You are viewing the documentation for Blueriq 16. Documentation for other versions is available in our documentation directory.
This page described all the properties that can be set for the runtime.
The message properties are not in these lists because of the self explanatory properties in these files (default and language variants) and the sheer amount of them.
But to give you an idea, here is an example of a messages*.properties file: messages_en-GB.properties.
- Aggregates Properties
- AQ_MailService Properties
- Cluster Properties and Messages
- CMIS Properties
- Connections Properties
- Domain Schema Properties
- Export Properties
- Multi-tenancy Properties
- MVC UI Properties
- OpenID Connect Properties
- Process Module Properties
- Publisherclient Properties
- Runtime API Properties
- Security LDAP Properties
- Security Properties
- Shortcuts Properties
- Session header properties
- Webresources Properties
- Development Properties
- External Flow Properties
- Case Engine Client Properties
- Model Preloading properties
- Case Engine Properties
- Legacy Properties
- Datasources Properties
- Document Renderer Client Properties
- Miscellaneous Properties
- JWT Mapping properties
- JWT Authentication Properties
- Audit Properties
All properties
| Subject | Property | Default | Explanation | Property file | Additional information |
|---|---|---|---|---|---|
| Aggregates | blueriq.customerdata-client.list.record.limit | 10 | Maxiumum results of the search. |
| |
| blueriq.customerdata-client.url | Url for the customerdata service |
| |||
| blueriq.customerdata-client.username | Username used for authentication against the customerdata service |
| |||
| blueriq.customerdata-client.password | Password used for authentication against the customerdata service |
| |||
| blueriq.customerdata-client.preemptive-authentication | true | Use preemptive authentication |
| since 11.8 | |
| blueriq.customerdata-client.socket-timeout | 120 (seconds) | Time waiting for data – after establishing the connection; maximum time of inactivity between two data packets |
| Note: exception thrown can still cause data changes on Customer Data Service side, because connection has been established. | |
| blueriq.customerdata-client.connect-timeout | 10 (seconds) | Time to establish the connection with the remote host |
| ||
| blueriq.customerdata-client.connection-request-timeout | 10 (seconds) | Time to wait for a connection from the connection manager/pool |
| https://hc.apache.org/httpclient-legacy/preference-api.html |
| Subject | Property | Default | Explanation | Property file |
|---|---|---|---|---|
| Service call type: AQ_MailService | blueriq.mail.dkim.domain_alias.name | Specifies the domain name for dkim. |
| |
| blueriq.mail.dkim.domain_alias.enabled | false | Enable/disable dkim. |
| |
| blueriq.mail.dkim.domain_alias.selector | Specifies the DNS selector for dkim. |
| ||
| blueriq.mail.dkim.domain_alias.private-key-file | Specify the path to the private key file used for dkim in signing email messages. |
|
Properties
| Subject | Property | Default | Explanation | Property file |
|---|---|---|---|---|
| Cluster | blueriq.session.session-manager | Configures the type of session manager used. The session manager can be 'memory', 'external' or a custom implemented bean. | | |
| blueriq.session.request-ward-enabled | false | Toggle to enable request wards |
|
Messages
| Subject | Key | Explanation |
|---|---|---|
| Cluster | request-ward.invalid.title | The title of the error message when request ward validation fails |
| request-ward.invalid.message | The error message when request ward validation fails |
| Subject | Property | Explanation | |
|---|---|---|---|
| CMIS | blueriq.cmis.user | The username needed for the cmis connection. | application- |
| blueriq.cmis.password | The password needed for the cmis connection. |
| |
| blueriq.cmis.services-url | The serviceURL of the cmis connection. |
| |
| blueriq.cmis.repository-id | The repository on the filesystem the cmis connection connects to. |
| |
| blueriq.cmis.objectType-id | The kind of objectType the file is. |
| |
| blueriq.cmis.binding-type | The type of communication you desire. Currently the only supported value is atompub |
| |
| blueriq.cmis.authProviderClassName | The classname of the authProvider |
| |
| blueriq.cmis.authProviderConfiguration.jwt.ks.fileUrl | URL pointing to key store containing RSA private/public keys for JWT signing |
| |
| blueriq.cmis.authProviderConfiguration.jwt.ks.password | Key store password |
| |
blueriq.cmis.authProviderConfiguration. jwt.ks.blueriqKeyAlias | Alias of key that Blueriq should use for JWT signing |
| |
blueriq.cmis.authProviderConfiguration. jwt.ks.blueriqKeyPassword | Password for key that Blueriq should use for JWT signing |
| |
| blueriq.cmis.authProviderConfiguration.jwt.claims.iss | Standard 'issuer' claim to put in Json Web token |
| |
| blueriq.cmis.authProviderConfiguration.jwt.claims.aud | Standard 'audience' claim to put in Json Web token |
| |
| blueriq.cmis.authProviderConfiguration.jwt.claims.sub | Standard 'subject' claim to put in Json Web token |
| |
| blueriq.cmis.authProviderConfiguration.jwt.claims.idp | Custom claim to put in Json Web token |
| |
blueriq.cmis.authProviderConfiguration. jwt.blueriqUser.id.claimName | JWT claim name to put the Blueriq user id in |
| |
blueriq.cmis.authProviderConfiguration. jwt.cmisConnector.id.claimName | JWT claim name to put the CMIS connector id in |
|
| Subject | Property | Explanation | ||
|---|---|---|---|---|
| Connections | blueriq.connection.sessionHeaders | A comma-separated list of HTTP header names, stored through the blueriq.session.headers property, that should be put on outgoing requests for all HTTP and SOAP connections. More info here. |
| @since 11.6 |
| blueriq.connection.header.[headerName] | Key-value pairs of HTTP headers that should be put on all outgoing REST and SOAP requests. |
| @since 14.11 | |
| blueriq.connection.timeout | Default global timeout in milliseconds to use for all outgoing HTTP requests (SOAP or REST) when no other timeout was specified on the specific connection configuration. The value of 0 means there is no global timeout. Default is 15000 milliseconds (15 seconds). When a negative number is configured this value will fallback to the default. |
