Skip to main content
Version: Next

Configuration

The different components of Web Modeler Self-Managed can be configured using environment variables. Each component's variables are described below.

  • For a working example configuration showing how the components are correctly wired together, see the Docker Compose file for Web Modeler.
  • If you are using the Camunda 8 Helm chart to set up Web Modeler, read more about the different configuration options in the chart's values docs.

Licensing

Camunda 8 Self-Managed only

Installations of Camunda 8 Self-Managed which require a license can provide their license key to the components as an environment variable:

Environment variableDescriptionDefault value
CAMUNDA_LICENSE_KEYYour Camunda 8 license key, if your installation requires a license.None

For Helm installations, license keys can be configured globally in your values.yaml file. See the Helm installation documentation for more details.

note

Camunda 8 components without a valid license may display Non-Production License in the navigation bar and issue warnings in the logs. These warnings have no impact on startup or functionality, with the exception that Web Modeler has a limitation of five users. To obtain a license, visit the Camunda Enterprise page.

Configuration of the restapi component

Clusters

Clusters must be configured using the following options to access the cluster from within Web Modeler. If no clusters are configured, you will not be able to perform any actions that require a cluster (for example, deploy, start an instance, or Play a process).

The Camunda 8 Helm and Docker Compose distributions provide a local Zeebe cluster configured by default.

To add additional clusters, increment the 0 value for each variable (CAMUNDA_MODELER_CLUSTERS_1_NAME).

Environment variableDescriptionExample value
CAMUNDA_MODELER_CLUSTERS_0_IDA unique identifier to use for your cluster.test-cluster-1
CAMUNDA_MODELER_CLUSTERS_0_NAMEThe name of your cluster.test cluster 1
CAMUNDA_MODELER_CLUSTERS_0_VERSIONThe Camunda version used by this cluster.8.6.0
CAMUNDA_MODELER_CLUSTERS_0_AUTHENTICATIONThe authentication to use with your cluster.OAUTH, NONE
CAMUNDA_MODELER_CLUSTERS_0_URL_ZEEBE_GRPCThe address where your cluster can be reached.grpcs://zeebe-1.example.com:26500
CAMUNDA_MODELER_CLUSTERS_0_URL_ZEEBE_RESTThe address where the Zeebe REST API can be reached.https://zeebe-1.example.com:8080
CAMUNDA_MODELER_CLUSTERS_0_URL_OPERATEThe address where Operate can be reached.https://operate-1.example.com
CAMUNDA_MODELER_CLUSTERS_0_URL_TASKLISTThe address where Tasklist can be reached.https://tasklist-1.example.com
CAMUNDA_MODELER_CLUSTERS_0_OAUTH_URLThe address of your token issuer.https://auth.example.com/token
CAMUNDA_MODELER_CLUSTERS_0_OAUTH_SCOPEA comma-separated list of the scopes to use with this cluster.test-scope
CAMUNDA_MODELER_CLUSTERS_0_OAUTH_AUDIENCE_ZEEBEThe permission name for Zeebe.zeebe-api
CAMUNDA_MODELER_CLUSTERS_0_OAUTH_AUDIENCE_OPERATEThe permission name for Operate.operate-api
CAMUNDA_MODELER_CLUSTERS_0_OAUTH_AUDIENCE_TASKLISTThe permission name for Tasklist.tasklist-api

Database

Web Modeler requires a PostgreSQL database as persistent data storage (other database systems are currently not supported).

Environment variableDescriptionExample value
SPRING_DATASOURCE_URLJDBC URL of the databasejdbc:postgresql://postgres.example.com:5432/modeler-db
SPRING_DATASOURCE_USERNAMEDatabase user namemodeler-user
SPRING_DATASOURCE_PASSWORDDatabase user password***
SPRING_DATASOURCE_DRIVER_CLASS_NAME[optional]
Java class name of the database driver
software.amazon.jdbc.Driver

Refer to the Advanced Database Configuration Guide for additional details on how to configure Web Modeler's database connection.

SMTP / email

Web Modeler requires an SMTP server to send notification emails to users.

