@@ -84,4 +64,4 @@ function navigateToNewVersion() {
.version-selector {
margin-top: 20px;
}
-
\ No newline at end of file
+
diff --git a/docs/src/.vuepress/public/llms-full.txt b/docs/src/.vuepress/public/llms-full.txt
new file mode 100644
index 000000000..419f480a1
--- /dev/null
+++ b/docs/src/.vuepress/public/llms-full.txt
@@ -0,0 +1,11033 @@
+# Data Sharing Framework (DSF)
+
+> The Data Sharing Framework (DSF) is a secure middleware for distributing data sharing processes based on BPMN 2.0 and FHIR R4 standards. It enables biomedical researchers to extract, merge, pseudonymize, and share data across organizational boundaries. Funded by the German Federal Ministry of Research, Technology and Space within the Medical Informatics Initiative (MII). Website: https://dsf.dev
+
+---
+
+## Introduction
+Source: https://dsf.dev/explore/concepts/introduction.html
+
+The [German Federal Ministry of Research, Technology and Space](https://www.bmftr.bund.de/) is funding the [Medical Informatics Initiative](https://www.medizininformatik-initiative.de/en/start) with the aim of making routine data available digitally, reliably and quickly for medical research. University hospitals have founded consortia with partners such as research institutions and other companies to create the conditions for research and patient care to share their data across sites. Data Integration Centers (DIC) have been established at the university hospitals and partner institutions to create the technical and organizational conditions for data exchange between patient care and medical research.
+
+
+
+The **Data Sharing Framework (DSF)** was developed within the HiGHmed consortium of the Medical Informatics Initiative and is now funded as an independent project by the German Federal Ministry of Research, Technology and Space within the Medical Informatics structure as *[DSF Community](https://www.gesundheitsforschung-bmbf.de/de/dsf-medizininformatik-struktur-data-sharing-framework-community-16133.php)*.
+
+The DSF is a concept for a secure middleware to distribute data sharing processes, aiming to extract, merge, pseudonymize and provide data stored in multiple distributed DICs. A researcher can use the DSF for example to submit feasibility queries to several DICs and thus has the opportunity to obtain sufficient data from different locations for his or her research. By using international standards such as FHIR and BPMN 2.0, the problem of heterogeneous data models, primary systems, architectures and federated legislation between DICs can be solved. The aim is to enable secure and syntactically-, semantically- and process-interoperable data exchange across organisational boundaries.
+
+
+
+The DSF is a secure communication infrastructure, that (1) scales with communication relationships, (2) orchestrates processes and instances, (3) separates execution logic from program code, (4) enables automated and user-centeric process steps (5) and can be used for heterogeny structures.
+
+
+
+---
+
+## Basics
+Source: https://dsf.dev/explore/concepts/basics.html
+
+Here you can find some basic information about interoperability and the standards were using within the DSF before we go into details about the architecture. Here we only describe how the standards (FHIR and BPMN) are used within the DSF. If you want to gain a deeper knowledge of the standards, we recommend visiting these websites: [HL7 FHIR](https://www.hl7.org/fhir/) and [BPMN](https://www.bpmn.org/)
+
+## Interoperability
+Interoperability is the ability of different systems to work together as seamlessly as possible. We can divide interoperability into four levels.
+- The *foundational level* defines the basic interconnectivity requirements which are necessary for a system or application to securely transmit data to and receive data from another system or application. Techniques such as HTTPS or REST are used for this.
+- The second level is the *structural level*. It defines the format and the syntax of the data exchange. Therefore, data formats like JSON or XML can be used.
+- The *semantic level* ensures the correct interpretation of the contents of the exchanged data between the different systems. Therefore, information models as FHIR or CDA or medical terminology systems like SNOMED CT or ICD can be used.
+- The final level, the *organizational level*, includes policy, social, legal and organizational aspects that enable secure, seamless and timely communication and use of data both within and between organizations. And importantly, these components enable shared consent, trust and integrated end-user processes and workflows.
+
+
+
+
+## HL7 FHIR :fire:
+[HL7 FHIR](https://www.hl7.org/fhir/) is a standard for data exchange that can be used as an information model for communication within and between systems. The standard is based on resources, references and profiles. With this concept, FHIR offers interoperability out of the box. The resources describe data formats. 150 specified resources cover the entire health system. An example of a resource would be a patient, which consists of data such as name or gender. These resources can refer to other resources by means of references. This connects the information units into a network. For seamless exchange of information, FHIR supports RESTful architectures and web standards such as XML or JSON, which makes it easier for developers to use FHIR.
+The FHIR profiles can be understood as a set of rules. They explain, for example, which attributes must be mandatorily specified or which terminology may be used. In addition, profiles and controlled vocabulary can be validated.
+
+## BPMN
+[Business Process Modelling Notation](https://www.bpmn.org/) is a modelling language that can be used to model and implement processes. The models can be used for the documentation of processes and for communication between different stakeholders. Furthermore, BPMN forms a standardised bridge between process design and process implementation. This is because it simplifies implementation. These processes are executed by a Business Process Engine. Basically, a BPE is a server that can read and execute the business process. More about this in the section on architecture.
+
+
+
+## Why are we using FHIR and BPMN?
+On the one hand we use FHIR because of the mentioned benefits. On the other hand FHIR fits great with BPMN and these two in combination are a great fit for what we do:
+*Execute distributed data sharing Processes.*
+
+We do not need all 150 FHIR resources. The following FHIR resources are the ones we need and have implemented: *ActivityDefinition, Binary, Bundle, CodeSystem, DocumentReference, Endpoint, Group, Library, Measure, MeasureReport, NamingSystem, Organization, Questionnaire, QuestionnaireResponse, ResearchStudy, StructureDefinition, Subscription, Task and ValueSet.*
+
+Don't worry, it is not important to understand them all now. But to understand why we use FHIR and BPMN, it is important to look at the *ActivityDefinition* and *TaskResources* on the FHIR side and the *Message Events* on the BPMN side.
+In the following picture you can see parts of BPMN. These *Message Events* enable the communication between different organizations. Every time there is a *Message Event* between two business processes, there is a corresponding *TaskResource* on the FHIR side. When one organization sends a message for example “do some work” to another organization or when we send a message to ourselves to start or continue a process, we do this by creating a FHIR *TaskResource* with the status “requested”. After that the Business Process Engine starts the work and the status switches to “in-progress” and if the work is done to “completed” or if there is a problem to “failed”.
+
+The *ActivityDefinition* is needed to publish what can be done in an instance. That means the *ActivityDefinition* contains the process description with the authorisation who is allowed to send a message.
+
+
+
+---
+
+## Architecture
+Source: https://dsf.dev/explore/concepts/architecture.html
+
+The Data Sharing Framework implements a distributed business process engine based on the BPMN 2.0 and FHIR R4 standards. Every participating organisation (e.g. ORG. A) runs a FHIR endpoint accessible by other sites and a business process engine (BPE) in the local secured network. Once the DSF has been installed in an organisation, it can be used for multiple use cases.
+
+
+
+The following architecture diagram also shows three organisations, each of which has installed the DSF. The FHIR endpoint (green) is located in a demilitarised zone (DMZ) and is accessible from outside for communication with other organisations. It can be compared to a mailbox. The Business Process Engine (BPE - blue) is located in the intranet of an organisation and is responsible for the execution of processes. The metaphor: control centre helps here.
+
+
+
+
+
+## DSF FHIR Server
+As mentioned above, the externally accessible DSF FHIR server acts as a mailbox for communication. This means that an organisation creates a task resource in its DSF and drops the task resource (letters) into the mailbox of another organisation, requesting that something happen. Task resources have been explained in more detail in the section [Basics and Standards](basics).
+It is important to understand that the DSF FHIR server is not used for persisting medical data.
+
+
+
+
+
+## Business Process Engine (BPE)
+The BPE located in the secure internal network executes the processes (BPMN/Java). The BPE is deployed in the internal network and has access to the local systems, such as the organisation's own FHIR server, on which medical data is stored. These FHIR servers are not to be confused with the DSF FHIR server, on which no medical data is persisted.
+Different processes can be executed simultaneously. For this, only a new process plugin file has to be added and configured. More about this in the [Process Plugins](process-plugins).
+
+
+
+
+
+The DSF BPE uses websocket (WSS) and webservice (HTTPS) connections to communicate with the DSF FHIR server. FHIR resources are created, read, updated and deleted via HTTP requests against the FHIR webservice API. The FHIR subscription mechanism is used to communicate Task resources with status 'requested' and QuestionnaireResponse resources with status 'completed' to the BPE via websockets. When the BPE starts and before the websocket connections are established, 'requested' Task resources and 'completed' QuestionnaireResponse not seen by the BPE are read via webservice requests.
+
+## Flexible Deployment
+The deployment of the architecture is flexible. The organisations can be deployed as a *star* schema (left) or as a *mesh* schema (right). In the Star schema (left), all Data Integration Centres (DIC) are connected to a central node (CRR - Central Research Repository), which transfers the information to all nodes (DIC). For security reasons, a data transfer hub (DTH) is connected upstream, which provides additional security so that the medical data is never transferred together with the authenticating data.
+
+In the mesh scheme (right), the nodes (DIC) are all directly connected to each other and the information is transferred from node to node. Here in the FDPG (Forschungsdatenportal - Research Data Portal), the data can then be accessed for research purposes. More about this [here](/explore/use-cases/feasibility).
+
+ 
+
+## Network Setup & Additional Reverse Proxy in external DMZ
+You can find more information about the network setup [here](/explore/concepts/network-setup)
+
+---
+
+## Security
+Source: https://dsf.dev/explore/concepts/security.html
+
+## Basics Security
+The open-source Data Sharing Framework is EU-GDPR compliant and meets the highest security standards by design. DSF FHIR servers only accept certain FHIR resources from internal systems/administrators (e.g. tasks, binary resources...). In addition, the communication partners are defined via Allow Lists. This means that an organisation can only communicate with organisations that are included in the allow list of approved organisations of the participating organisations. More information about allow lists can be found in the [next chapter](allow-list).
+For transport encryption, the TLS protocol is used. Secure Web Socket (WSS) connections provide security for the connection between the DSF FHIR server (DMZ) and the BPE (internal network). In addition, the DSF is being actively developed and there is an excellent community, both of which guarantee fast security patches.
+
+
+
+
+
+## Authentication
+Authentication of organizations within the DSF is handled by the use of X.509 client and server certificates. The DSF supports a configurable whitelist of certificate authorities. All participating organizations are entered in a distributed and synchronized allow-list of valid organizations and certificates.
+
+A webserver certificate is needed to run the FHIR endpoint and a 802.1X client certificate is used to authenticate against other organizations endpoints and as a server certificate for the business process engine.
+
+More information about client and server certificates can be found [here](/operations/latest/install#client-server-certificates).
+
+---
+
+## Allow List
+Source: https://dsf.dev/explore/concepts/allow-list.html
+
+## Goal
+The main objective is to allow only authorized organizations to do what "we" allow them to do (e.g. query data).
+First, we need a list of organizations that we trust. Secondly, we need a way to ensure that the other party is a member of the parent organization. Thirdly, a list of actions we want to allow the organization to perform is needed. An organization can have different roles in different use cases.
+
+The Allow List consists of Organization-, Endpoint- and OrganisationAffiliation- resources. With these resources the allow list defines communication partners and and parent organizations like research consortia and groups as well as the roles of each organization. Each DSF FHIR server stores their own allow list. To make sure that processes can be executed, parties must allow access via their allow list.
+
+## Allow List Managment
+[Here](/operations/latest/allowList-mgm.md) you can read all the information if you want to create or update an Allow List.
+
+If you have the need for allowlist management feel free to contact us via E-Mail (dsf-gecko@hs-heilbronn.de) and we will take care of your request as soon as possible.
+
+---
+
+## Process Plugins
+Source: https://dsf.dev/explore/concepts/process-plugins.html
+
+## Overview
+It is important to understand that the DSF is *only* the silent helper in the background: a middleware. The DSF is use case agnostic. This means that process plugins make it possible to execute almost any use case you can imagine with the DSF. Process plugins provide individual functionality.
+
+However, it is possible to deploy several process plugins parallel on the same DSF instance, even the same process plugin in different versions. A process plugin is basically an archive of BPMN 2.0 models, FHIR R4 resources and Java code. This process plugin is deployed as a Jar file on the BPE.
+
+## BPMN: Example
+BPMN models can be created with [Camunda Modeler](https://camunda.com/de). The following model is a BPMN model consisting of two lanes: These are the square boxes, i.e. Organization A and B. This process is intended only as an example to illustrate the formalities.
+
+
+
+## Ping Pong Process as an example Process Plugin
+The [ping process plugin](https://github.com/datasharingframework/dsf-process-ping-pong) can be used for (periodic) connection testing between organizations that are part of your DSF allow list. The following figure shows a representation of the process.
+
+
+
+
+The ping pong process is composed of 3 different subprocesses:
+### Autostart Ping Process
+The autostart ping process is used to execute connection tests in a predefined interval. This subprocess performs the following steps:
+
+- Start a timer with a predefined interval (default 24 h)
+- Start the ping process once per interval
+- Stop the timer after the current interval completes
+
+### Ping Process
+The ping process is used to check outgoing and incoming connections to organizations in your allow-list. This subprocess performs the following steps:
+
+- Select organizations in your allow list that should receive a ping message
+- Send ping message to selected organizations
+- Receive pong message from selected organizations
+- Log status of ping/pong messages
+- Log errors if any occur
+
+### Pong Process
+The pong process is used to send a response during the connection test to the requesting organization. This subprocess performs the following steps:
+
+- Receive ping message from requesting organizations
+- Send pong message to requesting organizations
+- Log status of ping/pong message
+- Log errors if any occur
+
+
+
+---
+
+## Network Setup
+Source: https://dsf.dev/explore/concepts/network-setup.html
+
+The Data Sharing Framework consists of two components: A FHIR Endpoint Server used to except Task resources and provide resources for download by other organizations and a Business Process Engine Server run internal and not accessible by other organization to execute and coordinate processes.
+
+
+
+- FHIR Reverse Proxy: The FHIR Reverse Proxy is used to terminate incoming https connections to the FHIR App Server. The Reverse Proxy needs to be accessible on port 443 from the internet. Incoming https connection will be delegate as http on a docker internal network to the FHIR App Server.
+- FHIR App Server: The FHIR App Server is used as a FHIR Endpoint for incoming Task resources and providing resources for download by other organizations. In order to validate incoming FHIR resources the server will communicate with FHIR Servers at other organizations. Access to resources and authorization for creating or updating resources is granted based on the content of the resource and/or based on the client (identified by its client certificate) being part of an allow list. JDBC connections to the FHIR DB Server
+- FHIR DB Server: PostgreSQL database for the FHIR App Server.
+- BPE App Server: The BPE App Server is executing BPMN 2.0 business processes with the included business process engine. Automatic BPMN service tasks are used for example to check resource, access the PDP- and MPI-servers as well as the MDAT repository. The calculation of record linkage bit vectors (Record Bloom Filters) is also performed using an automatic service task. As of version 0.3.0 the BPE server does not provide any webservices for modifying an server resources.
+- BPE DB Server: PostgreSQL database for the BPE App Server.
+- PDP: IHE Policy Decision Point for deciding on patient consent.
+- MDAT Repo: Repository (e.g. openEHR) for storing medical data (MDAT).
+- MPI: IHE Master Patient Index for storing identifying patient date (IDAT) e.g. first name, last name, date of birth.
+- Cohort Browser: Example for a system to trigger patient cohort size estimations across multiple organizations.
+
+More information on Client- and Server-Certificates are available on the dedicated wiki page: [Authentication: Client/Server Certificates](Authentication)
+
+## Additional Reverse Proxy in external DMZ
+In some organizations an additional reverse proxy in an external DMZ is needed. This can be accomplished by using for example nginx or haproxy as a TCP-Proxy. Example configurations routing traffic using SNI can be found below. Configuring an additional reverse proxy to terminate the incoming TLS connection early is not recommended.
+
+
+
+
+---
+
+## Feasibility
+Source: https://dsf.dev/explore/use-cases/feasibility.html
+
+::: warning Work in progress
+
+The use cases are being reworked and are currently a work in progress. Please check back later.
+:::
+
+## Overview
+Funded by the German Federal Ministry of Research and Education, 25 [sites](https://forschen-fuer-gesundheit.de/en/locations/) have installed the DSF to execute the [Feasibility](https://github.com/medizininformatik-initiative/feasibility-dsf-process/) process. To perform feasibility queries, a researcher can register and query data on the [FDPG (Forschungsdaten Portal für Gesundheit - Research Data Portal)](https://www.forschen-fuer-gesundheit.de/) website. Basic data of hospitalizations of over 8 million patients with over 40 million diagnoses and much more such as laboratory values or drug prescriptions are available. After a successful query, the data is made available in standardized FHIR format. Further information can be found in the [flyer](https://www.medizininformatik-initiative.de/sites/default/files/2023-05/20230509_TMF_Faltflyer_A4_digital.pdf).
+
+## The Feasibility Process
+Medical routine data holds great promise for advancing research, yet its integration into a research context poses significant challenges. To address this, Medical Data Integration Centers have been established, by the medical informatics initiative to consolidate data from primary information systems into a central repository. However, relying on data from only one organization is rarely sufficient to answer complex research questions, so merging data across institutional boundaries is necessary.
+
+To enable researchers to leverage this integrated data for specific research projects, there is a critical need for the ability to query cohort sizes across institutions. The [feasibility](https://github.com/medizininformatik-initiative/feasibility-dsf-process/) process allows researchers to conduct automated and distributed feasibility queries, i.e., cohort size estimates. This process is executed according to the open standard BPMN 2.0, the underlying process data model is based on HL7 FHIR R4 resources.
+
+## Technical Information
+- [DSF Middleware Setup](https://github.com/medizininformatik-initiative/feasibility-deploy/wiki/DSF-Middleware-Setup): The DSF middleware connects your site to the central platform. This allows it to receive feasibility query requests as well as reporting back any results of these queries.
+- [Feasibility Process](https://github.com/medizininformatik-initiative/feasibility-dsf-process/): Core Feasibility Process
+- [Feasibility Triangle](https://github.com/medizininformatik-initiative/feasibility-deploy/tree/main/feasibility-triangle): The Feasibility Triangle part of this repository provides a site (data integration center) with all the necessary components to set up in order to allow feasibility queries from the central feasibility portal.
+- [Data Transfer](https://github.com/medizininformatik-initiative/mii-dsf-processes/tree/main)
+- [Data extraction after successful feasibility query](https://github.com/medizininformatik-initiative/mii-dsf-processes/blob/main/mii-dsf-processes-docker-test-setup/README-Process-Projectathon-Data-Sharing.md)
+
+---
+
+## NUM (Network University Medicine)
+Source: https://dsf.dev/explore/use-cases/num.html
+
+::: warning Work in progress
+
+The use cases are being reworked and are currently a work in progress. Please check back later.
+:::
+
+The [Network University Medicine](https://www.netzwerk-universitaetsmedizin.de/) was established in April 2020 as part of the COVID-19 pandemic crisis management. The aim of the NUM is to better coordinate COVID-19 research at all 36 university hospitals in Germany.'
+::: center
+
+:::
+
+As part of the *[CODEX | COVID-19 Data Exchange Platform](https://www.netzwerk-universitaetsmedizin.de/projekte/codex#c599)* project, a nationwide, uniform, privacy-compliant infrastructure for storing and providing COVID-19 research datasets was established. Since 2022, the work continues within the project [NUM RDP](https://www.netzwerk-universitaetsmedizin.de/projekte/num-rdp). All 36 university hospitals have installed the DSF to share Covid-19 research data.
+
+### The Data Transfer Process
+The [Data Transfer Process](https://github.com/num-codex/codex-processes-ap1) is used in NUM CODEX to send data from a Data Integration Center (DIC), via the Gecco Transfer Hub (GTH), to the Central Research Repository (CRR). The infrastructure and communincation messages on which the process is based can be seen in the following figure. All organizations use the Data Sharing Framework (DSF) for deployment and execution of the process.
+
+
+
+More technical information can be found on [GitHub](https://github.com/num-codex/codex-processes-ap1/wiki/Process-Description-v1.0.0.0).
+
+---
+
+## Internal MII Data Sharing
+Source: https://dsf.dev/explore/use-cases/internal-mii-data-sharing.html
+
+## Video
+
+
+
+
+
+## References
+
+- https://github.com/medizininformatik-initiative/mii-process-data-sharing/wiki/Process-Data-Sharing-Start-v1.0.x.x#dic-prepare-kds-fhir-store-before-answering-a-manual-user-task
+- https://dsf.dev/sprechstunde
+
+---
+
+## Get Started
+Source: https://dsf.dev/operations/get-started.html
+
+
+
+---
+
+## Installation Guide
+Source: https://dsf.dev/operations/latest/install.html
+
+In the following installation manual we will show you how you can install your own DSF instance to be part of an already existing DSF network.
+
+
+## Prerequisites
+### Virtual Machines
+* DSF FHIR VM: min. 4 GB RAM, 4 vCPU, 100 GB HDD
+* DSF BPE VM: min. 8 GB RAM, 4 vCPU, 20 GB HDD
+
+If you plan to transfer a lot of large files, we recommend a larger FHIR VM disk for temporary storage (if your largest file to transfer is 200GB in size, we recommend a disk with a size of at least 1TB).
+
+Please make sure to use a CPU with a modern instruction set with crypto acceleration enabled. We saw large performance drops on systems with inadequate hardware.
+
+### Docker / Docker-Compose
+Both VMs need latest docker and docker compose. For the latest install guide see https://docs.docker.com/engine/install.
+
+```
+sudo apt-get update
+sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
+sudo systemctl enable docker.service
+sudo systemctl enable containerd.service
+```
+
+The current version of docker compose is installed with the current docker version.
+
+### Client/Server Certificates
+Two Certificates from a list of allowed certificate authorities (see [details about certificates](root-certificates.html)) are needed:
+* Certificate _A_: Server Certificate - `TLS Web Server Authentication`
+* Certificate _B_: Client Certificate - `TLS Web Client Authentication`
+
+If you use GÉANT TCS certificates, then they are configured by default with the necessary *X509v3 Extended Key Usage*s until the end of February 2026: `TLS Web Server Authentication, TLS Web Client Authentication`.
+
+For further details on supported Root Certificate Authorities click [here](root-certificates.html#list-of-default-trusted-certificate-authorities)
+
+
+### Network setup / Network access
+
+* The DSF FHIR server needs to be accessible via the internet and able to access the internet without TLS interception.
+* The BPE FHIR server should only be accessible by the internal network and able to access your DSF FHIR server via its external FQDN and the internet without TLS interception.
+
+Here is a quick overview of the expected network setup.
+
+| Source | Target | Port | Protocol |
+| ----------------------------- | ----------------------------- | ---- | ---------------------- |
+| DSF BPE (local) | DSF FHIR (local) | 443 | https, wss |
+| DSF BPE (local) | DSF FHIR (other DSF communication partners) | 443 | https |
+| DSF FHIR (local) | DSF FHIR (other DSF communication partners) | 443 | https (HTTP HEAD only) |
+| DSF BPE (other DSF communication partners) | DSF FHIR (local) | 443 | https |
+| DSF FHIR (other DSF communication partners) | DSF FHIR (local) | 443 | https (HTTP HEAD only) |
+
+ Connections to services that are used by process plugins (e.g. a fTTP, a terminology server, simplifier.net or a local FHIR server) are not listed. Please refer to the respective process plugin documentation pages for more information.
+
+
+
+## Setup
+### Prepare Certificates
+1. Server Certificate (certificate _A_)
+ _This certificate will be used as the DSF FHIR servers server certificate (ssl_certificate_file.pem, ssl_certificate_key_file.pem)_
+ * Store PEM encoded certificate as `ssl_certificate_file.pem`
+ * Store unencrypted, PEM encoded private-key as `ssl_certificate_key_file.pem`
+ * Store PEM encoded certificate chain (all intermediate CAs between the server and the root certificate, excluding root) as `ssl_certificate_chain_file.pem`
+
+1. Client Certificate (Certificate _B_)
+ _This certificate will be used as the DSF BPE servers client certificate (client_certificate.pem, client_certificate_private_key.pem) as well as the DSF FHIR servers client certificate (client_certificate.pem, client_certificate_private_key.pem)_
+ * Store PEM encoded certificate as `client_certificate.pem`
+ * Store encrypted or not encrypted, PEM encoded private-key as `client_certificate_private_key.pem`
+
+### DSF FHIR Server
+1. Add Group/User
+ Add group and user used by the DSF FHIR java application. Ubuntu compatible commands below:
+ ```
+ sudo groupadd --gid 2101 fhir
+ sudo useradd --system --no-create-home --uid 2101 --gid 2101 fhir
+ ```
+
+1. Download and Extract Config Files
+ Download and unpack the prepared DSF FHIR server config files and folder structure:
+ ```
+ cd /opt
+ wget https://dsf.dev/download/dsf_fhir_2_1_0.tar.gz
+ sudo tar --same-owner -zxvf dsf_fhir_2_1_0.tar.gz
+ ```
+ _The `tar` command will unpack the config files at `/opt/fhir` assuming you changed into the `/opt` directory._
+
+1. Verify that the `fhir` system user or group can write into the following folder
+ * `/opt/fhir/log`
+
+1. Add certificates and keys
+ * Add the server certificate (certificate _A_), the corresponding private-key and the certificate chain (one file with all intermediate certificates, excluding the root CA) to **/opt/fhir/secrets/**
+ * ssl_certificate_file.pem (chmod: 440, chown: root:4101, 4101 is the user of the fhir proxy)
+ * ssl_certificate_key_file.pem (chmod: 440, chown: root:4101)
+ * ssl_certificate_chain_file.pem (chmod: 444, chown: root:fhir)
+ * Add the client certificate (Certificate _B_) and the corresponding private-key to **/opt/fhir/secrets/**
+ * client_certificate.pem (chmod: 440, chown: root:fhir)
+ * client_certificate_private_key.pem (chmod: 440, chown: root:fhir)
+ * If the private key is encrypted, add a password file with the password as the only content to **/opt/fhir/secrets/client_certificate_private_key.pem.password**
+ * If the private key is not encrypted, remove the corresponding docker secret lines from the `docker-compose.yml` file
+ ```
+ L37: - app_client_certificate_private_key.pem.password
+ ...
+ L50: DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE: /run/secrets/app_client_certificate_private_key.pem.password
+ ...
+ L108: app_client_certificate_private_key.pem.password:
+ L109: file: ./secrets/client_certificate_private_key.pem.password
+ ```
+
+ ::: tip How to chmod / chown
+ For the example *ssl_certificate_file.pem (chmod: 440, chown: root:4101)* you must:
+
+ 1. Set the file content as requested
+ 2. Change the file permissions to 440 (allow read access to the owner of the file and the group the file belongs to, deny write access to everybody and deny read for other users):
+ `chmod 440 /opt/fhir/secrets/ssl_certificate_file.pem`
+ 3. Change the owner of the file to the user root and the group the file belongs to to the id 4101:
+ `chown fhir:docker /opt/fhir/secrets/ssl_certificate_file.pem`
+
+ :::
+
+1. Modify database passwords
+ * **/opt/fhir/secrets/db_liquibase.password**
+ * Generate a random password (min. 32 characters recommended) and replace the content of the file.
+ * **/opt/fhir/secrets/db_user.password**
+ * Generate a random password (min. 16 characters recommended) and replace the content of the file.
+ * **/opt/fhir/secrets/db_user_permanent_delete.password**
+ * Generate a random password (min. 16 characters recommended) and replace the content of the file.
+
+1. Modify the docker-compose.yml file and set environment variables to the appropriate values
+ * **services -> proxy -> environment:**
+ * **HTTPS_SERVER_NAME_PORT**: `dsf.todo.organization.com:443`
+ Set your FHIR servers external FQDN, e.g. `https://foo.bar.de` -> `foo.bar.de:443`
+ * For additional environment variables, see the FHIR Reverse Proxy [Configuration Parameters](fhir-reverse-proxy/configuration) page.
+ * **services -> app -> environment:**
+ * **DEV_DSF_FHIR_SERVER_ORGANIZATION_IDENTIFIER_VALUE**: `todo.organization.com`
+ Set your Organizations DSF identifier, aka the shortest FQDN that resolves to the main homepage of the organization, e.g. `hs-heilbronn.de`
+ * **DEV_DSF_FHIR_SERVER_BASE_URL**: `https://dsf.todo.organization.com/fhir`
+ Set your FHIR servers external FQDN, e.g. `foo.bar.de` -> `https://foo.bar.de/fhir`
+ * **DEV_DSF_FHIR_SERVER_ROLECONFIG**: `|`
+ (Optional) You can add other client certificates (e.g. personal certificates from admins) to your DSF instance. For additional information, see the FHIR server [Access Control](fhir/access-control) page.
+
+ * For additional environment variables, see the FHIR server [Configuration Parameters](fhir/configuration) page.
+
+1. Start the DSF FHIR Server
+ Start using: `docker compose up -d && docker compose logs -f` (Ctrl-C will close log, but not stop container)
+
+### DSF BPE Server
+1. Add Group/User
+ Add group and user used by the DSF BPE java application. Ubuntu compatible commands below:
+ ```
+ sudo groupadd --gid 2202 bpe
+ sudo useradd --system --no-create-home --uid 2202 --gid 2202 bpe
+ ```
+1. Download and Extract Config Files
+ Download and extract prepared DSF BPE server config files and folder structure:
+ ```
+ cd /opt
+ wget https://dsf.dev/download/dsf_bpe_2_1_0.tar.gz
+ sudo tar --same-owner -zxvf dsf_bpe_2_1_0.tar.gz
+ ```
+ _The `tar` command will unpack the config files at `/opt/bpe` assuming you changed into the `/opt` directory._
+
+1. Verify that the `bpe` system user or group can write into the following folders
+ * `/opt/bpe/log`
+
+1. Add certificates and keys
+ * Add the client certificate (Certificate _B_) and the corresponding private-key to **/opt/bpe/secrets/**
+ * client_certificate.pem (chmod: 440 chown: root:bpe)
+ * client_certificate_private_key.pem (chmod: 440 chown: root:bpe)
+ * If the private key is encrypted, add a password file with the password as the only content to **/opt/bpe/secrets/client_certificate_private_key.pem.password**
+ * If the private key is not encrypted, remove the corresponding docker secret lines from the `docker-compose.yml` file
+ ```
+ L11: - app_client_certificate_private_key.pem.password
+ ...
+ L31: DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE: /run/secrets/app_client_certificate_private_key.pem.password
+ ...
+ L82: app_client_certificate_private_key.pem.password:
+ L83: file: ./secrets/client_certificate_private_key.pem.password
+ ```
+1. Modify database passwords
+ * **/opt/bpe/secrets/db_liquibase.password**
+ * Generate a random password (min. 32 characters recommended) and replace the content of the file.
+ * **/opt/bpe/secrets/db_user.password**
+ * Generate a random password (min. 16 characters recommended) and replace the content of the file.
+ * **/opt/bpe/secrets/db_user_camunda.password**
+ * Generate a random password (min. 16 characters recommended) and replace the content of the file.
+
+1. Modify the docker-compose.yml file and set environment variables to the appropriate values
+ * **services -> app -> environment:**
+ * **DEV_DSF_BPE_FHIR_SERVER_BASE_URL**: `https://dsf.todo.organization.com/fhir`
+ Set your FHIR servers external FQDN, e.g. `foo.bar.de` -> `https://foo.bar.de/fhir`
+
+ * For additional environment variables, see the BPE server [Configuration Parameters](bpe/configuration) page.
+
+1. Start the DSF BPE Server (without process plugins)
+ Start using: `docker compose up -d && docker compose logs -f` (Ctrl-C will close log, but not stop container)
+
+1. Verify DSF BPE Startup
+ * Check that the BPE was able to download new Task resources from the DSF FHIR server during startup.
+ * Check that the BPE was able to download a Subscription resource from the DSF FHIR server during startup.
+ * Check that the BPE was able to connect to the websocket endpoint of the DSF FHIR server during startup.
+
+ If you need to debug the TLS connection to your DSF FHIR server use for example:
+ `docker run -it --rm alpine/openssl s_client your-fhir-server.fqdn:443`
+ The command above should print the server certificate of your DSF FHIR server (certificate _A_) and end with a message like `[...]tlsv13 alert certificate required[...]`
+
+
+### Logs
+By default, we will log both to the console (collected by docker) and to files in the log directory, so you can use `docker compose logs -f` in `/opt/bpe` and `/opt/fhir` to view informational, warning and error logs. If you encounter any error and the reported information is not detailed enough, you can also check the logs in the `/opt/fhir/log` and `/opt/bpe/log` directories with debugging logs. There, you will also find older log files. If you have any questions and can't resolve them by yourself please always include the latest logs from `/opt/fhir/log` and `/opt/bpe/log` in your support request.
+
+On a successful BPE start, you should see the following entries in your BPE log:
+
+```
+INFO Grizzly(1) - INFO Grizzly(1) - ClientEndpoint.onOpen(37) | Websocket open, session SOME_RANDOM_UUID1
+INFO Grizzly(1) - INFO Grizzly(1) - ClientEndpoint.onOpen(37) | Websocket open, session SOME_RANDOM_UUID2
+```
+
+### On-Boarding
+Please visit the on boarding website of your network for more information.
+
+::: tip Ideas for improvement?
+Have you found an error or is something unclear to you? Then please feel free to write to us at dsf-gecko@hs-heilbronn.de. Thank you very much!
+:::
+
+---
+
+## Release Notes
+Source: https://dsf.dev/operations/latest/release-notes.html
+
+## [Release Notes for v2.1.0](https://github.com/datasharingframework/dsf/releases/tag/v2.1.0)
+
+::: tip Release Notes
+You can access all release notes on our [GitHub](https://github.com/datasharingframework/dsf/releases).
+:::
+
+### 2.1.0 - Security and Performance
+General remarks:
+
+- This is a feature update for DSF 2.x with security and performance improvements.
+- To Update from an existing 2.x installation, please see the [2.x -> 2.1.0 Upgrade Guide](https://dsf.dev/operations/v2.1.0/upgrade-from-2.html).
+- For a fresh deployment, follow the [installation instructions](https://dsf.dev/operations/v2.1.0/install.html).
+
+Security Advisories:
+- Missing Session Timeout for OIDC Sessions: [GHSA-gj7p-595x-qwf5](https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5)
+- Inverted Time Comparison in OIDC JWKS and Token Cache: [GHSA-xmj9-7625-f634](https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634)
+
+Bug Fixes:
+- In previous versions starting processes via the FHIR server front-end failed, if `Task` resources used input parameter codes (`Task.input.type`) that were substrings of other input parameter codes ([#442](https://github.com/datasharingframework/dsf/issues/442)). The front-end code was fixed to handle these edge-cases.
+- Process instances started with DSF 1.x failed to continue on DSF 2.x ([#438](https://github.com/datasharingframework/dsf/issues/438)). Fallback code was added to correctly read the old DSF 1.x Task process variables.
+- A configuration error in the `DsfClient` used by v2 process plugins via the [FHIR client connections API](https://dsf.dev/operations/v2.1.0/bpe/fhir-client-connections.html) resulted in bearer tokens and basic authentication credentials not being send ([#432](https://github.com/datasharingframework/dsf/issues/432)). The feature registration order was fixed to send authentication credentials in the `DsfClient` implementation.
+
+Feature Summary:
+- An identifier constraint rule was added to the `Task` base profile http://dsf.dev/fhir/StructureDefinition/task for resources with status `draft`. The constraint adds a rule to the base profile that was previously only enforced via the [TaskAuthorizationRule](https://github.com/datasharingframework/dsf/blob/main/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/authorization/TaskAuthorizationRule.java#L357).
+- The DSF FHIR server front-end was improved to display the `Binary` resource content inline. This feature is enabled for `Binary` resources with content-types: `text/html` and `text/plain`.
+- The performance of allow-list and other bundle executions was improved by modifying the database schema and optimizing the FHIR server code base. A new `current` column was added to resource tables together with a number of new database indexes. A "not found" cache was added for metadata resources to reduce unnecessary database calls.
+- Other security improvements were implemented and are detailed in the [DSF 2.1.0 hardening measures](https://dsf.dev/operations/v2.1.0/hardening-measures.html) document.
+- Starting with this release our docker images are cryptographically signed. Take a look at the [Verify Image Signatures](https://dsf.dev/operations/latest/image-verification.html) document for details.
+
+Docker images for this release can be accessed via the GitHub Docker registry - ghcr.io:
+* **bpe**: [ghcr.io/datasharingframework/bpe:2.1.0](https://github.com/datasharingframework/dsf/pkgs/container/bpe/796016761?tag=2.1.0)
+ Digest: sha256:3ee7ef0ac201fc3776273fbfc2569bdc4edf724a2bb9f1b4a889eb7e13ff4049
+* **bpe_proxy**: [ghcr.io/datasharingframework/bpe_proxy:2.1.0](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy/796013677?tag=2.1.0)
+ Digest: sha256:c67da4a1720ea75a383764db2bf25619fe70f57773b1069029f5b49588eb1ecc
+* **fhir**: [ghcr.io/datasharingframework/fhir:2.1.0](https://github.com/datasharingframework/dsf/pkgs/container/fhir/796016727?tag=2.1.0)
+ Digest: sha256:71599af143f0262a7265aa2bc4ea5a9660f11de6248a053e060b5667070203fd
+* **fhir_proxy**: [ghcr.io/datasharingframework/fhir_proxy:2.1.0](https://github.com/datasharingframework/dsf/pkgs/container/fhir_proxy/796013880?tag=2.1.0)
+ Digest: sha256:9f11a3580c970314532f5951808be6fe72f1de7d53348e625d2dd0c95bcf1d96
+
+Process Plugin API v1 on Maven Central:
+```xml
+
+ dev.dsf
+ dsf-bpe-process-api-v1
+ 2.1.0
+
+```
+Process Plugin API v2 on Maven Central:
+```xml
+
+ dev.dsf
+ dsf-bpe-process-api-v2
+ 2.1.0
+
+```
+DSF Maven Plugin on Maven Central:
+```xml
+
+ dev.dsf
+ dsf-maven-plugin
+ 2.1.0
+
+```
+
+Issues closed:
+- Security Improvements / Defense-in-Depth [#453](https://github.com/datasharingframework/dsf/issues/453)
+- Upgrade Dependencies [#448](https://github.com/datasharingframework/dsf/issues/448)
+- Improve Allow-List Bundle Execution Performance [#443](https://github.com/datasharingframework/dsf/issues/443)
+- Form.js builds invalid Task resource when submitting form [#442](https://github.com/datasharingframework/dsf/issues/442)
+- Add Identifier Constraint to Task Profile [#440](https://github.com/datasharingframework/dsf/issues/440)
+- Process Instances from DSF 1.x Fail to Continue on DSF 2.x [#438](https://github.com/datasharingframework/dsf/issues/438)
+- Start New Development Cycle [#435](https://github.com/datasharingframework/dsf/issues/435)
+- Automate Docker Image Builds and Maven Central Deploys [#434](https://github.com/datasharingframework/dsf/issues/434)
+- ClientConfig in DsfClientJersey overwrites Authentication Features [#432](https://github.com/datasharingframework/dsf/issues/432)
+
+This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@hhund](https://github.com/hhund), [@jaboehri](https://github.com/jaboehri), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
+
+---
+
+## FHIR Server Configuration
+Source: https://dsf.dev/operations/latest/fhir/configuration.html
+
+### DEV_DSF_FHIR_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.fhir.client.certificate
+- **Required:** Yes
+- **Description:** PEM encoded file with local client certificate for https connections to remote DSF FHIR servers
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/app_client_certificate.pem`
+
+
+### DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.fhir.client.certificate.private.key
+- **Required:** Yes
+- **Description:** Private key corresponding to the local client certificate as PEM encoded file. Use *DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/app_client_certificate_private_key.pem`
+
+
+### DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.fhir.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the local client certificate encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/app_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_FHIR_CLIENT_TIMEOUT_CONNECT
+- **Property:** dev.dsf.fhir.client.timeout.connect
+- **Required:** No
+- **Description:** Timeout until a connection is established between this DSF FHIR server and a remote DSF FHIR server
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT2S`
+
+
+### DEV_DSF_FHIR_CLIENT_TIMEOUT_READ
+- **Property:** dev.dsf.fhir.client.timeout.read
+- **Required:** No
+- **Description:** Timeout until a reading a resource from a remote DSF FHIR server is aborted
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT10S`
+
+
+### DEV_DSF_FHIR_CLIENT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.fhir.client.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to remote DSF FHIR servers
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_FHIR_CLIENT_VERBOSE
+- **Property:** dev.dsf.fhir.client.verbose
+- **Required:** No
+- **Description:** To enable verbose logging of requests to and replies from remote DSF FHIR servers, set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_DB_LIQUIBASE_FORCEUNLOCK
+- **Property:** dev.dsf.fhir.db.liquibase.forceUnlock
+- **Required:** No
+- **Description:** To force liquibase to unlock the migration lock set to `true`
+- **Recommendation:** Only use this option temporarily to unlock a stuck DB migration step
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_DB_LIQUIBASE_LOCKWAITTIME
+- **Property:** dev.dsf.fhir.db.liquibase.lockWaitTime
+- **Required:** No
+- **Description:** Liquibase change lock wait time in minutes, default 2 minutes
+- **Default:** `2`
+
+
+### DEV_DSF_FHIR_DB_LIQUIBASE_PASSWORD or DEV_DSF_FHIR_DB_LIQUIBASE_PASSWORD_FILE
+- **Property:** dev.dsf.fhir.db.liquibase.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF FHIR server to execute database migrations
+- **Recommendation:** Use docker secret file to configure by using *DEV_DSF_FHIR_DB_LIQUIBASE_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_liquibase.password`
+
+
+### DEV_DSF_FHIR_DB_LIQUIBASE_USERNAME
+- **Property:** dev.dsf.fhir.db.liquibase.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF FHIR server to execute database migrations
+- **Default:** `liquibase_user`
+
+
+### DEV_DSF_FHIR_DB_URL
+- **Property:** dev.dsf.fhir.db.url
+- **Required:** Yes
+- **Description:** Address of the database used for the DSF FHIR server
+- **Recommendation:** Change only if you don't use the provided docker-compose from the installation guide or made changes to the database settings/networking in the docker-compose
+- **Example:** `jdbc:postgresql://db/fhir`
+
+
+### DEV_DSF_FHIR_DB_USER_GROUP
+- **Property:** dev.dsf.fhir.db.user.group
+- **Required:** No
+- **Description:** Name of the user group to access the database from the DSF FHIR server
+- **Default:** `fhir_users`
+
+
+### DEV_DSF_FHIR_DB_USER_PASSWORD or DEV_DSF_FHIR_DB_USER_PASSWORD_FILE
+- **Property:** dev.dsf.fhir.db.user.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF FHIR server
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_FHIR_DB_USER_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_user.password`
+
+
+### DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_GROUP
+- **Property:** dev.dsf.fhir.db.user.permanent.delete.group
+- **Required:** No
+- **Description:** Name of the user group to access the database from the DSF FHIR server for permanent deletes
+- **Default:** `fhir_permanent_delete_users`
+
+
+### DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_PASSWORD or DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_PASSWORD_FILE
+- **Property:** dev.dsf.fhir.db.user.permanent.delete.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF FHIR server for permanent deletes
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_user_permanent_delete.password`
+
+
+### DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_USERNAME
+- **Property:** dev.dsf.fhir.db.user.permanent.delete.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF FHIR server for permanent deletes
+- **Recommendation:** Use a different user then *DEV_DSF_FHIR_DB_USER_USERNAME*
+- **Default:** `fhir_server_permanent_delete_user`
+
+
+### DEV_DSF_FHIR_DB_USER_USERNAME
+- **Property:** dev.dsf.fhir.db.user.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF FHIR server
+- **Default:** `fhir_server_user`
+
+
+### DEV_DSF_FHIR_DEBUG_LOG_MESSAGE_CURRENTUSER
+- **Property:** dev.dsf.fhir.debug.log.message.currentUser
+- **Required:** No
+- **Description:** To enable logging of the currently requesting user set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_DEBUG_LOG_MESSAGE_DBSTATEMENT
+- **Property:** dev.dsf.fhir.debug.log.message.dbStatement
+- **Required:** No
+- **Description:** To enable logging of DB queries set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_DEBUG_LOG_MESSAGE_WEBSERVICEREQUEST
+- **Property:** dev.dsf.fhir.debug.log.message.webserviceRequest
+- **Required:** No
+- **Description:** To enable logging of webservices requests set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_SERVER_BASE_URL
+- **Property:** dev.dsf.fhir.server.base.url
+- **Required:** Yes
+- **Description:** Base address of this DSF FHIR server to read/store fhir resources
+- **Example:** `https://foo.bar/fhir`
+
+
+### DEV_DSF_FHIR_SERVER_INIT_BUNDLE
+- **Property:** dev.dsf.fhir.server.init.bundle
+- **Required:** No
+- **Description:** Fhir bundle containing the initial Allow-List, loaded on startup of the DSF FHIR server
+- **Recommendation:** Change only if you don't use the provided files from the installation guide, have local changes in the Allow-List or received an Allow-List from another source
+- **Default:** `conf/bundle.xml`
+
+
+### DEV_DSF_FHIR_SERVER_ORGANIZATION_IDENTIFIER_VALUE
+- **Property:** dev.dsf.fhir.server.organization.identifier.value
+- **Required:** Yes
+- **Description:** Local identifier value used in the Allow-List
+- **Recommendation:** By convention: The shortest possible FQDN that resolve the homepage of the organization
+- **Example:** `hospital.com`
+
+
+### DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT
+- **Property:** dev.dsf.fhir.server.organization.thumbprint
+- **Required:** No
+- **Description:** The SHA-512 thumbprint of the local organization client certificate; will be calculated on startup based on the client certificate specified via *DEV_DSF_FHIR_CLIENT_CERTIFICATE*
+- **Recommendation:** Do not specify this variable when using the same client certificate for the FHIR and BPE server; the thumbprint can be calculated via `certtool --fingerprint --hash=sha512 --infile=client_certificate.pem`
+
+
+### DEV_DSF_FHIR_SERVER_PAGE_COUNT
+- **Property:** dev.dsf.fhir.server.page.count
+- **Required:** No
+- **Description:** Page size returned by the DSF FHIR server when reading/searching fhir resources
+- **Default:** `20`
+
+
+### DEV_DSF_FHIR_SERVER_ROLECONFIG
+- **Property:** dev.dsf.fhir.server.roleConfig
+- **Required:** No
+- **Description:** Role config YAML as defined in [FHIR Server: Access Control](access-control)
+
+
+### DEV_DSF_FHIR_SERVER_STATIC_RESOURCE_CACHE
+- **Property:** dev.dsf.fhir.server.static.resource.cache
+- **Required:** No
+- **Description:** To disable static resource caching, set to `false`
+- **Recommendation:** Only set to `false` for development
+- **Default:** `true`
+
+
+### DEV_DSF_FHIR_SERVER_UI_THEME
+- **Property:** dev.dsf.fhir.server.ui.theme
+- **Required:** No
+- **Description:** UI theme parameter, adds a color indicator to the ui to distinguish `dev`, `test` and `prod` environments if configured; supported values: `dev`, `test` and `prod`
+
+
+### DEV_DSF_LOG_AUDIT_CONSOLE_ERR_ENABLED
+- **Property:** dev.dsf.log.audit.console.err.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console err output of the audit logger
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_AUDIT_CONSOLE_ERR_STYLE
+- **Property:** dev.dsf.log.audit.console.err.style
+- **Required:** No
+- **Description:** Audit logger console err style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `STYLE_TEXT`
+
+
+### DEV_DSF_LOG_AUDIT_CONSOLE_OUT_ENABLED
+- **Property:** dev.dsf.log.audit.console.out.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console out output of the audit logger
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_AUDIT_CONSOLE_OUT_STYLE
+- **Property:** dev.dsf.log.audit.console.out.style
+- **Required:** No
+- **Description:** Audit logger console out style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `STYLE_TEXT`
+
+
+### DEV_DSF_LOG_AUDIT_FILE_ENABLED
+- **Property:** dev.dsf.log.audit.file.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable log file output of the audit logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_AUDIT_FILE_STYLE
+- **Property:** dev.dsf.log.audit.file.style
+- **Required:** No
+- **Description:** Audit logger file style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT_MDC`
+
+
+### DEV_DSF_LOG_CONFIG
+- **Property:** dev.dsf.log.config
+- **Required:** No
+- **Description:** Location of a log4j configuration xml file; if file is readable, overrides configuration specified via *DEV_DSF_LOG_...* parameters
+- **Default:** `conf/log4j2.xml`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_ENABLED
+- **Property:** dev.dsf.log.console.err.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console err output of the standard logger
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_LEVEL
+- **Property:** dev.dsf.log.console.err.level
+- **Required:** No
+- **Description:** Standard logger console err output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `INFO`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_STYLE
+- **Property:** dev.dsf.log.console.err.style
+- **Required:** No
+- **Description:** Standard logger console err output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`, `TEXT_COLOR_MDC`, `TEXT_COLOR`
+- **Default:** `TEXT_COLOR`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_ENABLED
+- **Property:** dev.dsf.log.console.out.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable console out output of the standard logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_LEVEL
+- **Property:** dev.dsf.log.console.out.level
+- **Required:** No
+- **Description:** Standard logger console out output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `INFO`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_STYLE
+- **Property:** dev.dsf.log.console.out.style
+- **Required:** No
+- **Description:** Standard logger console out output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`, `TEXT_COLOR_MDC`, `TEXT_COLOR`
+- **Default:** `TEXT_COLOR`
+
+
+### DEV_DSF_LOG_FILE_ENABLED
+- **Property:** dev.dsf.log.file.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable log file output of the standard logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_FILE_LEVEL
+- **Property:** dev.dsf.log.file.level
+- **Required:** No
+- **Description:** Standard logger log file output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `DEBUG`
+
+
+### DEV_DSF_LOG_FILE_STYLE
+- **Property:** dev.dsf.log.file.style
+- **Required:** No
+- **Description:** Standard logger log file output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT_MDC`
+
+
+### DEV_DSF_LOG_MIN_LEVEL_LOGGERS
+- **Property:** dev.dsf.log.min.level.loggers
+- **Required:** No
+- **Description:** List of logger names that are enabled to produce log output with the minimal configured log level from `DEV_DSF_LOG_CONSOLE_OUT_LEVEL`, `DEV_DSF_LOG_CONSOLE_ERR_LEVEL` and `DEV_DSF_LOG_FILE_LEVEL`
+- **Default:** `dev.dsf`
+
+
+### DEV_DSF_PROXY_NOPROXY
+- **Property:** dev.dsf.proxy.noProxy
+- **Required:** No
+- **Description:** Forward proxy no-proxy list, entries will match exactly or against (one level) sub-domains, if no port is specified - all ports are matched; comma or space separated list, YAML block scalars supported
+- **Example:** `foo.bar, test.com:8080`
+
+
+### DEV_DSF_PROXY_PASSWORD or DEV_DSF_PROXY_PASSWORD_FILE
+- **Property:** dev.dsf.proxy.password
+- **Required:** No
+- **Description:** Forward Proxy password
+- **Recommendation:** Configure password if proxy requires authentication, use docker secret file to configure using *DEV_DSF_PROXY_PASSWORD_FILE*
+
+
+### DEV_DSF_PROXY_URL
+- **Property:** dev.dsf.proxy.url
+- **Required:** No
+- **Description:** Forward (http/https) proxy url, use *DEV_DSF_BPE_PROXY_NOPROXY* to list domains that do not require a forward proxy
+- **Example:** `http://proxy.foo:8080`
+
+
+### DEV_DSF_PROXY_USERNAME
+- **Property:** dev.dsf.proxy.username
+- **Required:** No
+- **Description:** Forward proxy username
+- **Recommendation:** Configure username if proxy requires authentication
+
+
+### DEV_DSF_SERVER_API_HOST
+- **Property:** dev.dsf.server.api.host
+- **Required:** No
+- **Description:** API connector host, default in docker image: `0.0.0.0`
+- **Default:** `127.0.0.1`
+
+
+### DEV_DSF_SERVER_API_PORT
+- **Property:** dev.dsf.server.api.port
+- **Required:** No
+- **Description:** API connector port, default in docker image: `8080`
+
+
+### DEV_DSF_SERVER_AUTH_CLIENT_CERTIFICATE_HEADER
+- **Property:** dev.dsf.server.auth.client.certificate.header
+- **Required:** No
+- **Description:** Name of HTTP header with client certificate from reverse proxy
+- **Default:** `X-ClientCert`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW
+- **Property:** dev.dsf.server.auth.oidc.authorization.code.flow
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC authorization code flow
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL*, *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET* or *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT
+- **Property:** dev.dsf.server.auth.oidc.back.channel.logout
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC back-channel logout
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* to be set to `true` (enabled), *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH
+- **Property:** dev.dsf.server.auth.oidc.back.channel.logout.path
+- **Required:** No
+- **Description:** Path called by the OIDC provide to request back-channel logout
+- **Default:** `/back-channel-logout`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN
+- **Property:** dev.dsf.server.auth.oidc.bearer.token
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC bearer token authentication
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN_AUDIENCE
+- **Property:** dev.dsf.server.auth.oidc.bearer.token.audience
+- **Required:** No
+- **Description:** Audience (aud) value to verify before accepting OIDC bearer tokens, uses value from `DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID` by default, set blank string e.g. `''` to disable
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified and *DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN* set tor `true`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID
+- **Property:** dev.dsf.server.auth.oidc.client.id
+- **Required:** No
+- **Description:** OIDC provider client_id, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET or DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE
+- **Property:** dev.dsf.server.auth.oidc.client.secret
+- **Required:** No
+- **Description:** OIDC provider client_secret, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CACHE_TIMEOUT_CONFIGURATION_RESOURCE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource
+- **Required:** No
+- **Description:** OIDC provider client cache timeout of the 'openid-configuration' discovery resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CACHE_TIMEOUT_JWKS_RESOURCE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource
+- **Required:** No
+- **Description:** OIDC provider client cache timeout of the jwks resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate
+- **Required:** No
+- **Description:** PEM encoded file with client certificate for https connections to the OIDC provider
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_client_certificate.pem`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate.private.key
+- **Required:** No
+- **Description:** Private key corresponding to the client certificate for the OIDC provider as PEM encoded file. Use *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_client_certificate_private_key.pem`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the client certificate for the OIDC provider encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/oidc_provider_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TIMEOUT_CONNECT
+- **Property:** dev.dsf.server.auth.oidc.provider.client.timeout.connect
+- **Required:** No
+- **Description:** OIDC provider client connect timeout
+- **Default:** `PT5S`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TIMEOUT_READ
+- **Property:** dev.dsf.server.auth.oidc.provider.client.timeout.read
+- **Required:** No
+- **Description:** OIDC provider client read timeout
+- **Default:** `PT30S`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.server.auth.oidc.provider.client.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to the OIDC provider
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_DISCOVERY_PATH
+- **Property:** dev.dsf.server.auth.oidc.provider.discovery.path
+- **Required:** No
+- **Description:** OIDC provider discovery path
+- **Default:** `/.well-known/openid-configuration`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL
+- **Property:** dev.dsf.server.auth.oidc.provider.realm.base.url
+- **Required:** No
+- **Description:** OIDC provider realm base url
+- **Example:** `https://keycloak.test.com:8443/realms/example-realm-name`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_SESSION_TIMEOUT
+- **Property:** dev.dsf.server.auth.oidc.session.timeout
+- **Required:** No
+- **Description:** Maximum inactivity period after which the server session for OIDC logins is invalidated; the access token may expire earlier, resulting in earlier session invalidation
+- **Default:** `PT30M`
+
+
+### DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS
+- **Property:** dev.dsf.server.auth.trust.client.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted full CA chains to validate client certificates for https connections from local and remote clients
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/client_ca_chains`
+
+
+### DEV_DSF_SERVER_CERTIFICATE
+- **Property:** dev.dsf.server.certificate
+- **Required:** No
+- **Description:** Server certificate file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_CHAIN
+- **Property:** dev.dsf.server.certificate.chain
+- **Required:** No
+- **Description:** Server certificate chain file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_KEY
+- **Property:** dev.dsf.server.certificate.key
+- **Required:** No
+- **Description:** Server certificate private key file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_KEY_PASSWORD or DEV_DSF_SERVER_CERTIFICATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.server.certificate.key.password
+- **Required:** No
+- **Description:** Server certificate private key file password for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CONTEXT_PATH
+- **Property:** dev.dsf.server.context.path
+- **Required:** No
+- **Description:** Web application context path, default in `bpe` docker image: `/bpe`, default in `fhir` docker image: `/fhir`
+- **Recommendation:** Only modify for testing
+
+
+### DEV_DSF_SERVER_STATUS_HOST
+- **Property:** dev.dsf.server.status.host
+- **Required:** No
+- **Description:** Status connector host
+- **Default:** `127.0.0.1`
+
+
+### DEV_DSF_SERVER_STATUS_PORT
+- **Property:** dev.dsf.server.status.port
+- **Required:** No
+- **Description:** Status connector port, default in docker image: `10000`
+
+---
+
+## BPE Configuration
+Source: https://dsf.dev/operations/latest/bpe/configuration.html
+
+### DEV_DSF_BPE_DB_LIQUIBASE_FORCEUNLOCK
+- **Property:** dev.dsf.bpe.db.liquibase.forceUnlock
+- **Required:** No
+- **Description:** To force liquibase to unlock the migration lock set to `true`
+- **Recommendation:** Only use this option temporarily to unlock a stuck DB migration step
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DB_LIQUIBASE_LOCKWAITTIME
+- **Property:** dev.dsf.bpe.db.liquibase.lockWaitTime
+- **Required:** No
+- **Description:** Liquibase change lock wait time in minutes, default 2 minutes
+- **Default:** `2`
+
+
+### DEV_DSF_BPE_DB_LIQUIBASE_PASSWORD or DEV_DSF_BPE_DB_LIQUIBASE_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.db.liquibase.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF BPE server to execute database migrations
+- **Recommendation:** Use docker secret file to configure by using *DEV_DSF_BPE_DB_LIQUIBASE_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_liquibase.password`
+
+
+### DEV_DSF_BPE_DB_LIQUIBASE_USERNAME
+- **Property:** dev.dsf.bpe.db.liquibase.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF BPE server to execute database migrations
+- **Default:** `liquibase_user`
+
+
+### DEV_DSF_BPE_DB_URL
+- **Property:** dev.dsf.bpe.db.url
+- **Required:** Yes
+- **Description:** Address of the database used for the DSF BPE server
+- **Recommendation:** Change only if you don't use the provided docker-compose from the installation guide or made changes to the database settings/networking in the docker-compose
+- **Example:** `jdbc:postgresql://db/bpe`
+
+
+### DEV_DSF_BPE_DB_USER_ENGINE_GROUP
+- **Property:** dev.dsf.bpe.db.user.engine.group
+- **Required:** No
+- **Description:** Name of the user group to access the database from the DSF BPE server workflow engine
+- **Default:** `bpe_engine_users`
+
+
+### DEV_DSF_BPE_DB_USER_ENGINE_PASSWORD or DEV_DSF_BPE_DB_USER_ENGINE_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.db.user.engine.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF BPE server workflow engine
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_DB_USER_ENGINE_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_user_engine.password`
+
+
+### DEV_DSF_BPE_DB_USER_ENGINE_USERNAME
+- **Property:** dev.dsf.bpe.db.user.engine.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF BPE server workflow engine
+- **Recommendation:** Use a different user then in *DEV_DSF_BPE_DB_USER_USERNAME*
+- **Default:** `bpe_server_engine_user`
+
+
+### DEV_DSF_BPE_DB_USER_GROUP
+- **Property:** dev.dsf.bpe.db.user.group
+- **Required:** No
+- **Description:** Name of the user group to access the database from the DSF BPE server
+- **Default:** `bpe_users`
+
+
+### DEV_DSF_BPE_DB_USER_PASSWORD or DEV_DSF_BPE_DB_USER_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.db.user.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF BPE server
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_DB_USER_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_user.password`
+
+
+### DEV_DSF_BPE_DB_USER_USERNAME
+- **Property:** dev.dsf.bpe.db.user.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF BPE server
+- **Default:** `bpe_server_user`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_CURRENTUSER
+- **Property:** dev.dsf.bpe.debug.log.message.currentUser
+- **Required:** No
+- **Description:** To enable logging of the currently requesting user set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_DBSTATEMENT
+- **Property:** dev.dsf.bpe.debug.log.message.dbStatement
+- **Required:** No
+- **Description:** To enable logging of DB queries set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_ONACTIVITYEND
+- **Property:** dev.dsf.bpe.debug.log.message.onActivityEnd
+- **Required:** No
+- **Description:** To enable debug log messages for every bpmn activity end, set to `true`
+- **Recommendation:** This debug function should only be activated during process plugin development
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_ONACTIVITYSTART
+- **Property:** dev.dsf.bpe.debug.log.message.onActivityStart
+- **Required:** No
+- **Description:** To enable debug log messages for every bpmn activity start, set to `true`
+- **Recommendation:** This debug function should only be activated during process plugin development
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_VARIABLES
+- **Property:** dev.dsf.bpe.debug.log.message.variables
+- **Required:** No
+- **Description:** To enable logging of bpmn variables for every bpmn activity start or end, when logging of these events is enabled, set to `true`
+- **Recommendation:** This debug function should only be activated during process plugin development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_VARIABLESLOCAL
+- **Property:** dev.dsf.bpe.debug.log.message.variablesLocal
+- **Required:** No
+- **Description:** To enable logging of local bpmn variables for every bpmn activity start or end, when logging of these events is enabled, set to `true`
+- **Recommendation:** This debug function should only be activated during process plugin development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_WEBSERVICEREQUEST
+- **Property:** dev.dsf.bpe.debug.log.message.webserviceRequest
+- **Required:** No
+- **Description:** To enable logging of webservices requests set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.bpe.fhir.client.certificate
+- **Required:** Yes
+- **Description:** PEM encoded file with local client certificate for https connections to local and remote DSF FHIR servers
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/app_client_certificate.pem`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.bpe.fhir.client.certificate.private.key
+- **Required:** Yes
+- **Description:** Private key corresponding to the local client certificate as PEM encoded file. Use DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/app_client_certificate_private_key.pem`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.fhir.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the local client certificate encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/app_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG
+- **Property:** dev.dsf.bpe.fhir.client.connections.config
+- **Required:** No
+- **Description:** FHIR server connections YAML config for v2 process plugins
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_ENABLE_DEBUG_LOGGING
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.enable.debug.logging
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `enable-debug-logging` and `oidc-auth.enable-debug-logging`
+- **Recommendation:** To enable debug logging of requests and responses to configured FHIR servers by default set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_OIDC_DISCOVERY_PATH
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.oidc.discovery.path
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for property `oidc-auth.discovery-path`
+- **Default:** `/.well-known/openid-configuration`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_OIDC_VERIFY_AUTHORIZED_PARTY
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.oidc.verify.authorized.party
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for property `oidc-auth.verify-authorized-party`
+- **Recommendation:** To disable verification of the authorized party (aud) claim by default set to `false`
+- **Default:** `true`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TEST_CONNECTION_ON_STARTUP
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.test.connection.on.startup
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `test-connection-on-startup` and `oidc-auth.test-connection-on-startup`
+- **Recommendation:** To perform connection tests on BPE startup to configured FHIR servers by default set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TIMEOUT_CONNECT
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.timeout.connect
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `connect-timeout` and `oidc-auth.connect-timeout`
+- **Default:** `PT2S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TIMEOUT_READ
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.timeout.read
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `read-timeout` and `oidc-auth.read-timeout`
+- **Default:** `PT10M`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.trust.server.certificate.cas
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `trusted-root-certificates-file` and `oidc-auth.trusted-root-certificates-file`. Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates.