| @since 15.0 | |
| blueriq.connection.[name].sql.type | The type of sql connection (ie. jdbc) |
| ||
| blueriq.connection.[name].sql.url | The url of the datasource which should be connected to. |
| ||
| blueriq.connection.[name].sql.driver | The driver that needs to be used to connect to the datasource |
| ||
| blueriq.connection.[name].sql.username | The username to login to the datasource |
| ||
| blueriq.connection.[name].sql.password | The password to login to the datasource |
| ||
| blueriq.connection.[name].filesystem.path | The path of the filesystem |
| ||
| blueriq.connection.[name].memory | Name of a memory connection. |
| ||
| blueriq.connection.[name].http.url | The URL of the REST web service. |
| ||
| blueriq.connection.[name].http.username | The username for basic authentication. |
| ||
| blueriq.connection.[name].http.password | The password for basic authentication. |
| ||
| blueriq.connection.[name].http.sessionHeaders | A comma-separated list of HTTP header names, stored through the blueriq.session.headers property, that should be put on outgoing requests for this connection. Overrides blueriq.connection.sessionHeaders. More info here. |
| @since 11.6 | |
| blueriq.connection.[name].http.header.[headerName] | Key-value pairs of HTTP headers that should be put on outgoing REST requests for this connection. Overrides blueriq.connection.header |
| @since 14.11 | |
| blueriq.connection.[name].http.timeout | The timeout in milliseconds. The value of 0 means there is no timeout. When a negative number is configured this value will fallback to the global default. |
| ||
| blueriq.connection.[name].http.authentication | If the Runtime authentication is set to openid-connect, then setting this property to 'openid-connect' will make the webservice send along a bearer Authorization header. Since Blueriq 16.3, if the Runtime authentication is set to jwt, then setting this property to 'jwt' will make the webservice send along a bearer Authorization header. Since Blueriq 13.12, it is also possible to set this property to 'oauth2' for Oauth2 authentication. The next 5 properties will configure Oauth2. |
| ||
| blueriq.connection.[name].http.oauth2-token-endpoint | The URL of the OAuth2 authentication server, where tokens can be requested(required) |
| @since 13.12 | |
| blueriq.connection.[name].http.oauth2-client-id | The id of the client that a token should be requested for (required) |
| @since 13.12 | |
| blueriq.connection.[name].http.oauth2-client-secret | The secret key of the client where a token should be requested for (required) |
| @since 13.12 | |
| blueriq.connection.[name].http.oauth2-grant-type | The value of the grant type parameter when requesting a token |
| @since 13.12 Only the grant type "client_credentials" is supported | |
| blueriq.connection.[name].http.oauth2-scope | The scope that we want to request a token for |
| @since 13.12 | |
| blueriq.connection.[name].soap.url | The URL of the SOAP web service. |
| ||
| blueriq.connection.[name].soap.username | The username for basic authentication. |
| ||
| blueriq.connection.[name].soap.password | The password for basic authentication. |
| ||
| blueriq.connection.[name].soap.interceptors | A comma separate list of security interceptors (defined using the blueriq.soap.interceptors.security.* properties, see WS-Security) |
| ||
| blueriq.connection.[name].soap.timeout | The timeout in milliseconds. |
| ||
| blueriq.connection.[name].soap.sessionHeaders | A comma-separated list of HTTP header names, stored through the blueriq.session.headers property, that should be put on outgoing requests for this connection. Overrides blueriq.connection.headers. More info here. |
| @since 11.6 | |
| blueriq.connection.[name].soap.header.[headerName] | Key-value pairs of HTTP headers that should be put on outgoing SOAP requests for this connection. |
| @since 14.11 | |
| blueriq.connection.[name].email.smtp | The hostname of the SMTP server. |
| ||
| blueriq.connection.[name].email.smtpport | The port of the SMTP server. |
| ||
| blueriq.connection.[name].email.username | The username to use when connecting to the SMTP server. |
| ||
| blueriq.connection.[name].email.password | The password to use when connecting to the SMTP server. |
| ||
| blueriq.connection.[name].email.usetls | Indicates if the SMTP server should be contacted using TLS. |
| ||
| blueriq.connection.[name].email.fromaddress | An email address from which to send the email. |
| ||
| blueriq.connection.[name].email.toaddress | An email address to which to send the email. |
| ||
| blueriq.connection.[name].email.ccaddresses | Addresses to put in cc. |
| ||
blueriq.connection.[name].email.bccaddresses | Addresses to put in bcc. |
| ||
| blueriq.connection.[name].resource.path | Defines a path to a resource. |
| ||
| blueriq.connection.[name].external-flow.project | The REQUIRED name of the project that contains the flow to be started |
| ||
| blueriq.connection.[name].external-flow.version | The REQUIRED version of the project that contains the flow to be started, e.g. 0.0-Trunk |
| ||
| blueriq.connection.[name].external-flow.flow | The REQUIRED name of the flow to be started |
| ||
| blueriq.connection.[name].external-flow.channel | The OPTIONAL name of the channel be started |
| ||
| blueriq.connection.[name].external-flow.baseurl | The OPTIONAL URL of the external host where the target project is on (if omitted the same server is assumed). |
|
For the Blueriq Runtime there are two types of datasources that you can define in your properties:
jndidatasources externaldatasources. You can only enable one type by providing the type in the property spring.profiles.active. Datasource configuration for the Customerdata Service can be found here: Customerdata service
It is possible to set the same property with a hibernate. (global) prefix and a blueriq.datasource.[name].hibernate. (datasource specific) prefix. When the same property is set with both prefixes, the property with the datasource specific prefix will have precedence over the global prefix.