Environment variableDescriptionExample valueDefault value
RESTAPI_MAIL_HOSTSMTP server host namesmtp.example.com-
RESTAPI_MAIL_PORTSMTP server port587-
RESTAPI_MAIL_USER[optional]
SMTP user name
modeler-user-
RESTAPI_MAIL_PASSWORD[optional]
SMTP user password
***-
RESTAPI_MAIL_ENABLE_TLSEnforce TLS encryption for SMTP connections (using STARTTLS).truetrue
RESTAPI_MAIL_FROM_ADDRESSEmail address used as the sender of emails sent by Web Modeler.noreply@example.com-
RESTAPI_MAIL_FROM_NAME[optional]
Name displayed as the sender of emails sent by Web Modeler.
CamundaCamunda
RESTAPI_SERVER_URLURL at which users access Web Modeler in the browser (used to construct links in notification emails).https://modeler.example.com-

WebSocket

The restapi component sends certain events (e.g. "file updated", "comment added") to the WebSocket server.

Environment variableDescriptionExample value
RESTAPI_PUSHER_HOSTInternal host name of the WebSocket server.modeler-websockets
RESTAPI_PUSHER_PORTInternal port number of the WebSocket server.8060
RESTAPI_PUSHER_APP_IDmust be the same as PUSHER_APP_IDweb-modeler
RESTAPI_PUSHER_KEYmust be the same as PUSHER_APP_KEY***
RESTAPI_PUSHER_SECRETmust be the same as PUSHER_APP_SECRET***

Identity / Keycloak

Web Modeler integrates with Identity and Keycloak for authentication and authorization (using OAuth 2.0 + OpenID Connect) as well as user management.

Environment variableDescriptionExample value
CAMUNDA_IDENTITY_BASEURLInternal base URL of the Identity API (used to fetch user data).http://identity:8080
RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL[optional]
Internal URL used to request Keycloak's OpenID Provider Configuration; if not set, SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI is used.
http://keycloak:8080/auth/realms/camunda-platform
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URIURL of the token issuer (used for JWT validation).https://keycloak.example.com/auth/realms/camunda-platform
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI[optional] URL of the JWK Set endpoint (used for JWT validation). Only necessary if URL cannot be derived from the OIDC configuration endpoint.https://keycloak.example.com/auth/realms/camunda-platform/protocol/openid-connect/certs
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWS_ALGORITHMS[optional] List of trusted JWS algorithms used for JWT validation. Only necessary if the algorithms cannot be derived from the JWK Set response.ES256

Refer to the advanced Identity configuration guide for additional details on how to connect a custom OpenID Connect (OIDC) authentication provider.

Zeebe Client

Web Modeler uses the Zeebe Java client to connect to Zeebe. To customize the client configuration, you can provide optional environment variables.

Environment variableDescriptionExample valueDefault Value
ZEEBE_CA_CERTIFICATE_PATH[optional]
Path to a root CA certificate to be used instead of the certificate in the default store.
/path/to/certificate-
ZEEBE_CLIENT_CONFIG_PATH[optional]
Path to the client's OAuth credential cache.
/path/to/credentials/cache.txt$HOME/.camunda/credentials
ZEEBE_CLIENT_REQUESTTIMEOUT[optional]
The request timeout used when communicating with a target Zeebe cluster.
6000010000
ZEEBE_AUTH_CONNECT_TIMEOUT[optional]
The connection timeout for requests to the OAuth server.
300005000
ZEEBE_AUTH_READ_TIMEOUT[optional]
The data read timeout for requests to the OAuth server.
300005000

For more details, see the Zeebe connection troubleshooting section.

Logging

Environment variableDescriptionExample value
LOGGING_CONFIG[optional]
Path to custom logback configuration
file:/full/path/to/custom-logback-config.xml

Refer to the advanced logging configuration guide for additional details on how to customize the restapi logging output.

SSL

Environment variableDescriptionExample valueDefault value
SERVER_SSL_ENABLED[optional]
Whether to enable SSL support.
truefalse
SERVER_SSL_CERTIFICATE[optional]
Path to a PEM-encoded SSL certificate file.
file:/full/path/to/certificate.pem-
SERVER_SSL_CERTIFICATE_PRIVATE_KEY[optional]
Path to a PEM-encoded private key file for the SSL certificate.
file:/full/path/to/key.pem-
MANAGEMENT_SERVER_SSL_ENABLED[optional]
Whether to enable SSL support for the management server routes.
truefalse
MANAGEMENT_SERVER_SSL_CERTIFICATE[optional]
Path to a PEM-encoded SSL certificate file.
file:/full/path/to/certificate.pem-
MANAGEMENT_SERVER_SSL_CERTIFICATE_PRIVATE_KEY[optional]
Path to a PEM-encoded private key file for the SSL certificate.
file:/full/path/to/key.pem-
RESTAPI_PUSHER_SSL_ENABLED[optional]
Whether to enable communication via SSL to the websocket component.
truefalse

Refer to the advanced SSL configuration guide for additional details on how to set up secure connections (incoming & outgoing) to the Web Modeler components.

