macma/macma-core

JDBC database connection string. MACMA Core supports MSSQL and Oracle (19+) database.

Yes

-

Username for accessing the database, must have default schema of DATASOURCE_DEFAULT_SCHEMA.

Yes

-

Password to access the database.

Yes

-

Driver class used to access the database. Valid values:

Yes

com.microsoft.sqlserver.jdbc.SQLServerDriver

Schema to use on MSSQL database.

Only for MSSQL, must be the default schema for DATASOURCE_USERNAME.

dbo

The property controls the maximum size that the pool is allowed to reach, including both idle and in-use connections. Basically this value will determine the maximum number of actual connections to the database.

No.

20

The property controls the minimum number of idle connections that HikariCP tries to maintain in the pool, including both idle and in-use connections. If the idle connections dip below this value, HikariCP will make a best effort to restore them quickly and efficiently.

No.

10

The environment’s MACMA client id.

No

macma

The environment’s MACMA client secret.

Yes

-

Cache revalidation time for application ACL.

No

30

Cache revalidation time for user ACL.

No

2

Disable TLS / HTTPS. Set to true, if LOCAL_NETWORK_BASE_URL’s protocol is HTTP

No

true

Import all default certificates from the Ubuntu ca-certificates package to Java. Custom certificates that are mounted to /certificates are imported as well. Required to enable TLS.

No

true

Number of bootstrapping attempts (initialization of root tenant and own resources). Some retries may be required until the Keycloak component is ready to accept requests.

No

50

The ID of the root tenant. Default realm for registration at portal and login.

Yes

-

The initial name of the root tenant. After the initial setup, changing this value will have no effect.

No (but highly recommended to set the correct value for the initial setup)

first customer tenant

Public URL to Keycloak instance to match the token’s issuer URL. Must not end with a slash. The base URL is the part in front of the /auth context path offered by Keycloak.

Yes

-

URL to directly connect to the auth server, ideally on the internal network for improved performance. This URL is the part in front of the /auth context path offered by Keycloak.

No

http://keycloak-22-service

URL to directly connect to the auth server management endpoints (i.e. health endpoints), ideally on the internal network for improved performance. This URL is the part in front of the /auth context path offered by Keycloak.

No

http://keycloak-22-service:9000

Client secret of the admin client in the master realm, which is required by MACMA to control Keycloak.

Yes

-

Name of the admin user created on bootstrapping.

No, but if not provided no admin user will be created.

-

Password of the admin user created on bootstrapping. Has to be changed on first login.

No, but required if MACMA_USERNAME is set.

-

Enable caching for MACMA’s own ACL.

No

true

Cache expiration time in seconds for MACMA’s own ACL cache.

No

300

Enable caching for userinfo requests.

No

true

Cache expiration time in seconds for userinfo requests.

No

5

Initial cache capacity for userinfo requests.

No

100

Maximum cache capacity for userinfo requests. Set according to expected number of concurrent users.

No

1000

Enable caching for tenant ACLs. Tenant ACLs are used to calculate the user ACL, which is requested by frontends.

No

true

Cache expiration time in seconds for tenant ACLs. Tenant ACLs are used to calculate the user ACL, which is requested by frontends.

No

300

Initial cache capacity for tenant ACLs. Tenant ACLs are used to calculate the user ACL, which is requested by frontends.

No

30

Maximum cache capacity for tenant ACLs. Tenant ACLs are used to calculate the user ACL, which is requested by frontends. For high values and/or large ACLs you need to increase macma-core.system-resources.

No

300

Enable caching for application ACLs. Applications are requesting their own cross-tenant ACL from MACMA.

No

true

Cache expiration time in seconds for other applications' ACLs. Applications are requesting their own cross-tenant ACL from MACMA.

No

300

Initial cache capacity for application ACLs. Applications are requesting their own cross-tenant ACL from MACMA.

No

30

Maximum cache capacity for application ACLs. Applications are requesting their own cross-tenant ACL from MACMA. For high values and/or large ACLs you need to increase macma-core.system-resources.

No

60

Maximum recommended cache time (in s) for introspection results sent by MACMA for user tokens (should be small).

No

5

Maximum recommended cache time (in s) for introspection results sent by MACMA for client tokens.

No

150

Maximum allowed filesize for file upload e.g. for configuration file. Increasing the value can cause OutOfMemory errors.. The value for NEXEED_MACMA_DEFAULT_MAX_BODY_SIZE_IN_MB has to be larger or equal to NEXEED_MACMA_MAX_FILE_UPLOAD_SIZE_IN_MB.

No

8

Maximum allowed request body size.

No

8

Host name of RabbitMQ.

Yes

-

Port of RabbitMQ.

no (if default is correct)

5672

Vhost setting of MACMA within RabbitMQ.

Yes

-

Enable SSL, valid values are true and false.

Yes

-

RabbitMQ user for MACMA system.

Yes

-

Password for RabbitMQ user.

Yes

-

Enable OpenTelemetry agent.

No

false

URL of the elastic APM server.