| Subject | Property | Default | Explanation | Property file spring.profiles.active= | Property file spring.profiles.active=
|
|---|---|---|---|---|---|
| Datasources | blueriq.datasource.[name].url | The url of the datasource which should be connected to. |
| Only available when you have | |
| blueriq.datasource.[name].username | The username to login to the datasource |
| Only available when you have | ||
| blueriq.datasource.[name].password | The password to login to the datasource |
| Only available when you have | ||
| blueriq.datasource.[name].driverClassName | The driver that needs to be used to connect to the datasource |
| Only available when you have | ||
| blueriq.datasource.[name].jndiName | The name of the jndi datasource connection. | Only available when you have |
| ||
| blueriq.hibernate.[name].hbm2ddl.auto | validate | When starting server (SessionFactory) Supported values: create/update/create-drop are not supported ways to create a schema. Use the dbscripts that are provided with the release instead. |
|
| |
| blueriq.hibernate.[name].dialect | The dialect that hibernate should use. |
|
| ||
blueriq.hibernate.[name].use_nationalized_character_data | true | Enable nationalized character support on all string / clob based attributes ( string, char, clob, text etc ). Note that this property by defaults to true because 'hibernate.use_nationalized_character_data' is set in application.properties that is packaged in the default runtime WAR. When using H2 this property should be set to 'false' because H2 does not have specific nationalized data types. For more information about it's usage see: UTF8 support. |
|
| |
blueriq.hibernate.[name].globally_quoted_identifiers | false | Quotes all database identifiers.  Note that some databases treat column names as case sensitive when they are quoted, which may break the application. Blueriq requires this property to be false (which is the default). |
| ||
blueriq.hibernate.[name].globally_quoted_identifiers_skip_column_definitions | false | When blueriq.hibernate.[name].globally_quoted_identifiers is set to true, column names will be skipped. Like the previous property, Blueriq requires this property to be false (which is the default). |
| ||
| blueriq.datasource.h2.enabled | false | This property is required to be set to 'true' when any data source configures a H2 database. | Can be placed in any file. |
The development properties only apply when the profile
development-tools is added to the spring.profiles.active| Subject | Property | Explanation | Example | |
|---|---|---|---|---|
| Development | logging.file.name=C:/Deployments/logs/runtime.log | The file in which to write the log |
| |
| blueriq.development.usePasswordEncryption=true | When editing properties encrypt passwords before saving them. |
| ||
| blueriq.development.h2-console.enabled | For security reasons, the H2 Console is disabled by default. If Blueriq was installed using the installer, the H2 Console will be enabled by default. Setting is "true" or "false" |
| ||
| Studio | blueriq.studio.description | description that is used in the development dashboard flow starter. default via installer = Studio Projects |
| |
| blueriq.studio.prefix | The prefix in front of the studio project when started. default via installer = studio |
| ||
| blueriq.studio.authentication | Method of authentication that the Blueriq Studio uses. Its value always is |
| ||
| blueriq.studio.url | url where the management service of the Blueriq Studio can be reached. default via installer = http://HOSTNAME:PORT/Studio/Server/Services/ManagementService |
| ||
| blueriq.studio.domain | Network domain where the studio is in. default via installer = empty |
| ||
| blueriq.studio.username | Username for the studio management service. default via installer = runtime |
| ||
| blueriq.studio.password | Password for the studio management service default via installer = runtime |
| ||
| External | blueriq.external.themes.[name].baseUrl | URL where the external theme is can be reached. When using a custom made them which is not configured via the Runtime using an STG, but rather via a CDN or reverse proxy. An external theme can be configured so that the development dashboard can create URL's to the corresponding targets. | https://example.com/ |
|
| blueriq.external.themes.[name].template.flow | RFC-6570 URI template for creating a start flow request. By combining the baseUrl and template.flow properties a full URL is formed. The variables which can be used in the URI template are: flow - name of the flow to start project - name of the project to use version - project version to use languageCode - code of the language to use testPath - name of the test path to use The combined URL will be expanded in development dashboard. | /flow/{project}/{flow} With test path: /flow/{project}/{flow} |
| |
| blueriq.external.themes.[name].template.shortcut | RFC-6570 URI template for creating a start shortcut request. By combining the baseUrl and template.shortcut properties a full URL is formed. The variables which can be used in the URI template are: shortcut | /shortcut/{shortcut} |
| |
| blueriq.external.themes.[name].template.session | RFC-6570 URI template for creating a continue session request. By combining the baseUrl and template.session properties a full URL is formed. The variables which can be used in the URI template are: sessionId - id of the session to continue The combined URL will be expanded in development dashboard. | /session/{sessionId} |
|
| Subject | Property | Explanation | |
|---|---|---|---|
| Domain Schema | blueriq.domainschema.infinite-loop-detection-limit | Sets the limit for loops in case of domain schema in domain schema relations. |
|
| Subject | Property | Explanation | |
|---|---|---|---|
| Exports | blueriq.exports.enabled | Boolean to enable usage of exports. Default is false. |
|
| blueriq.exports.description | The group name of all the exports shown in the dev dashboard |
| |
| blueriq.exports.prefix | The prefix in front of the export project when started. |
| |
| blueriq.exports.folder | The folder in the configuration folder where the exports are. |
| |
| blueriq.exports.files | Direct location of (an) export file(s). Comma seperated. |
|
Legacy properties are properties to configure legacy behavior in specific cases. This legacy behavior is deprecated and should therefore not be used, as it will be removed in a future release. The properties exist to help during a transitioning period towards the new behavior.
| Subject | Property | Explanation | Default | Introduced in | Removed in | |
|---|---|---|---|---|---|---|
| Runtime | blueriq.legacy.legacy-rest-validation | With the introduction of reporting all errors during parsing of incoming JSON rest requests or responses, the error-message content changes. If this is not (yet) desirable the runtime reverts back to the previous implementation by setting the property to true | false | 15.12 | 17.0 | application.properties |
| Runtime | blueriq.legacy.legacy-rest-response-validation | Blueriq 15 started to also include field validations when parsing a REST response, which may result in the REST service client call failing for messages that used to be accepted in earlier versions. Setting this property to true reverts to the old behavior. | false | 16.11.4 | 18.0 |
|
| Runtime | blueriq.legacy.legacy-jwt-claims-path-expression | Setting this property to true enables the legacy, comma-separated expression format for JWT claim paths in JWT Mapping properties. The legacy format contains a comma-separated path to a claim in the JWT body. For example if the JWT body contains the following claims: {
... other claims ...
"realm_access": [
"roles": ["role1", "role2"]
]
... other claims ...