Configuration of the webapp component

General

Environment variableDescriptionExample valueDefault value
SERVER_URLURL at which users access Web Modeler in the browser.
Note: To use a sub path for Web Modeler, just include the path in the URL.
https://modeler.example.com,
https://example.com/modeler
-
SERVER_HTTPS_ONLYEnforce the usage of HTTPS when users access Web Modeler (by redirecting from http:// to https://).truefalse
RESTAPI_HOSTInternal host name of the restapi application.modeler-restapi-
RESTAPI_PORTInternal port number on which the restapi serves the regular API endpoints.80818081
RESTAPI_MANAGEMENT_PORTInternal port number on which the restapi serves the management API endpoints.80918091

Proxy

These settings are useful when the application needs to make outgoing network requests in environments that require traffic to pass through a proxy server.

Environment variableDescriptionExample valueDefault value
http_proxySpecifies the proxy server to be used for outgoing HTTP requests.http://proxy.example.com:8080-
https_proxySpecifies the proxy server to be used for outgoing HTTPS requests.https://secureproxy.example.com:443-
no_proxyA comma-separated list of domain names or IP addresses for which the proxy should be bypassed.localhost,127.0.0.1,.example.com-
note

The proxy-related environment variables are lowercase because they follow a widely accepted convention used in many system environments and tools.

Feature Flags

Environment variableDescriptionExample valueDefault value
PLAY_ENABLED[optional]
Enables the Play mode in the BPMN editor, allowing users to test processes in a playground environment.
truetrue
ZEEBE_BPMN_DEPLOYMENT_ENABLED[optional]
Enables the Deploy and Run actions in the BPMN editor.
When disabled, it prevents users from deploying and starting instances of processes via the UI.
falsetrue
ZEEBE_DMN_DEPLOYMENT_ENABLED[optional]
Enables the Deploy action in the DMN editor.
When disabled, it prevents users from deploying decisions via the UI.
falsetrue
MARKETPLACE_ENABLED[optional]
Enables the integration of the Camunda Marketplace. If enabled, users can browse the Marketplace and download resources directly inside Web Modeler.
falsetrue

Identity / Keycloak

Environment variableDescriptionExample valueDefault value
OAUTH2_CLIENT_IDClient ID of the Web Modeler application configured in Identity;
must be set to web-modeler.
web-modeler-
OAUTH2_CLIENT_FETCH_REQUEST_CREDENTIALS[optional]
Configuration whether credentials should be sent along with requests to the OIDC provider, see documentation. Use this if you are using a proxy that requires cookies.
include-
OAUTH2_JWKS_URLInternal URL used to request Keycloak's JSON Web Key Set (for JWT verification).http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/certs-
OAUTH2_TOKEN_AUDIENCEExpected token audience (used for JWT validation);
must be set to web-modeler.
web-modeler-
OAUTH2_TOKEN_ISSUERURL of the token issuer (used for JWT validation).https://keycloak.example.com/auth/realms/camunda-platform-
IDENTITY_BASE_URLInternal base URL of the Identity API (used to fetch user data).http://identity:8080-

Refer to the advanced Identity configuration guide for additional details on how to connect a custom OpenID Connect (OIDC) authentication provider.

WebSocket

The webapp component sends certain events (e.g. "user opened diagram", "user left diagram") to the WebSocket server and can also react to such events (e.g. show a notification in the UI that a user left the diagram).