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_CACHE
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.cache
+- **Required:** No
+- **Description:** Set `false` to disable caching of OIDC discovery and jwks resources as well as access tokens in the 'Client Credentials Grant' client; access tokens are evicted 10 seconds before they expire
+- **Default:** `true`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_CACHE_TIMEOUT_ACCESS_TOKEN
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.cache.timeout.access.token
+- **Required:** No
+- **Description:** OIDC 'Client Credentials Grant' client cache timeout of access tokens before they expire, duration is subtracted from the expires at value of the access token
+- **Default:** `PT10S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_CACHE_TIMEOUT_CONFIGURATION_RESOURCE
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.cache.timeout.configuration.resource
+- **Required:** No
+- **Description:** OIDC 'Client Credentials Grant' client cache timeout of the 'openid-configuration' discovery resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_CACHE_TIMEOUT_JWKS_RESOURCE
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.cache.timeout.jwks.resource
+- **Required:** No
+- **Description:** OIDC 'Client Credentials Grant' client cache timeout of the jwks resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_TIME_VALIDATION_LEEWAY
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.time.validation.leeway
+- **Required:** No
+- **Description:** OIDC 'Client Credentials Grant' client access token time validation leeway for 'Not Before', 'Issued At' and 'Expires At' values
+- **Default:** `PT10S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_LOCAL_TIMEOUT_CONNECT
+- **Property:** dev.dsf.bpe.fhir.client.local.timeout.connect
+- **Required:** No
+- **Description:** Timeout until a connection is established with the local DSF FHIR server
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT2S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_LOCAL_TIMEOUT_READ
+- **Property:** dev.dsf.bpe.fhir.client.local.timeout.read
+- **Required:** No
+- **Description:** Timeout until reading a resource from the local DSF FHIR server is aborted
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT60S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_LOCAL_VERBOSE
+- **Property:** dev.dsf.bpe.fhir.client.local.verbose
+- **Required:** No
+- **Description:** To enable verbose logging of requests to and replies from the local DSF FHIR server, set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_REMOTE_TIMEOUT_CONNECT
+- **Property:** dev.dsf.bpe.fhir.client.remote.timeout.connect
+- **Required:** No
+- **Description:** Timeout until a connection is established with a remote DSF FHIR server
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT5S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_REMOTE_TIMEOUT_READ
+- **Property:** dev.dsf.bpe.fhir.client.remote.timeout.read
+- **Required:** No
+- **Description:** Timeout until a reading a resource from a remote DSF FHIR server is aborted
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT60S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_REMOTE_VERBOSE
+- **Property:** dev.dsf.bpe.fhir.client.remote.verbose
+- **Required:** No
+- **Description:** To enable verbose logging of requests to and replies from remote DSF FHIR servers, set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.bpe.fhir.client.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to local and remote DSF FHIR servers
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_BPE_FHIR_QUESTIONNAIRE_RESPONSE_SUBSCRIPTION_SEARCH_PARAMETER
+- **Property:** dev.dsf.bpe.fhir.questionnaire.response.subscription.search.parameter
+- **Required:** No
+- **Description:** Subscription to receive notifications about questionnaire response resources from the DSF FHIR server
+- **Default:** `?criteria:exact=QuestionnaireResponse%3Fstatus%3Dcompleted&status=active&type=websocket&payload=application/fhir%2Bjson`
+
+
+### DEV_DSF_BPE_FHIR_SERVER_BASE_URL
+- **Property:** dev.dsf.bpe.fhir.server.base.url
+- **Required:** Yes
+- **Description:** Base address of the local DSF FHIR server to read/store fhir resources
+- **Example:** `https://foo.bar/fhir`
+
+
+### DEV_DSF_BPE_FHIR_TASK_SUBSCRIPTION_RETRY_MAX
+- **Property:** dev.dsf.bpe.fhir.task.subscription.retry.max
+- **Required:** No
+- **Description:** Number of retries until a websocket connection can be established with the DSF FHIR server, `-1` means infinite number of retries
+- **Default:** `-1`
+
+
+### DEV_DSF_BPE_FHIR_TASK_SUBSCRIPTION_RETRY_SLEEP
+- **Property:** dev.dsf.bpe.fhir.task.subscription.retry.sleep
+- **Required:** No
+- **Description:** Time between two retries to establish a websocket connection with the DSF FHIR server
+- **Default:** `PT5S`
+
+
+### DEV_DSF_BPE_FHIR_TASK_SUBSCRIPTION_SEARCH_PARAMETER
+- **Property:** dev.dsf.bpe.fhir.task.subscription.search.parameter
+- **Required:** No
+- **Description:** Subscription to receive notifications about task resources from the DSF FHIR server
+- **Default:** `?criteria:exact=Task%3Fstatus%3Drequested&status=active&type=websocket&payload=application/fhir%2Bjson`
+
+
+### DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.bpe.mail.client.certificate
+- **Required:** No
+- **Description:** PEM encoded file with client certificate used to authenticate against the SMTP server. Requires SMTP over TLS to be enabled via *DEV_DSF_BPE_MAIL_USESMTPS*
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/smtp_server_client_certificate.pem`
+
+
+### DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.bpe.mail.client.certificate.private.key
+- **Required:** No
+- **Description:** Private key corresponging to the SMTP server client certificate as PEM encoded file. Use DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted. Requires SMTP over TLS to be enabled via *DEV_DSF_BPE_MAIL_USESMTPS*
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/smtp_server_client_certificate_private_key.pem`
+
+
+### DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.mail.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the local client certificate encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/smtp_server_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_BPE_MAIL_FROMADDRESS
+- **Property:** dev.dsf.bpe.mail.fromAddress
+- **Required:** No
+- **Description:** Mail service sender address
+- **Example:** `sender@localhost`
+
+
+### DEV_DSF_BPE_MAIL_HOST
+- **Property:** dev.dsf.bpe.mail.host
+- **Required:** No
+- **Description:** SMTP server hostname
+- **Example:** `smtp.server.de`
+
+
+### DEV_DSF_BPE_MAIL_MAILONERRORLOGEVENTBUFFERSIZE
+- **Property:** dev.dsf.bpe.mail.mailOnErrorLogEventBufferSize
+- **Required:** No
+- **Description:** Number of previous INFO, WARN log messages to include in ERROR log event mails (>=0); requires send mail on ERROR log event option to be enabled to have an effect
+- **Default:** `4`
+
+
+### DEV_DSF_BPE_MAIL_MAILONERRORLOGEVENTDEBUGLOGLOCATION
+- **Property:** dev.dsf.bpe.mail.mailOnErrorLogEventDebugLogLocation
+- **Required:** No
+- **Description:** Location of the BPE debug log as displayed in the footer of ERROR log event mails, does not modify the actual location of the debug log file; requires send mail on ERROR log event option to be enabled to have an effect
+- **Default:** `/opt/bpe/log/bpe.log`
+
+
+### DEV_DSF_BPE_MAIL_PASSWORD or DEV_DSF_BPE_MAIL_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.mail.password
+- **Required:** No
+- **Description:** SMTP server authentication password
+- **Recommendation:** Configure if the SMTP server requires username/password authentication; use docker secret file to configure using *DEV_DSF_BPE_MAIL_PASSWORD_FILE*; enable SMTP over TLS via *DEV_DSF_BPE_MAIL_USESMTPS*
+
+
+### DEV_DSF_BPE_MAIL_PORT
+- **Property:** dev.dsf.bpe.mail.port
+- **Required:** No
+- **Description:** SMTP server port
+- **Example:** `465`
+- **Default:** `0`
+
+
+### DEV_DSF_BPE_MAIL_REPLYTOADDRESSES
+- **Property:** dev.dsf.bpe.mail.replyToAddresses
+- **Required:** No
+- **Description:** Mail service reply to addresses; comma or space separated list, YAML block scalars supported
+- **Example:** `reply.to@localhost`
+
+
+### DEV_DSF_BPE_MAIL_SENDMAILONERRORLOGEVENT
+- **Property:** dev.dsf.bpe.mail.sendMailOnErrorLogEvent
+- **Required:** No
+- **Description:** To enable mails being send for every ERROR logged, set to `true`; requires SMTP server to be configured
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_MAIL_SENDTESTMAILONSTARTUP
+- **Property:** dev.dsf.bpe.mail.sendTestMailOnStartup
+- **Required:** No
+- **Description:** To enable a test mail being send on startup of the BPE, set to `true`; requires SMTP server to be configured
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_MAIL_SMIME_P12KEYSTORE
+- **Property:** dev.dsf.bpe.mail.smime.p12Keystore
+- **Required:** No
+- **Description:** PKCS12 encoded file with S/MIME certificate, private key and certificate chain to enable send mails to be S/MIME signed
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/smime_certificate.p12`
+
+
+### DEV_DSF_BPE_MAIL_SMIME_P12KEYSTORE_PASSWORD or DEV_DSF_BPE_MAIL_SMIME_P12KEYSTORE_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.mail.smime.p12Keystore.password
+- **Required:** No
+- **Description:** Password to decrypt the PKCS12 encoded S/MIMIE certificate file
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_MAIL_SMIME_P12KEYSTORE_PASSWORD_FILE*
+- **Example:** `/run/secrets/smime_certificate.p12.password`
+
+
+### DEV_DSF_BPE_MAIL_TOADDRESSES
+- **Property:** dev.dsf.bpe.mail.toAddresses
+- **Required:** No
+- **Description:** Mail service recipient addresses, configure at least one; comma or space separated list, YAML block scalars supported
+- **Example:** `recipient@localhost`
+
+
+### DEV_DSF_BPE_MAIL_TOADDRESSESCC
+- **Property:** dev.dsf.bpe.mail.toAddressesCc
+- **Required:** No
+- **Description:** Mail service CC recipient addresses; comma or space separated list, YAML block scalars supported
+- **Example:** `cc.recipient@localhost`
+
+
+### DEV_DSF_BPE_MAIL_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.bpe.mail.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate the server certificate of the SMTP server. Requires SMTP over TLS to be enabled via *DEV_DSF_BPE_MAIL_USESMTPS*
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/smtp_server_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_BPE_MAIL_USERNAME
+- **Property:** dev.dsf.bpe.mail.username
+- **Required:** No
+- **Description:** SMTP server authentication username
+- **Recommendation:** Configure if the SMTP server requires username/password authentication; enable SMTP over TLS via *DEV_DSF_BPE_MAIL_USESMTPS*
+
+
+### DEV_DSF_BPE_MAIL_USESMTPS
+- **Property:** dev.dsf.bpe.mail.useSmtps
+- **Required:** No
+- **Description:** To enable SMTP over TLS (smtps), set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_PROCESS_API_ALLOWED_BPE_CLASSES
+- **Property:** dev.dsf.bpe.process.api.allowed.bpe.classes
+- **Required:** No
+- **Description:** Map with files containing qualified class names allowed to be loaded by plugins for api versions; map key must match v([1-9]+[0-9]*)
+- **Recommendation:** Change only during development
+- **Example:** `{v1: 'some/example.file', v2: 'other.file'}`
+- **Default:** `{:}`
+
+
+### DEV_DSF_BPE_PROCESS_API_ALLOWED_BPE_RESOURCE
+- **Property:** dev.dsf.bpe.process.api.allowed.bpe.resource
+- **Required:** No
+- **Description:** Map with files containing resources allowed to be loaded by plugins for api versions; map key must match v([1-9]+[0-9]*)
+- **Recommendation:** Change only during development
+- **Example:** `{v1: 'some/example.file', v2: 'other.file'}`
+- **Default:** `{:}`
+
+
+### DEV_DSF_BPE_PROCESS_API_DIRECTORY
+- **Property:** dev.dsf.bpe.process.api.directory
+- **Required:** No
+- **Description:** Directory containing the DSF BPE process plugin api jar files
+- **Recommendation:** Change only during development
+- **Default:** `api`
+
+
+### DEV_DSF_BPE_PROCESS_API_RESOURCES_WITH_PRIORITY
+- **Property:** dev.dsf.bpe.process.api.resources.with.priority
+- **Required:** No
+- **Description:** Map with files containing api/plugin resource with priority over bpe resources for plugins for api versions; map key must match v([1-9]+[0-9]*)
+- **Recommendation:** Change only during development
+- **Example:** `{v1: 'some/example.file', v2: 'other.file'}`
+- **Default:** `{:}`
+
+
+### DEV_DSF_BPE_PROCESS_ENGINE_COREPOOLSIZE
+- **Property:** dev.dsf.bpe.process.engine.corePoolSize
+- **Required:** No
+- **Description:** Process engine job executor core pool size
+- **Default:** `4`
+
+
+### DEV_DSF_BPE_PROCESS_ENGINE_MAXPOOLSIZE
+- **Property:** dev.dsf.bpe.process.engine.maxPoolSize
+- **Required:** No
+- **Description:** Process engine job executor max pool size, additional threads until max pool size are created if the queue is full
+- **Default:** `10`
+
+
+### DEV_DSF_BPE_PROCESS_ENGINE_QUEUESIZE
+- **Property:** dev.dsf.bpe.process.engine.queueSize
+- **Required:** No
+- **Description:** Process engine job executor queue size, jobs are added to the queue if all core pool threads are busy
+- **Default:** `40`
+
+
+### DEV_DSF_BPE_PROCESS_EXCLUDED
+- **Property:** dev.dsf.bpe.process.excluded
+- **Required:** No
+- **Description:** List of process names that should be excluded from deployment during startup of the DSF BPE server; comma or space separated list, YAML block scalars supported
+- **Recommendation:** Only deploy processes that can be started depending on your organization's roles in the Allow-List
+- **Example:** `dsfdev_updateAllowList|1.0, another_process|x.y`
+
+
+### DEV_DSF_BPE_PROCESS_FHIR_SERVER_RETRY_MAX
+- **Property:** dev.dsf.bpe.process.fhir.server.retry.max
+- **Required:** No
+- **Description:** Number of retries until a connection can be established with the local DSF FHIR server during process deployment, `-1` means infinite number of retries
+- **Default:** `-1`
+
+
+### DEV_DSF_BPE_PROCESS_FHIR_SERVER_RETRY_SLEEP
+- **Property:** dev.dsf.bpe.process.fhir.server.retry.sleep
+- **Required:** No
+- **Description:** Time between two retries to establish a connection with the local DSF FHIR server during process deployment
+- **Default:** `PT5S`
+
+
+### DEV_DSF_BPE_PROCESS_FHIR_VALIDATION_ENABLED
+- **Property:** dev.dsf.bpe.process.fhir.validation.enabled
+- **Required:** No
+- **Description:** Set to true to enable FHIR validation feature for process plugins, not implemented for DSF version 2.0.x
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_PROCESS_PLUGIN_DIRECTORY
+- **Property:** dev.dsf.bpe.process.plugin.directory
+- **Required:** No
+- **Description:** Directory containing the DSF BPE process plugins for deployment on startup of the DSF BPE server
+- **Recommendation:** Change only if you don't use the provided directory structure from the installation guide or made changes to tit
+- **Default:** `process`
+
+
+### DEV_DSF_BPE_PROCESS_PLUGIN_EXPLODED
+- **Property:** dev.dsf.bpe.process.plugin.exploded
+- **Required:** No
+- **Description:** Directories containing exploded DSF BPE process plugins for deployment on startup of the DSF BPE server; comma or space separated list, YAML block scalars supported
+- **Recommendation:** Only for testing
+
+
+### DEV_DSF_BPE_PROCESS_RETIRED
+- **Property:** dev.dsf.bpe.process.retired
+- **Required:** No
+- **Description:** List of already deployed process names that should be retired during startup of the DSF BPE server; comma or space separated list, YAML block scalars supported
+- **Recommendation:** Retire processes that where deployed previously but are not anymore available
+- **Example:** `old_process|x.y`
+
+
+### DEV_DSF_BPE_PROCESS_THREADS
+- **Property:** dev.dsf.bpe.process.threads
+- **Required:** No
+- **Description:** Number of parallel Task / QuestionnaireResponse threads to start new or continue existing processes, a value `<= 0` means number of cpu cores
+- **Default:** `-1`
+
+
+### DEV_DSF_BPE_SERVER_BASE_URL
+- **Property:** dev.dsf.bpe.server.base.url
+- **Required:** No
+- **Description:** Base address of the BPE server, configure when exposing the web-ui
+- **Example:** `https://foo.bar/bpe`
+- **Default:** `https://localhost/bpe`
+
+
+### DEV_DSF_BPE_SERVER_ROLECONFIG
+- **Property:** dev.dsf.bpe.server.roleConfig
+- **Required:** No
+- **Description:** Role config YAML as defined in [BPE Server: Access Control](access-control)
+
+
+### DEV_DSF_BPE_SERVER_STATIC_RESOURCE_CACHE
+- **Property:** dev.dsf.bpe.server.static.resource.cache
+- **Required:** No
+- **Description:** To disable static resource caching, set to `false`
+- **Recommendation:** Only set to `false` for development
+- **Default:** `true`
+
+
+### DEV_DSF_BPE_SERVER_UI_THEME
+- **Property:** dev.dsf.bpe.server.ui.theme
+- **Required:** No
+- **Description:** UI theme parameter, adds a color indicator to the ui to distinguish `dev`, `test` and `prod` environments if configured; supported values: `dev`, `test` and `prod`
+
+
+### DEV_DSF_LOG_CONFIG
+- **Property:** dev.dsf.log.config
+- **Required:** No
+- **Description:** Location of a log4j configuration xml file; if file is readable, overrides configuration specified via *DEV_DSF_LOG_...* parameters
+- **Default:** `conf/log4j2.xml`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_ENABLED
+- **Property:** dev.dsf.log.console.err.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console err output of the standard logger
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_LEVEL
+- **Property:** dev.dsf.log.console.err.level
+- **Required:** No
+- **Description:** Standard logger console err output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `INFO`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_STYLE
+- **Property:** dev.dsf.log.console.err.style
+- **Required:** No
+- **Description:** Standard logger console err output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`, `TEXT_COLOR_MDC`, `TEXT_COLOR`
+- **Default:** `TEXT_COLOR`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_ENABLED
+- **Property:** dev.dsf.log.console.out.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable console out output of the standard logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_LEVEL
+- **Property:** dev.dsf.log.console.out.level
+- **Required:** No
+- **Description:** Standard logger console out output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `INFO`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_STYLE
+- **Property:** dev.dsf.log.console.out.style
+- **Required:** No
+- **Description:** Standard logger console out output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`, `TEXT_COLOR_MDC`, `TEXT_COLOR`
+- **Default:** `TEXT_COLOR`
+
+
+### DEV_DSF_LOG_DATA_CONSOLE_ERR_ENABLED
+- **Property:** dev.dsf.log.data.console.err.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console err output of the special data logger; the data logger can be used by process plugins to log sensitive data
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_DATA_CONSOLE_ERR_STYLE
+- **Property:** dev.dsf.log.data.console.err.style
+- **Required:** No
+- **Description:** Special data logger console err style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT`
+
+
+### DEV_DSF_LOG_DATA_CONSOLE_OUT_ENABLED
+- **Property:** dev.dsf.log.data.console.out.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console out output of the special data logger; the data logger can be used by process plugins to log sensitive data
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_DATA_CONSOLE_OUT_STYLE
+- **Property:** dev.dsf.log.data.console.out.style
+- **Required:** No
+- **Description:** Special data logger console out style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT`
+
+
+### DEV_DSF_LOG_DATA_FILE_ENABLED
+- **Property:** dev.dsf.log.data.file.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable log file output of the special data logger; the data logger can be used by process plugins to log sensitive data
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_DATA_FILE_STYLE
+- **Property:** dev.dsf.log.data.file.style
+- **Required:** No
+- **Description:** Special data logger file style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT`
+
+
+### DEV_DSF_LOG_FILE_ENABLED
+- **Property:** dev.dsf.log.file.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable log file output of the standard logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_FILE_LEVEL
+- **Property:** dev.dsf.log.file.level
+- **Required:** No
+- **Description:** Standard logger log file output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `DEBUG`
+
+
+### DEV_DSF_LOG_FILE_STYLE
+- **Property:** dev.dsf.log.file.style
+- **Required:** No
+- **Description:** Standard logger log file output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT_MDC`
+
+
+### DEV_DSF_LOG_MIN_LEVEL_LOGGERS
+- **Property:** dev.dsf.log.min.level.loggers
+- **Required:** No
+- **Description:** List of logger names that are enabled to produce log output with the minimal configured log level from `DEV_DSF_LOG_CONSOLE_OUT_LEVEL`, `DEV_DSF_LOG_CONSOLE_ERR_LEVEL` and `DEV_DSF_LOG_FILE_LEVEL`
+- **Default:** `dev.dsf, de.medizininformatik_initiative.processes.common`
+
+
+### DEV_DSF_PROXY_NOPROXY
+- **Property:** dev.dsf.proxy.noProxy
+- **Required:** No
+- **Description:** Forward proxy no-proxy list, entries will match exactly or against (one level) sub-domains, if no port is specified - all ports are matched; comma or space separated list, YAML block scalars supported
+- **Example:** `foo.bar, test.com:8080`
+
+
+### DEV_DSF_PROXY_PASSWORD or DEV_DSF_PROXY_PASSWORD_FILE
+- **Property:** dev.dsf.proxy.password
+- **Required:** No
+- **Description:** Forward Proxy password
+- **Recommendation:** Configure password if proxy requires authentication, use docker secret file to configure using *DEV_DSF_PROXY_PASSWORD_FILE*
+
+
+### DEV_DSF_PROXY_URL
+- **Property:** dev.dsf.proxy.url
+- **Required:** No
+- **Description:** Forward (http/https) proxy url, use *DEV_DSF_BPE_PROXY_NOPROXY* to list domains that do not require a forward proxy
+- **Example:** `http://proxy.foo:8080`
+
+
+### DEV_DSF_PROXY_USERNAME
+- **Property:** dev.dsf.proxy.username
+- **Required:** No
+- **Description:** Forward proxy username
+- **Recommendation:** Configure username if proxy requires authentication
+
+
+### DEV_DSF_SERVER_API_HOST
+- **Property:** dev.dsf.server.api.host
+- **Required:** No
+- **Description:** API connector host, default in docker image: `0.0.0.0`
+- **Default:** `127.0.0.1`
+
+
+### DEV_DSF_SERVER_API_PORT
+- **Property:** dev.dsf.server.api.port
+- **Required:** No
+- **Description:** API connector port, default in docker image: `8080`
+
+
+### DEV_DSF_SERVER_AUTH_CLIENT_CERTIFICATE_HEADER
+- **Property:** dev.dsf.server.auth.client.certificate.header
+- **Required:** No
+- **Description:** Name of HTTP header with client certificate from reverse proxy
+- **Default:** `X-ClientCert`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW
+- **Property:** dev.dsf.server.auth.oidc.authorization.code.flow
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC authorization code flow
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL*, *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET* or *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT
+- **Property:** dev.dsf.server.auth.oidc.back.channel.logout
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC back-channel logout
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* to be set to `true` (enabled), *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH
+- **Property:** dev.dsf.server.auth.oidc.back.channel.logout.path
+- **Required:** No
+- **Description:** Path called by the OIDC provide to request back-channel logout
+- **Default:** `/back-channel-logout`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN
+- **Property:** dev.dsf.server.auth.oidc.bearer.token
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC bearer token authentication
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN_AUDIENCE
+- **Property:** dev.dsf.server.auth.oidc.bearer.token.audience
+- **Required:** No
+- **Description:** Audience (aud) value to verify before accepting OIDC bearer tokens, uses value from `DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID` by default, set blank string e.g. `''` to disable
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified and *DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN* set tor `true`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID
+- **Property:** dev.dsf.server.auth.oidc.client.id
+- **Required:** No
+- **Description:** OIDC provider client_id, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET or DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE
+- **Property:** dev.dsf.server.auth.oidc.client.secret
+- **Required:** No
+- **Description:** OIDC provider client_secret, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CACHE_TIMEOUT_CONFIGURATION_RESOURCE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource
+- **Required:** No
+- **Description:** OIDC provider client cache timeout of the 'openid-configuration' discovery resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CACHE_TIMEOUT_JWKS_RESOURCE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource
+- **Required:** No
+- **Description:** OIDC provider client cache timeout of the jwks resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate
+- **Required:** No
+- **Description:** PEM encoded file with client certificate for https connections to the OIDC provider
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_client_certificate.pem`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate.private.key
+- **Required:** No
+- **Description:** Private key corresponding to the client certificate for the OIDC provider as PEM encoded file. Use *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_client_certificate_private_key.pem`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the client certificate for the OIDC provider encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/oidc_provider_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TIMEOUT_CONNECT
+- **Property:** dev.dsf.server.auth.oidc.provider.client.timeout.connect
+- **Required:** No
+- **Description:** OIDC provider client connect timeout
+- **Default:** `PT5S`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TIMEOUT_READ
+- **Property:** dev.dsf.server.auth.oidc.provider.client.timeout.read
+- **Required:** No
+- **Description:** OIDC provider client read timeout
+- **Default:** `PT30S`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.server.auth.oidc.provider.client.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to the OIDC provider
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_DISCOVERY_PATH
+- **Property:** dev.dsf.server.auth.oidc.provider.discovery.path
+- **Required:** No
+- **Description:** OIDC provider discovery path
+- **Default:** `/.well-known/openid-configuration`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL
+- **Property:** dev.dsf.server.auth.oidc.provider.realm.base.url
+- **Required:** No
+- **Description:** OIDC provider realm base url
+- **Example:** `https://keycloak.test.com:8443/realms/example-realm-name`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_SESSION_TIMEOUT
+- **Property:** dev.dsf.server.auth.oidc.session.timeout
+- **Required:** No
+- **Description:** Maximum inactivity period after which the server session for OIDC logins is invalidated; the access token may expire earlier, resulting in earlier session invalidation
+- **Default:** `PT30M`
+
+
+### DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS
+- **Property:** dev.dsf.server.auth.trust.client.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted full CA chains to validate client certificates for https connections from local and remote clients
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/client_ca_chains`
+
+
+### DEV_DSF_SERVER_CERTIFICATE
+- **Property:** dev.dsf.server.certificate
+- **Required:** No
+- **Description:** Server certificate file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_CHAIN
+- **Property:** dev.dsf.server.certificate.chain
+- **Required:** No
+- **Description:** Server certificate chain file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_KEY
+- **Property:** dev.dsf.server.certificate.key
+- **Required:** No
+- **Description:** Server certificate private key file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_KEY_PASSWORD or DEV_DSF_SERVER_CERTIFICATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.server.certificate.key.password
+- **Required:** No
+- **Description:** Server certificate private key file password for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CONTEXT_PATH
+- **Property:** dev.dsf.server.context.path
+- **Required:** No
+- **Description:** Web application context path, default in `bpe` docker image: `/bpe`, default in `fhir` docker image: `/fhir`
+- **Recommendation:** Only modify for testing
+
+
+### DEV_DSF_SERVER_STATUS_HOST
+- **Property:** dev.dsf.server.status.host
+- **Required:** No
+- **Description:** Status connector host
+- **Default:** `127.0.0.1`
+
+
+### DEV_DSF_SERVER_STATUS_PORT
+- **Property:** dev.dsf.server.status.port
+- **Required:** No
+- **Description:** Status connector port, default in docker image: `10000`
+
+---
+
+## FHIR Reverse Proxy
+Source: https://dsf.dev/operations/latest/fhir-reverse-proxy/configuration.html
+
+### APP_SERVER_IP
+- **Required:** Yes
+- **Description:** Hostname or IP-Address of the DSF FHIR server application container, the reverse proxy target
+- **Example:** `app`, `172.28.1.3`
+
+
+### HTTPS_SERVER_NAME_PORT
+- **Required:** Yes
+- **Description:** External FQDN of your DSF FHIR server with port, typically `443`
+- **Example:** `my-external.fqdn:443`
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_WS
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### PROXY_PASS_TIMEOUT_WS
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### SERVER_CONTEXT_PATH
+- **Required:** No
+- **Description:** Reverse proxy context path that delegates to the app server, `/` character at start, no `/` character at end, use `''` (empty string) to configure root as context path
+- **Default:** `/fhir`
+
+
+### SSL_CA_CERTIFICATE_FILE
+- **Required:** No
+- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`; not used by default, overrides *SSL_CA_CERTIFICATE_PATH* if not empty
+
+
+### SSL_CA_CERTIFICATE_PATH
+- **Required:** No
+- **Description:** Folder with trusted full CA chains for validating client certificates
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_ca_chains`
+
+
+### SSL_CA_DN_REQUEST_FILE
+- **Required:** No
+- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from *SSL_CA_CERTIFICATE_FILE* are used; not used by default, overrides *SSL_CA_DN_REQUEST_PATH* if not empty
+
+
+### SSL_CA_DN_REQUEST_PATH
+- **Required:** No
+- **Description:** Folder with trusted client certificate issuing CAs, modifies the "Acceptable client certificate CA names" send to the client, uses all from *SSL_CA_CERTIFICATE_FILE* or *SSL_CA_CERTIFICATE_PATH* if not set or empty
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_issuing_cas`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via *SSL_CERTIFICATE_FILE* contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via *SSL_CERTIFICATE_FILE* contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_FILE
+- **Required:** Yes
+- **Description:** Server certificate file, PEM encoded, sets the apache httpd parameter `SSLCertificateFile`, may contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate). Omit *SSL_CERTIFICATE_CHAIN_FILE* if chain included
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_file.pem`
+
+
+### SSL_CERTIFICATE_KEY_FILE
+- **Required:** Yes
+- **Description:** Server certificate private key file, PEM encoded, unencrypted, sets the apache httpd parameter `SSLCertificateKeyFile`
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_key_file.pem`
+
+
+### SSL_EXPECTED_CLIENT_S_DN_C_VALUES
+- **Required:** No
+- **Description:** Expected client certificate subject DN country `C` values, must be a comma-separated list of strings in single quotation marks, e.g. `'DE', 'FR'`. If a client certificate with a not configured subject country `C` value is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'DE'`
+
+
+### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
+- **Required:** No
+- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA Client Authentication ECC', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA Client Authentication RSA', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
+
+
+### SSL_VERIFY_CLIENT
+- **Required:** No
+- **Description:** Modifies the apache mod_ssl config parameter `SSLVerifyClient`
+- **Recommendation:** Set to `optional` when using OIDC authentication
+- **Default:** `require`
+
+---
+
+## BPE Reverse Proxy
+Source: https://dsf.dev/operations/latest/bpe-reverse-proxy/configuration.html
+
+### APP_SERVER_IP
+- **Required:** Yes
+- **Description:** Hostname or IP-Address of the DSF BPE server application container, the reverse proxy target
+- **Example:** `app`, `172.28.1.3`
+
+
+### HTTPS_SERVER_NAME_PORT
+- **Required:** Yes
+- **Description:** FQDN of your DSF BPE server with port, typically `443`
+- **Example:** `my-external.fqdn:443`
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_WS
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### PROXY_PASS_TIMEOUT_WS
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### SERVER_CONTEXT_PATH
+- **Required:** No
+- **Description:** Reverse proxy context path that delegates to the app server, `/` character at start, no `/` character at end, use `''` (empty string) to configure root as context path
+- **Default:** `/bpe`
+
+
+### SSL_CA_CERTIFICATE_FILE
+- **Required:** No
+- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`; not used by default, overrides *SSL_CA_CERTIFICATE_PATH* if not empty
+
+
+### SSL_CA_CERTIFICATE_PATH
+- **Required:** No
+- **Description:** Folder with trusted full CA chains for validating client certificates
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_ca_chains`
+
+
+### SSL_CA_DN_REQUEST_FILE
+- **Required:** No
+- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from *SSL_CA_CERTIFICATE_FILE* are used; not used by default, overrides *SSL_CA_DN_REQUEST_PATH* if not empty
+
+
+### SSL_CA_DN_REQUEST_PATH
+- **Required:** No
+- **Description:** Folder with trusted client certificate issuing CAs, modifies the "Acceptable client certificate CA names" send to the client, uses all from *SSL_CA_CERTIFICATE_FILE* or *SSL_CA_CERTIFICATE_PATH* if not set or empty
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_issuing_cas`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via *SSL_CERTIFICATE_FILE* contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_FILE
+- **Required:** Yes
+- **Description:** Server certificate file, PEM encoded, sets the apache httpd parameter `SSLCertificateFile`, may contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate). Omit *SSL_CERTIFICATE_CHAIN_FILE* if chain included
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_file.pem`
+
+
+### SSL_CERTIFICATE_KEY_FILE
+- **Required:** Yes
+- **Description:** Server certificate private key file, PEM encoded, unencrypted, sets the apache httpd parameter `SSLCertificateKeyFile`
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_key_file.pem`
+
+
+### SSL_EXPECTED_CLIENT_S_DN_C_VALUES
+- **Required:** No
+- **Description:** Expected client certificate subject DN country `C` values, must be a comma-separated list of strings in single quotation marks, e.g. `'DE', 'FR'`. If a client certificate with a not configured subject country `C` value is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'DE'`
+
+
+### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
+- **Required:** No
+- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA Client Authentication ECC', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA Client Authentication RSA', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
+
+
+### SSL_VERIFY_CLIENT
+- **Required:** No
+- **Description:** Modifies the apache mod_ssl config parameter `SSLVerifyClient`
+- **Recommendation:** Set to `optional` when using OIDC authentication
+- **Default:** `require`
+
+---
+
+## Allow List Management
+Source: https://dsf.dev/operations/latest/allowList-mgm.html
+
+You can read all about the concept of Allow Lists [in our introduction](/explore/concepts/allow-list.md).
+
+## Overview
+To simplify the DSF Allow List Management we have built a portal for administration. The portal is managed by the GECKO Institute at Heilbronn University. You as an DSF administrator can create or update your Allow List information. The information you provide on this portal will be transferred to us and will be used to built Allow List bundles that get distributed to the communication partners of the distributed processes.
+
+The DSF Allow List management tool uses client certificates for authentication. You can either use a personal client certificate or the client certificate from your DSF BPE, which needs to be added to your web-browsers certificate store.
+
+
+## Prerequisites
+1. Deployed DSF instance (test or production infrastructure)
+ 1.1 If none exists yet, read [the installation guide](install)
+2. Certificate
+ 2.1 If none exists yet, read [the certificate requirements](install#client-server-certificates)
+3. Organization identifier, shortest FQDN of your organizations website, e.g. `my-hospital.de`
+4. FHIR endpoint URL, e.g. `https://dsf.my-hospital.de/fhir`
+5. Contact details from a responsible person of your organization
+6. Access to the E-Mail address from your organization for verification
+
+
+## Start here
+When you have fulfilled all the prerequisites, you can start managing your Allow Lists via the environment specific Allow List Management Tool:
+
+- [**Test** infrastructure](https://allowlist-test.gecko.hs-heilbronn.de)
+- [**Production** infrastructure](https://allowlist.gecko.hs-heilbronn.de)
+
+We use different highlight colors for the DSF Allow List Management Tool: Green for the **Test** environment and blue for the **Production** infrastructure. To access the site, you have to authenticate yourself with a client certificate. Your web-browser will show a dialog to choose a valid certificate.
+
+::: tip Ideas for improvement?
+Have you found an error or is something unclear to you? Then please feel free to contact us on the MII-Zulip Channel or write us at dsf-gecko@hs-heilbronn.de. Thank you very much!
+:::
+
+---
+
+## Process Plugin Deployment
+Source: https://dsf.dev/operations/process-plugin-deployment.html
+
+
+
+---
+
+## Passwords and Secrets
+Source: https://dsf.dev/operations/latest/passwords-secrets.html
+
+Environment variables ending in `_PASSWORD` or `_SECRET` can be configured using plain-text files. To achieve this, environment variable should be defined with `_FILE` appended to the name with the value defined as the location of the file. For all variables ending in `_PASSWORD_FILE` or `_SECRET_FILE` the DSF FHIR and DSF BPE applications will read the content of the fist line of the referenced file and dynamically define the corresponding `_PASSWORD` or `_SECRET` environment variables with the read values.
+
+### Example Environment Variables
+- **DEV_DSF_BPE_DB_USER_PASSWORD_FILE**: If set to `/run/secrets/db_user_password`, the application will read the contents of the `/run/secrets/db_user_password` file and set the `DEV_DSF_BPE_DB_USER_PASSWORD` environment variable with the content from that file.
+- **DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE**: If set to `/run/secrets/oidc_client_secret`, the application will read the contents of the referenced file and set the `DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET` environment variable accordingly.
+
+### Docker Secrets
+
+It is recommended to use [docker secrets](https://docs.docker.com/compose/how-tos/use-secrets) as files for these environment variables. Docker secrets are mounted as files in `/run/secrets/` inside the container.
+
+#### Example docker-compose
+```yaml
+services:
+ app:
+ image: ghcr.io/datasharingframework/fhir
+ secrets:
+ - db_user_password
+ - oidc_client_secret
+ environment:
+ DEV_DSF_BPE_DB_USER_PASSWORD_FILE: /run/secrets/db_user_password
+ DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_secret
+
+secrets:
+ db_user_password:
+ file: ./secrets/db_user.password
+ api_key:
+ file: ./secrets/oidc_client.secret
+```
+
+---
+
+## Root Certificates
+Source: https://dsf.dev/operations/latest/root-certificates.html
+
+A number of trusted certificate authorities (CAs) are included in the DSF docker images [fhir_proxy](https://github.com/datasharingframework/dsf/pkgs/container/fhir_proxy), [fhir](https://github.com/datasharingframework/dsf/pkgs/container/fhir), [bpe_proxy](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy) and [bpe](https://github.com/datasharingframework/dsf/pkgs/container/bpe) by default. Root and intermediate certificates as well as the configured usage of issuing CAs as either **server**, **client** oder **server and client** CA are listed at the end.
+
+:::info
+Please ensure that you are using an organization-validated certificate (OV). We check for the presence of certain elements in the FHIR proxy. These are not set for domain-validated (DV) certificates. DV-validated certificates cannot be used in the standard setup.
+:::
+
+## Extending or Replacing Trusted Certificate Authorities
+X.509 certificates of default trusted CAs are stored as individual .pem files containing one certificate each in the docker images and can be replaced by either using docker [bind mounts](https://docs.docker.com/engine/storage/bind-mounts) or configuring appropriate environment variables with different targets.
+
+### FHIR Reverse Proxy
+Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates (Apache httpd mod_ssl configuration option [SSLCACertificatePath](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcacertificatepath)) as well as the CA Certificates for defining acceptable CA names (option [SSLCADNRequestPath](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcadnrequestpath)). The default values of the following environment variables point to folders containing .pem files with one file per trusted CA:
+* [SSL_CA_CERTIFICATE_PATH](fhir-reverse-proxy/configuration.html#ssl-ca-certificate-path)
+ Default Value: `ca/client_ca_chains`
+ Default Folder Content: [client_ca_chains.zip](/download/2.1.0/client_ca_chains.zip)
+* [SSL_CA_DN_REQUEST_PATH](fhir-reverse-proxy/configuration.html#ssl-ca-dn-request-path)
+ Default Value: `ca/client_issuing_cas`
+ Default Folder Content: [client_issuing_cas.zip](/download/2.1.0/client_issuing_cas.zip)
+
+Use docker bind mounts to replace all default files or add additional CAs to the folders.
+
+**Note:** Default file location are relative to the docker image work directory `/usr/local/apache2`.
+**Also Note:** Using non default .pem files for the environment variables above may require also modifying the default values of the environment variables [SSL_EXPECTED_CLIENT_S_DN_C_VALUES](fhir-reverse-proxy/configuration.html#ssl-expected-client-s-dn-c-values) and [SSL_EXPECTED_CLIENT_I_DN_CN_VALUES](fhir-reverse-proxy/configuration.html#ssl-expected-client-i-dn-cn-values).
+
+### FHIR Server
+Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates as well as root CAs used for validating server certificates of remote DSF FHIR servers and the OIDC provider when using [OpenID Connect](fhir/oidc.html) for authenticating local users.
+
+**Note:** Default file location are relative to the docker image work directory `/opt/fhir`.
+
+You can add an additional certificate authority (e.g., your hospital CA) for
+
+- server certificates by creating a bind-mount of the CA file into the `/opt/fhir/ca/server_root_cas/` directory
+- client certificates by creating bind-mounts of the intermediate CA files and their root CA file into the `/opt/fhir/ca/client_ca_chains/` directory.
+
+See the [BPE Server configuration](#bpe-server) for an example.
+
+If you can't override the default configuration with bind-mounts, you can use the following environment variables to configure non default .pem file directories or .pem file:
+* [DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS](fhir/configuration.html#dev-dsf-server-auth-trust-client-certificate-cas)
+ Default Value: `ca/client_ca_chains`
+ Default Folder Content: [client_ca_chains.zip](/download/2.1.0/client_ca_chains.zip)
+* [DEV_DSF_FHIR_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](fhir/configuration.html#dev-dsf-fhir-client-trust-server-certificate-cas)
+ Default Value: `ca/server_root_cas`
+ Default Folder Content: [server_root_cas.zip](/download/2.1.0/server_root_cas.zip)
+* [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](fhir/configuration.html#dev-dsf-server-auth-oidc-provider-client-trust-server-certificate-cas)
+ Default Value: `ca/server_root_cas`
+ Default Folder Content: [server_root_cas.zip](/download/2.1.0/server_root_cas.zip)
+
+### BPE Reverse Proxy
+Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates (Apache httpd mod_ssl configuration option [SSLCACertificatePath](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcacertificatepath)) as well as the CA Certificates for defining acceptable CA names (option [SSLCADNRequestPath](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcadnrequestpath)). The default values of the following environment variables point to folders containing .pem files with one file per trusted CA:
+* [SSL_CA_CERTIFICATE_PATH](bpe-reverse-proxy/configuration.html#ssl-ca-certificate-path)
+ Default Value: `ca/client_ca_chains`
+ Default Folder Content: [client_ca_chains.zip](/download/2.1.0/client_ca_chains.zip)
+* [SSL_CA_DN_REQUEST_PATH](bpe-reverse-proxy/configuration.html#ssl-ca-dn-request-path)
+ Default Value: `ca/client_issuing_cas`
+ Default Folder Content: [client_issuing_cas.zip](/download/2.1.0/client_issuing_cas.zip)
+
+Use docker bind mounts to replace all default files or add additional CAs to the folders.
+
+**Note:** Default file location are relative to the docker image work directory `/usr/local/apache2`.
+**Also Note:** Using non default .pem files for the environment variables above may require also modifying the default values of the environment variables [SSL_EXPECTED_CLIENT_S_DN_C_VALUES](bpe-reverse-proxy/configuration.html#ssl-expected-client-s-dn-c-values) and [SSL_EXPECTED_CLIENT_I_DN_CN_VALUES](bpe-reverse-proxy/configuration.html#ssl-expected-client-i-dn-cn-values).
+
+### BPE Server
+Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates as well as root CAs used for validating server certificates of local and remote DSF FHIR servers, the local mail server (if configured and SMTP over TLS required) and the OIDC provider when using [OpenID Connect](fhir/oidc.html) for authenticating local users.
+
+**Note:** Default file location are relative to the docker image work directory `/opt/bpe`.
+
+You can add an additional certificate authority (e.g., your hospital CA) for
+
+- server certificates by creating a bind-mount of the CA file into the `/opt/bpe/ca/server_root_cas/` directory
+- client certificates by creating bind-mounts of the intermediate CA files and their root CA file into the `/opt/bpe/ca/client_ca_chains/` directory.
+
+If you have an additional certificate authority (e.g., your hospital CA) as `hospital-root-ca.pem` in your `/opt/bpe/secrets` directory, you can add it by adding the following entry in your docker-compose.yml file:
+
+```diff
+services:
+ app:
+...
+ volumes:
++ - type: bind
++ source: ./secrets/hospital-root-ca.pem
++ target: /opt/bpe/ca/server_root_cas/hospital-root-ca.pem
++ read_only: true
+```
+
+Use the following environment variable to configure non default .pem files or override the existing files using docker bind mounts:
+* [DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS](bpe/configuration.html#dev-dsf-server-auth-trust-client-certificate-cas)
+ Default Value: `ca/client_ca_chains`
+ Default Folder Content: [client_ca_chains.zip](/download/2.1.0/client_ca_chains.zip)
+* [DEV_DSF_BPE_FHIR_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](bpe/configuration.html#dev-dsf-bpe-fhir-client-trust-server-certificate-cas)
+ Default Value: `ca/server_root_cas`
+ Default Folder Content: [server_root_cas.zip](/download/2.1.0/server_root_cas.zip)
+ [DEV_DSF_BPE_MAIL_TRUST_SERVER_CERTIFICATE_CAS](bpe/configuration.html#dev-dsf-bpe-mail-trust-server-certificate-cas)
+ Default Value: `ca/server_root_cas`
+ Default Folder Content: [server_root_cas.zip](/download/2.1.0/server_root_cas.zip)
+* [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](bpe/configuration.html#dev-dsf-server-auth-oidc-provider-client-trust-server-certificate-cas)
+ Default Value: `ca/server_root_cas`
+ Default Folder Content: [server_root_cas.zip](/download/2.1.0/server_root_cas.zip)
+
+## List of Default Trusted Certificate Authorities
+If not mentioned explicitly, issuing CAs listed will sign X.509 certificates with [Extended Key Usage](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12) entries `TLS WWW server authentication` and `TLS WWW client authentication`.
+
+* Root CA: **HARICA TLS ECC Root CA 2021**
+ Info: https://crt.sh/?caid=202185
+ X509 Certificate: https://crt.sh/?id=4147045948
+ Not after: Feb 13 11:01:09 2045 GMT
+ * Issuing CA: **GEANT TLS ECC 1**
+ Info: https://crt.sh/?caid=390050
+ X509 Certificate: https://crt.sh/?id=16099180990
+ Not after: Dec 31 11:14:20 2039 GMT
+ * Issuing CA: **HARICA OV TLS ECC**
+ Info: https://crt.sh/?caid=207661
+ X509 Certificate: https://crt.sh/?id=4442848530
+ Not after: Mar 15 09:33:51 2036 GMT
+* Root CA: **HARICA TLS RSA Root CA 2021**
+ Info: https://crt.sh/?caid=202184
+ X509 Certificate: https://crt.sh/?id=4147041876
+ Not after: Feb 13 10:55:37 2045 GMT
+ * Issuing CA: **GEANT TLS RSA 1**
+ Info: https://crt.sh/?caid=390054
+ X509 Certificate: https://crt.sh/?id=16099180997
+ Not after: Dec 31 11:14:59 2039 GMT
+ * Issuing CA: **HARICA OV TLS RSA**
+ Info: https://crt.sh/?caid=207660
+ X509 Certificate: https://crt.sh/?id=4442848529
+ Not after: Mar 15 09:34:16 2036 GMT
+* Root CA: **HARICA Client ECC Root CA 2021** [client certificates only]
+ Info: https://crt.sh/?caid=202189
+ X509 Certificate: https://crt.sh/?id=4147052292
+ Not after: Feb 13 11:03:33 2045 GMT
+ * Issuing CA: **GEANT S/MIME ECC 1** [client certificates only]
+ Info: https://crt.sh/?caid=390048
+ X509 Certificate: https://crt.sh/?id=16099180988
+ Not after: Dec 31 11:11:39 2039 GMT
+ * Issuing CA: **HARICA S/MIME ECC** [client certificates only]
+ Info: https://crt.sh/?caid=207659
+ X509 Certificate: https://crt.sh/?id=4442848523
+ Not after: Mar 15 09:36:57 2036 GMT
+ * Issuing CA: **HARICA Client Authentication ECC** [client certificates only]
+ Info: https://crt.sh/?caid=207671
+ X509 Certificate: https://crt.sh/?id=4442848518
+ Not after: Mar 15 09:17:38 2036 GMT
+* Root CA: **HARICA Client RSA Root CA 2021** [client certificates only]
+ Info: https://crt.sh/?caid=202188
+ X509 Certificate: https://crt.sh/?id=4147049674
+ Not after: Feb 13 10:58:45 2045 GMT
+ * Issuing CA: **GEANT S/MIME RSA 1** [client certificates only]
+ Info: https://crt.sh/?caid=390049
+ X509 Certificate: https://crt.sh/?id=16099180989
+ Not after: Dec 31 11:13:07 2039 GMT
+ * Issuing CA: **HARICA S/MIME RSA** [client certificates only]
+ Info: https://crt.sh/?caid=207658
+ X509 Certificate: https://crt.sh/?id=4442848517
+ Not after: Mar 15 09:37:37 2036 GMT
+ * Issuing CA: **HARICA Client Authentication RSA** [client certificates only]
+ Info: https://crt.sh/?caid=207670
+ X509 Certificate: https://crt.sh/?id=4442848531
+ Not after: Mar 15 09:19:36 2036 GMT
+* Root CA: **T-TeleSec GlobalRoot Class 2** [client certificates only, will be removed in a future release, incl. derived CAs]
+ Info: https://crt.sh/?caid=6068
+ X509 Certificate: https://crt.sh/?id=8733622
+ Not after: Oct 1 23:59:59 2033 GMT
+ * Intermediate Root CA: **DFN-Verein Certification Authority 2** [client certificates only, will be removed in a future release, incl. derived CAs]
+ Info: https://crt.sh/?caid=22818
+ X509 Certificate: https://crt.sh/?id=23908438
+ Not after: Feb 22 23:59:59 2031 GMT
+ * Issuing CA: **DFN-Verein Global Issuing CA** [client certificates only, no new certificates]
+ Info: https://crt.sh/?caid=23770
+ X509 Certificate: https://crt.sh/?id=25484751
+ Not after: Feb 22 23:59:59 2031 GMT
+ * Issuing CA: **Fraunhofer User CA - G02** [client certificates only, no new certificates]
+ Info: https://crt.sh/?caid=23772
+ X509 Certificate: https://crt.sh/?id=25484789
+ Not after: Feb 22 23:59:59 2031 GMT
+* Root CA: **D-TRUST Root Class 3 CA 2 2009**
+ Info: https://crt.sh/?caid=712
+ X509 Certificate: https://crt.sh/?id=133226
+ Not after: Nov 5 08:35:58 2029 GMT
+ * Issuing CA: **D-TRUST SSL Class 3 CA 1 2009** [server certificates via TMF e.V.]
+ Info: https://crt.sh/?caid=713
+ X509 Certificate: https://crt.sh/?id=133227
+ Not after: Nov 5 08:35:58 2029 GMT
+* Root CA: **D-TRUST BR Root CA 1 2020 (ECC)**, optionally crosssigned by D-TRUST Root Class 3 CA 2 2009 [server only]
+ Info: https://crt.sh/?caid=192951
+ X509 Certificate: https://crt.sh/?id=3699642382 and https://crt.sh/?id=19754747817
+ Not after: Feb 11 09:44:59 2035
+* Root CA: **D-TRUST BR Root CA 2 2023 (RSA)**, optionally crosssigned by D-TRUST Root Class 3 CA 2 2009 [server only]
+ Info: https://crt.sh/?caid=266681
+ X509 Certificate: https://crt.sh/?id=9609658147 and https://crt.sh/?id=19754898942
+ Not after: May 9 08:56:30 2038 GMT
+
+* Root CA: **USERTrust ECC Certification Authority** [will be removed in a future release, incl. derived CAs]
+ Info: https://crt.sh/?caid=1390
+ X509 Certificate: https://crt.sh/?id=2841410
+ Not after: Jan 18 23:59:59 2038 GMT
+ * Issuing CA: **Sectigo ECC Organization Validation Secure Server CA**
+ Info: https://crt.sh/?caid=105483
+ X509 Certificate: https://crt.sh/?id=924467859
+ Not after: Dec 31 23:59:59 2030 GMT
+ * Issuing CA: **GEANT OV ECC CA 4**
+ Info: https://crt.sh/?caid=160140
+ X509 Certificate: https://crt.sh/?id=2475254970
+ * Issuing CA: **GEANT Personal ECC CA 4** [client certificates only]
+ Info: https://crt.sh/?caid=160136
+ X509 Certificate: https://crt.sh/?id=2475254903
+ Not after: May 1 23:59:59 2033 GMT
+ * Issuing CA: **GEANT eScience Personal ECC CA 4** [client certificates only]
+ Info: https://crt.sh/?caid=160138
+ X509 Certificate: https://crt.sh/?id=2475254888
+ Not after: May 1 23:59:59 2033 GMT
+* Root CA: **USERTrust RSA Certification Authority** [will be removed in a future release, incl. derived CAs]
+ Info: https://crt.sh/?caid=1167
+ X509 Certificate: https://crt.sh/?id=1199354
+ Not after: Jan 18 23:59:59 2038 GMT
+ * Issuing CA: **Sectigo RSA Organization Validation Secure Server CA**
+ Info: https://crt.sh/?caid=105487
+ X509 Certificate: https://crt.sh/?id=924467857
+ Not after: Dec 31 23:59:59 2030 GMT
+ * Issuing CA: **GEANT OV RSA CA 4**
+ Info: https://crt.sh/?caid=160137
+ X509 Certificate: https://crt.sh/?id=2475254782
+ Not after: May 1 23:59:59 2033 GMT
+ * Issuing CA: **GEANT Personal CA 4** [client certificates only]
+ Info: https://crt.sh/?caid=160144
+ X509 Certificate: https://crt.sh/?id=2475255043
+ Not after: May 1 23:59:59 2033 GMT
+ * Issuing CA: **GEANT eScience Personal CA 4** [client certificates only]
+ Info: https://crt.sh/?caid=160134
+ X509 Certificate: https://crt.sh/?id=2475253350
+ Not after: May 1 23:59:59 2033 GMT
+* Root CA: **D-TRUST Limited Basic Root CA 1 2019** [client certificates only]
+ X509 Certificate: https://www.d-trust.net/cgi-bin/D-TRUST_Limited_Basic_Root_CA_1_2019.crt
+ Not after: Jun 19 08:15:51 2034 GMT
+ * Issuing CA: **D-TRUST Limited Basic CA 1-2 2019** [client certificates via TMF e.V.]
+ X509 Certificate: https://www.d-trust.net/cgi-bin/D-TRUST_Limited_Basic_CA_1-2_2019.crt
+ Not after: Jun 19 08:15:51 2034 GMT
+ * Issuing CA: **D-TRUST Limited Basic CA 1-3 2019** [client certificates via TMF e.V.]
+ X509 Certificate: https://www.d-trust.net/cgi-bin/D-TRUST_Limited_Basic_CA_1-3_2019.crt
+ Not after: Jun 19 08:15:51 2034 GMT
+* Root CA: **DFN-Verein Community Root CA 2022** [client certificates only]
+ X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:dfn-verein_community_root_ca_2022.pem
+ Not after: Jan 21 14:08:41 2042 GMT
+ * Issuing CA: **DFN-Verein Community Issuing CA 2022** [client certificates only]
+ X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:dfn-verein_community_issuing_ca_2022.pem
+ Not after: Jan 21 14:08:41 2042 GMT
+ * Issuing CA: **Fraunhofer Service CA 2022** [client certificates only]
+ X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:fraunhofer_service_ca_2022.pem
+ Not after: Jan 21 14:08:41 2042 GMT
+ * Issuing CA: **Fraunhofer User CA 2022** [client certificates only]
+ X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:fraunhofer_user_ca_2022.pem
+ Not after: Jan 21 14:08:41 2042 GMT
+ * Issuing CA: **MPG Community CA** [client certificates only]
+ X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:mpg_community_ca.pem
+ Not after: Jan 21 14:08:41 2042 GMT
+
+---
+
+## Image Verification
+Source: https://dsf.dev/operations/latest/image-verification.html
+
+# How to Verify Image Signatures
+
+Starting with DSF 2.1.0, all official Docker images published to [ghcr.io/datasharingframework](https://github.com/orgs/datasharingframework/packages) are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with [keyless signing](https://docs.sigstore.dev/cosign/signing/overview/) backed by GitHub's OIDC identity provider. Each image additionally has a CycloneDX SBOM attached to the registry, which is signed the same way.
+
+Verifying signatures before pulling images into production is strongly recommended. It ensures that the image was built and published by the official DSF GitHub Actions release workflow and has not been tampered with.
+
+## Prerequisites
+
+- [Cosign](https://docs.sigstore.dev/cosign/installation/) v2.0 or newer installed on the host running the verification.
+- Network access to `ghcr.io` and the public Sigstore transparency log (`rekor.sigstore.dev`).
+- The exact image digest (`sha256:...`) of the image you want to verify. The digest can be looked up on the [GitHub package page](https://github.com/orgs/datasharingframework/packages) of the respective image or via:
+
+ ```bash
+ docker buildx imagetools inspect ghcr.io/datasharingframework/:
+ ```
+
+::: warning Always pin the digest
+Verifying by tag alone (`:2.1.0`) is not sufficient — tags can be reassigned. Always include the immutable `@sha256:` in the verification command and in your production `docker-compose.yml`.
+:::
+
+## Verify the Image Signature
+
+A successful verification prints the verified claims to stdout and exits with status `0`. The certificate identity confirms the signature was created by a workflow inside the `datasharingframework/dsf` repository, the OIDC issuer confirms it was a GitHub Actions run.
+
+The commands below are pre-filled with the correct image tag for this release. Replace `` with the digest you looked up for the image you intend to deploy.
+
+### FHIR Server (`fhir`)
+
+- Image: [`ghcr.io/datasharingframework/fhir`](https://github.com/datasharingframework/dsf/pkgs/container/fhir)
+
+```bash
+cosign verify \
+ ghcr.io/datasharingframework/fhir:2.1.0@sha256:71599af143f0262a7265aa2bc4ea5a9660f11de6248a053e060b5667070203fd \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+### FHIR Reverse Proxy (`fhir_proxy`)
+
+- Image: [`ghcr.io/datasharingframework/fhir_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/fhir_proxy)
+
+```bash
+cosign verify \
+ ghcr.io/datasharingframework/fhir_proxy:2.1.0@sha256:9f11a3580c970314532f5951808be6fe72f1de7d53348e625d2dd0c95bcf1d96 \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+### BPE Server (`bpe`)
+
+- Image: [`ghcr.io/datasharingframework/bpe`](https://github.com/datasharingframework/dsf/pkgs/container/bpe)
+
+```bash
+cosign verify \
+ ghcr.io/datasharingframework/bpe:2.1.0@sha256:3ee7ef0ac201fc3776273fbfc2569bdc4edf724a2bb9f1b4a889eb7e13ff4049 \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+### BPE Reverse Proxy (`bpe_proxy`)
+
+- Image: [`ghcr.io/datasharingframework/bpe_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy)
+
+```bash
+cosign verify \
+ ghcr.io/datasharingframework/bpe_proxy:2.1.0@sha256:c67da4a1720ea75a383764db2bf25619fe70f57773b1069029f5b49588eb1ecc \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Verify the SBOM Attestation
+
+Each image has a signed CycloneDX SBOM attached. Substitute `` with one of `fhir`, `fhir_proxy`, `bpe`, `bpe_proxy` and `` with the digest of the image you are verifying:
+
+```bash
+cosign verify-attestation \
+ --type cyclonedx \
+ ghcr.io/datasharingframework/:2.1.0@sha256: \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+To extract the SBOM payload for further processing (e.g. dependency or vulnerability analysis):
+
+```bash
+cosign download attestation \
+ --predicate-type https://cyclonedx.org/bom \
+ ghcr.io/datasharingframework/:2.1.0@sha256: \
+ | jq -r .payload | base64 -d | jq .predicate > sbom.cdx.json
+```
+
+## Troubleshooting
+
+- **`no matching signatures`** — The image was not signed by the official DSF release workflow. Do not use it in production. Re-check the registry path (`ghcr.io/datasharingframework/...`) and the digest.
+- **`certificate identity ... did not match`** — The signature exists but was produced by a different repository or workflow. Verify you are pulling from the official `datasharingframework/dsf` org.
+- **Network errors against `rekor.sigstore.dev`** — Cosign queries the public transparency log during verification. In air-gapped environments, pre-fetch and cache the log entries, or run cosign with `--insecure-ignore-tlog=true` only after carefully assessing the security implications.
+
+## Further Reading
+
+- [Cosign documentation](https://docs.sigstore.dev/cosign/overview/)
+- [Sigstore keyless signing](https://docs.sigstore.dev/cosign/signing/overview/)
+- [CycloneDX SBOM specification](https://cyclonedx.org/specification/overview/)
+
+---
+
+## Hardening Measures
+Source: https://dsf.dev/operations/latest/hardening-measures.html
+
+# Defense-in-Depth Hardening Measures
+
+For DSF 2.1.0 we performed a number of IT security hardening measures. The following changes follow security best practices. They reduce risk for non-standard deployments, protect against future code changes that could introduce new attack paths, and align with common security audit expectations.
+
+Each entry describes the change and why we consider it not exploitable in the standard DSF deployment model.
+
+## Deployment Context
+
+The standard DSF deployment uses:
+
+- **Apache2 reverse proxy** with `mod_ssl` performing TLS termination and client certificate validation (`SSLVerifyClient require`, DN checks against trusted CA list)
+- **Docker containers** with network isolation (frontend / backend / inter-service networks)
+- **Jetty application** on internal port 8080, not directly reachable from outside
+- **Status port** on `127.0.0.1:10000` (localhost only), separate Jetty connector
+- **Configuration** via Docker environment variables / secrets, only admin-writable
+- **PostgreSQL** not exposed to host, only accessible from the application container
+
+The assessments below consider this standard deployment. Non-standard deployments (e.g., Jetty directly exposed, no reverse proxy) may have different risk profiles.