}
a value of "realm_access,roles" would indicate that the roles claim nested within the realm_access claim should be sourced. | false | 16.7 | 17.0 |
|
| Runtime | blueriq.legacy.mapping-to-same-module | If SOAP and REST clients/webservices specify a data mapping, a new profile is always created even if the webservice is defined in the entry-point module. The legacy mode reverts to the behavior where the mapping would be executed across the same profile, potentially resulting in unexpected behavior. | false | 16.8 | 17.0 |
|
| Subject | Property | Explanation | Example | |
|---|---|---|---|---|
| Misc | blueriq.production.shortcuts-only | Only possible to start flows with shortcut (instead of 'dash start url') |
| |
| blueriq.fileupload.maxuploadsize | maximum request size for the built-in file upload container, in bytes. Note: this is per request, so if you upload multiple files in one go, the total size of those files is validated against this property. Since 16.1 defaults to 10MB |
| # set the max upload size to 10 MB blueriq.fileupload.maxuploadsize=10485760 | |
| blueriq.fileupload.detect-content-type | Guesses the content type of uploaded files based on the actually uploaded data, instead of using the content type as present in the request. From a security perspective, it is advised that this option is enabled to reject malicious uploads. Available since R12.10, defaults to true. |
| ||
| blueriq.fileupload.validate-content-type | If enabled, the content type of the file is used to determine the supposed extension that is then validated against the list of allowed extensions. From a security perspective, it is advised that this option is enabled to reject malicious uploads. Available since R12.10, defaults to true. | |||
| blueriq.license | the license for blueriq (content of the license file). Property is optional. One should set either this property or place a license file in the |
| The property blueriq.license=0MtWfrubLL4Rq6TH/4TfNleRJqJHtSQIYe070... | |
| blueriq.cache.timeout | This property is used to specified the timeout that has to pass before the data in the aggregate / Process statistics container is considered not up to date and has to be reloaded. |
| ||
| blueriq.runtimekeys.enabled | The element keys created by the Runtime that are send to the browser to build the HTML are now containing the element name prefixed by the page ID. E.g. P108-C0-C0-F0 is now P108_Person_Firstname_1. This way, the pagemodel which is used to build the HTML is more stable and in turn leads to a more predictable way of testing. This functionality is enabled by default. |
| ||
| blueriq.webservices.create-empty-elements-for-unknowns | Controls whether generating empty elements for unknown relations should be enabled. This property is available in Blueriq 14. Use the Legacy Property in earlier versions. |
| ||
| blueriq.webservices.structured-input-validation | The webservice responses can be returned by Blueriq in a more structured way when input validations are triggered so those can be used in the model of the receiver. When this functionality is enabled, the error message returned for an invalid request is split up in such a way that validation messages can be handled separately and indicate the exact instance which is not valid. When this functionality is disabled, the error message is one string containing the validation message. This functionality only applies to REST services based on domain schemas. This functionality is disabled by default. |
|
Model Preloading properties
Note: these properties were introduced in Blueriq 13.8
| Subject | Property | Explanation | Default value | Property file | Example |
|---|---|---|---|---|---|
| Model preloading | blueriq.modelpreload.enabled | If true, preloading of configured application models during Runtime startup is enabled | false |
| |
| blueriq.modelpreload.before-requests | If false, preload the application models after the Runtime is ready to accept HTTP requests. Otherwise the models will be preloaded before HTTP requests are accepted. | true |
| ||
| blueriq.modelpreload.models | A map of application models (name and versions) to preload. Only application models that are in this list will be preloaded if preloading is enabled. |
| blueriq.modelpreload.models.MyApp1=0.0-Trunk,0.0-FeatureX,0.0-FeatureY blueriq.modelpreload.models.MyApp2=0.0-Trunk |
| Subject | Property | Default | Explanation | Property file |
|---|---|---|---|---|
| Multi-tenacy | blueriq.multi-tenancy.enabled | false | Toggle to enable multi-tenancy. |
|
| blueriq.multi-tenancy.allowed-tenants | List of comma separated tenant names. Tenant names can contain letters, digits and '-' (dashes). blueriq.multi-tenancy.allowed-tenants=google,apple |
| ||
| blueriq.multi-tenancy.http-header | The name of the HTTP header which the Runtime can retrieve the tenant name |
| ||
| blueriq.multi-tenancy.amqp-header | The name of the AMQP message header in which the tenant is stored |
|
| Subject | Property | Explanation | |
|---|---|---|---|
| MVC UI - deprecated | blueriq.mvc.development-mode | Turning mvc development mode on or off. |
|
| blueriq.mvc.themes.[theme].template-group-file | Path to where the stg file can be found. |
| |
| blueriq.mvc.themes.[theme].template-name | Name of the mvcui template. |
| |
| blueriq.mvc.active-themes | The themes that are active in the Runtime. The theme names listed here (as a comma separated list) must match the theme names that are used with the properties above. Not all defined themes need to be active. Only the active ones will be shown in the development dashboard. This is useful for overriding the default styling that is packaged with Blueriq. |
| |
| spring.mvc.dispatch-options-request | This is a spring mvc property that enables the dispatcher to listen to OPTIONS request methods. |
|
Example
blueriq.mvc.themes.bootstrap3.template-group-file=UI/mvc/v2/bootstrap3.stg
blueriq.mvc.themes.bootstrap3.template-name=main
blueriq.mvc.active-themes=bootstrap3
| Subject | JAVA Property | Explanation | |
|---|---|---|---|
| OpenID Connect | blueriq.security.openid-connect.use-discovery | Boolean property which enables Blueriq to read identity provider specific properties from an specific exposed location if the value is true, or to read them from application.properties if the value is false. Default: false. |
|
| blueriq.security.openid-connect.public-keys.<key id>=<key value> | Defines the <key id, public key> mappings that are loaded by Blueriq if blueriq.security.openid-connect.use-discovery is false. Note that the key value should be encoded as Base64 encoded bytes that conform to the X509EncodedKeySpec |
| |
