Version: 8.8 (unreleased)

Database

This page describes advanced database connection configuration for Web Modeler. For a general guide on how to set up Web Modeler's database connection, visit the configuration overview. Web Modeler supports multiple database vendors. PostgreSQL will be used by default.

Configuring SSL for the database connection

The generic way to configure an SSL connection between Web Modeler and the database is as follows:

Modify the JDBC URL SPRING_DATASOURCE_URL and customize connection parameters.
Provide SSL certificates and keys to the restapi component, if required.

Consult the PostgreSQL documentation for a description of the different SSL modes and the security provided.

For a full list of all available connection parameters, visit the PostgreSQL documentation.

Below are examples for common scenarios, increasing in the level of security they provide.

SSL mode "require"

In this mode, an SSL connection is established between Web Modeler and the database. It is still prone to person-in-the-middle attacks.

To enable this mode, modify the JDBC URL as follows: jdbc:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME]?sslmode=require

No certificates are needed in Web Modeler for this mode.

SSL mode "verify-full"

In this mode, Web Modeler requests a certificate from the database server to verify its identity. It is not prone to person-in-the-middle attacks.

To enable this mode, mount the root certificate with which the server certificate was signed and follow these steps:

Provide the root certificate at this location: myCA.crt -> ~/.postgresql/root.crt.
Modify the JDBC URL: jdbc:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME]?ssl=true.

SSL mode "verify-full" with client certificates

In this mode, Web Modeler requests a certificate from the database server to verify the server's identity, and the server requests a certificate from the client to verify the client's identity.

To enable this mode, mount the client certificates and follow these steps:

Provide client certificates at these locations:
1. myClientCertificate.pk8 -> ~/.postgresl/postgresql.pk8
2. myClientCertificate.crt -> ~/.postgresl/postgresql.crt
Provide the root certificate at this location: myCA.crt -> ~/.postgresql/root.crt.
Modify the JDBC URL: jdbc:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME]?ssl=true.

Furthermore, configure the database server to verify client certificates: PostgreSQL documentation.

Running Web Modeler on Amazon Aurora PostgreSQL

Web Modeler supports running on Amazon Aurora PostgreSQL. To connect Web Modeler with your Amazon Aurora PostgreSQL instance, make the following configuration adjustments:

Modify the SPRING_DATASOURCE_URL environment variable: jdbc:aws-wrapper:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME].
Add the environment variable SPRING_DATASOURCE_DRIVER_CLASS_NAME with the value software.amazon.jdbc.Driver.

For a full list of available driver parameters visit the AWS JDBC Driver documentation.

AWS IAM authentication

To use AWS Identity and Access Management (IAM) database authentication with your Amazon Aurora PostgreSQL instance, in addition to the adjustments described above, follow these steps:

Modify the SPRING_DATASOURCE_URL environment variable as follows: jdbc:aws-wrapper:postgresql://[DB_HOST]:[DB_PORT]/[DB_NAME]?wrapperPlugins=iam.
Modify the SPRING_DATASOURCE_USERNAME environment variable to match the database user you configured for AWS IAM authentication as described in the Amazon Aurora documentation.
Remove the SPRING_DATASOURCE_PASSWORD environment variable.

Using alternative database vendors

Oracle

As the Oracle driver is not provided by default in each of the Camunda 8 distributions, you must download the driver and supply it for the application to load.

Download the appropriate Oracle driver: https://www.oracle.com/database/technologies/appdev/jdbc-downloads.html.
If you are using Docker or Kubernetes, ensure that the folder with the library is properly mounted as a volume at this location: /driver-lib. It will be automatically loaded by the application.

To use a custom database driver, set SPRING_DATASOURCE_DRIVER_CLASS_NAME to the fully qualified class name of your driver. Otherwise, omit this variable.