Yes (if enabled by OTEL_ENABLED)

-

Logs exporter to be used.

No

none

Metrics exporter to be used.

No

none

Traces exporter to be used.

No

none

The transport protocol of OpenTelemetry Exporter.

No

grpc

Specifies the Sampler used to sample traces by the OpenTelemetry SDK.

No

parentbased_always_on

Specifies argument for the trace smapler. Each Sampler type defines its own expected input.

No

-

Key-value pairs to be used as resource attributes for OpenTelemetry SDK, containing e.g. service.name, service.version, deployment.environment.

Yes (if enabled by OTEL_ENABLED)

-

Header of OpenTelemetry exporter including authentication at the APM server.

Yes (if enabled by OTEL_ENABLED)

-

Key to identify the Azure Insights resource.

No

-

If present activates azure ApplicationsInsightsAppender.

Yes

-

Default loglevel except for the following explicit settings.

No

WARN

Loglevel for everything Spring (but not Spring Boot).

No

WARN

Loglevel for everything Spring Boot.

No

WARN

Loglevel for everything Spring SECURITY.

No

WARN

Loglevel for Bosch Components.

No

WARN

Loglevel for Netty.

No

WARN

Loglevel for Hibernate.

No

WARN

Loglevel for Liquibase.

No

INFO

Loglevel for security logger.

No

INFO

Enable '/health' endpoint, to expose application health information.

No

true

When to show full health details. Valid values: never, when_authorized, always.

No

when_authorized

Enable liveness and readiness probes. Use in combination with MANAGEMENT_HEALTH_LIVENESSSTATE_ENABLED and MANAGEMENT_HEALTH_READINESSSTATE_ENABLED to enable '/health/liveness' and '/health/readiness' endpoints

No

true

Enable liveness state health check. Use in combination with MANAGEMENT_ENDPOINT_HEALTH_PROBES_ENABLED to enable '/health/liveness' endpoint

No

true

Enable readiness state health check. Use in combination with MANAGEMENT_ENDPOINT_HEALTH_PROBES_ENABLED to enable '/health/readiness' endpoint

No

true

Comma separated list of health indicator IDs that should be included for the liveness probe (or '*' for all).

No

livenessState

Comma separated list of health indicator IDs that should be included for the readiness probe (or '*' for all).

No

readinessState,db,keycloak

Enable RabbitMQ Health Indicator. If enabled, use 'rabbit' as the health indicator ID to include it in the liveness or readiness health group (see MANAGEMENT_ENDPOINT_HEALTH_GROUP_LIVENESS_INCLUDE and MANAGEMENT_ENDPOINT_HEALTH_GROUP_READINESS_INCLUDE)

No

true

Enable Database Health Indicator. If enabled, use 'db' as the health indicator ID to include it in the liveness or readiness health group (see MANAGEMENT_ENDPOINT_HEALTH_GROUP_LIVENESS_INCLUDE and MANAGEMENT_ENDPOINT_HEALTH_GROUP_READINESS_INCLUDE)

No

No

true

Enable Keycloak Health Indicator. If enabled, use 'keycloak' as the health indicator ID to include it in the liveness or readiness health group (see MANAGEMENT_ENDPOINT_HEALTH_GROUP_LIVENESS_INCLUDE and MANAGEMENT_ENDPOINT_HEALTH_GROUP_READINESS_INCLUDE)

No

No

true

Timeout in seconds for the shutdown of any phase (group of SmartLifecycle beans with the same 'phase' value), when the shutdown mode is set to graceful

No

45

Whether the executor should wait for scheduled tasks to complete on shutdown, when the shutdown mode is set to graceful

No

true

Maximum time in seconds the executor should wait for remaining tasks to complete, when the shutdown mode is set to graceful

No

45

Whether the scheduler should wait for scheduled tasks to complete on shutdown, when the shutdown mode is set to graceful

No

true

Maximum time in seconds the scheduler should wait for remaining tasks to complete, when the shutdown mode is set to graceful

No

45

Allowed values: graceful or immediate

No

graceful

Activity Logs Retention time in days

No

90

Delay (in minutes) after application startup when the Activity Logs Clean-up task is started

No

1

Scheduled period (in hours) when the Activity Logs Clean-up task is executed

No

24

Retention time (in hours) after incomplete access configuration jobs are deleted. Incomplete jobs are in state PARSED or UPLOADED.

No

4

Initial delay (in minutes) after application startup when the access configuration cleanup task is started.

No

30

Fixed delay (in hours) between executions of the access configuration cleanup task.

No

2

Autodetected domains that are used to setup Entra ID identity providers. The domains need to be separated by a comma. Defaults are taken from the official Microsoft documentation.

No

login.microsoftonline.com,login.partner.microsoftonline.cn,login.microsoftonline.us

Specify the schedule to run the cleanup of deleted tenants. The value is a cron-like expression, extending the usual UN*X definition to include triggers on the second, minute, hour, day of month, month, and day of week. The special value "-" indicates a disabled cron trigger. See also CronExpression parsing.

No

@weekly