Configuration

application.properties

Here you will find properties used to configure MTG CLM. The properties are defined in the application.properties file.

| Property | Required | Default | Description |
|---|---|---|---|
| `spring.profiles.active` | true | `mariadb` | Defines the mode in which the application is started. Depending on the database in use, one of `mariadb`, `postgresdb` or `oracledb` must be set. The db profile activates database-specific configuration and should always be used in combination with other profiles. Normal users should not change or set this property. Example: `mariadb` |
| `cara.api.url` | true | - | Points to the HTTP location where the MTG CARA WS server is running. Example: `cara.example.com/cara-ws-server` |
| `cara.application.name` | true | - | The application name given to the MTG Certificate Lifecycle Manager Server in the context of MTG CARA. It identifies the MTG Certificate Lifecycle Manager Server application when communicating with MTG CARA. If no customization is present, it should be `mtg-clm`. Example: `mtg-ra` |
| `cara.application.secret` | true | - | The secret used by the MTG Certificate Lifecycle Manager Server application to authenticate itself when communicating with MTG CARA. It is created during the MTG CARA configuration. |
| `cara.ws.client.truststore.path` | false | The default Java CA truststore | The location of a keystore file containing the certificates used to verify the TLS connection to MTG CARA. It can be used to override the default Java CA truststore. Example: `/tmp/trustore.jks` |
| `cara.ws.client.truststore.password` | false | - | The password protecting the truststore (see property `cara.ws.client.truststore.path`). Must be set if `cara.ws.client.truststore.path` is set. |
| `cara.ws.client.truststore.type` | false | - | The format of the truststore (see property `cara.ws.client.truststore.path`). Valid values are `JKS`, `JCEKS` or `PKCS12`. Must be set if `cara.ws.client.truststore.path` is set. |
| `cara.ws.client.tls.version` | false | `TLSv1.2` | The TLS protocol version used for the connection to MTG CARA. Valid values are `TLSv1.2` or `TLSv1.3`. |
| `cara.ws.client.timeout.seconds` | false | `60` | An integer value specifying the timeout, in seconds, for the connection to MTG CARA. |
| `spring.datasource.url` | true | - | The JDBC URL of the database. Examples: `jdbc:mariadb://localhost:3306/ra`, `jdbc:postgresql://localhost:5432/mtgra`, `jdbc:oracle:thin:@localhost:1521:mtgra`, `jdbc:postgresql://localhost:26257/defaultdb` |
| `spring.datasource.username` | true | - | The database user used to connect to the database. |
| `spring.datasource.password` | true | - | The password of the database user used to connect to the database. |
| `spring.flyway.enabled` | false | `true` | If set to `true`, the database migration tool Flyway is enabled: the database tables are created automatically and future schema migrations are applied. If set to `false`, the database tables and any migrations must be created externally. IMPORTANT: Please consult the manufacturer before changing this value. |
| `spring.quartz.properties.org.quartz.jobStore.isClustered` | false | `true` | Boolean property that turns on the Quartz clustering features, which let multiple Quartz instances share the same set of database tables. |
| `purge.token.cron.expression` | false | `0 0 5 * * ?` | Cron expression used by the application scheduler to control how often application tokens, such as login refresh tokens, are deleted from the database. This is a cleanup task. The property value is represented as `[second minute hour day month weekday]`. Example: `0 0 5 * * ?` (the scheduled job runs every day at 5 am) |
| `update.cert.status.cron.expression` | false | `30 0 */12 ? * *` | Cron expression used by the application scheduler to control how often the application checks the validity of the certificates in the database and, where needed, updates their status to EXPIRED. This is a management task and should be executed at least daily. The property value is represented as `[second minute hour day month weekday]`. Example: `0 * * * * ?` (the scheduled job runs every minute) |
| `notify.cert.expiring.cron.expression` | false | `0 0 4 * * ?` | Cron expression used by the application scheduler to control how often the application checks whether email notifications about expiring certificates need to be sent. This is a management task and should be executed at least daily. The property value is represented as `[second minute hour day month weekday]`. Example: `0 * * * * ?` (the scheduled job runs every minute) |
| `logging.file.name` | false | - | Specifies the location where the application log files are stored. The name can be an absolute path or a path relative to the current directory. |
| `logging.level.app` | false | `WARN` | Specifies the log level of the log messages created directly by the application. |
| `logging.level.sql` | false | `WARN` | Sets the log level for the database layer. |
| `logging.level.web` | false | `WARN` | Sets the log level for the webserver layer. |
| `tomcat.ajp.enable` | false | `false` | If set to `true`, enables the additional embedded Tomcat AJP connector that is required by Apache HTTPd. |
| `tomcat.ajp.port` | false | `8701` | Specifies the port of the AJP connector. It is used only if `tomcat.ajp.enable` is set to `true`. |
| `tomcat.ajp.secret.required` | false | `false` | If set to `true`, specifies that an AJP secret is required by the AJP connector. It is used only if `tomcat.ajp.enable` is set to `true`. |
| `tomcat.ajp.secret` | false | - | Specifies the AJP secret used by the AJP connector. It is used only if `tomcat.ajp.enable` is set to `true`. |
| `server.servlet.context-path` | false | `/` | Context path of the application. |
| `server.port` | false | `8501` | Server HTTP port. |
| `mtg.clm.client.basic.client-id` | true | - | The Keycloak client id associated with the MTG Certificate Lifecycle Manager Server. |
| `mtg.clm.client.basic.client-secret` | true | - | The Keycloak client secret associated with the MTG Certificate Lifecycle Manager Server. |
| `mtg.clm.client.admin.base-url` | true | - | Keycloak Admin REST API base URL. Example: `example.com/auth/admin/realms/mtg-ers` |
| `spring.security.oauth2.resourceserver.jwt.issuer-uri` | true | - | Keycloak OpenID base URL. Example: `example.com/auth/realms/mtg-ers` |
| `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` | true | - | Keycloak public key endpoint that returns the public keys enabled for the realm, encoded as JSON Web Keys (JWK). Example: `example.com/auth/realms/mtg-ers/protocol/openid-connect/certs` |
| `mtg.clm.client.trustStore.path` | false | - | The location of a keystore file containing the trusted certificates used to verify all TLS connections initiated by the application. It can be used to override the default Java CA truststore. |
| `mtg.clm.client.trustStore.password` | false | - | The password protecting the truststore file (see property `mtg.clm.client.trustStore.path`). |
| `mtg.clm.client.trustStore.type` | false | - | The format of the truststore (see property `mtg.clm.client.truststore.path`). Valid values are `JKS`, `JCEKS` or `PKCS12`. Must be set if `mtg.clm.client.truststore.path` is set. |
| `mtg.clm.client.timeout-in-seconds` | false | `120` | An integer value specifying the timeout, in seconds, applied to all HTTP client connections. |
| `openid.client.truststore.path` | false | Defaults to the value of `mtg.clm.client.truststore.path` | The location of a keystore file containing the certificates used to verify the TLS connection to Keycloak. It can be used to override the default Java CA truststore. |
| `openid.client.truststore.password` | false | Defaults to the value of `mtg.clm.client.truststore.password` | The password protecting the truststore used for the TLS connection to Keycloak (see property `openid.client.truststore.path`). |
| `openid.client.truststore.type` | false | Defaults to the value of `mtg.clm.client.truststore.type` | The format of the truststore (see property `openid.client.truststore.path`). Valid values are `JKS`, `JCEKS` or `PKCS12`. |
| `mtg.clm.client.admin.timeout-in-seconds` | false | Defaults to the value of `mtg.clm.client.timeout-in-seconds` | An integer value specifying the connection timeout, in seconds, of the Keycloak admin client. |
| `mtg.clm.client.basic.timeout-in-seconds` | false | Defaults to the value of `mtg.clm.client.timeout-in-seconds` | An integer value specifying the connection timeout, in seconds, of the Keycloak client. |
| `mtg.clm.dbStartupValidator.intervalInSec` | false | `1` | An integer value specifying the interval, in seconds, between attempts to validate at startup that the database is running. |
| `mtg.clm.dbStartupValidator.timeoutInSec` | false | `60` | An integer value specifying the time, in seconds, after which the startup database validation is abandoned if it has not succeeded. |
| `billing.endpoints.enabled` | false | `false` | Defines whether the billing endpoint(s) are exposed by the application. |
| `management.elastic.metrics.export.enabled` | false | `false` | If set to `true`, metrics are sent to an OpenSearch server. Can be left empty. |
| `management.elastic.metrics.export.host` | false | - | Specifies the URL where the OpenSearch server can be accessed. Can be left empty. |
| `management.elastic.metrics.export.user-name` | false | - | Specifies the user who has access to the OpenSearch server. Can be left empty. |
| `management.elastic.metrics.export.password` | false | - | Specifies the password of the OpenSearch server user. Can be left empty. |
| `spring.profiles.include` | false | - | If set to `json-file-logging`, activates additional logging of the log data in JSON format, which supports sending the log data to an OpenSearch server. It should not be used if this is not required. If set to `audit-logging`, activates additional audit logging of the API calls; the logs are protected using a MAC. It should not be used if this is not required. These values can be combined, separated by a comma, to use several logging options simultaneously. |
| `crypto.module.builtin.default` | false | `false` | If set to `true`, when CLM automatically creates its first crypto module it prefers the built-in crypto module over a CARA-based crypto module. |
| `crypto.module.builtin.password` | false | - | The password that protects the private key of the built-in crypto module. |
| `frontend.base.url` | true | - | Base URL of the CLM UI; it does not need to contain a locale. |
| `notifications.creation.maxAttempts` | false | `24` | Maximum number of times a notification creation job is executed in case of failures. |
| `notifications.creation.intervalInHours` | false | `1` | The interval, in hours, between a failed execution of a notification creation job and its next execution. |
| `notifications.processing.maxAttempts` | false | `50` | Maximum number of times a notification processing job is executed in case of failures. |
| `notifications.processing.intervalInHours` | false | `1` | The interval, in hours, between a failed execution of a notification processing job and its next execution. |
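The following application.properties is an added illustration of how the required properties above fit together for a MariaDB deployment; it is not a file shipped with MTG CLM. Every host name, path and `<...>` placeholder is an assumption to be replaced, the `https://` scheme on the CARA and Keycloak URLs is assumed, and the truststore trio is shown together because the path is only usable when password and type are set as well.

```properties
# Constructed example (not shipped with MTG CLM): minimal application.properties
# for a MariaDB deployment. Host names, paths and <...> values are assumptions.

# Database profile: must match the JDBC driver used in spring.datasource.url
spring.profiles.active=mariadb
spring.datasource.url=jdbc:mariadb://localhost:3306/ra
spring.datasource.username=clm
spring.datasource.password=<database-password>

# MTG CARA connection (scheme is assumed; the name is the one configured in CARA)
cara.api.url=https://cara.example.com/cara-ws-server
cara.application.name=mtg-clm
cara.application.secret=<secret-created-during-cara-configuration>
# The truststore path requires password and type to be set with it
cara.ws.client.truststore.path=/etc/clm/cara-truststore.p12
cara.ws.client.truststore.password=<truststore-password>
cara.ws.client.truststore.type=PKCS12
cara.ws.client.tls.version=TLSv1.3

# Keycloak (hosts and realm are assumptions)
mtg.clm.client.basic.client-id=<keycloak-client-id>
mtg.clm.client.basic.client-secret=<keycloak-client-secret>
mtg.clm.client.admin.base-url=https://sso.example.com/auth/admin/realms/mtg-ers
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://sso.example.com/auth/realms/mtg-ers
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://sso.example.com/auth/realms/mtg-ers/protocol/openid-connect/certs

# UI base URL without locale
frontend.base.url=https://clm.example.com

# The AJP connector is only needed behind Apache HTTPd; leave it disabled otherwise.
# When enabling it, also set tomcat.ajp.secret.required=true and tomcat.ajp.secret.
tomcat.ajp.enable=false

# Scheduler defaults kept explicit so the review of the schedule is visible in the file
update.cert.status.cron.expression=30 0 */12 ? * *
notify.cert.expiring.cron.expression=0 0 4 * * ?
```

Secrets are shown as placeholders only; in a deployment they would normally come from a file with restricted permissions or from an externalized configuration source rather than being committed alongside the application.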

Additional properties that can be configured can be found here: docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html
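The three `*.cron.expression` properties use the Quartz six-field format `[second minute hour day month weekday]`, and two of them are documented as jobs that must run at least daily. To check what an expression actually does before deploying it, here is an added Python example written for this page (not part of MTG CLM or of Quartz) that parses that format and lists the next fire times; the reference date and all expressions are constructed. It supports `*`, `?`, lists, ranges and steps, enforces the Quartz rule that exactly one of the day and weekday fields is `?`, accepts an optional seventh year field without evaluating it, and rejects the `L`, `W` and `#` modifiers, which it does not implement.

```python
"""Quartz cron helper for the *.cron.expression properties.

Added example, not part of the MTG CLM documentation or product: parses
6-field Quartz cron expressions ([second minute hour day month weekday],
optional 7th year field accepted but ignored) and computes the next fire
times, so an operator can verify a schedule before deploying it and
confirm that the status-update and expiry-notification jobs run daily.
"""
from datetime import datetime, timedelta

FIELDS = ("second", "minute", "hour", "day", "month", "weekday")
# Inclusive value ranges per field; Quartz numbers weekdays 1 (SUN) to 7 (SAT).
BOUNDS = {"second": (0, 59), "minute": (0, 59), "hour": (0, 23),
          "day": (1, 31), "month": (1, 12), "weekday": (1, 7)}
DOW_NAMES = {"SUN": 1, "MON": 2, "TUE": 3, "WED": 4, "THU": 5, "FRI": 6, "SAT": 7}
MON_NAMES = {m: i + 1 for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split())}


def _value(field, token):
    """Convert one token (number or three-letter name) to an integer."""
    token = token.upper()
    if field == "weekday" and token in DOW_NAMES:
        return DOW_NAMES[token]
    if field == "month" and token in MON_NAMES:
        return MON_NAMES[token]
    return int(token)  # L, W and # modifiers end up here and raise ValueError


def _parse_field(field, spec):
    """Return the allowed values of a field, or None for '?' (unrestricted).

    Supports '*', single values, lists (a,b), ranges (a-b) and steps (*/n, a/n, a-b/n).
    """
    lo, hi = BOUNDS[field]
    if spec == "?":
        if field not in ("day", "weekday"):
            raise ValueError(f"'?' is only allowed in the day or weekday field, not {field}")
        return None
    allowed = set()
    for part in spec.split(","):
        base, step = (part.split("/", 1) + [None])[:2]
        step = int(step) if step is not None else None
        if step is not None and step < 1:
            raise ValueError(f"step must be positive in {field} field: {part}")
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            a, b = base.split("-", 1)
            start, end = _value(field, a), _value(field, b)
        else:
            start = _value(field, base)
            end = hi if step else start  # "5/15" means 5, 20, 35, ...
        if not lo <= start <= end <= hi:
            raise ValueError(f"{field} value out of range {lo}-{hi}: {part}")
        allowed.update(range(start, end + 1, step or 1))
    return allowed


def parse_cron(expression):
    """Parse a Quartz cron expression into a dict of field -> allowed values."""
    parts = expression.split()
    if len(parts) not in (6, 7):
        raise ValueError("expected [second minute hour day month weekday] plus optional year")
    spec = {field: _parse_field(field, token) for field, token in zip(FIELDS, parts)}
    # Quartz requires exactly one of day-of-month and day-of-week to be '?'.
    if (spec["day"] is None) == (spec["weekday"] is None):
        raise ValueError("exactly one of the day and weekday fields must be '?'")
    return spec


def is_valid_cron(expression):
    """True if the expression parses under the rules above."""
    try:
        parse_cron(expression)
        return True
    except ValueError:
        return False


def next_fire_times(expression, start, count=3):
    """Return the next `count` fire times strictly after `start` (datetime or ISO string).

    Each mismatching field advances the candidate to the start of the next
    month/day/hour/minute/second, so no second-by-second scan over long gaps is needed.
    """
    spec = parse_cron(expression)
    t = start if isinstance(start, datetime) else datetime.fromisoformat(start)
    t = t.replace(microsecond=0) + timedelta(seconds=1)
    results, guard = [], 0
    while len(results) < count:
        guard += 1
        if guard > 1_000_000:
            raise RuntimeError("no fire time found; the expression may never match")
        if t.month not in spec["month"]:
            year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
            t = t.replace(year=year, month=month, day=1, hour=0, minute=0, second=0)
            continue
        dow = t.isoweekday() % 7 + 1  # Python Mon=1..Sun=7 -> Quartz Sun=1..Sat=7
        if not ((spec["day"] is None or t.day in spec["day"]) and
                (spec["weekday"] is None or dow in spec["weekday"])):
            t = (t + timedelta(days=1)).replace(hour=0, minute=0, second=0)
            continue
        if t.hour not in spec["hour"]:
            t = (t + timedelta(hours=1)).replace(minute=0, second=0)
            continue
        if t.minute not in spec["minute"]:
            t = (t + timedelta(minutes=1)).replace(second=0)
            continue
        if t.second not in spec["second"]:
            t += timedelta(seconds=1)
            continue
        results.append(t)
        t += timedelta(seconds=1)
    return results


def max_interval_hours(expression, start, samples=10):
    """Largest gap in hours between consecutive fire times after `start`; <= 24 means daily."""
    times = next_fire_times(expression, start, samples)
    return max((b - a).total_seconds() / 3600 for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    reference = "2024-03-01T12:00:00"  # constructed reference time
    for expr in ("0 0 5 * * ?", "30 0 */12 ? * *", "0 0 4 * * ?", "0 * * * * ?"):
        fires = [f.isoformat() for f in next_fire_times(expr, reference, 3)]
        print(f"{expr!r}: next {fires}, max interval {max_interval_hours(expr, reference):.1f} h")
```

Running it shows that the documented defaults fire every 24 hours (`0 0 5 * * ?`, `0 0 4 * * ?`) and every 12 hours (`30 0 */12 ? * *`), and that an expression such as `0 0 4 ? * MON` would silently turn the daily certificate checks into weekly ones, which is exactly the kind of drift `max_interval_hours` is meant to catch.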