Configuration
Web Modeler Self-Managed is available to enterprise customers only.
The different components of Web Modeler Self-Managed can be configured using environment variables. Each component's variables are described below.
- For a working example configuration showing how the components are correctly wired together, see the Docker Compose file for Web Modeler.
- If you are using the Camunda 8 Helm chart to set up Web Modeler, read more about the different configuration options in the chart's values docs.
Configuration of the restapi component
Database
Web Modeler requires a PostgreSQL database as persistent data storage (other database systems are currently not supported).
Environment variable | Description | Example value |
---|---|---|
SPRING_DATASOURCE_URL | JDBC URL of the database | jdbc:postgresql://postgres.example.com:5432/modeler-db |
SPRING_DATASOURCE_USERNAME | Database user name | modeler-user |
SPRING_DATASOURCE_PASSWORD | Database user password | *** |
SPRING_DATASOURCE_DRIVER_CLASS_NAME | [optional] Java class name of the database driver | software.amazon.jdbc.Driver |
Refer to the Advanced Database Configuration Guide for additional details on how to configure Web Modeler's database connection.
SMTP / email
Web Modeler requires an SMTP server to send notification emails to users.
Environment variable | Description | Example value | Default value |
---|---|---|---|
RESTAPI_MAIL_HOST | SMTP server host name | smtp.example.com | - |
RESTAPI_MAIL_PORT | SMTP server port | 587 | - |
RESTAPI_MAIL_USER | [optional] SMTP user name | modeler-user | - |
RESTAPI_MAIL_PASSWORD | [optional] SMTP user password | *** | - |
RESTAPI_MAIL_ENABLE_TLS | Enforce TLS encryption for SMTP connections (using STARTTLS). | true | true |
RESTAPI_MAIL_FROM_ADDRESS | Email address used as the sender of emails sent by Web Modeler. | noreply@example.com | - |
RESTAPI_MAIL_FROM_NAME | [optional] Name displayed as the sender of emails sent by Web Modeler. | Camunda | Camunda |
RESTAPI_SERVER_URL | URL at which users access Web Modeler in the browser (used to construct links in notification emails). | https://modeler.example.com | - |
WebSocket
The restapi component sends certain events (e.g. "file updated", "comment added") to the WebSocket server.
Environment variable | Description | Example value |
---|---|---|
RESTAPI_PUSHER_HOST | Internal host name of the WebSocket server. | modeler-websockets |
RESTAPI_PUSHER_PORT | Internal port number of the WebSocket server. | 8060 |
RESTAPI_PUSHER_APP_ID | must be the same as PUSHER_APP_ID | web-modeler |
RESTAPI_PUSHER_KEY | must be the same as PUSHER_APP_KEY | *** |
RESTAPI_PUSHER_SECRET | must be the same as PUSHER_APP_SECRET | *** |
Identity / Keycloak
Web Modeler integrates with Identity and Keycloak for authentication and authorization (using OAuth 2.0 + OpenID Connect) as well as user management.
Environment variable | Description | Example value |
---|---|---|
RESTAPI_OAUTH2_TOKEN_ISSUER | URL of the token issuer (used for JWT validation). | https://keycloak.example.com/auth/realms/camunda-platform |
RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL | [optional] Internal URL used to request Keycloak's OpenID Provider Configuration; if not set, RESTAPI_OAUTH2_TOKEN_ISSUER is used. | http://keycloak:8080/auth/realms/camunda-platform |
RESTAPI_IDENTITY_BASE_URL | Internal base URL of the Identity API (used to fetch user data). | http://identity:8080 |
Logging
Environment variable | Description | Example value |
---|---|---|
LOGGING_CONFIG | [optional] Path to custom logback configuration | file:/full/path/to/custom-logback-config.xml |
Refer to the Advanced Logging Configuration Guide for additional details on how to customize the restapi logging output.
Configuration of the webapp component
General
Environment variable | Description | Example value | Default value |
---|---|---|---|
SERVER_URL | URL at which users access Web Modeler in the browser. Note: To use a sub path for Web Modeler, just include the path in the URL. | https://modeler.example.com, https://example.com/modeler | - |
SERVER_HTTPS_ONLY | Enforce the usage of HTTPS when users access Web Modeler (by redirecting from http:// to https://). | true | false |
RESTAPI_HOST | Internal host name of the restapi application. | modeler-restapi | - |
RESTAPI_PORT | Internal port number on which the restapi serves the regular API endpoints. | 8081 | 8081 |
RESTAPI_MANAGEMENT_PORT | Internal port number on which the restapi serves the management API endpoints. | 8091 | 8091 |
PLAY_ENABLED | [optional] Enables the Play mode in the BPMN editor, allowing users to test processes in a playground environment. | true | false |
ZEEBE_BPMN_DEPLOYMENT_ENABLED | [optional] Enables the Deploy and Run actions in the BPMN editor. When disabled, it prevents users from deploying and starting instances of processes via the UI. The entire functionality to hide Deploy and Run actions is available as of 8.2.5. | false | true |
ZEEBE_DMN_DEPLOYMENT_ENABLED | [optional] Enables the Deploy action in the DMN editor. When disabled, it prevents users from deploying decisions via the UI. The entire functionality to hide Deploy and Run actions is available as of 8.2.5. | false | true |
Identity / Keycloak
Environment variable | Description | Example value | Default value |
---|---|---|---|
OAUTH2_CLIENT_ID | Client ID of the Web Modeler application configured in Identity; must be set to web-modeler. | web-modeler | - |
OAUTH2_TOKEN_AUDIENCE | Expected token audience (used for JWT validation); must be set to web-modeler. | web-modeler | - |
OAUTH2_TOKEN_ISSUER | URL of the token issuer (used for JWT validation). | https://keycloak.example.com/auth/realms/camunda-platform | - |
KEYCLOAK_BASE_URL | Base URL of the Keycloak instance. | https://keycloak.example.com | - |
KEYCLOAK_CONTEXT_PATH | [optional] Context path Keycloak serves resources on. Note: With Keycloak 17, the default path was changed from /auth to /. | / | /auth |
KEYCLOAK_REALM | Keycloak realm used for Camunda. | camunda-platform | - |
KEYCLOAK_JWKS_URL | Internal URL used to request Keycloak's JSON Web Key Set (for JWT verification). | http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/certs | - |
IDENTITY_BASE_URL | Internal base URL of the Identity API (used to fetch user data). | http://identity:8080 | - |
WebSocket
The webapp component sends certain events (e.g. "user opened diagram", "user left diagram") to the WebSocket server and can also react to such events (e.g. show a notification in the UI that a user left the diagram).
Environment variable | Description | Example value | Default value |
---|---|---|---|
PUSHER_HOST | Internal host name of the WebSocket server. | modeler-websockets | - |
PUSHER_PORT | Internal port number of the WebSocket server. | 8060 | - |
PUSHER_APP_ID | must be the same as PUSHER_APP_ID | web-modeler | - |
PUSHER_KEY | must be the same as PUSHER_APP_KEY | *** | - |
PUSHER_SECRET | must be the same as PUSHER_APP_SECRET | *** | - |
CLIENT_PUSHER_HOST | External host name on which the Web Modeler client accesses the WebSocket server from the browser. | ws.example.com | - |
CLIENT_PUSHER_PORT | External port number on which the Web Modeler client accesses the WebSocket server from the browser. | 443 | - |
CLIENT_PUSHER_PATH | [optional] must be the same as PUSHER_APP_PATH | /modeler-ws | / |
CLIENT_PUSHER_KEY | must be the same as PUSHER_APP_KEY | *** | - |
CLIENT_PUSHER_FORCE_TLS | Enable TLS encryption for WebSocket connections initiated by the browser. | true | false |
Zeebe Client
Web Modeler uses the Zeebe Java client to connect to Zeebe. To customize the client configuration, you can provide optional environment variables.
Environment variable | Description | Example value | Default value |
---|---|---|---|
ZEEBE_CA_CERTIFICATE_PATH | [optional] Path to a root CA certificate to be used instead of the certificate in the default store. | /path/to/certificate | - |
ZEEBE_CLIENT_CONFIG_PATH | [optional] Path to the client's OAuth credential cache. | /path/to/credentials/cache.txt | $HOME/.camunda/credentials |
ZEEBE_CLIENT_REQUESTTIMEOUT | [optional] The request timeout used when communicating with a target Zeebe cluster. | 60000 | 10000 |
ZEEBE_AUTH_CONNECT_TIMEOUT | [optional] The connection timeout for requests to the OAuth server. | 30000 | 5000 |
ZEEBE_AUTH_READ_TIMEOUT | [optional] The data read timeout for requests to the OAuth server. | 30000 | 5000 |
For more details, see the Zeebe connection troubleshooting section.
Logging
Environment variable | Description | Example value |
---|---|---|
LOG_FILE_PATH | [optional] Path to log file output | /full/path/to/log/file.log |
Refer to the Advanced Logging Configuration Guide for additional details on how to customize the webapp logging output.
Configuration of the websocket component
The WebSocket server shipped with Web Modeler Self-Managed is based on the laravel-websockets open source package and implements the Pusher Channels Protocol.
Environment variable | Description | Example value | Default value |
---|---|---|---|
PUSHER_APP_ID | ID of the single application/tenant configured for Web Modeler. | web-modeler | - |
PUSHER_APP_KEY | A unique key used for authentication. Provide a random alphanumeric string of at least 20 characters. | *** | - |
PUSHER_APP_SECRET | A unique secret used for authentication. Provide a random alphanumeric string of at least 20 characters. | *** | - |
PUSHER_APP_PATH | [optional] Base path of the WebSocket endpoint. Can be used to expose the endpoint on a sub path instead of the domain root (e.g. https://example.com/modeler-ws). | /modeler-ws | / |
Logging
Environment variable | Description | Example value | Default value |
---|---|---|---|
LOG_CHANNEL | [optional] Log channel driver, see Laravel documentation | single | stack |
Refer to the Advanced Logging Configuration Guide for additional details on how to customize the websocket logging output.
Notes on host names and port numbers
- Internal refers to host names and port numbers that are only used inside a Docker Compose network or Kubernetes cluster for backend-to-backend communication.
- External refers to host names and port numbers that are exposed to the outside and can be reached from a web browser.
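
The "must be the same as" and "must be set to" rows above span three components, so a mismatch is easy to miss until WebSocket authentication or login fails. The following pre-deployment check is an added example, not part of Web Modeler or its documentation. The function names, the `env` dictionary layout and the `SAMPLE` values are assumptions made for illustration; the variable names and defaults are the ones listed in the tables.

```python
import secrets
import string

def new_pusher_credential(length=32):
    """Random alphanumeric string from the OS CSPRNG (the page asks for >= 20 chars)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

# (component, variable, websocket variable it must equal), taken from the tables above.
MUST_MATCH = [
    ("restapi", "RESTAPI_PUSHER_APP_ID", "PUSHER_APP_ID"),
    ("restapi", "RESTAPI_PUSHER_KEY", "PUSHER_APP_KEY"),
    ("restapi", "RESTAPI_PUSHER_SECRET", "PUSHER_APP_SECRET"),
    ("webapp", "PUSHER_APP_ID", "PUSHER_APP_ID"),
    ("webapp", "PUSHER_KEY", "PUSHER_APP_KEY"),
    ("webapp", "PUSHER_SECRET", "PUSHER_APP_SECRET"),
    ("webapp", "CLIENT_PUSHER_KEY", "PUSHER_APP_KEY"),
    ("webapp", "CLIENT_PUSHER_PATH", "PUSHER_APP_PATH"),
]
# TLS switches and their documented defaults when the variable is unset.
TLS_SWITCHES = [
    ("restapi", "RESTAPI_MAIL_ENABLE_TLS", "true"),
    ("webapp", "SERVER_HTTPS_ONLY", "false"),
    ("webapp", "CLIENT_PUSHER_FORCE_TLS", "false"),
]

def check(env):
    """env maps component name -> dict of its variables; returns a list of findings."""
    findings = []
    ws = env["websocket"]
    for name in ("PUSHER_APP_KEY", "PUSHER_APP_SECRET"):
        value = ws.get(name, "")
        if len(value) < 20 or not (value.isascii() and value.isalnum()):
            findings.append(f"websocket.{name}: need >= 20 alphanumeric characters")
    for comp, var, ws_var in MUST_MATCH:
        default = "/" if ws_var == "PUSHER_APP_PATH" else None
        if env[comp].get(var, default) != ws.get(ws_var, default):
            findings.append(f"{comp}.{var}: differs from websocket.{ws_var}")
    for var in ("OAUTH2_CLIENT_ID", "OAUTH2_TOKEN_AUDIENCE"):
        if env["webapp"].get(var) != "web-modeler":
            findings.append(f"webapp.{var}: must be set to web-modeler")
    for comp, var, default in TLS_SWITCHES:
        if env[comp].get(var, default).lower() != "true":
            findings.append(f"{comp}.{var}: TLS not enforced")
    return findings

# Constructed sample: a key that is too short and copied only to the restapi.
SAMPLE = {"websocket": {"PUSHER_APP_ID": "web-modeler", "PUSHER_APP_KEY": "short"},
          "restapi": {"RESTAPI_PUSHER_APP_ID": "web-modeler", "RESTAPI_PUSHER_KEY": "short"},
          "webapp": {"PUSHER_APP_ID": "web-modeler", "OAUTH2_CLIENT_ID": "web-modeler"}}
```

Calling `check(SAMPLE)` reports the weak key, the missing secret, the two webapp variables that do not carry the key, the missing token audience, and the two TLS switches left at their `false` default.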