceptor-plugins.jar-path

To do

-
camunda.data.secondary-storage.elasticsearch.index-prefix

Prefix to apply to the indexes.

Set only if you need to separate Orchestration Cluster indices from other indices in the same cluster (for example, when multiple Camunda environments share one cluster). Leave blank (-) to use the default.

''
camunda.data.secondary-storage.elasticsearch.number-of-shards

Default number of primary shards for new indices.

1
camunda.data.secondary-storage.elasticsearch.number-of-replicas

Default number of replicas for new indices.

0
camunda.data.secondary-storage.elasticsearch.template-priority

Priority applied to index templates created by the platform. Higher values override provider defaults.

0
camunda.data.secondary-storage.elasticsearch.number-of-shards-per-index

Map overriding shard count per index (key=index name, value=shards).

{}
camunda.data.secondary-storage.elasticsearch.number-of-replicas-per-index

JSON map overriding replica count per index (key=index name, value=replicas).

{}
camunda.data.secondary-storage.elasticsearch.variable-size-threshold

Variable size threshold for the database configured as secondary storage.

8191
camunda.data.secondary-storage.elasticsearch.bulk.delay

Delay before forced flush (in seconds).

'5s'
camunda.data.secondary-storage.elasticsearch.bulk.size

Bulk size before flush.

1000
camunda.data.secondary-storage.elasticsearch.bulk.memory-limit

Bulk memory usage before flush (in MB).

'20MB'
camunda.data.secondary-storage.elasticsearch.process-cache.max-cache-size

Process cache max size.

1000
camunda.data.secondary-storage.elasticsearch.form-cache.max-cache-size

Form cache max size.

1000
camunda.data.secondary-storage.elasticsearch.batch-operation-cache.max-cache-size

Batch operations cache max size.

1000
camunda.data.secondary-storage.elasticsearch.create-schema

Whether to create the schema automatically.

true
camunda.data.secondary-storage.elasticsearch.post-export.batch-size

Defines the default number of records processed in each batch during post-export operations from secondary storage.

100
camunda.data.secondary-storage.elasticsearch.post-export.delay-between-runs

Defines the default time interval between successive post-export processing runs for secondary storage.

'2s'
camunda.data.secondary-storage.elasticsearch.post-export.max-delay-between-runs

Defines the default maximum time interval between successive post-export processing runs for secondary storage.

'60s'
camunda.data.secondary-storage.elasticsearch.post-export.ignore-missing-data

Defines default error handling behavior when post-export processing encounters missing data in secondary storage.

false
camunda.data.secondary-storage.elasticsearch.incident-notifier.auth0-protocol

To do

'https'
camunda.data.secondary-storage.elasticsearch.incident-notifier.webhook

To do

''
camunda.data.secondary-storage.elasticsearch.incident-notifier.m2m-client-id

To do

''
camunda.data.secondary-storage.elasticsearch.incident-notifier.m2m-client-secret

To do

''
camunda.data.secondary-storage.elasticsearch.incident-notifier.m2m-audience

To do

''
camunda.data.secondary-storage.elasticsearch.batch-operations.export-items-on-creation

To do

true
camunda.data.secondary-storage.elasticsearch.history.process-instance-enabled

If true, enables the archiving of the completed process instances and their related objects.

true
camunda.data.secondary-storage.elasticsearch.history.els-rollover-date-format

Date format for historical indices in Java DateTimeFormatter syntax.

date
camunda.data.secondary-storage.elasticsearch.history.rollover-interval

Time range for creating dated indices. For example, 1d creates daily indices.

'1d'
camunda.data.secondary-storage.elasticsearch.history.rollover-batch-size

Maximum number of process instances per archiving batch.

100
camunda.data.secondary-storage.elasticsearch.history.wait-period-before-archiving

Grace period before archiving completed processes. Processes finished within this window are not yet archived.

'1h'
camunda.data.secondary-storage.elasticsearch.history.delay-between-runs

Time interval between archiver runs.

'2s'
camunda.data.secondary-storage.elasticsearch.history.max-delay-between-runs

Maximum time interval between archiver runs due to failure backoffs.

'60s'
camunda.data.secondary-storage.elasticsearch.history.policy-name

Defines the name of the created and applied ILM policy.

'camunda-history-retention-policy'
camunda.data.secondary-storage.elasticsearch.proxy.enabled

Enable proxy for connecting to Elasticsearch.

false
camunda.data.secondary-storage.elasticsearch.proxy.host

Proxy host. Required if proxy is enabled.

''
camunda.data.secondary-storage.elasticsearch.proxy.port

Proxy port. Required if proxy is enabled.

''
camunda.data.secondary-storage.elasticsearch.proxy.ssl-enabled

Enable SSL for the proxy connection.

false
camunda.data.secondary-storage.elasticsearch.proxy.username

Username for proxy authentication.

''
camunda.data.secondary-storage.elasticsearch.proxy.password

Password for proxy authentication.

''
camunda.data.secondary-storage.elasticsearch.backup.repository-name

Set the Elasticsearch snapshot repository name.

Note: This setting applies to backups of secondary storage.

''
camunda.data.secondary-storage.elasticsearch.backup.snapshot-timeout

A backup of history data consists of multiple Elasticsearch snapshots.

The snapshotTimeout controls the maximum time to wait for a snapshot operation to complete during backup creation. When set to 0, the system will wait indefinitely for snapshots to finish.

Note: This setting applies to backups of secondary storage.

0
camunda.data.secondary-storage.elasticsearch.backup.incomplete-check-timeout

Defines the timeout period for determining whether an incomplete backup should be considered as failed or still in progress.

This property helps distinguish between backups that are actively running versus those that may have stalled or failed silently.

Note: This setting applies to backups of secondary storage.

5m

camunda.data.secondary-storage.opensearch

PropertyDescriptionDefault value
camunda.data.secondary-storage.opensearch.url

Endpoint for the database configured as secondary storage. Use the variable matching the selected type. Mutually exclusive with urls - configure only one.

http://localhost:9200
camunda.data.secondary-storage.opensearch.urls

List of endpoints for the database configured as secondary storage. Use for multi-node clusters. Mutually exclusive with url - configure only one.

[]
camunda.data.secondary-storage.opensearch.cluster-name

Secondary storage cluster name. Use the variable matching the selected type.

elasticsearch
camunda.data.secondary-storage.opensearch.date-format

The date format for the database configured as secondary storage.

yyyy-MM-dd'T'HH:mm:ss.SSSZZ
camunda.data.secondary-storage.opensearch.socket-timeout

The socket timeout for the database connector.

-
camunda.data.secondary-storage.opensearch.connection-timeout

The connection timeout for the database connector.

-
camunda.data.secondary-storage.opensearch.username

Username for accessing the secondary storage REST API (leave blank if not secured).

''
camunda.data.secondary-storage.opensearch.password

Password for accessing the secondary storage REST API.

''
camunda.data.secondary-storage.opensearch.security.enabled

Enables HTTPS and related SSL/TLS handling for the secondary storage connection.

false
camunda.data.secondary-storage.opensearch.security.certificate-path

Path to the trusted root or CA certificate file when using a custom or self-signed certificate.

''
camunda.data.secondary-storage.opensearch.security.verify-hostname

Whether the hostname in the certificate must match the endpoint. Disable only for troubleshooting.

true
camunda.data.secondary-storage.opensearch.security.self-signed

Indicates the certificate is self-signed (enables relaxed trust handling when supported).

false
camunda.data.secondary-storage.opensearch.interceptor-plugins.id

To do

-
camunda.data.secondary-storage.opensearch.interceptor-plugins.class-name

To do

-
camunda.data.secondary-storage.opensearch.interceptor-plugins.jar-path

To do

-
camunda.data.secondary-storage.opensearch.index-prefix

Prefix to apply to the indexes.

Set only if you need to separate Orchestration Cluster indices from other indices in the same cluster (for example, when multiple Camunda environments share one cluster). Leave blank (-) to use the default.

''
camunda.data.secondary-storage.opensearch.number-of-shards

Default number of primary shards for new indices.

1
camunda.data.secondary-storage.opensearch.number-of-replicas

Default number of replicas for new indices.

0
camunda.data.secondary-storage.opensearch.template-priority

Priority applied to index templates created by the platform. Higher values override provider defaults.

0
camunda.data.secondary-storage.opensearch.number-of-shards-per-index

Map overriding shard count per index (key=index name, value=shards).

{}
camunda.data.secondary-storage.opensearch.number-of-replicas-per-index

JSON map overriding replica count per index (key=index name, value=replicas).

{}
camunda.data.secondary-storage.opensearch.variable-size-threshold

Variable size threshold for the database configured as secondary storage.

8191
camunda.data.secondary-storage.opensearch.bulk.delay

Delay before forced flush (in seconds).

'5s'
camunda.data.secondary-storage.opensearch.bulk.size

Bulk size before flush.

1000
camunda.data.secondary-storage.opensearch.bulk.memory-limit

Bulk memory usage before flush (in MB).

'20MB'
camunda.data.secondary-storage.opensearch.process-cache.max-cache-size

Process cache max size.

1000
camunda.data.secondary-storage.opensearch.form-cache.max-cache-size

Form cache max size.

1000
camunda.data.secondary-storage.opensearch.batch-operation-cache.max-cache-size

Batch operations cache max size.

1000
camunda.data.secondary-storage.opensearch.create-schema

Whether to create the schema automatically.

true
camunda.data.secondary-storage.opensearch.post-export.batch-size

Defines the default number of records processed in each batch during post-export operations from secondary storage.

100
camunda.data.secondary-storage.opensearch.post-export.delay-between-runs

Defines the default time interval between successive post-export processing runs for secondary storage.

'2s'
camunda.data.secondary-storage.opensearch.post-export.max-delay-between-runs

Defines the default maximum time interval between successive post-export processing runs for secondary storage.

'60s'
camunda.data.secondary-storage.opensearch.post-export.ignore-missing-data

Defines default error handling behavior when post-export processing encounters missing data in secondary storage.

false
camunda.data.secondary-storage.opensearch.incident-notifier.auth0-protocol

To do

'https'
camunda.data.secondary-storage.opensearch.incident-notifier.webhook

To do

''
camunda.data.secondary-storage.opensearch.incident-notifier.m2m-client-id

To do

''
camunda.data.secondary-storage.opensearch.incident-notifier.m2m-client-secret

To do

''
camunda.data.secondary-storage.opensearch.incident-notifier.m2m-audience

To do

''
camunda.data.secondary-storage.opensearch.batch-operations.export-items-on-creation

To do

true
camunda.data.secondary-storage.opensearch.history.process-instance-enabled

If true, enables the archiving of the completed process instances and their related objects.

true
camunda.data.secondary-storage.opensearch.history.els-rollover-date-format

Date format for historical indices in Java DateTimeFormatter syntax.

date
camunda.data.secondary-storage.opensearch.history.rollover-interval

Time range for creating dated indices. For example, 1d creates daily indices.

'1d'
camunda.data.secondary-storage.opensearch.history.rollover-batch-size

Maximum number of process instances per archiving batch.

100
camunda.data.secondary-storage.opensearch.history.wait-period-before-archiving

Grace period before archiving completed processes. Processes finished within this window are not yet archived.

'1h'
camunda.data.secondary-storage.opensearch.history.delay-between-runs

Time interval between archiver runs.

'2s'
camunda.data.secondary-storage.opensearch.history.max-delay-between-runs

Maximum time interval between archiver runs due to failure backoffs.

'60s'
camunda.data.secondary-storage.opensearch.history.policy-name

Defines the name of the created and applied ILM policy.

'camunda-history-retention-policy'
camunda.data.secondary-storage.opensearch.proxy.enabled

Enable proxy for connecting to OpenSearch.

false
camunda.data.secondary-storage.opensearch.proxy.host

Proxy host. Required if proxy is enabled.

''
camunda.data.secondary-storage.opensearch.proxy.port

Proxy port. Required if proxy is enabled.

''
camunda.data.secondary-storage.opensearch.proxy.ssl-enabled

Enable SSL for the proxy connection.

false
camunda.data.secondary-storage.opensearch.proxy.username

Username for proxy authentication.

''
camunda.data.secondary-storage.opensearch.proxy.password

Password for proxy authentication.

''
camunda.data.secondary-storage.opensearch.backup.repository-name

Set the OpenSearch snapshot repository name.

Note: This setting applies to backups of secondary storage.

''
camunda.data.secondary-storage.opensearch.backup.snapshot-timeout

A backup of history data consists of multiple OpenSearch snapshots.

The snapshotTimeout controls the maximum time to wait for a snapshot operation to complete during backup creation. When set to 0, the system will wait indefinitely for snapshots to finish.

Note: This setting applies to backups of secondary storage.

0
camunda.data.secondary-storage.opensearch.backup.incomplete-check-timeout

Defines the timeout period for determining whether an incomplete backup should be considered as failed or still in progress.

This property helps distinguish between backups that are actively running versus those that may have stalled or failed silently.

Note: This setting applies to backups of secondary storage.

5m

camunda.data.secondary-storage.rdbms

PropertyDescriptionDefault value
camunda.data.secondary-storage.rdbms.url

Endpoint for the database configured as secondary storage.

''
camunda.data.secondary-storage.rdbms.username

Username for accessing the secondary storage REST API (leave blank if not secured).

''
camunda.data.secondary-storage.rdbms.password

Password for the database configured as secondary storage.

''
camunda.data.secondary-storage.rdbms.prefix

The prefix to use for all database artifacts such as tables, indexes, and so on.

''
camunda.data.secondary-storage.rdbms.flush-interval

The interval at which the exporter's execution queue is flushed.

'PT0.5S'
camunda.data.secondary-storage.rdbms.queue-size

The maximum size of the exporter's execution queue before it is flushed to the database.

1000
camunda.data.secondary-storage.rdbms.queue-memory-limit

The maximum memory (in MB) that the execution queue can consume before it is flushed to the database. This helps prevent OOM when processing large processes with large variables.

20
camunda.data.secondary-storage.rdbms.auto-ddl

To do

true
camunda.data.secondary-storage.rdbms.database-vendor-id

To do

''
camunda.data.secondary-storage.rdbms.history.default-history-ttl

The default time to live for all camunda entities that support history time to live. Specified in Java Duration format.

'P30D'
camunda.data.secondary-storage.rdbms.history.default-batch-operation-history-ttl

The default time to live for all batch operations. Specified in Java Duration format.

'P5D'
camunda.data.secondary-storage.rdbms.history.batch-operation-cancel-process-instance-history-ttl

The default time to live for cancel process instance batch operations. Specified in Java Duration format.

'P5D'
camunda.data.secondary-storage.rdbms.history.batch-operation-migrate-process-instance-history-ttl

The default time to live for migrate process instance batch operations. Specified in Java Duration format.

'P5D'
camunda.data.secondary-storage.rdbms.history.batch-operation-modify-process-instance-history-ttl

The default time to live for modify process instance batch operations. Specified in Java Duration format.

'P5D'
camunda.data.secondary-storage.rdbms.history.batch-operation-resolve-incident-history-ttl

The default time to live for resolve incident batch operations. Specified in Java Duration format.

'P5D'
camunda.data.secondary-storage.rdbms.history.usage-metrics-cleanup

How often usage metrics cleanup is performed. Specified in Java Duration format.

'P1D'
camunda.data.secondary-storage.rdbms.history.usage-metrics-ttl

The default time to live for usage metrics. Specified in Java Duration format.

'P730D'
camunda.data.secondary-storage.rdbms.history.min-history-cleanup-interval

The min interval between two history cleanup runs. This will be reached when the system is constantly finding data to clean up. Specified in Java Duration format.

'PT1M'
camunda.data.secondary-storage.rdbms.history.max-history-cleanup-interval

The max interval between two history cleanup runs. This will be reached when the system is constantly finding no data to clean up. Specified in Java Duration format.

'PT1H'
camunda.data.secondary-storage.rdbms.history.history-cleanup-batch-size

The number of history records to delete in one batch.

1000
camunda.data.secondary-storage.rdbms.process-cache.max-size

The maximum number of entries the process cache may contain. When the size of the cache exceeds this, the oldest entries are removed.

1000
camunda.data.secondary-storage.rdbms.batch-operation-cache.max-size

The maximum number of batch operations entries the cache may contain. When the size of the cache exceeds this, the oldest entries are removed.

1000
camunda.data.secondary-storage.rdbms.export-batch-operation-items-on-creation

If true, batch operation items are exported to the database when the batch operation is created (status = ACTIVE). If false, the items are created on demand when they have been processed.

When set to true, this ensures that the items are available when the batch operation is created, but it may lead to a delay in the creation of the batch operation if there are many items to create.

true
camunda.data.secondary-storage.rdbms.batch-operation-item-inserts-block-size

The number of batch operation items to insert in a single batched SQL when creating the items for a batch operation. This is only relevant when exportBatchOperationItemsOnCreation is set to true.

1000
camunda.data.secondary-storage.rdbms.connection-pool.maximum-pool-size

To do

10
camunda.data.secondary-storage.rdbms.connection-pool.minimum-idle

To do

10
camunda.data.secondary-storage.rdbms.connection-pool.idle-timeout

To do

600000
camunda.data.secondary-storage.rdbms.connection-pool.max-lifetime

To do

1800000
camunda.data.secondary-storage.rdbms.connection-pool.connection-timeout

To do

30000

note

Durations support ISO-8601 (P30D) or simplified suffix formats (30d, 12h). Use simplified suffix formats unless strict ISO-8601 compliance is required.

Secure connection (HTTPS / TLS)

To connect to a secured (https) Elasticsearch or OpenSearch cluster for secondary storage:

  • Change the URL protocol from http to https.
  • Provide username and password if the cluster requires authentication.
  • Use additional security properties to handle custom certificates or strict hostname verification:
    • Set security.enabled=true (or simply use an https URL if auto-detection applies) to activate SSL/TLS handling.
    • Use security.certificatePath when the server certificate is signed by a custom CA or is self-signed so the JVM can trust it.
    • Set security.selfSigned=true if the certificate is self-signed and the client logic requires this hint.
    • Keep security.verifyHostname=true for production. Disable it only temporarily to diagnose hostname/certificate mismatch issues.

note

  • Import the certificate (or its issuing CA) into the JVM trust store if it is not already trusted.
  • For Kubernetes-based deployments, mount a trust store and point certificatePath to it.
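The steps above as one application.yaml fragment, added here as an example rather than taken from the Camunda docs; the hostname, certificate path and the environment variable names used for the credentials are placeholders:

```yaml
# Added example, not from the Camunda docs. Hostname, certificate path and
# credential environment variable names are placeholders.
camunda:
  data:
    secondary-storage:
      type: elasticsearch
      elasticsearch:
        # Weak: plaintext endpoint, no credentials, hostname check switched off.
        # url: http://es.example.internal:9200
        # security:
        #   verify-hostname: false
        #
        # Hardened: https endpoint, credentials taken from the environment,
        # the custom CA made trusted, hostname verification kept on.
        url: https://es.example.internal:9200
        username: ${ES_USERNAME}
        password: ${ES_PASSWORD}
        security:
          enabled: true
          certificate-path: /etc/camunda/certs/es-ca.crt   # custom CA (or the self-signed cert)
          self-signed: false      # true only when the server certificate itself is self-signed
          verify-hostname: true   # keep enabled in production; disable only to diagnose a mismatch
```

The same properties apply under camunda.data.secondary-storage.opensearch when OpenSearch is the selected type.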

Index & retention settings

Properties such as camunda.data.secondary-storage.elasticsearch.number-of-shards control index creation characteristics (shards, replicas, template priority) and retention/lifecycle policies for Orchestration Cluster indices.

note

Shards/replicas and template priority overrides are not currently exposed as Helm values. Configure these via environment variables or application.yaml properties if supported by your runtime version.

Replica count changes (number-of-replicas and per-index overrides)

  • For newer versions (8.8+), changes are applied to existing indices on the next application restart, with settings updated in place.
  • These are also written to the index templates so that newly created indices inherit the updated replica configuration.

Shard count changes (number-of-shards and per-index overrides)

  • These are only applied to index templates, affecting indices created after the change.
  • Existing indices retain their original shard layout.

Template priority changes

  • Adjusts which template is applied when multiple patterns match.
  • The effect is only for indices created after the change.

note

Some Elasticsearch and OpenSearch deployments may ship predefined wildcard (* pattern) index templates with their own priorities. Assign a strictly higher priority to the Camunda index templates to ensure Camunda's mappings and settings take precedence when multiple templates match the same index name. If the priority is not higher, provider wildcard templates may override shard/replica defaults, analyzers, or field mappings, leading to unexpected index behavior.

note

Maps (for example, shards/replicas overrides) are key-value objects:

camunda.data.secondary-storage.elasticsearch.number-of-shards-per-index:
  list-view: 3
  task: 2

Data - exporters

warning

When Elasticsearch/OpenSearch Exporter indices and Orchestration Cluster indices share the same Elasticsearch or OpenSearch cluster, they must use different index prefixes. One prefix must not be the beginning of the other (for example, avoid custom and custom-zeebe together because custom* matches both). Do not use operate, tasklist, or camunda as the full exporter prefix, and do not use zeebe-record as the Orchestration Cluster index prefix, as zeebe-record is the default prefix for Elasticsearch/OpenSearch Exporter indices.

The exporter prefix is configured via camunda.data.exporters.elasticsearch.args.index-prefix (or CAMUNDA_DATA_EXPORTERS_{ELASTICSEARCH|OPENSEARCH}_ARGS_INDEX_PREFIX).

For detailed requirements, configuration examples, and common mistakes, see index prefix configuration.
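An application.yaml fragment that keeps the two prefixes apart when the exporter and the Orchestration Cluster share one Elasticsearch cluster, added here as an example and not taken from the Camunda docs; the host and prefix values are constructed:

```yaml
# Added example, not from the Camunda docs. Host and prefix values are constructed.
camunda:
  data:
    secondary-storage:
      type: elasticsearch
      elasticsearch:
        url: https://es.example.internal:9200
        # Orchestration Cluster indices. Must not be "zeebe-record" and must not
        # be the beginning of the exporter prefix (or the other way round).
        index-prefix: oc-prod
    exporters:
      elasticsearch:
        class-name: io.camunda.zeebe.exporter.ElasticsearchExporter
        args:
          # Exporter indices. Must not be "operate", "tasklist" or "camunda".
          # Rejected pairing from the warning above: "custom" with "custom-zeebe",
          # because custom* would match both sets of indices.
          # Other exporter arguments are omitted here.
          index-prefix: zeebe-prod

# Equivalent environment variables:
#   CAMUNDA_DATA_SECONDARYSTORAGE_ELASTICSEARCH_INDEXPREFIX=oc-prod
#   CAMUNDA_DATA_EXPORTERS_ELASTICSEARCH_ARGS_INDEX_PREFIX=zeebe-prod
```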

camunda.data.exporters

PropertyDescriptionDefault value
camunda.data.exporters.elasticsearch.class-name

Fully qualified class name pointing to the class implementing the exporter interface.

'io.camunda.zeebe.exporter.ElasticsearchExporter'
camunda.data.exporters.elasticsearch.jar-path

Path to the JAR file containing the exporter class.

Optional field: if missing, the class is looked up in the Zeebe classpath.

-
camunda.data.exporters.elasticsearch.args

Map of arguments to use when instantiating the exporter.

-

Expression

See expressions.

camunda.expression

PropertyDescriptionDefault value
camunda.expression.timeout

The timeout for expression evaluation. If an expression takes longer to evaluate than this timeout, the evaluation will be interrupted. An incident is raised if the expression is evaluated for a process instance.

Setting a lower value avoids the expression evaluation blocking the execution of other process instances on the same partition for too long. We recommend keeping this below five seconds to avoid unhealthy partitions due to 'actor appears blocked'.

5s

Licensing

Installations of Camunda 8 Self-Managed that require a license can provide their license key to the components. See licensing.

camunda.license

PropertyDescriptionDefault value
camunda.license.key

Your Camunda 8 license key, if your installation requires a license.

Null

camunda.security

PropertyDescriptionDefault value
camunda.security.id-validation-pattern

A Java regular expression that validates the user-defined identifiers of Identity-related entities.

^[a-zA-Z0-9_@.+-]+$

camunda.security.authentication

PropertyDescriptionDefault value
camunda.security.authentication.authentication-refresh-interval

The interval at which the memberships (groups, roles, tenants, component authorizations) are refreshed for logged in users. Find more details in webserver and security.

PT30S
camunda.security.authorizations.enabled

Enables authorization checks for Orchestration Cluster resources.

true
camunda.security.authentication.method

The authentication method to use. Options: basic, oidc.

basic
camunda.security.authentication.unprotected-api

If the API can be used without authentication.

false

camunda.security.csrf

PropertyDescriptionDefault value
camunda.security.csrf.enabled

Enables or disables CSRF protection. Disabling CSRF protection is not recommended for production environments as it leaves your application vulnerable to cross-site request forgery attacks.

true
caution

Disabling CSRF protection is not recommended for production environments as it leaves your application vulnerable to cross-site request forgery attacks.

camunda.security.http-headers

PropertyDescriptionRelated HeaderDefault value
camunda.security.http-headers.cache-control.enabled

Enables or disables cache prevention headers. Default values: Cache-Control: no-cache, no-store, max-age=0, must-revalidate; Pragma: no-cache; Expires: 0.

Cache-Control, Pragma, Expires

true
camunda.security.http-headers.content-security-policy.enabled

Enables or disables CSP headers.

Content-Security-Policy

true
camunda.security.http-headers.content-security-policy.policy-directives

Custom CSP directives. If not set, the default values are applied. If set, the value overrides the default CSP policy.

Content-Security-Policy

camunda.security.http-headers.content-security-policy.report-only

Enables reporting mode without enforcing policies.

Content-Security-Policy-Report-Only

false
camunda.security.http-headers.content-type-options.enabled

Enables or disables the X-Content-Type-Options header with the nosniff value.

X-Content-Type-Options

true
camunda.security.http-headers.cross-origin-embedder-policy.value

Restricts embedded cross-origin resources. Options: REQUIRE_CORP, UNSAFE_NONE.

Cross-Origin-Embedder-Policy

UNSAFE_NONE
camunda.security.http-headers.cross-origin-opener-policy.value

Isolates windows from cross-origin openers. Options: UNSAFE_NONE, SAME_ORIGIN_ALLOW_POPUPS, SAME_ORIGIN.

Cross-Origin-Opener-Policy

SAME_ORIGIN_ALLOW_POPUPS
camunda.security.http-headers.cross-origin-resource-policy.value

Declares whether resources can be loaded cross-origin. Options: SAME_ORIGIN, SAME_SITE, CROSS_ORIGIN.

Cross-Origin-Resource-Policy

SAME_SITE
camunda.security.http-headers.frame-options.enabled

Enables or disables the X-Frame-Options header. The default value is SAMEORIGIN.

X-Frame-Options

true
camunda.security.http-headers.frame-options.mode

Frame options mode. Options: DENY, SAMEORIGIN.

X-Frame-Options

SAMEORIGIN
camunda.security.http-headers.hsts.enabled

Enables or disables the Strict-Transport-Security header.

Strict-Transport-Security

true
camunda.security.http-headers.hsts.include-subdomains

Applies HSTS to all subdomains.

Strict-Transport-Security

false
camunda.security.http-headers.hsts.max-age-in-seconds

HSTS max age in seconds.

Strict-Transport-Security

31536000
camunda.security.http-headers.hsts.preload

Enables HSTS preloading.

Strict-Transport-Security

false
camunda.security.http-headers.permissions-policy.value

Restricts access to browser capabilities.

Permissions-Policy

Disables all features by default
camunda.security.http-headers.referrer-policy.value

Controls referrer information sharing. See available values below.

Referrer-Policy

STRICT_ORIGIN_WHEN_CROSS_ORIGIN

Default Content Security Policy

This is the default value of the Content Security Policy when enabled:

default-src 'self';
base-uri 'self';
script-src 'self' https: *.chargebee.com *.mixpanel.com ajax.cloudflare.com static.cloudflareinsights.com;
script-src-elem 'self' cdn.jsdelivr.net;
connect-src 'self' https: *.mixpanel.com cloudflareinsights.com *.appcues.net wss://api.appcues.net cdn.jsdelivr.net;
style-src 'self' https: 'unsafe-inline' cdn.jsdelivr.net *.googleapis.com *.chargebee.com;
img-src data: 'self';
form-action 'self';
frame-ancestors 'self';
frame-src 'self' https: *.chargebee.com blob:;
object-src 'self' blob:;
font-src 'self' data: fonts.camunda.io cdn.jsdelivr.net;
worker-src 'self' blob:;
child-src;
script-src-attr 'none'

Note that the https: source in script-src, connect-src, style-src and frame-src allows any HTTPS origin, and that object-src permits plugin content from 'self' and blob: URLs. If you tighten the policy with camunda.security.http-headers.content-security-policy.policy-directives, the value you set replaces the whole default rather than merging with it, so it must still list every origin the web applications need (see script-src-elem, style-src and font-src above); enable report-only mode first to see what the new policy would block.
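The header table and the default policy above describe what a correctly configured Orchestration Cluster should send. The following script, an added example and not part of Camunda, audits a raw HTTP response head against those defaults and flags the weak spots in a CSP value; it assumes the header values Spring Security emits for the enum options in the table (for example UNSAFE_NONE is sent as unsafe-none) and uses two constructed sample responses, one hardened and one weakened:

```python
"""Audit an HTTP response head against the Orchestration Cluster's default
security headers. Added example, not Camunda code."""
import re

# Expected wire values for the defaults in the camunda.security.http-headers
# table (assumption: the enum names map to these lower-case header values).
EXPECTED = {
    "cache-control": "no-cache, no-store, max-age=0, must-revalidate",
    "pragma": "no-cache",
    "expires": "0",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "cross-origin-embedder-policy": "unsafe-none",
    "cross-origin-opener-policy": "same-origin-allow-popups",
    "cross-origin-resource-policy": "same-site",
    "referrer-policy": "strict-origin-when-cross-origin",
}

# The page's default Content Security Policy, joined onto one line.
DEFAULT_CSP = (
    "default-src 'self'; base-uri 'self'; "
    "script-src 'self' https: *.chargebee.com *.mixpanel.com ajax.cloudflare.com static.cloudflareinsights.com; "
    "script-src-elem 'self' cdn.jsdelivr.net; "
    "connect-src 'self' https: *.mixpanel.com cloudflareinsights.com *.appcues.net wss://api.appcues.net cdn.jsdelivr.net; "
    "style-src 'self' https: 'unsafe-inline' cdn.jsdelivr.net *.googleapis.com *.chargebee.com; "
    "img-src data: 'self'; form-action 'self'; frame-ancestors 'self'; "
    "frame-src 'self' https: *.chargebee.com blob:; object-src 'self' blob:; "
    "font-src 'self' data: fonts.camunda.io cdn.jsdelivr.net; worker-src 'self' blob:; "
    "child-src; script-src-attr 'none'"
)


def parse_response(raw):
    """Turn a raw HTTP/1.1 response head into {lower-case name: value}.
    Repeated headers are joined with ', ' as RFC 9110 permits."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return headers


def check_hsts(value, min_age=31536000):
    """HSTS is only useful with a max-age at least as long as the documented default."""
    m = re.search(r"max-age=(\d+)", value)
    if not m:
        return ["strict-transport-security has no max-age"]
    if int(m.group(1)) < min_age:
        return [f"strict-transport-security max-age {m.group(1)} is below {min_age}"]
    return []


def check_csp(value):
    """Flag the weak spots in a CSP value. Directives that are absent fall back
    to default-src, as the browser does."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    fallback = directives.get("default-src", [])
    script = directives.get("script-src", fallback)
    findings = []
    if "https:" in script:
        findings.append("script-src allows any https: origin")
    if "'unsafe-inline'" in script:
        findings.append("script-src allows inline scripts")
    if directives.get("object-src", fallback) != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "frame-ancestors" not in directives:
        findings.append("no frame-ancestors: clickjacking protection relies on X-Frame-Options alone")
    if "base-uri" not in directives:
        findings.append("no base-uri: an injected <base> tag can redirect relative URLs")
    return findings


def audit(raw):
    """Return a list of findings for one response; an empty list means all
    documented defaults are present."""
    headers = parse_response(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name}: got {got!r}, expected {want!r}")
    hsts = headers.get("strict-transport-security")
    findings += check_hsts(hsts) if hsts is not None else ["missing strict-transport-security"]
    csp = headers.get("content-security-policy")
    if csp is not None:
        findings += check_csp(csp)
    elif "content-security-policy-report-only" in headers:
        findings.append("content-security-policy is report-only: nothing is enforced")
    else:
        findings.append("missing content-security-policy")
    return findings


# Constructed sample responses (not captured from a real deployment).
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\nExpires: 0\r\n"
    "X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Cross-Origin-Embedder-Policy: unsafe-none\r\n"
    "Cross-Origin-Opener-Policy: same-origin-allow-popups\r\n"
    "Cross-Origin-Resource-Policy: same-site\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; "
    "frame-ancestors 'self'; base-uri 'self'\r\n\r\n<html></html>"
)
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\nExpires: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cross-Origin-Embedder-Policy: unsafe-none\r\n"
    "Cross-Origin-Opener-Policy: same-origin-allow-popups\r\n"
    "Cross-Origin-Resource-Policy: same-site\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(label, audit(sample) or "no findings")
    print("default CSP:", check_csp(DEFAULT_CSP))
```

Feed `audit()` the head of a response captured with `curl -si` against a login or API URL of the cluster. Running `check_csp()` on the documented default reports the https: script source and the non-'none' object-src, which is the starting point for a tightened policy-directives value.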

camunda.security.authentication.oidc

PropertyDescriptionDefault value
camunda.security.authentication.oidc.client-id

The client ID for OIDC authentication.

camunda.security.authentication.oidc.client-secret

The client secret for OIDC authentication. Only takes effect if camunda.security.authentication.oidc.client-authentication-method is set to client_secret_basic or left at its default.

camunda.security.authentication.oidc.issuer-uri

The issuer URI for OIDC authentication. If set, the individual endpoints of your OIDC provider are fetched from its well-known configuration endpoint. In this case, any individually configured token, authorization, and JWKS URIs do not take effect.

camunda.security.authentication.oidc.redirect-uri

The URI the OIDC provider redirects to after user login, pointing back at the Orchestration Cluster. Set this to the externally reachable HTTPS callback URL of your deployment; the default only fits a local development setup.

http://localhost:8080/sso-callback
camunda.security.authentication.oidc.username-claim

The JWT claim that identifies a user. Extracted from a token, this claim value becomes the user's username. This setting is evaluated on any token-based access, regardless of the underlying OIDC/OAuth flow.

sub
camunda.security.authentication.oidc.groups-claim

The JWT claim that contains a user's or client's groups. Expects an array of String values. If not set, groups can be managed in the Orchestration Cluster through its REST APIs.

camunda.security.authentication.oidc.client-id-claim

The JWT claim that identifies a client. Extracted from a token, this claim value becomes the client's ID. This setting is evaluated on any token-based access, regardless of the underlying OIDC/OAuth flow.

camunda.security.authentication.oidc.prefer-username-claim

Determines whether a token that contains both the configured username claim and the configured client ID claim is treated as a user or a client. If set to true, it is treated as a user. If set to false, it is treated as a client.

false
camunda.security.authentication.oidc.audiences

Comma-separated list of audiences to validate in the OIDC token.

camunda.security.authentication.oidc.scope

Comma-separated list of scopes to request in the OIDC token.

openid, profile
camunda.security.authentication.oidc.jwk-set-uri

Sets the OIDC provider's JWK Set URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

camunda.security.authentication.oidc.authorization-uri

Sets the OIDC provider's authorization URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

camunda.security.authentication.oidc.token-uri

Sets the OIDC provider's token URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

camunda.security.authentication.oidc.client-authentication-method

Sets the client authentication method to use. Options: client_secret_basic, private_key_jwt.

client_secret_basic
camunda.security.authentication.oidc.clock-skew

Sets the allowed clock skew when validating JWT issuance and expiration. Format: ISO 8601 duration (PnDTnHnMn.nS).

60S
camunda.security.authentication.oidc.id-token-algorithm

Sets the ID token signature algorithm.

RS256

camunda.security.authentication.oidc.assertion

Configuration options for the client assertion used in Bearer JWT client authentication.

note

These properties apply only when camunda.security.authentication.oidc.client-authentication-method is set to private_key_jwt. The key value refers to the private key ID used to sign the client assertion JWT.

PropertyDescriptionDefault value
camunda.security.authentication.oidc.assertion.kid-source

Source for generating the key ID. Options: CERTIFICATE, PUBLIC_KEY.

PUBLIC_KEY
camunda.security.authentication.oidc.assertion.kid-digest-algorithm

Hash algorithm used to generate the key ID. Options: SHA256, SHA1.

SHA256
camunda.security.authentication.oidc.assertion.kid-encoding

Key ID encoding. Options: BASE64URL, HEX.

BASE64URL
camunda.security.authentication.oidc.assertion.kid-case

Key ID case. Only applicable to HEX encoding. Options: UPPER, LOWER.

camunda.security.authentication.oidc.assertion.keystore

Configuration of the keystore used to build the client assertion for Bearer JWT client authentication.

note

These properties apply only when camunda.security.authentication.oidc.client-authentication-method is set to private_key_jwt.

PropertyDescriptionDefault value
camunda.security.authentication.oidc.assertion.keystore.path

Path to the PKCS12 keystore.

camunda.security.authentication.oidc.assertion.keystore.password

Keystore password.

camunda.security.authentication.oidc.assertion.keystore.key-alias

Alias of the private key to be used to sign the client assertion.

camunda.security.authentication.oidc.assertion.keystore.key-password

Password of the private key.
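The kid-* settings above control how the key ID placed in the client assertion's header is derived, and the keystore settings supply the key that signs it. The following is an added example, not Camunda's implementation: it assumes the key ID is a digest of the DER-encoded certificate (CERTIFICATE) or public key (PUBLIC_KEY) of the keystore entry, encoded as the settings describe, and it assembles an RFC 7523 client assertion around that kid. The DER bytes are a constructed stand-in and the `sign` callable stands in for RSA signing with the keystore's private key; verify the derived kid against what your identity provider has registered before relying on it.

```python
"""Key ID derivation and client-assertion assembly for private_key_jwt.
Added example; the digest-over-DER rule is an assumption, not Camunda's code."""
import base64
import hashlib
import json
import time
import uuid


def _b64url(data):
    """Unpadded base64url, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def derive_kid(der, digest="SHA256", encoding="BASE64URL", case=None):
    """Mirror kid-digest-algorithm, kid-encoding and kid-case. `der` is the
    DER encoding of the certificate or public key chosen by kid-source."""
    if digest == "SHA256":
        h = hashlib.sha256(der).digest()
    elif digest == "SHA1":
        h = hashlib.sha1(der).digest()
    else:
        raise ValueError(f"unsupported kid-digest-algorithm {digest}")
    if encoding == "BASE64URL":
        return _b64url(h)                      # kid-case does not apply here
    if encoding == "HEX":
        if case not in (None, "LOWER", "UPPER"):
            raise ValueError(f"unsupported kid-case {case}")
        return h.hex().upper() if case == "UPPER" else h.hex()
    raise ValueError(f"unsupported kid-encoding {encoding}")


def kid_input(entry, source="PUBLIC_KEY"):
    """Pick the bytes kid-source refers to from a keystore entry."""
    if source == "CERTIFICATE":
        return entry["certificate_der"]
    if source == "PUBLIC_KEY":
        return entry["public_key_der"]
    raise ValueError(f"unsupported kid-source {source}")


def build_client_assertion(client_id, token_uri, kid, sign, alg="RS256",
                           lifetime=60, now=None):
    """RFC 7523 client assertion: iss and sub are the client ID, aud is the
    token endpoint, jti is unique, exp is short. `sign` receives the signing
    input and must return the raw signature from the keystore's private key."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    payload = {"iss": client_id, "sub": client_id, "aud": token_uri,
               "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def decode_unverified(jwt):
    """Split a compact JWT into (header, payload) without checking the signature;
    only for inspecting what was built."""
    pad = lambda s: s + "=" * (-len(s) % 4)
    header, payload, _ = jwt.split(".")
    return (json.loads(base64.urlsafe_b64decode(pad(header))),
            json.loads(base64.urlsafe_b64decode(pad(payload))))


# Constructed stand-in for the entry read from the PKCS12 keystore by
# key-alias. Real deployments take these bytes from the actual certificate
# and SubjectPublicKeyInfo of that entry.
SAMPLE_ENTRY = {
    "certificate_der": b"\x30\x82\x01\x00constructed-certificate-bytes",
    "public_key_der": b"\x30\x59\x30\x13constructed-public-key-bytes",
}

if __name__ == "__main__":
    kid = derive_kid(kid_input(SAMPLE_ENTRY, "PUBLIC_KEY"))
    print("kid (PUBLIC_KEY, SHA256, BASE64URL):", kid)
    print("kid (CERTIFICATE, SHA1, HEX, UPPER):",
          derive_kid(kid_input(SAMPLE_ENTRY, "CERTIFICATE"), "SHA1", "HEX", "UPPER"))
    # Stand-in signer so the example runs offline; a real one uses the RSA key.
    assertion = build_client_assertion("oc-client", "https://idp.example/token",
                                       kid, sign=lambda data: b"signature-placeholder")
    print(decode_unverified(assertion))
```

When a provider rejects the assertion with an unknown-key error, compare the header's kid from `decode_unverified()` against the key ID the provider shows for the registered certificate; switching kid-source between PUBLIC_KEY and CERTIFICATE, or the encoding between BASE64URL and HEX, is usually what is needed.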

camunda.security.initialization.default-roles

PropertyDescriptionDefault value
camunda.security.initialization.default-roles.<role>.clients.[0]

Clients assigned to the <role> role.

camunda.security.initialization.default-roles.<role>.groups.[0]

Groups assigned to the <role> role.

camunda.security.initialization.default-roles.<role>.mappingrules.[0]

Mapping rules assigned to the <role> role.

camunda.security.initialization.default-roles.<role>.users.[0]

Users assigned to the <role> role.

camunda.security.initialization.users

PropertyDescriptionDefault value
camunda.security.initialization.users.[0].email

The email address of the first user.

camunda.security.initialization.users.[0].name

The name of the first user.

camunda.security.initialization.users.[0].password

The password of the first user.

camunda.security.initialization.users.[0].username

The username of the first user.

camunda.security.initialization.mappingrules

PropertyDescriptionDefault value
camunda.security.initialization.mappingrules.[0].claim-name

The claim of the first mapping rule.

camunda.security.initialization.mappingrules.[0].claim-value

The claim's value of the first mapping rule.

camunda.security.initialization.mappingrules.[0].mapping-rule-id

The ID of the first mapping rule.
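The OIDC claim settings (username-claim, client-id-claim, prefer-username-claim, groups-claim, audiences, clock-skew), the mapping rules and the default-roles tables above work together: the token's claims decide whether the caller is a user or a client, mapping rules turn claim values into rule IDs, and default roles are granted by username, client ID, group or matched rule. The script below is an added illustration of those documented rules, not the Orchestration Cluster's own code. The configuration values, the three constructed tokens and the exact-match rule for mapping rules are assumptions made for the example:

```python
"""Principal classification, mapping rules and default roles, following the
camunda.security.authentication.oidc and camunda.security.initialization
tables. Added illustration, not Camunda code."""
import time

# Mirrors camunda.security.authentication.oidc.* (values are assumptions).
OIDC = {
    "username-claim": "preferred_username",
    "client-id-claim": "azp",
    "groups-claim": "groups",
    "prefer-username-claim": False,
    "audiences": ["orchestration-cluster"],
    "clock-skew-seconds": 60,
}

# camunda.security.initialization.mappingrules.[n].* as a list of rules.
MAPPING_RULES = [
    {"mapping-rule-id": "platform-admins", "claim-name": "department", "claim-value": "platform"},
    {"mapping-rule-id": "ci-pipeline", "claim-name": "azp", "claim-value": "ci-deployer"},
]

# camunda.security.initialization.default-roles.<role>.* (constructed).
DEFAULT_ROLES = {
    "admin": {"users": ["alice"], "groups": ["sre"], "clients": [], "mappingrules": ["platform-admins"]},
    "connectors": {"users": [], "groups": [], "clients": ["ci-deployer"], "mappingrules": []},
}


def validate_time_and_audience(claims, now=None):
    """Apply the configured clock skew to exp/iat and require at least one of
    the configured audiences. Returns a list of problems (empty when valid)."""
    now = time.time() if now is None else now
    skew = OIDC["clock-skew-seconds"]
    problems = []
    if claims.get("exp", 0) + skew < now:
        problems.append("token expired")
    if claims.get("iat", 0) - skew > now:
        problems.append("token issued in the future")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud      # aud may be a string or a list
    if not set(aud) & set(OIDC["audiences"]):
        problems.append("audience mismatch")
    return problems


def classify_principal(claims, prefer_username=None):
    """Return ('user', name), ('client', id) or (None, None). When both claims
    are present, prefer-username-claim decides which wins."""
    if prefer_username is None:
        prefer_username = OIDC["prefer-username-claim"]
    user = claims.get(OIDC["username-claim"])
    client = claims.get(OIDC["client-id-claim"])
    if user and client:
        return ("user", user) if prefer_username else ("client", client)
    if user:
        return ("user", user)
    if client:
        return ("client", client)
    return (None, None)


def matched_mapping_rules(claims):
    """IDs of the rules whose claim-name carries claim-value in this token.
    Assumption: exact string match; a list-valued claim matches if it contains the value."""
    ids = []
    for rule in MAPPING_RULES:
        actual = claims.get(rule["claim-name"])
        values = actual if isinstance(actual, list) else [actual]
        if rule["claim-value"] in values:
            ids.append(rule["mapping-rule-id"])
    return ids


def effective_roles(claims):
    """Roles granted by default-roles through username, client ID, group or mapping rule."""
    kind, ident = classify_principal(claims)
    if kind is None:
        return set()
    groups = claims.get(OIDC["groups-claim"]) or []    # expects an array of strings
    rules = matched_mapping_rules(claims)
    roles = set()
    for role, members in DEFAULT_ROLES.items():
        if (kind == "user" and ident in members["users"]) or \
           (kind == "client" and ident in members["clients"]) or \
           set(groups) & set(members["groups"]) or \
           set(rules) & set(members["mappingrules"]):
            roles.add(role)
    return roles


# Constructed tokens (already signature-checked by the time these rules run).
USER_TOKEN = {"sub": "u-1", "preferred_username": "bob", "groups": ["sre"], "department": "platform",
              "aud": ["orchestration-cluster"], "iat": 1_700_000_000, "exp": 1_700_003_600}
CLIENT_TOKEN = {"sub": "svc-1", "azp": "ci-deployer",
                "aud": "orchestration-cluster", "iat": 1_700_000_000, "exp": 1_700_003_600}
MIXED_TOKEN = {"sub": "u-2", "preferred_username": "bob", "azp": "ci-deployer",
               "aud": ["orchestration-cluster"], "iat": 1_700_000_000, "exp": 1_700_003_600}

if __name__ == "__main__":
    for tok in (USER_TOKEN, CLIENT_TOKEN, MIXED_TOKEN):
        print(classify_principal(tok), effective_roles(tok), validate_time_and_audience(tok, now=1_700_000_100))
```

Note the interaction with the defaults: the default username-claim is sub, which every token carries, so with prefer-username-claim left at false a token that also carries the client-id-claim is registered as a client. That is the behaviour you want for machine tokens; if your provider issues both claims on interactive logins, set prefer-username-claim to true or choose a username-claim that only user tokens contain.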

camunda.security.multi-tenancy

PropertyDescriptionDefault value
camunda.security.multi-tenancy.api-enabled

Enables the multi-tenancy API and UI independently from multi-tenancy checks.

true
camunda.security.multi-tenancy.checks-enabled

Enables multi-tenancy checks. This requires the API to be protected (camunda.security.authentication.unprotected-api set to false).

false

camunda.persistent.sessions

PropertyDescriptionDefault value
camunda.persistent.sessions.enabled

Stores session data in secondary storage so users stay logged in across cluster nodes.

false

spring.profiles

PropertyDescriptionDefault value
spring.profiles.active

Note: This property will be deprecated as additional authentication methods become available.

consolidated-auth

CAMUNDA_SECURITY

PropertyDescriptionDefault value
CAMUNDA_SECURITY_IDVALIDATIONPATTERN

A Java regular expression that validates the user-defined identifiers of Identity-related entities.

^[a-zA-Z0-9_@.+-]+$

CAMUNDA_SECURITY_AUTHENTICATION

PropertyDescriptionDefault value
CAMUNDA_SECURITY_AUTHENTICATION_AUTHENTICATIONREFRESHINTERVAL

The interval at which the memberships (groups, roles, tenants, component authorizations) are refreshed for logged-in users. Find more details in webserver and security.

PT30S
CAMUNDA_SECURITY_AUTHORIZATIONS_ENABLED

Enables authorization checks for Orchestration Cluster resources.

true
CAMUNDA_SECURITY_AUTHENTICATION_METHOD

The authentication method to use. Options: basic, oidc.

basic
CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI

If the API can be used without authentication.

false

CAMUNDA_SECURITY_AUTHENTICATION_OIDC

PropertyDescriptionDefault value
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENTID

The client ID for OIDC authentication.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENTSECRET

The client secret for OIDC authentication. Only takes effect if CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENT_AUTHENTICATION_METHOD is set to client_secret_basic or left at its default.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ISSUERURI

The issuer URI for OIDC authentication. If set, the individual endpoints of your OIDC provider are fetched from its well-known configuration endpoint. In this case, any individually configured token, authorization, and JWKS URIs do not take effect.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_REDIRECTURI

The URI the OIDC provider redirects to after user login, pointing back at the Orchestration Cluster. Set this to the externally reachable HTTPS callback URL of your deployment; the default only fits a local development setup.

http://localhost:8080/sso-callback
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_USERNAMECLAIM

The JWT claim that identifies a user. Extracted from a token, this claim value becomes the user's username. This setting is evaluated on any token-based access, regardless of the underlying OIDC/OAuth flow.

sub
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_GROUPSCLAIM

The JWT claim that contains a user's or client's groups. Expects an array of String values. If not set, groups can be managed in the Orchestration Cluster through its REST APIs.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENTIDCLAIM

The JWT claim that identifies a client. Extracted from a token, this claim value becomes the client's ID. This setting is evaluated on any token-based access, regardless of the underlying OIDC/OAuth flow.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_PREFERUSERNAMECLAIM

Determines whether a token that contains both the configured username claim and the configured client ID claim is treated as a user or a client. If set to true, it is treated as a user. If set to false, it is treated as a client.

false
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_AUDIENCES

Comma-separated list of audiences to validate in the OIDC token.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_SCOPE

Comma-separated list of scopes to request in the OIDC token.

openid, profile
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_JWKSETURI

Sets the OIDC provider's JWK Set URI explicitly. Only takes effect if CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ISSUERURI is not set.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_AUTHORIZATIONURI

Sets the OIDC provider's authorization URI explicitly. Only takes effect if CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ISSUERURI is not set.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_TOKENURI

Sets the OIDC provider's token URI explicitly. Only takes effect if CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ISSUERURI is not set.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENT_AUTHENTICATION_METHOD

Sets the client authentication method to use. Options: client_secret_basic, private_key_jwt.

client_secret_basic
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLOCK_SKEW

Sets the allowed clock skew when validating JWT issuance and expiration. Format: ISO 8601 duration (PnDTnHnMn.nS).

60S
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ID_TOKEN_ALGORITHM

Sets the ID token signature algorithm.

RS256

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION

Configuration options for the client assertion used in Bearer JWT client authentication.

note

These properties apply only when CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENT_AUTHENTICATION_METHOD is set to private_key_jwt. The key value refers to the private key ID used to sign the client assertion JWT.

PropertyDescriptionDefault value
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KID_SOURCE

Source for generating the key ID. Options: CERTIFICATE, PUBLIC_KEY.

PUBLIC_KEY
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KID_DIGEST_ALGORITHM

Hash algorithm used to generate the key ID. Options: SHA256, SHA1.

SHA256
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KID_ENCODING

Key ID encoding. Options: BASE64URL, HEX.

BASE64URL
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KID_CASE

Key ID case. Only applicable to HEX encoding. Options: UPPER, LOWER.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KEYSTORE

Configuration of the keystore used to build the client assertion for Bearer JWT client authentication.

note

These properties apply only when CAMUNDA_SECURITY_AUTHENTICATION_OIDC_CLIENT_AUTHENTICATION_METHOD is set to private_key_jwt.

PropertyDescriptionDefault value
CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KEYSTORE_PATH

Path to the PKCS12 keystore.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KEYSTORE_PASSWORD

Keystore password.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KEYSTORE_KEY_ALIAS

Alias of the private key to be used to sign the client assertion.

CAMUNDA_SECURITY_AUTHENTICATION_OIDC_ASSERTION_KEYSTORE_KEY_PASSWORD

Password of the private key.

CAMUNDA_SECURITY_CSRF

PropertyDescriptionDefault value
CAMUNDA_SECURITY_CSRF_ENABLED

Enables or disables CSRF protection. Disabling CSRF protection is not recommended for production environments as it leaves your application vulnerable to cross-site request forgery attacks.

true

CAMUNDA_SECURITY_HTTP_HEADERS

PropertyDescriptionRelated HeaderDefault value
CAMUNDA_SECURITY_HTTP_HEADERS_CACHE_CONTROL_ENABLED

Enables or disables cache prevention headers. Default values: Cache-Control: no-cache, no-store, max-age=0, must-revalidate; Pragma: no-cache; Expires: 0.

Cache-Control, Pragma, Expires

true
CAMUNDA_SECURITY_HTTP_HEADERS_CONTENT_SECURITY_POLICY_ENABLED

Enables or disables CSP headers.

Content-Security-Policy

true
CAMUNDA_SECURITY_HTTP_HEADERS_CONTENT_SECURITY_POLICY_POLICY_DIRECTIVES

Custom CSP directives. If not set, the default values are applied. If set, the value overrides the default CSP policy.

Content-Security-Policy

CAMUNDA_SECURITY_HTTP_HEADERS_CONTENT_SECURITY_POLICY_REPORT_ONLY

Enables reporting mode without enforcing policies.

Content-Security-Policy-Report-Only

false
CAMUNDA_SECURITY_HTTP_HEADERS_CONTENT_TYPE_OPTIONS_ENABLED

Enables or disables the X-Content-Type-Options header with the nosniff value.

X-Content-Type-Options

true
CAMUNDA_SECURITY_HTTP_HEADERS_CROSS_ORIGIN_EMBEDDER_POLICY_VALUE

Restricts embedded cross-origin resources. Options: REQUIRE_CORP, UNSAFE_NONE.

Cross-Origin-Embedder-Policy

UNSAFE_NONE
CAMUNDA_SECURITY_HTTP_HEADERS_CROSS_ORIGIN_OPENER_POLICY_VALUE

Isolates windows from cross-origin openers. Options: UNSAFE_NONE, SAME_ORIGIN_ALLOW_POPUPS, SAME_ORIGIN.

Cross-Origin-Opener-Policy

SAME_ORIGIN_ALLOW_POPUPS
CAMUNDA_SECURITY_HTTP_HEADERS_CROSS_ORIGIN_RESOURCE_POLICY_VALUE

Declares whether resources can be loaded cross-origin. Options: SAME_ORIGIN, SAME_SITE, CROSS_ORIGIN.

Cross-Origin-Resource-Policy

SAME_SITE
CAMUNDA_SECURITY_HTTP_HEADERS_FRAME_OPTIONS_ENABLED

Enables or disables the X-Frame-Options header. The default value is SAMEORIGIN.

X-Frame-Options

true
CAMUNDA_SECURITY_HTTP_HEADERS_FRAME_OPTIONS_MODE

Frame options mode. Options: DENY, SAMEORIGIN.

X-Frame-Options

SAMEORIGIN
CAMUNDA_SECURITY_HTTP_HEADERS_HSTS_ENABLED

Enables or disables the Strict-Transport-Security header.

Strict-Transport-Security

true
CAMUNDA_SECURITY_HTTP_HEADERS_HSTS_INCLUDE_SUBDOMAINS

Applies HSTS to all subdomains.

Strict-Transport-Security

false
CAMUNDA_SECURITY_HTTP_HEADERS_HSTS_MAX_AGE_IN_SECONDS

HSTS max age in seconds.

Strict-Transport-Security

31536000
CAMUNDA_SECURITY_HTTP_HEADERS_HSTS_PRELOAD

Enables HSTS preloading.

Strict-Transport-Security

false
CAMUNDA_SECURITY_HTTP_HEADERS_PERMISSIONS_POLICY_VALUE

Restricts access to browser capabilities.

Permissions-Policy

Disables all features by default
CAMUNDA_SECURITY_HTTP_HEADERS_REFERRER_POLICY_VALUE

Controls referrer information sharing. See available values below.

Referrer-Policy

STRICT_ORIGIN_WHEN_CROSS_ORIGIN

Default Content Security Policy

The default policy is the one listed under camunda.security.http-headers above; the environment variables set the same values.

CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS

PropertyDescriptionDefault value
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_OWNER_TYPE

The owner type to assign to this authorization.

CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_OWNER_ID

The owner ID to assign to this authorization.

CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_RESOURCE_TYPE

The resource type that this authorization applies to.

CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_RESOURCE_ID

The resource ID that this authorization applies to.

CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_PERMISSIONS

Permissions to assign to this authorization. The available permissions vary by resource type.

CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES

PropertyDescriptionDefault value
CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_<ROLE>_CLIENTS_0

Clients assigned to the <role> role.

CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_<ROLE>_GROUPS_0

Groups assigned to the <role> role.

CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_<ROLE>_MAPPINGRULES_0

Mapping rules assigned to the <role> role.

CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_<ROLE>_USERS_0

Users assigned to the <role> role.

CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES

PropertyDescriptionDefault value
CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_CLAIMNAME

The claim of the first mapping rule.

CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_CLAIMVALUE

The claim's value of the first mapping rule.

CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_MAPPINGRULEID

The ID of the first mapping rule.

CAMUNDA_SECURITY_INITIALIZATION_USERS

PropertyDescriptionDefault value
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_EMAIL

The email address of the first user.

CAMUNDA_SECURITY_INITIALIZATION_USERS_0_NAME

The name of the first user.

CAMUNDA_SECURITY_INITIALIZATION_USERS_0_PASSWORD

The password of the first user.

CAMUNDA_SECURITY_INITIALIZATION_USERS_0_USERNAME

The username of the first user.

CAMUNDA_SECURITY_MULTITENANCY

PropertyDescriptionDefault value
CAMUNDA_SECURITY_MULTITENANCY_APIENABLED

Enables the multi-tenancy API and UI independently from multi-tenancy checks.

true
CAMUNDA_SECURITY_MULTITENANCY_CHECKSENABLED

Enables multi-tenancy checks. This requires the API to be protected (CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI set to false).

false

CAMUNDA_PERSISTENT_SESSIONS

PropertyDescriptionDefault value
CAMUNDA_PERSISTENT_SESSIONS_ENABLED

Stores session data in secondary storage so users stay logged in across cluster nodes.

false

SPRING_PROFILES

PropertyDescriptionDefault value
SPRING_PROFILES_ACTIVE

Note: This property will be deprecated as additional authentication methods become available.

consolidated-auth

Security

camunda.security

PropertyDescriptionDefault value
camunda.security.id-validation-pattern

A Java regular expression that validates the user-defined identifiers of Identity-related entities.

^[a-zA-Z0-9_@.+-]+$

camunda.security.authentication

PropertyDescriptionDefault value
camunda.security.authentication.authentication-refresh-interval

The interval at which the memberships (groups, roles, tenants, component authorizations) are refreshed for logged-in users. Find more details in webserver and security.

PT30S
camunda.security.authorizations.enabled

Enables authorization checks for Orchestration Cluster resources.

true
camunda.security.authentication.method

The authentication method to use. Options: basic, oidc.

basic
camunda.security.authentication.unprotected-api

If the API can be used without authentication.

false

camunda.security.csrf

PropertyDescriptionDefault value
camunda.security.csrf.enabled

Enables or disables CSRF protection. Disabling CSRF protection is not recommended for production environments as it leaves your application vulnerable to cross-site request forgery attacks.

true

camunda.security.http-headers

PropertyDescriptionRelated HeaderDefault value
camunda.security.http-headers.cache-control.enabled

Enables or disables cache prevention headers. Default values: Cache-Control: no-cache, no-store, max-age=0, must-revalidate; Pragma: no-cache; Expires: 0.

Cache-Control, Pragma, Expires

true
camunda.security.http-headers.content-security-policy.enabled

Enables or disables CSP headers.

Content-Security-Policy

true
camunda.security.http-headers.content-security-policy.policy-directives

Custom CSP directives. If not set, the default values are applied. If set, the value overrides the default CSP policy.

Content-Security-Policy

camunda.security.http-headers.content-security-policy.report-only

Enables reporting mode without enforcing policies.

Content-Security-Policy-Report-Only

false
camunda.security.http-headers.content-type-options.enabled

Enables or disables the X-Content-Type-Options header with the nosniff value.

X-Content-Type-Options

true
camunda.security.http-headers.cross-origin-embedder-policy.value

Restricts embedded cross-origin resources. Options: REQUIRE_CORP, UNSAFE_NONE.

Cross-Origin-Embedder-Policy

UNSAFE_NONE
camunda.security.http-headers.cross-origin-opener-policy.value

Isolates windows from cross-origin openers. Options: UNSAFE_NONE, SAME_ORIGIN_ALLOW_POPUPS, SAME_ORIGIN.

Cross-Origin-Opener-Policy

SAME_ORIGIN_ALLOW_POPUPS
camunda.security.http-headers.cross-origin-resource-policy.value

Declares whether resources can be loaded cross-origin. Options: SAME_ORIGIN, SAME_SITE, CROSS_ORIGIN.

Cross-Origin-Resource-Policy

SAME_SITE
camunda.security.http-headers.frame-options.enabled

Enables or disables the X-Frame-Options header. The default value is SAMEORIGIN.

X-Frame-Options

true
camunda.security.http-headers.frame-options.mode

Frame options mode. Options: DENY, SAMEORIGIN.

X-Frame-Options

SAMEORIGIN
camunda.security.http-headers.hsts.enabled

Enables or disables the Strict-Transport-Security header.

Strict-Transport-Security

true
camunda.security.http-headers.hsts.include-subdomains

Applies HSTS to all subdomains.

Strict-Transport-Security

false
camunda.security.http-headers.hsts.max-age-in-seconds

HSTS max age in seconds.

Strict-Transport-Security

31536000
camunda.security.http-headers.hsts.preload

Enables HSTS preloading.

Strict-Transport-Security

false
camunda.security.http-headers.permissions-policy.value

Restricts access to browser capabilities.

Permissions-Policy

Disables all features by default
camunda.security.http-headers.referrer-policy.value

Controls referrer information sharing. See available values below.

Referrer-Policy

STRICT_ORIGIN_WHEN_CROSS_ORIGIN

Default Content Security Policy

The default policy is the one listed under the first camunda.security.http-headers table above.

camunda.security.authentication.oidc

PropertyDescriptionDefault value
camunda.security.authentication.oidc.client-id

The client ID for OIDC authentication.

camunda.security.authentication.oidc.client-secret

The client secret for OIDC authentication. Only takes effect if camunda.security.authentication.oidc.client-authentication-method is set to client_secret_basic or left at its default.

camunda.security.authentication.oidc.issuer-uri

The issuer URI for OIDC authentication. If set, the individual endpoints of your OIDC provider are fetched from its well-known configuration endpoint. In this case, any individually configured token, authorization, and JWKS URIs do not take effect.

camunda.security.authentication.oidc.redirect-uri

The URI the OIDC provider redirects to after user login, pointing back at the Orchestration Cluster. Set this to the externally reachable HTTPS callback URL of your deployment; the default only fits a local development setup.

http://localhost:8080/sso-callback
camunda.security.authentication.oidc.username-claim

The JWT claim that identifies a user. Extracted from a token, this claim value becomes the user's username. This setting is evaluated on any token-based access, regardless of the underlying OIDC/OAuth flow.

sub
camunda.security.authentication.oidc.groups-claim

The JWT claim that contains a user's or client's groups. Expects an array of String values. If not set, groups can be managed in the Orchestration Cluster through its REST APIs.

camunda.security.authentication.oidc.client-id-claim

The JWT claim that identifies a client. Extracted from a token, this claim value becomes the client ID. This setting is evaluated on any token-based access, regardless of the underlying OIDC/OAuth flow.

camunda.security.authentication.oidc.prefer-username-claim

Determines whether a token that contains both the configured username claim and the configured client ID claim is treated as a user or a client. If set to true, it is treated as a user. If set to false, it is treated as a client.

false
camunda.security.authentication.oidc.audiences

Comma-separated list of audiences to validate in the OIDC token.

camunda.security.authentication.oidc.scope

Comma-separated list of scopes to request in the OIDC token.

openid, profile
camunda.security.authentication.oidc.jwk-set-uri

Sets the OIDC provider's JWK Set URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

camunda.security.authentication.oidc.authorization-uri

Sets the OIDC provider's authorization URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

camunda.security.authentication.oidc.token-uri

Sets the OIDC provider's token URI explicitly. Only takes effect if camunda.security.authentication.oidc.issuer-uri is not set.

camunda.security.authentication.oidc.client-authentication-method

Sets the client authentication method to use. Options: client_secret_basic, private_key_jwt.

client_secret_basic
camunda.security.authentication.oidc.user-info-enabled

If enabled, enriches the access token with information from the /userinfo endpoint (see section 5.3 of the OIDC specification). Generally safe to leave enabled, but it can be disabled if you do not need additional claims from this endpoint, for example when your provider rate-limits it.

true

camunda.security.authentication.oidc.assertion

Configuration options for the client assertion used in Bearer JWT client authentication.

note

These properties apply only when camunda.security.authentication.oidc.client-authentication-method is set to private_key_jwt. The key value refers to the private key ID used to sign the client assertion JWT.

PropertyDescriptionDefault value
camunda.security.authentication.oidc.assertion.kid-source

Source for generating the key ID. Options: CERTIFICATE, PUBLIC_KEY.

PUBLIC_KEY
camunda.security.authentication.oidc.assertion.kid-digest-algorithm

Hash algorithm used to generate the key ID. Options: SHA256, SHA1.

SHA256
camunda.security.authentication.oidc.assertion.kid-encoding

Key ID encoding. Options: BASE64URL, HEX.

BASE64URL
camunda.security.authentication.oidc.assertion.kid-case

Key ID case. Only applicable to HEX encoding. Options: UPPER, LOWER.

camunda.security.authentication.oidc.assertion.keystore

Configuration of the keystore used to build the client assertion for Bearer JWT client authentication.

note

These properties apply only when camunda.security.authentication.oidc.client-authentication-method is set to private_key_jwt.

PropertyDescriptionDefault value
camunda.security.authentication.oidc.assertion.keystore.path

Path to the PKCS12 keystore.

camunda.security.authentication.oidc.assertion.keystore.password

Keystore password.

camunda.security.authentication.oidc.assertion.keystore.key-alias

Alias of the private key to be used to sign the client assertion.

camunda.security.authentication.oidc.assertion.keystore.key-password

Password of the private key.

camunda.security.initialization.default-roles

PropertyDescriptionDefault value
camunda.security.initialization.default-roles.<role>.clients.[0]

Clients assigned to the <role> role.

camunda.security.initialization.default-roles.<role>.groups.[0]

Groups assigned to the <role> role.

camunda.security.initialization.default-roles.<role>.mappingrules.[0]

Mapping rules assigned to the <role> role.

camunda.security.initialization.default-roles.<role>.users.[0]

Users assigned to the <role> role.

camunda.security.initialization.users

PropertyDescriptionDefault value
camunda.security.initialization.users.[0].email

The email address of the first user. [0] is the first list entry; further users use [1], [2], and so on.

camunda.security.initialization.users.[0].name

The name of the first user.

camunda.security.initialization.users.[0].password

The password of the first user.

camunda.security.initialization.users.[0].username

The username of the first user.

camunda.security.initialization.mappingrules

PropertyDescriptionDefault value
camunda.security.initialization.mappingrules.[0].claim-name

The claim name of the first mapping rule.

camunda.security.initialization.mappingrules.[0].claim-value

The claim value of the first mapping rule.

camunda.security.initialization.mappingrules.[0].mapping-rule-id

The ID of the first mapping rule.
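The following application.yaml fragment is an added example, not configuration from the Camunda documentation or product. It shows how the indexed properties of the default-roles, users and mappingrules tables above are written as YAML lists: each `[0]`, `[1]`, ... becomes one list item. The role name `admin`, the user, client and mapping-rule identifiers, the claim name and value, and the environment variable are all assumptions chosen for illustration.

```yaml
# Added example (not from the Camunda docs): initial user, an OIDC mapping rule
# and the role assignments that bind them. All names below are assumptions.
camunda:
  security:
    initialization:
      users:
        - username: admin                                # users.[0].username
          name: Initial Administrator                    # users.[0].name
          email: admin@example.com                       # users.[0].email
          password: ${CAMUNDA_INITIAL_ADMIN_PASSWORD}    # users.[0].password, never a literal in the file
      mappingrules:
        - mapping-rule-id: idp-platform-admins           # mappingrules.[0].mapping-rule-id
          claim-name: groups                             # mappingrules.[0].claim-name
          claim-value: platform-admins                   # mappingrules.[0].claim-value
      default-roles:
        admin:                                           # the <role> placeholder
          users:
            - admin                                      # default-roles.admin.users.[0]
          mappingrules:
            - idp-platform-admins                        # default-roles.admin.mappingrules.[0]
          clients:
            - deployment-pipeline                        # default-roles.admin.clients.[0]
```

The same values can be supplied as environment variables using Spring Boot's relaxed binding, where dots and dashes become underscores and a list index becomes `_0_`; for example the initial password above can be set as CAMUNDA_SECURITY_INITIALIZATION_USERS_0_PASSWORD, which keeps the only secret in this fragment out of the file entirely.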

camunda.security.multi-tenancy

PropertyDescriptionDefault value
camunda.security.multi-tenancy.api-enabled

Enables the multi-tenancy API and UI independently of the multi-tenancy checks.

true
camunda.security.multi-tenancy.checks-enabled

Enables multi-tenancy checks. This requires the API to be protected by authentication.

false

camunda.security.transport-layer-security.cluster

PropertyDescriptionDefault value
camunda.security.transport-layer-security.cluster.enabled

Enables TLS on internal cluster (broker-to-broker) communication.

false
camunda.security.transport-layer-security.cluster.certificate-chain-path

Sets the path to the certificate chain file.

camunda.security.transport-layer-security.cluster.certificate-private-key-path

Sets the path to the private key file location.

camunda.security.transport-layer-security.cluster.key-store.file-path

Configures the keystore file containing both the certificate chain and the private key. Currently only supports PKCS12 format.

'./cluster.jks'
camunda.security.transport-layer-security.cluster.key-store.password

Configures the keystore password.

${CLUSTER_KEY_STORE_PW}

camunda.persistent.sessions

PropertyDescriptionDefault value
camunda.persistent.sessions.enabled

Stores session data in secondary storage so users stay logged in across cluster nodes.

false

spring.profiles

PropertyDescriptionDefault value
spring.profiles.active

Note: This property will be deprecated as additional authentication methods become available.

consolidated-auth
caution

Disabling CSRF protection is not recommended for production environments as it leaves your application vulnerable to cross-site request forgery attacks.

System

camunda.system

PropertyDescriptionDefault value
camunda.system.cpu-thread-count

Controls the number of non-blocking CPU threads to be used.

Warning: You should never specify a value that is larger than the number of physical cores available.

Good practice is to leave 1-2 cores for IO threads and the operating system (it has to run somewhere).

For example, when running Zeebe on a machine which has 4 cores, a good value would be 2.

2
camunda.system.io-thread-count

Controls the number of io threads to be used.

These threads are used for workloads that write data to disk. While writing, these threads are blocked which means that they yield the CPU.

2
camunda.system.clock-controlled

Controls whether the system clock or a mutable (controllable) clock is used.

If enabled, time progression can be controlled programmatically for testing purposes.

false

camunda.system.restore

PropertyDescriptionDefault value
camunda.system.restore.validate-config

true
camunda.system.restore.ignore-files-in-target

lost + found

camunda.system.actor.idle

PropertyDescriptionDefault value
camunda.system.actor.idle.max-spins

The maximum number of busy-wait spins that an idle actor thread will perform before transitioning to a different idle state in Camunda's actor system.

Null
camunda.system.actor.idle.max-yields

The maximum number of yield operations that an idle actor thread will perform before transitioning to the next idle state in Camunda's actor system.

Null
camunda.system.actor.idle.max-park-period

The maximum duration that an idle actor thread will remain in the parked state in Camunda's actor system.

Null

camunda.system.upgrade

PropertyDescriptionDefault value
camunda.system.upgrade.enable-version-check

Toggles the version check restriction, used for migration.

This is useful for testing migration logic on snapshot or alpha versions.

The default value true means that migrating to an incompatible version, such as a SNAPSHOT or alpha build, is not allowed.

true