| blueriq.security.openid-connect.client-id | The client-id of the Runtime, as defined at the identity provider. |
| |
| blueriq.security.openid-connect.client-secret | The client secret of the Runtime, as defined at the identity provider. This value is used, for example, to complete the OpenID Connect Authorization Code Flow, when exchanging the authorization code for ID and access tokens. |
| |
| blueriq.security.openid-connect.scopes | The OpenID Connect scopes used when starting the Authorization Code flow. The scopes must include the value "openid" in order for the identity provider to recognize that the OpenID Connect Authorization Code flow must be initiated. If "openid" is not specified as a scope, the identity provider may instead initiate the OAuth2 Authorization Code flow (depends on the identity provider in use). Multiple scopes can be specified separated with coma. |
| |
| blueriq.security.openid-connect.token-endpoint | the URL of the endpoint where access codes can be exchanged for ID and access tokens. Example for Keycloak: http://<host>:<port>/auth/realms/<realm name>/protocol/openid-connect/token |
| |
| blueriq.security.openid-connect.token-endpoint-parameters.<name>=<value> | Additional custom parameters to be sent to the token endpoint. For example; blueriq.security.openid-connect.token-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/ |
| |
| blueriq.security.openid-connect.authorization-endpoint | the URL where the OpenID Connect Authorization Code flow can be started. Example for Keycloak: http://<host>:<port>/auth/realms/<realm name>/protocol/openid-connect/auth |
| |
| blueriq.security.openid-connect.authorization-endpoint-parameters.<name>=<value> | Additional custom parameters to be sent to the authorization endpoint. For example; blueriq.security.openid-connect.authorization-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/ |
| |
| blueriq.security.openid-connect.token-issuer | The expected issuer in the "iss" claim of JWT tokens. A received JWT which does not have this exact, case-sensitive value in its "iss" claim will be rejected as invalid. |
| |
| blueriq.security.openid-connect.check-audience | Boolean indicating whether the audience claim should be checked. If true, the audience claim must contain the Runtime's client-id. All JWTs which do not contain the Runtime's client-id in the audience claim are rejected as invalid. When false, the audience claim is not checked. Default: false. |
| |
| blueriq.security.openid-connect.sso-logout | Boolean indicating whether when logging out of Blueriq the user should be logged out of the Single-Sign-On session as well. Default: false |
| |
| blueriq.security.openid-connect.end-session-endpoint | When sso-logout is true, the Runtime redirects to this URL at the identity provider in order to log out of the Single-Sign-On session. |
| |
| blueriq.security.openid-connect.post-logout-redirect-uri | Optional URI that the OpenID Connect provider should redirect to after logging out. This property will be taken account both when using discovery and when using manual configuration through properties. Since Blueriq 16.0.1 |
| |
| blueriq.security.openid-connect.user-info-endpoint | the URL of the OpenID Connect UserInfo endpoint. This endpoint provides information about the user associated with an access token. It is used when the access token is not a JWT. |
| |
| blueriq.security.openid-connect.user-info-endpoint-parameters.<name>=<value> | Additional custom parameters to be sent to the user info endpoint. For example; blueriq.security.openid-connect.user-info-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/ |
|
| Subject | JAVA Property | Explanation | |
|---|---|---|---|
| blueriq.security.jwt-claims.roles-path | A JsonPath expression to the roles claim in the JWT body. For example, if the JWT body contains below claims, this property should be set to {
... other claims ...
"realm_access": [
"roles": ["role1", "role2"]
]
... other claims ...
}
Before Blueriq 16.7, the expression was a comma-separated list of path segments. Please refer to the Legacy Properties for more information on the legacy format and how to enable it. |
| |
| blueriq.security.jwt-claims.teams-path | A JsonPath expression to the teams claim in the JWT body. See roles-path above for more information. |
| |
| blueriq.security.jwt-claims.role-mapping.<role-claim> | Maps a role claim to zero, one or multiple Blueriq roles. If a role claim does not have a mapping, it is considered to have an implicit identity mapping. Example: blueriq.security.jwt-claims.role-mapping.employee=authenticated_user,vu_employee (all users which have the employee role at the identity provider will have the authenticated_user and vu_employee roles in Blueriq) |
| |
| blueriq.security.jwt-claims.team-mapping.<team-claim> | Maps a team claim to zero, one or multiple Blueriq teams. If a team claim does not have a mapping, it is considered to have an implicit identity mapping. Example: blueriq.security.jwt-claims.team-mapping.amsterdam=europe,netherlands (all users which have the amsterdam team at the identity provider will have the europe and netherlands teams in Blueriq) |
| |
| blueriq.security.jwt-claims.username-path | A JsonPath expression to the usernameclaim in the JWT body. See roles-path above for more information. If no value is specified, the default value is used: |
| |
blueriq.security.jwt-claims.claim-mapping.<key-id>=<value> | Additional optional custom parameter to retrieve a claim from the JWT and place it in the Authentication under the specified key. The value should be a JsonPath expression to the claim in the JWT body. Only (lists of) strings, numbers and booleans are supported. These values will all be converted to strings. See roles-path above for more information. These claims can be retrieved to the profile using the GetAuthenticationClaims service. |
|
The property retain-required-tasks has been added
| Subject | JAVA Property | Explanation | |
|---|---|---|---|
| Processes and DCM | blueriq.timer.interval | Timer interval of when to check timed tasks - (values must now be MINUTE, HOUR or NEVER, caps are required) |
|
blueriq.scheduler-quartz.advanced-scheduler | Property to enable the advanced scheduler Default: false |
| |
| blueriq.migrate.displaynames.endpoint.enabled | Activates the migration endpoint for processing and updating the cases and tasks display names |
| |
| blueriq.processengine.cancel-started-tasks | Will cancel all started tasks when the runtime starts. This property does not work as intended for production environments where the runtime is installed on multiple nodes. Starting a new (or restarting a running node) might cancel tasks that are in use. For that scenario we recommend to use the Reopening Tasks endpoint exposed by the CancelAllStartedTasks from the Scheduler Maintenance REST API or the Backend REST API V1 Default: false |
