Configuration / Environment Variables
Configuration parameters are a central aspect of setting up DMC. They control not only basic settings but also database configuration, authentication, and styling.
Parameters can be set in three ways:
- As environment variables (
DMC_...). This option is particularly relevant for deployments in Docker containers. - As parameters in a
.propertiesfile. In this case, at least the path to the file must be provided in the environment variableDMC_CONFIGURATION. - In a standalone deployment, parameters can also be passed directly on the command line:
java -jar dmc.war --DMC_LOG_LEVEL=TRACE
The configuration (environment variables / configuration file) contains sensitive data such as the credentials of the technical database user or the application administrator password. This data must be protected appropriately outside DMC as well.
For a configuration file, this may include restrictive read permissions limited to the system user under which DMC runs. For environment variables in a container, restricting access to the container itself is one option.
Example
Environment variable DMC_CONFIGURATION=C:/config/dmc.properties
DMC_LOG_LEVEL=DEBUG
DMC_LICENSE_PATH=C:/config/dmc-license.lic
DMC_SALT=someRandomStringOfArbitraryLength
# For development purposes only - see note below!
DMC_AUTH=db
DMC_ADMIN_PASSWORD.adminPassword=yourpasswordhere
DMC_DB_JDBC_URL=jdbc:sqlserver://db-host.net:1433;database=dmc-db
DMC_DB_SCHEMA=dbo
DMC_DB_USER=dmc-test-user
DMC_DB_PASSWORD=yourpasswordhere
DMC_DB_TYPE=mssql
DMC_DB_DRIVER=com.microsoft.sqlserver.jdbc.SQLServerDriver
DMC_SCHEMA_UPDATE=true
DMC_SCHEMA_CONTEXTS=schema,baseContent,adminUser
(...)
In the Docker and Compose files, some variables are already preconfigured. The remaining variables are listed in the dmc.env file.
Both the names of environment variables and the keys in a .properties file are case-sensitive and must be specified exactly as shown!
The following variables/parameters are available:
Basic Settings
| Basic Settings | |
|---|---|
DMC_SALT | Salt value (used for e.g. password hashing) |
DMC_LICENSE | DMC license key (Base64-encoded) |
DMC_LICENSE_PATH | Path to the license file (including filename) : ignored if DMC_LICENSE is set |
DMC_SECURE_COOKIE | Controls whether DMC session cookies are "secure" (i.e. HTTPS only). Defaults to true, which can cause issues when running DMC without HTTPS : in that case set this to false. |
DMC_CORS_ALLOWED_ORIGINS | Hostnames from which DMC may be accessed (e.g. an alternative frontend host or a reporting server for annotations). Multiple hostnames can be provided as a comma-separated list. Wildcards (*) are supported. Example: *.infomotion.de or test.infomotion.de,dev.infomotion.de NOTE: enabling CORS automatically sets cookies to secure : HTTPS is then mandatory! |
DMC_EXPOSE_SESSIONID_FOR_USERS | Controls for which users the server returns the session ID in plaintext to the browser upon login. Normally the session ID is only sent as a secured cookie to prevent theft via malicious browser JavaScript. In certain special cases (e.g. when DMC is integrated as an annotation backend in reporting solutions) the session ID must be accessible via JavaScript. Accepts a comma-separated list of usernames (e.g. names of technical users for annotation) or * as a wildcard for all users. |
Authentication & Authorization
| Authentication / Authorization | |
|---|---|
DMC_AUTH | Authentication method(s), comma-separated list (ad, openId, db : see note below). |
DMC_ADMIN_PASSWORD | Resets the admin user's password (if present) to the given value on application startup : the password must be provided in plain text here! |
DMC_ADMIN_GROUP | Administrator group name, defaults to "admin" |
DMC_ROLE_MAPPING | Optional fixed mapping in JSON format from external roles (AD or OpenID groups, Snowflake roles) to DMC internal user groups. |
DMC_ROLE_MAPPING_FILE | Optional path to a JSON file containing fixed role mappings (see above) |
The built-in authentication (DMC_AUTH=db) does not support password policies or multi-factor authentication.
