Skip to content


The purpose of this section is to learn how to configure OpenCTI to have it tailored for your production and development needs.

Here are the configuration keys, for both containers (environment variables) and manual deployment.

Parameters equivalence

The equivalent of a config variable in environment variables is the usage of a double underscores (__) for a level of config.

For example:

"providers": {
  "ldap": {
    "strategy": "LdapStrategy"

will become:


If you need to put a list of elements for the key, it must have a special formatting. Here is an example for redirect URIs for OpenID config:



API & Frontend

Basic parameters

Parameter Environment variable Default value Description
app:port APP__PORT 4000 Listen port of the application
app:base_path APP__BASE_PATH Specific URI (ie. /opencti)
app:base_url APP__BASE_URL http://localhost:4000 Full URL of the platform (should include the base_path if any)
app:request_timeout APP__REQUEST_TIMEOUT 1200000 Request timeout, in ms (default 20 minutes)
app:session_timeout APP__SESSION_TIMEOUT 1200000 Session timeout, in ms (default 20 minutes)
app:admin:email APP__ADMIN__EMAIL Default login email of the admin user
app:admin:password APP__ADMIN__PASSWORD ChangeMe Default password of the admin user
app:admin:token APP__ADMIN__TOKEN ChangeMe Default token (must be a valid UUIDv4)


Parameter Environment variable Default value Description
app:https_cert:ca APP__HTTPS_CERT__CA Empty list [] Certificate authority paths or content, only if the client uses a self-signed certificate.
app:https_cert:key APP__HTTPS_CERT__KEY Certificate key path or content
app:https_cert:crt APP__HTTPS_CERT__CRT Certificate crt path or content
app:https_cert:reject_unauthorized APP__HTTPS_CERT__REJECT_UNAUTHORIZED If not false, the server certificate is verified against the list of supplied CAs


Parameter Environment variable Default value Description
app:app_logs:logs_level APP__APP_LOGS__LOGS_LEVEL info The application log level
app:app_logs:logs_files APP__APP_LOGS__LOGS_FILES true If application logs is logged into files
app:app_logs:logs_console APP__APP_LOGS__LOGS_CONSOLE true If application logs is logged to console (useful for containers)
app:app_logs:logs_max_files APP__APP_LOGS__LOGS_MAX_FILES 7 Maximum number of daily files in logs
app:app_logs:logs_directory APP__APP_LOGS__LOGS_DIRECTORY ./logs File logs directory
Parameter Environment variable Default value Description
app:audit_logs:logs_files APP__AUDIT_LOGS__LOGS_FILES true If audit logs is logged into files
app:audit_logs:logs_console APP__AUDIT_LOGS__LOGS_CONSOLE true If audit logs is logged to console (useful for containers)
app:audit_logs:logs_max_files APP__AUDIT_LOGS__LOGS_MAX_FILES 7 Maximum number of daily files in logs
app:audit_logs:logs_directory APP__AUDIT_LOGS__LOGS_DIRECTORY ./logs Audit logs directory

Maps & references

Parameter Environment variable Default value Description
app:map_tile_server_dark APP__MAP_TILE_SERVER_DARK{z}/{x}/{y}.png The address of the OpenStreetMap provider with dark theme style
app:map_tile_server_light APP__MAP_TILE_SERVER_LIGHT{z}/{x}/{y}.png The address of the OpenStreetMap provider with light theme style
app:reference_attachment APP__REFERENCE_ATTACHMENT false External reference mandatory attachment

Technical customization

Parameter Environment variable Default value Description
app:graphql:playground:enabled APP__GRAPHQL__PLAYGROUND__ENABLED true Enable the playground on /graphql
app:graphql:playground:force_disabled_introspection APP__GRAPHQL_PLAYGROUND__FORCE_DISABLED_INTROSPECTION false Introspection is allowed to auth users but can be disabled in needed
app:concurrency:retry_count APP__CONCURRENCY__RETRY_COUNT 200 Number of try to get the lock to work an element (create/update/merge, ...)
app:concurrency:retry_delay APP__CONCURRENCY__RETRY_DELAY 100 Delay between 2 lock retry (in milliseconds)
app:concurrency:retry_jitter APP__CONCURRENCY__RETRY_JITTER 50 Random jitter to prevent concurrent retry (in milliseconds)
app:concurrency:max_ttl APP__CONCURRENCY__MAX_TTL 30000 Global maximum time for lock retry (in milliseconds)



Parameter Environment variable Default value Description
elasticsearch:url ELASTICSEARCH__URL http://localhost:9200 URL(s) of the ElasticSearch (supports http://user:pass@localhost:9200 and list of URLs)
elasticsearch:username ELASTICSEARCH__USERNAME Username can be put in the URL or with this parameter
elasticsearch:password ELASTICSEARCH__PASSWORD Password can be put in the URL or with this parameter
elasticsearch:index_prefix ELASTICSEARCH__INDEX_PREFIX opencti Prefix for the indices
elasticsearch:ssl:reject_unauthorized ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED true Enable TLS certificate check
elasticsearch:ssl:ca ELASTICSEARCH__SSL__CA Custom certificate path or content
elasticsearch:ssl:ca_plain (depecated) ELASTICSEARCH__SSL__CA_PLAIN @depecated, use ca directly