Environment variableDescriptionExample valueDefault value
PUSHER_HOSTInternal host name of the WebSocket server.modeler-websockets-
PUSHER_PORTInternal port number of the WebSocket server.8060-
PUSHER_APP_IDmust be the same as PUSHER_APP_IDweb-modeler-
PUSHER_KEYmust be the same as PUSHER_APP_KEY***-
PUSHER_SECRETmust be the same as PUSHER_APP_SECRET***-
CLIENT_PUSHER_HOSTExternal host name on which the Web Modeler client accesses the WebSocket server from the browser.ws.example.com-
CLIENT_PUSHER_PORTExternal port number on which the Web Modeler client accesses the WebSocket server from the browser.443-
CLIENT_PUSHER_PATH[optional]
must be the same as PUSHER_APP_PATH
/modeler-ws/
CLIENT_PUSHER_KEYmust be the same as PUSHER_APP_KEY***-
CLIENT_PUSHER_FORCE_TLSEnable TLS encryption for WebSocket connections initiated by the browser.truefalse

Logging

Environment variableDescriptionExample value
LOG_FILE_PATH[optional]
Path to log file output
/full/path/to/log/file.log
LOG_LEVEL_CLIENT[optional]
Log level for the client
DEBUG
LOG_LEVEL_WEBAPP[optional]
Log level for the Node.js server
DEBUG

The LOG_LEVEL_* options can be found here. Refer to the Advanced Logging Configuration Guide for additional details on how to customize the webapp logging output.

SSL

Environment variableDescriptionExample valueDefault value
SSL_ENABLED[optional]
Whether to enable SSL support.
truefalse
SSL_CERT[optional]
Path to a PEM-encoded SSL certificate file.
/full/path/to/certificate.pem-
SSL_KEY[optional]
Path to a PEM-encoded private key file for the SSL certificate.
/full/path/to/key.pem-
SSL_PASSPHRASE[optional]
Passphrase for the private key file.
change-me-
MANAGEMENT_SSL_ENABLED[optional]
Whether to enable SSL support for management server routes.
truefalse
MANAGEMENT_SSL_CERT[optional]
Path to a PEM-encoded SSL certificate file.
/full/path/to/certificate.pem-
MANAGEMENT_SSL_KEY[optional]
Path to a PEM-encoded private key file for the SSL certificate.
/full/path/to/key.pem-
MANAGEMENT_SSL_PASSPHRASE[optional]
Passphrase for the private key file.
change-me-
RESTAPI_SSL_ENABLED[optional]
Whether to enable communication via SSL to the restapi component.
truefalse
RESTAPI_MANAGEMENT_SSL_ENABLED[optional]
Whether to enable communication via SSL to the restapi component's management routes.
truefalse

Refer to the advanced SSL configuration guide for additional details on how to set up secure connections (incoming & outgoing) to the Web Modeler components.

Configuration of the websocket component

The WebSocket server shipped with Web Modeler Self-Managed is based on the laravel-websockets open source package and implements the Pusher Channels Protocol.

Environment variableDescriptionExample valueDefault value
PUSHER_APP_IDID of the single application/tenant configured for Web Modeler.web-modeler-
PUSHER_APP_KEYA unique key used for authentication. Provide a random alphanumeric string of at least 20 characters.***-
PUSHER_APP_SECRETA unique secret used for authentication. Provide a random alphanumeric string of at least 20 characters.***-
PUSHER_APP_PATH[optional]
Base path of the WebSocket endpoint. Can be used to expose the endpoint on a sub path instead of the domain root (e.g. https://example.com/modeler-ws).
/modeler-ws/

Logging

Environment variableDescriptionExample valueDefault Value
LOG_CHANNEL[optional]
Log channel driver, see Laravel documentation
singlestack

Refer to the Advanced Logging Configuration Guide for additional details on how to customize the websocket logging output.

SSL

Environment variableDescriptionExample valueDefault Value
PUSHER_SSL_CERT[optional]
Path to a PEM-encoded SSL certificate file.
/full/path/to/certificate.pem-
PUSHER_SSL_KEY[optional]
Path to a PEM-encoded private key file for the SSL certificate.
/full/path/to/key.pem-
PUSHER_SSL_PASSPHRASE[optional]
Passphrase for the private key file.
change-me-

Refer to the advanced SSL configuration guide for additional details on how to set up secure connections (incoming & outgoing) to the Web Modeler components.

Notes on host names and port numbers

  • Internal refers to host names and port numbers that are only used inside a Docker Compose network or Kubernetes cluster for backend-to-backend communication.
  • External refers to host names and port numbers that are exposed to the outside and can be reached from a web browser.