Skip to main content
Version: 8.2

Configuration

note

Web Modeler Self-Managed is available to enterprise customers only.

The different components of Web Modeler Self-Managed can be configured using environment variables. Each component's variables are described below.

  • For a working example configuration showing how the components are correctly wired together, see the Docker Compose file for Web Modeler.
  • If you are using the Camunda 8 Helm chart to set up Web Modeler, read more about the different configuration options in the chart's values docs.

Configuration of the restapi component

Database

Web Modeler requires a PostgreSQL database as persistent data storage (other database systems are currently not supported).

Environment variableDescriptionExample value
SPRING_DATASOURCE_URLJDBC URL of the databasejdbc:postgresql://postgres.example.com:5432/modeler-db
SPRING_DATASOURCE_USERNAMEDatabase user namemodeler-user
SPRING_DATASOURCE_PASSWORDDatabase user password***
SPRING_DATASOURCE_DRIVER_CLASS_NAME[optional]
Java class name of the database driver
software.amazon.jdbc.Driver

Refer to the Advanced Database Configuration Guide for additional details on how to configure Web Modeler's database connection.

SMTP / email

Web Modeler requires an SMTP server to send notification emails to users.

Environment variableDescriptionExample valueDefault value
RESTAPI_MAIL_HOSTSMTP server host namesmtp.example.com-
RESTAPI_MAIL_PORTSMTP server port587-
RESTAPI_MAIL_USER[optional]
SMTP user name
modeler-user-
RESTAPI_MAIL_PASSWORD[optional]
SMTP user password
***-
RESTAPI_MAIL_ENABLE_TLSEnforce TLS encryption for SMTP connections (using STARTTLS).truetrue
RESTAPI_MAIL_FROM_ADDRESSEmail address used as the sender of emails sent by Web Modeler.noreply@example.com-
RESTAPI_MAIL_FROM_NAME[optional]
Name displayed as the sender of emails sent by Web Modeler.
CamundaCamunda
RESTAPI_SERVER_URLURL at which users access Web Modeler in the browser (used to construct links in notification emails).https://modeler.example.com-

WebSocket

The restapi component sends certain events (e.g. "file updated", "comment added") to the WebSocket server.

Environment variableDescriptionExample value
RESTAPI_PUSHER_HOSTInternal host name of the WebSocket server.modeler-websockets
RESTAPI_PUSHER_PORTInternal port number of the WebSocket server.8060
RESTAPI_PUSHER_APP_IDmust be the same as PUSHER_APP_IDweb-modeler
RESTAPI_PUSHER_KEYmust be the same as PUSHER_APP_KEY***
RESTAPI_PUSHER_SECRETmust be the same as PUSHER_APP_SECRET***

Identity / Keycloak

Web Modeler integrates with Identity and Keycloak for authentication and authorization (using OAuth 2.0 + OpenID Connect) as well as user management.

Environment variableDescriptionExample value
RESTAPI_OAUTH2_TOKEN_ISSUERURL of the token issuer (used for JWT validation).https://keycloak.example.com/auth/realms/camunda-platform
RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL[optional]
Internal URL used to request Keycloak's OpenID Provider Configuration; if not set, RESTAPI_OAUTH2_TOKEN_ISSUER is used.
http://keycloak:8080/auth/realms/camunda-platform
RESTAPI_IDENTITY_BASE_URLInternal base URL of the Identity API (used to fetch user data).http://identity:8080

Logging

Environment variableDescriptionExample value
LOGGING_CONFIG[optional]
Path to custom logback configuration
file:/full/path/to/custom-logback-config.xml

Refer to the Advanced Logging Configuration Guide for additional details on how to customize the restapi logging output.

Configuration of the webapp component

General

Environment variableDescriptionExample valueDefault value
SERVER_URLURL at which users access Web Modeler in the browser.
Note: To use a sub path for Web Modeler, just include the path in the URL.
https://modeler.example.com,
https://example.com/modeler
-
SERVER_HTTPS_ONLYEnforce the usage of HTTPS when users access Web Modeler (by redirecting from http:// to https://).truefalse
RESTAPI_HOSTInternal host name of the restapi application.modeler-restapi-
RESTAPI_PORTInternal port number on which the restapi serves the regular API endpoints.80818081
RESTAPI_MANAGEMENT_PORTInternal port number on which the restapi serves the management API endpoints.80918091
PLAY_ENABLED[optional]
Enables the Play mode in the BPMN editor, allowing users to test processes in a playground environment.
truefalse
ZEEBE_BPMN_DEPLOYMENT_ENABLED[optional]
Enables the Deploy and Run actions in the BPMN editor.
When disabled, it prevents users from deploying and starting instances of processes via the UI. The entire functionality to hide Deploy and Run actions is available as of 8.2.5.
falsetrue
ZEEBE_DMN_DEPLOYMENT_ENABLED[optional]
Enables the Deploy action in the DMN editor.
When disabled, it prevents users from deploying decisions via the UI. The entire functionality to hide Deploy and Run actions is available as of 8.2.5.
falsetrue