| |
| blueriq.processengine.retain-required-tasks | If true, ad-hoc tasks for which the precondition becomes false will not be automatically canceled (pre R11 behaviour). Defaults to false. |
| |
| blueriq.processengine.worklist.limit | Limit of amount of items shown in the worklist Default: 1000 |
| |
| blueriq.processengine.caselist.limit | Limit of amount of items shown in the caselist Default: 1000 | ||
| blueriq.processengine.default-app-id-ignore-mode | To influence the behavior of models that normally make use of the application Id for whole server (Control applicationId behavior) Default: none |
| |
| blueriq.processengine.app-id-ignore-modes.[app-id] | To influence the behavior of models that normally make use of the application Id, but per project. |
| |
| blueriq.processengine.default-ignore-unknown-attributes | Indicates whether attributes stored in the process database which are no longer in the model should be ignored. By default, these attributes are not ignored and an error is raised when such an attribute is found in the database. To ignore the attributes, set this property to true. |
| |
| blueriq.processengine.ignore-unknown-attributes.[app-name] | Same as blueriq.processengine.default-ignore-unknown-attributes, but allows enabling this setting on a per-application basis. The application-specific setting takes precedence over the global setting. |
| |
| blueriq.processengine.default-ignore-unknown-entities | Indicates whether entity instances stored in the process database which are no longer in the model should be ignored. By default, these entity instances are not ignored and an error is raised when such an entity instance is found in the database. To ignore the entity instances, set this property to true. |
| |
| blueriq.processengine.ignore-unknown-entities.[app-name] | Same as blueriq.processengine.default-ignore-unknown-attributes, but allows enabling this setting on a per-application basis. The application-specific setting takes precedence over the global setting. |
| |
| blueriq.processlist.default-app-id-ignore-mode |
| ||
| blueriq.processlist.app-id-ignore-modes.[app-id] |
| ||
| blueriq.process-sql-store.oracle.case-insensitive-search-enabled | This property enables case insensitive searching for oracle. For more information see: How to enable case insensitive search on case data for Oracle |
|
| Subject | Property | Explanation | |
|---|---|---|---|
| Publisherclient | blueriq.hibernate.publisher-client.main.hbm2ddl.auto=validate | Specifies the hibernate property for publisherclient connection. |
|
| blueriq.hibernate.publisher-client.dialect=org.hibernate.dialect.Oracle12cDialect | Example: blueriq.hibernate.publisherclient.dialect=org.hibernate.dialect.Oracle12cDialect |
| |
| blueriq.datasource.publisher-client.database.url=jdbc:oracle:{host}:{port}:{servicename} | The url of the publisher database. |
| |
blueriq.datasource.publisher-client.database.driverClassName=oracle.jdbc.driver.OracleDriver | The driverclassname of the publisher database. |
| |
| blueriq.datasource.publisher-client.database.username={Username} | The username to log in the database. |
| |
| blueriq.datasource.publisher-client.database.password={password} | The password to log in the database. |
| |
| blueriq.publisher-client.environmentName=Test |
|
| Subject | Property | Explanation | |
|---|---|---|---|
| Runtime API | blueriq.runtime.name | name of the runtime in the REST API |
|
| Subject | Property | Explanation | |
|---|---|---|---|
| Security LDAP | blueriq.security.auth-providers.ldap01.type | What type of provider is used, in this case it always is 'ldap' |
|
| blueriq.security.auth-providers.ldap01.connectionUrl | The connection url to the LDAP server |
| |
| blueriq.security.auth-providers.ldap01.userDn | The userDn to connect with the ldap; format should look something like 'cn=LDAP reader,ou=something,dc=company,dc=nl' |
| |
| blueriq.security.auth-providers.ldap01.password | Password to connect to the LDAP |
| |
| blueriq.security.auth-providers.ldap01.useTls | boolean to either use TLS or not for the LDAP connection; this setting is not required |
| |
| blueriq.security.auth-providers.ldap01.tls.trustStoreUrl | Only required if useTls is true; the location to the truststore file |
| |
| blueriq.security.auth-providers.ldap01.tls.trustStorePassword | Only required if useTls is true; The password used to login to the keystore |
| |
| blueriq.security.auth-providers.ldap01.tls.trustStoreType | Only required if useTls is true; what type of keystore is used, like 'jks' or 'pkcs12' |
| |
| blueriq.security.auth-providers.ldap01.referralStrategy | Can be 'ignore' or 'follow' |
| |
| blueriq.security.auth-providers.ldap01.searchSubtree | Used for searching in LDAP; boolean value if set to true, not only the current directory will be search, but also underlaying directories. |
| |
| blueriq.security.auth-providers.ldap01.userSearchBaseDn | Used for searching in LDAP; Should look something like 'OU=Gebruikers,DC=company,DC=nl'; points to the directory to where the user search should happen. |
| |
| blueriq.security.auth-providers.ldap01.userSearchAttribute | Used for searching in LDAP; What attribute to use to iddentify as a user, common use is : 'sAMAccountName' |
| |
| blueriq.security.auth-providers.ldap01.groupSearchBaseDn | Used for searching in LDAP; Should look something like 'OU=Groepen,DC=company,DC=nl'; points to the directory to where the group search should happen. Important for the roles for the user |
| |
| blueriq.security.auth-providers.ldap01.groupSearchFilterAttribute | Used for searching groups in ldap; What attribute to use to to filter groups on; This property is not required |
| |
| blueriq.security.auth-providers.ldap01.groupSearchFilterPattern | Used for searching groups in ldap; What pattern to use to to filter groups on;This property is not required; Should look something like this: 'BQ_*, EVE_*,PRO - *,PRO -*' Results in: ((<attribute>=BQ_*)(<attribute>=EVE_*)(<attribute>=PRO -*)) |
| |
| blueriq.security.auth-providers.ldap01.role-mapping | Used for mapping LDAP groups to Blueriq roles, in the form ..role-mapping.<ldap group 1>=<blueriq role 1>[,<blueriq role 2>,...,<blueriq role n>] ..role-mapping.<ldap group n>=<blueriq role 1>[,<blueriq role 2>,...,<blueriq role n>] |
|
| Subject | JAVA Property | Explanation | Type | Default | |
|---|---|---|---|---|---|