We strongly advise against using this authentication method outside of development or test environments!
Where possible, and especially for production environments, authentication via Active Directory/LDAP or OpenID/Entra should be used.
Standalone Deployment
The following variables are only relevant for the standalone deployment without an external Tomcat application server. They configure the embedded application server:
| Standalone Deployment | |
|---|---|
DMC_PORT | TCP port on which the embedded application server accepts connections. (Default: 8080) |
DMC_SESSION_TIMEOUT | Session timeout for the embedded application server. (Default: 20 minutes) |
DMC_SSL_ENABLE | Set to true to enable SSL/HTTPS encryption for the embedded application server. In this case it is recommended to set DMC_PORT to 443 or 8443. Certificates must also be configured (see below). |
DMC_SSL_PEM_CERTIFICATE | Public part of the server certificate. See Notes on Certificates below. |
DMC_SSL_PRIVATE_KEY | Private key of the server certificate. See Notes on Certificates below. |
DMC_SSL_PRIVATE_KEY_PASSWORD | Password for the private key, if encrypted. |
Logging
| Logging | |
|---|---|
DMC_LOG_PATH | Path to the log file : if not set, logs are written to STDOUT |
DMC_LOG_STDOUT | Set to true to enable logging to STDOUT. Automatically true if no DMC_LOG_PATH is defined, otherwise defaults to false. |
DMC_LOG_LEVEL | Log verbosity level (Default: INFO; also available: DEBUG, TRACE, WARN, ERROR) |
DMC_LOG_LEVEL_AD | Log verbosity for LDAP/AD integration (Default: same as DMC_LOG_LEVEL; also available: DEBUG, TRACE, WARN, ERROR) |
DMC_LOG_LEVEL_OPENID | Log verbosity for OpenID integration (Default: same as DMC_LOG_LEVEL; also available: DEBUG, TRACE, WARN, ERROR) |
DMC_LOG_PATTERN | Format/structure of log entries |
DMC_LOG_CHARSET | Character set for the log file (Default: UTF-8) |
DMC_LOG_BUFFER_SIZE | Buffer size for the Actuator REST endpoint log. (Default: 1000) |
When log settings (DMC_LOG_LEVEL, DMC_LOG_LEVEL_AD, DMC_LOG_LEVEL_OPENID) are set to DEBUG or TRACE, sensitive or personal data (in particular usernames and role assignments) may be logged.
In this case, appropriate measures must be taken to adequately protect the contents of the log files and/or the application or container output. If personal data is logged, data protection regulations must also be observed.
Database
| Database Configuration | |
|---|---|
DMC_DB_TYPE | Database type (mssql, oracle, postgres, h2) |
DMC_DB_DRIVER | Matching JDBC driver class |
DMC_DB_JDBC_URL | JDBC URL |
DMC_DB_USER | Database username |
DMC_DB_PASSWORD | Database password |
DMC_DB_SCHEMA | Database schema |
DMC_SCHEMA_UPDATE | Controls whether the DMC data model should be updated automatically on startup. Defaults to false, but should generally be set to true |
DMC_SCHEMA_CONTEXTS | Comma-separated list defining which content should be deployed once to the database (typically schema,baseContent; optionally adminUser to create an admin/admin user) |
DMC_TIMEZONE | Sets the database timezone for change timestamps. Default: Central European Standard Time. Note: Only relevant for MSSQL e.g. Azure SQL Databases do not support timezone configuration natively. |
DMC_DB_BULK_LOAD_STRATEGY | Load strategy for large data sets (SingleBatch, Batched, or AsyncBatched) |
DMC_DB_BULK_LOAD_BATCH_SIZE | Batch/packet size for Batched and AsyncBatched load strategies |
DMC_DB_BULK_LOAD_ASYNC_POOL_SIZE | Number of threads for parallel loading |
LDAP/AD Authentication
Only applicable when DMC_AUTH is set to ad.