+
+## Improved XML Transformer Configuration
+
+Disabled external entity resolution and enabled secure processing on `TransformerFactory` instances in `ProcessService`, `ThymeleafTemplateServiceImpl`, and `BundleGenerator`. We consider this not exploitable because although external organizations and authorized users can create FHIR resources (e.g., Tasks), the content never reaches the TransformerFactory as raw XML. The data path is: user input is parsed by HAPI FHIR into a Java object model (stripping any XML-level constructs like DOCTYPE/ENTITY declarations), stored as JSONB in PostgreSQL, and then re-serialized to well-formed XML by HAPI's serializer when displayed. The TransformerFactory only pretty-prints HAPI's serialized output, where all text content is properly XML-escaped. `BundleGenerator` is a Maven build-time tool, not a runtime component. Hardening against CWE-611 (XXE).
+
+Commit: [`b89c512dc`](https://github.com/datasharingframework/dsf/commit/b89c512dc)
+
+## Database Username/Group Validation
+
+Added regex validation (`^[a-zA-Z_][a-zA-Z0-9_$]{0,62}$`) for PostgreSQL identifier config parameters used in DDL statements. We consider this not exploitable because these values come exclusively from admin-managed config files and Docker environment variables — an attacker with write access to these already has full system control. Hardening against CWE-89.
+
+Commit: [`7e2de0ed8`](https://github.com/datasharingframework/dsf/commit/7e2de0ed8)
+
+## HTTPS Enforcement for OIDC Endpoints
+
+Added explicit check that OIDC token and JWKS endpoints use HTTPS. We consider this not exploitable because a compromised OIDC provider can already issue arbitrary tokens directly, making HTTP interception redundant. In the MITM scenario (legitimate provider, network attacker), the provider URL is admin-configured as HTTPS and legitimate providers always return HTTPS endpoints in their discovery documents. In both cases, obtained tokens are constrained by the admin-managed `roleConfig` — no privilege escalation beyond configured roles is possible. Hardening against CWE-918 / CWE-319.
+
+Commit: [`bdeddf308`](https://github.com/datasharingframework/dsf/commit/bdeddf308)
+
+## JWKS Minimum Key Size and `use=sig` Filtering
+
+Added 2048-bit minimum RSA key length and `use=sig` check for JWKS keys used in JWT verification. We consider this not exploitable because no mainstream OIDC provider (Keycloak, etc.) publishes RSA keys below 2048 bits. Even if an attacker could forge tokens via weak keys, privileges are constrained by the admin-managed `roleConfig` — the same limitation as with a compromised OIDC provider. Hardening against CWE-326 / CWE-347.
+
+Commit: [`31c2e974d`](https://github.com/datasharingframework/dsf/commit/31c2e974d)
+
+## Removed Access Token Claim Logging
+
+Removed DEBUG-level logging of token claims (groups, roles) in `AbstractIdentityProvider` and `BearerTokenAuthenticator`. We consider this not exploitable because DEBUG logging is disabled in production by default, and the logged data (group memberships, roles) is operational metadata — not secrets like passwords or signing keys. Hardening against CWE-532.
+
+Commit: [`cc0bb71ef`](https://github.com/datasharingframework/dsf/commit/cc0bb71ef)
+
+## Session Cookie Security Attributes
+
+Added `Secure`, `HttpOnly`, and `SameSite=LAX` flags to session cookies. We consider this not exploitable because TLS is terminated at the Apache HTTP Server reverse proxy (clients only communicate over HTTPS), the `HttpOnly` flag is only relevant if an XSS vulnerability exists (none is exploitable, see `th:utext` below), and `SameSite` has limited impact since primary authentication uses mTLS, not cookies. Hardening against CWE-614 / CWE-1004.
+
+Commit: [`5cc00611b`](https://github.com/datasharingframework/dsf/commit/5cc00611b)
+
+## JSON Serialization in JSONB Query Parameters
+
+Replaced string concatenation with Jackson `ObjectMapper` serialization for JSONB query parameters in all DAO classes and search filters. We consider this not exploitable because user-controlled values are bound via `PreparedStatement.setString()`, which transmits query template and parameter values separately to PostgreSQL — the parameter value is never parsed as SQL and there is no way to inject `JOIN`, `UNION`, or subqueries. Within the JSONB domain, the identity filter (access control) operates as a separate `AND` condition with server-side parameters that cannot be influenced by search parameter manipulation, the `@>` containment operator becomes more restrictive with additional injected elements (not less), and result sets are always a subset of authorized resources — no enumeration of unauthorized data is possible. Hardening against CWE-89.
+
+Commit: [`37c0282c6`](https://github.com/datasharingframework/dsf/commit/37c0282c6)
+
+## Client Certificate Expiration Check
+
+Added explicit certificate expiration check and changed auth type from `"RSA"` to `"UNKNOWN"` in `ClientCertificateAuthenticator`. We consider this not exploitable because the Apache HTTP Server reverse proxy performs TLS termination with `SSLVerifyClient require` and validates certificate expiration, chain trust, and revocation before requests reach Jetty. The Jetty-level check is a redundant second validation. Hardening against CWE-295 / CWE-324.
+
+Commit: [`c6d369828`](https://github.com/datasharingframework/dsf/commit/c6d369828)
+
+## Safe YAML Deserialization
+
+Replaced `new Yaml()` with `new Yaml(new SafeConstructor(new LoaderOptions()))` in `RoleConfigReader`. We consider this not exploitable because the YAML content comes exclusively from admin-managed config files (`config.properties`) and Docker environment variables — an attacker with write access to these can already execute arbitrary code through simpler means. Hardening against CWE-502.
+
+Commit: [`e0b6cf00a`](https://github.com/datasharingframework/dsf/commit/e0b6cf00a)
+
+## Thymeleaf `th:utext` Replaced with `th:text`
+
+Replaced `th:utext` (unescaped HTML output) with `th:text` / `th:each` for page headings built from URL segments. We consider this not exploitable because the old code applied `HtmlUtils.htmlEscape()` to all user inputs before concatenation — this escapes `& < > " '`, preventing tag injection (`<` `>` escaped to `<` `>`) and attribute breakout (`"` escaped to `"`, which per HTML spec does not terminate double-quoted attributes). The fix makes XSS structurally impossible and removes reliance on manual escaping — a future developer could have forgotten the `htmlEscape()` call when adding new URL segments. Hardening against CWE-79.
+
+Commit: [`58edc26c5`](https://github.com/datasharingframework/dsf/commit/58edc26c5)
+
+## Error Message Removed from Status Endpoint
+
+Removed database exception messages from the status endpoint error response body. We consider this not exploitable because the status endpoint runs on a separate Jetty connector (port 10000, bound to `127.0.0.1` only) with role-based access control (`STATUS_PORT_ROLE`) — it is not reachable through the Apache HTTP Server reverse proxy or from outside the Docker container. Hardening against CWE-209.
+
+Commit: [`5103d0e9d`](https://github.com/datasharingframework/dsf/commit/5103d0e9d)
+
+## Content Security Policy and Binary Inline Display
+
+Introduced a new inline display mode for `Binary` resources with a strict CSP (`script-src 'none'`), a media type policy, and `ContentTypeSanitizer`. We consider this not a vulnerability fix because the old code served all `Binary` resources with `Content-Disposition: attachment` (forced download, never rendered in browser), so the old `unsafe-inline` CSP was never reachable. This commit implements a new feature with secure defaults. Hardening against CWE-1021.
+
+Commit: [`454c1197b`](https://github.com/datasharingframework/dsf/commit/454c1197b)
+
+---
+
+## Upgrade from DSF v1
+Source: https://dsf.dev/operations/latest/upgrade-from-1.html
+
+Upgrading the DSF from 1.9.0 to 2.1.0 involves modifying the docker-compose.yml files and recreating the containers.
+
+::: warning Update to DSF 1.9.0 first
+When upgrading from DSF version < 1.9.0 it is important to migrate to [DSF 1.9.0 first](../v1.9.0/upgrade-from-1).
+:::
+
+For DSF 2, we refined the [system requirements](install.md#prerequisites). If your current DSF 1 setup works, it should also work with DSF 2. As DSF 2 is designed to support large file transfers, you might need to increase the storage on the DSF FHIR Server instance.
+
+::: info Non-standard configuration changes
+
+Most non-standard configuration changes working in DSF 1 will continue to work in DSF 2. If you have set custom timeout options in the DSF configuration (starting with `DEV_DSF_...`) please change them to the ISO 8601 standard. `120000` (Milliseconds) must be changed to `PT2M`. The configuration options for process plugins (e.g., starting with `DE_...`) remain unchanged.
+
+- You can now use more advanced [logging options](./fhir/logging.md).
+- If you use your own certificate authority, the [configuration](root-certificates.md) will be easier.
+- More granular control in [access control / role config settings](./fhir/access-control.md).
+:::
+
+We recommend upgrading the PostgreSQL DBMS from version 15 to version 18. At present, it is possible to use PostgreSQL version 15, but we exclusively support PostgreSQL version 18 and test the DSF solely with version 18.
+The DBMS upgrade is described below in the update instructions.
+
+DSF 2 was designed to run DSF 1 (APIv1) process plugins, but due to stricter validation rules in DSF 2 we strongly recommend using the latest compatible plugin versions. Updates within the same major and minor version (e.g., from 1.2.3.4 to 1.2.9.9) are generally safe. An overview of the recommended MII/NUM versions can be found [here](./install-plugins.md).
+
+## Modify DSF FHIR Server Setup
+1. Preparation / Backup
+ * We recommend to create a backup of the `/opt/fhir` directory before proceeding with the upgrade.
+ For example using: `sudo cp -rp /opt/fhir /opt/fhir_backup_pre_2.1.0_upgrade`
+
+2. Modify the DSF FHIR docker-compose.yml file, replace the version number with 2.1.0.
+```diff
+ version: '3.8'
+ services:
+ proxy:
+- image: ghcr.io/datasharingframework/fhir_proxy:1.9.0
++ image: ghcr.io/datasharingframework/fhir_proxy:2.1.0
+ restart: on-failure
+...
+ app:
+- image: ghcr.io/datasharingframework/fhir:1.9.0
++ image: ghcr.io/datasharingframework/fhir:2.1.0
+ restart: on-failure
+...
+ environment:
+- DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT: f4344032fe77bffb...
+...
+
+```
+The environment variable `DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT` does not need to be specified starting version 2.0.0. The thumbprint is now calculated based on the client certificate specified via `DEV_DSF_FHIR_CLIENT_CERTIFICATE`.
+
+
+3. Upgrade the DSF FHIR containers
+ From `/opt/fhir` execute
+ ```
+ docker compose up -d && docker compose logs -f
+ ```
+
+## Modify DSF BPE Server Setup
+1. Preparation / Backup
+ * We recommend to create a backup of the `/opt/bpe` directory before proceeding with the upgrade.
+ For example using: `sudo cp -rp /opt/bpe /opt/bpe_backup_pre_2.1.0_upgrade`
+
+2. Modify the DSF BPE docker-compose.yml file, replace the version number with 2.1.0.
+```diff
+ version: '3.8'
+ services:
+ app:
+- image: ghcr.io/datasharingframework/bpe:1.9.0
++ image: ghcr.io/datasharingframework/bpe:2.1.0
+ restart: on-failure
+...
+ environment:
+- DEV_DSF_BPE_DB_USER_CAMUNDA_PASSWORD_FILE: /run/secrets/db_user_camunda.password
++ DEV_DSF_BPE_DB_USER_ENGINE_PASSWORD_FILE: /run/secrets/db_user_camunda.password
+...
+
+```
+
+3. Upgrade the DSF BPE containers
+ From `/opt/bpe` execute
+ ```
+ docker compose up -d && docker compose logs -f
+ ```
+
+5. Verify your upgrade:
+ * Verify the DSF FHIR server is running in version 2.1.0. The log should contain a message:
+ `INFO main - BuildInfoReaderImpl.logBuildInfo(137) | Artifact: dsf-fhir-server-jetty, version: 2.1.0, [...]`
+ * Verify the DSF FHIR server started without errors
+ * Verify the DSF FHIR server is accessible via https, for example by browsing to https://your-dsf-endpoint.de/fhir/ (authentication with your client-certificate)
+ * Verify the DSF BPE server is running in version 2.1.0. The log should contain a message:
+ `INFO main - BuildInfoReaderImpl.logBuildInfo(137) | Artifact: dsf-bpe-server-jetty, version: 2.1.0, [...]`
+ * Verify the DSF BPE server started without errors
+ * Verify your install with a ping/pong test
+
+
+## Upgrade PostgreSQL from 15 to 18
+To upgrade your DSF databases, you have to stop the application, dump your database, recreate the bind mount directory, update the version, start it, restore the backup and start the application again.
+
+### On the DSF FHIR Server
+
+1. Stop the application
+ From `/opt/fhir` execute
+ ```
+ docker compose down app
+ ```
+2. Dump the database
+ From `/opt/fhir` execute
+ ```
+ docker compose exec db pg_dumpall -U liquibase_user > dump.sql
+ ```
+3. Stop the database
+ From `/opt/fhir` execute
+ ```
+ docker compose down db
+ ```
+4. Recreate the database bind mount directory
+ From `/opt/fhir` execute
+ ```
+ mv postgres-data postgres-data-psql-15
+ mkdir postgres-data
+ ```
+5. Update the version and change the bind mount target to respect the [PostgreSQL best practices](https://github.com/docker-library/postgres/pull/1259) in `/opt/fhir/docker-compose.yml`
+ ```diff
+ db:
+ - image: postgres:15
+ + image: postgres:18
+ restart: always
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U liquibase_user -d fhir"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ volumes:
+ - type: bind
+ source: ./postgres-data
+ - target: /var/lib/postgresql/data
+ + target: /var/lib/postgresql
+ ```
+6. Start the new database
+ From `/opt/fhir` execute
+ ```
+ docker compose up -d db
+ ```
+7. Restore the database dump
+ From `/opt/fhir` execute
+ ```
+ cat dump.sql | docker compose exec -T db psql -U liquibase_user fhir
+ ```
+8. Start the application
+ From `/opt/fhir` execute
+ ```
+ docker compose up -d && docker compose logs -f app
+ ```
+
+### On the DSF BPE Server
+
+1. Stop the application
+ From `/opt/bpe` execute
+ ```
+ docker compose down app
+ ```
+2. Dump the database
+ From `/opt/bpe` execute
+ ```
+ docker compose exec db pg_dumpall -U liquibase_user > dump.sql
+ ```
+3. Stop the database
+ From `/opt/bpe` execute
+ ```
+ docker compose down db
+ ```
+4. Recreate the database bind mount directory
+ From `/opt/bpe` execute
+ ```
+ mv postgres-data postgres-data-psql-15
+ mkdir postgres-data
+ ```
+5. Update the version and change the bind mount target to respect the [PostgreSQL best practices](https://github.com/docker-library/postgres/pull/1259) in `/opt/bpe/docker-compose.yml`
+ ```diff
+ db:
+ - image: postgres:15
+ + image: postgres:18
+ restart: always
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U liquibase_user -d bpe"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ volumes:
+ - type: bind
+ source: ./postgres-data
+ - target: /var/lib/postgresql/data
+ + target: /var/lib/postgresql
+ ```
+6. Start the new database
+ From `/opt/bpe` execute
+ ```
+ docker compose up -d db
+ ```
+7. Restore the database dump
+ From `/opt/bpe` execute
+ ```
+ cat dump.sql | docker compose exec -T db psql -U liquibase_user bpe
+ ```
+8. Start the application
+ From `/opt/bpe` execute
+ ```
+ docker compose up -d && docker compose logs -f app
+ ```
+
+Once you have ensured that DSF is working successfully with the new database, you can remove the dump.sql file and the postgres-data-psql-15 directory. As a precaution, we recommend keeping the postgres-data-psql-15 directory for some time.
+
+---
+
+## Upgrade within DSF v2
+Source: https://dsf.dev/operations/latest/upgrade-from-2.html
+
+Upgrading the DSF from 2.0.2 to 2.1.0 involves modifying the image versions in the docker-compose.yml files and recreating the containers.
+
+
+DSF 2 was designed to run DSF 1 (APIv1) process plugins, but due to stricter validation rules in DSF 2 we strongly recommend using the latest compatible plugin versions. Updates within the same major and minor version (e.g., from 1.2.3.4 to 1.2.9.9) are generally safe. An overview of the recommended MII/NUM versions can be found [here](./install-plugins.md).
+
+If you have installed the NUM Dashboard Process Plugin, you can [remove the workaround](./install-plugins.md).
+
+## Modify DSF FHIR Server Setup
+1. Preparation / Backup
+ * We recommend to create a backup of the `/opt/fhir` directory before proceeding with the upgrade.
+ For example using: `sudo cp -rp /opt/fhir /opt/fhir_backup_pre_2.1.0_upgrade`
+
+2. Modify the DSF FHIR docker-compose.yml file, replace the version number with 2.1.0.
+```diff
+ version: '3.8'
+ services:
+ proxy:
+- image: ghcr.io/datasharingframework/fhir_proxy:2.0.2
++ image: ghcr.io/datasharingframework/fhir_proxy:2.1.0
+ restart: on-failure
+...
+ app:
+- image: ghcr.io/datasharingframework/fhir:2.0.2
++ image: ghcr.io/datasharingframework/fhir:2.1.0
+ restart: on-failure
+...
+
+```
+
+
+
+3. Upgrade the DSF FHIR containers
+ From `/opt/fhir` execute
+ ```
+ docker compose up -d && docker compose logs -f
+ ```
+
+## Modify DSF BPE Server Setup
+1. Preparation / Backup
+ * We recommend to create a backup of the `/opt/bpe` directory before proceeding with the upgrade.
+ For example using: `sudo cp -rp /opt/bpe /opt/bpe_backup_pre_2.1.0_upgrade`
+
+2. Modify the DSF BPE docker-compose.yml file, replace the version number with 2.1.0.
+```diff
+ version: '3.8'
+ services:
+ app:
+- image: ghcr.io/datasharingframework/bpe:2.0.2
++ image: ghcr.io/datasharingframework/bpe:2.1.0
+ restart: on-failure
+...
+
+
+```
+
+3. Upgrade the DSF BPE containers
+ From `/opt/bpe` execute
+ ```
+ docker compose up -d && docker compose logs -f
+ ```
+
+5. Verify your upgrade:
+ * Verify the DSF FHIR server is running in version 2.1.0. The log should contain a message:
+ `INFO main - BuildInfoReaderImpl.logBuildInfo(137) | Artifact: dsf-fhir-server-jetty, version: 2.1.0, [...]`
+ * Verify the DSF FHIR server started without errors
+ * Verify the DSF FHIR server is accessible via https, for example by browsing to https://your-dsf-endpoint.de/fhir/ (authentication with your client-certificate)
+ * Verify the DSF BPE server is running in version 2.1.0. The log should contain a message:
+ `INFO main - BuildInfoReaderImpl.logBuildInfo(137) | Artifact: dsf-bpe-server-jetty, version: 2.1.0, [...]`
+ * Verify the DSF BPE server started without errors
+ * Verify your install with a ping/pong test
+
+---
+
+## OIDC Configuration (FHIR)
+Source: https://dsf.dev/operations/latest/fhir/oidc.html
+
+## Overview
+Access to the DSF FHIR server REST API and user interface can be configured via [access control roles](access-control). By default users are only authenticated using X.509 client certificates, but authentication for local users via OAuth 2.0 OpenID Connect can also be enabled.
+
+The DSF FHIR server supports [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) for the user interface as well as [Bearer Token Authentication](https://datatracker.ietf.org/doc/html/rfc6750) for the REST API. [Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) is also supported.
+
+
+::: tip FHIR Reverse Proxy
+The DSF FHIR reverse proxy requires client certificates by default. To use OpenID Connect authentication the configuration parameter [SSL_VERIFY_CLIENT](../fhir-reverse-proxy/configuration.html#ssl-verify-client) needs to be set to `optional`.
+:::
+
+
+## Authorization Code Flow
+
+To enable authentication via OpenID Connect authorization code flow, set the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW](configuration#dev-dsf-server-auth-oidc-authorization-code-flow) to `true` and specify the following parameters:
+
+- [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL](configuration#dev-dsf-server-auth-oidc-provider-realm-base-url)
+- [DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID](configuration#dev-dsf-server-auth-oidc-client-id)
+- [DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET](configuration#dev-dsf-server-auth-oidc-client-secret)
+
+Optionally, back channel logout can be enabled by setting [DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT](configuration#dev-dsf-server-auth-oidc-back-channel-logout) to `true`. The DSF FHIR server accepts logout tokens at [DEV_DSF_FHIR_SERVER_BASE_URL](configuration#dev-dsf-fhir-server-base-url) + `/back-channel-logout`. The path can be modified via [DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH](configuration#dev-dsf-server-auth-oidc-back-channel-logout-path).
+
+
+## Bearer Token Authentication
+
+To enable bearer token authentication, set the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN](configuration#dev-dsf-server-auth-oidc-bearer-token) to `true` and specify the following parameter:
+- [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL](configuration#dev-dsf-server-auth-oidc-provider-realm-base-url)
+
+
+## Additional ODIC Configuration Parameter
+
+A number of additional `DEV_DSF_SERVER_AUTH_OIDC ...` configuration parameter are specify on the DSF FHIR server [configuration parameter page](configuration).
+
+For example the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](configuration#dev-dsf-server-auth-oidc-provider-client-trust-server-certificate-cas) can be used to specify a PEM encoded file with trusted root certificates to be used when accessing the OpenID Connect provider. If not specify the JVM default trusted root certificates are used for this connection.
+
+
+## Example
+```yaml
+services:
+ app:
+ image: ghcr.io/datasharingframework/fhir:1.5.2
+ # ...
+ secrets:
+ - keycloak_root_ca.pem
+ # ...
+ environment:
+ # ...
+ DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW: 'true'
+ DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT: 'true'
+ DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN: 'true'
+ DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL: https://keycloak.test.org/realms/dsf
+ DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/keycloak_root_ca.pem
+ DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID: dsf-fhir
+ DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET: n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3
+ # ...
+secrets:
+ keycloak_root_ca.pem:
+ file: ./secrets/keycloak_root_ca.pem
+```
+
+---
+
+## OIDC Configuration (BPE)
+Source: https://dsf.dev/operations/latest/bpe/oidc.html
+
+## Overview
+Access to the DSF BPE server user interface can be configured via [access control roles](access-control). By default users are only authenticated using X.509 client certificates, but authentication for local users via OAuth 2.0 OpenID Connect can also be enabled.
+
+The DSF BPE server supports [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) for the user interface. [Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) is also supported.
+
+
+::: tip BPE Reverse Proxy
+The DSF BPE reverse proxy requires client certificates by default. To use OpenID Connect authentication the configuration parameter [SSL_VERIFY_CLIENT](../bpe-reverse-proxy/configuration.html#ssl-verify-client) needs to be set to `optional`.
+:::
+
+
+## Authorization Code Flow
+
+To enable authentication via OpenID Connect authorization code flow, set the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW](configuration#dev-dsf-server-auth-oidc-authorization-code-flow) to `true` and specify the following parameters:
+
+- [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL](configuration#dev-dsf-server-auth-oidc-provider-realm-base-url)
+- [DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID](configuration#dev-dsf-server-auth-oidc-client-id)
+- [DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET](configuration#dev-dsf-server-auth-oidc-client-secret)
+
+Optionally, back channel logout can be enabled by setting [DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT](configuration#dev-dsf-server-auth-oidc-back-channel-logout) to `true`. The DSF BPE server accepts logout tokens at [DEV_DSF_BPE_SERVER_BASE_URL](configuration#dev-dsf-bpe-server-base-url) + `/back-channel-logout`. The path can be modified via [DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH](configuration#dev-dsf-server-auth-oidc-back-channel-logout-path).
+
+## Additional ODIC Configuration Parameter
+
+A number of additional `DEV_DSF_SERVER_AUTH_OIDC ...` configuration parameter are specify on the DSF BPE server [configuration parameter page](configuration).
+
+For example the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](configuration#dev-dsf-server-auth-oidc-provider-client-trust-server-certificate-cas) can be used to specify a PEM encoded file with trusted root certificates to be used when accessing the OpenID Connect provider. If not specify the JVM default trusted root certificates are used for this connection.
+
+
+## Example
+```yaml
+services:
+ app:
+ image: ghcr.io/datasharingframework/bpe:1.5.2
+ # ...
+ secrets:
+ - keycloak_root_ca.pem
+ # ...
+ environment:
+ # ...
+ DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW: 'true'
+ DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT: 'true'
+ DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN: 'true'
+ DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL: https://keycloak.test.org/realms/dsf
+ DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/keycloak_root_ca.pem
+ DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID: dsf-bpe
+ DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET: n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3
+ # ...
+secrets:
+ keycloak_root_ca.pem:
+ file: ./secrets/keycloak_root_ca.pem
+```
+
+---
+
+## Access Control (FHIR)
+Source: https://dsf.dev/operations/latest/fhir/access-control.html
+
+## Overview
+
+The DSF FHIR server implements a subset of the FHIR R4 [REST API](http://hl7.org/fhir/R4/http.html). When accessing the API with a web browser a limited graphical user interface is shown. Without any additional configuration the API and user interface is only accessible with the X.509 client certificate configured for the organization via the client certificate configuration parameter [DEV_DSF_FHIR_CLIENT_CERTIFICATE](configuration##dev-dsf-fhir-client-certificate) or the manual override option [DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT](configuration#dev-dsf-fhir-server-organization-thumbprint).
+
+::: tip OpenID Connect
+To enable OpenID Connect authentication of local user, see the DSF FHIR server OpenID Connect [configuration page](oidc).
+:::
+
+Access to the API and user interface can be enabled for additional client certificates and local users authenticating via OAuth 2.0 OpenID Connect. Access can be configured for so called roles, with all roles specified using the configuration parameter [DEV_DSF_FHIR_SERVER_ROLECONFIG](configuration#dev-dsf-fhir-server-roleconfig). The value for this environment variable is specified as YAML using the block scalar `|`.
+
+The listing below shows a minimal configuration to enable read access for all resources for a specific client-certificate:
+
+```yaml
+ DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+ - example_read_only_role:
+ thumbprint: 00474993fa261b0225f93c5a66aa6fcc... [a-f0-9]{128}
+ dsf-role:
+ - READ
+ - SEARCH
+ - HISTORY
+```
+
+The list of user roles above contains a single rule-entry `example_read_only_role`, matching the user via a client certificate SHA-512 thumbprint and assigning three DSF roles. Any string can be used as the name for the rule-entry.
+
+With DSF 2, you can now restrict the granted priviledges to specific resource types. If you want to restrict the rule-entry `example_read_only_role` to Organization resources, you can specify the resource type per dsf-role ("action"):
+
+```yaml
+ DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+ - example_read_only_organization_role:
+ thumbprint: 00474993fa261b0225f93c5a66aa6fcc... [a-f0-9]{128}
+ dsf-role:
+ - READ: [Organization]
+ - SEARCH: [Organization]
+ - HISTORY: [Organization]
+```
+
+::: tip Certificate Thumbprints
+SHA-512 certificate thumbprints in HEX form `[a-f0-9]{128}` can be calculated using:
+```sh
+certtool --fingerprint --hash=sha512 --infile=certificate.pem
+```
+:::
+
+Multiple user roles can be specified and all matching roles will be applied to an authenticated users. Use an empty string `""` or a single block scalar `|` character as the value for the configuration parameter [DEV_DSF_FHIR_SERVER_ROLECONFIG](configuration#dev-dsf-fhir-server-roleconfig) if no roles should be configured.
+
+## Matching Users
+
+To apply roles, users can be matched via the `thumbprint`, `email`, `token-role` or `token-group` properties. A single value or a list of values can be specified.
+
+#### thumbprint
+
+The property `thumbprint` can used to specify one or multiple SHA-512 certificate thumbprints. Roles from this rule are applied to the authenticating user if the certificate matches one of the specified thumbprints.
+
+#### email
+
+Using the property `email` users can be matched against e-mail addresses specified in X.509 client certificates and in OpenID Connect access tokens. Values will be matched against e-mail addresses specified in the subject DN (via PKCS#9 extension 1.2.840.113549.1.9.1) and RFC-822 Name entries of the Subject Alternative Name field. If the user authenticates via OpenID Connect, the `email` [claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) from the access token will be matched against the property values.
+
+#### token-role and token-group
+
+With the properties `token-role` and `token-group` role and group names can be specified to match against role and group claims within OAuth 2.0 access tokens.
+
+
+## DSF and Practitioner Roles
+
+Two types of roles can be applied to matched users.
+
+#### dsf-role
+
+DSF roles specified via the `dsf-role` property define general access to the REST API and user interface. Allowed values are:
+
+`CREATE`, `READ`, `UPDATE`, `DELETE`, `SEARCH`, `HISTORY`, `PERMANENT_DELETE` and `WEBSOCKET`.
+
+
+#### practitioner-role
+
+In order to allow users to start processes, the property `practitioner-role` can be used to assign codes from FHIR [CodeSystem](http://hl7.org/fhir/R4/codesystem.html) resources. Codes are specified in the form `system-url|code`.
+If the uses has a code specified here that match with a `requester` extension within the process plugin's [ActivityDefinition](http://hl7.org/fhir/R4/activitydefinition.html) resource, the user can start the process if he also has the `dsf-role` `CREATE`.
+
+Process plugins can define and use their own code-systems. However, the DSF specifies a standard set of practitioner roles within the CodeSystem `http://dsf.dev/fhir/CodeSystem/practitioner-role`:
+
+`UAC_USER`, `COS_USER`, `CRR_USER`, `DIC_USER`, `DMS_USER`, `DTS_USER`, `HRP_USER`, `TTP_USER`, `AMS_USER`, `ASP_USER`, `SPR_USER`, `TSP_USER`, `PPH_USER`, `BIO_USER`, and `DSF_ADMIN`.
+
+
+## Examples
+
+The first example defines a group of DSF administrators. Two client certificates match against this role:
+
+```yaml
+ DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+ - certificate-admins:
+ thumbprint:
+ - afb68b1d9d47e691b8b3d50fd9848467cada8b1c76f5f4b45f00c9f8432d505361a3ee27805f4aa06799d9ac8dace94b3f1942fce44d84866961259b13be825d
+ - 2441bfddcad97eeb83c8c31fe181b90652787b8b59bf4e569219da7db4429e389479cb7c4a2f311e34217357d594ecad7d58ccfeef2a9e93c6fcf8d98897d88c
+ dsf-role:
+ - CREATE
+ - READ
+ - UPDATE
+ - DELETE
+ - SEARCH
+ - HISTORY
+ practitioner-role:
+ - http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN
+
+```
+
+
+The second example defines an administrator group consisting of all users with the OAuth role admin plus two additional administrators identified by their client-certificate thumbprints. These administrators may perform the basic DSF tasks: starting and continuing of new process instances (by creating tasks and answering QuestionnaireResponses) and reading all resources on the DSF FHIR server.
+
+```yaml
+ DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+ - example_minimal_admin:
+ thumbprint:
+ - 0123...cdef
+ - abcd...6789
+ token-role: admin
+ dsf-role:
+ - CREATE: [Task]
+ - READ
+ - UPDATE: [QuestionnaireResponse]
+ - SEARCH
+ - HISTORY
+ practitioner-role:
+ - http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN
+
+```
+
+
+The third example allows read-only access, restricted to QuestionnaireResponse resources only. Two e-mail addresses are used to match this role. E-mail addresses from X.509 client certificates and OAuth 2.0 access tokens are matched:
+
+```yaml
+ DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+ - read-only:
+ email:
+ - first.user@test.org
+ - second.user@test.org
+ dsf-role:
+ - READ: [QuestionnaireResponse]
+ - UPDATE: [QuestionnaireResponse]
+ - SEARCH: [QuestionnaireResponse]
+ - HISTORY: [QuestionnaireResponse]
+```
+
+---
+
+## Access Control (BPE)
+Source: https://dsf.dev/operations/latest/bpe/access-control.html
+
+## Overview
+
+The DSF BPE server provides a user interface for administrators. Without any additional configuration the user interface is not accessible with the organizations X.509 client certificate or any other certificate or OpenID Connect authenticated user.
+
+::: tip OpenID Connect
+To enable OpenID Connect authentication of local user, see the DSF BPE server OpenID Connect [configuration page](oidc).
+:::
+
+Access to the user interface can be enabled for client certificates and local users authenticating via OAuth 2.0 OpenID Connect. Access can be configured for so called roles, with all roles specified using the configuration parameter [DEV_DSF_BPE_SERVER_ROLECONFIG](configuration#dev-dsf-bpe-server-roleconfig). The value for this environment variable is specified as YAML using the block scalar `|`.
+
+The listing below shows a minimal configuration to enable access for a specific client-certificate:
+
+```yaml
+ DEV_DSF_BPE_SERVER_ROLECONFIG: |
+ - example_read_only_role:
+ thumbprint: 00474993fa261b0225f93c5a66aa6fcc... [a-f0-9]{128}
+ dsf-role:
+ - ADMIN
+```
+The list of user roles above contains a single rule-entry `example_read_only_role`, matching the user via a client certificate SHA-512 thumprint and assigning three DSF roles. Any string can be used as the name for the rule-enty.
+
+::: tip Certificate Thumbprints
+SHA-512 certificate thumbprints in HEX form `[a-f0-9]{128}` can be calculated using:
+```sh
+certtool --fingerprint --hash=sha512 --infile=certificate.pem
+```
+:::
+
+Multiple user roles can be specified and all matching roles will be applied to an authenticated users. Use an empty string `""` or a single block scalar `|` character as the value for the configuration parameter [DEV_DSF_BPE_SERVER_ROLECONFIG](configuration#dev-dsf-bpe-server-roleconfig) if no roles should be configured.
+
+## Matching Users
+
+To apply roles, users can be matched via the `thumbprint`, `email`, `token-role` or `token-group` properties. A single value or a list of values can be specified.
+
+#### thumbprint
+
+The property `thumbprint` can used to specify one or multiple SHA-512 certificate thumbprints. Roles from this rule are applied to the authenticating user if the certificate matches one of the specified thumbprints.
+
+#### email
+
+Using the property `email` users can be matched against e-mail addresses specified in X.509 client certificates and in OpenID Connect access tokens. Values will be matched against e-mail addresses specified in the subject DN (via PKCS#9 extension 1.2.840.113549.1.9.1) and RFC-822 Name entries of the Subject Alternative Name field. If the user authenticates via OpenID Connect, the `email` [claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) from the access token will be matched against the property values.
+
+#### token-role and token-group
+
+With the properties `token-role` and `token-group` role and group names can be specified to match against role and group claims within OAuth 2.0 access tokens.
+
+
+## DSF and Practitioner Roles
+
+Two types of roles can be applied to matched users.
+
+#### dsf-role
+
+DSF roles specified via the `dsf-role` property define general access to the user interface. Allowed values are:
+
+`ADMIN`.
+
+#### practitioner-role
+
+The BPE server currently does not support any practionier-roles.
+
+
+## Examples
+
+The first example defines a group of DSF administrators. Two client certificates match against this role:
+
+```yaml
+ DEV_DSF_BPE_SERVER_ROLECONFIG: |
+ - certificate-admins:
+ thumbprint:
+ - afb68b1d9d47e691b8b3d50fd9848467cada8b1c76f5f4b45f00c9f8432d505361a3ee27805f4aa06799d9ac8dace94b3f1942fce44d84866961259b13be825d
+ - 2441bfddcad97eeb83c8c31fe181b90652787b8b59bf4e569219da7db4429e389479cb7c4a2f311e34217357d594ecad7d58ccfeef2a9e93c6fcf8d98897d88c
+ dsf-role:
+ - ADMIN
+```
+
+
+The second example defines a group of DSF administrators by specifying an `admin` role that gets matched against OAuth 2.0 access tokens:
+
+```yaml
+ DEV_DSF_BPE_SERVER_ROLECONFIG: |
+ - token-role-admins:
+ token-role: admin
+ dsf-role:
+ - ADMIN
+```
+
+
+The third example allows administrator access and users e-mail addresses to match this role. E-mail addresses from X.509 client certificates and OAuth 2.0 access tokens are matched:
+
+```yaml
+ DEV_DSF_BPE_SERVER_ROLECONFIG: |
+ - email-admins:
+ email:
+ - first.user@test.org
+ - second.user@test.org
+ dsf-role:
+ - ADMIN
+```
+
+---
+
+## Common HTTP Status Codes
+Source: https://dsf.dev/operations/troubleshooting/common-http-status-codes.html
+
+# 401 Unauthorized
+This HTTP status code may be a result of an allow list mismatch. Either the requesting party is using a client certificate that was not updated after making changes to the allow list or the receiving party is using an outdated version of the allow list.
+
+# 403 Forbidden
+This HTTP status code may be encountered in different ways in the context of the DSF:
+- Process plugin is not installed at FHIR server where the Task resource was posted
+- Client certificate of the FHIR server where the Task resource was posted is invalid e.g. because it is expired
+
+# 413 Content Too Large
+This HTTP status code is a result of trying to upload a resource that is too large for the server to handle. This might be due to a misconfiguration of the DSF FHIR server's reverse proxy not allowing this much data to be uploaded.
+
+# 500 Internal Server Error
+This HTTP status may be a result of a connection timeout if a forward proxy is used or when using ping pong 2.x in DSF 1.x with a download resource size of >400MB.
+
+# 502 Bad Gateway
+This HTTP status code is usually the response of a proxy because the upstream server sent an invalid response.
+
+# 504 Gateway Timeout
+This HTTP status code is usually the response of a proxy because the upstream server did not send a response in time.
+
+---
+
+## Connection Refused
+Source: https://dsf.dev/operations/troubleshooting/connection-refused.html
+
+This error occurs when there is nothing listening on the port at the receiving end of a connection attempt or the firewall is blocking the connection. The former might indicate the reverse proxy for the DSF FHIR server being offline.
+
+---
+
+## Connection Timeout
+Source: https://dsf.dev/operations/troubleshooting/connection-timeout.html
+
+A connection timeout happens when a connection attempt is made but there is no response from the endpoint in a certain timeframe.
+There are many possible reasons for why this happens:
+- The server is currently down or unreachable due to network configuration
+- The server is under heavy load and thus unresponsive
+- Firewalls might be blocking outgoing connections to the server
+- Arbitrary network issues
+
+If this is happens during the execution of a DSF process, it is recommended to try starting the process again to see if the issue persists. If the issue persists, further troubleshooting might have include system administrators or a member of the [DSF team](../../community/communication.md).
+
+---
+
+## Read Timeout
+Source: https://dsf.dev/operations/troubleshooting/read-timeout.html
+
+A read timeout is a network error that usually happens when a resource is read from a server but the resource takes too long to arrive at the client.
+There are many possible reasons for why this happens:
+- The server unexpectedly went down during transmission
+- The server is under heavy load and unable to process the request in a timely manner
+- Ping pong 2.x may run in read timeouts if the download resource size too large. This can be mitigated by setting the `pong-timeout-duration` when starting the ping pong process, the environment variables `DEV_DSF_BPE_FHIR_CLIENT_REMOTE_TIMEOUT_READ` and `DEV_DSF_BPE_FHIR_CLIENT_LOCAL_TIMEOUT_READ` of the BPE and/or the `DEV_DSF_FHIR_CLIENT_TIMEOUT_READ` of the DSF FHIR server to higher values
+- Arbitrary network issues
+
+If this is happens during the execution of a DSF process, it is recommended to try starting the process again to see if the issue persists. If the issue persists, further troubleshooting might have include system administrators or a member of the [DSF team](../../community/communication.md).
+
+---
+
+## SSL Issues
+Source: https://dsf.dev/operations/troubleshooting/ssl.html
+
+SSL issues arise if there is a misconfiguration of client/server certificates.
+Client certificates may:
+- Be expired
+- Have an untrusted root
+- Be revoked
+
+Server certificates may:
+- Be expired
+- Have an untrusted root
+- Be revoked
+- Have the wrong host as the subject
+
+It is recommended to use [OpenSSL](https://openssl.org/) for further debugging.
+
+---
+
+## Unknown Host
+Source: https://dsf.dev/operations/troubleshooting/unknown-host.html
+
+This error occurs if a host name cannot be mapped to an IP address. Either because of a spelling mistake of the host name or because of DNS problems. If this happens in the context of a DSF process, it is recommended to review the configuration of the process plugin or contact the process plugin's maintainers. DNS problems have a wide variety of sources like network misconfiguration or the DNS server being unavailable.
+
+---
+
+## Concept
+Source: https://dsf.dev/process-development/api-v2/concept.html
+
+## BPMN
+- [Conditions](bpmn/conditions.md)
+- [Execution Listener](bpmn/execution-listeners.md)
+- [Gateways](bpmn/gateways.md)
+- [Messaging](bpmn/messaging.md)
+- [Sequence Flow](bpmn/sequence-flow.md)
+- [Service Tasks](bpmn/service-tasks.md)
+- [Timer Intermediate Catching Events](bpmn/timer-intermediate-catching-events.md)
+
+## FHIR
+- [ActivityDefinition](fhir/activitydefinition.md)
+- [Codesystem](fhir/codesystem.md)
+- [Questionnaire and QuestionnaireResponse](fhir/questionnaire-and-questionnaireresponse.md)
+- [Task](fhir/task.md)
+- [ValueSet](fhir/valueset.md)
+
+## DSF
+- [Activities](dsf/activities.md)
+- [BPMN Process Variables](dsf/bpmn-process-variables.md)
+- [Draft Task Resources](dsf/draft-task-resources.md)
+- [Environment Variables](dsf/environment-variables.md)
+- [Message Correlation](dsf/message-correlation.md)
+- [Message Activities](dsf/message-activities.md)
+- [Messaging](dsf/messaging.md)
+- [Organization Identifiers](dsf/organization-identifiers.md)
+- [Process Plugin API](dsf/process-plugin-api.md)
+- [Process Plugin Definition](dsf/process-plugin-definition.md)
+- [Read Access Tag](dsf/read-access-tag.md)
+- [Requester and Recipient](dsf/requester-and-recipient.md)
+- [Spring Framework Integration](dsf/spring-framework-integration.md)
+- [Target and Targets](dsf/target-and-targets.md)
+- [Versions, Placeholders and URLs](dsf/versions-placeholders-urls.md)
+
+## Guides
+- [Accessing BPMN Process Variables](guides/accessing-bpmn-process-variables.md)
+- [Accessing Task Resources During Execution](guides/accessing-task-resources-during-execution.md)
+- [Adding Task Parameters to Task Profiles](guides/adding-task-parameters-to-task-profiles.md)
+- [Configuring Read Access Tags](guides/configuring-read-access-tags.md)
+- [Creating ActivityDefinitions](guides/creating-activity-definitions.md)
+- [Creating CodeSystems for DSF Processes](guides/creating-codesystems-for-dsf-processes.md)
+- [Creating Task Resources Based on a Definition](guides/creating-task-resources-based-on-a-definition.md)
+- [Creating ValueSets for DSF Processes](guides/creating-valuesets-for-dsf-processes.md)
+- [Managing Multiple Incoming Messages and Missing Messages](guides/managing-mutiple-incoming-messages-and-missing-messages.md)
+- [Starting a Process via Task Resources](guides/starting-a-process-via-task-resources.md)
+
+---
+
+## Get Started
+Source: https://dsf.dev/process-development/api-v2/get-started.html
+
+## How to start a new Project
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## Create a Process Plugin
+Source: https://dsf.dev/process-development/api-v2/create.html
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## Implementation
+Source: https://dsf.dev/process-development/api-v2/implementation.html
+
+You can find the FHIR Implementation Guide [here](../../dsf-development/v2/fhir-ig.md).
+
+---
+
+## Testing
+Source: https://dsf.dev/process-development/api-v2/testing.html
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## Best Practices
+Source: https://dsf.dev/process-development/api-v2/best-practices.html
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## Migration from API v1
+Source: https://dsf.dev/process-development/api-v2/migration.html
+
+## Migration from API 1 to API 2
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## Javadoc
+Source: https://dsf.dev/process-development/api-v2/javadoc.html
+
+Open Fullscreen
+
+
+
+
+---
+
+## Publishing on DSF Hub
+Source: https://dsf.dev/process-development/api-v2/publishing/publish-on-dsfhub.html
+
+::: tip Marketplace for process plugins
+To view already published Process Plugins, visit the [DSF Hub](https://hub.dsf.dev).
+:::
+
+## How to publish a project on DSF hub
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## BPMN Overview
+Source: https://dsf.dev/process-development/api-v2/bpmn/
+
+## Introduction
+The DSF uses BPMN 2.0 to model processes. Specifically, the [Camunda 7](https://docs.camunda.org/manual/7.21/) dialect from the [Camunda Modeler](https://camunda.com/de/download/modeler/). Modeling processes for the DSF requires this modeler or any other modeler which is able to produce the correct Camunda dialect.
+
+## Details
+- [Conditions](conditions.md)
+- [Execution Listeners](execution-listeners.md)
+- [Gateways](gateways.md)
+- [Messaging](messaging.md)
+- [Sequence Flow](sequence-flow.md)
+- [Service Tasks](service-tasks.md)
+- [Timer Intermediate Catching Events](timer-intermediate-catching-events.md)
+
+---
+
+## Service Tasks
+Source: https://dsf.dev/process-development/api-v2/bpmn/service-tasks.html
+
+## Service Tasks
+
+One of the most common types of BPMN Tasks used for modeling DSF processes is the [Service Task](https://docs.operaton.org/docs/documentation/reference/bpmn20/tasks/service-task). They are different from regular BPMN Tasks in that they offer the ability to link a Java class to the [Service Task](https://docs.operaton.org/docs/documentation/reference/bpmn20/tasks/service-task) which can be called and executed by a BPMN engine. The BPE (Business Process Engine) server of the DSF leverages this engine to execute BPMN processes and their associated code. Java service tasks must implement the API v2 interface `dev.dsf.bpe.v2.activity.ServiceTask`.
+
+---
+
+## User Tasks
+Source: https://dsf.dev/process-development/api-v2/bpmn/user-tasks.html
+
+## User Tasks
+
+User Tasks define a process step that requires some kind of human interaction. Usually this is done by providing some kind of form the user can fill out. Operaton supports three kinds of forms: [Embedded Forms](https://docs.operaton.org/docs/documentation/user-guide/task-forms/#embedded-task-forms), [Operaton Forms](https://docs.operaton.org/docs/documentation/user-guide/task-forms/#embedded-task-forms) and [External Task Forms](https://docs.operaton.org/docs/documentation/user-guide/task-forms/#external-task-forms). The DSF uses `External Task Forms` in the form of [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) and [Questionnaire Response](https://www.hl7.org/fhir/R4/questionnaireresponse.html) resources.
+
+## Related Topics
+[Questionnaire and QuestionnaireResponse](../fhir/questionnaire-and-questionnaireresponse.md), [User Tasks in the DSF](../guides/user-tasks-in-the-dsf.md)
+
+---
+
+## Messaging
+Source: https://dsf.dev/process-development/api-v2/bpmn/messaging.html
+
+## Messaging
+
+Enabling communication with other lanes, pools or even entirely separate processes requires the ability to exchange information. In BPMN, [Message Events](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/message-events/) and [Message Send Tasks](https://docs.operaton.org/docs/documentation/reference/bpmn20/tasks/send-task) are used to model this information exchange. Using them to model communication in the same diagram uses Message Flow. Message Flow is typically represented by a dashed line arrow between BPMN elements with a black (send) or white (receive) envelope icon. The following BPMN collaboration diagram shows message exchange between two processes.
+
+
+
+### Message Start Event
+
+[Message Start Events](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/message-events#message-start-event) allow a BPMN process to be started by an incoming message. In the DSF, all BPMN processes are started via messages. Therefore, it is mandatory to include a [Message Start Event](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/message-events#message-start-event) at the beginning of all DSF BPMN models.
+
+#### Message Intermediate Throwing Event
+[Message Intermediate Throwing Events](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/message-events#message-intermediate-throwing-event) are used to send messages during process execution. Message intermediate throwing events that are used to communicate with DSF instances via FHIR Task resources, should implement the DSF API v2 interface `dev.dsf.bpe.v2.activity.MessageIntermediateThrowEvent`.
+
+#### Message Intermediate Catching Event
+[Message Intermediate Catching Events](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/message-events#message-intermediate-catching-event) serve as the counterpart to [Message Intermediate Throwing Events](messaging.md#message-intermediate-throwing-event). They are used to receive a message from another process or organization during execution.
+
+#### Message End Event
+The [Message End Event](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/message-events#message-end-event) will stop the execution of a BPMN process and finish by sending a message.Message end events that are used to communicate with DSF instances via FHIR Task resources, should implement the API v2 interface `dev.dsf.bpe.v2.activity.MessageEndEvent`.
+
+#### Message Send Task
+Same as the [Message Intermediate Throwing Event](#message-intermediate-throwing-event), the [Message Send Task](https://docs.operaton.org/docs/documentation/reference/bpmn20/tasks/send-task/) is used to send messages during process execution but is also intended to execute some kind of business logic at the same time. Message send tasks that are used to communicate with DSF instances via FHIR Task resources, should implement the API v2 interface `dev.dsf.bpe.v2.activity.MessageSendTask`.
+
+## Related Topics
+[Activities](../dsf/activities.md), [Message Activities](../dsf/message-activities.md)
+
+---
+
+## Gateways
+Source: https://dsf.dev/process-development/api-v2/bpmn/gateways.html
+
+## Gateways
+
+[Gateways](https://docs.operaton.org/docs/documentation/reference/bpmn20/gateways/) allow modelling of decision-based and concurrent workflows. [Exclusive Gateways](#exclusive-gateways) model a decision where one flow gets pursued over other flows. [Event-based Gateways](#event-based-gateways) also model a decision, but are based on events. [Parallel Gateways](#parallel-gateways) model concurrency.
+
+### Exclusive Gateways
+
+[Exclusive Gateways](https://docs.operaton.org/docs/documentation/reference/bpmn20/gateways/exclusive-gateway) decide which one out of multiple [Sequence Flow](sequence-flow.md) should be followed based on [conditions](https://docs.camunda.org/manual/7.21/user-guide/process-engine/expression-language/#conditions). [Conditions](https://docs.camunda.org/manual/7.21/user-guide/process-engine/expression-language/#conditions) are not part of the [Exclusive Gateways](https://docs.operaton.org/docs/documentation/reference/bpmn20/gateways/exclusive-gateway) themselves. They are set through the sequence flow exiting the [Exclusive Gateway](https://docs.operaton.org/docs/documentation/reference/bpmn20/gateways/exclusive-gateway). In the [Camunda Modeler](https://camunda.com/download/modeler/), conditions can be added to [Sequence Flows](sequence-flow.md) by selecting a [Sequence Flow](sequence-flow.md) and opening the `Condition` tab. More information on how to use Conditions can be found in [Conditions](conditions.md).
+
+### Event-based Gateways
+
+The [Event-based Gateway](https://docs.operaton.org/docs/documentation/reference/bpmn20/gateways/event-based-gateway) models a decision in the workflow. But instead of [conditions](./conditions.md), the [Event-based Gateway](https://docs.operaton.org/docs/documentation/reference/bpmn20/gateways/event-based-gateway) uses the triggering of an event to decide which [Sequence Flow](sequence-flow.md) to pursue.
+
+### Parallel Gateways
+
+[Parallel Gateways](https://docs.operaton.org/docs/documentation/reference/bpmn20/gateways/parallel-gateway/) model concurrent workflows. Their outgoing flows can be joined together again with another [Parallel Gateway](https://docs.operaton.org/docs/documentation/reference/bpmn20/gateways/parallel-gateway/). This makes process execution wait for both flows to arrive at the gateway before continuing.
+
+---
+
+## Conditions
+Source: https://dsf.dev/process-development/api-v2/bpmn/conditions.html
+
+## Conditions
+
+BPMN elements can have a property attached to them which either executes a script or evaluates an expression in order to make a decision. The most common example of this is the [Sequence Flow](./sequence-flow.md) elements following an [Exclusive Gateway](./gateways.md). Each [Sequence Flow](./sequence-flow.md) element will have a condition attached to decide which flow should be pursued. The [Camunda Modeler](https://camunda.com/download/modeler/) distinguishes the two types in the `Type` attribute of the `Condition` tab in a BPMN element. Camunda comes with a GraalVM JavaScript engine but can be extended with other types of scripting engines. See the Camunda documentation on [scripting](https://docs.camunda.org/manual/latest/user-guide/process-engine/scripting/) for more details. Expressions are short boolean evaluations and have the following syntax: `${expression}`. An example of a simple expression would be a condition like `var = true`. For this to work during BPMN process execution, the variable that is used for the boolean condition must be available in the BPMN process variables before the [Sequence Flow](sequence-flow.md) reaches the evaluation of the expression. You can learn more advanced features of Expressions [here](https://docs.camunda.org/manual/7.21/user-guide/process-engine/expression-language/).
+
+---
+
+## Execution Listeners
+Source: https://dsf.dev/process-development/api-v2/bpmn/execution-listeners.html
+
+## Execution Listeners
+
+Execution Listeners can be registered to various flow elements like process, events, tasks, gateways and sequence flows. They are called when the process execution arrives at the flow element they are registered to. See [Activities]
+
+---
+
+## Timer Events
+Source: https://dsf.dev/process-development/api-v2/bpmn/timer-intermediate-catching-events.html
+
+## Timer Intermediate Catching Events
+
+A [Timer Intermediate Catching Event](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/timer-events#timer-intermediate-catching-event) allows modelling stopwatch behavior. A timer is started once the BPMN execution arrives at the event. The duration until the timer runs out is specified using the [ISO 8601 Durations](http://en.wikipedia.org/wiki/ISO_8601#Durations) format. Examples can be found [here](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/timer-events#time-duration). After running out, the BPMN process executes the [Sequence Flow](sequence-flow.md) following the [Timer Intermediate Catching Event](https://docs.operaton.org/docs/documentation/reference/bpmn20/events/timer-events#timer-intermediate-catching-event).
+
+---
+
+## FHIR Overview
+Source: https://dsf.dev/process-development/api-v2/fhir/
+
+## Introduction
+The DSF uses a variety of [FHIR resources](https://dsf.dev/intro/info/basics.html#why-are-we-using-fhir-and-bpmn). The DSF uses XML as the format for FHIR resources. The most important resources for plugin development are [ActivityDefinitions](activitydefinition.md), [CodeSystems](codesystem.md), [Tasks](task.md) and [ValueSets](valueset.md). There is also a catalog of DSF-specific FHIR resources including CodeSystems, ValueSets and Extensions. They can be found in the official [DSF GitHub repository](https://github.com/datasharingframework/dsf/tree/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir).
+
+## Details
+- [ActivityDefinition](activitydefinition.md)
+- [CodeSystem](codesystem.md)
+- [Questionnaire and QuestionnaireResponse](questionnaire-and-questionnaireresponse.md)
+- [Task](task.md)
+- [ValueSet](valueset.md)
+
+---
+
+## Task Resource
+Source: https://dsf.dev/process-development/api-v2/fhir/task.html
+
+## Task
+
+The [FHIR Task](https://www.hl7.org/fhir/R4/task.html) resource enables the DSF's distributed communication. Whenever a BPMN process instance communicates with a different process instance, the DSF will create a Task resource based on parameters set in the BPMN model and during execution. It will then automatically send the Task resource to the recipient to start or continue whatever process the Task resource referred to. All Task resources used in the DSF derive from the [DSF Task base definition](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-task-2.0.0.xml). This profile includes a splicing for `Task.input` with three additional [Input Parameters](task.md#task-input-parameters):
+- `message-name`
+- `business-key`
+- `correlation-key`
+
+When creating a process plugin, it is usually necessary to create new profiles based on the [DSF Task base definition](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-task-2.0.0.xml) and put them into `src/resources/fhir/StructureDefinition`.
+
+### Task Input Parameters
+
+Task Input Parameters allow adding additional information to [Task](task.md#task) resources before they are starting a process. For example, if a particular process requires an additional string value, one would add a slice to the Task profile in the same way the [DSF Task base definition](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-task-2.0.0.xml) adds slices to the original [FHIR Task](https://www.hl7.org/fhir/R4/task.html) resource in the `message-name` slice. It is import to know that this also requires creating a [CodeSystem](codesystem.md) and including it in a [ValueSet](valueset.md) to be able to use it in the Task resource.
+
+### Task Output Parameter
+Task Output Parameters function the same way as Input Parameters but are used to add information when a process has finished executing. This is usually used to display the result of the executed process. If the process fails because an uncaught exception is thrown, the DSF will update a Task to status `failed` and include the exception as an Output Parameter.
+
+## Related Topics
+[ActivityDefinition](activitydefinition.md), [Adding Task Parameters to Task Profiles](../guides/adding-task-parameters-to-task-profiles.md)
+
+---
+
+## ActivityDefinition
+Source: https://dsf.dev/process-development/api-v2/fhir/activitydefinition.html
+
+## ActivityDefinition
+
+[ActivityDefinitions](http://hl7.org/fhir/R4/activitydefinition.html) are used by the DSF to advertise which processes are available at any given instance and who is allowed to request and who is allowed to execute a process. The DSF defined elements for this purpose in the [dsf-activity-definition](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-activity-definition-2.0.0.xml) profile.
+
+
+The most important elements in ActivityDefinitions are:
+- `message-name`
+- `task-profile`
+- `requester`
+- `recipient`
+
+The `message-name` element contains the name of the [BPMN message start event](../bpmn/messaging.md#message-start-event) or [BPMN message intermediate catching event](../bpmn/messaging.md#message-intermediate-catching-event) which expects a [Task](task.md) resource complying to the profile defined by `task-profile`.
+
+The `requester` and `recipient` elements define the organisation(s) or person(s) who are allowed to request or receive the message specified by `message-name`. The receiving DSF instance is the one who will execute the process connected to the message. A list of examples for all possible `requester` and `recipient` elements is located [here](../dsf/requester-and-recipient.md).
+
+Creating [ActivityDefinitions](activitydefinition.md) is part of developing a process plugin. Readers fluent in understanding XML FHIR definitions and translating them into resources may take a look at the DSF's profile for ActivityDefinitions [here](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-activity-definition-2.0.0.xml). ActivityDefinitions also reference other resource definitions. Depending on the resource they are located in one of [these folders](https://github.com/datasharingframework/dsf/tree/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir). There is also the guide on [creating ActivityDefinitions](../guides/creating-activity-definitions.md) for more in-depth information.
+
+## Related Topics
+[Requester and Recipient](../dsf/requester-and-recipient.md), [Read Access Tag](../dsf/read-access-tag.md), [Task](task.md)
+
+---
+
+## CodeSystem
+Source: https://dsf.dev/process-development/api-v2/fhir/codesystem.html
+
+## CodeSystem
+
+[CodeSystems](https://www.hl7.org/fhir/R4/codesystem.html) usually represent a set of concepts which can be assigned to a code (think LOINC). Using a Code in a resource requires them to be included in a [ValueSet](valueset.md).
+
+Plugin development for the DSF requires the use of [CodeSystems](https://www.hl7.org/fhir/R4/codesystem.html) in two major ways:
+1. Using existing [DSF CodeSystems](https://github.com/datasharingframework/dsf/tree/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/CodeSystem) in other FHIR resources like the [dsf-extension-process-authorization](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-process-authorization-2.0.0.xml).
+2. Creating custom CodeSystem to add additional [Input Parameters](task.md#task-input-parameters) to [Task](task.md) profiles.
+
+## Related Topics
+[ActivityDefinition](activitydefinition.md), [Task](task.md), [ValueSet](valueset.md)
+
+---
+
+## ValueSet
+Source: https://dsf.dev/process-development/api-v2/fhir/valueset.html
+
+## ValueSet
+
+[ValueSets](https://www.hl7.org/fhir/R4/valueset.html) bind codes from [CodeSystems](codesystem.md) to coded elements like `code`, `Coding` or `CodeableConcept`.
+
+[ValueSets](https://www.hl7.org/fhir/R4/valueset.html) are mostly needed to use the [Concepts](https://www.hl7.org/fhir/R4/codesystem-definitions.html#CodeSystem.concept) from [CodeSystems](codesystem.md) in [Task](task.md) profiles.
+
+## Related Topics
+[CodeSystem](codesystem.md), [Task](task.md)
+
+---
+
+## Questionnaire
+Source: https://dsf.dev/process-development/api-v2/fhir/questionnaire-and-questionnaireresponse.html
+
+## Questionnaire and QuestionnaireResponse
+
+[Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) and [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html) resources are used by the DSF to implement the user interaction required in [User Tasks](../bpmn/user-tasks.md). Whenever a [User Task](../bpmn/user-tasks.md) is processed, the DSF will create a [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html) response resource on the DSF FHIR server. This [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html) is based on a [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) resource that is provided by the process plugin. This mechanism is described in more detail in the topic on [User Tasks in the DSF](../guides/user-tasks-in-the-dsf.md).
+
+## Related Topics
+[User Tasks](../bpmn/user-tasks.md), [User Tasks in the DSF](../guides/user-tasks-in-the-dsf.md)
+
+---
+
+## Process Plugin API
+Source: https://dsf.dev/process-development/api-v2/dsf/process-plugin-api.html
+
+## Process Plugin API Maven Module
+
+The [DSF Process Plugin API module](https://central.sonatype.com/artifact/dev.dsf/dsf-bpe-process-api-v2) consists of a set of utility classes designed to provide easy access to common solutions for process plugin use cases which would otherwise require lots of boilerplate code. An example is the `Variables` class, which provides access to the [BPMN process variables](bpmn-process-variables.md).
+
+Maven Dependency:
+
+```xml
+
+
+ dev.dsf
+ dsf-bpe-process-api-v2
+ ${dsf.version}
+ provided
+
+
+```
+
+### Process Plugin Api
+[Activities](activities.md) usually provide access to an instance of `ProcessPluginApi` when implementing/overriding their methods.