Environment variables
values.yaml
application.yaml

SPRING_DATASOURCE_URL="jdbc:oracle:thin:@//[DB_HOST]:[DB_PORT]/[DB_NAME]"
SPRING_DATASOURCE_USERNAME="[DB_USER]"
SPRING_DATASOURCE_PASSWORD="[DB_PASSWORD]"
SPRING_DATASOURCE_DRIVER_CLASS_NAME="[YOUR_CUSTOM_DRIVER]" # Optional; omit to use default Oracle driver

webModeler:
  restapi:
    externalDatabase:
      enabled: true
      url: "jdbc:oracle:thin:@//[DB_HOST]:[DB_PORT]/[DB_NAME]"
      user: "[DB_USER]"
      password: "[DB_PASSWORD]"
    env:
      - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME # Optional; omit to use default Oracle driver
        value: "[YOUR_CUSTOM_DRIVER]"
    extraVolumeMounts:
      - name: oracle-driver
        mountPath: /driver-lib
    extraVolumes:
      - name: oracle-driver
        emptyDir: {}
    initContainers:
      - name: fetch-jdbc-drivers
        image: alpine:3.22.1
        imagePullPolicy: "Always"
        command:
          [
            "sh",
            "-c",
            "wget https://download.oracle.com/otn-pub/otn_software/jdbc/237/ojdbc17.jar -O /driver-lib/ojdbc.jar",
          ]
        volumeMounts:
          - name: oracle-driver
            mountPath: /driver-lib
        securityContext:
          runAsUser: 1001

spring:
  datasource:
    url: jdbc:oracle:thin:@//[DB_HOST]:[DB_PORT]/[DB_NAME]
    username: [DB_USER]
    password: [DB_PASSWORD]
    driver-class-name: [YOUR_CUSTOM_DRIVER] # Optional; omit to use default Oracle driver

MSSQL

The MSSQL driver is provided by default, so no additional steps are necessary to provide the driver.

To use a custom database driver, set SPRING_DATASOURCE_DRIVER_CLASS_NAME to the fully qualified class name of your driver. Otherwise, omit this variable.

Environment variables
values.yaml
application.yaml

SPRING_DATASOURCE_URL="jdbc:sqlserver://[DB_HOST]:[DB_PORT];databaseName=[DB_NAME]"
SPRING_DATASOURCE_USERNAME="[DB_USER]"
SPRING_DATASOURCE_PASSWORD="[DB_PASSWORD]"
SPRING_DATASOURCE_DRIVER_CLASS_NAME="[YOUR_CUSTOM_DRIVER]" # Optional; omit to use default MSSQL driver

webModeler:
  restapi:
    externalDatabase:
      enabled: true
      url: "jdbc:sqlserver://[DB_HOST]:[DB_PORT];databaseName=[DB_NAME]"
      user: "[DB_USER]"
      password: "[DB_PASSWORD]"
    env:
      - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME # Optional; omit to use default MSSQL driver
        value: "[YOUR_CUSTOM_DRIVER]"

spring:
  datasource:
    url: jdbc:sqlserver://[DB_HOST]:[DB_PORT];databaseName=[DB_NAME]
    username: [DB_USER]
    password: [DB_PASSWORD]
    driver-class-name: [YOUR_CUSTOM_DRIVER] # Optional; omit to use default MSSQL driver

Case sensitivity

MSSQL is case-insensitive by default. To enable case sensitivity, set the database collation to a case-sensitive one. We recommend using Latin1_General_CS_AS.

Not doing so may lead to unexpected behavior. The only known restriction currently is that extraction fields in IDP extraction will not be case-sensitive. This means that if you have a field named amount, you can't create another field named Amount as the database will treat them as the same.

Configuring SSL for the database connection​

SSL mode "require"​

SSL mode "verify-full"​

SSL mode "verify-full" with client certificates​

Running Web Modeler on Amazon Aurora PostgreSQL​

AWS IAM authentication​

Using alternative database vendors​

Oracle​

MSSQL​

Case sensitivity​