| LDAP/AD Authentication | |
|---|---|
DMC_LDAP_URL | URL of the LDAP server (e.g. ldap://ldap.example.com:389 or ldaps://ldap.example.com:663) |
DMC_LDAP_USERNAME | Username with read access to the LDAP server (for querying groups) |
DMC_LDAP_PASSWORD | Password for the LDAP user |
DMC_LDAP_SEARCH_BASE | DN of the starting point for user searches (e.g. ou=Users,dc=example,dc=com) |
DMC_LDAP_SEARCH_FILTER | Filter for user searches, defaults to (&(objectClass=user)(sAMAccountName=%s)) |
DMC_LDAP_USERNAME_ATTRIBUTE | Attribute containing the username, defaults to sAMAccountName for Active Directory |
DMC_LDAP_DEFAULT_DOMAIN | Default domain for usernames |
DMC_LDAP_PEM_CERTIFICATE | Public certificate of the LDAP/AD server or its issuing CA. See Notes on Certificates below. |
DMC_LDAP_BIND_DN_TEMPLATE | If an LDAP server (unlike AD) requires a full DN for login, this template can be used to construct a DN from the username. Example: cn=%s,ou=users,dc=example,dc=com |
OpenID Authentication
Only applicable when DMC_AUTH is set to openId.
| OpenID Authentication | |
|---|---|
DMC_OPENID_ISSUER | For Microsoft: https://login.microsoftonline.com/{Tenant}/v2.0 |
DMC_OPENID_DISCOVERY_URL | For Microsoft: https://login.microsoftonline.com/{Tenant}/v2.0/.well-known/openid-configuration |
DMC_OPENID_CLIENT_ID | The client ID of the app registration |
DMC_OPENID_JWKS_URL | For Microsoft: https://login.microsoftonline.com/{Tenant}/discovery/v2.0/keys |
DMC_OPENID_USER_INFO_URL | For Microsoft: https://graph.microsoft.com/oidc/userinfo |
DMC_OPENID_USERNAME_CLAIM | Defaults to preferred_username |
DMC_OPENID_ROLES_CLAIM | For Microsoft: groups |
DMC_OPENID_SCOPE | Defaults to openid email profile (without quotes) |
DMC_OPENID_KEEP_CLAIM_ROLES | Adopt roles/groups from OpenID directly as DMC roles without mapping, defaults to false |
DMC_OPENID_MAP_CLAIM_ROLES | Map roles/groups from OpenID to DMC roles via role mapping, defaults to true |
DMC_OPENID_LOGIN_LABEL | The label shown for the OpenID login option in the UI. Defaults to "OpenId" |
Mail Settings
Settings for outgoing email, for example sent by QS mail tasks.
| Mail Settings | |
|---|---|
DMC_MAIL_HOSTNAME | Hostname of the mail server (SMTP) |
DMC_MAIL_PORT | Port of the mail server (SMTP), defaults to 25 |
DMC_MAIL_TLS | Set to true to contact the mail server via TLS, defaults to false |
DMC_MAIL_USERNAME | Username for the mail server |
DMC_MAIL_PASSWORD | Password for the mail server |
DMC_MAIL_FROM_ADDRESS | Sender address for emails sent by DMC |
Deployment Settings
These settings relate to Deployment. They allow extensive customization of the folder and file structure generated when exporting DMC content.