+This API instance provides a variety of utility classes:
+- `ProcessPluginDefinition`**:** access to the plugin's [`ProcessPluginDefinition`](process-plugin-definition.md)
+- `ProxyConfig`**:** forward proxy configuration
+- `EndpointProvider`**:** access to Endpoint resources
+- `FhirContext`**:** HAPI FHIR Context for parsing/serializing
+- `DsfClientProvider`**:** Webservice client to access a DSF FHIR server
+- `FhirClientProvider`**:** Webservice client to access a generic FHIR server
+- `OidcClientProvider`**:** Webservice client for OIDC
+- `MailService`**:** for sending automatic E-Mails (if configured)
+- `MimeTypeService`**:** utility for validating MIME types
+- `ObjectMapper`**:** ObjectMapper instance to serialize/deserialize POJOs to/from formats like JSON. ObjectMapper should not be used for FHIR resources. The parser provided by the FhirContext should be used instead
+- `OrganizationProvider`**:** access to Organization resources
+- `ProcessAuthorizationHelper`**:** utility for process authorization in [ActivityDefinitions](../fhir/activitydefinition.md)
+- `QuestionnaireResponseHelper`**:** utility for manipulating [QuestionnaireResponse](../guides/user-tasks-in-the-dsf.md) resources
+- `ReadAccessHelper`**:** utility for adding and validating [Read Access Tags](read-access-tag.md) in FHIR resources
+- `TaskHelper`**:** utility for reading and creating [Input and Output Parameters](../fhir/task.md) in Task resources
+- `CompressionService`**:** utility to compress/decompress data using various compression methods
+- `CryptoService`**:** utility for cryptography like creating RSA key pairs
+- `TargetProvider`**:** utility to create [Target instances](messaging.md) e.g. based on the identifier of a parent organization
+- `Variables`**:** access to BPMN execution variables
+
+## Related Topics
+[Activities](activities.md), [Input and Output Parameters](../fhir/task.md), [ProcessPluginDefinition](process-plugin-definition.md), [Read Access Tags](read-access-tag.md)
+
+---
+
+## Process Plugin Definition
+Source: https://dsf.dev/process-development/api-v2/dsf/process-plugin-definition.html
+
+## Process Plugin Definition
+
+In order for the DSF BPE server to load a plugin properly, it needs to provide the following information in what is called the process plugin definition:
+* A plugin [version](versions-placeholders-urls.md#version-pattern)
+* A release date
+* A plugin name
+* The BPMN model files
+* The FHIR resources grouped by BPMN process ID. A plugin may have any number of BPMN models. Each has their own BPMN process ID and FHIR resources specific to that BPMN process (like [Task](../fhir/task.md) resources needed for messages specific to that BPMN model)
+* The Class holding a [Spring Framework Configuration](spring-framework-integration.md)
+
+To provide this information, one of the classes in the process plugin has to implement the `dev.dsf.bpe.ProcessPluginDefinition` interface. The DSF BPE server then searches for classes implementing this interface using the Java [ServiceLoader](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/ServiceLoader.html) mechanism. Therefore, the class also needs to be registered in the `src/main/resources/META-INF/services/dev.dsf.bpe.v2.ProcessPluginDefinition` file. An example of this can be found in the [process plugin tutorial](https://github.com/datasharingframework/dsf-process-tutorial/).
+It is recommended to extend the [`AbstractProcessPluginDefinition`](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/AbstractProcessPluginDefinition.java) class which already implements some of the methods required by the interface and forces a configuration of the plugin that wards against potential inconsistencies between the Java code and `pom.xml`, while also setting the foundation for reproducible builds.
+
+## Related Topics
+[Spring Integration](spring-framework-integration.md), [Versions, Placeholders and URLs](versions-placeholders-urls.md)
+
+---
+
+## BPMN Process Execution
+Source: https://dsf.dev/process-development/api-v2/dsf/bpmn-process-execution.html
+
+## BPMN Process Execution
+
+The BPMN process execution is the in-memory representation of a running BPMN process. BPMN processes have their executions structured as a tree hierarchy. Each BPMN process starts with the [process instance](https://docs.camunda.org/manual/7.21/user-guide/process-engine/process-engine-concepts/#process-instances) as its root level execution. If, for example, this root execution reaches a parallel gateway with two paths, it would spawn two child executions under itself for them to process all tasks along their paths on their own. Executions can access all the BPMN elements from the BPMN model as well as the [BPMN process variables](bpmn-process-variables.md). Limited access to this representation in the Java code is provided through the `variables` parameter when implementing/overriding certain methods in [Activities](activities.md) like `execute` or `getAdditionalInputParameters`.
+
+## Related Topics
+[Activities](activities.md)
+
+---
+
+## BPMN Process Variables
+Source: https://dsf.dev/process-development/api-v2/dsf/bpmn-process-variables.html
+
+## BPMN Process Variables
+
+BPMN process variables hold additional information which has to be available during BPMN process execution. Variables can be directly related to BPMN elements like the boolean value for [Conditions](../bpmn/conditions.md), but do not have to be. BPMN process variables are stored as key-value pairs with the key being the variable name. Certain [Activities](activities.md) expose an instance of the `Variables` class which gives access to BPMN process variables.
+
+## Related Topics
+[Accessing BPMN Process Variables](../guides/accessing-bpmn-process-variables.md)
+
+---
+
+## Message Correlation
+Source: https://dsf.dev/process-development/api-v2/dsf/message-correlation.html
+
+## Message Correlation
+
+Having messages arrive at the correct process instance requires a mechanism to link them to their rightful process instance. This mechanism is called Message Correlation and attaches a unique identifier to every process instance. This identifier is called the `business-key`. The `business-key` will get attached to every outgoing message automatically. A message can then be sent back to the organization which initiated the communication and have it arrive at the same process instance that initially sent the message since the returning message will have the same `business-key` attached.
+
+It is possible that the `business-key` is insufficient to map messages to the correct process instance. Like when using subprocesses in the BPMN model which all expect messages to be sent to them, not the parent process. To solve this issue, [Task](../fhir/task.md) resources also come with an [Input Parameter](../fhir/task.md#task-input-parameters) called `correlation-key`. This is a secondary identifier attachable to all messages if they need to arrive at a specific subprocess. The [`Variables`](bpmn-process-variables.md) class provides methods to create `Targets` with a `correlation-key` value. The value is usually given as a UUID. When using the [Process Plugin API's](process-plugin-api.md) `TargetProvider` to create targets for messages, its builder offers the option to decide whether a `correlation-key` should be part of each `Target` instance. If set, the [Task](../fhir/task.md) will automatically have a `correlation-key` set when it is sent to the target.
+
+---
+
+## Spring Framework Integration
+Source: https://dsf.dev/process-development/api-v2/dsf/spring-framework-integration.html
+
+## Spring Framework Integration
+
+The DSF uses some of the [Spring Framework's](https://spring.io/projects/spring-framework) functionality. When deployed, every process plugin exists in its own [Spring context](https://docs.spring.io/spring-framework/reference/core/beans/introduction.html). Process plugins require [Spring Beans](https://docs.spring.io/spring-framework/reference/core/beans/definition.html) with `prototype` [scope](https://docs.spring.io/spring-framework/reference/core/beans/factory-scopes.html) for all classes which either extend or implement the following classes/interfaces:
+- `Activity`
+- `DefaultUserTaskListener`
+- `ExecutionListener`
+- `MessageActivity`
+- `MessageEndEvent`
+- `MessageIntermediateThrowEvent`
+- `MessageSendTask`
+- `ServiceTask`
+- `UserTaskListener`
+
+A [Spring-Framework configuration class](https://docs.spring.io/spring-framework/docs/current/reference/html/core.html#beans-java-basic-concepts) located in the `spring/config` directory is expected to provide the Spring Beans. If you are unfamiliar with the Spring Framework, you can find more information in [Java-based Container Configuration](https://docs.spring.io/spring-framework/reference/core/beans/java.html) of the Spring Framework documentation, specifically the topics [Using the @Bean Annotation](https://docs.spring.io/spring-framework/reference/core/beans/java/bean-annotation.html) and [Using the @Configuration Annotation](https://docs.spring.io/spring-framework/reference/core/beans/java/configuration-annotation.html).
+
+Below is an example of a Spring configuration class:
+```java
+@Configuration
+public class TutorialConfig
+{
+ @Value("${dev.dsf.process.tutorial.loggingEnabled:false}")
+ @ProcessDocumentation(description = "Set to true to enable logging", required = false, processNames = PROCESS_NAME_FULL_DIC)
+ private boolean loggingEnabled; //environment variable
+
+ @Value("${dev.dsf.process.tutorial.userVote:false}")
+ @ProcessDocumentation(description = "Set to true to enable users to vote", required = false, processNames = PROCESS_NAME_FULL_VOTING_PROCESS)
+ private boolean userVote; //environment variable
+
+ //register classes with default constructor as prototype beans
+ @Bean
+ public static ActivityPrototypeBeanCreator activityPrototypeBeanCreator()
+ {
+ return new ActivityPrototypeBeanCreator(HelloCosMessage.class, CosTask.class, HelloHrpMessage.class,
+ HrpTask.class, GoodbyeDicMessage.class, StartVotingProcess.class, SelectTargets.class, StartVote.class,
+ SaveUserVote.class, AutomatedVote.class, PrepareReturnVote.class, ReturnVote.class,
+ SaveVotingResult.class, SaveTimeoutResult.class, AggregateResults.class);
+ }
+
+ //register classes with custom constructor as prototype beans
+ @Bean
+ @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
+ public DicTask dicTask()
+ {
+ return new DicTask(loggingEnabled);
+ }
+
+ @Bean
+ @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
+ public DecideWhetherUserVote decideWhetherUserVote()
+ {
+ return new DecideWhetherUserVote(userVote);
+ }
+
+ @Bean
+ @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
+ public UserVoteListener userVoteListener()
+ {
+ return new UserVoteListener();
+ }
+
+ @Bean
+ @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
+ public SetCorrelationKeyListener setCorrelationKeyListener()
+ {
+ return new SetCorrelationKeyListener();
+ }
+}
+```
+
+## Related Topics
+[Activities](activities.md), [Environment Variables](environment-variables.md)
+
+---
+
+## Starting a Process
+Source: https://dsf.dev/process-development/api-v2/guides/starting-a-process-via-task-resources.html
+
+## Starting a Process via Task Resources
+
+To start a BPMN process, a new [Task](../fhir/task.md) resource must be created in the DSF FHIR server by sending an HTTP request in accordance with the [FHIR RESTful API](https://www.hl7.org/fhir/R4/http.html). Specifically, a [create](https://www.hl7.org/fhir/R4/http.html#create) operation is required to generate the resource for the first time. The [Task](../fhir/task.md) resource being sent must conform to the [Task](../fhir/task.md) profile of the intended process and adhere to the [ActivityDefinition's](../fhir/activitydefinition.md) authorization rules.
+There are two major ways of making this HTTP request:
+1. Using cURL
+2. Using the DSF FHIR server's web interface
+
+### Using cURL
+To use cURL, an appropriate [Task](../fhir/task.md) resource must be created and posted to the DSF FHIR server. There is a guide on [creating Task Resources based on a StructureDefinition](../guides/creating-task-resources-based-on-a-definition.md). A file named `example-task.xml` is available in `tutorial-process/src/main/resources/fhir` in the [DSF Process Tutorial](https://github.com/datasharingframework/dsf-process-tutorial) and can serve as a starting point. The [solution branches of the tutorial](https://github.com/datasharingframework/dsf-process-tutorial/blob/solutions/exercise-1/tutorial-process/src/main/resources/fhir/Task/task-start-dic-process.xml) can be consulted for a full example.
+
+Below is a cURL command skeleton. All <>-Placeholders should be replaced with appropriate values. Host name depends on the instance that should be addressed.
+
+#### Linux:
+```shell
+curl https:///fhir/Task \
+--cacert \
+--cert :password \
+--key \
+-H "Content-Type: application/fhir+xml" \
+-H "Accept: application/fhir+xml" \
+-d @
+```
+
+### Using the DSF FHIR Server's Web Interface
+
+When accessing the web interface of a DSF FHIR server instance (e.g. https://instance-name/fhir), the DSF FHIR server can be queried using the [FHIR RESTful API](https://www.hl7.org/fhir/R4/http.html) to return a list of all [Draft Task Resources](../dsf/draft-task-resources.md). These [Task](../fhir/task.md) resources serve as templates for instantiating [Task](../fhir/task.md) resources that initiate BPMN processes. Instead of performing the query manually, a predefined bookmark can be used to navigate to the query URL. A list of bookmarks is available in the top right corner of the web interface. Selecting the bookmark referencing `?_sort=_profile,identifier&status=draft` under the `Task` section will display the list of all [Draft Task Resources](../dsf/draft-task-resources.md). From this list, the desired resource to start the BPMN process can be selected. A detailed view of the resource will be shown, allowing the specification of any necessary [Task Input Parameters](../fhir/task.md#task-input-parameters). If all required information is provided correctly, the process can be initiated by clicking `Start Process`.
+
+For [Draft Task Resources](../dsf/draft-task-resources.md) to be available, they must be included in the mapping for the BPMN process ID in `ProcessPluginDefinition#getFhirResourcesByProcessId`. Additional information can be found in [the Process Plugin Definition](../dsf/process-plugin-definition.md).
+
+## Related Topics
+[Task](../fhir/task.md)
+
+---
+
+## Accessing Process Variables
+Source: https://dsf.dev/process-development/api-v2/guides/accessing-bpmn-process-variables.html
+
+## Accessing BPMN Process Variables
+
+Access to retrieve data from or store data in the [BPMN process variables](../dsf/bpmn-process-variables.md) can be acquired via the `Variables` class. An instance is usually available when overriding/implementing methods in [Activities](../dsf/activities.md). If an instance is missing in a place where it should be accessible, please [let us know](https://dsf.dev/community/contribute/).
+
+The `Variables` class provides lots of utility methods to read or write certain types
+of [BPMN process variables](../dsf/bpmn-process-variables.md). If the methods provided by the `Variables` class are insufficient to solve a problem, we would like to learn in what way the current API of the `Variables` class is limiting. Again, please [let us know](https://dsf.dev/community/contribute/).
+
+## Related Topics
+[BPMN Process Variables](../dsf/bpmn-process-variables.md), [Activities](../dsf/activities.md)
+
+---
+
+## Accessing Task Resources
+Source: https://dsf.dev/process-development/api-v2/guides/accessing-task-resources-during-execution.html
+
+## Accessing Task Resources During Execution
+
+Access to the [Task](../fhir/task.md) resources in [Activities](../dsf/activities.md) is provided by the `Variables` class. It comes with methods which return certain kinds of [Task](../fhir/task.md) resources. The most commonly used ones are the start [Task](../fhir/task.md), referring to the [Task](../fhir/task.md) / [Message Start Event](../bpmn/messaging.md#message-start-event) responsible for starting the process, and the latest [Task](../fhir/task.md), referring to most recently received [Task](../fhir/task.md) / Message.
+In principle, this is sufficient to access all information in a [Task](../fhir/task.md) resource, since there is access to the full in-memory representation of the [Task](../fhir/task.md) resource. This however can be very cumbersome to use and produces a lot of boilerplate when traversing the resource tree to access certain common elements.
+Instead of navigating the [Task](../fhir/task.md) resource's element tree, it is recommended to use the [ProcessPluginApi's](../dsf/process-plugin-api.md) `TaskHelper` in conjunction with the method above. The `TaskHelper` class offers specific methods related to [Task](../fhir/task.md) resources.
+The most common use case for this is retrieving data from a [Task's](../fhir/task.md) [Input Parameter](../fhir/task.md#task-input-parameters) or creating a new [Input Parameter](../fhir/task.md#task-input-parameters) for a [Message Activity's](../dsf/message-activities.md) `getAdditionalInputParameters` method.
+
+### Retrieving Data from Input Parameters
+1. Know the [CodeSystem](../fhir/codesystem.md) and Code of the `type` element of the [Input Parameter](../fhir/task.md#task-input-parameters) to extract data from. This depends on the [Task's](../fhir/task.md) [StructureDefinition](https://www.hl7.org/fhir/R4/structuredefinition.html). Example:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+2. Know the [FHIR Datatype](https://www.hl7.org/fhir/R4/datatypes.html) of the [Input Parameter](../fhir/task.md#task-input-parameters) defined by its `value[x]` element. This also depends on the [Task's](../fhir/task.md) [StructureDefinition](https://www.hl7.org/fhir/R4/structuredefinition.html). Example:
+```xml
+
+
+
+
+
+
+```
+3. The `TaskHelper's` getters for [Input Parameters](../fhir/task.md#task-input-parameters) should be used depending on the information available. The methods will try to match the provided [CodeSystem](../fhir/codesystem.md) and Code to any [Input Parameter](../fhir/task.md#task-input-parameters) of the provided [Task](../fhir/task.md) resource. Depending on the method it is possible to receive all matches or just the first one. There are also methods immediately returning the value of the [Input Parameter](../fhir/task.md#task-input-parameters) if the [FHIR Datatype](https://www.hl7.org/fhir/R4/datatypes.html) is provided. The `string` datatype is used often enough to have its own method immediately returning the String value of the matched [Input Parameter](../fhir/task.md#task-input-parameters).
+
+## Related Topics
+[Accessing BPMN Process Variables](accessing-bpmn-process-variables.md), [Activities](../dsf/activities.md), [Task](../fhir/task.md)
+
+---
+
+## Creating Activity Definitions
+Source: https://dsf.dev/process-development/api-v2/guides/creating-activity-definitions.html
+
+## Creating ActivityDefinitions
+
+This guide will explain how to create an ActivityDefinition based on the [dsf-activity-definition](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-activity-definition-2.0.0.xml) profile for a process plugin.
+It is divided into steps for each of the main components of ActivityDefinitions:
+1. Read Access Tag
+2. Extension: process authorization
+3. BPE Managed Elements
+4. Regular Elements
+
+*Regular elements* are all elements not part of the first 3 main components.
+
+*This guide assumes the reader knows how to translate [ElementDefinitions](https://www.hl7.org/fhir/R4/elementdefinition.html) to actual elements in a FHIR resource. If not, the guide on [creating Task resources](../guides/creating-task-resources-based-on-a-definition.md) includes explanations for this.*
+
+### 1. Profile and Read Access Tag
+Start out with an empty [ActivityDefinition](../fhir/activitydefinition.md):
+```xml
+
+
+
+```
+
+The first elements in DSF FHIR resources are always the profile the resources corresponds to and the [Read Access Tag](../dsf/read-access-tag.md). The profile usually has a [DSF base resource](https://github.com/datasharingframework/dsf/tree/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition) as its value. The [Read Access Tag](../dsf/read-access-tag.md) describes who is allowed to read this resource through the DSF FHIR server's REST API. More complex configurations of the [Read Access Tag](../dsf/read-access-tag.md) are explained in [this guide](../dsf/read-access-tag.md). For this example, everyone will be allowed to read the resource:
+
+```xml
+
+
+
+
+
+
+
+
+
+```
+
+### 2. Extension: Process Authorization
+This part of the ActivityDefinition will tell the DSF who is allowed to request and receive messages ([Task](../fhir/task.md) resources) for BPMN process. If the plugin contains more than one BPMN process, there will have to be one [ActivityDefinition](../fhir/activitydefinition.md) for each BPMN process. It is important to note that authorization rules need to be included for **ALL** messages received in the BPMN process. This includes the messages starting the BPMN process initially. The extension containing all possible rules is found [here](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-process-authorization-2.0.0.xml). Next up is adding the [extension element](http://hl7.org/fhir/R4/extensibility.html#extension) with the correct URL. The value for the URL is found in the `Extension.url` element:
+```xml
+
+ ...
+
+
+
+
+```
+*Elements not relevant to the current component are hidden with `...` to increase readability.*
+
+The [differential](https://www.hl7.org/fhir/R4/profiling.html#snapshot) statement starts by defining the [slicing](https://www.hl7.org/fhir/R4/profiling.html#snapshot) for the `Extension.extension` element:
+
+```xml
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+```
+
+The above states that whenever this extension is used in a profile, the profile needs to include this extension at least once (``). The [slicing](https://www.hl7.org/fhir/R4/profiling.html#snapshot) on `Extension.extension` defines that elements of this [slicing](https://www.hl7.org/fhir/R4/profiling.html#snapshot) are identified by the value of their URL (``), which is always the case for extensions, and that other extensions can be added to the [slicing](https://www.hl7.org/fhir/R4/profiling.html#snapshot) (``). Since there is a [slicing](https://www.hl7.org/fhir/R4/profiling.html#snapshot) on `Extension.extension`, this is a nested extension.
+
+After these initial element definitions come the elements relevant for the process plugin. The first one is the `message-name` slice:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+```
+
+This section defines that there has to be exactly one extension element from the `message-name` slice in the [ActivityDefinition](../fhir/activitydefinition.md). The extension element will have a URL value of `message-name`. This URL value identifies the element to belong to the `message-name` slice on `Extension.extension`, in accordance with the `discriminator`. Lastly, the extension element includes a `valueString` element. FHIR does not allow using `value[x]` as actual element. The value in `value[x]` is always strictly bound to some kind of type. FHIR uses the `value[x].type.code` value to determine this type and replaces `[x]` with an uppercase version of `element.type.code`. This results in the following extension element:
+```xml
+
+
+
+```
+
+`myMessage` will have to be replaced with the name of the [BPMN message event](../bpmn/messaging.md) in a BPMN process that is expecting this message.
+
+
+This is how the ActivityDefinition should look like so far
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+The next slice is called `task-profile`:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+```
+
+This section has almost the same structure as `message-name`. The only difference is the value for `value[x].type.code`. This means that instead of `valueString`, it requires using a `valueCanonical` element for `task-profile.value[x]`. Canonical values referring to [Task](../fhir/task.md) profiles in ActivityDefinitions have to conform to the rules outlined by the documentation on [URLs](../dsf/versions-placeholders-urls.md#urls). From the definition above, the following extension element is created and added to the [ActivityDefinition](../fhir/activitydefinition.md):
+```xml
+
+
+
+```
+
+
+This is how the ActivityDefinition should look like so far
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+The next slice is `requester`:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+```
+Instead of a `string` or `canonical` type for `value[x]` there now is a `Coding` type. See the [FHIR documentation on Codings](https://www.hl7.org/fhir/R4/datatypes.html#Coding) for more in-depth information. `Codings` are elements which contain, among other things, a `code` and the `system` the code belongs to. In the same way `value[x]` transformed into `valueString` or `valueCanonical` before, `value[x]` will be transformed into `valueCoding`. To use `Codings` in `valueCoding` elements, they are usually bound to the element through a [ValueSet](../fhir/valueset.md). This is the responsibility of the `binding` element. There is also a list of `value[x].type.profile` elements referencing other [StructureDefinitions](https://www.hl7.org/fhir/R4/structuredefinition.html). Instead of defining the elements in the same file, they were defined in different files for better readability. The use case decides which one to pick.
+Here is what they mean:
+- `local-all`: All local requests will be allowed. Local requests are identified by matching the requester's certificate to a thumbprint which was internally marked by the DSF FHIR server as belonging to a local organization.
+- `local-organization`: All local requests made from an organization with a specific `organization-identifier` will be allowed.
+- `local-parent-organization-role`: All local requests made from an organization having a specific role inside a specific parent organization will be allowed.
+- `remote` versions of the above rules work the same but the requester's certificate is instead required to match a thumbprint marked as a remote organization.
+- `practitioner` suffixes all work the same. They include the same rules as their prefixes but now additionally require the requester to match a certain `practitioner-role`. A list of them
+ can be found [here](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/CodeSystem/dsf-practitioner-role-2.0.0.xml). This allows
+ for more granularity when defining authorization rules within an organization and can be integrated into local user management via [OpenID Connect](https://dsf.dev/stable/maintain/fhir/access-control.html).
+
+There are no `practitioner` versions of `remote` authorization rules. From the perspective of the receiving DSF instance, remote requests are always issued by an organization. They do not hold any information about the local user management of the requesting organization. Examples of all Codings from above can be found [here](../dsf/requester-and-recipient.md).
+
+It is also good to keep in mind that any number of `requester` elements may be added to an [ActivityDefinition](../fhir/activitydefinition.md). Start out by adding a `requester` element like previous extensions:
+
+```xml
+
+
+
+
+
+```
+
+The remaining element definitions are found in one of the profiles. This example will use the [dsf-coding-process-authorization-local-organization-practitioner](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-coding-process-authorization-local-organization-practitioner-2.0.0.xml) profile. Since all elements listed in the [Coding definition](https://www.hl7.org/fhir/R4/datatypes.html#codesystem) are optional, only the `differential` elements from the profile are relevant:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+It defines an extension called `organization-practitioner` which is identified through its url attribute. Again, the extension is only referenced, its location is in a [different file](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-process-authorization-organization-practitioner-2.0.0.xml). Below is its `differential` element in order to see how the extension needs to be populated:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+This extension does not reference any other files. This means this is the "deepest" level. The process can now proceed by translating this definition into actual extension elements, inserting it into the selected Coding, translating the remaining element definitions from the Coding resource, and incorporating all components into the [ActivityDefinition](../fhir/activitydefinition.md).
+
+Start with the `Extension.url` element, since the `Extension` element is the parent element for all slices on the `Extension.extension` elements:
+```xml
+
+
+
+```
+
+Next, add the `organization` slice:
+```xml
+
+
+
+
+
+
+
+
+```
+Finally, add the `practitionerRole` slice:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+There is no `binding` element specified for `practitionerRole.value[x]`. This is intentional. The example used a code from the [dsf-practitioner-role](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/CodeSystem/dsf-practitioner-role-2.0.0.xml) CodeSystem. This CodeSystem includes a standard set of codes which are often sufficient for DSF use cases. Other/new CodeSystems if may be added if these codes do not apply for a given use case. The code set here can be used in the [DSF role config](https://dsf.dev/stable/maintain/fhir/access-control.html) to allow certain users with this `practitioner-role` to send requests.
+
+Now add the extension as the `Coding.extension:organization-practitioner` element:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+Look at the [differential](#coding-differential) from the Coding again. The next elements to be added are `Coding.system` and `Coding.code`:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+The `requester` extension is now finished and can be added it to the [ActivityDefinition](../fhir/activitydefinition.md) under the [dsf-extension-process-authorization](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-process-authorization-2.0.0.xml).
+
+
+This is how the ActivityDefinition should look like so far
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+Back to looking at the [dsf-extension-process-authorization](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-process-authorization-2.0.0.xml) again. The last slice for this extension is `recipient`:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+```
+
+The `recipient` will decide which DSF instance is allowed to process that message. That is the reason why there are no Codings for `remote` or `practitioner` here. For `requester`, it was decided to only allow users with a certain role from a local organization to send this message. The message should now also only be processable by that same local organization. The right Coding for this job is the [coding-process-authorization-local-organization](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-coding-process-authorization-local-organization-2.0.0.xml). The configuration of a local requester and local receiver is often used for the message that starts up the first BPMN process of the plugin. The process of adding the `recipient` slice is the exact same as it is for `requester`. It's possible to follow the same steps for the `requester` slice again but using a different Coding.
+
+
+This is how the ActivityDefinition should look like
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+The last element defined in the [process authorization extension](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-process-authorization-2.0.0.xml) is `Extension.url`. This was already added at the very beginning of the working through the extension, so there is nothing more to add.
+
+#### 3. BPE Managed Elements
+
+Some elements of [ActivityDefinitions](../fhir/activitydefinition.md) are managed by the DSF BPE and replaced with certain values at appropriate times.
+
+The following elements are managed by the DSF BPE:
+- `ActivityDefinition.version` should use the [placeholder](../dsf/versions-placeholders-urls.md#placeholders) `#{version}`
+- `ActivityDefinition.date` is not required, but if it is included, it should use the [placeholder](../dsf/versions-placeholders-urls.md#placeholders) `#{date}`
+- `ActivityDefinition.status` must have a value of `unknown`
+
+
+The ActivityDefinition should now look like this
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+### 4. Regular Elements
+
+The only required elements in this set are `ActivityDefinition.url` and `ActivityDefinition.kind`. `ActivityDefinition.url` expects a certain format. This is explained in detail in the [documentation on URLs](../dsf/versions-placeholders-urls.md#urls). `ActivityDefinition.kind` must have the value `Task`.
+All other elements can technically be omitted. Still, the following elements are recommended to be populated:
+- `AcitivityDefinition.name`
+- `AcitivityDefinition.title`
+- `AcitivityDefinition.subtitle`
+- `AcitivityDefinition.experimental`
+- `AcitivityDefinition.publisher`
+- `AcitivityDefinition.contact`
+- `AcitivityDefinition.description`
+
+
+The finished ActivityDefinition should now look something like this
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+## Related Topics
+[ActivityDefinition](../fhir/activitydefinition.md), [Creating CodeSystems for DSF Processes](creating-codesystems-for-dsf-processes.md), [Creating ValueSets for DSF Processes](creating-valuesets-for-dsf-processes.md), [Task](../fhir/task.md)
+
+---
+
+## Creating CodeSystems
+Source: https://dsf.dev/process-development/api-v2/guides/creating-codesystems-for-dsf-processes.html
+
+## Creating CodeSystems for DSF Processes
+
+Sometimes it is necessary to create custom [CodeSystem](../fhir/codesystem.md) resources. For example, when defining the type of an [Input Parameter](../fhir/task.md#task-input-parameters). [CodeSystems](../fhir/codesystem.md) for the DSF differ from regular [CodeSystems](../fhir/codesystem.md) in that some element's values are managed by the DSF BPE server. The following template can be populated with custom values:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+Dummy values should be replaced with appropriate values. Elements managed by the DSF BPE server should not be changed. More codes can be added by defining more `concept` elements.
+
+When building a plugin, the [CodeSystem](../fhir/codesystem.md) is expected to be in `src/main/resources/fhir/CodeSystem` of the Java project.
+
+## Related Topics
+[Adding Task Input Parameters to Task Profiles](adding-task-parameters-to-task-profiles.md), [CodeSystem](../fhir/codesystem.md), [Creating ValueSets for DSF processes](creating-valuesets-for-dsf-processes.md), [ValueSet](../fhir/valueset.md)
+
+---
+
+## Creating ValueSets
+Source: https://dsf.dev/process-development/api-v2/guides/creating-valuesets-for-dsf-processes.html
+
+## Creating ValueSets for DSF Processes
+
+In some cases, it may be necessary to create a [ValueSet](../fhir/valueset.md). For example, when adding [Input Parameters](../fhir/task.md#task-input-parameters) to DSF [Task](../fhir/task.md) resources, a [ValueSet](../fhir/valueset.md) resource must also be referenced in the binding for `Task.input.type` to define the type of the [Input Parameter](../fhir/task.md#task-input-parameters). [ValueSets](../fhir/valueset.md) for the DSF differ from regular [ValueSets](../fhir/valueset.md) in that certain element values are managed by the DSF BPE server. The following template can be used for a [ValueSet](../fhir/valueset.md):
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+Dummy values should be replaced with appropriate, context-specific values. Elements managed by the DSF BPE server must not be modified. The `compose` element defines the codes included in this [ValueSet](../fhir/valueset.md) and contains at least one `include` element. Each `include` element references a [CodeSystem](../fhir/codesystem.md) and includes a list of `concept` elements, each containing an individual `code` element. The use of one code from `my-code-system` and one code from `my-other-code-system` results in the following `compose` element:
+```xml
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+When building a plugin, the [ValueSet](../fhir/valueset.md) is expected to be in `src/main/resources/fhir/CodeSystem` of the Java project.
+
+## Related Topics
+[CodeSystem](../fhir/codesystem.md), [Creating CodeSystems for DSF processes](creating-codesystems-for-dsf-processes.md), [ValueSet](../fhir/valueset.md)
+
+---
+
+## Creating Task Resources
+Source: https://dsf.dev/process-development/api-v2/guides/creating-task-resources-based-on-a-definition.html
+
+## Creating Task Resources Based on a Definition
+
+This short guide provides an overview of how to create [Task](../fhir/task.md) resources for use in [Starting A Process Via Task Resources](../guides/starting-a-process-via-task-resources.md). As an example, a [Task](../fhir/task.md) resource based on the [`task-start-dic-process.xml`](https://github.com/datasharingframework/dsf-process-tutorial/blob/main/tutorial-process/src/main/resources/fhir/StructureDefinition/task-start-dic-process.xml) profile is created.
+
+Like all Task resources created for process plugins, the [`task-start-dic-process.xml`](https://github.com/datasharingframework/dsf-process-tutorial/blob/main/tutorial-process/src/main/resources/fhir/StructureDefinition/task-start-dic-process.xml) is based on the [DSF's base definition for Task resources](https://dsf.dev/fhir/ImplementationGuide/dev.dsf/StructureDefinition-task.html). This base definition specifies mandatory elements for all Tasks in the DSF. This results in the following base template for all Tasks:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+Start out by replacing dummy values with values appropriate for the [`task-start-dic-process.xml`](https://github.com/datasharingframework/dsf-process-tutorial/blob/main/tutorial-process/src/main/resources/fhir/StructureDefinition/task-start-dic-process.xml):
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+The `profile` will be the StructureDefinition the Task is based on, which in this case is the url of the [`task-start-dic-process.xml`](https://github.com/datasharingframework/dsf-process-tutorial/blob/main/tutorial-process/src/main/resources/fhir/StructureDefinition/task-start-dic-process.xml) including the version of the plugin that should be targeted.
+
+The `instantiatesCanonical` value is the same value as the one defined by the StructureDefinition [`task-start-dic-process.xml`](https://github.com/datasharingframework/dsf-process-tutorial/blob/main/tutorial-process/src/main/resources/fhir/StructureDefinition/task-start-dic-process.xml):
+```xml
+
+
+
+
+```
+
+The `requester` element usually holds the identifier of the local organization but may be replaced by the `http://dsf.dev/sid/practitioner-identifier` CodeSystem, `requester.type` with value `Practitioner` and a practitioner identifier while the `recipient` element always holds the identifier of an organization.
+
+The StructureDefinition [`task-start-dic-process.xml`](https://github.com/datasharingframework/dsf-process-tutorial/blob/main/tutorial-process/src/main/resources/fhir/StructureDefinition/task-start-dic-process.xml) also mandates the string value for the [input](../fhir/task.md#task-input-parameters) to be fixed as `startDicProcess`:
+```xml
+
+
+
+
+```
+
+Depending on the StructureDefinition of the [Task](../fhir/task.md) resource, there may be more [input parameters](../fhir/task.md#task-input-parameters) of varying [FHIR data types](https://hl7.org/fhir/R4/datatypes.html) and including extensions.
+
+## Related Topics
+[Draft Task Resources](../dsf/draft-task-resources.md), [Task](../fhir/task.md)
+
+---
+
+## Read Access Tags
+Source: https://dsf.dev/process-development/api-v2/guides/configuring-read-access-tags.html
+
+## Configuring Read Access Tags
+
+Before starting to configure anything, it is advised to take a look at the [CodeSystem](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/CodeSystem/dsf-read-access-tag-2.0.0.xml) defined for the [Read Access Tag](../dsf/read-access-tag.md) and choose one of the codes from it:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+The codes `LOCAL` and `ALL` are trivial. Their [Read Access Tag](../dsf/read-access-tag.md) would look like this:
+```xml
+
+
+
+
+
+
+```
+
+Now to configure a Read Access Tag whose code uses an extension. This example will use the code `ROLE`. It starts out the same way as before:
+```xml
+
+
+
+
+
+
+```
+
+The `definition` element of the `ROLE` code references an extension called [dsf-extension-read-access-parent-organization-role](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-read-access-parent-organization-role-2.0.0.xml).
+
+The most important part of it is the `differential` statement. It uses [element definitions](https://www.hl7.org/fhir/R4/elementdefinition.html) to describe how the extensions needs to be implemented:
+```xml
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+All extensions for the [Read Access Tag](../dsf/read-access-tag.md) CodeSystem are defined on the `meta.tag.extension` element through the extension's `context` element:
+```xml
+
+
+
+
+```
+
+That is why the first element to be added to `meta.tag` is an `extension` element:
+```xml
+
+
+
+
+
+
+
+
+
+```
+
+Now to process the `differential` statement one element at a time, starting at the top:
+```xml
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+```
+
+It defines a [slicing](https://www.hl7.org/fhir/R4/profiling.html#slicing) for the `Extension.extension` element, meaning this is a nested extension. The `discriminator` element defines that slices will be identified by the value of their `url` attribute. A `rules` element with value `open` means other types of slices may be added later on e.g. when creating a profile. This element is not added to the `meta.tag.extension` element it only serves the purpose of defining the `discriminator`. Next up is the first slice called `parentOrganization`:
+
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+```
+
+The first element defines a slice called `parentOrganization` on the `Extension.extension` element with cardinality `1..1`. The second element defines the url attribute of the `parentOrganization` slice to be fixed to the value `parent-organization`. With this information the next element can be added to `meta.tag`. Since it is defined on `Extension.extension` it will be added it to `meta.tag.extension.extension` like this:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+```
+
+After that, it defines `parentOrganization.value[x]` to occur at least once and have a type of `Identifier`. To turn this into an element to add to `meta.tag.extension.extension` requires replacing `[x]` with the code in `value[x].type`, which in this case is `Identifier`. It is important to note, that `value[x]` should be camel cased after replacement. This means there will be a `meta.tag.extension.extension.valueIdentifier` element:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+The last two elements define a `system` element with a fixed value and `value` element that can be freely set, since it does not have any constraints applied. Notice that the element definition still uses `value[x].system` and `value[x].value`. The replacement mentioned earlier does not happen in the element definition, but since `value[x]` is defined to have the type `Identifier`, it is inferred that `Identifier.system` and `Identifier.value` are referenced. The example will use an arbitrary `Identifier` value, but real application should be using an actual organization identifier depending on which organization has read access to the resource.
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+Next is the slice is called `organizationRole`:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ...
+
+
+```
+
+Like with `parentOrganization`, an extension element to `meta.tag.extension` is added with the fixed url value defined above:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+Instead of `Identifier`, the `value[x]` element is now defined as a `Coding` type. This the next element to add will be `valueCoding`:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+A `Coding` has to belong to some [CodeSystem](../fhir/codesystem.md). The DSF has a CodeSystem called [dsf-organization-role](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/CodeSystem/dsf-organization-role-2.0.0.xml). Before creating new CodeSystems, it is worth taking a look at it to see if an appropriate role already exists for an organization. The example will be using the `DIC` role:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+Now there is only two elements left in the `differential` statement:
+
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+```
+
+The `Extension.url` element requires a url attribute to be added to `meta.tag.extension`. The last element defines that there must not be a `meta.tag.extension.value[x]` element. This results in this final Read Access Tag:
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Related Topics
+[Read Access Tag](../dsf/read-access-tag.md)
+
+---
+
+## Task Parameters
+Source: https://dsf.dev/process-development/api-v2/guides/adding-task-parameters-to-task-profiles.html
+
+## Adding Task Parameters to Task Profiles
+This guide will demonstrate adding Input Parameters to a Task profile but can be used analogously for Output Parameters as well by replacing instances of `input` with `output`
+
+When adding a new [Input Parameter](../fhir/task.md#task-input-parameters) to a [Task](../fhir/task.md) profile, a new slice is added to `Task.input`. [Slicing](https://www.hl7.org/fhir/R4/profiling.html#slicing) is part of [profiling](https://www.hl7.org/fhir/R4/profiling.html) in FHIR. Profiling lets you create your own FHIR definitions based on pre-existing FHIR definitions. A slicing defines constraints on element lists like `Task.input` e.g. by only allowing the elements to be of certain types.
+For example, there might be a list of fruits in a `FruitBasket` resource. Constraining that list to only include fruits of type `Apple`, `Banana` and `Orange` would be considered [slicing](https://www.hl7.org/fhir/R4/profiling.html#slicing).
+This guide will not cover how slicing works in general, only for the case presented by the DSF FHIR resource context. The goal will be to add a new [Input Parameter](../fhir/task.md#task-input-parameters) of type `example-input` to the `task-start-dic-process.xml` profile which will be used to submit `integer` values to a process called `dicProcess`.
+
+As a first step, a slice to `task-start-dic-process.xml` is added. Since there is already a slicing defined on `Task.input` by `task-start-dic-process.xml`'s `baseDefinition`, this resource has to be looked at first. As a part of the [differential](https://www.hl7.org/fhir/R4/profiling.html#snapshot) statement, slicing also uses [Element Definitions](https://www.hl7.org/fhir/R4/elementdefinition.html).
+The slicing for `Task.input` is defined in this part of the `baseDefinition`:
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+*The resource can be found [here](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-task-2.0.0.xml)*
+
+First look at the `discriminator` tag. Discriminators define the elements a FHIR processor needs to distinguish slices by. In this case, a processor would look at the values for `type.coding.system` and `type.coding.code` to determine which slice this element belongs to. The discriminator type `value` implies that `type.coding.system` and `type.coding.code` have to be present in all slices and need to have a fixed value. There is more information about discriminators in the [official FHIR documentation](https://www.hl7.org/fhir/R4/profiling.html#discriminator).
+
+Now revisit `task-start-dic-process.xml` and start adding a slice called `example-input` to it:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+```
+*Irrelevant elements for this guide are hidden by ... placeholders.*
+
+There is now a slice defined on `Task.input` with the name and id of `example-input` and cardinality of `1..1`. The name and cardinality depend on the use case. It is recommended to also take a look at the documentation for [ElementDefinition.id](https://www.hl7.org/fhir/R4/elementdefinition.html#id) and [ElementDefinition.path](https://www.hl7.org/fhir/R4/elementdefinition.html#path). They explain how to create the proper values for these elements. Cardinality is also part of the [element definition](https://www.hl7.org/fhir/R4/elementdefinition.html) hierarchy (see [ElementDefinition.min](https://www.hl7.org/fhir/R4/elementdefinition-definitions.html#ElementDefinition.min) and [ElementDefinition.max](https://www.hl7.org/fhir/R4/elementdefinition-definitions.html#ElementDefinition.max)).
+
+Next up is the binding for `Task.input:example-input.type`. Because `Task.input.type` is a `CodeableConcept` which uses codings from a [ValueSet](../fhir/valueset.md), the [discriminator](https://www.hl7.org/fhir/R4/profiling.html#discriminator) requires the use of `required` as the binding strength:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+The binding now references a [ValueSet](../fhir/valueset.md). Moving beyond this example will require referencing an existing [ValueSet](../fhir/valueset.md) resource or create a new one. A guide on how to create them can be found [here](../guides/creating-valuesets-for-dsf-processes.md).
+
+Since the [discriminator](https://www.hl7.org/fhir/R4/profiling.html#discriminator) requires `Task.input.coding.code` and `Task.input.coding.system` to be present, `Task.input.coding` will be marked as mandatory as well:
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+The beginning mentioned how `Task.input.type.coding.system` and `Task.input.type.coding.code` have to use fixed values. Here is how this is accomplished:
+
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+*Notice the two new elements were marked as mandatory because they are required by the discriminator.*
+
+The `type.coding.system` element references a [CodeSystem](../fhir/codesystem.md). The `type.coding.code` element uses a code from this [CodeSystem](../fhir/codesystem.md) called `example-input`. This is the mechanism by which [Input Parameter](../fhir/task.md#task-input-parameters) are "named". The `type.coding.code` value will identify the [Input Parameter](../fhir/task.md#task-input-parameters) when it is used in an actual [Task](../fhir/task.md#task-input-parameters) resource. Here is how this would look like:
+
+```xml
+
+ ...
+
+
+
+
+
+
+
+ ...
+
+
+```
+
+Adding a slice in a different use case will also require to reference an existing [CodeSystem](../fhir/codesystem.md) resource or create a new one to reference. A guide on how to create them can be found [here](../guides/creating-codesystems-for-dsf-processes.md).
+
+`Task.input.value[x]` is the actual value submitted when using the Input Parameter. They may be any of [these](https://www.hl7.org/fhir/R4/datatypes.html#open) data types. This is because `Type.input.value[x]` refers to `*` instead of any particular type in its [definition](https://www.hl7.org/fhir/R4/task-definitions.html#Task.input.value_x_). In this case, let it be an `integer` type`:
+
+```xml
+
+ ...
+
+ ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+There is now a new Input Parameter of type `example-input` which accepts any `integer` as its value.
+
+## Related Topics
+[Creating CodeSystems for DSF processes](creating-codesystems-for-dsf-processes.md), [Creating ValueSets for DSF processes](creating-valuesets-for-dsf-processes.md), [Task](../fhir/task.md)
+
+---
+
+## User Tasks
+Source: https://dsf.dev/process-development/api-v2/guides/user-tasks-in-the-dsf.html
+
+### User Tasks in the DSF
+
+Creating a [User Task](../bpmn/user-tasks.md) in a BPMN model causes the DSF to automatically generate a [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html) resource based on the [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) specified in the [User Task's](../bpmn/user-tasks.md) `Forms` field when process execution reaches the [User Task](../bpmn/user-tasks.md). The `Forms` field must have the type `Embedded or External Task Forms`, with the `Form key` set to the URL of the [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) resource. The [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) resource must be placed in the `src/main/resources/fhir/Questionnaire` directory.
+
+The generated [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html) can be accessed and answered by navigating to `https://example.org/fhir/QuestionnaireResponse?_sort=-_lastUpdated&status=in-progress` in the DSF FHIR server UI. After completing and submitting the [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html), the process execution will proceed to the next BPMN element following the [User Task](../bpmn/user-tasks.md). The updated [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html) will then be accessible via the [Process Plugin Api's](../dsf/process-plugin-api.md) `Variables` instance by calling `getLatestReceivedQuestionnaireResponse()`.
+
+It is also possible to register a [Task Listener](https://docs.camunda.org/manual/7.21/user-guide/process-engine/delegation-code/#task-listener) on the [User Task](../bpmn/user-tasks.md). This enables manipulation of the [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html) before it is posted to the DSF FHIR server. This can be achieved by extending the `DefaultUserTaskListener` class, which provides overrides for interacting with the [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html).
+
+Dynamically changing the `item.text` value of an item in a [QuestionnaireResponse](https://www.hl7.org/fhir/R4/questionnaireresponse.html) (if the item is **not** of type `display`) is not permitted. To change text dynamically, the `item.text` value of the corresponding [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) resource must also be updated. As an alternative, an item of type `display` can be placed above the item requiring dynamic text, and its `item.text` value can be modified instead, as shown in the template. In this case, the `item.text` element of the item below the display item may be omitted.
+
+
+Below is a template for a [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) resource. The placeholder `questionnaire-name` should be replaced with the actual name of the [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html), and the file should be named accordingly. The items `business-key` and `user-task-id` are required by the DSF and must always be included. Additional items can be added to the [Questionnaire](https://www.hl7.org/fhir/R4/questionnaire.html) as needed.
+
+
+### Questionnaire Template
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Related Topics
+[Questionnaire and QuestionnaireResponse](../fhir/questionnaire-and-questionnaireresponse.md)
+
+---
+
+## Managing Messages
+Source: https://dsf.dev/process-development/api-v2/guides/managing-mutiple-incoming-messages-and-missing-messages.html
+
+## Managing Multiple Incoming Messages and Missing Messages
+
+If an already running process instance is waiting for a message from another organization, the corresponding FHIR [Task](../fhir/task.md) may never arrive. Either because the other organization decides to never send the message or because some technical problem prohibits the [Task](../fhir/task.md) resource from being posted to the DSF FHIR server. This would result in stale process instances that never finish.
+
+At the same time, it might also be expected to receive one out of a number of different message types at once.
+
+An [Event Based Gateway](../bpmn/gateways.md#event-based-gateway) can be used to solve both problems by adding it to the process waiting for a response and then either handling a [Task](../fhir/task.md) resource with the response and finish the process in a success state or triggering a [Timer Intermediate Catching Event](../bpmn/timer-intermediate-catching-events.md) after a defined wait period and finish the process in an error state. The following BPMN collaboration diagram shows how the process at the first organization would look like if we wanted to react to multiple different messages or missing messages:
+
+
+
+
+
+
+
+
+## Related Topics
+[Gateways](../bpmn/gateways.md), [Message Correlation](../dsf/message-correlation.md), [Message Activities](../dsf/message-activities.md)
+
+---
+
+## Linter Tool
+Source: https://dsf.dev/process-development/linter-tool/linter-tool.html
+
+# DSF Linter - Complete Documentation
+
+A comprehensive linting tool for DSF (Data Sharing Framework) process plugins. Validates BPMN processes, FHIR resources, and plugin configurations from JAR files.
+
+## Table of Contents
+
+1. [Overview](#overview)
+2. [Quick Start](#quick-start)
+3. [Installation](#installation)
+4. [Usage](#usage)
+5. [CLI Options](#cli-options)
+6. [Report Generation](#report-generation)
+7. [Architecture](#architecture)
+8. [API Reference](#api-reference)
+
+## Overview
+
+The DSF Linter is a static analysis tool designed to validate DSF process plugins before deployment. It performs comprehensive checks on:
+
+- **BPMN Process Definitions**: Validates Camunda BPMN 2.0 models, task implementations, event configurations, and FHIR resource references
+- **FHIR Resources**: Validates ActivityDefinition, Task, StructureDefinition, ValueSet, CodeSystem, and Questionnaire resources
+- **Plugin Configuration**: Verifies ServiceLoader registrations, resource references, and plugin structure
+
+### Key Features
+
+- ✅ Validates BPMN processes against DSF conventions
+- ✅ Validates FHIR resources against DSF profiles and HL7 specifications
+- ✅ Detects unreferenced (leftover) resources
+- ✅ Generates detailed HTML and JSON reports
+- ✅ Supports local and remote JAR file input
+- ✅ Multi-plugin project support
+- ✅ CI/CD integration ready
+- ✅ Comprehensive error reporting with severity levels
+- ✅ Extensible architecture for custom validation rules
+
+### What is DSF?
+
+The Data Sharing Framework (DSF) is a framework for implementing interoperable healthcare data sharing processes. DSF process plugins contain:
+
+- **BPMN Processes**: Business process definitions using Camunda BPMN 2.0
+- **FHIR Resources**: Healthcare data resources conforming to HL7 FHIR specifications
+- **Plugin Classes**: Java classes implementing the DSF ProcessPlugin interface
+
+## Quick Start
+
+### Build the Project
+
+```bash
+# Full build with tests
+mvn clean package
+
+# Skip tests for faster build
+mvn clean package -DskipTests
+
+# Verbose output
+mvn clean package -X
+```
+
+### Basic Usage
+
+```bash
+# Lint a local JAR file
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path your-plugin.jar --html
+
+# Lint a remote JAR file
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path https://github.com/datasharingframework/dsf-process-ping-pong/releases/download/v2.0.0.1/dsf-process-ping-pong-2.0.0.1.jar --html
+
+# View report at: /tmp/dsf-linter-report-/dsf-linter-report/index.html
+```
+
+## Installation
+
+### Requirements
+
+- **Java**: 17 or higher (Java 25+ required for API Version 2 validation)
+- **Maven**: 3.6 or higher
+- **Operating System**: Windows, Linux, or macOS
+
+### Building from Source
+
+```bash
+# Clone the repository
+git clone
+cd dsf-linter
+
+# Build the project
+mvn clean package
+
+# The executable JAR will be at:
+# linter-cli/target/linter-cli-0.1.2.jar
+```
+
+### Distribution
+
+The linter is distributed as a single executable JAR file that includes all dependencies. After building, the JAR can be used standalone:
+
+```bash
+# Copy to a convenient location
+cp linter-cli/target/linter-cli-0.1.2.jar ~/bin/dsf-linter.jar
+
+# Use from anywhere
+java -jar ~/bin/dsf-linter.jar --path plugin.jar --html
+```
+
+## Usage
+
+### Input Types
+
+The linter accepts only **JAR files** as input:
+
+| Input Type | Example | Description |
+|------------|---------|-------------|
+| Local JAR | `--path C:\path\to\plugin.jar` | JAR file in local filesystem |
+| Remote JAR | `--path https://example.com/plugin.jar` | JAR file via HTTP/HTTPS URL |
+
+**Important:** Maven projects must first be built with `mvn clean package` before the resulting JAR file can be linted.
+
+### Expected JAR Structure
+
+The linter expects the following structure in the JAR file:
+
+```
+plugin.jar
+├── META-INF/
+│ └── services/
+│ ├── dev.dsf.bpe.v1.ProcessPluginDefinition (v1)
+│ └── dev.dsf.bpe.v2.ProcessPluginDefinition (v2)
+├── bpe/
+│ └── *.bpmn (BPMN process definitions)
+└── fhir/
+ ├── ActivityDefinition/
+ │ └── *.xml or *.json
+ ├── Task/
+ │ └── *.xml or *.json
+ ├── StructureDefinition/
+ │ └── *.xml or *.json
+ ├── ValueSet/
+ │ └── *.xml or *.json
+ ├── CodeSystem/
+ │ └── *.xml or *.json
+ └── Questionnaire/
+ └── *.xml or *.json
+```
+
+### Usage Examples
+
+#### Basic Linting
+
+```bash
+# Local JAR file
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path C:\path\to\plugin.jar --html
+
+# Remote JAR file
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path https://github.com/datasharingframework/dsf-process-ping-pong/releases/download/v2.0.0.1/dsf-process-ping-pong-2.0.0.1.jar --html
+```
+
+#### Advanced Configuration
+
+```bash
+# Multiple report formats with custom path
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html --json --report-path ./reports
+
+# Verbose output (colors enabled by default, use --no-color to disable)
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html --verbose
+
+# Lint Maven project (two-step process)
+# Step 1: Build the project
+cd /path/to/project && mvn clean package
+
+# Step 2: Lint the resulting JAR
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path /path/to/project/target/my-plugin-1.0.0.jar --html
+```
+
+#### CI/CD Integration
+
+```bash
+# GitHub Actions / GitLab CI
+FORCE_COLOR=1 java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html --json --verbose
+
+# Jenkins (fail on errors)
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html
+# Exit code: 0 = success, 1 = errors
+
+# Don't fail build (gradual adoption)
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html --no-fail
+```
+
+## CLI Options
+
+| Option | Short | Description | Required |
+|--------|-------|-------------|----------|
+| `--path ` | `-p` | Path to JAR file (local or remote URL) | Yes |
+| `--html` | | Generate HTML report | No |
+| `--json` | | Generate JSON report | No |
+| `--report-path ` | `-r` | Custom report directory (default: `/dsf-linter-report-/dsf-linter-report`) | No |
+| `--verbose` | `-v` | Enable verbose logging output | No |
+| `--no-color` | | Disable colored console output (default: enabled) | No |
+| `--no-fail` | | Exit with code 0 even if linter errors are found | No |
+| `--help` | `-h` | Display help message | No |
+| `--version` | | Display version information | No |
+
+### Environment Variables
+
+| Variable | Effect |
+|----------|--------|
+| `NO_COLOR` | Disables colored output |
+| `FORCE_COLOR` | Forces colored output (useful in CI) |
+| `TERM=dumb` | Disables colored output |
+| `WT_SESSION`, `ANSICON` | Windows color detection |
+
+### Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Success (no errors, or `--no-fail` was used) |
+| 1 | Failure (errors found, or fatal error occurred) |
+
+
+## Report Generation
+
+### Report Structure
+
+Reports are generated in the following structure:
+
+```
+/
+├── index.html # Summary report (all plugins)
+├── plugin-name.html # Detailed report for each plugin
+└── plugin-name.json # JSON report (if --json specified)
+```
+
+The default `` resolves to `/dsf-linter-report-/dsf-linter-report`, for example:
+
+```
+/tmp/dsf-linter-report-my-plugin/dsf-linter-report/
+├── index.html
+├── my-plugin.html
+└── my-plugin.json
+```
+
+Use `--report-path` to override this location.
+
+### HTML Report
+
+The HTML report provides a comprehensive, human-readable view of all linting results.
+
+#### Summary Page (`index.html`)
+
+The summary page includes:
+
+- **Header**:
+ - DSF Linter version
+ - Execution timestamp
+ - Project path
+
+- **Overall Statistics**:
+ - Total number of plugins
+ - Total errors
+ - Total warnings
+ - Execution time
+
+- **Plugin Summary Table**:
+ - Plugin name
+ - API version
+ - Error count
+ - Warning count
+ - Link to detailed report
+
+- **Leftover Resource Summary**:
+ - Unreferenced BPMN files
+ - Unreferenced FHIR resources
+
+#### Plugin Report (`plugin-name.html`)
+
+Each plugin has a detailed report page containing:
+
+- **Plugin Metadata**:
+ - Plugin name
+ - Plugin class name
+ - API version (v1 or v2)
+
+- **BPMN Validation Results**:
+ - List of all BPMN files
+ - Errors and warnings per file
+ - Detailed error messages with file and line references
+
+- **FHIR Validation Results**:
+ - List of all FHIR resources by type
+ - Errors and warnings per resource
+ - Detailed error messages with element paths
+
+- **Plugin Configuration Results**:
+ - ServiceLoader registration status
+ - Resource reference validation results
+
+- **Leftover Resource Analysis**:
+ - Unreferenced BPMN files
+ - Unreferenced FHIR resources
+
+- **Severity Indicators**:
+ - Color-coded severity levels (ERROR, WARNING, INFO, SUCCESS)
+ - Expandable/collapsible sections
+
+### JSON Report
+
+The JSON report provides machine-readable output for CI/CD integration and automated processing.
+
+#### Structure
+
+```json
+{
+ "version": "0.1.1",
+ "timestamp": "2025-06-15T10:30:00Z",
+ "projectPath": "/path/to/plugin.jar",
+ "executionTimeMs": 2300,
+ "success": true,
+ "summary": {
+ "totalPlugins": 1,
+ "totalErrors": 0,
+ "totalWarnings": 1,
+ "totalLeftoverBpmn": 0,
+ "totalLeftoverFhir": 0
+ },
+ "plugins": {
+ "plugin-name": {
+ "name": "plugin-name",
+ "class": "dev.dsf.bpe.plugin.ExamplePlugin",
+ "apiVersion": "V1",
+ "errors": 0,
+ "warnings": 1,
+ "bpmnFiles": [
+ {
+ "path": "bpe/process.bpmn",
+ "errors": 0,
+ "warnings": 1,
+ "items": [...]
+ }
+ ],
+ "fhirResources": {
+ "ActivityDefinition": [...],
+ "Task": [...],
+ "StructureDefinition": [...]
+ },
+ "pluginConfig": {
+ "serviceLoaderRegistered": true,
+ "items": [...]