| Security | blueriq.security.click-jacking-protection.enabled | Turn clickjack protection on/off. For more information go to Security: Clickjacking protection. | Boolean | true |
|
| blueriq.security.click-jacking-protection.content-security-policy.default-src | Set the location where content can be loaded from, if no more specific value (for example font for where fonts can be loaded from) is given there is a fallback to this value. For more information see Security: Clickjacking protection. | String | 'self' |
| |
| blueriq.security.click-jacking-protection.content-security-policy.script-src | Set the location where scripts can be loaded from. For more information see Security: Clickjacking protection. | String | 'self' |
| |
| blueriq.security.click-jacking-protection.content-security-policy.style-src | Set the location where stylesheets can be loaded from. For more information see Security: Clickjacking protection. | String | 'self' |
| |
| blueriq.security.click-jacking-protection.content-security-policy.font-src | Set the location where fonts can be loaded from. For more information see Security: Clickjacking protection. | String | 'self' |
| |
| blueriq.security.click-jacking-protection.content-security-policy.img-src | Set the location where images can be loaded from. For more information see Security: Clickjacking protection. | String | 'self' |
| |
| blueriq.security.click-jacking-protection.content-security-policy.frame-ancestors | Set the valid parent hosts that may embed Blueriq using <frame>, <iframe>, <object>, <embed> or <applet>. For more information see Security: Clickjacking protection. Available since Blueriq 14.4. Note that Content Security Policy is not supported by Internet Explorer, so this setting will not have an effect on users that still use Internet Explorer. | String | 'self' |
| |
| blueriq.security.csrf-protection.enabled | Turn Cross Site Request Forgery protection on/off. For more information go to Security: Cross-site scripting protection. | Boolean | true |
| |
| blueriq.security.strict-transport-protection.enabled | Enables HTTP Strict Transport Security (HSTS). For more information go to Security: HTTP Strict Transport Security. | Boolean | true |
| |
| blueriq.security.x-content-type-protection.enabled | Add the X-Content-Type-Options header to responses to protect against MIME type sniffing. For more information go to Security: Content sniffing protection. | Boolean | true |
| |
| blueriq.security.xss-protection.enabled | Turn cross site scripting protection protection on/off. For more information go to Security: Cross-site scripting protection. | Boolean | true |
| |
| blueriq.security.xss-protection.header.enabled | Turn the X-XSS-Protection HTTP header on/off. | Boolean | true |
| |
| blueriq.security.xss-protection.request-body-validation.enabled | Enable the X-XSS-Protection on request body. | Boolean | true |
| |
| blueriq.security.xss-protection.request-parameter-validation.enabled | Enable the X-XSS-Protection on request parameters. | Boolean | true |
| |
| blueriq.security.xss-protection.request-url-validation.enabled | Enable the X-XSS-Protection on request url. | Boolean | true |
| |
| blueriq.security.xss-protection.multipart-request-validation.enabled | Enable the X-XSS-Protection on multipart request. | Boolean | true |
| |
| blueriq.security.xss-protection.blacklist.enabled | Turn the XSS blacklist on/off. | Boolean | true |
| |
| blueriq.security.xss-protection.whitelist.enabled | Turn the XSS whitelist on/off. | Boolean | true |
| |
| blueriq.security.xss-protection.whitelist.allowed-protocols | Set the whitelisted protocols in URI attributes. Example value: 'http,https,mailto' | Comma separated string | empty |
| |
| blueriq.security.xss-protection.whitelist.allowed-tags | Set the whitelisted HTML tags. Example value: 'b,img' | Comma separated string | empty |
| |
| blueriq.security.xss-protection.whitelist.allowed-global-attributes | Set the whitelisted attributes allowed on any whitelisted HTML tag. Example value: 'class,title' | Comma separated string | empty |
| |
| blueriq.security.xss-protection.whitelist.allowed-attributes.<tag> | Set the whitelist attributes allowed on a specific whitelisted HTML tag. Example key: 'blueriq.security.xss-protection.whitelist.allowed-attributes.h1' Example value: 'class' | Key: string Value: comma separated string | empty |
| |
| blueriq.security.xss-protection.whitelist.uri-attributes.<tag>=<attr1>,<attr2> | Mark which attributes are URI attributes and are subject to the allowed protocols rule. In Java, URI attributes can be defined per tag. In .NET, URI attributes can be defined only globally. | Key: string Value: comma separated string | empty |
| |
| blueriq.security.xss-protection.whitelist.max-loop-count | Define a limit on the number of sanitization iterations. | Integer | 5 |
| |
| blueriq.security.xxe-protection.enabled | Enable XML External Entity (XXE) protection. | Boolean | true |
| |
| blueriq.security.xxe-protection.disallow-doctype-decl | Disallow doctype declaration processing in XML-files. Protection is enabled when set to: true. | Boolean | true |
| |
| blueriq.security.xxe-protection.load-external-dtd | Enable loading external DTDs in XML-files. Protection is enabled when set to: false. | Boolean | false |
| |
| blueriq.security.xxe-protection.external-general-entities | Enable processing external general entities in XML-files. Protection is enabled when set to: false. | Boolean | false |
| |
| blueriq.security.xxe-protection.external-parameter-entities | Enable processing external parameter entities in XML-files. Protection is enabled when set to: false. | Boolean | false |
| |
| blueriq.security.xxe-protection.xinclude-aware | Enable processing of XML Inclusions (XInclude) in XML-files. Protection is enabled when set to: false. | Boolean | false |
| |
| blueriq.security.xxe-protection.expand-entity-references | Enable expansion of entity references in XML-files. Protection is enabled when set to: false. | Boolean | false |
| |
| blueriq.security.http.restricted-methods | Specify the methods that should not be allowed while doing HTTP calls. For more information go to Security: Block HTTP Methods. Example value: 'head,get,post,options' | Comma separated string | empty |
| |
| blueriq.security.http.runtime.enabled | This property if true enables the default secured access to the runtime interactions. | Boolean | true |
| |
| blueriq.security.login-type | Defines the login type used in Blueriq. If openid-connect is chosen, openid-connect properties have to be defined as well. | One of:
| 'form-login' |
| |