| Deployment Settings | |
|---|---|
DMC_EXPORT_INCLUDE_UUID_IN_PATH | Whether to include the UUID in filenames when exporting objects (Default: true) |
DMC_EXPORT_PATH_DOMAIN | Path for value lists within an exported deployment set |
DMC_EXPORT_PATH_CATEGORY | Path for categories within an exported deployment set |
DMC_EXPORT_PATH_TABLE | Path for tables within an exported deployment set |
DMC_EXPORT_PATH_COMMAND | Path for commands within an exported deployment set |
DMC_EXPORT_PATH_QS_RULE | Path for QS rules within an exported deployment set |
DMC_EXPORT_PATH_DEPLOYMENT_SET | Path for deployment sets within an exported deployment set |
DMC_EXPORT_PATH_TASK | Path for tasks within an exported deployment set |
DMC_EXPORT_PATH_DELETED_DOMAIN | Path for deleted value lists within an exported deployment set |
DMC_EXPORT_PATH_DELETED_CATEGORY | Path for deleted categories within an exported deployment set |
DMC_EXPORT_PATH_DELETED_TABLE | Path for deleted tables within an exported deployment set |
DMC_EXPORT_PATH_DELETED_COMMAND | Path for deleted commands within an exported deployment set |
DMC_EXPORT_PATH_DELETED_QS_RULE | Path for deleted QS rules within an exported deployment set |
DMC_EXPORT_PATH_DELETED_DEPLOYMENT_SET | Path for deleted deployment sets within an exported deployment set |
DMC_EXPORT_PATH_DELETED_TASKS | Path for deleted tasks within an exported deployment set |
DMC_DEPLOY_TABLE_USER_PERMISSIONS | Whether to export user permissions together with tables (Default: true) |
DMC_DEPLOY_TABLE_ROLE_PERMISSIONS | Whether to export role permissions together with tables (Default: true) |
DMC_SNAPSHOTS_PATH | Path of the ZIP file when creating a snapshot |
DMC_IMPORT_DEMO_CONTENT | Whether to load demo content into DMC on startup (Default: false). Note: currently only compatible with MSSQL. |
DMC_IMPORT_ADDITIONAL_CONTENT_PATH | Path to additional content that should be loaded on the initial DMC startup |
Theme Settings
The frontend only accepts six-digit hexadecimal color values (e.g. #fafafa). Any other format will be ignored.
| Theme Settings | |
|---|---|
DMC_THEME_PRIMARY | Primary theme color |
DMC_THEME_ACCENT | Accent color |
DMC_THEME_MAIN_BG | Main background color |
DMC_THEME_SEC_BG | Secondary background color |
DMC_THEME_ERROR | Color for errors |
DMC_THEME_WARN | Color for warnings |
DMC_THEME_INFO | Color for informational messages |
DMC_THEME_VALID | Color for valid input |
DMC_THEME_HEAD1 | Heading color 1 |
DMC_THEME_HEAD2 | Heading color 2 |
DMC_THEME_HEAD3 | Heading color 3 |
DMC_THEME_NAV_TEXT | Color of navigation entries |
DMC_THEME_ICON | Color of special icons (controls use DMC_THEME_PRIMARY) |
DMC_THEME_CONTRAST_LIGHT | Light contrast color |
DMC_THEME_CONTRAST_DARK | Dark contrast color |
DMC_THEME_LOGO_PATH | Path to the logo file |
DMC_THEME_ICON_PATH | Path to the icon file |
DMC_THEME_TITLE | Application title |
Tasks & Triggers
| Tasks & Triggers | |
|---|---|
DMC_TASKS_CRON_POOL_SIZE | Number of threads used for scheduled task execution |
DMC_TASKS_QS_MAIL_TEMPLATE_FILE | Path to the template file for QS mail tasks |
Additional Variables
| Additional Variables | |
|---|---|
DMC_TRIM_ALL_PKS | Set to true to automatically trim leading/trailing whitespace from values in primary key columns. (Default: false) |
DMC_TRIM_ALL_NON_PKS | Set to true to automatically trim leading/trailing whitespace from values in non-primary-key columns. (Default: false) |
DMC_TRIM_ALL | Set to true to automatically trim leading/trailing whitespace from values in all columns. (Default: false) |
DMC_APP_EXPORT_TECHNICAL_COLUMN_NAMES | Whether to use technical column names instead of DMC column names in CSV/XLSX exports (Default: false) |
DMC_APP_UPLOAD_PATH | Temporary folder for CSV/XLSX uploads |
DMC_DB_SQL_PER_BYTE_CHAR | Divisor for converting bytes per character to the allowed character length (Default: 1) |
DMC_ENABLE_ACTUATOR_ENV | Set to false to disable the Actuator REST endpoint env. |
DMC_ENABLE_ACTUATOR_LOG | Set to false to disable the Actuator REST endpoint log. |
DMC_ENABLE_OPENAPI | Set to true to enable the built-in API documentation (/api/docs.yaml, /swagger-ui) |
Snowflake
Only relevant for DMC on Snowflake/Snowpark deployments.