+ }
+ }
+ },
+ "leftoverAnalysis": {
+ "unreferencedBpmn": [],
+ "unreferencedFhir": []
+ }
+}
+```
+
+#### Lint Item Structure
+
+Each lint item in the JSON report has the following structure:
+
+```json
+{
+ "severity": "ERROR",
+ "type": "BpmnServiceTaskNameEmptyLintItem",
+ "message": "Service task must have a non-empty name",
+ "file": "bpe/process.bpmn",
+ "element": "ServiceTask_1",
+ "line": 42,
+ "column": 10
+}
+```
+
+### Example Console Output
+
+```
+DSF Linter v0.1.1
+=================================================================
+Project: /path/to/plugin.jar
+Report: /tmp/dsf-linter-report-plugin/dsf-linter-report
+=================================================================
+
+Phase 1: Project Setup
+✓ JAR file validated
+✓ Resources extracted
+
+Phase 2: Resource Discovery
+✓ Found 1 plugin(s)
+✓ Plugin: my-process-plugin
+ - BPMN: 2 files
+ - FHIR: 15 resources
+
+Phase 3: Linting
+✓ BPMN validation: 0 errors, 1 warning
+✓ FHIR validation: 0 errors, 0 warnings
+✓ Plugin validation: 0 errors
+
+Phase 4: Report Generation
+✓ HTML report generated
+
+Summary
+=================================================================
+✓ SUCCESS - No errors found
+ Plugins: 1
+ Errors: 0
+ Warnings: 1
+ Execution time: 2.3s
+=================================================================
+```
+
+## Architecture
+
+### Project Structure
+
+```
+dsf-linter/
+├── linter-core/ # Core linting logic
+│ ├── src/main/java/dev/dsf/linter/
+│ │ ├── DsfLinter.java # Main orchestrator
+│ │ ├── analysis/ # Resource analysis
+│ │ │ └── LeftoverResourceDetector.java
+│ │ ├── bpmn/ # BPMN parsing & validation
+│ │ │ ├── BpmnLinter.java
+│ │ │ ├── BpmnModelLinter.java
+│ │ │ ├── BpmnElementLinter.java
+│ │ │ ├── BpmnProcessLinter.java
+│ │ │ ├── BpmnTaskLinter.java
+│ │ │ ├── BpmnEventLinter.java
+│ │ │ ├── BpmnFieldInjectionLinter.java
+│ │ │ ├── BpmnGatewayAndFlowLinter.java
+│ │ │ └── BpmnSubProcessLinter.java
+│ │ ├── classloading/ # Dynamic class loading
+│ │ │ ├── ProjectClassLoaderFactory.java
+│ │ │ └── ClassInspector.java
+│ │ ├── constants/ # Constants & configuration
+│ │ │ ├── BpmnElementType.java
+│ │ │ └── DsfApiConstants.java
+│ │ ├── exception/ # Custom exceptions
+│ │ │ ├── ApiVersionUnknownException.java
+│ │ │ ├── MissingServiceRegistrationException.java
+│ │ │ └── ResourceLinterException.java
+│ │ ├── fhir/ # FHIR parsing & validation
+│ │ │ ├── FhirResourceLinter.java
+│ │ │ ├── FhirFileLinter.java
+│ │ │ ├── FhirTaskLinter.java
+│ │ │ ├── FhirStructureDefinitionLinter.java
+│ │ │ ├── FhirValueSetLinter.java
+│ │ │ ├── FhirActivityDefinitionLinter.java
+│ │ │ ├── FhirCodeSystemLinter.java
+│ │ │ └── FhirQuestionnaireLinter.java
+│ │ ├── input/ # Input handling & JAR processing
+│ │ │ ├── InputResolver.java
+│ │ │ ├── InputType.java
+│ │ │ └── JarHandler.java
+│ │ ├── logger/ # Logging infrastructure
+│ │ │ ├── Logger.java
+│ │ │ ├── ConsoleLogger.java
+│ │ │ ├── Console.java
+│ │ │ ├── LogDecorators.java
+│ │ │ └── LogUtils.java
+│ │ ├── output/ # Lint item definitions & types
+│ │ │ ├── FloatingElementType.java
+│ │ │ ├── FlowElementType.java
+│ │ │ ├── LinterSeverity.java
+│ │ │ ├── LintingType.java
+│ │ │ ├── ProcessingLevel.java
+│ │ │ └── item/ # Lint item base classes
+│ │ │ ├── AbstractLintItem.java
+│ │ │ ├── BpmnElementLintItem.java
+│ │ │ ├── BpmnFlowElementLintItem.java
+│ │ │ ├── BpmnLintItem.java
+│ │ │ ├── FhirElementLintItem.java
+│ │ │ ├── FhirLintItem.java
+│ │ │ ├── LintItem.java
+│ │ │ └── PluginLintItem.java
+│ │ ├── plugin/ # Plugin definition discovery
+│ │ │ ├── EnhancedPluginDefinitionDiscovery.java
+│ │ │ ├── PluginDefinitionDiscovery.java
+│ │ │ └── PluginDiscoveryError.java
+│ │ ├── report/ # Report generation
+│ │ │ ├── HtmlReportGenerator.java
+│ │ │ ├── JsonReportGenerator.java
+│ │ │ ├── LintConsolePrinter.java
+│ │ │ └── LintingReportGenerator.java
+│ │ ├── service/ # Linting services
+│ │ │ ├── AbstractResourceLintingService.java
+│ │ │ ├── BpmnLintingService.java
+│ │ │ ├── FhirLintingService.java
+│ │ │ ├── LintingResult.java
+│ │ │ ├── PluginLintingOrchestrator.java
+│ │ │ ├── PluginLintingService.java
+│ │ │ ├── PluginMetadataLinter.java
+│ │ │ └── ResourceDiscoveryService.java
+│ │ ├── setup/ # Project setup & JAR extraction
+│ │ │ └── ProjectSetupHandler.java
+│ │ └── util/ # Utilities
+│ │ ├── api/ # API version detection
+│ │ │ ├── ApiVersion.java
+│ │ │ ├── ApiVersionDetector.java
+│ │ │ ├── ApiVersionHolder.java
+│ │ │ ├── DetectedVersion.java
+│ │ │ ├── DetectionSource.java
+│ │ │ └── PluginVersionUtils.java
+│ │ ├── bpmn/ # BPMN utilities
+│ │ │ ├── BpmnModelUtils.java
+│ │ │ └── linters/ # Element-specific BPMN linters
+│ │ │ ├── BpmnBoundaryEventLinter.java
+│ │ │ ├── BpmnEndEventLinter.java
+│ │ │ ├── BpmnEventLinter.java
+│ │ │ ├── BpmnIntermediateCatchEventLinter.java
+│ │ │ ├── BpmnIntermediateThrowEventLinter.java
+│ │ │ ├── BpmnListenerLinter.java
+│ │ │ ├── BpmnMessageEventImplementationLinter.java
+│ │ │ ├── BpmnMessageLinter.java
+│ │ │ ├── BpmnStartEventLinter.java
+│ │ │ └── BpmnTimerLinter.java
+│ │ ├── cache/ # Caching utilities
+│ │ │ └── ConcurrentCache.java
+│ │ ├── converter/ # Format converters
+│ │ │ └── JsonXmlConverter.java
+│ │ ├── linting/ # Linting utilities
+│ │ │ ├── AbstractFhirInstanceLinter.java
+│ │ │ ├── LintingOutput.java
+│ │ │ ├── LintingUtils.java
+│ │ │ └── PluginLintingUtils.java
+│ │ ├── loader/ # Class/service loading
+│ │ │ ├── ClassLoaderUtils.java
+│ │ │ └── ServiceLoaderUtils.java
+│ │ └── resource/ # Resource management
+│ │ ├── CompositeResourceProvider.java
+│ │ ├── FhirAuthorizationCache.java
+│ │ ├── FhirFileUtils.java
+│ │ ├── FhirResourceEntry.java
+│ │ ├── FhirResourceExtractor.java
+│ │ ├── FhirResourceLocator.java
+│ │ ├── FhirResourceParser.java
+│ │ ├── FileSystemResourceProvider.java
+│ │ ├── JarResourceProvider.java
+│ │ ├── ResourceDiscoveryUtils.java
+│ │ ├── ResourceEntryFactory.java
+│ │ ├── ResourcePathNormalizer.java
+│ │ ├── ResourceProvider.java
+│ │ ├── ResourceResolutionResult.java
+│ │ ├── ResourceResolutionService.java
+│ │ ├── ResourceRootResolver.java
+│ │ └── ResourceType.java
+│ ├── src/main/resources/
+│ │ ├── logback.xml # Logging configuration
+│ │ ├── logback-verbose.xml # Verbose logging configuration
+│ │ └── templates/ # HTML report templates
+│ │ ├── logo.svg
+│ │ ├── single_plugin_report.html
+│ │ └── summary_report.html
+│ └── src/test/ # Unit tests
+│ ├── java/
+│ └── resources/ # Test fixtures
+└── linter-cli/ # CLI interface
+ └── src/main/java/dev/dsf/linter/
+ ├── Main.java # CLI entry point
+ ├── LinterExecutor.java # Execution wrapper
+ └── ResultPrinter.java # Result formatting
+```
+
+### Key Components
+
+| Component | Purpose |
+|-----------|---------|
+| `DsfLinter` | Main orchestrator coordinating all linting phases |
+| `ProjectSetupHandler` | Handles JAR extraction and classloader setup |
+| `ResourceDiscoveryService` | Discovers plugins, BPMN files, and FHIR resources |
+| `BpmnLintingService` | Orchestrates BPMN validation |
+| `FhirLintingService` | Orchestrates FHIR resource validation |
+| `PluginLintingService` | Validates plugin configuration and ServiceLoader registration |
+| `PluginLintingOrchestrator` | Coordinates per-plugin linting workflow |
+| `LeftoverResourceDetector` | Identifies unreferenced resources |
+| `LintingReportGenerator` | Generates HTML and JSON reports |
+| `InputResolver` | Resolves and downloads remote JAR files |
+| `BpmnModelLinter` | Validates BPMN model structure and elements |
+| `FhirResourceLinter` | Validates FHIR resources using pluggable linters |
+
+### Design Patterns
+
+The linter uses several design patterns:
+
+- **Template Method Pattern**: Abstract base classes define linting algorithm structure
+- **Strategy Pattern**: Pluggable linters for different resource types
+- **Factory Pattern**: Classloader and service creation
+- **Service Locator Pattern**: Plugin discovery via ServiceLoader
+- **Builder Pattern**: Configuration and result objects
+
+### Thread Safety
+
+- Most components are stateless and thread-safe
+- Classloader isolation ensures no cross-plugin interference
+- Temporary context classloader used for resource access
+- Result objects are immutable
+
+## API Reference
+
+### Core Classes
+
+#### `DsfLinter`
+
+Main orchestrator class for the linting process.
+
+**Constructor**:
+```java
+DsfLinter(Config config)
+```
+
+**Methods**:
+```java
+OverallLinterResult lint() throws IOException
+```
+
+**Usage**:
+```java
+DsfLinter.Config config = new DsfLinter.Config(
+ projectPath,
+ reportPath,
+ generateHtmlReport,
+ generateJsonReport,
+ failOnErrors,
+ logger
+);
+
+DsfLinter linter = new DsfLinter(config);
+DsfLinter.OverallLinterResult result = linter.lint();
+```
+
+#### `DsfLinter.Config`
+
+Configuration record for the linter.
+
+**Fields**:
+- `Path projectPath`: Path to the project root
+- `Path reportPath`: Path for report generation
+- `boolean generateHtmlReport`: Whether to generate HTML report
+- `boolean generateJsonReport`: Whether to generate JSON report
+- `boolean failOnErrors`: Whether to fail on errors
+- `Logger logger`: Logger instance
+
+#### `DsfLinter.OverallLinterResult`
+
+Result record containing all linting results.
+
+**Fields**:
+- `Map pluginLinter`: Results per plugin
+- `LeftoverResourceDetector.AnalysisResult leftoverAnalysis`: Leftover resource analysis
+- `Path masterReportPath`: Path to master report
+- `long executionTimeMs`: Execution time in milliseconds
+- `boolean success`: Whether linting succeeded
+
+**Methods**:
+- `int getPluginErrors()`: Total error count from plugins
+- `int getPluginWarnings()`: Total warning count from plugins
+- `int getLeftoverCount()`: Count of leftover resources
+- `int getTotalErrors()`: Total errors including leftovers
+
+#### `DsfLinter.PluginLinter`
+
+Linting result for a single plugin.
+
+**Fields**:
+- `String pluginName`: Name of the plugin
+- `String pluginClass`: Fully qualified class name
+- `ApiVersion apiVersion`: DSF API version (V1 or V2)
+- `LintingOutput output`: Detailed linting output
+- `Path reportPath`: Path to generated report
+
+### Linting Services
+
+#### `BpmnLintingService`
+
+Service for linting BPMN files.
+
+**Constructor**:
+```java
+BpmnLintingService(Logger logger)
+```
+
+**Methods**:
+```java
+LintingResult lint(
+ String pluginName,
+ List bpmnFiles,
+ List missingRefs,
+ Map outsideRoot,
+ Map fromDependencies,
+ File pluginResourceRoot
+)
+```
+
+#### `FhirLintingService`
+
+Service for linting FHIR resources.
+
+**Constructor**:
+```java
+FhirLintingService(Logger logger)
+```
+
+**Methods**:
+```java
+LintingResult lint(
+ String pluginName,
+ List fhirFiles,
+ List missingRefs,
+ Map outsideRoot,
+ Map fromDependencies,
+ File pluginResourceRoot
+)
+```
+
+#### `PluginLintingService`
+
+Service for linting plugin configuration.
+
+**Constructor**:
+```java
+PluginLintingService(Logger logger)
+```
+
+**Methods**:
+```java
+LintingResult lintPlugin(
+ Path projectPath,
+ PluginAdapter pluginAdapter,
+ ApiVersion apiVersion,
+ List collectedPluginItems
+) throws MissingServiceRegistrationException
+```
+
+### Lint Items
+
+All lint items extend `AbstractLintItem` and implement specific interfaces.
+
+#### Base Classes
+
+- `AbstractLintItem`: Base class for all lint items
+- `BpmnElementLintItem`: Base class for BPMN-specific lint items
+- `FhirElementLintItem`: Base class for FHIR-specific lint items
+- `PluginLintItem`: Base class for plugin-specific lint items
+
+#### Severity Levels
+
+- `ERROR`: Critical issue that **must be fixed**. Will cause the plugin to fail at deployment or runtime.
+- `WARNING`: Violation of DSF best practices, or something that **could be an error depending on context**.
+- `INFO`: Technically valid, but something looks unusual or incomplete. Worth a second look — no immediate action required.
+- `SUCCESS`: Validation passed. Shown to confirm what was checked and give confidence in the covered areas.
+
+#### Common Lint Item Methods
+
+```java
+LinterSeverity getSeverity()
+String getMessage()
+File getFile()
+String getElement()
+```
+
+### Utility Classes
+
+#### `Logger`
+
+Interface for logging functionality.
+
+**Methods**:
+```java
+void error(String message)
+void error(String message, Throwable throwable)
+void warn(String message)
+void info(String message)
+void debug(String message)
+```
+
+#### `InputResolver`
+
+Resolves and processes input JAR files.
+
+**Methods**:
+```java
+Optional resolve(String inputPath)
+String extractInputName(String inputPath, InputType inputType)
+void cleanup(ResolutionResult resolution)
+```
+
+#### `ResourceDiscoveryService`
+
+Discovers plugins and resources.
+
+**Methods**:
+```java
+DiscoveryResult discover(ProjectContext context)
+```
+
+---
+
+## Validation Rules
+Source: https://dsf.dev/process-development/linter-tool/validation.html
+
+The linter performs comprehensive validation across multiple dimensions. This section details all validation rules organized by resource type.
+
+## Table of Contents
+
+1. [BPMN Validation](#bpmn-validation)
+2. [FHIR Validation](#fhir-resource-validation)
+3. [Plugin Configuration](#plugin-configuration-validation)
+
+### BPMN Validation
+The linter performs comprehensive validation on BPMN 2.0 process definitions using the Camunda BPMN model API.
+
+
+
+**Important:** The linter automatically detects the DSF API version (V1 or V2) from the plugin configuration and applies version-specific validation rules. Many validation rules differ between V1 and V2 API, particularly for:
+- Service Task and Send Task implementation classes
+- Execution Listeners
+- Task Listeners (User Tasks)
+- Message Events (Intermediate Throw and End Events)
+
+#### Process Validation
+
+##### Process ID Pattern Validation
+
+- **Pattern Requirement**:
+ - Process ID must follow the pattern: `domain_processname`
+ - Domain and process name must consist only of alphanumeric characters (a-z, A-Z, 0-9) and hyphens (-)
+ - Exactly one underscore must separate domain and process name
+ - Error: `BPMN_PROCESS_ID_PATTERN_MISMATCH`
+ - Error: `BPMN_PROCESS_ID_EMPTY`
+ - Success: `SUCCESS` when the pattern is matched
+
+- **Valid Examples**:
+ - ✅ `testorg_myprocess`
+ - ✅ `dsf-dev_download-allowlist`
+ - ✅ `example123_process456`
+
+- **Invalid Examples**:
+ - ❌ `myProcess` (missing underscore)
+ - ❌ `test.org_myprocess` (dots not allowed)
+ - ❌ `test_my_process` (multiple underscores not allowed)
+ - ❌ `test_process_name` (only one underscore allowed)
+
+- **Pattern Definition**:
+ ```regex
+ ^(?[a-zA-Z0-9-]+)_(?[a-zA-Z0-9-]+)$
+ ```
+
+- **DSF Framework Reference**:
+ - This validation is based on the DSF Framework requirement defined in:
+ - `dsf-bpe/dsf-bpe-process-api/src/main/java/dev/dsf/bpe/api/plugin/AbstractProcessPlugin.java`
+
+##### Process Count Validation
+
+- **Requirement**:
+ - Each BPMN file must contain **exactly one** process definition
+ - Error: `BPMN_FILE_NO_PROCESS` (when no process is found)
+ - Error: `BPMN_FILE_MULTIPLE_PROCESSES` (when more than one process is found)
+ - Success: `SUCCESS` when exactly one process is found
+
+- **Valid Examples**:
+ - ✅ BPMN file with 1 process definition
+
+- **Invalid Examples**:
+ - ❌ BPMN file with 0 process definitions
+ - ❌ BPMN file with 2 or more process definitions
+
+- **DSF Framework Reference**:
+ - This validation is based on the DSF Framework requirement defined in:
+ - `dsf-bpe/dsf-bpe-process-api/src/main/java/dev/dsf/bpe/api/plugin/AbstractProcessPlugin.java`
+ - DSF validates: `if (processes.size() != 1) { return false; }`
+
+##### Process History Time To Live Validation
+
+- **Requirement**:
+ - Process should have `camunda:historyTimeToLive` attribute set
+ - If not set (null or empty), DSF automatically uses default value `P30D` (30 days)
+ - Warning: `BPMN_PROCESS_HISTORY_TIME_TO_LIVE_MISSING`
+ - Success: `SUCCESS` when historyTimeToLive is explicitly set
+
+- **Valid Examples**:
+ - ✅ ``
+ - ✅ ``
+
+- **Warning Example**:
+ - ⚠️ `` (no historyTimeToLive attribute)
+
+- **DSF Framework Reference**:
+ - DSF Framework sets default at runtime if not specified:
+ - `process.setOperatonHistoryTimeToLiveString("P30D")`
+ - Best practice: Set explicitly in BPMN file
+
+##### Process Executable Validation
+
+- **Requirement**:
+ - Process must have `isExecutable="true"` attribute set
+ - Processes without this attribute cannot be deployed and executed by the process engine
+ - Error: `BPMN_PROCESS_NOT_EXECUTABLE`
+ - Success: `SUCCESS` when isExecutable is true
+
+- **Valid Examples**:
+ - ✅ ``
+
+- **Invalid Examples**:
+ - ❌ `` (no isExecutable attribute, defaults to false)
+ - ❌ ``
+
+- **Reason**:
+ - The process engine only deploys and executes processes marked as executable
+ - Non-executable processes are typically used for documentation or as templates
+
+#### Task Validation
+
+##### Service Tasks
+
+- **Name Validation**:
+ - Task must have a non-empty name
+ - Error: `BPMN_SERVICE_TASK_NAME_EMPTY`
+
+- **Implementation Class Validation**:
+ - `camunda:class` or `camunda:delegateExpression` must be specified
+ - Error: `BPMN_SERVICE_TASK_IMPLEMENTATION_NOT_EXIST`
+ - Error: `BPMN_SERVICE_TASK_IMPLEMENTATION_CLASS_EMPTY`
+ - Implementation class must exist in the classpath
+ - Error: `BPMN_SERVICE_TASK_IMPLEMENTATION_CLASS_NOT_FOUND`
+
+- **API Version-Specific Requirements**:
+ - **V1 API**:
+ - Both checks are performed separately:
+ - Class must extend `dev.dsf.bpe.v1.activity.AbstractServiceDelegate`
+ - Error: `BPMN_SERVICE_TASK_IMPLEMENTATION_CLASS_NOT_EXTENDING_ABSTRACT_SERVICE_DELEGATE` (if not extending)
+ - Class must implement `org.camunda.bpm.engine.delegate.JavaDelegate`
+ - Error: `BPMN_SERVICE_TASK_IMPLEMENTATION_CLASS_NOT_IMPLEMENTING_JAVA_DELEGATE` (if not implementing)
+ - Note: Both conditions are checked independently. A class should ideally satisfy both, but the linter reports separate errors for each missing requirement.
+ - **V2 API**:
+ - Class must implement `dev.dsf.bpe.v2.activity.ServiceTask`
+ - Error: `BPMN_SERVICE_TASK_NO_INTERFACE_CLASS_IMPLEMENTING`
+
+##### User Tasks
+
+- **Name Validation**:
+ - Task must have a non-empty name
+ - Error: `BPMN_USER_TASK_NAME_EMPTY`
+
+- **Form Key Validation**:
+ - `camunda:formKey` must be present and non-empty
+ - Error: `BPMN_USER_TASK_FORM_KEY_EMPTY`
+ - Must reference an external form (starting with "external:", "http://", or "https://")
+ - Error: `BPMN_USER_TASK_FORM_KEY_IS_NOT_AN_EXTERNAL_FORM`
+ - Must reference a valid Questionnaire resource
+ - Referenced Questionnaire must exist in the plugin
+ - Error: `BPMN_USER_TASK_QUESTIONNAIRE_NOT_FOUND`
+
+- **Listener Validation**:
+ - Listener classes must exist
+ - Error: `BPMN_USER_TASK_LISTENER_JAVA_CLASS_NOT_FOUND`
+ - Listener must have class attribute
+ - Error: `BPMN_USER_TASK_LISTENER_MISSING_CLASS_ATTRIBUTE`
+
+- **API Version-Specific Requirements**:
+ - **V1 API**:
+ - Listener must extend `dev.dsf.bpe.v1.activity.DefaultUserTaskListener` OR implement `org.camunda.bpm.engine.delegate.TaskListener`
+ - Error: `BPMN_USER_TASK_LISTENER_NOT_EXTENDING_OR_IMPLEMENTING_REQUIRED_CLASS`
+ - **V2 API**:
+ - Listener must extend `dev.dsf.bpe.v2.activity.DefaultUserTaskListener` OR implement `dev.dsf.bpe.v2.activity.UserTaskListener`
+ - Error: `BPMN_USER_TASK_LISTENER_NOT_EXTENDING_OR_IMPLEMENTING_REQUIRED_CLASS`
+
+- **Task Listener Input Parameter Validation (V2 API only)**:
+ - Validates input parameters (`camunda:inputParameter`) within task listeners for API v2
+ - Applies to all task listeners in API v2, with severity based on whether the listener extends `DefaultUserTaskListener`
+
+ - **`practitionerRole` Parameter**:
+ - If a `practitionerRole` input parameter is defined in the task listener's `extensionElements`, its value must not be null or empty
+ - **Severity**:
+ - **ERROR**: When the task listener extends `dev.dsf.bpe.v2.activity.DefaultUserTaskListener`
+ - **WARN**: When the task listener does not extend `DefaultUserTaskListener`
+ - Error/Warning: `BPMN_PRACTITIONER_ROLE_HAS_NO_VALUE_OR_NULL`
+ - Success: `SUCCESS` (when value is present and non-empty)
+
+ - **`practitioners` Parameter**:
+ - If a `practitioners` input parameter is defined in the task listener's `extensionElements`, its value must not be null or empty
+ - **Severity**:
+ - **ERROR**: When the task listener extends `dev.dsf.bpe.v2.activity.DefaultUserTaskListener`
+ - **WARN**: When the task listener does not extend `DefaultUserTaskListener`
+ - Error/Warning: `BPMN_PRACTITIONERS_HAS_NO_VALUE_OR_NULL`
+ - Success: `SUCCESS` (when value is present and non-empty)
+
+ - **Validation Behavior**:
+ - Only validates input parameters if they are explicitly defined in the BPMN file
+ - Supports various value formats: direct text content, ``, or `` with `` elements
+ - Validation is skipped if the input parameter is not present (no lint items generated)
+ - Validation only applies to API v2 task listeners
+
+- **Task Listener TaskOutput Field Injections Validation (V2 API only)**:
+ - Validates the taskOutput field injections (`taskOutputSystem`, `taskOutputCode`, `taskOutputVersion`) used to configure output parameters for UserTask listeners
+ - Applies to all task listeners in API v2
+
+ - **Completeness Check**:
+ - If any of the three fields (`taskOutputSystem`, `taskOutputCode`, `taskOutputVersion`) is set, all three must be set
+ - Error: `BPMN_USER_TASK_LISTENER_INCOMPLETE_TASK_OUTPUT_FIELDS`
+ - Message: "If taskOutputSystem, taskOutputCode, or taskOutputVersion is set, all three must be set"
+ - Validation is skipped if none of the fields are set
+
+ - **FHIR Resource Validation**:
+ - **`taskOutputSystem`**: Should reference a valid CodeSystem URL
+ - Uses `FhirAuthorizationCache.containsSystem()` to check if the CodeSystem exists
+ - Error: `BPMN_USER_TASK_LISTENER_TASK_OUTPUT_SYSTEM_INVALID_FHIR_RESOURCE` if CodeSystem is unknown
+ - Success: `SUCCESS` when CodeSystem is valid
+
+ - **`taskOutputCode`**: Should be a valid code in the referenced CodeSystem
+ - Uses `FhirAuthorizationCache.isUnknown()` to check if the code exists in the CodeSystem
+ - Error: `BPMN_USER_TASK_LISTENER_TASK_OUTPUT_CODE_INVALID_FHIR_RESOURCE` if code is unknown
+ - Success: `SUCCESS` when code is valid
+
+ - **`taskOutputVersion`**: Must contain a placeholder (e.g., `#{version}`)
+ - Uses `LintingUtils.containsPlaceholder()` to check for placeholders
+ - Warning: `BPMN_USER_TASK_LISTENER_TASK_OUTPUT_VERSION_NO_PLACEHOLDER` if no placeholder found
+ - Success: `SUCCESS` when placeholder is present
+
+ - **Validation Behavior**:
+ - Only validates field injections if they are explicitly defined in the task listener's `extensionElements`
+ - Field values are read from `camunda:field` elements with `camunda:stringValue` or nested `` elements
+ - Validation is skipped if none of the fields are set (no lint items generated)
+ - Validation only applies to API v2 task listeners
+ - FHIR resource validation is only performed if all three fields are set (completeness check passes)
+
+##### Send Tasks
+
+- **Name Validation**:
+ - Task must have a non-empty name
+
+- **Implementation Class Validation**:
+ - Implementation class must exist
+ - Error: `BPMN_MESSAGE_SEND_TASK_IMPLEMENTATION_CLASS_EMPTY`
+ - Error: `BPMN_MESSAGE_SEND_TASK_IMPLEMENTATION_CLASS_NOT_FOUND`
+
+- **API Version-Specific Requirements**:
+ - **V1 API**:
+ - Both checks are performed separately:
+ - Class must extend `dev.dsf.bpe.v1.activity.AbstractTaskMessageSend`
+ - Error: `BPMN_SEND_TASK_IMPLEMENTATION_CLASS_NOT_EXTENDING_ABSTRACT_TASK_MESSAGE_SEND` (if not extending)
+ - Class must implement `org.camunda.bpm.engine.delegate.JavaDelegate`
+ - Error: `BPMN_MESSAGE_SEND_EVENT_IMPLEMENTATION_CLASS_NOT_IMPLEMENTING_JAVA_DELEGATE` (if not implementing)
+ - Note: Both conditions are checked independently. A class should ideally satisfy both, but the linter reports separate errors for each missing requirement.
+ - **V2 API**:
+ - Class must implement `dev.dsf.bpe.v2.activity.MessageSendTask`
+ - Error: `BPMN_SEND_TASK_NO_INTERFACE_CLASS_IMPLEMENTING`
+
+- **Field Injection Validation**:
+ - Same field injections as Message Send Events are validated: `profile`, `messageName`, and `instantiatesCanonical`
+ - `profile` field injection:
+ - Must be non-empty
+ - Error: `BPMN_FIELD_INJECTION_PROFILE_EMPTY`
+ - Must contain version placeholder `#{version}`
+ - Error: `BPMN_FIELD_INJECTION_PROFILE_NO_VERSION_PLACEHOLDER`
+ - Must reference existing StructureDefinition
+ - Error: `BPMN_NO_STRUCTURE_DEFINITION_FOUND_FOR_MESSAGE`
+ - `messageName` field injection:
+ - Must be non-empty
+ - Error: `BPMN_FIELD_INJECTION_MESSAGE_VALUE_EMPTY`
+ - Must be a string literal
+ - Error: `BPMN_FIELD_INJECTION_NOT_STRING_LITERAL`
+ - `instantiatesCanonical` field injection:
+ - Must be non-empty
+ - Error: `BPMN_FIELD_INJECTION_INSTANTIATES_CANONICAL_EMPTY`
+ - Must end with version placeholder `|#{version}`
+ - Error: `BPMN_FIELD_INJECTION_INSTANTIATES_CANONICAL_NO_VERSION_PLACEHOLDER`
+ - Must reference existing ActivityDefinition
+ - Error: `BPMN_NO_ACTIVITY_DEFINITION_FOUND_FOR_MESSAGE`
+ - Unknown field injections are reported
+ - Error: `BPMN_UNKNOWN_FIELD_INJECTION`
+
+##### Receive Tasks
+
+- **Name Validation**:
+ - Task must have a non-empty name
+ - Warning: `BPMN_EVENT_NAME_EMPTY`
+
+- **Message Definition Validation**:
+ - Message definition must be present and have a non-empty message name
+ - Error: `BPMN_MESSAGE_START_EVENT_MESSAGE_NAME_EMPTY`
+
+- **FHIR Resource Validation**:
+ - Message name must reference an existing ActivityDefinition
+ - Error: `BPMN_NO_ACTIVITY_DEFINITION_FOUND_FOR_MESSAGE`
+ - Message name must reference an existing StructureDefinition
+ - Error: `BPMN_NO_STRUCTURE_DEFINITION_FOUND_FOR_MESSAGE`
+
+#### Event Validation
+
+##### Message Events (Start/Intermediate/End)
+
+- **Event Name Validation**:
+ - Event must have a non-empty name
+ - Error: `BPMN_EVENT_NAME_EMPTY`
+ - Error: `BPMN_MESSAGE_START_EVENT_MESSAGE_NAME_EMPTY`
+ - Error: `BPMN_MESSAGE_INTERMEDIATE_CATCH_EVENT_NAME_EMPTY`
+ - Error: `BPMN_MESSAGE_INTERMEDIATE_CATCH_EVENT_MESSAGE_NAME_EMPTY`
+ - Error: `BPMN_MESSAGE_BOUNDARY_EVENT_NAME_EMPTY`
+
+- **Implementation Class Validation**:
+ - For send events, implementation class must exist
+ - Error: `BPMN_MESSAGE_SEND_EVENT_IMPLEMENTATION_CLASS_EMPTY`
+ - Error: `BPMN_MESSAGE_SEND_EVENT_IMPLEMENTATION_CLASS_NOT_FOUND`
+ - Intermediate throw events should not have message definitions
+ - Error: `BPMN_MESSAGE_INTERMEDIATE_THROW_EVENT_HAS_MESSAGE`
+
+- **API Version-Specific Requirements**:
+ - **V1 API**:
+ - Class must implement `org.camunda.bpm.engine.delegate.JavaDelegate`
+ - Error: `BPMN_MESSAGE_SEND_EVENT_IMPLEMENTATION_CLASS_NOT_IMPLEMENTING_JAVA_DELEGATE`
+ - Throw events must implement `org.camunda.bpm.engine.delegate.JavaDelegate`
+ - Error: `BPMN_END_EVENT_NO_INTERFACE_CLASS_IMPLEMENTING`
+ - **V2 API**:
+ - Message Intermediate Throw Events must implement `dev.dsf.bpe.v2.activity.MessageIntermediateThrowEvent`
+ - Message End Events must implement `dev.dsf.bpe.v2.activity.MessageEndEvent`
+ - Error: `BPMN_END_EVENT_NO_INTERFACE_CLASS_IMPLEMENTING`
+
+- **Field Injection Validation**:
+ - `profile` field injection:
+ - Must be non-empty
+ - Error: `BPMN_FIELD_INJECTION_PROFILE_EMPTY`
+ - Must contain version placeholder `#{version}`
+ - Error: `BPMN_FIELD_INJECTION_PROFILE_NO_VERSION_PLACEHOLDER`
+ - Must reference existing StructureDefinition
+ - Error: `BPMN_NO_STRUCTURE_DEFINITION_FOUND_FOR_MESSAGE`
+
+ - `messageName` field injection:
+ - Must be non-empty
+ - Error: `BPMN_FIELD_INJECTION_MESSAGE_VALUE_EMPTY`
+ - Must be a string literal
+ - Error: `BPMN_FIELD_INJECTION_NOT_STRING_LITERAL`
+
+ - `instantiatesCanonical` field injection:
+ - Must be non-empty
+ - Error: `BPMN_FIELD_INJECTION_INSTANTIATES_CANONICAL_EMPTY`
+ - Must end with version placeholder `|#{version}`
+ - Error: `BPMN_FIELD_INJECTION_INSTANTIATES_CANONICAL_NO_VERSION_PLACEHOLDER`
+ - Must reference existing ActivityDefinition
+ - Error: `BPMN_NO_ACTIVITY_DEFINITION_FOUND_FOR_MESSAGE`
+
+##### Timer Events
+
+- **Timer Type Validation**:
+ - At least one of `timeDate`, `timeCycle`, or `timeDuration` must be set
+ - Error: `BPMN_FLOATING_ELEMENT` (`TIMER_TYPE_IS_EMPTY`)
+
+- **Fixed Date Warning**:
+ - `timeDate` expressions are flagged with an informational message to verify if a fixed date is intended
+ - Info: `BPMN_FLOATING_ELEMENT` (`TIMER_TYPE_IS_A_FIXED_DATE_TIME`)
+
+- **Placeholder Validation**:
+ - `timeCycle` and `timeDuration` values should contain a placeholder (e.g., `#{interval}`)
+ - Warning: `BPMN_FLOATING_ELEMENT` (`TIMER_VALUE_APPEARS_FIXED_NO_PLACEHOLDER_FOUND`)
+
+##### Error Boundary Events
+
+- **Error Configuration Validation**:
+ - Error reference must be present
+ - Error code must not be empty
+ - Error: `BPMN_ERROR_BOUNDARY_EVENT_ERROR_CODE_EMPTY`
+ - Error name must not be empty (warning)
+ - Error: `BPMN_ERROR_BOUNDARY_EVENT_ERROR_NAME_EMPTY`
+ - Error: `BPMN_ERROR_BOUNDARY_EVENT_NAME_EMPTY`
+ - Error code variable must not be empty
+ - Error: `BPMN_ERROR_BOUNDARY_EVENT_ERROR_CODE_VARIABLE_EMPTY`
+
+##### Signal Events
+
+- **Signal Definition Validation**:
+ - Signal end events must have a non-empty name
+ - Error: `BPMN_SIGNAL_END_EVENT_NAME_EMPTY`
+ - Signal end events must have a signal definition
+ - Error: `BPMN_SIGNAL_END_EVENT_SIGNAL_EMPTY`
+ - Signal intermediate throw events must have a non-empty name
+ - Error: `BPMN_SIGNAL_INTERMEDIATE_THROW_EVENT_NAME_EMPTY`
+ - Signal intermediate throw events must have a signal definition
+ - Error: `BPMN_SIGNAL_INTERMEDIATE_THROW_EVENT_SIGNAL_EMPTY`
+ - Signal definitions must be valid
+ - Signal references must be correct
+
+##### Conditional Events
+
+- **Event Name Validation**:
+ - Conditional Intermediate Catch Event should have a non-empty name
+ - Warning: `BPMN_FLOATING_ELEMENT` (`CONDITIONAL_INTERMEDIATE_CATCH_EVENT_NAME_IS_EMPTY`)
+
+- **Variable Name Validation**:
+ - `camunda:variableName` attribute must not be empty
+ - Error: `BPMN_FLOATING_ELEMENT` (`CONDITIONAL_INTERMEDIATE_CATCH_EVENT_VARIABLE_NAME_IS_EMPTY`)
+
+- **Variable Events Validation**:
+ - `camunda:variableEvents` attribute must not be empty
+ - Error: `BPMN_FLOATING_ELEMENT` (`CONDITIONAL_INTERMEDIATE_CATCH_EVENT_VARIABLE_EVENTS_IS_EMPTY`)
+
+- **Condition Type Validation**:
+ - `camunda:conditionType` must be set, or a condition expression must be provided (in which case `"expression"` is assumed)
+ - Error: `BPMN_FLOATING_ELEMENT` (`CONDITIONAL_INTERMEDIATE_CATCH_EVENT_CONDITION_TYPE_IS_EMPTY`)
+
+- **Condition Expression Validation**:
+ - When condition type is `"expression"`, the condition expression must not be empty
+ - Error: `BPMN_FLOATING_ELEMENT` (`CONDITIONAL_INTERMEDIATE_CATCH_EVENT_CONDITION_TYPE_IS_NOT_EXPRESSION`)
+
+#### Gateway and Flow Validation
+
+##### Flow Structure
+
+- **Message Start Event**:
+ - Message-triggered processes must have a message start event
+ - Error: `BPMN_MESSAGE_START_EVENT_NOT_FOUND`
+
+##### Exclusive Gateways
+
+- **Sequence Flow Validation**:
+ - Outgoing sequence flows must have appropriate names
+ - When multiple outgoing flows exist, gateway must have a name
+ - Error: `BPMN_EXCLUSIVE_GATEWAY_HAS_MULTIPLE_OUTGOING_FLOWS_BUT_NAME_IS_EMPTY`
+ - Conditional expressions required when multiple paths exist
+ - Default flow validation
+
+##### Inclusive Gateways
+
+- **Sequence Flow Validation**:
+ - Similar requirements as exclusive gateways
+ - When multiple outgoing flows exist, gateway must have a name
+ - Error: `BPMN_INCLUSIVE_GATEWAY_HAS_MULTIPLE_OUTGOING_FLOWS_BUT_NAME_IS_EMPTY`
+ - Multiple path handling
+
+##### Event-Based Gateways
+
+- **Configuration Validation**:
+ - Proper configuration required
+ - Outgoing flow setup validation
+
+##### Sequence Flows
+
+- **Naming and Conditions**:
+ - Naming conventions
+ - Conditional expressions for non-default flows from splitting gateways
+ - Error: `BPMN_FLOW_ELEMENT`
+
+#### SubProcess Validation
+
+##### Multi-Instance SubProcesses
+
+- **Asynchronous Execution**:
+ - `asyncBefore` must be set to `true` for proper asynchronous execution
+ - Required for multi-instance subprocesses
+ - Error: `BPMN_SUB_PROCESS_HAS_MULTI_INSTANCE_BUT_IS_NOT_ASYNC_BEFORE_TRUE`
+
+##### Start/End Events in SubProcesses
+
+- **Structural Validation**:
+ - Start events must be part of subprocess
+ - Error: `BPMN_START_EVENT_NOT_PART_OF_SUB_PROCESS`
+ - End events must be part of subprocess
+ - Error: `BPMN_END_EVENT_NOT_PART_OF_SUB_PROCESS`
+ - End events inside subprocesses should have `asyncAfter` set to `true`
+ - Error: `BPMN_END_EVENT_INSIDE_SUB_PROCESS_SHOULD_HAVE_ASYNC_AFTER_TRUE`
+
+#### Floating Elements
+
+- **Element Placement**:
+ - Elements must be properly connected
+ - Error: `BPMN_FLOATING_ELEMENT`
+
+#### Execution Listeners
+
+- **Execution Listener Validation**:
+ - Execution listener classes must exist in the classpath
+ - Error: `BPMN_EXECUTION_LISTENER_CLASS_NOT_FOUND`
+
+- **API Version-Specific Requirements**:
+ - **V1 API**:
+ - Execution listener classes must implement `org.camunda.bpm.engine.delegate.ExecutionListener`
+ - Error: `BPMN_EXECUTION_LISTENER_NOT_IMPLEMENTING_REQUIRED_INTERFACE`
+ - **V2 API**:
+ - Execution listener classes must implement `dev.dsf.bpe.v2.activity.ExecutionListener`
+ - Error: `BPMN_EXECUTION_LISTENER_NOT_IMPLEMENTING_REQUIRED_INTERFACE`
+
+#### Unknown Field Injections
+
+- **Field Injection Validation**:
+ - Only known field injections are allowed
+ - Error: `BPMN_UNKNOWN_FIELD_INJECTION`
+
+### FHIR Resource Validation
+
+The linter validates FHIR resources against DSF-specific profiles and HL7 FHIR specifications.
+
+
+
+#### Unparsable FHIR Resources
+
+- **Resource Parsing**:
+ - FHIR resources must be valid XML or JSON
+ - Error: `PLUGIN_DEFINITION_UNPARSABLE_FHIR_RESOURCE`
+
+#### Task Resources
+
+Task resources are validated against the DSF Task base profile (`http://dsf.dev/fhir/StructureDefinition/dsf-task-base`).
+
+##### Metadata and Profile Validation
+
+- **Profile Validation**:
+ - `meta.profile` must be present and point to a DSF Task profile
+ - Error: `FHIR_TASK_MISSING_PROFILE`
+ - Profile must be loadable
+ - Error: `FHIR_TASK_COULD_NOT_LOAD_PROFILE`
+
+- **InstantiatesCanonical Validation**:
+ - `instantiatesCanonical` must be present
+ - Error: `FHIR_TASK_MISSING_INSTANTIATES_CANONICAL`
+ - Must end with version placeholder `|#{version}`
+ - Error: `FHIR_TASK_INSTANTIATES_CANONICAL_PLACEHOLDER`
+ - Must reference existing ActivityDefinition
+ - Error: `FHIR_TASK_UNKNOWN_INSTANTIATES_CANONICAL`
+
+##### Fixed Elements
+
+- **Status Validation**:
+ - `status` must be present
+ - Error: `FHIR_TASK_MISSING_STATUS`
+ - Must be `"draft"` for template Task instances
+ - Error: `FHIR_TASK_STATUS_NOT_DRAFT`
+ - Must be a valid TaskStatus value
+ - Error: `FHIR_TASK_UNKNOWN_STATUS`
+
+- **Intent Validation**:
+ - `intent` must be `"order"`
+ - Error: `FHIR_TASK_VALUE_IS_NOT_SET_AS_ORDER`
+
+- **Requester Validation**:
+ - Requester must be present
+ - Error: `FHIR_TASK_MISSING_REQUESTER`
+ - `requester.identifier.system` must be `http://dsf.dev/sid/organization-identifier`
+ - Error: `FHIR_TASK_INVALID_REQUESTER`
+ - `requester.identifier.value` must be `#{organization}` (development)
+ - Error: `FHIR_TASK_REQUESTER_ORGANIZATION_NO_PLACEHOLDER`
+ - Error: `FHIR_TASK_REQUESTER_ID_NO_PLACEHOLDER`
+ - Error: `FHIR_TASK_REQUESTER_ID_NOT_EXIST`
+
+- **Recipient Validation**:
+ - Recipient must be present
+ - Error: `FHIR_TASK_MISSING_RECIPIENT`
+ - `restriction.recipient.identifier.system` must be `http://dsf.dev/sid/organization-identifier`
+ - Error: `FHIR_TASK_INVALID_RECIPIENT`
+ - `restriction.recipient.identifier.value` must be `#{organization}` (development)
+ - Error: `FHIR_TASK_RECIPIENT_ORGANIZATION_NO_PLACEHOLDER`
+ - Error: `FHIR_TASK_RECIPIENT_ID_NO_PLACEHOLDER`
+ - Error: `FHIR_TASK_RECIPIENT_ID_NOT_EXIST`
+
+##### Development Placeholders
+
+- **Date Placeholder**:
+ - `authoredOn` must contain `#{date}`
+ - Error: `FHIR_TASK_DATE_NO_PLACEHOLDER`
+
+##### Task Identifier Validation
+
+- **System Validation**:
+ - Task identifiers must have a valid system element
+ - Expected system: `http://dsf.dev/sid/task-identifier`
+ - Error: `FHIR_TASK_IDENTIFIER_MISSING_SYSTEM` (when system is missing or empty)
+ - Error: `FHIR_TASK_IDENTIFIER_INVALID_SYSTEM` (when system is set but incorrect)
+ - Success: When the system is correctly set to `http://dsf.dev/sid/task-identifier`
+
+- **Value Format Validation**:
+ - Task identifiers with system `http://dsf.dev/sid/task-identifier` must follow a specific format
+ - Format: `{process-url}/{process-version}/{task-example-name}`
+ - Example: `http://test.org/bpe/Process/someProcessName/1.0/someExampleName`
+ - Error: `FHIR_TASK_IDENTIFIER_INVALID_FORMAT`
+ - Success: When the identifier format is valid
+
+- **Pattern Definition**:
+ ```regex
+ ^https?://[^/]+/bpe/Process/[a-zA-Z0-9-]+/(?:\d+\.\d+|#{version})/.+$
+ ```
+ The pattern accepts both actual version numbers (e.g., `1.0`) and placeholders (e.g., `#{version}`) for development-time validation.
+
+- **Valid Examples**:
+ - ✅ System: `http://dsf.dev/sid/task-identifier`
+ - ✅ Value: `http://test.org/bpe/Process/someProcessName/1.0/someExampleName` (with actual version)
+ - ✅ Value: `http://test.org/bpe/Process/someProcessName/#{version}/someExampleName` (with placeholder)
+ - ✅ Value: `https://dsf.dev/bpe/Process/myProcess/2.5/startTask`
+ - ✅ Value: `http://medizininformatik-initiative.de/bpe/Process/coordinateDataSharing/#{version}/coordinateDataSharing`
+
+- **Invalid Examples**:
+ - ❌ System missing or empty
+ - ❌ System: `http://wrong.system/identifier` (wrong system URL)
+ - ❌ Value: `http://test.org/someProcessName/1.0/taskName` (missing `/bpe/Process/` segment)
+ - ❌ Value: `http://test.org/bpe/Process/myProcess/1/taskName` (version must be in `X.Y` format, e.g. `1.0`)
+ - ❌ Empty or blank identifier value
+
+- **DSF Framework Reference**:
+ - Based on the DSF NamingSystem definition: `http://dsf.dev/sid/task-identifier`
+ - See: [DSF Framework Repository](https://github.com/datasharingframework/dsf)
+
+##### Task.input Validation
+
+- **Input Presence**:
+ - `Task.input` must not be empty
+ - Error: `FHIR_TASK_MISSING_INPUT`
+
+- **Structural Validation**:
+ - Each input must have `type.coding.system` and `type.coding.code`
+ - Error: `FHIR_TASK_INPUT_REQUIRED_CODING_SYSTEM_AND_CODING_CODE`
+ - Each input must have a `value[x]` element
+ - Error: `FHIR_TASK_INPUT_MISSING_VALUE`
+
+- **Duplicate Detection**:
+ - No two inputs may share the same `system#code` combination
+ - Error: `FHIR_TASK_INPUT_DUPLICATE_SLICE`
+
+- **BPMN Slice Validation**:
+ - `message-name` slice: Required (min=1, max=1)
+ - Error: `FHIR_TASK_REQUIRED_INPUT_WITH_CODE_MESSAGE_NAME`
+ - `business-key` slice:
+ - Required when status is "in-progress", "completed", or "failed"
+ - Error: `FHIR_TASK_STATUS_REQUIRED_INPUT_BUSINESS_KEY`
+ - Must be absent when status is "draft"
+ - Error: `FHIR_TASK_BUSINESS_KEY_EXISTS`
+ - Business key validation may be skipped in certain conditions
+ - Warning: `FHIR_TASK_BUSINESS_KEY_CHECK_IS_SKIPPED`
+ - `correlation-key` slice:
+ - Validated against StructureDefinition cardinality
+ - Error: `FHIR_TASK_CORRELATION_EXISTS`
+ - Error: `FHIR_TASK_CORRELATION_MISSING_BUT_REQUIRED`
+
+- **Cardinality Validation**:
+ - Total input count validated against base cardinality
+ - Error: `FHIR_TASK_INPUT_INSTANCE_COUNT_BELOW_MIN`
+ - Error: `FHIR_TASK_INPUT_INSTANCE_COUNT_EXCEEDS_MAX`
+ - Slice occurrence counts validated against slice-specific cardinality
+ - Error: `FHIR_TASK_INPUT_SLICE_COUNT_BELOW_SLICE_MIN`
+ - Error: `FHIR_TASK_INPUT_SLICE_COUNT_EXCEEDS_SLICE_MAX`
+
+- **Terminology Validation**:
+ - Code/system combinations validated against DSF CodeSystems
+ - Error: `FHIR_TASK_UNKNOWN_CODE`
+
+#### StructureDefinition Resources
+
+StructureDefinition resources are validated against DSF-specific constraints.
+
+##### Metadata Validation
+
+- **Read Access Tag**:
+ - Must contain valid read-access tag
+ - Error: `STRUCTURE_DEFINITION_READ_ACCESS_TAG_MISSING`
+
+- **URL Validation**:
+ - `url` must be present and non-empty
+ - Error: `STRUCTURE_DEFINITION_URL_MISSING`
+
+- **Status Validation**:
+ - `status` must be `"unknown"` (DSF convention)
+ - Error: `STRUCTURE_DEFINITION_INVALID_STATUS`
+
+##### Placeholder Validation
+
+- **Version Placeholder**:
+ - `version` must contain exactly `#{version}`
+ - Error: `STRUCTURE_DEFINITION_VERSION_NO_PLACEHOLDER`
+
+- **Date Placeholder**:
+ - `date` must contain exactly `#{date}`
+ - Error: `STRUCTURE_DEFINITION_DATE_NO_PLACEHOLDER`
+
+##### Structure Validation
+
+- **Differential**:
+ - `differential` element must exist
+ - Error: `STRUCTURE_DEFINITION_DIFFERENTIAL_MISSING`
+
+- **Snapshot**:
+ - `snapshot` element should not be present (warning)
+ - Error: `STRUCTURE_DEFINITION_SNAPSHOT_PRESENT`
+
+- **Element IDs**:
+ - Every `element` must have an `@id` attribute
+ - Error: `STRUCTURE_DEFINITION_ELEMENT_ID_MISSING`
+ - Element IDs must be unique
+ - Error: `STRUCTURE_DEFINITION_ELEMENT_ID_DUPLICATE`
+
+##### Slice Cardinality Validation
+
+According to FHIR profiling specification §5.1.0.14:
+
+- **SHOULD Rule**:
+ - Sum of all slice minimum cardinalities should be ≤ base element's minimum
+ - Error: `STRUCTURE_DEFINITION_SLICE_MIN_SUM_ABOVE_BASE_MIN`
+
+- **MUST Rule (Min Sum)**:
+ - Sum of all slice minimum cardinalities must not exceed base element's maximum
+ - Error: `STRUCTURE_DEFINITION_SLICE_MIN_SUM_EXCEEDS_MAX`
+
+- **MUST Rule (Slice Max)**:
+ - No individual slice's maximum cardinality may exceed base element's maximum
+ - Error: `STRUCTURE_DEFINITION_SLICE_MAX_TOO_HIGH`
+
+#### ValueSet Resources
+
+ValueSet resources are validated against the DSF ValueSet base profile.
+
+##### Metadata Validation
+
+- **Read Access Tags**:
+ - Must contain at least one read-access tag (ALL or LOCAL)
+ - Error: `FHIR_VALUE_SET_MISSING_READ_ACCESS_TAG_ALL_OR_LOCAL`
+ - Organization role codes must be valid
+ - Error: `FHIR_VALUE_SET_ORGANIZATION_ROLE_MISSING_VALID_CODE_VALUE`
+
+- **Required Elements**:
+ - `url` must be present
+ - Error: `FHIR_VALUE_SET_MISSING_URL`
+ - `name` must be present
+ - Error: `FHIR_VALUE_SET_MISSING_NAME`
+ - `title` must be present
+ - Error: `FHIR_VALUE_SET_MISSING_TITLE`
+ - `publisher` must be present
+ - Error: `FHIR_VALUE_SET_MISSING_PUBLISHER`
+ - `description` must be present
+ - Error: `FHIR_VALUE_SET_MISSING_DESCRIPTION`
+
+##### Placeholder Validation
+
+- **Version Placeholder**:
+ - `version` must be `#{version}`
+ - Error: `FHIR_VALUE_SET_VERSION_NO_PLACEHOLDER`
+
+- **Date Placeholder**:
+ - `date` must be `#{date}`
+ - Error: `FHIR_VALUE_SET_DATE_NO_PLACEHOLDER`
+
+- **Include Version Placeholder**:
+ - `compose.include.version` must be `#{version}`
+ - Error: `FHIR_VALUE_SET_INCLUDE_VERSION_NO_PLACEHOLDER`
+
+##### Compose Structure Validation
+
+- **Include Elements**:
+ - At least one `compose.include` required
+ - Error: `FHIR_VALUE_SET_MISSING_COMPOSE_INCLUDE`
+ - Each include must have a `system` attribute
+ - Error: `FHIR_VALUE_SET_INCLUDE_MISSING_SYSTEM`
+
+- **Concept Validation**:
+ - Concept codes must be non-blank
+ - Error: `FHIR_VALUE_SET_CONCEPT_MISSING_CODE`
+ - Duplicate codes detected
+ - Error: `FHIR_VALUE_SET_DUPLICATE_CONCEPT_CODE`
+
+##### Terminology Compliance
+
+- **CodeSystem Validation**:
+ - CodeSystem URLs validated against DSF terminology cache
+ - Warn: `FHIR_VALUE_SET_UNKNOWN_CODE`
+ - Code exists but in different CodeSystem
+ - Error: `FHIR_VALUE_SET_FALSE_URL_REFERENCED`
+
+#### ActivityDefinition Resources
+
+##### Profile Validation
+
+- **Profile**:
+ - Must have valid profile
+ - Error: `ACTIVITY_DEFINITION_MISSING_PROFILE`
+ - Profile must not have version number
+ - Error: `ACTIVITY_DEFINITION_PROFILE_NO_PLACEHOLDER`
+
+##### URL Validation
+
+- **URL Presence**:
+ - URL must be present and non-empty
+ - Error: `INVALID_FHIR_URL`
+
+- **URL Pattern Validation**:
+ - ActivityDefinition URL must follow a specific pattern
+ - Format: `http[s]://domain/bpe/Process/processName`
+ - Example: `http://dsf.dev/bpe/Process/test`
+ - Error: `ACTIVITY_DEFINITION_INVALID_URL_PATTERN`
+ - Success: When the URL pattern is valid
+
+- **Pattern Definition**:
+ ```regex
+ ^http[s]{0,1}://(?(?:(?:[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\.)+(?:[a-zA-Z0-9]{1,63}))/bpe/Process/(?[a-zA-Z0-9-]+)$
+ ```
+
+- **Valid Examples**:
+ - ✅ `http://dsf.dev/bpe/Process/test`
+ - ✅ `https://example.org/bpe/Process/my-process`
+ - ✅ `http://test.example.com/bpe/Process/process123`
+
+- **Invalid Examples**:
+ - ❌ `http://dsf.dev/Process/test` (missing `/bpe/`)
+ - ❌ `http://dsf.dev/bpe/Process/test_invalid` (underscore not allowed in processName)
+ - ❌ `http://dsf.dev/bpe/Process/` (missing processName)
+ - ❌ `ftp://dsf.dev/bpe/Process/test` (only http/https allowed)
+
+- **DSF Framework Reference**:
+ - Based on the DSF Framework requirement defined in:
+ - `dsf-bpe/dsf-bpe-process-api/src/main/java/dev/dsf/bpe/api/plugin/AbstractProcessPlugin.java`
+ - See: [DSF Framework Repository](https://github.com/datasharingframework/dsf)
+
+##### Status Validation
+
+- **Status**:
+ - Status must be valid
+ - Error: `INVALID_FHIR_STATUS`
+
+##### Authorization Validation
+
+- **Requester**:
+ - Requester entry must be present
+ - Error: `ACTIVITY_DEFINITION_ENTRY_MISSING_REQUESTER`
+ - Requester entry must be valid
+ - Error: `ACTIVITY_DEFINITION_ENTRY_INVALID_REQUESTER`
+
+- **Recipient**:
+ - Recipient entry must be present
+ - Error: `ACTIVITY_DEFINITION_ENTRY_MISSING_RECIPIENT`
+ - Recipient entry must be valid
+ - Error: `ACTIVITY_DEFINITION_ENTRY_INVALID_RECIPIENT`
+
+#### CodeSystem Resources
+
+##### Metadata Validation
+
+- **Read Access Tag**:
+ - Must have read access tag
+ - Error: `MISSING_READ_ACCESS_TAG`
+
+- **Required Elements**:
+ - Required elements must be present
+ - Error: `CODE_SYSTEM_MISSING_ELEMENT`
+
+##### URL Validation
+
+- **URL Format**:
+ - URL must be valid
+ - Error: `INVALID_FHIR_URL`
+
+##### Status Validation
+
+- **Status**:
+ - Status must be valid
+ - Error: `CODE_SYSTEM_INVALID_STATUS`
+
+##### Concept Validation
+
+- **Concepts**:
+ - Must have at least one concept
+ - Error: `CODE_SYSTEM_MISSING_CONCEPT`
+ - Concepts must have code
+ - Error: `CODE_SYSTEM_CONCEPT_MISSING_CODE`
+ - Concepts must have display
+ - Error: `CODE_SYSTEM_CONCEPT_MISSING_DISPLAY`
+ - Duplicate codes detected
+ - Error: `CODE_SYSTEM_DUPLICATE_CODE`
+
+##### Placeholder Validation
+
+- **Version Placeholder**:
+ - Version must be `#{version}`
+ - Error: `CODE_SYSTEM_VERSION_NO_PLACEHOLDER`
+
+- **Date Placeholder**:
+ - Date must be `#{date}`
+ - Error: `CODE_SYSTEM_DATE_NO_PLACEHOLDER`
+
+#### Questionnaire Resources
+
+##### Metadata Validation
+
+- **Meta Profile**:
+ - Must have meta profile
+ - Error: `QUESTIONNAIRE_MISSING_META_PROFILE`
+ - Meta profile must be valid
+ - Error: `QUESTIONNAIRE_INVALID_META_PROFILE`
+
+- **Read Access Tag**:
+ - Must have read access tag
+ - Error: `QUESTIONNAIRE_MISSING_READ_ACCESS_TAG`
+
+##### Status Validation
+
+- **Status**:
+ - Status must be valid
+ - Error: `QUESTIONNAIRE_INVALID_STATUS`
+
+##### Item Validation
+
+- **Items**:
+ - Must have at least one item
+ - Error: `QUESTIONNAIRE_MISSING_ITEM`
+ - Items must have linkId
+ - Error: `QUESTIONNAIRE_ITEM_MISSING_ATTRIBUTES_LINK_ID`
+ - Items must have text
+ - Error: `QUESTIONNAIRE_ITEM_MISSING_ATTRIBUTES_TEXT`
+ - Items must have type
+ - Error: `QUESTIONNAIRE_ITEM_MISSING_ATTRIBUTES_TYPE`
+ - Link IDs must be unique
+ - Error: `QUESTIONNAIRE_DUPLICATE_LINK_ID`
+ - Unusual link IDs detected
+ - Error: `QUESTIONNAIRE_UNUSUAL_LINK_ID`
+
+##### Mandatory Item Validation
+
+- **Required Items**:
+ - Mandatory items must be required
+ - Error: `QUESTIONNAIRE_MANDATORY_ITEM_NOT_REQUIRED`
+ - Mandatory items must have valid type
+ - Error: `QUESTIONNAIRE_MANDATORY_ITEM_INVALID_TYPE`
+
+##### Placeholder Validation
+
+- **Version Placeholder**:
+ - Version must be `#{version}`
+ - Error: `QUESTIONNAIRE_VERSION_NO_PLACEHOLDER`
+
+- **Date Placeholder**:
+ - Date must be `#{date}`
+ - Error: `QUESTIONNAIRE_DATE_NO_PLACEHOLDER`
+
+#### Common FHIR Validations
+
+##### Access Tag Validation
+
+- **Read Access Tag**:
+ - Must have read access tag
+ - Error: `MISSING_FHIR_ACCESS_TAG`
+ - Access tag must be valid
+ - Error: `INVALID_FHIR_ACCESS_TAG`
+
+##### Kind Validation
+
+- **Kind**:
+ - Kind must be present
+ - Error: `INVALID_FHIR_KIND`
+ - Kind must be "Task" for Task resources
+ - Error: `FHIR_KIND_NOT_SET_AS_TASK`
+
+##### Status Validation
+
+- **Status**:
+ - Status must be "unknown" (DSF convention)
+ - Error: `FHIR_STATUS_IS_NOT_SET_AS_UNKNOWN`
+
+##### Extension Validation
+
+- **Process Authorization Extension**:
+ - Must have process authorization extension
+ - Error: `NO_EXTENSION_PROCESS_AUTHORIZATION_FOUND`
+
+### Plugin Configuration Validation
+
+#### ServiceLoader Registration
+
+- **Registration File**:
+ - **V1 API**: Must be registered in `META-INF/services/dev.dsf.bpe.v1.ProcessPluginDefinition`
+ - **V2 API**: Must be registered in `META-INF/services/dev.dsf.bpe.v2.ProcessPluginDefinition`
+ - Error: `PLUGIN_DEFINITION_MISSING_SERVICE_LOADER_REGISTRATION`
+ - Plugin class must be loadable
+ - Error: `PLUGIN_DEFINITION_PROCESS_PLUGIN_RESOURCE_NOT_LOADED`
+
+#### Resource References
+
+- **BPMN File References**:
+ - BPMN files referenced in plugin must exist
+ - Error: `PLUGIN_DEFINITION_BPMN_FILE_NOT_FOUND`
+ - BPMN files must be in expected root
+ - Error: `PLUGIN_DEFINITION_BPMN_FILE_OUTSIDE_ROOT`
+ - BPMN files must be parsable
+ - Error: `PLUGIN_DEFINITION_UNPARSABLE_BPMN_RESOURCE`
+
+- **FHIR File References**:
+ - FHIR resources referenced in BPMN must exist
+ - Error: `PLUGIN_DEFINITION_FHIR_RESOURCE_NOT_FOUND`
+ - FHIR resources must be in expected root
+ - Error: `PLUGIN_DEFINITION_FHIR_FILE_OUTSIDE_ROOT`
+ - FHIR resources must be parsable
+ - Error: `PLUGIN_DEFINITION_UNPARSABLE_FHIR_RESOURCE`
+
+#### Resource Presence
+
+- **BPMN Processes**:
+ - At least one BPMN process must be defined
+ - Error: `PLUGIN_DEFINITION_NO_PROCESS_MODEL_DEFINED`
+
+- **FHIR Resources**:
+ - At least one FHIR resource must be defined
+ - Error: `PLUGIN_DEFINITION_NO_FHIR_RESOURCES_DEFINED`
+
+#### Version Validation
+
+##### Resource Version Validation
+
+- **Version Pattern Requirement**:
+ - Plugin version must follow the pattern: `d.d.d.d` (e.g., `1.0.0.1`, `2.5.3.10`)
+ - Resource version is derived from the first two numbers (e.g., `1.0` from `1.0.0.1`)
+ - Error: `PLUGIN_DEFINITION_RESOURCE_VERSION_NULL`
+
+- **Valid Examples**:
+ - ✅ Version `1.0.0.1` → Resource Version `1.0`
+ - ✅ Version `2.5.3.10` → Resource Version `2.5`
+
+- **Invalid Examples**:
+ - ❌ Version `1.0.0` (missing fourth number)
+ - ❌ Version `1.0` (only two numbers)
+ - ❌ Version `invalid` (non-numeric)
+
+- **Pattern Definition**:
+ ```regex
+ (?\d+\.\d+)\.\d+\.\d+
+ ```
+
+- **DSF Framework Reference**:
+ - This validation is based on the DSF Framework requirement defined in:
+ - `dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/ProcessPluginDefinition.java`
+ - The `getResourceVersion()` method extracts the resource version from the plugin version
+
+#### Leftover Resource Detection
+
+The linter performs project-level analysis to identify unreferenced resources:
+
+- **Unreferenced BPMN Files**:
+ - BPMN files that are not referenced by any plugin
+ - Reported as warnings
+
+- **Unreferenced FHIR Resources**:
+ - FHIR resources that are not referenced by any BPMN process
+ - Reported as warnings
+
+This analysis works uniformly for single-plugin and multi-plugin projects.
+
+---
+
+## Phases
+Source: https://dsf.dev/process-development/linter-tool/phases.html
+
+### Linting Phases
+The linter executes in five phases:
+
+
+#### Phase 1: Project Setup
+
+1. **Input Validation**:
+ - Validates that input is a JAR file
+ - Checks file existence or URL accessibility
+
+2. **JAR Extraction**:
+ - Downloads remote JAR files if needed
+ - Extracts JAR contents to temporary directory
+ - Preserves directory structure
+
+3. **Classloader Setup**:
+ - Creates project-specific classloader
+ - Loads plugin classes and dependencies
+ - Sets up context classloader for resource access
+
+#### Phase 2: Resource Discovery
+
+1. **Plugin Discovery**:
+ - Scans `META-INF/services/` for plugin registrations
+ - Loads plugin classes
+ - Detects API version (v1 or v2)
+
+2. **BPMN Discovery**:
+ - Scans `bpe/` directory for BPMN files
+ - Parses BPMN files to extract process definitions
+ - Maps BPMN files to plugins
+
+3. **FHIR Discovery**:
+ - Scans `fhir/` directory for FHIR resources
+ - Organizes resources by type
+ - Maps FHIR resources to plugins
+
+4. **Reference Mapping**:
+ - Extracts BPMN references to FHIR resources
+ - Maps FHIR resource references
+ - Identifies cross-references
+
+#### Phase 3: Linting
+
+1. **Per-Plugin Linting**:
+ - For each discovered plugin:
+ - Validates BPMN processes
+ - Validates FHIR resources
+ - Validates plugin configuration
+ - Collects lint items
+
+2. **Project-Level Analysis**:
+ - Performs leftover resource analysis
+ - Aggregates referenced resources across all plugins
+ - Identifies unreferenced resources
+
+3. **Result Aggregation**:
+ - Combines results from all plugins
+ - Calculates totals (errors, warnings)
+ - Determines overall success status
+
+#### Phase 4: Report Generation
+
+1. **HTML Report Generation**:
+ - Generates summary page
+ - Generates detailed plugin pages
+ - Applies templates and styling
+
+2. **JSON Report Generation** (if requested):
+ - Serializes all results to JSON
+ - Includes metadata and statistics
+ - Provides machine-readable format
+
+#### Phase 5: Summary
+
+1. **Console Output**:
+ - Displays execution summary
+ - Shows error and warning counts
+ - Reports execution time
+
+2. **Exit Code Determination**:
+ - Sets exit code based on results
+ - Respects `--no-fail` flag
+ - Returns appropriate status code
+
+---
+
+## Troubleshooting
+Source: https://dsf.dev/process-development/linter-tool/troubleshooting.html
+
+## Troubleshooting
+
+### "Input must be a JAR file" Error
+
+**Problem**: The linter only accepts JAR files as input.