Identity / Keycloak

Environment variableDescriptionExample valueDefault value
OAUTH2_CLIENT_IDClient ID of the Web Modeler application configured in Identity;
must be set to web-modeler.
web-modeler-
OAUTH2_TOKEN_AUDIENCEExpected token audience (used for JWT validation);
must be set to web-modeler.
web-modeler-
OAUTH2_TOKEN_ISSUERURL of the token issuer (used for JWT validation).https://keycloak.example.com/auth/realms/camunda-platform-
KEYCLOAK_BASE_URLBase URL of the Keycloak instance.https://keycloak.example.com-
KEYCLOAK_CONTEXT_PATH[optional]
Context path Keycloak serves resources on.
Note: With Keycloak 17, the default path was changed from /auth to /.
//auth
KEYCLOAK_REALMKeycloak realm used for Camunda.camunda-platform-
KEYCLOAK_JWKS_URLInternal URL used to request Keycloak's JSON Web Key Set (for JWT verification).http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/certs-
IDENTITY_BASE_URLInternal base URL of the Identity API (used to fetch user data).http://identity:8080-

WebSocket

The webapp component sends certain events (e.g. "user opened diagram", "user left diagram") to the WebSocket server and can also react to such events (e.g. show a notification in the UI that a user left the diagram).

Environment variableDescriptionExample valueDefault value
PUSHER_HOSTInternal host name of the WebSocket server.modeler-websockets-
PUSHER_PORTInternal port number of the WebSocket server.8060-
PUSHER_APP_IDmust be the same as PUSHER_APP_IDweb-modeler-
PUSHER_KEYmust be the same as PUSHER_APP_KEY***-
PUSHER_SECRETmust be the same as PUSHER_APP_SECRET***-
CLIENT_PUSHER_HOSTExternal host name on which the Web Modeler client accesses the WebSocket server from the browser.ws.example.com-
CLIENT_PUSHER_PORTExternal port number on which the Web Modeler client accesses the WebSocket server from the browser.443-
CLIENT_PUSHER_PATH[optional]
must be the same as PUSHER_APP_PATH
/modeler-ws/
CLIENT_PUSHER_KEYmust be the same as PUSHER_APP_KEY***-
CLIENT_PUSHER_FORCE_TLSEnable TLS encryption for WebSocket connections initiated by the browser.truefalse

Zeebe Client

Web Modeler uses the Zeebe Java client to connect to Zeebe. To customize the client configuration, you can provide optional environment variables.

Environment variableDescriptionExample valueDefault Value
ZEEBE_CA_CERTIFICATE_PATH[optional]
Path to a root CA certificate to be used instead of the certificate in the default store.
/path/to/certificate-
ZEEBE_CLIENT_CONFIG_PATH[optional]
Path to the client's OAuth credential cache.
/path/to/credentials/cache.txt$HOME/.camunda/credentials
ZEEBE_CLIENT_REQUESTTIMEOUT[optional]
The request timeout used when communicating with a target Zeebe cluster.
6000010000
ZEEBE_AUTH_CONNECT_TIMEOUT[optional]
The connection timeout for requests to the OAuth server.
300005000
ZEEBE_AUTH_READ_TIMEOUT[optional]
The data read timeout for requests to the OAuth server.
300005000

For more details, see the Zeebe connection troubleshooting section.

Logging

Environment variableDescriptionExample value
LOG_FILE_PATH[optional]
Path to log file output
/full/path/to/log/file.log

Refer to the Advanced Logging Configuration Guide for additional details on how to customize the webapp logging output.

Configuration of the websocket component

The WebSocket server shipped with Web Modeler Self-Managed is based on the laravel-websockets open source package and implements the Pusher Channels Protocol.

Environment variableDescriptionExample valueDefault value
PUSHER_APP_IDID of the single application/tenant configured for Web Modeler.web-modeler-
PUSHER_APP_KEYA unique key used for authentication. Provide a random alphanumeric string of at least 20 characters.***-
PUSHER_APP_SECRETA unique secret used for authentication. Provide a random alphanumeric string of at least 20 characters.***-
PUSHER_APP_PATH[optional]
Base path of the WebSocket endpoint. Can be used to expose the endpoint on a sub path instead of the domain root (e.g. https://example.com/modeler-ws).
/modeler-ws/

Logging

Environment variableDescriptionExample valueDefault Value
LOG_CHANNEL[optional]
Log channel driver, see Laravel documentation
singlestack

Refer to the Advanced Logging Configuration Guide for additional details on how to customize the websocket logging output.

Notes on host names and port numbers

  • Internal refers to host names and port numbers that are only used inside a Docker Compose network or Kubernetes cluster for backend-to-backend communication.
  • External refers to host names and port numbers that are exposed to the outside and can be reached from a web browser.