Connection
| Connection | |
|---|---|
SNOWFLAKE_ACCOUNT | Snowflake account identifier (required) |
SNOWFLAKE_HOST | Snowflake host (required) |
SNOWFLAKE_DATABASE | Snowflake database (required) |
SNOWFLAKE_SCHEMA | Snowflake schema (required) |
SNOWFLAKE_USERNAME | Snowflake username (required except for OAuth) |
SNOWFLAKE_WAREHOUSE | Snowflake warehouse to use |
SNOWFLAKE_QUERY_TAG | Query tag attached to Snowflake queries. (Default: DMC) |
SNOWFLAKE_TRACING | Tracing level for the Snowflake JDBC driver. (Default: OFF) |
Authentication
DMC supports three authentication methods against Snowflake. The method is selected automatically based on which variables are set:
- JWT: if
SNOWFLAKE_PRIVATE_KEY_FILEis set - OAuth: if neither
SNOWFLAKE_PRIVATE_KEY_FILEnorSNOWFLAKE_PASSWORDare set - Password: if
SNOWFLAKE_PASSWORDis set (and no private key file)
| Authentication | |
|---|---|
SNOWFLAKE_PASSWORD | Snowflake password (password authentication) |
SNOWFLAKE_PRIVATE_KEY_FILE | Path to the private key file (JWT authentication) |
SNOWFLAKE_PRIVATE_KEY_PWD | Password for the private key file, if encrypted (JWT authentication) |
Synchronization
| Synchronization | |
|---|---|
DMC_SNOWFLAKE_REPLICATION | Enables data synchronization into the Snowflake schema. Must be set to true. |
DMC_SNOWFLAKE_MAX_DELAY | Maximum replication delay in milliseconds. (Default: 10000) |
DMC_SNOWFLAKE_MERGE_INLINE_THRESHOLD | Number of terminated records below which an inline merge is used instead of a temp-table merge. (Default: 1000) |
DMC_SNOWFLAKE_INSERT_CHUNK_SIZE | Batch size for streaming new records into Snowflake during synchronization. (Default: 250000) |
Notes on Certificates
Certificates can be provided as a path to a PEM file. Alternatively, the file content (i.e. the certificate itself) can be passed directly as a multi-line value:
DMC_SSL_PEM_CERTIFICATE=file:/path/to/pem.crt
## or
DMC_SSL_PEM_CERTIFICATE="-----BEGIN CERTIFICATE-----
(...)
-----BEGIN CERTIFICATE-----"
If the certificate was signed by a custom CA, the PEM file must contain the full chain (server certificate + CA certificate):
-----BEGIN CERTIFICATE-----
(... server certificate ...)
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(... CA certificate ...)
-----BEGIN CERTIFICATE-----
Private Keys
Private keys can also be provided either as a path to a PEM file or directly (multi-line) as a variable value:
DMC_SSL_PRIVATE_KEY=/path/to/pem.key
## or
DMC_SSL_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
(...)
-----BEGIN PRIVATE KEY-----"
Optionally, the private key can be protected with a passphrase : however, DMC must also have access to it:
DMC_SSL_PRIVATE_KEY="-----BEGIN ENCRYPTED PRIVATE KEY-----
(...)
-----BEGIN ENCRYPTED PRIVATE KEY-----"
DMC_SSL_PRIVATE_KEY_PASSWORD="(...)"