+
+**Solution**:
+```bash
+# Wrong - Maven project directly
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path /path/to/project --html
+
+# Correct - Build first, then lint JAR
+cd /path/to/project && mvn clean package
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path /path/to/project/target/my-plugin-1.0.0.jar --html
+```
+
+### JAR File Not Found
+
+**Problem**: The specified JAR file path cannot be found.
+
+**Solution**: Verify the path and use absolute paths if needed:
+
+```bash
+# Windows
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path "C:\Users\Username\project\target\plugin.jar" --html
+
+# Linux/Mac
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path /home/username/project/target/plugin.jar --html
+```
+
+### Missing Dependencies
+
+**Problem**: ClassNotFoundException or similar errors during linting.
+
+**Solution**:
+```bash
+# Check Maven settings
+ls ~/.m2/settings.xml
+
+# Use verbose mode to see detailed error messages
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html --verbose
+
+# Check if dependencies are in the JAR
+jar -tf plugin.jar | grep -i "class"
+```
+
+### Report Not Generated
+
+**Problem**: No report files are created.
+
+**Solution**:
+```bash
+# --html or --json flag must be set
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html # ← Required
+
+# Use absolute path for report directory
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html --report-path $(pwd)/reports
+
+# Check write permissions
+ls -ld /tmp/dsf-linter-report-*
+```
+
+### Remote JAR Download Error
+
+**Problem**: Cannot download JAR from remote URL.
+
+**Solution**:
+```bash
+# Test download separately
+curl -L -o test.jar https://example.com/plugin.jar
+
+# Verify the download
+ls -lh test.jar
+
+# Check network connectivity
+ping example.com
+
+# Then use the local file
+java -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path test.jar --html
+```
+
+### Plugin Not Found
+
+**Problem**: "No plugins found" message.
+
+**Solution**:
+- Verify ServiceLoader registration exists in `META-INF/services/`
+- Check that plugin class is in the JAR file
+- Ensure plugin class implements the correct interface
+- Use `--verbose` to see detailed discovery logs
+- Check API version compatibility
+
+### Out of Memory Errors
+
+**Problem**: `OutOfMemoryError` during linting.
+
+**Solution**:
+```bash
+# Increase heap size
+java -Xmx2g -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html
+
+# For very large projects
+java -Xmx4g -Xms1g -jar linter-cli/target/linter-cli-0.1.2.jar \
+ --path plugin.jar --html
+```
+
+### Slow Performance
+
+**Problem**: Linting takes too long.
+
+**Solution**:
+- Use `-DskipTests` during build
+- Disable verbose logging in production
+- Check network latency for remote JARs
+- Consider increasing heap size
+- Profile with JVM tools if needed
+
+### Class Loading Issues
+
+**Problem**: Classes cannot be loaded from plugin JAR.
+
+**Solution**:
+- Verify JAR structure
+- Check classpath configuration
+- Ensure dependencies are included
+- Use verbose mode to see classloader logs
+- Check API version compatibility
+
+---
+
+## FHIR Implementation Guide
+Source: https://dsf.dev/dsf-development/v2/fhir-ig.html
+
+Open Fullscreen
+
+
+
+
+---
+
+## Maven Build
+Source: https://dsf.dev/dsf-development/v2/maven.html
+
+Open Fullscreen
+
+
+
+
+---
+
+## Team
+Source: https://dsf.dev/community/team.html
+
+The funded project team includes:
+
+- Prof. Dr. Christian Fegeler • [Homepage](https://www.hs-heilbronn.de/de/christian.fegeler)
+- Hauke Hund • [GitHub](https://github.com/hhund)
+- Maximilian Kurscheidt • [GitHub](https://github.com/MadMax93)
+- Simon Schweizer • [GitHub](https://github.com/schwzr)
+- Reto Wettstein • [GitHub](https://github.com/wetret)
+- Alexander Kiel • [GitHub](https://github.com/alexanderkiel)
+- Jan Böhringer • [GitHub](https://github.com/jaboehri)
+- Mathias Rühle • [GitHub](https://github.com/EmteZogaf)
+- Mohamad Khalil Malla • [GitHub](https://github.com/khalilmalla95)
+- Paul Maibach • [GitHub](https://github.com/javarum)
+- Sylvester Baidoo-A.
+- Tom Holler • [GitHub](https://github.com/H99-code)
+- Serap Aydin • [GitHub](https://github.com/seay28)
+
+We thank additional contributors, including:
+- Florian Seidel • [GitHub](https://github.com/FloSeidel)
+- Simon Mödinger • [GitHub](https://github.com/simonmoedinger)
+- Christoph Zilske • [GitHub](https://github.com/ZilskeC)
+- Amir Kannout
+
+## Funded Partners
+
+### Heilbronn University of Applied Sciences | Gecko Institute
+The [GECKO Institute](https://www.hs-heilbronn.de/de/gecko) is a research institution of [Heilbronn University of Applied Sciences](https://www.hs-heilbronn.de/de) and conducts research and development at the interfaces between medicine, economics and computer science. The DSF is part of Prof. Fegeler's research area: Interoperability and Digital Processes in Medicine. Other areas of research include educational technologies, health economics, and consumer health informatics.
+
+
+### University of Heidelberg | Institute of Medical Informatics
+The [Institute of Medical Informatics](https://www.klinikum.uni-heidelberg.de/kliniken-institute/institute/institut-fuer-medizinische-informatik) belongs to the University of Heidelberg. The scientific focus of the institute is on structured patient data, e.g.
+- in the Medical Data Integration Center (MeDIC),
+- structured acquisition and transformation of biomedical data,
+- medical information systems and data models
+- and much more.
+
+
+### University of Leipzig | LIFE Institute
+The [LIFE Institute](https://www.uniklinikum-leipzig.de/einrichtungen/life/) of the University of Leipzig manages collaborative and follow-on projects in the fields of medicine, public health, medical informatics, and biobanking.
+
+## Public Funding
+### Medical Informatics Initiative: "Data Sharing Framework Community" (2023-2026)
+
+
+
+
+ The DSF Community connects the DSF competencies of the entire [Medical Informatics Initiative (MII)](https://www.medizininformatik-initiative.de/de/start) so that new use cases, in particular from Module 3 or the [Network University Medicine (NUM)](https://www.netzwerk-universitaetsmedizin.de/), are better supported in creating the respective DSF plugins. In the context of Module 2b, the DSF Community contributes to the further development of the common digital infrastructure of the MII together with the [FDPG+](https://forschen-fuer-gesundheit.de/) and [TRANSIT](https://www.gesundheitsforschung-bmbf.de/de/transit-medizininformatik-struktur-data-management-unit-16148.php) projects. [BMBF](https://www.gesundheitsforschung-bmbf.de/de/dsf-medizininformatik-struktur-data-sharing-framework-community-16133.php)
+
+ Heilbronn University (HHN) focuses on the connecting of DSF related topics and competencies in the MII with the community management. The quality assurance of new DSF plugins and further development of the application and core components aim at a scalable, stable and secure operation of the DSF (Funding code: 01ZZ2307A).
+
+ Heidelberg University is focusing on the further development of the DSF core components as well as the rollout of the DSF plugins, in particular also from the perspective of a data integration center in consultation with the FDGP+ and TRANSIT projects (Funding code: 01ZZ2307B).
+
+ The University of Leipzig will further develop and adapt the DSF plugin for the Research Data Portal for Health FDPG according to specifications resulting from the FDPG+ project and enable Data Integration Centers (DIC) to operate the FDPG plugin (Funding code: 01ZZ2307C).
+
+ 
+
+
+
+
+
+---
+
+### Medical Informatics Initiative: HiGHmed consortium (2018-2022)
+
+[HiGHmed](https://www.highmed.org/en/home) aims to increase the efficiency of clinical research and improve patient care through new medical informatics solutions and cross-organizational data exchange. The concept will be developed on the basis of three defined prototypical use cases, which will ensure close integration with the requirements of patient care and medical research. The [GECKO Institute](https://www.hs-heilbronn.de/de/gecko) of HHN will establish a trusted third party with pseudonymization service to implement the goals of HiGHmed and is involved in the technical development of the DSF together with the partners (Funding code: 01ZZ1802E). Heidelberg University is in particular involved in the technical development of the DSF (Funding code: 01ZZ1802A).
+
+
+
+---
+
+## Communication
+Source: https://dsf.dev/community/communication.html
+
+## Contact the team
+Feel free to contact us via E-Mail (dsf-gecko@hs-heilbronn.de) and we will take care of your request as soon as possible.
+
+### Stay up to Date
+- [GitHub](https://github.com/datasharingframework/dsf)
+- Follow our [contributors](./team.md) on GitHub
+- [Zulip Chat - MII](https://mii.zulipchat.com)
+
+## Community
+DSF's community is growing and we welcome anyone who would like to join! :rocket:
+
+### Contribute Code
+You can get familiar with the DSF code on GitHub. Branching follows the git-flow model, for the latest development version see branch [develop](https://github.com/datasharingframework/dsf/tree/develop).
+
+### Share your Experience & Get support
+You´re welcome to share your experience with the Community. If you have a bug to report or feature to request, that's what the [GitHub issues](https://github.com/datasharingframework/dsf/issues) are for.
+
+
+In case of support needs you can join the weekly [DSF consultation hours](/community/consultation-hours).
+
+---
+
+## Ecosystem
+Source: https://dsf.dev/community/ecosystem.html
+
+We believe that the Data Sharing Framework (DSF) can only develop its full potential when embedded in a well-connected network of tools, organizations, and individuals.
+
+We appreciate the contributions of everyone who supports this shared approach—whether by directly advancing the DSF or by developing and applying tools that make use of it in various contexts.
+
+Your expertise and ongoing efforts are an essential part of this broader ecosystem.
+
+
+- [Medical Informatics Initiative (MII)](https://www.medizininformatik-initiative.de/en/start)
+ - [German Portal for Medical Research Data (FDPG)](https://forschen-fuer-gesundheit.de/en/)
+ - [The FDPG+ Project and Team](https://www.gesundheitsforschung-bmbf.de/de/fdpg-plus-medizininformatik-struktur-erweiterung-des-mii-forschungsdatenportals-fur-16137.php)
+ - [Open Medical Inference (OMI)](https://omi.ikim.nrw/)
+ - [MII Service Unit Terminological Services (SU-TermServ)](https://mii-termserv.de/en/)
+ - [TRANSIT Data Management Unit](https://www.isst.fraunhofer.de/en/departments/healthcare/projects/TRANSIT.html)
+- [Network University Medicine](https://www.netzwerk-universitaetsmedizin.de/en)
+ - [NUM Dashboard](https://numdashboard.ukbonn.de/welcome)
+ - [NUM RDP](https://www.netzwerk-universitaetsmedizin.de/en/projects/num-rdp)
+- [German Cancer Research Center (DKFZ)](https://www.dkfz.de/en/)
+ - [NCT Digital Oncology Program](https://www.nct-heidelberg.de/en/the-nct/newsroom/news/details/keno-maerz-new-head-of-the-nct-digital-oncology-program.html)
+ - [National Center for Tumor Diseases (NCT)](https://nct.dkfz.de/en/index.html)
+- [Bavarian Center for Cancer Research (BZKF)](https://bzkf.de/)
+- Various working groups and contributors
+
+And, of course, individuals whose dedication and insight continue to drive the DSF forward.
+
+---
+
+## Contributing Code
+Source: https://dsf.dev/community/contribute/code.html
+
+# Contribute code
+
+Your code can make a difference for the Data Sharing Framework (DSF). We invite all users to share their code, tests, scripts and improvement ideas. Contributions of any size enhance the DSF and support the data sharing framework community.
+
+### Benefits of Contributing:
+- Foster community growth and diversification.
+- Sharpen your coding skills.
+- Gain recognition in the DSF community.
+- Directly impact the future of data sharing in medicine.
+
+Start now by visiting our contribution pages. Every line of code helps us build a stronger and more versatile DSF.
+
+## General
+
+### Code style
+
+You can import our code style for your specific IDE:
+
+* [Eclipse](https://github.com/datasharingframework/dsf/blob/main/src/main/resources/eclipse-formatter-config.xml). Open your preferences, click on `Java`, `Code style`, `Formatter`, `Import` and select the downloaded file.
+* [IntelliJ](https://github.com/datasharingframework/dsf/blob/main/src/main/resources/intellij-formatter-config.xml). Open your settings, click on `Editor`, `Code style`, `Java`, the settings icon, `import scheme`, `IntelliJ` and select the downloaded file.
+
+Pull requests will only be approved if the code is formatted according to the code style configurations above. To format the code with maven before pushing to GitHub, use `mvn compile -Pformat-and-sort`.
+
+### Branching strategy
+
+[Git Flow](https://www.atlassian.com/de/git/tutorials/comparing-workflows/gitflow-workflow) is used as this project's branching strategy. Therefore, you will find the following structure:
+
+* main
+* develop
+* issue
+* hotfix
+* release
+
+Notice that only the first two elements listed are actual branches. The other elements are containers to hold all branches belonging to that category.
+
+
+#### Branch naming
+
+The following ruleset is applied to name branches:
+
+* `issue/_`
+* `hotfix/`
+* `release/`
+
+## Setting up the project
+
+This chapter lists all important requirements to get the project buildable and running properly.
+
+### Java
+
+This project uses Java JDK 17, so make sure you have it installed on your system.
+
+### Docker
+
+[Docker](https://www.docker.com/) is used in this project to test database functionality and to run more complex test-setups.
+
+### Maven
+
+The project relies on [Maven](https://maven.apache.org/) as its management tool.
+*Important:* When building the project you might encounter the following error:
+*Could not determine gpg version* [GPG](https://gnupg.org/) is used to sign artifacts for public release. Since this does not concern contributors, you may skip this step in the maven build process with `-Dgpg.skip`.
+
+
+## Workflow
+
+1. Create an issue or comment on an issue that you want to contribute some feature
+2. Fork the repository, create a branch and mention it in the issue
+3. If you desire feedback, create a pull request or comment on it in the issue. Feel free to @ any member with write permissions if you feel like your request has not been registered yet. They will review your changes and/or change requests
+4. If your changes are production-ready, create a [pull request](https://github.com/datasharingframework/dsf/pulls).
+
+### Pull request process
+
+We follow Martin Fowler's method for managing pull requests. This approach categorizes pull requests based on the level of trust and experience of the contributor, as well as the impact of the changes. Here's how we apply it:
+
+1. **Ship**: For our most trusted contributors with a proven track record. These members can merge their pull requests without prior review, typically for minor or highly confident changes.
+
+2. **Show**: This level is for trusted contributors who need some oversight, as well as for experienced developers who want to demonstrate how certain changes should be made in the future. They create pull requests and show their work to the team.
+
+3. **Ask**: New or less experienced contributors, as well as those submitting more complex changes, fall into this category. They are required to ask for feedback and approval before their changes can be merged, ensuring thorough review and quality control.
+
+
+This method helps us maintain a balance between code quality and efficient development, recognizing the varying levels of expertise among our contributors.
+
+For more information on Fowler's approach, visit [Martin Fowler's article on Pull Requests](https://martinfowler.com/articles/ship-show-ask.html).
+
+
+## Data Security in DSF Development
+
+The DSF (Data Sharing Framework) and its process plugins are frequently used to transmit sensitive personal data. To prevent the release of personal data during development, please adhere to the following guidelines:
+
+- **No development with real personal data:** Always use anonymized or synthetic data for development purposes.
+- **No personal data in repositories:** Ensure no personal data is present in local and remote repositories intended for publication, not even temporarily.
+- **Review all log files:** Before using log files in issues, examples, etc., thoroughly review them to ensure no personal and sensitive data is included.
+
+---
+
+## Contributing Documentation
+Source: https://dsf.dev/community/contribute/documentation.html
+
+# Contribute documentation
+**Join us in enhancing our documentation!**
+
+We believe in the power of community collaboration to make our documentation clearer, more comprehensive, and more user-friendly. There are several ways you can contribute, and we welcome greatly your input!
+
+
+1. **Contact us with feedback**: If you find any of our documentation unclear or if you think there's a topic not covered yet, please don't hesitate to reach out to us. Your perspective as a reader is invaluable in helping us to identify areas for improvement.
+2. **Create an issue**: You noticed something that needs fixing or you have a suggestion? Head over to our GitHub repository at [Data Sharing Framework Documentation](https://github.com/datasharingframework/datasharingframework.github.io/issues) and please create an issue. This way, our team and other contributors can track and address documentation changes systematically.
+3. **Contribute directly with a pull request**: If you're feeling proactive and want to make direct changes, you're more than welcome to submit a pull request. Visit our GitHub repository at [Data Sharing Framework Documentation](https://github.com/datasharingframework/datasharingframework.github.io) and feel free to propose your changes. Whether it's a typo fix, a new section, or enhanced explanations, every contribution counts.
+
+We're excited to see your suggestions and are grateful for every contribution that helps us improve. Let's build better documentation together!
+
+---
+
+## Consultation Hours
+Source: https://dsf.dev/community/consultation-hours.html
+
+::: tip Joint Technical Consultation of the DSF Community and FDPG+
+
+Mondays, 14:00–14:50
+
+Location: https://dsf.dev/sprechstunde
+:::
+
+Click [here](https://lecture.senfcall.de/sim-ock-1vk-l8o) to join the consultation hour.
+
+---
+
+## Publications
+Source: https://dsf.dev/explore/publications.html
+
+### Publications
+
+- H. Hund, R. Wettstein, C.M. Heidt, C. Fegeler, **Executing Distributed Healthcare and Research Processes – The HiGHmed Data Sharing Framework**, Stud Health Technol Inform, 278 (2021) 126-133, [doi:10.3233/SHTI210060](https://ebooks.iospress.nl/doi/10.3233/SHTI210060)
+
+- R. Wettstein, H. Hund, I. Kobylinski, C. Fegeler, O. Heinze, **Feasibility Queries in Distributed Architectures – Concept and Implementation in HiGHmed**, Stud Health Technol Inform, 278 (2021) 134-141, [doi:10.3233/SHTI210061](https://ebooks.iospress.nl/doi/10.3233/SHTI210061)
+
+- C.M. Heidt, H. Hund, C. Fegeler, **A Federated Record Linkage Algorithm for Secure Medical Data Sharing**, Stud Health Technol Inform, 278 (2021) 142-149, [doi:10.3233/SHTI210062](https://ebooks.iospress.nl/doi/10.3233/SHTI210062)
+
+- R. Wettstein, H. Hund, C. Fegeler, O. Heinze, **Data Sharing in Distributed Architectures – Concept and Implementation in HiGHmed**, Stud Health Technol Inform, 283 (2021) 111-118, [doi:10.3233/SHTI210548](https://ebooks.iospress.nl/doi/10.3233/SHTI210548)
+
+- H.-U. Prokosch, T. Bahls, M. Bialke, J. Eils, C. Fegeler, J. Gruendner, B. Haarbrandt, C. Hampf, W. Hoffmann, H. Hund, et al. **The COVID-19 Data Exchange Platform of the German University Medicine**, Stud Health Technol Inform, 294 (2022) 674-678, [doi:10.3233/SHTI220554](https://ebooks.iospress.nl/doi/10.3233/SHTI220554)
+
+- R. Wettstein, T. Kussel, H. Hund, C. Fegeler, M. Dugas, K. Hamacher, **Secure Multi-Party Computation Based Distributed Feasibility Queries – A HiGHmed Use Case**, Stud Health Technol Inform, 296 (2022) 41-49, [doi:10.3233/SHTI220802](https://ebooks.iospress.nl/doi/10.3233/SHTI220802)
+
+- C. Zilske, M. Kurscheidt, S.T. Schweizer, H. Hund, S. Mödinger, C. Fegeler, **Monitoring Distributed Business Processes in Biomedical Research**, Stud Health Technol Inform, 302 (2023) 252-256, [doi:10.3233/SHTI230113](https://ebooks.iospress.nl/doi/10.3233/SHTI230113)
+
+- H. Hund, R. Wettstein, C. Hampf, M. Bialke, M. Kurscheidt, S.T. Schweizer, C. Zilske, S. Mödinger, C. Fegeler, **No Transfer Without Validation: A Data Sharing Framework Use Case**, Stud Health Technol Inform, 302 (2023) 68-72, [doi:10.3233/SHTI230066](https://ebooks.iospress.nl/doi/10.3233/SHTI230066)
+
+- H. Hund, R. Wettstein, M. Kurscheidt, S.T. Schweizer, C. Zilske, C. Fegeler, **Interoperability Is a Process- The Data Sharing Framework**, Stud Health Technol Inform, 310 (2024) 28-32, [doi:10.3233/SHTI230921](https://ebooks.iospress.nl/doi/10.3233/SHTI230921)
+
+- S.T. Schweizer, H. Hund, M. Kurscheidt, C. Zilske, J.P. Böhringer, C. Fegeler, **Handling Complexity in Decentralized Research Networks: The Data Sharing Framework Allowlist Management Application**, Stud Health Technol Inform, 317 (2024) 85-93, [doi:10.3233/SHTI240841](https://ebooks.iospress.nl/doi/10.3233/SHTI240841)
+
+### Recorded Talks
+#### Operaton 2025
+- [Migration experiences from Camunda 7 to Operaton for DSF 2.0 ](https://www.youtube.com/watch?v=sdjm1wqGMMM)
+
+#### Miracum Difuture Kolloquium 2024
+- [MII Modul 2 Verbundprojekt „Data Sharing Framework Community“](https://sites.google.com/master-bids.de/miracum-difuture-kolloquium/archiv/2024/2024-02-20_data-sharing-framework-community)
+
+#### GMDS Conference 2022
+- [Hands On! - Introduction to the Data Sharing Framework from a User Perspective ](https://www.youtube.com/playlist?list=PLsHs7HOt6jDMe3PNevpo-uGsDTWVSMsYZ)
+
+#### GMDS Conference 2020
+- [Executing Distributed Healthcare and Research Processes – the HiGHmed Data Sharing Framework](https://www.youtube.com/watch?v=OzjyqmZZPSA)
+- [Feasibility Queries in Distributed Architectures – Concept and Implementation in HiGHmed](https://www.youtube.com/watch?v=6Pom8KqYhTs)
+- [A Federated Record Linkage Algorithm for Secure Medical Data Sharing](https://www.youtube.com/watch?v=bSEPqzxF8mM)
+
+---
+
+## Awards
+Source: https://dsf.dev/explore/awards.html
+
+## Awards
+- [Rolf Hansen Memorial Award 2023](../posts/2023-05-30-mie-award-2023.md)
+
+---
+
+## Security Policy
+Source: https://dsf.dev/security/
+
+We take security of the DSF, its process plugins, services and tools we operate very seriously.
+
+We describe the security mechanisms used by the DSF to implement secure communication on the pages [Architecture](/explore/concepts/architecture), [Security](/explore/concepts/security) and [Allow List](/explore/concepts/allow-list).
+
+To ensure a high level of security, you should always install the latest DSF version and use the latest versions of the process plugins. Use the [instructions to install](/operations/latest/install) the latest version of the DSF or [to upgrade](/operations/latest/upgrade-from-1) on the latest version. The instructions described there implement the security configuration recommended by us.
+
+It is also important that you ensure a secure operating environment in which you verify firewall configurations, keep the operating systems on which the DSF is running up to date and harden it according to the latest state of the art.
+
+## Security vulnerability disclosure policy
+
+### Our commitment to security
+
+We as the DSF development team take security of our software, services and data very seriously. We understand that despite our best efforts, vulnerabilities can exist. To address this, we encourage responsible reporting of any security vulnerabilities discovered in our software and systems.
+
+### Responsible disclosure
+
+We kindly ask security researchers and the general public to follow the principles of *Coordinated Vulnerability Disclosure (CVD)* or *Responsible Disclosure* when reporting vulnerabilities to us. This approach helps us to mitigate potential risks and protect our users' data effectively.
+
+### How to Report a Vulnerability
+
+If you believe you have found a security vulnerability in our system, please email us at **[dsf-security@hs-heilbronn.de](mailto:dsf-security@hs-heilbronn.de)**. If you want to use end-to-end-encryption, you can send us mails using s-mime with the certificate chain provided [here](https://github.com/datasharingframework/dsf/blob/main/SECURITY_CERTIFICATE.pem). We kindly request the following:
+
+* Provide a detailed description of the vulnerability, including if possible the potential impact and how it can be exploited.
+* Include steps to reproduce the vulnerability or proof-of-concept code, if possible.
+* Avoid accessing or modifying user data without permission, and do not exploit a security issue for any reason other than testing.
+* Maintain confidentiality and do not publicly disclose the vulnerability, until we have had the opportunity to investigate and address it.
+
+Please do not file an issue on a security-related topic and use the e-mail address provided. You can verify the address both in the [application repository](https://github.com/datasharingframework/dsf/blob/main/SECURITY.md) and at the homepage (this page).
+
+### Our promise
+
+* **Acknowledgement**: We usually will acknowledge receipt of your vulnerability report within 48 hours.
+* **Investigation**: Our security team will investigate the issue and work diligently to verify and reproduce the vulnerability.
+* **Communication**: We will keep you informed of our progress as we work to resolve the issue.
+* **Resolution**: We will strive to resolve security issues in a timely manner and release updates, patches, or remediations as needed.
+* **Recognition**: We value your effort in making our systems more secure and will recognize your contribution, if desired, once the vulnerability is resolved.
+
+### Legal Protection
+
+We promise not to initiate legal action against individuals who report vulnerabilities responsibly in accordance with this policy. This includes not suing for accidental access to data or reporting in good faith.
+
+### Questions?
+
+If you have any questions about this policy or security of the Data Sharing Framework, the services and tools we provide, please contact us at **[dsf-security@hs-heilbronn.de](mailto:dsf-security@hs-heilbronn.de)**. You can send us encrypted e-mails using s-mime. You can find the certificate chain [here](https://github.com/datasharingframework/dsf/blob/main/SECURITY_CERTIFICATE.pem).
+
+---
+
+## Process Plugin Development API v1
+Source: https://dsf.dev/process-development/api-v1/
+
+## Overview
+- [About API1](description)
+- [Implementation Guide](implementation)
+
+---
+
+## Old DSF Versions
+Source: https://dsf.dev/operations/old-versions.html
+
+
+
+---
+
+## News
+Source: https://dsf.dev/news/
+
+
+
+---
+
+## DSF for your project
+Source: https://dsf.dev/for-you/
+
+
+
+::: tip Summary
+
+- **Use case agnostic middleware**: DSF is adaptable to any distributed process, leveraging BPMN 2.0 and FHIR R4 for secure, efficient data sharing across various biomedical research scenarios.
+
+- **Security**: DSF prioritizes security through stringent authentication and authorization protocols, ensuring data is accessed and shared only by authorized organizations to maintain data confidentiality and integrity.
+
+- **Proven in clinical research**: Deployed in German university hospitals, DSF's effectiveness and reliability are validated in real-world settings.
+
+- **Implementation guidance**: DSF offers resources on how to implement new process plugins.
+
+
+:::
+
+
+## Overview of DSF
+
+The **Data Sharing Framework (DSF)** is a secure middleware solution designed to facilitate data sharing across different organizations for biomedical research. It utilizes BPMN 2.0 and FHIR R4 standards to support processes such as data extraction, merging, pseudonymization, and provisioning. Funded by the German Federal Ministry of Research, Technology and Space as part of the Medical Informatics initiative, the DSF aims to improve data interoperability and security across institutional boundaries.
+
+## Key features and benefits
+
+### Distributed data sharing processes
+
+DSF enables distributed data sharing by providing each participating site with a FHIR endpoint and a business process engine. This setup ensures that data can be securely shared and processed across different sites, facilitating cross-site data sharing and feasibility analyses.
+
+### Flexibility with data standards
+
+While DSF primarily uses the FHIR R4 standard to ensure high-quality data exchange, it is designed to be open and adaptable to other data formats. This flexibility allows for a wide range of data types to be incorporated into research projects.
+
+### Security and access control
+
+Security is a critical component of DSF, which includes robust authentication and authorization protocols. These protocols ensure that data access and sharing are restricted to authorized organizations, maintaining the confidentiality and integrity of the data.
+
+### Deployment in clinical environments
+
+DSF is already deployed and operational in *Data Integration Centers* at German university hospitals, demonstrating its applicability and reliability in real-world clinical research settings.
+
+## Getting started with the DSF
+
+
+
+If you're looking to leverage the DSF for your research or you're interested in exploring how it can enhance your data sharing needs, we're here to support you. Visit the **[Learn how to implement your use case](./learn.md)** page to start your journey towards integrating the DSF into your research project.
+
+Should you have any questions or need personalized assistance, don't hesitate to reach out to the DSF core team directly at **dsf-gecko@hs-heilbronn.de**.
+
+Embark on your DSF journey today and [join a community](/community/contribute/) committed to advancing biomedical research through secure, interoperable data sharing.
+
+---
+
+## How to implement your use-case
+Source: https://dsf.dev/for-you/learn.html
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+
+If you want further information about the DSF and how to implement use cases, please visit:
+
+- [Documentation Overview](../explore/)
+- [Getting started](../operations/get-started.md)
+- [Contact us](../community/communication.md)
+
+:::
+
+---
+
+## Operations Overview
+Source: https://dsf.dev/operations/latest/
+
+Data Sharing Framework 2.x is the new upcoming release of the Data Sharing Framework.
+
+
+# System Administrators
+
+- [Install DSF 2.1.0](install)
+- [Upgrade from DSF 1.9.0](upgrade-from-1)
+
+
+## New features
+- See [Release Notes](https://github.com/datasharingframework/dsf/releases/tag/v2.1.0)
+
+
+
+---
+
+## BPE Reverse Proxy
+Source: https://dsf.dev/operations/latest/bpe-reverse-proxy/
+
+## Purpose
+
+The **DSF BPE Reverse Proxy** is an Apache HTTP Server based front for the [BPE Server](../bpe/). It terminates TLS for the BPE's web UI and OIDC-authenticated administrative endpoints, and forwards authenticated requests to the BPE backend. Unlike the [FHIR Reverse Proxy](../fhir-reverse-proxy/), it is intended for internal operator and administrator access only, not for DSF-to-DSF traffic.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/bpe_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy)
+- Tag for this release: `2.1.0`
+
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+ ghcr.io/datasharingframework/bpe_proxy:2.1.0@sha256:c67da4a1720ea75a383764db2bf25619fe70f57773b1069029f5b49588eb1ecc \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [How to Verify Image Signatures](../image-verification)
+
+---
+
+## BPE Server
+Source: https://dsf.dev/operations/latest/bpe/
+
+## Purpose
+
+The **DSF Business Process Engine (BPE)** executes the BPMN 2.0 workflows that drive distributed data sharing processes between DSF instances. It listens for new `Task` resources on the local FHIR Server, runs the corresponding process plugin, and creates follow-up `Task` resources on remote FHIR Servers via its configured FHIR client connections. The BPE is an internal component and is not exposed to the public network — it talks to local systeme (e.g., the local FHIR Store) and to remote DSF FHIR Servers through their reverse proxies.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/bpe`](https://github.com/datasharingframework/dsf/pkgs/container/bpe)
+- Tag for this release: `2.1.0`
+
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+ ghcr.io/datasharingframework/bpe:2.1.0@sha256:3ee7ef0ac201fc3776273fbfc2569bdc4edf724a2bb9f1b4a889eb7e13ff4049 \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [Access Control](access-control)
+- [OpenID Connect](oidc)
+- [Logging](logging)
+- [FHIR Client Connections](fhir-client-connections)
+- [How to Verify Image Signatures](../image-verification)
+
+---
+
+## BPE FHIR Client Connections
+Source: https://dsf.dev/operations/latest/bpe/fhir-client-connections.html
+
+::: info Compatible Process Plugins
+To our knowledge, as of January 2026 no process plugins have been released into production compatible with this plugin API v2 feature.
+:::
+
+AS part of the process plugin API v2 the DSF BPE Server provides a standardized way for plugins to use FHIR (data) server client connections configured for the entire BPE server. Connections are configured using YAML and specified via the environment variable [`DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG`](configuration.html#dev-dsf-bpe-fhir-client-connections-config). The value for this environment variable is specified as YAML using the block scalar |.
+
+The listing below shows a minimal configuration:
+
+```yaml
+ DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG: |
+ min-server:
+ base-url: http://min.server/fhir
+```
+
+
+The mechanism supports authenticated and non-authenticated connections to FHIR (data) servers using `http` and `https` connections. Basic, Bearer-Token, Client-Certificate, and OIDC Client-Credentials-Flow authentication schemes are supported.
+
+Multiple connections can be configured. Every connection has an ID (valid YAML property name) that needs to be supplied to the process plugin that is supposed to use the connection. Multiple process plugins can use the same connection config.
+
+
+
+A JSON schema is available to validate the configuration YAML: https://dsf.dev/schema/fhir_client_connections.json
+
+### Configuration Examples
+
+#### No Authentication, some defaults overridden
+
+ID: `no-auth-server`
+
+```yaml
+# yaml-language-server: $schema=https://dsf.dev/schema/fhir_client_connections.json
+no-auth-server:
+ base-url: https://no.auth.server:8443/fhir
+ test-connection-on-startup: yes
+ enable-debug-logging: yes
+ connect-timeout: PT0.5S
+ read-timeout: PT5M
+ trusted-root-certificates-file: 'ca.crt'
+```
+
+#### Basic Authentication
+
+ID: `basic-auth-server`
+
+```yaml
+# yaml-language-server: $schema=https://dsf.dev/schema/fhir_client_connections.json
+basic-auth-server:
+ base-url: https://basic.auth.server/fhir
+ basic-auth:
+ username: user
+ password-file: 'password.file’
+```
+
+#### Client Certificate Authentication
+
+ID: `cert-auth-server`
+
+```yaml
+# yaml-language-server: $schema=https://dsf.dev/schema/fhir_client_connections.json
+cert-auth-server:
+ base-url: https://cert.auth.server/fhir/foo
+ cert-auth:
+ private-key-file: 'client.key'
+ certificate-file: 'client.crt'
+ password: 'password'
+```
+
+#### OIDC Client-Credentials-Flow Authentication
+
+ID: `oidc-auth-server`
+
+```yaml
+# yaml-language-server: $schema=https://dsf.dev/schema/fhir_client_connections.json
+oidc-auth-server:
+ base-url: https://oidc.auth.server/fhir
+ oidc-auth:
+ base-url: https://oidc.server
+ client-id: some_client_id
+ client-secret-file: 'path/password.file’
+```
+
+For a full list of configuration properties see the FHIR client connections [validation schema](https://dsf.dev/schema/fhir_client_connections.json).
+
+---
+
+## BPE Logging
+Source: https://dsf.dev/operations/latest/bpe/logging.html
+
+The DSF BPE Server provides a **Standard Application Logger** and a dedicated **Data Logger** to help debug problems with process plugins. Both mechanisms can output there messages to standard output (stdout), standard error (stderr) and dedicated log files.
+
+By default the **Standard Application Logger** is configured to output with min. level `INFO` and format `TEXT_COLOR` to *stdout* as well as min. level `DEBUG` and format `TEXT_MDC` to a dedicated log file. The **Data Logger** is disabled by default and should only be used to debug problems with process plugins temporarily.
+
+### Standard Application Logger
+The file, *stdout* and *stderr* outputs for the **Standard Application Logger** can be enabled or disabled using the environment variables [`DEV_DSF_LOG_FILE_ENABLED`](./configuration.md#dev-dsf-log-file-enabled), [`DEV_DSF_LOG_CONSOLE_OUT_ENABLED`](./configuration.md#dev-dsf-log-console-out-enabled) and [`DEV_DSF_LOG_CONSOLE_ERR_ENABLED`](./configuration.md#dev-dsf-log-console-err-enabled).
+
+#### Output Level
+Log messages are grouped by severity (low to high): `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`. A minimal log level can be configured for the file, *stdout* and *stderr* outputs using the environment variables [`DEV_DSF_LOG_FILE_LEVEL`](./configuration.md#dev-dsf-log-file-level), [`DEV_DSF_LOG_CONSOLE_OUT_LEVEL`](./configuration.md#dev-dsf-log-console-out-level) and [`DEV_DSF_LOG_CONSOLE_ERR_LEVEL`](./configuration.md#dev-dsf-log-console-err-level).
+
+#### Output Style
+Multiple styles are supported for the **Standard Application Logger** file, *stdout* and *stderr* outputs. All structured logging JSON styles include additional infos (Mapped Diagnostic Context) about the executing process plugin and process instance, or the requesting user. The output style can be configured using the environment variables [`DEV_DSF_LOG_FILE_STYLE`](./configuration.md#dev-dsf-log-file-style), [`DEV_DSF_LOG_CONSOLE_OUT_STYLE`](./configuration.md#dev-dsf-log-console-out-style) and [`DEV_DSF_LOG_CONSOLE_ERR_STYLE`](./configuration.md#dev-dsf-log-console-err-style). The **TEXT_COLOR** and **TEXT_COLOR_MDC** styles are not supported for the file output.
+* **TEXT** a minimal text format.
+* **TEXT_COLOR** a minimal text format with ANSI escape sequences to colorize WARN and ERROR messages. Not supported for the file output.
+* **TEXT_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user.
+* **TEXT_COLOR_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user and ANSI escape sequences to colorize WARN and ERROR events. Not supported for the file output.
+* **JSON_ECS** follows the Elastic Common Schema (ECS) reference.
+* **JSON_GCP** uses the Google Cloud Platform structured logging model with additional `_thread`, `_logger` and `_exception` fields.
+* **JSON_GELF** follows the Graylog Extended Log Format (GELF) payload specification with added `_thread` and `_logger` fields.
+* **JSON_LOGSTASH** uses the Logstash json_event pattern for log4j.
+
+::: code-tabs#shell
+
+@tab TEXT
+
+```text :no-line-numbers
+2026-01-14 12:21:17,892 [main] INFO dev.dsf.common.buildinfo.BuildInfoReaderImpl - Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685
+2026-01-14 12:23:15,922 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
+org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
+ at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
+ at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
+ at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
+ at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
+ at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
+ at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
+ at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
+ at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+ at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
+ at org.eclipse.jetty.server.Server.start(Server.java:689)
+ at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
+ at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
+ at org.eclipse.jetty.server.Server.doStart(Server.java:630)
+ at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+ at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
+ at dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)
+ ... 33 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 48 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$1()
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 51 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 73 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()
+ at dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)
+ at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()
+ at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 76 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 95 more
+Caused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at dev.dsf.common.config.AbstractCertificateConfig.createClientKeyStore(AbstractCertificateConfig.java:235)
+ at dev.dsf.bpe.spring.config.PropertiesConfig.getDsfClientKeyStore(PropertiesConfig.java:579)
+ at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.CGLIB$getDsfClientKeyStore$23()
+ at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 98 more
+Caused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)
+ at dev.dsf.common.config.AbstractCertificateConfig.createClientKeyStore(AbstractCertificateConfig.java:228)
+ ... 107 more
+Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)
+ ... 109 more
+Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
+ at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
+ at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
+ at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
+ at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+ at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+ at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
+ ... 111 more
+Caused by: javax.crypto.BadPaddingException: pad block corrupted
+ at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
+ at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
+ at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2139)
+ ... 117 more
+2026-01-14 12:24:35,514 [pool-2-thread-1] INFO dev.dsf.bpe.v2.listener.StartListener - Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:24:35+01:00 [task: https://fhir/fhir/Task/04c2ff6f-dfce-4201-9c3d-bbce15dc892a, requester: webbrowser.test.user@invalid, business-key: 92f2eee2-319e-47dc-8bdb-f646740b05c8, message: helloWorld]
+2026-01-14 12:24:35,521 [pool-2-thread-1] INFO dev.dsf.bpe.service.HelloWorld - Hello World from organization with identifier 'webbrowser.test.user@invalid'
+```
+
+@tab TEXT_MDC
+
+```text :no-line-numbers
+2026-01-14 12:25:51,000 [main] INFO dev.dsf.common.buildinfo.BuildInfoReaderImpl - Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685
+2026-01-14 12:26:24,075 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
+org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
+ at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
+ at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
+ at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
+ at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
+ at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
+ at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
+ at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
+ at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+ at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
+ at org.eclipse.jetty.server.Server.start(Server.java:689)
+ at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
+ at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
+ at org.eclipse.jetty.server.Server.doStart(Server.java:630)
+ at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+ at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
+ at dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)
+ ... 33 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 48 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$1()
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 51 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 73 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()
+ at dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)
+ at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()
+ at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 76 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 95 more
+Caused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at dev.dsf.common.config.AbstractCertificateConfig.createClientKeyStore(AbstractCertificateConfig.java:235)
+ at dev.dsf.bpe.spring.config.PropertiesConfig.getDsfClientKeyStore(PropertiesConfig.java:579)
+ at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.CGLIB$getDsfClientKeyStore$23()
+ at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 98 more
+Caused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)
+ at dev.dsf.common.config.AbstractCertificateConfig.createClientKeyStore(AbstractCertificateConfig.java:228)
+ ... 107 more
+Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)
+ ... 109 more
+Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
+ at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
+ at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
+ at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
+ at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+ at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+ at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
+ ... 111 more
+Caused by: javax.crypto.BadPaddingException: pad block corrupted
+ at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
+ at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
+ at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2139)
+ ... 117 more
+2026-01-14 12:28:10,811 [pool-2-thread-1] INFO dev.dsf.bpe.v2.listener.StartListener - {dsf.plugin.api=2, dsf.plugin.jar=process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar, dsf.plugin.name=dsf-process-hello-world, dsf.plugin.version=2.0.0.0, dsf.process=http://dsf.dev/bpe/Process/helloWorld|2.0, dsf.process.activityId=StartEvent_1, dsf.process.businessKey=110f2d10-e140-4e9f-a76d-63e9c3eb4579, dsf.process.definitionId=dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa, dsf.process.definitionKey=dsfdev_helloWorld, dsf.process.instanceId=1b5bd4cf-f13c-11f0-8e80-b6c09f49be99, dsf.process.requester.start=webbrowser.test.user@invalid, dsf.process.task.start=https://fhir/fhir/Task/b822f6cb-3cf0-4132-926e-fd7730e780f0} - Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:28:10+01:00 [task: https://fhir/fhir/Task/b822f6cb-3cf0-4132-926e-fd7730e780f0, requester: webbrowser.test.user@invalid, business-key: 110f2d10-e140-4e9f-a76d-63e9c3eb4579, message: helloWorld]
+2026-01-14 12:28:10,820 [pool-2-thread-1] INFO dev.dsf.bpe.service.HelloWorld - {dsf.plugin.api=2, dsf.plugin.jar=process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar, dsf.plugin.name=dsf-process-hello-world, dsf.plugin.version=2.0.0.0, dsf.process=http://dsf.dev/bpe/Process/helloWorld|2.0, dsf.process.activityId=helloWorldTask, dsf.process.activityName=Hello World, dsf.process.businessKey=110f2d10-e140-4e9f-a76d-63e9c3eb4579, dsf.process.definitionId=dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa, dsf.process.definitionKey=dsfdev_helloWorld, dsf.process.instanceId=1b5bd4cf-f13c-11f0-8e80-b6c09f49be99, dsf.process.requester.start=webbrowser.test.user@invalid, dsf.process.task.start=https://fhir/fhir/Task/b822f6cb-3cf0-4132-926e-fd7730e780f0} - Hello World from organization with identifier 'webbrowser.test.user@invalid'
+```
+
+@tab JSON_ECS
+
+```json :no-line-numbers
+{
+ "@timestamp": "2026-01-14T11:33:31.869Z",
+ "ecs.version": "1.2.0",
+ "log.level": "INFO",
+ "message": "Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+ "process.thread.name": "main",
+ "log.logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+ "@timestamp": "2026-01-14T11:34:59.557Z",
+ "ecs.version": "1.2.0",
+ "log.level": "ERROR",
+ "message": "Context initialization failed",
+ "process.thread.name": "main",
+ "log.logger": "org.springframework.web.context.ContextLoader",
+ "error.type": "org.springframework.beans.factory.BeanCreationException",
+ "error.message": "Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher",
+ "error.stack_trace": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$2()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.ja…"
+}
+{
+ "@timestamp": "2026-01-14T11:36:22.477Z",
+ "ecs.version": "1.2.0",
+ "log.level": "INFO",
+ "message": "Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:36:22+01:00 [task: https://fhir/fhir/Task/8e9cd5b0-17db-460a-9e4a-73d6c8128ed4, requester: webbrowser.test.user@invalid, business-key: 6d808467-4b71-44bd-8c4c-1ec9f5482855, message: helloWorld]",
+ "process.thread.name": "pool-2-thread-1",
+ "log.logger": "dev.dsf.bpe.v2.listener.StartListener",
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+ "dsf.process.activityId": "StartEvent_1",
+ "dsf.process.businessKey": "6d808467-4b71-44bd-8c4c-1ec9f5482855",
+ "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+ "dsf.process.definitionKey": "dsfdev_helloWorld",
+ "dsf.process.instanceId": "406b2d2f-f13d-11f0-9f64-5e3458c5889b",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/8e9cd5b0-17db-460a-9e4a-73d6c8128ed4"
+}
+{
+ "@timestamp": "2026-01-14T11:36:22.483Z",
+ "ecs.version": "1.2.0",
+ "log.level": "INFO",
+ "message": "Hello World from organization with identifier 'webbrowser.test.user@invalid'",
+ "process.thread.name": "pool-2-thread-1",
+ "log.logger": "dev.dsf.bpe.service.HelloWorld",
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+ "dsf.process.activityId": "helloWorldTask",
+ "dsf.process.activityName": "Hello World",
+ "dsf.process.businessKey": "6d808467-4b71-44bd-8c4c-1ec9f5482855",
+ "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+ "dsf.process.definitionKey": "dsfdev_helloWorld",
+ "dsf.process.instanceId": "406b2d2f-f13d-11f0-9f64-5e3458c5889b",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/8e9cd5b0-17db-460a-9e4a-73d6c8128ed4"
+}
+```
+
+@tab JSON_GCP
+
+```json :no-line-numbers
+{
+ "timestampSeconds": 1768390669,
+ "timestampNanos": 347278835,
+ "severity": "INFO",
+ "message": "Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+ "logging.googleapis.com/sourceLocation": {
+ "function": "dev.dsf.common.buildinfo.BuildInfoReaderImpl.logBuildInfo"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "thread": "main",
+ "logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+ "timestampSeconds": 1768390720,
+ "timestampNanos": 287531451,
+ "severity": "ERROR",
+ "message": "Context initialization failed\norg.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$1()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(…",
+ "logging.googleapis.com/sourceLocation": {
+ "function": "org.springframework.web.context.ContextLoader.initWebApplicationContext"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "exception": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$1()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.ja…",
+ "thread": "main",
+ "logger": "org.springframework.web.context.ContextLoader"
+}
+{
+ "timestampSeconds": 1768390780,
+ "timestampNanos": 130358998,
+ "severity": "INFO",
+ "message": "Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:39:40+01:00 [task: https://fhir/fhir/Task/cf656fa3-2067-4e7e-8325-7f6cf1f4300d, requester: webbrowser.test.user@invalid, business-key: 6741a33d-09bd-405e-b011-81c16f42f08f, message: helloWorld]",
+ "logging.googleapis.com/labels": {
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+ "dsf.process.activityId": "StartEvent_1",
+ "dsf.process.businessKey": "6741a33d-09bd-405e-b011-81c16f42f08f",
+ "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+ "dsf.process.definitionKey": "dsfdev_helloWorld",
+ "dsf.process.instanceId": "b63a052a-f13d-11f0-b579-bad729d5f5ed",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/cf656fa3-2067-4e7e-8325-7f6cf1f4300d"
+ },
+ "logging.googleapis.com/sourceLocation": {
+ "function": "dev.dsf.bpe.v2.listener.StartListener.logStart"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "thread": "pool-2-thread-1",
+ "logger": "dev.dsf.bpe.v2.listener.StartListener"
+}
+{
+ "timestampSeconds": 1768390780,
+ "timestampNanos": 137602932,
+ "severity": "INFO",
+ "message": "Hello World from organization with identifier 'webbrowser.test.user@invalid'",
+ "logging.googleapis.com/labels": {
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+ "dsf.process.activityId": "helloWorldTask",
+ "dsf.process.activityName": "Hello World",
+ "dsf.process.businessKey": "6741a33d-09bd-405e-b011-81c16f42f08f",
+ "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+ "dsf.process.definitionKey": "dsfdev_helloWorld",
+ "dsf.process.instanceId": "b63a052a-f13d-11f0-b579-bad729d5f5ed",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/cf656fa3-2067-4e7e-8325-7f6cf1f4300d"
+ },
+ "logging.googleapis.com/sourceLocation": {
+ "function": "dev.dsf.bpe.service.HelloWorld.execute"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "thread": "pool-2-thread-1",
+ "logger": "dev.dsf.bpe.service.HelloWorld"
+}
+```
+
+@tab JSON_GELF
+
+```json :no-line-numbers
+{
+ "version": "1.1",
+ "host": "ce85e727ccb2",
+ "short_message": "Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+ "timestamp": 1768390889.4524915,
+ "level": 6,
+ "_logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl",
+ "_thread": "main"
+}
+{
+ "version": "1.1",
+ "host": "4fa9b078922b",
+ "short_message": "Context initialization failed",
+ "full_message": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$2()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.ja…",
+ "timestamp": 1768390920.9521272,
+ "level": 3,
+ "_logger": "org.springframework.web.context.ContextLoader",
+ "_thread": "main"
+}
+{
+ "version": "1.1",
+ "host": "bfc8c2c136fd",
+ "short_message": "Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:43:10+01:00 [task: https://fhir/fhir/Task/c8e6bcd1-2d1f-4e83-9ebe-fe9e47001771, requester: webbrowser.test.user@invalid, business-key: ee2b9d8b-ea9b-4b0f-85f0-4ce36fda5520, message: helloWorld]",
+ "timestamp": 1768390990.5990896,
+ "level": 6,
+ "_logger": "dev.dsf.bpe.v2.listener.StartListener",
+ "_thread": "pool-2-thread-1",
+ "_dsf.plugin.api": "2",
+ "_dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "_dsf.plugin.name": "dsf-process-hello-world",
+ "_dsf.plugin.version": "2.0.0.0",
+ "_dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+ "_dsf.process.activityId": "StartEvent_1",
+ "_dsf.process.businessKey": "ee2b9d8b-ea9b-4b0f-85f0-4ce36fda5520",
+ "_dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+ "_dsf.process.definitionKey": "dsfdev_helloWorld",
+ "_dsf.process.instanceId": "33ac9516-f13e-11f0-b349-ca0141535fb3",
+ "_dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "_dsf.process.task.start": "https://fhir/fhir/Task/c8e6bcd1-2d1f-4e83-9ebe-fe9e47001771"
+}
+{
+ "version": "1.1",
+ "host": "bfc8c2c136fd",
+ "short_message": "Hello World from organization with identifier 'webbrowser.test.user@invalid'",
+ "timestamp": 1768390990.6061802,
+ "level": 6,
+ "_logger": "dev.dsf.bpe.service.HelloWorld",
+ "_thread": "pool-2-thread-1",
+ "_dsf.plugin.api": "2",
+ "_dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "_dsf.plugin.name": "dsf-process-hello-world",
+ "_dsf.plugin.version": "2.0.0.0",
+ "_dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+ "_dsf.process.activityId": "helloWorldTask",
+ "_dsf.process.activityName": "Hello World",
+ "_dsf.process.businessKey": "ee2b9d8b-ea9b-4b0f-85f0-4ce36fda5520",
+ "_dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+ "_dsf.process.definitionKey": "dsfdev_helloWorld",
+ "_dsf.process.instanceId": "33ac9516-f13e-11f0-b349-ca0141535fb3",
+ "_dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "_dsf.process.task.start": "https://fhir/fhir/Task/c8e6bcd1-2d1f-4e83-9ebe-fe9e47001771"
+}
+```
+
+@tab:active JSON_LOGSTASH
+
+```json :no-line-numbers
+{
+ "@version": 1,
+ "source_host": "c3d9798e2b31",
+ "message": "Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+ "thread_name": "main",
+ "@timestamp": "2026-01-14T12:44:25.462+0100",
+ "level": "INFO",
+ "logger_name": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+ "exception": {
+ "exception_class": "org.springframework.beans.factory.BeanCreationException",
+ "exception_message": "Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher",
+ "stacktrace": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$2()\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.ja…"
+ },
+ "@version": 1,
+ "source_host": "ff514e221e2f",
+ "message": "Context initialization failed",
+ "thread_name": "main",
+ "@timestamp": "2026-01-14T12:44:55.089+0100",
+ "level": "ERROR",
+ "logger_name": "org.springframework.web.context.ContextLoader"
+}
+{
+ "mdc": {
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+ "dsf.process.activityId": "StartEvent_1",
+ "dsf.process.businessKey": "03976b9d-8390-4891-968e-606092e49a9f",
+ "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+ "dsf.process.definitionKey": "dsfdev_helloWorld",
+ "dsf.process.instanceId": "94b6ce54-f13e-11f0-8382-f2c6c2fdda86",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/92b09db8-ffc5-4d32-982a-0212a69fb6e4"
+ },
+ "@version": 1,
+ "source_host": "45bbbf8076b6",
+ "message": "Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:45:53+01:00 [task: https://fhir/fhir/Task/92b09db8-ffc5-4d32-982a-0212a69fb6e4, requester: webbrowser.test.user@invalid, business-key: 03976b9d-8390-4891-968e-606092e49a9f, message: helloWorld]",
+ "thread_name": "pool-2-thread-1",
+ "@timestamp": "2026-01-14T12:45:53.399+0100",
+ "level": "INFO",
+ "logger_name": "dev.dsf.bpe.v2.listener.StartListener"
+}
+{
+ "mdc": {
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+ "dsf.process.activityId": "helloWorldTask",
+ "dsf.process.activityName": "Hello World",
+ "dsf.process.businessKey": "03976b9d-8390-4891-968e-606092e49a9f",
+ "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+ "dsf.process.definitionKey": "dsfdev_helloWorld",
+ "dsf.process.instanceId": "94b6ce54-f13e-11f0-8382-f2c6c2fdda86",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/92b09db8-ffc5-4d32-982a-0212a69fb6e4"
+ },
+ "@version": 1,
+ "source_host": "45bbbf8076b6",
+ "message": "Hello World from organization with identifier 'webbrowser.test.user@invalid'",
+ "thread_name": "pool-2-thread-1",
+ "@timestamp": "2026-01-14T12:45:53.406+0100",
+ "level": "INFO",
+ "logger_name": "dev.dsf.bpe.service.HelloWorld"
+}
+```
+
+:::
+
+### Data Logger
+The file, *stdout* and *stderr* outputs for the **Data Logger** can be enabled or disabled using the environment variables [`DEV_DSF_LOG_DATA_FILE_ENABLED`](./configuration.md#dev-dsf-log-data-file-enabled), [`DEV_DSF_LOG_DATA_CONSOLE_OUT_ENABLED`](./configuration.md#dev-dsf-log-data-console-out-enabled) and [`DEV_DSF_LOG_DATA_CONSOLE_ERR_ENABLED`](./configuration.md#dev-dsf-log-data-console-err-enabled).
+
+All data messages are logged with the same severity level (DEBUG). Data messages are not included in the Standard Application Logger output. API v2 Process Plugins can use the data logger via the `dev.dsf.bpe.v2.service.DataLogger` interface to produce messages.
+
+#### Output Style
+Multiple styles are supported for the **Data Logger** file, *stdout* and *stderr* outputs. All structured logging JSON styles include additional infos (Mapped Diagnostic Context) about the executing process plugin and process instance. The output style can be configured using the environment variables [`DEV_DSF_LOG_DATA_FILE_STYLE`](./configuration.md#dev-dsf-log-data-file-style), [`DEV_DSF_LOG_DATA_CONSOLE_OUT_STYLE`](./configuration.md#dev-dsf-log-data-console-out-style) and [`DEV_DSF_LOG_DATA_CONSOLE_ERR_STYLE`](./configuration.md#dev-dsf-log-data-console-err-style).
+* **TEXT** a minimal text format.
+* **TEXT_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user.
+* **JSON_ECS** follows the Elastic Common Schema (ECS) reference.
+* **JSON_GCP** uses the Google Cloud Platform structured logging model with additional `_thread`, `_logger` and `_exception` fields.
+* **JSON_GELF** follows the Graylog Extended Log Format (GELF) payload specification with added `_thread` and `_logger` fields.
+* **JSON_LOGSTASH** uses the Logstash json_event pattern for log4j.