| blueriq.security.redirect-url-whitelist | Define a whitelist of URLs where the user can be redirected to. If the If the list is empty, any URL is accepted up to version 14.x. From 15.0 onwards, no URLs are accepted when an empty list is provided. | Comma separated list | empty |
| |
| blueriq.security.keystore.location | The path to the keystore file to be used as repository for security certificates. | Spring Resource | empty |
| |
| blueriq.security.keystore.password | The password of the keystore. | String | empty |
| |
| blueriq.security.keystore.default-certificate | Default certificate used to verify signatures when no KeyInfo is provided in the request. | String | empty | ||
| blueriq.security.truststore.location | The path to the trust store containing the public keys/certificates of external hosts that should be trusted. | Spring Resource | empty |
| |
| blueriq.security.truststore.password | The password for the truststore file. | String | empty |
| |
| blueriq.security.truststore.default-certificate | Default certificate used to verify signatures when no KeyInfo is provided in the request. | String | empty | ||
| blueriq.security.bcrypt-strength | Define the BCrypt strength for password hashing. BCrypt is the default encoder in Blueriq. Applicable values: number between 4-30 Performance impact The higher the number the higher the hashing complexity but also the work to calculate the hash. Each increment is twice as much work. Introduced in version 12.13. | Integer | 10 |
| |
| blueriq.security.session-fixation-protection.enabled | Turn session fixation on/off. For more information, see Security: Session Fixation protection. Introduced in versions 14.11, 13.13.18 and 12.13.39. | Boolean | true |
| |
| blueriq.security.cors.enabled | Enable response headers related to Cross-Origin Resource Sharing. When disabled, the Same-origin policy implemented in web browsers does not allow scripts with a different origin to call Runtime endpoints. This is the secure default. | Boolean | false |
| |
| blueriq.security.cors.allowed-origins | Specify origins for the Access-Control-Allow-Origin response header. | Comma separated string | empty |
| |
| blueriq.security.cors.allowed-methods | Specify methods for the Access-Control-Allow-Methods response header. | Comma separated string | empty |
| |
| blueriq.security.cors.allowed-headers | Specify headers for the Access-Control-Allow-Headers response header. | Comma separated string | empty |
| |
blueriq.security.cookie-same-site.enabled | Turn on the same site attribute for the cookies in blueriq. for more information see: Security: SameSite. Introduced in version 15.0. | Boolean | true |
| |
blueriq.security.cookie-same-site.value | Define the value for the same site attribute for the cookies in blueriq. for more information see: Security: SameSite. Introduced in version 15.0. | String | 'strict' |
|
| Subject | Property | Default | Explanation | Property file |
|---|---|---|---|---|
| blueriq.shortcut.[name].flow | The flow of the project that is started |
| ||
| blueriq.shortcut.[name].languageCode | The languagecode of the project that is started |
| ||
| blueriq.shortcut.[name].project | The name project that is started |
| ||
| blueriq.shortcut.[name].theme | The theme of the project that is started |
| ||
| blueriq.shortcut.[name].ui | The ui of the project that is started |
| ||
| blueriq.shortcut.[name].version | The version of the project that is started |
| ||
| blueriq.shortcut.[name].channel | The device channel of the project that is started | |||
blueriq.shortcut.[name].privateAccess | This property indicates if the project reference that is specified in the shortcut is private or not. Read also Security: Shortcuts and AQ_GetRequestParameters |
|
| Subject | Property | Default | Explanation | Property file |
|---|---|---|---|---|
| Webresources | blueriq.web-resources.source-location | The location (URL) of additional or overridden web resources. For example |
| |
| blueriq.web-resources.cache-key-seed | The seed used to generate a cacheKey for static resources. Set this property if you want to be responsible for invalidating the cache. This probably means you must change the cacheKeySeed every time you change one or more of your custom web resources. Please note that when this property is not set, the cacheKey is changed every time the Blueriq Runtime is restarted |
| ||
| blueriq.web-resources.cache-period-seconds | 31536000 | The cache period for all static web resources. When null, default behavior is to rely only on 'Last-Modified' header. When 0, caching is disabled. When > 0 is number of seconds to cache a resource client-side (browser). (31536000 seconds = 365 days) |
|
This component is part of an ongoing effort to separate the Process Engine from the Runtime. As this component is still in active development, it's not ready for use in production scenarios. Behavior and interfaces are subject to change.
| Subject | Property | Explanation | Property file | Additional information |
|---|---|---|---|---|
blueriq.dcm.rabbitmq.host | Settings for the RabbitMQ instance used to communicate with the Case Engine. |
| ||
| blueriq.dcm.rabbitmq.port | ||||
| blueriq.dcm.rabbitmq.username | ||||
| blueriq.dcm.rabbitmq.password | ||||
| blueriq.dcm.rabbitmq.exchangeName | Exchange to which events to the Case Engine should be published | |||
| blueriq.dcm.rabbitmq.queueNames | Queue from which events from the Case Engine should be consumed | |||
| blueriq.dcm.rabbitmq.virtualHost | ||||
| blueriq.dcm.concurrency.concurrent-consumers | RabbitMQ consumer concurrency settings, used to be able to process multiple messages at the same time. For more information on concurrent consumers see Configuring RabbitMQ. | |||
| blueriq.dcm.concurrency.max-concurrent-consumers | ||||
| blueriq.dcm.case-engine.url | URL and credentials for the Case Engine. | |||
| blueriq.dcm.case-engine.username | ||||
| blueriq.dcm.case-engine.password | ||||
| blueriq.dcm.execute-automatic-tasks | Should this runtime execute automatic tasks? (default = true) | If this property is set to false, the blueriq.dcm.rabbitmq.queueNames property can be left empty, as this is the queue from which automatic tasks are read. |
Common used properties
server.servlet.contextPath=/runtime
# do not use spring default multipart configuration
spring.http.multipart.enabled=false
spring.cloud.config.overrideSystemProperties=false
hibernate.use_nationalized_character_data=true
Java Third Party properties
For part of the features we rely on third party libraries. These library's have their own properties like: logging.level.com.aquima=DEBUG. you can find an overview or the Spring properties here: spring-common-application-properties.
Overview
Content Tools