+
+::: code-tabs#shell
+
+@tab TEXT
+
+```text :no-line-numbers
+2026-01-14 13:25:20,030 Completed QuestionnaireResponse: {"resourceType":"QuestionnaireResponse","id":"e4dd7038-eef1-4b03-8249-21eb8f9f8309","meta":{"versionId":"2","lastUpdated":"2026-01-14T13:25:19.800+01:00","profile":["http://dsf.dev/fhir/StructureDefinition/questionnaire-response"]},"extension":[{"url":"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization","extension":[{"url":"practitioner-role","valueCoding":{"system":"http://dsf.dev/fhir/CodeSystem/practitioner-role","code":"DIC_USER"}}]}],"questionnaire":"http://dsf.dev/fhir/Questionnaire/hello-user|2.0","status":"completed","authored":"2026-01-14T12:25:19.707Z","author":{"type":"Practitioner","identifier":{"system":"http://dsf.dev/sid/practitioner-identifier","value":"webbrowser.test.user@invalid"}},"item":[{"linkId":"business-key","text":"The business-key of the process execution","answer":[{"valueString":"a8e436f4-d86d-4f24-a794-236d62645ab8"}]},{"linkId":"user-task-id","text":"The user-task-id of the process execution","answer":[{"valueString":"ec4da6fd-f143-11f0-80e8-9ae86e84a87b"}]},{"linkId":"display-example","text":"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet."},{"linkId":"string-example","text":"Add a string to test the string type","answer":[{"valueString":"Placeholder.."}]},{"linkId":"text-example","text":"Add a text to test the text type","answer":[{"valueString":"Placeholder.."}]}]}
+```
+
+@tab TEXT_MDC
+
+```text :no-line-numbers
+2026-01-14 13:26:21,587 {dsf.plugin.api=2, dsf.plugin.jar=process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar, dsf.plugin.name=dsf-process-hello-world, dsf.plugin.version=2.0.0.0, dsf.process=http://dsf.dev/bpe/Process/helloUser|2.0, dsf.process.activityId=logUserTaskRespose, dsf.process.activityName=log user task respose, dsf.process.businessKey=bbc5b6d5-7c64-4181-b0c6-82f656883229, dsf.process.definitionId=dsfdev_helloUser:1:28feb1d6-f13b-11f0-92c1-5ed660dabcfa, dsf.process.definitionKey=dsfdev_helloUser, dsf.process.instanceId=35e4749a-f144-11f0-b0d1-bab98b35e98d, dsf.process.requester.start=webbrowser.test.user@invalid, dsf.process.task.start=https://fhir/fhir/Task/eb91b3c1-b635-4ab7-8ba6-00328584b495} Completed QuestionnaireResponse: {"resourceType":"QuestionnaireResponse","id":"38cae383-828b-4acb-b427-c3c3cff23718","meta":{"versionId":"2","lastUpdated":"2026-01-14T13:26:21.436+01:00","profile":["http://dsf.dev/fhir/StructureDefinition/questionnaire-response"]},"extension":[{"url":"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization","extension":[{"url":"practitioner-role","valueCoding":{"system":"http://dsf.dev/fhir/CodeSystem/practitioner-role","code":"DIC_USER"}}]}],"questionnaire":"http://dsf.dev/fhir/Questionnaire/hello-user|2.0","status":"completed","authored":"2026-01-14T12:26:21.328Z","author":{"type":"Practitioner","identifier":{"system":"http://dsf.dev/sid/practitioner-identifier","value":"webbrowser.test.user@invalid"}},"item":[{"linkId":"business-key","text":"The business-key of the process execution","answer":[{"valueString":"bbc5b6d5-7c64-4181-b0c6-82f656883229"}]},{"linkId":"user-task-id","text":"The user-task-id of the process execution","answer":[{"valueString":"35ec8af3-f144-11f0-b0d1-bab98b35e98d"}]},{"linkId":"display-example","text":"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet."},{"linkId":"string-example","text":"Add a string to test the string type","answer":[{"valueString":"Placeholder.."}]},{"linkId":"text-example","text":"Add a text to test the text type","answer":[{"valueString":"Placeholder.."}]}]}
+```
+
+@tab JSON_ECS
+
+```json :no-line-numbers
+{
+ "@timestamp": "2026-01-14T12:34:21.464Z",
+ "ecs.version": "1.2.0",
+ "log.level": "DEBUG",
+ "message": "Completed QuestionnaireResponse: {\"resourceType\":\"QuestionnaireResponse\",\"id\":\"043a9d98-11b5-4445-accd-efb88441814b\",\"meta\":{\"versionId\":\"2\",\"lastUpdated\":\"2026-01-14T13:34:21.314+01:00\",\"profile\":[\"http://dsf.dev/fhir/StructureDefinition/questionnaire-response\"]},\"extension\":[{\"url\":\"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization\",\"extension\":[{\"url\":\"practitioner-role\",\"valueCoding\":{\"system\":\"http://dsf.dev/fhir/CodeSystem/practitioner-role\",\"code\":\"DIC_USER\"}}]}],\"questionnaire\":\"http://dsf.dev/fhir/Questionnaire/hello-user|2.0\",\"status\":\"completed\",\"authored\":\"2026-01-14T12:34:21.220Z\",\"author\":{\"type\":\"Practitioner\",\"identifier\":{\"system\":\"http://dsf.dev/sid/practitioner-identifier\",\"value\":\"webbrowser.test.user@invalid\"}},\"item\":[{\"linkId\":\"business-key\",\"text\":\"The business-key of the process execution\",\"answer\":[{\"valueString\":\"9f871bb0-ead8-4172-8ebf-b6614b90c33c\"}]},{\"linkId\":\"user-task-id\",\"text\":\"The user-task-id of the process execution\",\"answer\":[{\"valueString\":\"55ea6fce-f145-11f0-a290-be1b81df4ab5\"}]},{\"linkId\":\"display-example\",\"text\":\"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\"},{\"linkId\":\"string-example\",\"text\":\"Add a string to test the string type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]},{\"linkId\":\"text-example\",\"text\":\"Add a text to test the text type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]}]}",
+ "process.thread.name": "pool-3-thread-1",
+ "log.logger": "dsf-data-logger",
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloUser|2.0",
+ "dsf.process.activityId": "logUserTaskRespose",
+ "dsf.process.activityName": "log user task respose",
+ "dsf.process.businessKey": "9f871bb0-ead8-4172-8ebf-b6614b90c33c",
+ "dsf.process.definitionId": "dsfdev_helloUser:1:57f9bd33-f144-11f0-a290-be1b81df4ab5",
+ "dsf.process.definitionKey": "dsfdev_helloUser",
+ "dsf.process.instanceId": "55e602f5-f145-11f0-a290-be1b81df4ab5",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/776fb9fa-67cb-490c-929b-c9a010c3639e"
+}
+```
+
+@tab JSON_GCP
+
+```json :no-line-numbers
+{
+ "timestampSeconds": 1768394122,
+ "timestampNanos": 561090136,
+ "severity": "DEBUG",
+ "message": "Completed QuestionnaireResponse: {\"resourceType\":\"QuestionnaireResponse\",\"id\":\"5bb1f439-93f9-4d73-9574-2d710a64d0fb\",\"meta\":{\"versionId\":\"2\",\"lastUpdated\":\"2026-01-14T13:35:22.381+01:00\",\"profile\":[\"http://dsf.dev/fhir/StructureDefinition/questionnaire-response\"]},\"extension\":[{\"url\":\"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization\",\"extension\":[{\"url\":\"practitioner-role\",\"valueCoding\":{\"system\":\"http://dsf.dev/fhir/CodeSystem/practitioner-role\",\"code\":\"DIC_USER\"}}]}],\"questionnaire\":\"http://dsf.dev/fhir/Questionnaire/hello-user|2.0\",\"status\":\"completed\",\"authored\":\"2026-01-14T12:35:22.286Z\",\"author\":{\"type\":\"Practitioner\",\"identifier\":{\"system\":\"http://dsf.dev/sid/practitioner-identifier\",\"value\":\"webbrowser.test.user@invalid\"}},\"item\":[{\"linkId\":\"business-key\",\"text\":\"The business-key of the process execution\",\"answer\":[{\"valueString\":\"23f23222-810f-40d2-b228-63dc65efedbf\"}]},{\"linkId\":\"user-task-id\",\"text\":\"The user-task-id of the process execution\",\"answer\":[{\"valueString\":\"79ccfcd6-f145-11f0-b859-02f958cc3f48\"}]},{\"linkId\":\"display-example\",\"text\":\"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\"},{\"linkId\":\"string-example\",\"text\":\"Add a string to test the string type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]},{\"linkId\":\"text-example\",\"text\":\"Add a text to test the text type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]}]}",
+ "logging.googleapis.com/labels": {
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloUser|2.0",
+ "dsf.process.activityId": "logUserTaskRespose",
+ "dsf.process.activityName": "log user task respose",
+ "dsf.process.businessKey": "23f23222-810f-40d2-b228-63dc65efedbf",
+ "dsf.process.definitionId": "dsfdev_helloUser:1:57f9bd33-f144-11f0-a290-be1b81df4ab5",
+ "dsf.process.definitionKey": "dsfdev_helloUser",
+ "dsf.process.instanceId": "79c6bb3d-f145-11f0-b859-02f958cc3f48",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/8f86cc34-feec-4c27-bb0f-ca3c42ed8c7c"
+ },
+ "logging.googleapis.com/sourceLocation": {
+ "function": "dev.dsf.bpe.v2.service.DataLoggerImpl.log"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "thread": "pool-3-thread-1",
+ "logger": "dsf-data-logger"
+}
+```
+
+@tab JSON_GELF
+
+```json :no-line-numbers
+{
+ "version": "1.1",
+ "host": "186cf01dc749",
+ "short_message": "Completed QuestionnaireResponse: {\"resourceType\":\"QuestionnaireResponse\",\"id\":\"74c53749-9179-4b64-867e-87ffb1c2571c\",\"meta\":{\"versionId\":\"2\",\"lastUpdated\":\"2026-01-14T13:36:35.220+01:00\",\"profile\":[\"http://dsf.dev/fhir/StructureDefinition/questionnaire-response\"]},\"extension\":[{\"url\":\"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization\",\"extension\":[{\"url\":\"practitioner-role\",\"valueCoding\":{\"system\":\"http://dsf.dev/fhir/CodeSystem/practitioner-role\",\"code\":\"DIC_USER\"}}]}],\"questionnaire\":\"http://dsf.dev/fhir/Questionnaire/hello-user|2.0\",\"status\":\"completed\",\"authored\":\"2026-01-14T12:36:35.136Z\",\"author\":{\"type\":\"Practitioner\",\"identifier\":{\"system\":\"http://dsf.dev/sid/practitioner-identifier\",\"value\":\"webbrowser.test.user@invalid\"}},\"item\":[{\"linkId\":\"business-key\",\"text\":\"The business-key of the process execution\",\"answer\":[{\"valueString\":\"22fbbf3d-a172-46fc-81a2-f65df7a2a13f\"}]},{\"linkId\":\"user-task-id\",\"text\":\"The user-task-id of the process execution\",\"answer\":[{\"valueString\":\"9b16de91-f145-11f0-b9cc-7e27fa327b95\"}]},{\"linkId\":\"display-example\",\"text\":\"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\"},{\"linkId\":\"string-example\",\"text\":\"Add a string to test the string type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]},{\"linkId\":\"text-example\",\"text\":\"Add a text to test the text type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]}]}",
+ "timestamp": 1768394195.3648491,
+ "level": 7,
+ "_logger": "dsf-data-logger",
+ "_thread": "pool-3-thread-1",
+ "_dsf.plugin.api": "2",
+ "_dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "_dsf.plugin.name": "dsf-process-hello-world",
+ "_dsf.plugin.version": "2.0.0.0",
+ "_dsf.process": "http://dsf.dev/bpe/Process/helloUser|2.0",
+ "_dsf.process.activityId": "logUserTaskRespose",
+ "_dsf.process.activityName": "log user task respose",
+ "_dsf.process.businessKey": "22fbbf3d-a172-46fc-81a2-f65df7a2a13f",
+ "_dsf.process.definitionId": "dsfdev_helloUser:1:57f9bd33-f144-11f0-a290-be1b81df4ab5",
+ "_dsf.process.definitionKey": "dsfdev_helloUser",
+ "_dsf.process.instanceId": "9b0ea128-f145-11f0-b9cc-7e27fa327b95",
+ "_dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "_dsf.process.task.start": "https://fhir/fhir/Task/4664a61d-2be7-4bd8-a8a6-184b7bc611f7"
+}
+```
+
+@tab:active JSON_LOGSTASH
+
+```json :no-line-numbers
+{
+ "mdc": {
+ "dsf.plugin.api": "2",
+ "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+ "dsf.plugin.name": "dsf-process-hello-world",
+ "dsf.plugin.version": "2.0.0.0",
+ "dsf.process": "http://dsf.dev/bpe/Process/helloUser|2.0",
+ "dsf.process.activityId": "logUserTaskRespose",
+ "dsf.process.activityName": "log user task respose",
+ "dsf.process.businessKey": "bd9f6814-6cb3-4ddf-8389-05b9ae9658c4",
+ "dsf.process.definitionId": "dsfdev_helloUser:1:57f9bd33-f144-11f0-a290-be1b81df4ab5",
+ "dsf.process.definitionKey": "dsfdev_helloUser",
+ "dsf.process.instanceId": "ceb018e9-f145-11f0-9e55-9efb3a5fd65d",
+ "dsf.process.requester.start": "webbrowser.test.user@invalid",
+ "dsf.process.task.start": "https://fhir/fhir/Task/d5bd4243-a87b-4445-8a34-36ddec7ac648"
+ },
+ "@version": 1,
+ "source_host": "59d5d46e125a",
+ "message": "Completed QuestionnaireResponse: {\"resourceType\":\"QuestionnaireResponse\",\"id\":\"2dfbf9d0-1c2f-44f0-9f94-4099280a6bde\",\"meta\":{\"versionId\":\"2\",\"lastUpdated\":\"2026-01-14T13:37:48.172+01:00\",\"profile\":[\"http://dsf.dev/fhir/StructureDefinition/questionnaire-response\"]},\"extension\":[{\"url\":\"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization\",\"extension\":[{\"url\":\"practitioner-role\",\"valueCoding\":{\"system\":\"http://dsf.dev/fhir/CodeSystem/practitioner-role\",\"code\":\"DIC_USER\"}}]}],\"questionnaire\":\"http://dsf.dev/fhir/Questionnaire/hello-user|2.0\",\"status\":\"completed\",\"authored\":\"2026-01-14T12:37:48.078Z\",\"author\":{\"type\":\"Practitioner\",\"identifier\":{\"system\":\"http://dsf.dev/sid/practitioner-identifier\",\"value\":\"webbrowser.test.user@invalid\"}},\"item\":[{\"linkId\":\"business-key\",\"text\":\"The business-key of the process execution\",\"answer\":[{\"valueString\":\"bd9f6814-6cb3-4ddf-8389-05b9ae9658c4\"}]},{\"linkId\":\"user-task-id\",\"text\":\"The user-task-id of the process execution\",\"answer\":[{\"valueString\":\"ceb76bf2-f145-11f0-9e55-9efb3a5fd65d\"}]},{\"linkId\":\"display-example\",\"text\":\"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\"},{\"linkId\":\"string-example\",\"text\":\"Add a string to test the string type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]},{\"linkId\":\"text-example\",\"text\":\"Add a text to test the text type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]}]}",
+ "thread_name": "pool-3-thread-1",
+ "@timestamp": "2026-01-14T13:37:48.325+0100",
+ "level": "DEBUG",
+ "logger_name": "dsf-data-logger"
+}
+```
+
+:::
+
+### Custom Logging Config
+A fully custom log4j2 xml logging config can be set via the environment variable [`DEV_DSF_LOG_CONFIG`](./configuration.md#dev-dsf-log-config).
+
+---
+
+## FHIR Reverse Proxy
+Source: https://dsf.dev/operations/latest/fhir-reverse-proxy/
+
+## Purpose
+
+The **DSF FHIR Reverse Proxy** is the externally reachable Apache HTTP Server based front for the [FHIR Server](../fhir/). It terminates TLS, performs client certificate authentication for inbound DSF-to-DSF traffic, optionally accepts OIDC bearer tokens for human users, and forwards authenticated requests to the FHIR Server backend. It is the only component of a DSF instance that should be exposed to the public internet.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/fhir_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/fhir_proxy)
+- Tag for this release: `2.1.0`
+
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+ ghcr.io/datasharingframework/fhir_proxy:2.1.0@sha256:9f11a3580c970314532f5951808be6fe72f1de7d53348e625d2dd0c95bcf1d96 \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [How to Verify Image Signatures](../image-verification)
+
+---
+
+## FHIR Server
+Source: https://dsf.dev/operations/latest/fhir/
+
+## Purpose
+
+The **DSF FHIR Server** exposes the HL7® FHIR® R4 REST API that other DSF instances communicate with. It stores and serves the resources required to coordinate distributed business processes — such as `Task`, `ActivityDefinition`, `Organization`, `Endpoint`, and project-specific data resources — and enforces access control on every interaction. Together with the [FHIR Reverse Proxy](../fhir-reverse-proxy/) it forms the externally reachable component of a DSF instance.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/fhir`](https://github.com/datasharingframework/dsf/pkgs/container/fhir)
+- Tag for this release: `2.1.0`
+
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+ ghcr.io/datasharingframework/fhir:2.1.0@sha256:71599af143f0262a7265aa2bc4ea5a9660f11de6248a053e060b5667070203fd \
+ --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [Access Control](access-control)
+- [OpenID Connect](oidc)
+- [Logging](logging)
+- [How to Verify Image Signatures](../image-verification)
+
+---
+
+## FHIR Logging
+Source: https://dsf.dev/operations/latest/fhir/logging.html
+
+The DSF FHIR Server provides a **Standard Application Logger** and a dedicated **Audit Logger** for compliance-relevant access events. Both mechanisms can output there messages to standard output (stdout), standard error (stderr) and dedicated log files.
+
+By default the **Standard Application Logger** is configured to output with min. level `INFO` and format `TEXT_COLOR` to *stdout* as well as min. level `DEBUG` and format `TEXT_MDC` to a dedicated log file. In addition the **Audit Logger** is enabled by default to log with format `TEXT_MDC` to a dedicated log file.
+
+### Standard Application Logger
+The file, *stdout* and *stderr* outputs for the **Standard Application Logger** can be enabled or disabled using the environment variables [`DEV_DSF_LOG_FILE_ENABLED`](./configuration.md#dev-dsf-log-file-enabled), [`DEV_DSF_LOG_CONSOLE_OUT_ENABLED`](./configuration.md#dev-dsf-log-console-out-enabled) and [`DEV_DSF_LOG_CONSOLE_ERR_ENABLED`](./configuration.md#dev-dsf-log-console-err-enabled).
+
+#### Output Level
+Log messages are grouped by severity (low to high): `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`. A minimal log level can be configured for the file, *stdout* and *stderr* outputs using the environment variables [`DEV_DSF_LOG_FILE_LEVEL`](./configuration.md#dev-dsf-log-file-level), [`DEV_DSF_LOG_CONSOLE_OUT_LEVEL`](./configuration.md#dev-dsf-log-console-out-level) and [`DEV_DSF_LOG_CONSOLE_ERR_LEVEL`](./configuration.md#dev-dsf-log-console-err-level).
+
+#### Output Style
+Multiple styles are supported for the **Standard Application Logger** file, *stdout* and *stderr* outputs. All structured logging JSON styles include additional infos (Mapped Diagnostic Context) about the requesting user. The output style can be configured using the environment variables [`DEV_DSF_LOG_FILE_STYLE`](./configuration.md#dev-dsf-log-file-style), [`DEV_DSF_LOG_CONSOLE_OUT_STYLE`](./configuration.md#dev-dsf-log-console-out-style) and [`DEV_DSF_LOG_CONSOLE_ERR_STYLE`](./configuration.md#dev-dsf-log-console-err-style). The **TEXT_COLOR** and **TEXT_COLOR_MDC** styles are not supported for the file output.
+* **TEXT** a minimal text format.
+* **TEXT_COLOR** a minimal text format with ANSI escape sequences to colorize WARN and ERROR messages. Not supported for the file output.
+* **TEXT_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user.
+* **TEXT_COLOR_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user and ANSI escape sequences to colorize WARN and ERROR events. Not supported for the file output.
+* **JSON_ECS** follows the Elastic Common Schema (ECS) reference.
+* **JSON_GCP** uses the Google Cloud Platform structured logging model with additional `_thread`, `_logger` and `_exception` fields.
+* **JSON_GELF** follows the Graylog Extended Log Format (GELF) payload specification with added `_thread` and `_logger` fields.
+* **JSON_LOGSTASH** uses the Logstash json_event pattern for log4j.
+
+::: code-tabs#shell
+
+@tab TEXT
+
+```text :no-line-numbers
+2026-01-13 15:57:57,567 [main] INFO dev.dsf.common.buildinfo.BuildInfoReaderImpl - Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685
+2026-01-13 16:03:28,524 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
+org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
+ at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
+ at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
+ at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
+ at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
+ at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
+ at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
+ at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
+ at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+ at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
+ at org.eclipse.jetty.server.Server.start(Server.java:689)
+ at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
+ at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
+ at org.eclipse.jetty.server.Server.doStart(Server.java:630)
+ at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+ at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
+ at dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 36 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()
+ at dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)
+ at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2()
+ at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 39 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 60 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()
+ at dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)
+ at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1()
+ at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 63 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 84 more
+Caused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)
+ at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()
+ at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 87 more
+Caused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)
+ at dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)
+ at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)
+ ... 95 more
+Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)
+ ... 98 more
+Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
+ at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
+ at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
+ at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
+ at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+ at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+ at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
+ ... 100 more
+Caused by: javax.crypto.BadPaddingException: pad block corrupted
+ at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
+ at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
+ at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2139)
+ ... 106 more
+2026-01-13 16:09:55,478 [jetty-server-95] INFO dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule - Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/3 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}
+```
+
+@tab TEXT_MDC
+
+```text :no-line-numbers
+2026-01-13 16:11:47,115 [main] INFO dev.dsf.common.buildinfo.BuildInfoReaderImpl - Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685
+2026-01-13 16:12:36,611 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
+org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
+ at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
+ at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
+ at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
+ at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
+ at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
+ at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
+ at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
+ at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
+ at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
+ at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
+ at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+ at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
+ at org.eclipse.jetty.server.Server.start(Server.java:689)
+ at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
+ at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
+ at org.eclipse.jetty.server.Server.doStart(Server.java:630)
+ at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+ at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
+ at dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 36 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()
+ at dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)
+ at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2()
+ at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 39 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 60 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+ at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+ at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+ at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+ at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()
+ at dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)
+ at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1()
+ at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 63 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+ at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+ ... 84 more
+Caused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)
+ at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()
+ at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke()
+ at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+ at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+ at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()
+ at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+ at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+ at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+ ... 87 more
+Caused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)
+ at dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)
+ at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)
+ ... 95 more
+Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+ at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
+ at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)
+ ... 98 more
+Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
+ at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
+ at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
+ at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
+ at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+ at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+ at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
+ ... 100 more
+Caused by: javax.crypto.BadPaddingException: pad block corrupted
+ at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
+ at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
+ at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2139)
+ ... 106 more
+2026-01-13 16:13:25,589 [jetty-server-94] INFO dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule - {dsf.user.endpoint.identifier=fhir, dsf.user.name=Test_Organization/webbrowser.test.user@invalid, dsf.user.organization.identifier=Test_Organization, dsf.user.practitioner.dn=CN=Webbrowser Test User,O=DSF,C=DE, dsf.user.practitioner.identifier=webbrowser.test.user@invalid, dsf.user.practitioner.roles=[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN], dsf.user.practitioner.thumbprint=a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7, dsf.user.roles=[HISTORY, READ, CREATE, UPDATE, SEARCH]} - Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/5 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}
+```
+
+@tab JSON_ECS
+
+```json :no-line-numbers
+{
+ "@timestamp": "2026-01-12T12:54:35.653Z",
+ "ecs.version": "1.2.0",
+ "log.level": "INFO",
+ "message": "Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+ "process.thread.name": "main",
+ "log.logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+ "@timestamp": "2026-01-12T12:54:36.931Z",
+ "ecs.version": "1.2.0",
+ "log.level": "ERROR",
+ "message": "Context initialization failed",
+ "process.thread.name": "main",
+ "log.logger": "org.springframework.web.context.ContextLoader",
+ "error.type": "org.springframework.beans.factory.BeanCreationException",
+ "error.message": "Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher",
+ "error.stack_trace": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)\n\tat org.bounc…"
+}
+{
+ "@timestamp": "2026-01-12T13:27:49.008Z",
+ "ecs.version": "1.2.0",
+ "log.level": "INFO",
+ "message": "Read of Organization/90500752-381a-46fa-858f-14d6d5b11627/_history/4 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}",
+ "process.thread.name": "jetty-server-83",
+ "log.logger": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule",
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, READ, CREATE, HISTORY, SEARCH]"
+}
+```
+
+@tab JSON_GCP
+
+```json :no-line-numbers
+{
+ "timestampSeconds": 1768222644,
+ "timestampNanos": 461746234,
+ "severity": "INFO",
+ "message": "Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+ "logging.googleapis.com/sourceLocation": {
+ "function": "dev.dsf.common.buildinfo.BuildInfoReaderImpl.logBuildInfo"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "thread": "main",
+ "logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+ "timestampSeconds": 1768222645,
+ "timestampNanos": 738845490,
+ "severity": "ERROR",
+ "message": "Context initialization failed\norg.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll…",
+ "logging.googleapis.com/sourceLocation": {
+ "function": "org.springframework.web.context.ContextLoader.initWebApplicationContext"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "exception": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)\n\tat org.bounc…",
+ "thread": "main",
+ "logger": "org.springframework.web.context.ContextLoader"
+}
+{
+ "timestampSeconds": 1768225245,
+ "timestampNanos": 847212542,
+ "severity": "INFO",
+ "message": "Read of Organization/90500752-381a-46fa-858f-14d6d5b11627/_history/5 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}",
+ "logging.googleapis.com/labels": {
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, READ, HISTORY, CREATE, SEARCH]"
+ },
+ "logging.googleapis.com/sourceLocation": {
+ "function": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule.reasonReadAllowed"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "thread": "jetty-server-63",
+ "logger": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule"
+}
+```
+
+@tab JSON_GELF
+
+```json :no-line-numbers
+{
+ "version": "1.1",
+ "host": "46e6824590a7",
+ "short_message": "Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+ "timestamp": 1768224184.7015762,
+ "level": 6,
+ "_logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl",
+ "_thread": "main"
+}
+{
+ "version": "1.1",
+ "host": "46e6824590a7",
+ "short_message": "Context initialization failed",
+ "full_message": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$0()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)\n\tat org.bounc…",
+ "timestamp": 1768224186.0572188,
+ "level": 3,
+ "_logger": "org.springframework.web.context.ContextLoader",
+ "_thread": "main"
+}
+{
+ "version": "1.1",
+ "host": "f169cdb63fde",
+ "short_message": "Read of Organization/90500752-381a-46fa-858f-14d6d5b11627/_history/6 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}",
+ "timestamp": 1768225406.81688,
+ "level": 6,
+ "_logger": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule",
+ "_thread": "jetty-server-89",
+ "_dsf.user.endpoint.identifier": "fhir",
+ "_dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "_dsf.user.organization.identifier": "Test_Organization",
+ "_dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "_dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "_dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "_dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "_dsf.user.roles": "[CREATE, SEARCH, READ, UPDATE, HISTORY]"
+}
+```
+
+@tab:active JSON_LOGSTASH
+
+```json :no-line-numbers
+{
+ "@version": 1,
+ "source_host": "da524e19dd3e",
+ "message": "Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+ "thread_name": "main",
+ "@timestamp": "2026-01-12T14:24:17.152+0100",
+ "level": "INFO",
+ "logger_name": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+ "exception": {
+ "exception_class": "org.springframework.beans.factory.BeanCreationException",
+ "exception_message": "Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher",
+ "stacktrace": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2()\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1()\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1()\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke()\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider()\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)\n\tat org.bounc…"
+ },
+ "@version": 1,
+ "source_host": "da524e19dd3e",
+ "message": "Context initialization failed",
+ "thread_name": "main",
+ "@timestamp": "2026-01-12T14:24:18.486+0100",
+ "level": "ERROR",
+ "logger_name": "org.springframework.web.context.ContextLoader"
+}
+{
+ "mdc": {
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, READ, CREATE, HISTORY, SEARCH]"
+ },
+ "@version": 1,
+ "source_host": "4bc83d5bca72",
+ "message": "Read of Organization/90500752-381a-46fa-858f-14d6d5b11627/_history/7 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}",
+ "thread_name": "jetty-server-89",
+ "@timestamp": "2026-01-12T14:44:52.948+0100",
+ "level": "INFO",
+ "logger_name": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule"
+}
+```
+
+:::
+
+### Audit Logger
+The file, *stdout* and *stderr* outputs for the **Audit Logger** can be enabled or disabled using the environment variables [`DEV_DSF_LOG_AUDIT_FILE_ENABLED`](./configuration.md#dev-dsf-log-audit-file-enabled), [`DEV_DSF_LOG_AUDIT_CONSOLE_OUT_ENABLED`](./configuration.md#dev-dsf-log-audit-console-out-enabled) and [`DEV_DSF_LOG_AUDIT_CONSOLE_ERR_ENABLED`](./configuration.md#dev-dsf-log-audit-console-err-enabled).
+
+All audit messages are logged with the same severity level (INFO). Audit messages are not included in the Standard Application Logger output.
+
+#### Output Style
+Multiple styles are supported for the **Audit Logger** file, *stdout* and *stderr* outputs. All structured logging JSON styles include additional infos (Mapped Diagnostic Context) about the requesting user. The output style can be configured using the environment variables [`DEV_DSF_LOG_AUDIT_FILE_STYLE`](./configuration.md#dev-dsf-log-audit-file-style), [`DEV_DSF_LOG_AUDIT_CONSOLE_OUT_STYLE`](./configuration.md#dev-dsf-log-audit-console-out-style) and [`DEV_DSF_LOG_AUDIT_CONSOLE_ERR_STYLE`](./configuration.md#dev-dsf-log-audit-console-err-style).
+* **TEXT** a minimal text format.
+* **TEXT_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user.
+* **JSON_ECS** follows the Elastic Common Schema (ECS) reference.
+* **JSON_GCP** uses the Google Cloud Platform structured logging model with additional `_thread`, `_logger` and `_exception` fields.
+* **JSON_GELF** follows the Graylog Extended Log Format (GELF) payload specification with added `_thread` and `_logger` fields.
+* **JSON_LOGSTASH** uses the Logstash json_event pattern for log4j.
+
+::: code-tabs#shell
+
+@tab TEXT
+
+```text :no-line-numbers
+2026-01-14 13:05:15,281 Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/6 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}
+2026-01-14 13:05:15,281 Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/6 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK
+```
+
+@tab TEXT_MDC
+
+```text :no-line-numbers
+2026-01-14 13:06:58,279 {dsf.user.endpoint.identifier=fhir, dsf.user.name=Test_Organization/webbrowser.test.user@invalid, dsf.user.organization.identifier=Test_Organization, dsf.user.practitioner.dn=CN=Webbrowser Test User,O=DSF,C=DE, dsf.user.practitioner.identifier=webbrowser.test.user@invalid, dsf.user.practitioner.roles=[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN], dsf.user.practitioner.thumbprint=a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7, dsf.user.roles=[HISTORY, READ, CREATE, UPDATE, SEARCH]} Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/7 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}
+2026-01-14 13:06:58,281 {dsf.user.endpoint.identifier=fhir, dsf.user.name=Test_Organization/webbrowser.test.user@invalid, dsf.user.organization.identifier=Test_Organization, dsf.user.practitioner.dn=CN=Webbrowser Test User,O=DSF,C=DE, dsf.user.practitioner.identifier=webbrowser.test.user@invalid, dsf.user.practitioner.roles=[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN], dsf.user.practitioner.thumbprint=a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7, dsf.user.roles=[HISTORY, READ, CREATE, UPDATE, SEARCH]} Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/7 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK
+```
+
+@tab JSON_ECS
+
+```json :no-line-numbers
+{
+ "@timestamp": "2026-01-14T12:10:18.467Z",
+ "ecs.version": "1.2.0",
+ "log.level": "INFO",
+ "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/8 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}",
+ "process.thread.name": "jetty-server-84",
+ "log.logger": "dsf-audit-logger",
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, READ, CREATE, HISTORY, SEARCH]"
+}
+{
+ "@timestamp": "2026-01-14T12:10:18.470Z",
+ "ecs.version": "1.2.0",
+ "log.level": "INFO",
+ "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/8 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK",
+ "process.thread.name": "jetty-server-84",
+ "log.logger": "dsf-audit-logger",
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, READ, CREATE, HISTORY, SEARCH]"
+}
+```
+
+@tab JSON_GCP
+
+```json :no-line-numbers
+{
+ "timestampSeconds": 1768392701,
+ "timestampNanos": 247233466,
+ "severity": "INFO",
+ "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/9 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}",
+ "logging.googleapis.com/labels": {
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, CREATE, SEARCH, READ, HISTORY]"
+ },
+ "logging.googleapis.com/sourceLocation": {
+ "function": "dev.dsf.fhir.webservice.secure.AbstractResourceServiceSecure.checkRead"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "thread": "jetty-server-76",
+ "logger": "dsf-audit-logger"
+}
+{
+ "timestampSeconds": 1768392701,
+ "timestampNanos": 249559501,
+ "severity": "INFO",
+ "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/9 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK",
+ "logging.googleapis.com/labels": {
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, CREATE, SEARCH, READ, HISTORY]"
+ },
+ "logging.googleapis.com/sourceLocation": {
+ "function": "dev.dsf.fhir.webservice.secure.AbstractResourceServiceSecure.lambda$checkRead$1"
+ },
+ "logging.googleapis.com/trace_sampled": true,
+ "thread": "jetty-server-76",
+ "logger": "dsf-audit-logger"
+}
+```
+
+@tab JSON_GELF
+
+```json :no-line-numbers
+{
+ "version": "1.1",
+ "host": "5061409e4b61",
+ "short_message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/10 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}",
+ "timestamp": 1768393090.890408,
+ "level": 6,
+ "_logger": "dsf-audit-logger",
+ "_thread": "jetty-server-63",
+ "_dsf.user.endpoint.identifier": "fhir",
+ "_dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "_dsf.user.organization.identifier": "Test_Organization",
+ "_dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "_dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "_dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "_dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "_dsf.user.roles": "[CREATE, SEARCH, HISTORY, READ, UPDATE]"
+}
+{
+ "version": "1.1",
+ "host": "5061409e4b61",
+ "short_message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/10 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK",
+ "timestamp": 1768393090.8934536,
+ "level": 6,
+ "_logger": "dsf-audit-logger",
+ "_thread": "jetty-server-63",
+ "_dsf.user.endpoint.identifier": "fhir",
+ "_dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "_dsf.user.organization.identifier": "Test_Organization",
+ "_dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "_dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "_dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "_dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "_dsf.user.roles": "[CREATE, SEARCH, HISTORY, READ, UPDATE]"
+}
+```
+
+@tab:active JSON_LOGSTASH
+
+```json :no-line-numbers
+{
+ "mdc": {
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, READ, HISTORY, CREATE, SEARCH]"
+ },
+ "@version": 1,
+ "source_host": "df1d729560c0",
+ "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/11 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}",
+ "thread_name": "jetty-server-89",
+ "@timestamp": "2026-01-14T13:19:02.403+0100",
+ "level": "INFO",
+ "logger_name": "dsf-audit-logger"
+}
+{
+ "mdc": {
+ "dsf.user.endpoint.identifier": "fhir",
+ "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+ "dsf.user.organization.identifier": "Test_Organization",
+ "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+ "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+ "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+ "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+ "dsf.user.roles": "[UPDATE, READ, HISTORY, CREATE, SEARCH]"
+ },
+ "@version": 1,
+ "source_host": "df1d729560c0",
+ "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/11 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK",
+ "thread_name": "jetty-server-89",
+ "@timestamp": "2026-01-14T13:19:02.406+0100",
+ "level": "INFO",
+ "logger_name": "dsf-audit-logger"
+}
+```
+
+:::
+
+### Custom Logging Config
+A fully custom log4j2 xml logging config can be set via the environment variable [`DEV_DSF_LOG_CONFIG`](./configuration.md#dev-dsf-log-config).
+
+---
+
+## Install Plugins
+Source: https://dsf.dev/operations/latest/install-plugins.html
+
+## **Overview**
+- You can find an overview of compatable process plugins below (last updated 2026-01-19).
+
+
+| Process Plugin | released for test | released for production |
+| -------------- | ----------------- | ----------------------- |
+| [Ping-Pong](https://github.com/datasharingframework/dsf-process-ping-pong/releases) | [v1.0.1.0](https://github.com/datasharingframework/dsf-process-ping-pong/releases/tag/v1.0.1.0) & [v2.0.0.2](https://github.com/datasharingframework/dsf-process-ping-pong/releases/tag/v2.0.0.2) | [v1.0.1.0](https://github.com/datasharingframework/dsf-process-ping-pong/releases/tag/v1.0.1.0) & [v2.0.0.2](https://github.com/datasharingframework/dsf-process-ping-pong/releases/tag/v2.0.0.2) |
+| [Allow-List](https://github.com/datasharingframework/dsf-process-allow-list/releases) | [v1.0.0.1](https://github.com/datasharingframework/dsf-process-allow-list/releases/tag/v1.0.0.1) | [v1.0.0.1](https://github.com/datasharingframework/dsf-process-allow-list/releases/tag/v1.0.0.1) |
+| [MII Process Feasibility](https://github.com/medizininformatik-initiative/mii-process-feasibility/releases) | [v1.0.0.11](https://github.com/medizininformatik-initiative/mii-process-feasibility/releases/tag/v1.0.0.11) | [v1.0.0.11](https://github.com/medizininformatik-initiative/mii-process-feasibility/releases/tag/v1.0.0.11) |
+| [MII Process Report](https://github.com/medizininformatik-initiative/mii-process-report/releases) | [v1.2.0.1](https://github.com/medizininformatik-initiative/mii-process-report/releases/tag/v1.2.0.1) | [v1.2.0.1](https://github.com/medizininformatik-initiative/mii-process-report/releases/tag/v1.2.0.1) |
+| [MII Process Data Transfer](https://github.com/medizininformatik-initiative/mii-process-data-transfer/releases) | [v1.1.0.1](https://github.com/medizininformatik-initiative/mii-process-data-transfer/releases/tag/v1.1.0.1) | [v1.1.0.1](https://github.com/medizininformatik-initiative/mii-process-data-transfer/releases/tag/v1.1.0.1) |
+| [MII Process Data Sharing](https://github.com/medizininformatik-initiative/mii-process-data-sharing/releases) | [v1.1.0.0](https://github.com/medizininformatik-initiative/mii-process-data-sharing/releases/tag/v1.1.0.0) | [v1.1.0.0](https://github.com/medizininformatik-initiative/mii-process-data-sharing/releases/tag/v1.1.0.0) |
+| [NUM Dashboard Report](https://github.com/medizininformatik-initiative/dsf-plugin-numdashboard/releases) [Note](#num-dashboard-report-on-dsf-2) | [v1.1.0.0](https://github.com/medizininformatik-initiative/dsf-plugin-numdashboard/releases/tag/v1.1.0.0) | [v1.1.0.0](https://github.com/medizininformatik-initiative/dsf-plugin-numdashboard/releases/tag/v1.1.0.0) |
+
+- Deploying the process plugin to the DSF involves copy the process jar-file and configuring environment variable for the business process engine (BPE).
+
+
+### Prerequisites
+- A DSF installation of version 2.0.0 or higher. An installation guide can be found [here](https://dsf.dev/operations/latest/install.html).
+
+### Deployment
+- Add the process jar-file to the DSF BPE folder `/opt/bpe/process`:
+```
+wget (your jar-file download link)
+```
+
+For example:
+```
+ wget https://github.com/medizininformatik-initiative/mii-process-data-sharing/releases/download/v1.1.0.0/mii-process-data-sharing-1.1.0.0.jar
+```
+
+- Make sure the process is readable by the bpe user or group, for example by executing:
+```
+sudo chmod 440 (your jar-file name.jar)
+sudo chown root:bpe (your jar-file name.jar)
+```
+For example:
+```
+sudo chmod 440 mii-process-data-sharing-1.1.0.0.jar
+sudo chown root:bpe mii-process-data-sharing-1.1.0.0.jar
+```
+
+- Modify the process exclude config in `/opt/bpe/docker-compose.yml`
+- **Reminder:** Update/verify required configurations in `docker-compose.yml`
+
+
+### NUM Dashboard Report on DSF 2
+The NUM Dashboard Report Plugin is now fully compabile with DSF 2.0.2 and above. If you implemented the workaround for DSF 2.0.1 and below, you can remove it:
+
+
+1. Remove the file with the name `api-v1-allowed-bpe-classes.list`
+
+
+2. Edit the `docker-compose.yml` file and remove the following volume and environment variable:
+
+```yaml
+...
+ app:
+ image: ghcr.io/datasharingframework/bpe:2.0.2
+...
+ volumes:
+...
+ - type: bind
+ source: api-v1-allowed-bpe-classes.list
+ target: /api-v1-allowed-bpe-classes.list
+...
+ environment:
+ DEV_DSF_BPE_PROCESS_API_ALLOWED_BPE_CLASSES: "{v1: '/api-v1-allowed-bpe-classes.list'}"
+...
+```
+
+3. Restart the application container with `docker compose up -d && docker compose logs -f`.
+
+---
+
+## Sequence Flow
+Source: https://dsf.dev/process-development/api-v2/bpmn/sequence-flow.html
+
+## Sequence Flow
+BPMN 2.0 calls the continuous arrows connecting the BPMN elements in BPMN models, Sequence Flow. Sequence Flow exits one BPMN element and points at the next BPMN element to be processed.
+
+---
+
+## Activities
+Source: https://dsf.dev/process-development/api-v2/dsf/activities.html
+
+### Activities
+
+Activities are Java interfaces in the DSF API v2 that represent certain BPMN elements which can/need to specify a Java class as their `Implementation` value. Implementing Activity interfaces and [registering them as Spring beans](spring-framework-integration.md) causes the DSF to execute the code provided by the implementation when the process execution reaches the corresponding flow element. The value for the `Implementation` field of BPMN elements expects the fully qualified class name:
+```
+org.package.myClass
+```
+
+### List of Activities
+- ExecutionListener
+- MessageEndEvent
+- MessageIntermediateThrowEvent
+- MessageSendTask
+- ServiceTask
+- UserTaskListener
+
+### ExecutionListener
+`ExecutionListener` is the interface to be implemented for a class set as the Java implementation for [Execution Listeners](../bpmn/execution-listeners.md) attached to certain flow elements.
+
+### MessageEndEvent
+`MessageEndEvent` is the interface to be implemented for a class set as the Java implementation for Message End Events. It inherits from the `MessageActivity` interface which specifies additional methods specific to [messaging](messaging.md).
+
+### MessageIntermediateThrowEvent
+`MessageIntermediateThrowEvent` is the interface to be implemented for a class set as the Java implementation for Message Intermediate Throw Events. It inherits from the `MessageActivity` interface which specifies additional methods specific to [messaging](messaging.md).
+
+### MessageSendTask
+`MessageSendTask` is the interface to be implemented for a class set as the Java implementation for Message Send Tasks. It inherits from the `MessageActivity` interface which specifies additional methods specific to [messaging](messaging.md).
+
+### ServiceTask
+`ServiceTask` is the interface to be implemented for a class set as the Java implementation for Service Tasks.
+
+### UserTaskListener
+`ServiceTask` is the interface to be implemented for a class set as the Java implementation for Service Tasks's Task Listener. Task Listeners have properties that separate them from [Execution Listeners](../bpmn/execution-listeners.md). More on Task Listeners in the guide on [User Tasks in the DSF](../guides/user-tasks-in-the-dsf.md)
+
+---
+
+## Draft Task Resources
+Source: https://dsf.dev/process-development/api-v2/dsf/draft-task-resources.html
+
+## Draft Task Resources
+
+[Task](../fhir/task.md) resources with status `draft` are used to create the DSF FHIR server's functionality of starting processes via its web interface. They are stored in the `.../src/main/resources/fhir/Task` subdirectory of a project. Compared to regular [Task](../fhir/task.md) resources used to start BPMN processes, this type of [Task](../fhir/task.md) resource requires the status `draft` instead the usual `requested`. It also replaces the value for `authoredOn` with the placeholder `#{date}`, the values of organization identifiers with the placeholder `#{organization}` and all instances of version numbers with `#{version}`. Additionally, it requires setting the `Task.identifier` element. It should look something like this:
+
+```xml
+
+
+
+
+```
+`processKey` should be the same one used in [URLs](versions-placeholders-urls.md#urls).
+`task-name` may be any String to identify this task with. E.g. the file name of the Draft Task.
+
+Complete examples can be found in existing process plugins like [Ping Pong](https://github.com/datasharingframework/dsf-process-ping-pong/blob/main/src/main/resources/fhir/Task/dsf-task-stop-ping-autostart.xml).
+
+## Related Topics
+[Creating Task Resources Based On a Definition](../guides/creating-task-resources-based-on-a-definition.md)
+
+---
+
+## Environment Variables
+Source: https://dsf.dev/process-development/api-v2/dsf/environment-variables.html
+
+## Environment Variables
+
+Environment variables offer a way to make configuration data available at the start of a process. They are the same for all process instances. They can be defined by adding a member variable with the [Spring-Framework @Value](https://docs.spring.io/spring-framework/docs/current/reference/html/core.html#beans-value-annotations) annotation to a configuration class (a class annotated with the [Spring-Framework @Configuration](https://docs.spring.io/spring-framework/reference/core/beans/java/configuration-annotation.html) annotation). The value of the annotation uses the `${..}` notation and follows the form `${some.property:defaultValue}`, where each dot in the property name corresponds to an underscore in the equivalent environment variable. Environment variables are always written upper-case. The property `some.property` therefore corresponds to the environment variable `SOME_PROPERTY`.
+
+```java
+@Configuration
+public class MyConfiguration
+{
+ @Value("${example.org.my.value}")
+ private String myValue;
+}
+```
+
+The DSF provides a feature to automatically generate documentation of environment variables during the Maven build process. The `@ProcessDocumentation` annotation causes the build process to automatically generate Markdown documentation for all fields with this annotation.
+```java
+@Configuration
+public class MyConfiguration
+{
+ @ProcessDocumentation(processNames = "myorg_MyProcess", description = "My process description", required = true, recommendation = "Foo")
+ @Value("${example.org.my.value}")
+ private String myValue;
+}
+```
+ This requires the DSF Maven Plugin to be configured in the `pom.xml` file of the project. A configuration to generate documentation for a package `example.org.spring.config` containing all Spring configuration classes looks like this:
+```xml
+
+ dev.dsf
+ dsf-maven-plugin
+ 2.0.2
+
+
+
+ generate-config-doc
+
+
+
+
+ dev.dsf.bpe.config
+
+
+```
+
+Maven build plugins will be executed during the build phase and should be configured in the `` element from the `pom.xml`.
+
+## Related Topics
+[Spring Framework Integration](spring-framework-integration.md)
+
+---
+
+## Message Activities
+Source: https://dsf.dev/process-development/api-v2/dsf/message-activities.html
+
+### Message Activities
+
+Compared to other [Activities](activities.md), Message Activities additionally extend the [Message Activity](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/activity/MessageActivity.java) interface. It provides additional methods which are specific to messaging:
+
+- `getTaskSender`: Overriding this method allows fine control over how the message should be sent as a [Task](../fhir/task.md) resource by returning a custom [`TaskSender`](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/activity/task/TaskSender.java) implementation
+- `getBusinessKeyStrategy`: Overriding this method allows setting a different [`BusinessKeyStrategy`](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/activity/task/BusinessKeyStrategies.java)
+- `getAdditionalInputParameters`: If the message should contain additional information beyond what the DSF automatically sets, like the `business-key`, this method needs to be overridden to return that information in the form of [Task Input Parameters](../fhir/task.md#task-input-parameters)
+
+## Related Topics
+[Messaging](messaging.md)
+
+---
+
+## Messaging
+Source: https://dsf.dev/process-development/api-v2/dsf/messaging.html
+
+### Messaging
+
+BPMN does not provide an implementation for its [messaging](../bpmn/messaging.md) model, nor does the Business Process Engines the DSF is currently built upon. The DSF implements messaging through FHIR [Task](../fhir/task.md) resources. Sending a message is thus equivalent to making an HTTP POST request including a [Task](../fhir/task.md) resource to another (DSF) FHIR server. This step is done by the DSF automatically if the required prerequisites are met.
+
+### Messaging Prerequisites
+
+After modelling communication using [BPMN message elements](../bpmn/messaging.md), the DSF will create a [Task](../fhir/task.md) resource based on the field injection values `profile`, `messageName` and `instantiatesCanonical` of the [BPMN message element](../bpmn/messaging.md) and the additional input parameters provided by the [activity's](message-activities.md) `getAdditionalInputParameters` method. The [Task](../fhir/task.md) is then sent to the recipient specified by the [Target](target-and-targets.md) instance set in the current process execution as a [process variable](bpmn-process-variables.md).
+
+## Related Topics
+[Activities](activities.md), [Message Activities](message-activities.md), [Process Plugin API](process-plugin-api.md), [Task](../fhir/task.md)
+
+---
+
+## Organization Identifiers
+Source: https://dsf.dev/process-development/api-v2/dsf/organization-identifiers.html
+
+## Organization Identifiers
+DSF FHIR server instances can configure an `organization identifier`. It uniquely identifies the organization the DSF FHIR server instance belongs to for its [Allow-List mechanism](https://dsf.dev/intro/info/allowList.html). It is set as an [environment variable](https://dsf.dev/stable/maintain/fhir/configuration.html#dev-dsf-fhir-server-organization-identifier-value). A GET request to `https://example.org/fhir/Organization` will return a list of all organizations for the DSF FHIR server instance running under `example.org`. The results will also include the `organization identifier` of each organization.
+
+### Organization Identifiers in Task Resources
+[Task](../fhir/task.md) resources require a reference to an organization via its identifier as the `Task.requester` and `Task.restriction.recipient` elements. The exact values for these elements depend on the [ActivityDefinition](../fhir/activitydefinition.md) the [Task](../fhir/task.md) resource should conform to. As a general rule, the identifier of your own organization should be used as the `Task.requester` and `Task.restriction.recipient` elements for [Task](../fhir/task.md) resources which initially start processes. All other cases depend on the context of the message being sent during process execution. An easy way to generalize this in [Draft Task Resources](draft-task-resources.md) is to use the `#{organization}` [placeholder](versions-placeholders-urls.md#placeholders).
+
+## Related Topics
+[Allow-List](https://dsf.dev/intro/info/allowList.html), [ActivityDefinition](../fhir/activitydefinition.md), [Environment Variables](environment-variables.md), [Requester and Recipient](requester-and-recipient.md), [Task](../fhir/task.md)
+
+---
+
+## Read Access Tag
+Source: https://dsf.dev/process-development/api-v2/dsf/read-access-tag.html
+
+## Read Access Tag
+
+Axiomatically, nobody is allowed to write FHIR resources (except [Task](../fhir/task.md)) to the DSF FHIR server unless it is the organization running the instance, which is [configurable](https://dsf.dev/operations/latest/fhir/configuration.html#dev-dsf-fhir-server-organization-identifier-value). By default, the same applies to reading FHIR resources (again except [Task](../fhir/task.md)). But since the DSF is often used to offer medical data in form of FHIR resources, other organizations should be allowed to read some of the resources on the DSF FHIR server. The `Resource.meta.tag` element is used define access rules for all FHIR resources in the DSF, with the exception of [Task](../fhir/task.md) resources. For example, allowing read access for all organizations would use the following `system` and `code` in your FHIR resource:
+
+```xml
+
+
+
+
+
+
+```
+All codes for the Read Access Tag can be found in its [CodeSystem](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/CodeSystem/dsf-read-access-tag-2.0.0.xml).
+
+The read access rules for [Task](../fhir/task.md) resources are defined through the `requester` and `recipient` elements of the [dsf-extension-process-authorization](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-process-authorization-2.0.0.xml) in a plugin's [ActivityDefinitions](../fhir/activitydefinition.md). Therefore, no `read-access-tag` is needed.
+
+It is also possible to restrict read access of FHIR resources to organizations with a specific role in a parent organization or a specific identifier. More information on that can be found in the [guide on configuring the Read Access Tag](../guides/configuring-read-access-tags.md).
+
+## Related Topics
+[Configuring Read Access Tags](../guides/configuring-read-access-tags.md)
+
+---
+
+## Requester and Recipient
+Source: https://dsf.dev/process-development/api-v2/dsf/requester-and-recipient.html
+
+## Requester and Recipient Elements
+
+Below is a set of examples for each Coding used by `requester` and `recipient` elements from the [dsf-extension-process-authorization](https://github.com/datasharingframework/dsf/blob/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/StructureDefinition/dsf-extension-process-authorization-2.0.0.xml). CodeSystems referenced in the examples can be found [here](https://github.com/datasharingframework/dsf/tree/release/2.0.2/dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/CodeSystem). This collection aims to provide a reference point when creating [ActivityDefinitions](../fhir/activitydefinition.md).
+
+### Requester
+The `requester` element uses one of the following Codings:
+```xml
+
+
+
+
+
+
+
+
+
+```
+
+#### Local All
+```xml
+
+
+
+
+
+
+```
+
+#### Local All Practitioner
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+#### Local Organization
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+#### Local Organization Practitioner
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+#### Local Parent Organization Role
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+#### Local Parent Organization Role Practitioner
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+#### Remote All
+```xml
+
+
+
+
+
+
+```
+
+#### Remote Organization
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+#### Remote Parent Organization Role
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+### Recipient
+The `recipeint` element uses one of the following Codings:
+```xml
+
+
+
+```
+
+#### Local All
+```xml
+
+
+
+
+
+
+```
+
+#### Local Organization
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+#### Local Parent Organization Role
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+## Related Topics
+[ActivityDefinition](../fhir/activitydefinition.md)
+
+---
+
+## Target and Targets
+Source: https://dsf.dev/process-development/api-v2/dsf/target-and-targets.html
+
+## Target
+
+A target is a container for all information necessary to send messages to other DSF instances. This information includes:
+- **Organization Identifier:** Identifier of an [Organization Resource](https://www.hl7.org/fhir/R4/organization.html). It can be acquired through the API's `OrganizationProvider` or by querying a FHIR server. Querying the DSF FHIR server should be done using the `DsfClient` provided by the API's `DsfClientProvider` while a `FhirClient` provided by the API's `FhirClientProvider` may be used for other types of FHIR servers.
+- **Endpoint Identifier:** Identifier of an [Endpoint Resource](https://www.hl7.org/fhir/R4/endpoint.html) with the `managingOrganization` being the same organization as the one from the `Organization Identifier` above. It can be acquired through the API's `OrganizationProvider` or by querying a FHIR server. Querying the DSF FHIR server should be done using the `DsfClient` provided by the API's `DsfClientProvider` while a `FhirClient` provided by the API's `FhirClientProvider` may be used for other types of FHIR servers.
+- **Endpoint URL:** The URL of the endpoint. The [Endpoint Resource](https://www.hl7.org/fhir/R4/endpoint.html) provides this value through its `address` field.
+- **Correlation Key:** Optional value used to correlate messages, that are sent to this target, to their correct process instances. More information on this mechanism can be found in [Message Correlation](message-correlation.md).
+
+## Targets
+
+Targets is a container class for a collection of [Target](#target) objects. It also provides utility methods for manipulating the underlying collection.
+
+## Creating Target/Targets
+
+Creating Target instances requires the target's organization identifier, endpoint identifier, and endpoint address. These values can be obtained from the DSF FHIR server's web interface or by querying the FHIR server via an instance of `DsfClient` or a `generic FHIR client`. By clicking the `Show Bookmarks` button in the top right corner and selecting `Endpoint`, a list of all Endpoints available to the FHIR server will be displayed. Instances of `DsfClient` or a `generic FHIR client` can be accessed via the [process plugin API](../dsf/process-plugin-api.md).
+Targets can be created by using the [`Variables'`](bpmn-process-variables.md) `createTarget` method or by using [Process Plugin API's](process-plugin-api.md) `TargetProvider` instance. The methods provided by [`Variables`](bpmn-process-variables.md) allow creating specific Target instances and Targets instances based on collections of Target instances. For cases where for example, all member organizations of a particular parent organization should be targeted, the [Process Plugin API's](process-plugin-api.md) `TargetProvider` instance offers various different utility methods.
+
+## Setting Target/Targets
+
+Targets should be set in a [Service Task](../bpmn/service-tasks.md) before a [Message Activity](message-activities.md).
+Targets should be set either through the [`Variables'`](bpmn-process-variables.md) `setTarget` or `setTargets` methods. When modelling parallel subprocesses where each execution sends messages to its own target, the Target can be set automatically for each execution by using `${targets.entries}` as the `Collection` value for the parallel subprocess and `target` as the `Element variable` value in the [Camunda Modeler](https://camunda.com/download/modeler/). This requires having called `setTargets` before entering the parallel subprocess.
+
+## Related Topics
+[Message Activities](message-activities.md), [Message Correlation](message-correlation.md)
+
+---
+
+## Versions, Placeholders and URLs
+Source: https://dsf.dev/process-development/api-v2/dsf/versions-placeholders-urls.html
+
+## Versions, Placeholders and URLs
+
+### Version Pattern
+
+Process plugin versions have to obey the pattern:
+```
+\d+\.\d+\.\d+\.\d+ Example: 1.2.3.4
+```
+
+The first two numbers (`1.2`) are used in FHIR resources and signal changes which break compatibility with previous process versions. For example, altering FHIR resources usually results in a breaking change. The latter two (`3.4`) signal changes which do not break compatibility with previous process versions. Specifically, the 4th number is reserved for bug-fixes and the 3rd number includes all other non-breaking changes.
+
+### Placeholders
+
+To avoid specifying the version and release date in multiple files, the placeholders `#{version}` and `#{date}` can be used within FHIR resources and BPMN models. They are replaced with the values returned by the methods `ProcessPluginDefinition#getResourceVersion` and `ProcessPluginDefinition#getReleaseDate` respectively during deployment of a process plugin by the DSF BPE server. There is also a placeholder for the organization the DSF instance is running in: `#{organization}`, typically use in [Draft Task Resources](draft-task-resources.md).
+
+### URLs
+
+BPMN models have an ID called process definition key. The BPMN process definition key needs to be specified following the pattern:
+```
+^[-a-zA-Z0-9]+_[-a-zA-Z0-9]+$ Example: exampleorg_processKey
+```
+In addition, the BPMN model needs to specify a version. The `#{version}` [placeholder](#placeholders) should be used for this as well. The DSF will also reference this process in URL form in FHIR resources:
+```
+http://example.org/bpe/Process/processKey|1.2
+```
+
+The version in the URL `|1.2` only uses the resource version and omits the code base version. As mentioned in [Version Pattern](#version-pattern), this means that only changes to the first two version numbers are significant to signal compatibility when communicating with other process plugin instances. The process definition key and URL are also related to each other. The DSF will try to match BPMN models to FHIR resources by transforming the URL into a process definition key. That is why it is mandatory to follow the pattern above.
+
+The above URL will be used as the instantiatesCanonical value for [Task](../fhir/task.md) profile definitions as well as references to [Task](../fhir/task.md) profiles in other resources. It is also used as the URL value for [ActivityDefinitions](../fhir/activitydefinition.md). In this case though, the URL has to be split into two parts. The version (`|1.2`) needs to be separated from the URL and used as a value for the `ActivityDefinition.version` element. Since it refers to the plugin's resource version, the `#{version}` [placeholder](#placeholders) should be used here instead. Going by the example from above, the final URL looks like this:
+```
+http://example.org/bpe/Process/processKey
+```
+This will be the value for the `ActivityDefinition.url` element with `#{version}` as the value for the `ActivityDefinition.version` element.
+
+## Related Topics
+[ActivityDefinition](../fhir/activitydefinition.md), [Process Plugin Definition](process-plugin-definition.md)
+
+---
+
+## Empty Process Plugin
+Source: https://dsf.dev/process-development/api-v2/tooling/empty-process-plugin.html
+
+## Empty Process Plugin
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## DSF IDE
+Source: https://dsf.dev/process-development/api-v2/tooling/ide.html
+
+## DSF IDE
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## Maven Central and Resources
+Source: https://dsf.dev/process-development/api-v2/tooling/maven.html
+
+## Maven Central and Ressources
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
+
+---
+
+## Pipeline Testing
+Source: https://dsf.dev/process-development/api-v2/tooling/pipeline-testing.html
+
+## Pipeline Testing
+
+::: warning Work in progress
+
+This site is work in progress, please come back later.
+:::
diff --git a/docs/src/.vuepress/public/llms.txt b/docs/src/.vuepress/public/llms.txt
new file mode 100644
index 000000000..8c3c2da19
--- /dev/null
+++ b/docs/src/.vuepress/public/llms.txt
@@ -0,0 +1,139 @@
+# Data Sharing Framework (DSF)
+
+> The Data Sharing Framework (DSF) is a secure middleware for distributing data sharing processes based on BPMN 2.0 and FHIR R4 standards. It enables biomedical researchers to extract, merge, pseudonymize, and share data across organizational boundaries. Funded by the German Federal Ministry of Research, Technology and Space within the Medical Informatics Initiative (MII). Website: https://dsf.dev
+
+## Core Concepts
+
+- [Introduction](https://dsf.dev/explore/concepts/introduction.html): Overview of the DSF, the Medical Informatics Initiative, and Data Integration Centers
+- [Basics](https://dsf.dev/explore/concepts/basics.html): Fundamental concepts of the DSF architecture
+- [Architecture](https://dsf.dev/explore/concepts/architecture.html): Technical architecture of the DSF including FHIR endpoints and business process engines
+- [Security](https://dsf.dev/explore/concepts/security.html): Security model and concepts used by the DSF
+- [Allow List](https://dsf.dev/explore/concepts/allow-list.html): How the DSF manages trusted organizations via allow lists
+- [Process Plugins](https://dsf.dev/explore/concepts/process-plugins.html): How process plugins extend the DSF with new data sharing processes
+- [Network Setup](https://dsf.dev/explore/concepts/network-setup.html): How to set up a DSF network
+
+## Use Cases
+
+- [Feasibility](https://dsf.dev/explore/use-cases/feasibility.html): Feasibility queries across multiple sites
+- [NUM (Network University Medicine)](https://dsf.dev/explore/use-cases/num.html): Use in the German Network University Medicine
+- [Internal MII Data Sharing](https://dsf.dev/explore/use-cases/internal-mii-data-sharing.html): Data sharing within the Medical Informatics Initiative
+
+## Operations (Latest)
+
+- [Get Started](https://dsf.dev/operations/get-started.html): Getting started with DSF operations
+- [Installation Guide](https://dsf.dev/operations/latest/install.html): Step-by-step installation of the latest DSF release
+- [Release Notes](https://dsf.dev/operations/latest/release-notes.html): What's new in the latest DSF release
+- [FHIR Server Configuration](https://dsf.dev/operations/latest/fhir/configuration.html): Configuration options for the FHIR server component
+- [BPE Configuration](https://dsf.dev/operations/latest/bpe/configuration.html): Configuration options for the Business Process Engine
+- [FHIR Reverse Proxy](https://dsf.dev/operations/latest/fhir-reverse-proxy/configuration.html): Reverse proxy configuration for the FHIR endpoint
+- [BPE Reverse Proxy](https://dsf.dev/operations/latest/bpe-reverse-proxy/configuration.html): Reverse proxy configuration for the BPE
+- [Allow List Management](https://dsf.dev/operations/latest/allowList-mgm.html): Managing the allow list of trusted organizations
+- [Process Plugin Deployment](https://dsf.dev/operations/process-plugin-deployment.html): How to deploy process plugins
+- [Passwords and Secrets](https://dsf.dev/operations/latest/passwords-secrets.html): Managing passwords and secrets
+- [Root Certificates](https://dsf.dev/operations/latest/root-certificates.html): Certificate management
+- [Image Verification](https://dsf.dev/operations/latest/image-verification.html): Verifying the authenticity and integrity of DSF container images
+- [Hardening Measures](https://dsf.dev/operations/latest/hardening-measures.html): Recommended hardening measures for a production deployment
+- [Upgrade from DSF v1](https://dsf.dev/operations/latest/upgrade-from-1.html): Migration guide from DSF v1 to v2
+- [Upgrade within DSF v2](https://dsf.dev/operations/latest/upgrade-from-2.html): Upgrading between DSF v2.x versions
+- [OIDC Configuration (FHIR)](https://dsf.dev/operations/latest/fhir/oidc.html): OpenID Connect setup for FHIR server
+- [OIDC Configuration (BPE)](https://dsf.dev/operations/latest/bpe/oidc.html): OpenID Connect setup for BPE
+- [Access Control (FHIR)](https://dsf.dev/operations/latest/fhir/access-control.html): Access control for the FHIR server
+- [Access Control (BPE)](https://dsf.dev/operations/latest/bpe/access-control.html): Access control for the Business Process Engine
+
+## Troubleshooting
+
+- [Common HTTP Status Codes](https://dsf.dev/operations/troubleshooting/common-http-status-codes.html): Common HTTP errors and solutions
+- [Connection Refused](https://dsf.dev/operations/troubleshooting/connection-refused.html): Troubleshooting connection refused errors
+- [Connection Timeout](https://dsf.dev/operations/troubleshooting/connection-timeout.html): Troubleshooting connection timeouts
+- [Read Timeout](https://dsf.dev/operations/troubleshooting/read-timeout.html): Troubleshooting read timeouts
+- [SSL Issues](https://dsf.dev/operations/troubleshooting/ssl.html): Troubleshooting SSL/TLS certificate problems
+- [Unknown Host](https://dsf.dev/operations/troubleshooting/unknown-host.html): Troubleshooting DNS resolution issues
+
+## Process Plugin Development (API v2 - Current)
+
+- [Concept](https://dsf.dev/process-development/api-v2/concept.html): Process plugin concept and design
+- [Get Started](https://dsf.dev/process-development/api-v2/get-started.html): Getting started with process plugin development
+- [Create a Process Plugin](https://dsf.dev/process-development/api-v2/create.html): Step-by-step guide to creating a process plugin
+- [Implementation](https://dsf.dev/process-development/api-v2/implementation.html): Implementation details
+- [Testing](https://dsf.dev/process-development/api-v2/testing.html): Testing process plugins
+- [Best Practices](https://dsf.dev/process-development/api-v2/best-practices.html): Best practices for process plugin development
+- [Migration from API v1](https://dsf.dev/process-development/api-v2/migration.html): Migrating process plugins from API v1 to v2
+- [Javadoc](https://dsf.dev/process-development/api-v2/javadoc.html): Java API reference
+- [Publishing on DSF Hub](https://dsf.dev/process-development/api-v2/publishing/publish-on-dsfhub.html): How to publish process plugins
+
+### BPMN in DSF
+
+- [BPMN Overview](https://dsf.dev/process-development/api-v2/bpmn/): BPMN 2.0 elements supported by the DSF
+- [Service Tasks](https://dsf.dev/process-development/api-v2/bpmn/service-tasks.html): Using service tasks in DSF processes
+- [User Tasks](https://dsf.dev/process-development/api-v2/bpmn/user-tasks.html): User tasks for human interaction
+- [Messaging](https://dsf.dev/process-development/api-v2/bpmn/messaging.html): Cross-site messaging via BPMN
+- [Gateways](https://dsf.dev/process-development/api-v2/bpmn/gateways.html): BPMN gateways for process flow control
+- [Conditions](https://dsf.dev/process-development/api-v2/bpmn/conditions.html): Conditional flow in BPMN processes
+- [Execution Listeners](https://dsf.dev/process-development/api-v2/bpmn/execution-listeners.html): Execution listeners for process events
+- [Timer Events](https://dsf.dev/process-development/api-v2/bpmn/timer-intermediate-catching-events.html): Timer-based events
+
+### FHIR Resources
+
+- [FHIR Overview](https://dsf.dev/process-development/api-v2/fhir/): FHIR R4 resources used by DSF process plugins
+- [Task Resource](https://dsf.dev/process-development/api-v2/fhir/task.html): The FHIR Task resource in DSF
+- [ActivityDefinition](https://dsf.dev/process-development/api-v2/fhir/activitydefinition.html): Defining activities with FHIR ActivityDefinition
+- [CodeSystem](https://dsf.dev/process-development/api-v2/fhir/codesystem.html): Custom CodeSystems for DSF processes
+- [ValueSet](https://dsf.dev/process-development/api-v2/fhir/valueset.html): ValueSets in DSF processes
+- [Questionnaire](https://dsf.dev/process-development/api-v2/fhir/questionnaire-and-questionnaireresponse.html): Questionnaire and QuestionnaireResponse resources
+
+### DSF Internals
+
+- [Process Plugin API](https://dsf.dev/process-development/api-v2/dsf/process-plugin-api.html): The DSF Process Plugin API
+- [Process Plugin Definition](https://dsf.dev/process-development/api-v2/dsf/process-plugin-definition.html): Defining a process plugin
+- [BPMN Process Execution](https://dsf.dev/process-development/api-v2/dsf/bpmn-process-execution.html): How the DSF executes BPMN processes
+- [BPMN Process Variables](https://dsf.dev/process-development/api-v2/dsf/bpmn-process-variables.html): Available process variables
+- [Message Correlation](https://dsf.dev/process-development/api-v2/dsf/message-correlation.html): How messages are correlated between sites
+- [Spring Framework Integration](https://dsf.dev/process-development/api-v2/dsf/spring-framework-integration.html): Spring integration details
+
+### Developer Guides
+
+- [Starting a Process](https://dsf.dev/process-development/api-v2/guides/starting-a-process-via-task-resources.html): How to start a DSF process
+- [Accessing Process Variables](https://dsf.dev/process-development/api-v2/guides/accessing-bpmn-process-variables.html): Working with BPMN process variables
+- [Accessing Task Resources](https://dsf.dev/process-development/api-v2/guides/accessing-task-resources-during-execution.html): Accessing FHIR Task resources during execution
+- [Creating Activity Definitions](https://dsf.dev/process-development/api-v2/guides/creating-activity-definitions.html): Guide to creating ActivityDefinitions
+- [Creating CodeSystems](https://dsf.dev/process-development/api-v2/guides/creating-codesystems-for-dsf-processes.html): Guide to creating CodeSystems
+- [Creating ValueSets](https://dsf.dev/process-development/api-v2/guides/creating-valuesets-for-dsf-processes.html): Guide to creating ValueSets
+- [Creating Task Resources](https://dsf.dev/process-development/api-v2/guides/creating-task-resources-based-on-a-definition.html): Creating Task resources
+- [Read Access Tags](https://dsf.dev/process-development/api-v2/guides/configuring-read-access-tags.html): Configuring read access tags
+- [Task Parameters](https://dsf.dev/process-development/api-v2/guides/adding-task-parameters-to-task-profiles.html): Adding parameters to Task profiles
+- [User Tasks](https://dsf.dev/process-development/api-v2/guides/user-tasks-in-the-dsf.html): Implementing user tasks
+- [Managing Messages](https://dsf.dev/process-development/api-v2/guides/managing-mutiple-incoming-messages-and-missing-messages.html): Handling multiple and missing messages
+
+## Linter Tool
+
+- [Linter Tool](https://dsf.dev/process-development/linter-tool/linter-tool.html): Process plugin validation tool
+- [Validation Rules](https://dsf.dev/process-development/linter-tool/validation.html): Validation rules and checks
+- [Phases](https://dsf.dev/process-development/linter-tool/phases.html): Linter validation phases
+- [Troubleshooting](https://dsf.dev/process-development/linter-tool/troubleshooting.html): Linter troubleshooting
+
+## DSF Development
+
+- [FHIR Implementation Guide](https://dsf.dev/dsf-development/v2/fhir-ig.html): DSF FHIR Implementation Guide
+- [Maven Build](https://dsf.dev/dsf-development/v2/maven.html): Building the DSF with Maven
+
+## Community
+
+- [Team](https://dsf.dev/community/team.html): The team behind the DSF
+- [Communication](https://dsf.dev/community/communication.html): How to reach the DSF community
+- [Ecosystem](https://dsf.dev/community/ecosystem.html): Partner organizations and ecosystem
+- [Contributing Code](https://dsf.dev/community/contribute/code.html): How to contribute code
+- [Contributing Documentation](https://dsf.dev/community/contribute/documentation.html): How to contribute documentation
+- [Consultation Hours](https://dsf.dev/community/consultation-hours.html): Regular consultation hours for DSF users
+
+## Additional Resources
+
+- [Publications](https://dsf.dev/explore/publications.html): Research publications about and using the DSF
+- [Awards](https://dsf.dev/explore/awards.html): Awards received by the DSF project
+- [Security Policy](https://dsf.dev/security/): Security disclosure policy
+- [GitHub Repository](https://github.com/datasharingframework/dsf): Source code of the DSF
+
+## Optional
+
+- [Process Plugin Development API v1](https://dsf.dev/process-development/api-v1/): Legacy API v1 documentation (superseded by API v2)
+- [Old DSF Versions](https://dsf.dev/operations/old-versions.html): Documentation for older DSF versions (v1.x)
+- [News](https://dsf.dev/news/): News and blog posts about the DSF
diff --git a/docs/src/.vuepress/scripts/create-version.ts b/docs/src/.vuepress/scripts/create-version.ts
new file mode 100644
index 000000000..36b57e3b4
--- /dev/null
+++ b/docs/src/.vuepress/scripts/create-version.ts
@@ -0,0 +1,115 @@
+#!/usr/bin/env npx tsx
+// Creates a new DSF documentation version.
+//
+// Usage: npx tsx docs/src/.vuepress/scripts/create-version.ts
+// Example: npx tsx docs/src/.vuepress/scripts/create-version.ts 2.2.0
+//
+// What it does:
+// 1. Copies the current latest version folder to operations/v/
+// 2. Updates releases.ts: adds new entry to allVersions, updates latestVersion,
+// adds a releases entry with TODO digests
+// 3. Updates the latest symlink to point to v/
+// 4. Runs fetch-versioned-release-notes.ts if a GitHub release exists
+
+import { cpSync, existsSync, readFileSync, writeFileSync, unlinkSync, symlinkSync, realpathSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { execSync } from 'child_process';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const OPERATIONS_DIR = resolve(__dirname, '../../operations');
+const RELEASES_FILE = resolve(__dirname, '../data/releases.ts');
+
+function die(msg: string): never {
+ console.error(`Error: ${msg}`);
+ process.exit(1);
+}
+
+function parseVersion(v: string): [number, number, number] {
+ const m = v.match(/^(\d+)\.(\d+)\.(\d+)$/);
+ if (!m) die(`Invalid version format: "${v}". Expected X.Y.Z`);
+ return [parseInt(m![1]), parseInt(m![2]), parseInt(m![3])];
+}
+
+function main() {
+ const newVersion = process.argv[2];
+ if (!newVersion) die('Usage: npx tsx create-version.ts \n Example: npx tsx create-version.ts 2.2.0');
+
+ parseVersion(newVersion); // validate format
+
+ const newDir = resolve(OPERATIONS_DIR, `v${newVersion}`);
+ if (existsSync(newDir)) die(`Directory ${newDir} already exists.`);
+
+ // --- 1. Determine current latest and copy ---
+ const latestLink = resolve(OPERATIONS_DIR, 'latest');
+ const currentLatestDir = realpathSync(latestLink);
+ const currentLatestVersion = currentLatestDir.match(/v(\d+\.\d+\.\d+)$/)?.[1];
+ if (!currentLatestVersion) die(`Could not determine current latest version from symlink: ${currentLatestDir}`);
+
+ console.log(`Copying v${currentLatestVersion}/ → v${newVersion}/...`);
+ cpSync(currentLatestDir, newDir, { recursive: true });
+
+ // --- 2. Update releases.ts ---
+ console.log('Updating releases.ts...');
+ let src = readFileSync(RELEASES_FILE, 'utf-8');
+
+ // Determine sidebar key from previous latest
+ const prevSidebarMatch = src.match(new RegExp(`\\{\\s*tag:\\s*'${currentLatestVersion}'\\s*,\\s*sidebar:\\s*'([^']+)'`));
+ const sidebarKey = prevSidebarMatch?.[1] ?? 'v2_latest';
+
+ // Add new entry at the top of allVersions
+ const allVersionsMarker = 'export const allVersions: VersionEntry[] = [';
+ const newEntry = ` { tag: '${newVersion}', sidebar: '${sidebarKey}' },`;
+ src = src.replace(allVersionsMarker, `${allVersionsMarker}\n${newEntry}`);
+
+ // Update latestVersion
+ src = src.replace(
+ /export const latestVersion = '[^']+';/,
+ `export const latestVersion = '${newVersion}';`
+ );
+
+ // Add releases entry with TODO digests (if major >= 2)
+ const [major] = parseVersion(newVersion);
+ if (major >= 2) {
+ const releasesClosingBrace = /^};$/m;
+ const newRelease = ` '${newVersion}': {
+ tag: '${newVersion}',
+ previousTag: '${currentLatestVersion}',
+ images: {
+ fhir: { digest: 'sha256:TODO' },
+ fhir_proxy: { digest: 'sha256:TODO' },
+ bpe: { digest: 'sha256:TODO' },
+ bpe_proxy: { digest: 'sha256:TODO' },
+ },
+ },\n`;
+ src = src.replace(releasesClosingBrace, `${newRelease}};`);
+ }
+
+ writeFileSync(RELEASES_FILE, src, 'utf-8');
+
+ // --- 3. Update latest symlink ---
+ console.log(`Updating latest symlink → v${newVersion}/...`);
+ unlinkSync(latestLink);
+ symlinkSync(`v${newVersion}`, latestLink);
+
+ // --- 4. Fetch release notes (if release exists) ---
+ const fetchScript = resolve(__dirname, '../sidebar/fetch-versioned-release-notes.ts');
+ if (existsSync(fetchScript)) {
+ console.log('Fetching release notes...');
+ try {
+ execSync(`npx tsx "${fetchScript}"`, { stdio: 'inherit' });
+ } catch {
+ console.log('(Release notes fetch had warnings — may not exist on GitHub yet)');
+ }
+ }
+
+ // --- Done ---
+ console.log(`\n✓ Version ${newVersion} created successfully.\n`);
+ console.log('Remaining manual steps:');
+ console.log(` 1. Update image digests in releases.ts (replace sha256:TODO)`);
+ console.log(` 2. Review/edit release-specific content in operations/v${newVersion}/`);
+ console.log(` (release-notes.md, upgrade-from-*.md if upgrade steps differ)`);
+ console.log(` 3. Run: cd docs && npm run docs:build`);
+}
+
+main();
diff --git a/docs/src/.vuepress/scripts/generate-llms.ts b/docs/src/.vuepress/scripts/generate-llms.ts
new file mode 100644
index 000000000..f68194114
--- /dev/null
+++ b/docs/src/.vuepress/scripts/generate-llms.ts
@@ -0,0 +1,146 @@
+#!/usr/bin/env npx tsx
+// Generates the llms.txt and llms-full.txt files in public/ from the curated
+// index in llms-index.ts and the markdown documentation sources.
+//
+// Usage: npx tsx docs/src/.vuepress/scripts/generate-llms.ts
+// or: cd docs && npm run docs:generate-llms
+//
+// - llms.txt: concise, sectioned index of links + descriptions (llmstxt.org)
+// - llms-full.txt: the same pages with their full markdown content inlined
+//
+// What it does for the full-text file:
+// 1. Maps each dsf.dev link to its markdown source (resolving /latest/ to the
+// current latestVersion and .html to the .md / README.md file)
+// 2. Strips frontmatter and resolves {{release.*}} tokens exactly like the site
+// (reusing replaceReleaseTokens from the markdown plugin)
+// 3. Emits "## \nSource: <url>\n\n<content>" blocks
+//
+// External links and pages without a markdown source are kept in llms.txt but
+// skipped in llms-full.txt; any skipped dsf.dev pages are reported at the end.
+
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { sections, fullExtra, intro, title, siteUrl, type LlmsPage } from './llms-index.js';
+import { getReleaseFromPath, latestVersion } from '../data/releases.js';
+import { replaceReleaseTokens } from '../markdown/releaseVarsPlugin.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const SRC = resolve(__dirname, '../..'); // docs/src
+const PUBLIC = resolve(__dirname, '../public'); // docs/src/.vuepress/public
+
+function isExternal(link: string): boolean {
+ return /^https?:\/\//.test(link);
+}
+
+function fullUrl(link: string): string {
+ return isExternal(link) ? link : `${siteUrl}/${link.replace(/^\//, '')}`;
+}
+
+function allPages(): LlmsPage[] {
+ const pages: LlmsPage[] = [];
+ for (const s of sections) {
+ pages.push(...s.pages);
+ for (const sub of s.subsections ?? []) pages.push(...sub.pages);
+ }
+ return pages;
+}
+
+// Map a dsf.dev-relative link to its markdown source path (relative to docs/src),
+// or null if it is external or has no markdown file (route alias, blog, etc.).
+function sourceRel(link: string): string | null {
+ if (isExternal(link)) return null;
+ let p = link.replace(/^\//, '').replace(/^operations\/latest\//, `operations/v${latestVersion}/`);
+ p = p.replace(/\.html$/, '');
+ const stem = p.replace(/\/$/, '');
+ const candidates: string[] = [];
+ if (!p.endsWith('/')) candidates.push(`${stem}.md`);
+ candidates.push(`${stem}/README.md`, `${stem}/readme.md`, `${stem}/index.md`);
+ for (const c of candidates) if (existsSync(resolve(SRC, c))) return c;
+ return null;
+}
+
+function stripFrontmatter(md: string): string {
+ if (!md.startsWith('---')) return md;
+ const end = md.indexOf('\n---', 3);
+ if (end === -1) return md;
+ const newline = md.indexOf('\n', end + 1);
+ return newline === -1 ? '' : md.slice(newline + 1);
+}
+
+function pageBody(rel: string): string {
+ let md = readFileSync(resolve(SRC, rel), 'utf-8').replace(/\r\n/g, '\n');
+ md = stripFrontmatter(md);
+ const release = getReleaseFromPath('/' + rel);
+ if (release) md = replaceReleaseTokens(md, release);
+ return md.trim();
+}
+
+function buildIndex(): string {
+ const out: string[] = [`# ${title}`, '', `> ${intro}`, ''];
+ for (const s of sections) {
+ out.push(`## ${s.heading}`, '');
+ for (const p of s.pages) out.push(`- [${p.title}](${fullUrl(p.link)}): ${p.description}`);
+ if (s.pages.length) out.push('');
+ for (const sub of s.subsections ?? []) {
+ out.push(`### ${sub.heading}`, '');
+ for (const p of sub.pages) out.push(`- [${p.title}](${fullUrl(p.link)}): ${p.description}`);
+ out.push('');
+ }
+ }
+ return out.join('\n').replace(/\n+$/, '\n');
+}
+
+function buildFull(): { text: string; skipped: string[]; inlined: number } {
+ const out: string[] = [`# ${title}`, '', `> ${intro}`, ''];
+ const skipped: string[] = [];
+ const seen = new Set<string>();
+ let inlined = 0;
+ for (const p of [...allPages(), ...fullExtra]) {
+ const rel = sourceRel(p.link);
+ if (!rel) {
+ if (!isExternal(p.link)) skipped.push(p.link);
+ continue;
+ }
+ if (seen.has(rel)) continue; // page already inlined via the index
+ seen.add(rel);
+ out.push('---', '', `## ${p.title}`, `Source: ${fullUrl(p.link)}`, '', pageBody(rel), '');
+ inlined++;
+ }
+ return { text: out.join('\n').replace(/\n+$/, '\n'), skipped, inlined };
+}
+
+function main(): void {
+ const check = process.argv.includes('--check');
+ const index = buildIndex();
+ const { text: full, skipped, inlined } = buildFull();
+ const targets: [string, string][] = [
+ [resolve(PUBLIC, 'llms.txt'), index],
+ [resolve(PUBLIC, 'llms-full.txt'), full],
+ ];
+
+ if (check) {
+ const stale = targets.filter(([path, content]) => {
+ const current = existsSync(path) ? readFileSync(path, 'utf-8') : '';
+ return current !== content;
+ });
+ if (stale.length) {
+ console.error('✗ llms files are out of date. Run: npm run docs:generate-llms');
+ for (const [path] of stale) console.error(` - ${path.replace(`${SRC}/`, 'src/')}`);
+ process.exit(1);
+ }
+ console.log('✓ llms.txt and llms-full.txt are up to date');
+ return;
+ }
+
+ for (const [path, content] of targets) writeFileSync(path, content, 'utf-8');
+
+ console.log(`✓ Wrote llms.txt (${allPages().length} links)`);
+ console.log(`✓ Wrote llms-full.txt (${inlined} pages inlined, latest = v${latestVersion})`);
+ if (skipped.length) {
+ console.log(`\nNote: ${skipped.length} dsf.dev page(s) had no markdown source and were left out of llms-full.txt:`);
+ for (const s of skipped) console.log(` - ${s}`);
+ }
+}
+
+main();
diff --git a/docs/src/.vuepress/scripts/llms-index.ts b/docs/src/.vuepress/scripts/llms-index.ts
new file mode 100644
index 000000000..ad9a5fe04
--- /dev/null
+++ b/docs/src/.vuepress/scripts/llms-index.ts
@@ -0,0 +1,611 @@
+// Curated index for the llms.txt / llms-full.txt files.
+// This is the editorial source of truth: edit titles, descriptions, ordering
+// and which pages are included here, then regenerate with:
+// npm run docs:generate-llms
+//
+// 'link' is relative to https://dsf.dev/ (e.g. 'operations/latest/install.html')
+// or a full external URL. The full-text generator maps each dsf.dev link to its
+// markdown source; external links and pages without a markdown source are listed
+// in llms.txt but skipped in llms-full.txt.
+
+export interface LlmsPage {
+ title: string;
+ link: string;
+ /** Shown in llms.txt. Optional for full-text-only pages (see fullExtra). */
+ description?: string;
+}
+
+export interface LlmsSubsection {
+ heading: string;
+ pages: LlmsPage[];
+}
+
+export interface LlmsSection {
+ heading: string;
+ pages: LlmsPage[];
+ subsections?: LlmsSubsection[];
+}
+
+export const siteUrl = 'https://dsf.dev';
+
+export const title = 'Data Sharing Framework (DSF)';
+
+export const intro =
+ "The Data Sharing Framework (DSF) is a secure middleware for distributing data sharing processes based on BPMN 2.0 and FHIR R4 standards. It enables biomedical researchers to extract, merge, pseudonymize, and share data across organizational boundaries. Funded by the German Federal Ministry of Research, Technology and Space within the Medical Informatics Initiative (MII). Website: https://dsf.dev";
+
+export const sections: LlmsSection[] = [
+ {
+ "heading": "Core Concepts",
+ "pages": [
+ {
+ "title": "Introduction",
+ "link": "explore/concepts/introduction.html",
+ "description": "Overview of the DSF, the Medical Informatics Initiative, and Data Integration Centers"
+ },
+ {
+ "title": "Basics",
+ "link": "explore/concepts/basics.html",
+ "description": "Fundamental concepts of the DSF architecture"
+ },
+ {
+ "title": "Architecture",
+ "link": "explore/concepts/architecture.html",
+ "description": "Technical architecture of the DSF including FHIR endpoints and business process engines"
+ },
+ {
+ "title": "Security",
+ "link": "explore/concepts/security.html",
+ "description": "Security model and concepts used by the DSF"
+ },
+ {
+ "title": "Allow List",
+ "link": "explore/concepts/allow-list.html",
+ "description": "How the DSF manages trusted organizations via allow lists"
+ },
+ {
+ "title": "Process Plugins",
+ "link": "explore/concepts/process-plugins.html",
+ "description": "How process plugins extend the DSF with new data sharing processes"
+ },
+ {
+ "title": "Network Setup",
+ "link": "explore/concepts/network-setup.html",
+ "description": "How to set up a DSF network"
+ }
+ ]
+ },
+ {
+ "heading": "Use Cases",
+ "pages": [
+ {
+ "title": "Feasibility",
+ "link": "explore/use-cases/feasibility.html",
+ "description": "Feasibility queries across multiple sites"
+ },
+ {
+ "title": "NUM (Network University Medicine)",
+ "link": "explore/use-cases/num.html",
+ "description": "Use in the German Network University Medicine"
+ },
+ {
+ "title": "Internal MII Data Sharing",
+ "link": "explore/use-cases/internal-mii-data-sharing.html",
+ "description": "Data sharing within the Medical Informatics Initiative"
+ }
+ ]
+ },
+ {
+ "heading": "Operations (Latest)",
+ "pages": [
+ {
+ "title": "Get Started",
+ "link": "operations/get-started.html",
+ "description": "Getting started with DSF operations"
+ },
+ {
+ "title": "Installation Guide",
+ "link": "operations/latest/install.html",
+ "description": "Step-by-step installation of the latest DSF release"
+ },
+ {
+ "title": "Release Notes",
+ "link": "operations/latest/release-notes.html",
+ "description": "What's new in the latest DSF release"
+ },
+ {
+ "title": "FHIR Server Configuration",
+ "link": "operations/latest/fhir/configuration.html",
+ "description": "Configuration options for the FHIR server component"
+ },
+ {
+ "title": "BPE Configuration",
+ "link": "operations/latest/bpe/configuration.html",
+ "description": "Configuration options for the Business Process Engine"
+ },
+ {
+ "title": "FHIR Reverse Proxy",
+ "link": "operations/latest/fhir-reverse-proxy/configuration.html",
+ "description": "Reverse proxy configuration for the FHIR endpoint"
+ },
+ {
+ "title": "BPE Reverse Proxy",
+ "link": "operations/latest/bpe-reverse-proxy/configuration.html",
+ "description": "Reverse proxy configuration for the BPE"
+ },
+ {
+ "title": "Allow List Management",
+ "link": "operations/latest/allowList-mgm.html",
+ "description": "Managing the allow list of trusted organizations"
+ },
+ {
+ "title": "Process Plugin Deployment",
+ "link": "operations/process-plugin-deployment.html",
+ "description": "How to deploy process plugins"
+ },
+ {
+ "title": "Passwords and Secrets",
+ "link": "operations/latest/passwords-secrets.html",
+ "description": "Managing passwords and secrets"
+ },
+ {
+ "title": "Root Certificates",
+ "link": "operations/latest/root-certificates.html",
+ "description": "Certificate management"
+ },
+ {
+ "title": "Image Verification",
+ "link": "operations/latest/image-verification.html",
+ "description": "Verifying the authenticity and integrity of DSF container images"
+ },
+ {
+ "title": "Hardening Measures",
+ "link": "operations/latest/hardening-measures.html",
+ "description": "Recommended hardening measures for a production deployment"
+ },
+ {
+ "title": "Upgrade from DSF v1",
+ "link": "operations/latest/upgrade-from-1.html",
+ "description": "Migration guide from DSF v1 to v2"
+ },
+ {
+ "title": "Upgrade within DSF v2",
+ "link": "operations/latest/upgrade-from-2.html",
+ "description": "Upgrading between DSF v2.x versions"
+ },
+ {
+ "title": "OIDC Configuration (FHIR)",
+ "link": "operations/latest/fhir/oidc.html",
+ "description": "OpenID Connect setup for FHIR server"
+ },
+ {
+ "title": "OIDC Configuration (BPE)",
+ "link": "operations/latest/bpe/oidc.html",
+ "description": "OpenID Connect setup for BPE"
+ },
+ {
+ "title": "Access Control (FHIR)",
+ "link": "operations/latest/fhir/access-control.html",
+ "description": "Access control for the FHIR server"
+ },
+ {
+ "title": "Access Control (BPE)",
+ "link": "operations/latest/bpe/access-control.html",
+ "description": "Access control for the Business Process Engine"
+ }
+ ]
+ },
+ {
+ "heading": "Troubleshooting",
+ "pages": [
+ {
+ "title": "Common HTTP Status Codes",
+ "link": "operations/troubleshooting/common-http-status-codes.html",
+ "description": "Common HTTP errors and solutions"
+ },
+ {
+ "title": "Connection Refused",
+ "link": "operations/troubleshooting/connection-refused.html",
+ "description": "Troubleshooting connection refused errors"
+ },
+ {
+ "title": "Connection Timeout",
+ "link": "operations/troubleshooting/connection-timeout.html",
+ "description": "Troubleshooting connection timeouts"
+ },
+ {
+ "title": "Read Timeout",
+ "link": "operations/troubleshooting/read-timeout.html",
+ "description": "Troubleshooting read timeouts"
+ },
+ {
+ "title": "SSL Issues",
+ "link": "operations/troubleshooting/ssl.html",
+ "description": "Troubleshooting SSL/TLS certificate problems"
+ },
+ {
+ "title": "Unknown Host",
+ "link": "operations/troubleshooting/unknown-host.html",
+ "description": "Troubleshooting DNS resolution issues"
+ }
+ ]
+ },
+ {
+ "heading": "Process Plugin Development (API v2 - Current)",
+ "pages": [
+ {
+ "title": "Concept",
+ "link": "process-development/api-v2/concept.html",
+ "description": "Process plugin concept and design"
+ },
+ {
+ "title": "Get Started",
+ "link": "process-development/api-v2/get-started.html",
+ "description": "Getting started with process plugin development"
+ },
+ {
+ "title": "Create a Process Plugin",
+ "link": "process-development/api-v2/create.html",
+ "description": "Step-by-step guide to creating a process plugin"
+ },
+ {
+ "title": "Implementation",
+ "link": "process-development/api-v2/implementation.html",
+ "description": "Implementation details"
+ },
+ {
+ "title": "Testing",
+ "link": "process-development/api-v2/testing.html",
+ "description": "Testing process plugins"
+ },
+ {
+ "title": "Best Practices",
+ "link": "process-development/api-v2/best-practices.html",
+ "description": "Best practices for process plugin development"
+ },
+ {
+ "title": "Migration from API v1",
+ "link": "process-development/api-v2/migration.html",
+ "description": "Migrating process plugins from API v1 to v2"
+ },
+ {
+ "title": "Javadoc",
+ "link": "process-development/api-v2/javadoc.html",
+ "description": "Java API reference"
+ },
+ {
+ "title": "Publishing on DSF Hub",
+ "link": "process-development/api-v2/publishing/publish-on-dsfhub.html",
+ "description": "How to publish process plugins"
+ }
+ ],
+ "subsections": [
+ {
+ "heading": "BPMN in DSF",
+ "pages": [
+ {
+ "title": "BPMN Overview",
+ "link": "process-development/api-v2/bpmn/",
+ "description": "BPMN 2.0 elements supported by the DSF"
+ },
+ {
+ "title": "Service Tasks",
+ "link": "process-development/api-v2/bpmn/service-tasks.html",
+ "description": "Using service tasks in DSF processes"
+ },
+ {
+ "title": "User Tasks",
+ "link": "process-development/api-v2/bpmn/user-tasks.html",
+ "description": "User tasks for human interaction"
+ },
+ {
+ "title": "Messaging",
+ "link": "process-development/api-v2/bpmn/messaging.html",
+ "description": "Cross-site messaging via BPMN"
+ },
+ {
+ "title": "Gateways",
+ "link": "process-development/api-v2/bpmn/gateways.html",
+ "description": "BPMN gateways for process flow control"
+ },
+ {
+ "title": "Conditions",
+ "link": "process-development/api-v2/bpmn/conditions.html",
+ "description": "Conditional flow in BPMN processes"
+ },
+ {
+ "title": "Execution Listeners",
+ "link": "process-development/api-v2/bpmn/execution-listeners.html",
+ "description": "Execution listeners for process events"
+ },
+ {
+ "title": "Timer Events",
+ "link": "process-development/api-v2/bpmn/timer-intermediate-catching-events.html",
+ "description": "Timer-based events"
+ }
+ ]
+ },
+ {
+ "heading": "FHIR Resources",
+ "pages": [
+ {
+ "title": "FHIR Overview",
+ "link": "process-development/api-v2/fhir/",
+ "description": "FHIR R4 resources used by DSF process plugins"
+ },
+ {
+ "title": "Task Resource",
+ "link": "process-development/api-v2/fhir/task.html",
+ "description": "The FHIR Task resource in DSF"
+ },
+ {
+ "title": "ActivityDefinition",
+ "link": "process-development/api-v2/fhir/activitydefinition.html",
+ "description": "Defining activities with FHIR ActivityDefinition"
+ },
+ {
+ "title": "CodeSystem",
+ "link": "process-development/api-v2/fhir/codesystem.html",
+ "description": "Custom CodeSystems for DSF processes"
+ },
+ {
+ "title": "ValueSet",
+ "link": "process-development/api-v2/fhir/valueset.html",
+ "description": "ValueSets in DSF processes"
+ },
+ {
+ "title": "Questionnaire",
+ "link": "process-development/api-v2/fhir/questionnaire-and-questionnaireresponse.html",
+ "description": "Questionnaire and QuestionnaireResponse resources"
+ }
+ ]
+ },
+ {
+ "heading": "DSF Internals",
+ "pages": [
+ {
+ "title": "Process Plugin API",
+ "link": "process-development/api-v2/dsf/process-plugin-api.html",
+ "description": "The DSF Process Plugin API"
+ },
+ {
+ "title": "Process Plugin Definition",
+ "link": "process-development/api-v2/dsf/process-plugin-definition.html",
+ "description": "Defining a process plugin"
+ },
+ {
+ "title": "BPMN Process Execution",
+ "link": "process-development/api-v2/dsf/bpmn-process-execution.html",
+ "description": "How the DSF executes BPMN processes"
+ },
+ {
+ "title": "BPMN Process Variables",
+ "link": "process-development/api-v2/dsf/bpmn-process-variables.html",
+ "description": "Available process variables"
+ },
+ {
+ "title": "Message Correlation",
+ "link": "process-development/api-v2/dsf/message-correlation.html",
+ "description": "How messages are correlated between sites"
+ },
+ {
+ "title": "Spring Framework Integration",
+ "link": "process-development/api-v2/dsf/spring-framework-integration.html",
+ "description": "Spring integration details"
+ }
+ ]
+ },
+ {
+ "heading": "Developer Guides",
+ "pages": [
+ {
+ "title": "Starting a Process",
+ "link": "process-development/api-v2/guides/starting-a-process-via-task-resources.html",
+ "description": "How to start a DSF process"
+ },
+ {
+ "title": "Accessing Process Variables",
+ "link": "process-development/api-v2/guides/accessing-bpmn-process-variables.html",
+ "description": "Working with BPMN process variables"
+ },
+ {
+ "title": "Accessing Task Resources",
+ "link": "process-development/api-v2/guides/accessing-task-resources-during-execution.html",
+ "description": "Accessing FHIR Task resources during execution"
+ },
+ {
+ "title": "Creating Activity Definitions",
+ "link": "process-development/api-v2/guides/creating-activity-definitions.html",
+ "description": "Guide to creating ActivityDefinitions"
+ },
+ {
+ "title": "Creating CodeSystems",
+ "link": "process-development/api-v2/guides/creating-codesystems-for-dsf-processes.html",
+ "description": "Guide to creating CodeSystems"
+ },
+ {
+ "title": "Creating ValueSets",
+ "link": "process-development/api-v2/guides/creating-valuesets-for-dsf-processes.html",
+ "description": "Guide to creating ValueSets"
+ },
+ {
+ "title": "Creating Task Resources",
+ "link": "process-development/api-v2/guides/creating-task-resources-based-on-a-definition.html",
+ "description": "Creating Task resources"
+ },
+ {
+ "title": "Read Access Tags",
+ "link": "process-development/api-v2/guides/configuring-read-access-tags.html",
+ "description": "Configuring read access tags"
+ },
+ {
+ "title": "Task Parameters",
+ "link": "process-development/api-v2/guides/adding-task-parameters-to-task-profiles.html",
+ "description": "Adding parameters to Task profiles"
+ },
+ {
+ "title": "User Tasks",
+ "link": "process-development/api-v2/guides/user-tasks-in-the-dsf.html",
+ "description": "Implementing user tasks"
+ },
+ {
+ "title": "Managing Messages",
+ "link": "process-development/api-v2/guides/managing-mutiple-incoming-messages-and-missing-messages.html",
+ "description": "Handling multiple and missing messages"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "heading": "Linter Tool",
+ "pages": [
+ {
+ "title": "Linter Tool",
+ "link": "process-development/linter-tool/linter-tool.html",
+ "description": "Process plugin validation tool"
+ },
+ {
+ "title": "Validation Rules",
+ "link": "process-development/linter-tool/validation.html",
+ "description": "Validation rules and checks"
+ },
+ {
+ "title": "Phases",
+ "link": "process-development/linter-tool/phases.html",
+ "description": "Linter validation phases"
+ },
+ {
+ "title": "Troubleshooting",
+ "link": "process-development/linter-tool/troubleshooting.html",
+ "description": "Linter troubleshooting"
+ }
+ ]
+ },
+ {
+ "heading": "DSF Development",
+ "pages": [
+ {
+ "title": "FHIR Implementation Guide",
+ "link": "dsf-development/v2/fhir-ig.html",
+ "description": "DSF FHIR Implementation Guide"
+ },
+ {
+ "title": "Maven Build",
+ "link": "dsf-development/v2/maven.html",
+ "description": "Building the DSF with Maven"
+ }
+ ]
+ },
+ {
+ "heading": "Community",
+ "pages": [
+ {
+ "title": "Team",
+ "link": "community/team.html",
+ "description": "The team behind the DSF"
+ },
+ {
+ "title": "Communication",
+ "link": "community/communication.html",
+ "description": "How to reach the DSF community"
+ },
+ {
+ "title": "Ecosystem",
+ "link": "community/ecosystem.html",
+ "description": "Partner organizations and ecosystem"
+ },
+ {
+ "title": "Contributing Code",
+ "link": "community/contribute/code.html",
+ "description": "How to contribute code"
+ },
+ {
+ "title": "Contributing Documentation",
+ "link": "community/contribute/documentation.html",
+ "description": "How to contribute documentation"
+ },
+ {
+ "title": "Consultation Hours",
+ "link": "community/consultation-hours.html",
+ "description": "Regular consultation hours for DSF users"
+ }
+ ]
+ },
+ {
+ "heading": "Additional Resources",
+ "pages": [
+ {
+ "title": "Publications",
+ "link": "explore/publications.html",
+ "description": "Research publications about and using the DSF"
+ },
+ {
+ "title": "Awards",
+ "link": "explore/awards.html",
+ "description": "Awards received by the DSF project"
+ },
+ {
+ "title": "Security Policy",
+ "link": "security/",
+ "description": "Security disclosure policy"
+ },
+ {
+ "title": "GitHub Repository",
+ "link": "https://github.com/datasharingframework/dsf",
+ "description": "Source code of the DSF"
+ }
+ ]
+ },
+ {
+ "heading": "Optional",
+ "pages": [
+ {
+ "title": "Process Plugin Development API v1",
+ "link": "process-development/api-v1/",
+ "description": "Legacy API v1 documentation (superseded by API v2)"
+ },
+ {
+ "title": "Old DSF Versions",
+ "link": "operations/old-versions.html",
+ "description": "Documentation for older DSF versions (v1.x)"
+ },
+ {
+ "title": "News",
+ "link": "news/",
+ "description": "News and blog posts about the DSF"
+ }
+ ]
+ }
+];
+
+// Additional pages included in llms-full.txt only (not in the concise llms.txt
+// index). These keep the full-text export comprehensive without cluttering the
+// curated index. Descriptions are optional here since they are not rendered.
+export const fullExtra: LlmsPage[] = [
+ { title: "DSF for your project", link: "for-you/" },
+ { title: "How to implement your use-case", link: "for-you/learn.html" },
+ { title: "Operations Overview", link: "operations/latest/" },
+ { title: "BPE Reverse Proxy", link: "operations/latest/bpe-reverse-proxy/" },
+ { title: "BPE Server", link: "operations/latest/bpe/" },
+ { title: "BPE FHIR Client Connections", link: "operations/latest/bpe/fhir-client-connections.html" },
+ { title: "BPE Logging", link: "operations/latest/bpe/logging.html" },
+ { title: "FHIR Reverse Proxy", link: "operations/latest/fhir-reverse-proxy/" },
+ { title: "FHIR Server", link: "operations/latest/fhir/" },
+ { title: "FHIR Logging", link: "operations/latest/fhir/logging.html" },
+ { title: "Install Plugins", link: "operations/latest/install-plugins.html" },
+ { title: "Sequence Flow", link: "process-development/api-v2/bpmn/sequence-flow.html" },
+ { title: "Activities", link: "process-development/api-v2/dsf/activities.html" },
+ { title: "Draft Task Resources", link: "process-development/api-v2/dsf/draft-task-resources.html" },
+ { title: "Environment Variables", link: "process-development/api-v2/dsf/environment-variables.html" },
+ { title: "Message Activities", link: "process-development/api-v2/dsf/message-activities.html" },
+ { title: "Messaging", link: "process-development/api-v2/dsf/messaging.html" },
+ { title: "Organization Identifiers", link: "process-development/api-v2/dsf/organization-identifiers.html" },
+ { title: "Read Access Tag", link: "process-development/api-v2/dsf/read-access-tag.html" },
+ { title: "Requester and Recipient", link: "process-development/api-v2/dsf/requester-and-recipient.html" },
+ { title: "Target and Targets", link: "process-development/api-v2/dsf/target-and-targets.html" },
+ { title: "Versions, Placeholders and URLs", link: "process-development/api-v2/dsf/versions-placeholders-urls.html" },
+ { title: "Empty Process Plugin", link: "process-development/api-v2/tooling/empty-process-plugin.html" },
+ { title: "DSF IDE", link: "process-development/api-v2/tooling/ide.html" },
+ { title: "Maven Central and Resources", link: "process-development/api-v2/tooling/maven.html" },
+ { title: "Pipeline Testing", link: "process-development/api-v2/tooling/pipeline-testing.html" },
+];
diff --git a/docs/src/.vuepress/sidebar/fetch-versioned-release-notes.sh b/docs/src/.vuepress/sidebar/fetch-versioned-release-notes.sh
deleted file mode 100755
index f5de21af4..000000000
--- a/docs/src/.vuepress/sidebar/fetch-versioned-release-notes.sh
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/bin/bash
-# To run: chmod +x fetch-versioned-release-notes.sh && ./fetch-versioned-release-notes.sh
-# Dokumentation https://wiki.gecko.hs-heilbronn.de/doc/dokumentation-release-notes-script-45Ex3hoxjB
-
-# GitHub repository details
-REPO_OWNER="datasharingframework"
-REPO_NAME="dsf"
-
-# Output base directory (this will hold the versioned folders)
-OUTPUT_BASE_DIR="../../operations"
-
-# Define the range of versions
-VERSIONS=("v1.0.0" "v1.1.0" "v1.2.0" "v1.3.0" "v1.3.1" "v1.3.2" "v1.4.0" "v1.5.0" "v1.5.1" "v1.5.2" "v1.6.0" "v1.7.0" "v1.7.1" "v1.8.0" "v1.9.0" "v2.0.0" "v2.0.1" "v2.0.2" "v2.1.0")
-
-# Fetch all release details
-echo "Fetching all releases..."
-RELEASES=$(curl -s https://api.github.com/repos/$REPO_OWNER/$REPO_NAME/releases)
-
-# Loop through each version in the version list
-for VERSION in "${VERSIONS[@]}"; do
- VERSION_FOUND=$(echo "$RELEASES" | jq -r ".[] | select(.tag_name == \"$VERSION\")")
-
- if [ ! -z "$VERSION_FOUND" ]; then
- VERSION_DIR="$OUTPUT_BASE_DIR/$VERSION"
-
- if [ ! -d "$VERSION_DIR" ]; then
- echo "Directory $VERSION_DIR does not exist. Skipping $VERSION."
- continue
- fi
-
- OUTPUT_FILE="$VERSION_DIR/release-notes.md"
-
-
-# Write frontmatter at the top of the Markdown file
-cat <<EOF > "$OUTPUT_FILE"
----
-title: Release Notes ($VERSION)
-icon: note
----
-
-## [Release Notes for $VERSION](https://github.com/$REPO_OWNER/$REPO_NAME/releases/tag/$VERSION)
-
-::: tip Release Notes
-You can access all release notes on our [GitHub](https://github.com/datasharingframework/dsf/releases).
-:::
-
-EOF
-
- echo "$RELEASES" | jq -r ".[] | select(.tag_name == \"$VERSION\") | @base64" | while read -r RELEASE; do
- RELEASE_JSON=$(echo "$RELEASE" | base64 --decode)
- RELEASE_BODY=$(echo "$RELEASE_JSON" | jq -r '.body')
- RELEASE_NAME=$(echo "$RELEASE_JSON" | jq -r '.name')
-
- # Convert #issue_number to GitHub issue link
- RELEASE_BODY=$(echo "$RELEASE_BODY" | sed -E 's/#([0-9]+)/[#\1](https:\/\/github.com\/datasharingframework\/dsf\/issues\/\1)/g')
-
- # Convert @username to GitHub user link
- RELEASE_BODY=$(echo "$RELEASE_BODY" | sed -E 's/@([a-zA-Z0-9_-]+)/[@\1](https:\/\/github.com\/\1)/g')
-
-
- echo "### $RELEASE_NAME" >> "$OUTPUT_FILE"
- echo "$RELEASE_BODY" >> "$OUTPUT_FILE"
- echo "" >> "$OUTPUT_FILE"
- done
-
- echo "Release notes for version $VERSION saved to $OUTPUT_FILE"
- else
- echo "No release found for version $VERSION"
- fi
-done
-
-echo "Process completed."
diff --git a/docs/src/.vuepress/sidebar/fetch-versioned-release-notes.ts b/docs/src/.vuepress/sidebar/fetch-versioned-release-notes.ts
new file mode 100644
index 000000000..7338edab6
--- /dev/null
+++ b/docs/src/.vuepress/sidebar/fetch-versioned-release-notes.ts
@@ -0,0 +1,90 @@
+#!/usr/bin/env npx tsx
+// Fetches GitHub release notes for all versions in releases.ts and writes them
+// as Markdown files into the corresponding operations/v<tag>/ directories.
+//
+// Usage: npx tsx fetch-versioned-release-notes.ts
+// Docs: https://wiki.gecko.hs-heilbronn.de/doc/dokumentation-release-notes-script-45Ex3hoxjB
+
+import { writeFileSync, existsSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { allVersions } from '../data/releases.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const REPO_OWNER = 'datasharingframework';
+const REPO_NAME = 'dsf';
+const OUTPUT_BASE = resolve(__dirname, '../../operations');
+
+interface GitHubRelease {
+ tag_name: string;
+ name: string;
+ body: string;
+}
+
+async function fetchAllReleases(): Promise<GitHubRelease[]> {
+ const url = `https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/releases?per_page=100`;
+ console.log('Fetching all releases...');
+ const res = await fetch(url, {
+ headers: { Accept: 'application/vnd.github+json' },
+ });
+ if (!res.ok) throw new Error(`GitHub API error: ${res.status} ${res.statusText}`);
+ return res.json() as Promise<GitHubRelease[]>;
+}
+
+function linkify(body: string): string {
+ // Convert #123 to GitHub issue link
+ body = body.replace(/#(\d+)/g, `[#$1](https://github.com/${REPO_OWNER}/${REPO_NAME}/issues/$1)`);
+ // Convert @username to GitHub user link
+ body = body.replace(/@([a-zA-Z0-9_-]+)/g, '[@$1](https://github.com/$1)');
+ return body;
+}
+
+async function main() {
+ const releases = await fetchAllReleases();
+ const releaseByTag = new Map(releases.map(r => [r.tag_name, r]));
+
+ for (const { tag } of allVersions) {
+ const version = `v${tag}`;
+ const release = releaseByTag.get(version);
+
+ if (!release) {
+ console.log(`No release found for version ${version}`);
+ continue;
+ }
+
+ const versionDir = resolve(OUTPUT_BASE, version);
+ if (!existsSync(versionDir)) {
+ console.log(`Directory ${versionDir} does not exist. Skipping ${version}.`);
+ continue;
+ }
+
+ const outputFile = resolve(versionDir, 'release-notes.md');
+ const body = linkify(release.body ?? '');
+
+ const content = `---
+title: Release Notes (${version})
+icon: note
+---
+
+## [Release Notes for ${version}](https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/tag/${version})
+
+::: tip Release Notes
+You can access all release notes on our [GitHub](https://github.com/datasharingframework/dsf/releases).
+:::
+
+### ${release.name}
+${body}
+`;
+
+ writeFileSync(outputFile, content, 'utf-8');
+ console.log(`Release notes for version ${version} saved to ${outputFile}`);
+ }
+
+ console.log('Process completed.');
+}
+
+main().catch((err) => {
+ console.error(err);
+ process.exit(1);
+});
diff --git a/docs/src/.vuepress/theme.ts b/docs/src/.vuepress/theme.ts
index 83dc211bc..105034682 100644
--- a/docs/src/.vuepress/theme.ts
+++ b/docs/src/.vuepress/theme.ts
@@ -2,6 +2,27 @@ import { slimsearchPlugin } from "@vuepress/plugin-slimsearch";
import { hopeTheme } from "vuepress-theme-hope";
import { generate_v1_latest_sidebar, generate_v1_gt_eq_1_7_0_sidebar, generate_v1_gt_eq_1_5_0_sidebar, generate_v1_gt_eq_1_0_0_sidebar } from "./sidebar/operations-v1";
import { generate_v2_0_0_sidebar, generate_v2_latest_sidebar } from "./sidebar/operations-v2";
+import { allVersions, latestVersion, type SidebarKey } from "./data/releases";
+
+const sidebarGenerators: Record<SidebarKey, () => any[]> = {
+ v2_latest: generate_v2_latest_sidebar,
+ v2_0_0: generate_v2_0_0_sidebar,
+ v1_latest: generate_v1_latest_sidebar,
+ v1_gte_1_7: generate_v1_gt_eq_1_7_0_sidebar,
+ v1_gte_1_5: generate_v1_gt_eq_1_5_0_sidebar,
+ v1_gte_1_0: generate_v1_gt_eq_1_0_0_sidebar,
+};
+
+function buildOperationsSidebar(): Record<string, any[]> {
+ const map: Record<string, any[]> = {
+ '/operations/latest/': sidebarGenerators[allVersions.find(v => v.tag === latestVersion)!.sidebar](),
+ '/operations/next/': [],
+ };
+ for (const v of allVersions) {
+ map[`/operations/v${v.tag}/`] = sidebarGenerators[v.sidebar]();
+ }
+ return map;
+}
export default hopeTheme({
author: {
@@ -39,7 +60,7 @@ export default hopeTheme({
icon: "launch",
prefix: "/operations/",
children: [ {
- text: "Current Version - 2.1.0",
+ text: `Current Version - ${latestVersion}`,
link: "get-started.md",
icon: "launch"
}, "old-versions.md"],
@@ -125,27 +146,7 @@ export default hopeTheme({
"/spring-school": [],
"/news": [],
"/operations/old-versions": [],
- "/operations/latest/": generate_v2_latest_sidebar(),
- "/operations/next/": [],
- "/operations/v2.1.0/": generate_v2_latest_sidebar(),
- "/operations/v2.0.2/": generate_v2_0_0_sidebar(),
- "/operations/v2.0.1/": generate_v2_0_0_sidebar(),
- "/operations/v2.0.0/": generate_v2_0_0_sidebar(),
- "/operations/v1.9.0/": generate_v1_latest_sidebar(),
- "/operations/v1.8.0/": generate_v1_gt_eq_1_7_0_sidebar(),
- "/operations/v1.7.1/": generate_v1_gt_eq_1_7_0_sidebar(),
- "/operations/v1.7.0/": generate_v1_gt_eq_1_7_0_sidebar(),
- "/operations/v1.6.0/": generate_v1_gt_eq_1_5_0_sidebar(),
- "/operations/v1.5.2/": generate_v1_gt_eq_1_5_0_sidebar(),
- "/operations/v1.5.1/": generate_v1_gt_eq_1_5_0_sidebar(),
- "/operations/v1.5.0/": generate_v1_gt_eq_1_5_0_sidebar(),
- "/operations/v1.4.0/": generate_v1_gt_eq_1_0_0_sidebar(),
- "/operations/v1.3.2/": generate_v1_gt_eq_1_0_0_sidebar(),
- "/operations/v1.3.1/": generate_v1_gt_eq_1_0_0_sidebar(),
- "/operations/v1.3.0/": generate_v1_gt_eq_1_0_0_sidebar(),
- "/operations/v1.2.0/": generate_v1_gt_eq_1_0_0_sidebar(),
- "/operations/v1.1.0/": generate_v1_gt_eq_1_0_0_sidebar(),
- "/operations/v1.0.0/": generate_v1_gt_eq_1_0_0_sidebar(),
+ ...buildOperationsSidebar(),
"/process-development": [
{
text: "API v1",
diff --git a/docs/src/operations/old-versions.md b/docs/src/operations/old-versions.md
index e20a096ec..316965d4b 100644
--- a/docs/src/operations/old-versions.md
+++ b/docs/src/operations/old-versions.md
@@ -3,27 +3,4 @@ title: Old Versions
icon: launch
---
-## DSF v2
-
-- [2.1.0](./v2.1.0/)
-- [2.0.1](./v2.0.1/)
-- [2.0.0](./v2.0.0/)
-
-
-## DSF v1
-
-- [1.9.0](./v1.9.0/)
-- [1.8.0](./v1.8.0/)
-- [1.7.1](./v1.7.1/)
-- [1.7.0](./v1.7.0/)
-- [1.6.0](./v1.6.0/)
-- [1.5.2](./v1.5.2/)
-- [1.5.1](./v1.5.1/)
-- [1.5.0](./v1.5.0/)
-- [1.4.0](./v1.4.0/)
-- [1.3.2](./v1.3.2/)
-- [1.3.1](./v1.3.1/)
-- [1.3.0](./v1.3.0/)
-- [1.2.0](./v1.2.0/)
-- [1.1.0](./v1.1.0/)
-- [1.0.0](./v1.0.0/)
+<OldVersions />
diff --git a/docs/src/operations/v1.0.0/release-notes.md b/docs/src/operations/v1.0.0/release-notes.md
index 9a295f644..0f65fbff4 100644
--- a/docs/src/operations/v1.0.0/release-notes.md
+++ b/docs/src/operations/v1.0.0/release-notes.md
@@ -75,4 +75,3 @@ Issues closed:
- Migrate to dsf.dev Namespace [#1](https://github.com/datasharingframework/dsf/issues/1)
This release contains contributions from [@schwzr](https://github.com/schwzr), [@wetret](https://github.com/wetret) and [@hhund](https://github.com/hhund).
-
diff --git a/docs/src/operations/v1.1.0/release-notes.md b/docs/src/operations/v1.1.0/release-notes.md
index ff8c087a5..7bbccfa08 100644
--- a/docs/src/operations/v1.1.0/release-notes.md
+++ b/docs/src/operations/v1.1.0/release-notes.md
@@ -51,4 +51,3 @@ Issues closed:
- Improve Task HTML view [#56](https://github.com/datasharingframework/dsf/issues/56)
This release contains contributions from [@wetret](https://github.com/wetret) and [@hhund](https://github.com/hhund).
-
diff --git a/docs/src/operations/v1.2.0/release-notes.md b/docs/src/operations/v1.2.0/release-notes.md
index 8d85f9d6f..6bba5fb74 100644
--- a/docs/src/operations/v1.2.0/release-notes.md
+++ b/docs/src/operations/v1.2.0/release-notes.md
@@ -51,4 +51,3 @@ Issues closed:
- Make FHIR proxy server context path customizable [#85](https://github.com/datasharingframework/dsf/issues/85)
This release contains contributions from [@wetret](https://github.com/wetret) and [@hhund](https://github.com/hhund).
-
diff --git a/docs/src/operations/v1.3.0/release-notes.md b/docs/src/operations/v1.3.0/release-notes.md
index e21deaf63..e921554dc 100644
--- a/docs/src/operations/v1.3.0/release-notes.md
+++ b/docs/src/operations/v1.3.0/release-notes.md
@@ -43,4 +43,3 @@ Issues closed:
- Make FHIR proxy server context path customizable [#85](https://github.com/datasharingframework/dsf/issues/85)
This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@wetret](https://github.com/wetret) and [@hhund](https://github.com/hhund).
-
diff --git a/docs/src/operations/v1.3.1/release-notes.md b/docs/src/operations/v1.3.1/release-notes.md
index d0812b34e..b8436cd4d 100644
--- a/docs/src/operations/v1.3.1/release-notes.md
+++ b/docs/src/operations/v1.3.1/release-notes.md
@@ -50,4 +50,3 @@ Issues closed:
- Unsafe 3DES Cipher Suite in FHIR Proxy [#117](https://github.com/datasharingframework/dsf/issues/117)
This release contains contributions from [@wetret](https://github.com/wetret), [@schwzr](https://github.com/schwzr) and [@hhund](https://github.com/hhund).
-
diff --git a/docs/src/operations/v1.3.2/release-notes.md b/docs/src/operations/v1.3.2/release-notes.md
index d245cbfe0..bb74d9c9c 100644
--- a/docs/src/operations/v1.3.2/release-notes.md
+++ b/docs/src/operations/v1.3.2/release-notes.md
@@ -35,4 +35,3 @@ Issues closed:
- Use UUID generator instead of database id generator [#139](https://github.com/datasharingframework/dsf/issues/139)
This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@wetret](https://github.com/wetret), [@schwzr](https://github.com/schwzr) and [@hhund](https://github.com/hhund).
-
diff --git a/docs/src/operations/v1.4.0/release-notes.md b/docs/src/operations/v1.4.0/release-notes.md
index 3a776a924..23e468da0 100644
--- a/docs/src/operations/v1.4.0/release-notes.md
+++ b/docs/src/operations/v1.4.0/release-notes.md
@@ -56,4 +56,3 @@ Issues closed:
- Treat RC releases similar to SNAPSHOT releases [#131](https://github.com/datasharingframework/dsf/issues/131)
This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@hhund](https://github.com/hhund), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v1.5.0/release-notes.md b/docs/src/operations/v1.5.0/release-notes.md
index eff44fafa..c75ee0c9a 100644
--- a/docs/src/operations/v1.5.0/release-notes.md
+++ b/docs/src/operations/v1.5.0/release-notes.md
@@ -58,4 +58,3 @@ Issues closed:
- Add community guidelines [#152](https://github.com/datasharingframework/dsf/issues/152)
This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@hhund](https://github.com/hhund), [@jbellmann](https://github.com/jbellmann), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v1.5.1/release-notes.md b/docs/src/operations/v1.5.1/release-notes.md
index d7343143b..374032862 100644
--- a/docs/src/operations/v1.5.1/release-notes.md
+++ b/docs/src/operations/v1.5.1/release-notes.md
@@ -41,4 +41,3 @@ Issues closed:
- FHIR Server GUI: Fix recipient in Task view [#189](https://github.com/datasharingframework/dsf/issues/189)
This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@hhund](https://github.com/hhund), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v1.5.2/release-notes.md b/docs/src/operations/v1.5.2/release-notes.md
index 4e61564cf..5ad6857b8 100644
--- a/docs/src/operations/v1.5.2/release-notes.md
+++ b/docs/src/operations/v1.5.2/release-notes.md
@@ -43,4 +43,3 @@ Issues closed:
- Start New Development Cycle [#198](https://github.com/datasharingframework/dsf/issues/198)
This release contains contributions from [@hhund](https://github.com/hhund) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v1.6.0/release-notes.md b/docs/src/operations/v1.6.0/release-notes.md
index 7669b4b80..3bb139f4d 100644
--- a/docs/src/operations/v1.6.0/release-notes.md
+++ b/docs/src/operations/v1.6.0/release-notes.md
@@ -52,4 +52,3 @@ Issues closed:
- Start New Development Cycle [#219](https://github.com/datasharingframework/dsf/issues/219)
This release contains contributions from [@hhund](https://github.com/hhund), [@jaboehri](https://github.com/jaboehri), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v1.7.0/release-notes.md b/docs/src/operations/v1.7.0/release-notes.md
index 710f9f365..8f7963cd9 100644
--- a/docs/src/operations/v1.7.0/release-notes.md
+++ b/docs/src/operations/v1.7.0/release-notes.md
@@ -42,4 +42,3 @@ Issues closed:
- Start New Development Cycle [#245](https://github.com/datasharingframework/dsf/issues/245)
This release contains contributions from [@hhund](https://github.com/hhund), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v1.7.1/release-notes.md b/docs/src/operations/v1.7.1/release-notes.md
index 98689be80..ca20b0090 100644
--- a/docs/src/operations/v1.7.1/release-notes.md
+++ b/docs/src/operations/v1.7.1/release-notes.md
@@ -35,4 +35,3 @@ Issues closed:
- Modify Documentation Generator to Support SECRET_FILE Environment Variables [#265](https://github.com/datasharingframework/dsf/issues/265)
This release contains contributions from [@hhund](https://github.com/hhund), [@jaboehri](https://github.com/jaboehri), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v1.8.0/release-notes.md b/docs/src/operations/v1.8.0/release-notes.md
index 11b823994..ea46974b4 100644
--- a/docs/src/operations/v1.8.0/release-notes.md
+++ b/docs/src/operations/v1.8.0/release-notes.md
@@ -37,4 +37,3 @@ Issues closed:
- Adapt Github Actions to build on pull request [#163](https://github.com/datasharingframework/dsf/issues/163)
This release contains contributions from [@hhund](https://github.com/hhund), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v1.9.0/release-notes.md b/docs/src/operations/v1.9.0/release-notes.md
index 9e75bda9b..c6a9feca4 100644
--- a/docs/src/operations/v1.9.0/release-notes.md
+++ b/docs/src/operations/v1.9.0/release-notes.md
@@ -35,4 +35,3 @@ Issues closed:
- Support for running the proxy containers as non-root by default [#352](https://github.com/datasharingframework/dsf/issues/352)
This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@hhund](https://github.com/hhund), [@jaboehri](https://github.com/jaboehri) and [@schwzr](https://github.com/schwzr).
-
diff --git a/docs/src/operations/v2.0.0/release-notes.md b/docs/src/operations/v2.0.0/release-notes.md
index cc7ac2829..9ac6b38b7 100644
--- a/docs/src/operations/v2.0.0/release-notes.md
+++ b/docs/src/operations/v2.0.0/release-notes.md
@@ -113,4 +113,3 @@ Issues closed:
- Improve DefaultUserTaskListener [#78](https://github.com/datasharingframework/dsf/issues/78)
This release contains contributions from [@alexanderkiel](https://github.com/alexanderkiel), [@EmteZogaf](https://github.com/EmteZogaf), [@hhund](https://github.com/hhund), [@jaboehri](https://github.com/jaboehri), [@MadMax93](https://github.com/MadMax93), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v2.0.1/release-notes.md b/docs/src/operations/v2.0.1/release-notes.md
index 30a1b0749..62861972a 100644
--- a/docs/src/operations/v2.0.1/release-notes.md
+++ b/docs/src/operations/v2.0.1/release-notes.md
@@ -57,4 +57,3 @@ Issues closed:
- DSF Fails to Start with Certain ECC Client Certificates [#405](https://github.com/datasharingframework/dsf/issues/405)
This release contains contributions from [@hhund](https://github.com/hhund) and [@schwzr](https://github.com/schwzr).
-
diff --git a/docs/src/operations/v2.0.2/release-notes.md b/docs/src/operations/v2.0.2/release-notes.md
index 39b840688..9743fb929 100644
--- a/docs/src/operations/v2.0.2/release-notes.md
+++ b/docs/src/operations/v2.0.2/release-notes.md
@@ -68,4 +68,3 @@ Issues closed:
- Property dev.dsf.bpe.fhir.client.connections.config.default.enable.debug.logging Used for Unrelated Configuration Values [#411](https://github.com/datasharingframework/dsf/issues/411)
This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@hhund](https://github.com/hhund), [@jaboehri](https://github.com/jaboehri), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
diff --git a/docs/src/operations/v2.1.0/release-notes.md b/docs/src/operations/v2.1.0/release-notes.md
index 67fe39011..7f76a9df4 100644
--- a/docs/src/operations/v2.1.0/release-notes.md
+++ b/docs/src/operations/v2.1.0/release-notes.md
@@ -30,6 +30,7 @@ Feature Summary:
- The DSF FHIR server front-end was improved to display the `Binary` resource content inline. This feature is enabled for `Binary` resources with content-types: `text/html` and `text/plain`.
- The performance of allow-list and other bundle executions was improved by modifying the database schema and optimizing the FHIR server code base. A new `current` column was added to resource tables together with a number of new database indexes. A "not found" cache was added for metadata resources to reduce unnecessary database calls.
- Other security improvements were implemented and are detailed in the [DSF 2.1.0 hardening measures](https://dsf.dev/operations/v2.1.0/hardening-measures.html) document.
+- Starting with this release our docker images are cryptographically signed. Take a look at the [Verify Image Signatures](https://dsf.dev/operations/latest/image-verification.html) document for details.
Docker images for this release can be accessed via the GitHub Docker registry - ghcr.io:
* **bpe**: [ghcr.io/datasharingframework/bpe:2.1.0](https://github.com/datasharingframework/dsf/pkgs/container/bpe/796016761?tag=2.1.0)
@@ -78,4 +79,3 @@ Issues closed:
- ClientConfig in DsfClientJersey overwrites Authentication Features [#432](https://github.com/datasharingframework/dsf/issues/432)
This release contains contributions from [@EmteZogaf](https://github.com/EmteZogaf), [@hhund](https://github.com/hhund), [@jaboehri](https://github.com/jaboehri), [@schwzr](https://github.com/schwzr) and [@wetret](https://github.com/wetret).
-
+