Parameter Environment variable Default value Description
redis:mode REDIS__MODE single Connect to redis "single" or "cluster"
redis:namespace REDIS__NAMESPACE Namespace (to use as prefix)
redis:hostname REDIS__HOSTNAME localhost Hostname of the Redis Server
redis:hostnames REDIS__HOSTNAMES Hostnames definition for Redis cluster mode: a list of host/port objects.
redis:port REDIS__PORT 6379 Port of the Redis Server
redis:use_ssl REDIS__USE_SSL false Is the Redis Server has TLS enabled
redis:username REDIS__USERNAME Username of the Redis Server
redis:password REDIS__PASSWORD Password of the Redis Server
redis:ca REDIS__CA Path of the CA certificate
redis:trimming REDIS__TRIMMING 2000000 Number of elements to maintain in the stream. (0 = unlimited)


Parameter Environment variable Default value Description
rabbitmq:hostname RABBITMQ__HOSTNAME localhost Hostname of the RabbitMQ server
rabbitmq:port RABBITMQ__PORT 5672 Port of the RabbitMQ server
rabbitmq:port_management RABBITMQ__PORT_MANAGEMENT 15672 Port of the RabbitMQ Management Plugin
rabbitmq:username RABBITMQ__USERNAME guest RabbitMQ user
rabbitmq:password RABBITMQ__PASSWORD guest RabbitMQ password
rabbitmq:queue_type RABBITMQ__QUEUE_TYPE "classic" RabbitMQ Queue Type ("classic" or "quorum")
- - - -
rabbitmq:use_ssl RABBITMQ__USE_SSL false Use TLS connection
rabbitmq:use_ssl_cert RABBITMQ__USE_SSL_CERT Path or cert content
rabbitmq:use_ssl_key RABBITMQ__USE_SSL_KEY Path or key content
rabbitmq:use_ssl_pfx RABBITMQ__USE_SSL_PFX Path or pfx content
rabbitmq:use_ssl_ca RABBITMQ__USE_SSL_CA Path or cacert content
rabbitmq:use_ssl_passphrase RABBITMQ__SSL_PASSPHRASE Passphrase for the key certificate
rabbitmq:use_ssl_reject_unauthorized RABBITMQ__SSL_REJECT_UNAUTHORIZED false Reject rabbit self signed certificate
- - - -
rabbitmq:management_ssl RABBITMQ__MANAGEMENT_SSL false Is the Management Plugin has TLS enabled
rabbitmq:management_ssl_reject_unauthorized RABBITMQ__SSL_REJECT_UNAUTHORIZED true Reject management self signed certificate

S3 Bucket

Parameter Environment variable Default value Description
minio:endpoint MINIO__ENDPOINT localhost Hostname of the S3 Service
minio:port MINIO__PORT 9000 Port of the S3 Service
minio:use_ssl MINIO__USE_SSL false Is the S3 Service has TLS enabled
minio:access_key MINIO__ACCESS_KEY ChangeMe The S3 Service access key
minio:secret_key MINIO__SECRET_KEY ChangeMe The S3 Service secret key
minio:bucket_name MINIO__BUCKET_NAME opencti-bucket The S3 bucket name (useful to change if you use AWS)
minio:bucket_region MINIO__BUCKET_REGION us-east-1 The S3 bucket region if you use AWS
minio:use_aws_role MINIO__USE_AWS_ROLE false To use AWS role auto credentials

SMTP Service

Parameter Environment variable Default value Description
smtp:hostname SMTP__HOSTNAME SMTP Server hostname
smtp:port SMTP__PORT 9000 SMTP Port (25 or 465 for TLS)
smtp:use_ssl SMTP__USE_SSL false SMTP over TLS
smtp:reject_unauthorized SMTP__REJECT_UNAUTHORIZED false Enable TLS certificate check
smtp:username SMTP__USERNAME SMTP Username if authentication is needed
smtp:password SMTP__PASSWORD SMTP Password if authentication is needed
smtp:from_email SMTP__FROM_EMAIL Sender email address

Schedules & Engines

Parameter Environment variable Default value Description
rule_engine:enabled RULE_ENGINE__ENABLED true Enable/disable the rule engine
rule_engine:lock_key RULE_ENGINE__LOCK_KEY rule_engine_lock Lock key of the engine in Redis
- - - -
history_manager:enabled HISTORY_MANAGER__ENABLED true Enable/disable the history manager
history_manager:lock_key HISTORY_MANAGER__LOCK_KEY history_manager_lock Lock key for the manager in Redis
- - - -
task_scheduler:enabled TASK_SCHEDULER__ENABLED true Enable/disable the task scheduler
task_scheduler:lock_key TASK_SCHEDULER__LOCK_KEY task_manager_lock Lock key for the scheduler in Redis
task_scheduler:interval TASK_SCHEDULER__INTERVAL 10000 Interval to check new task to do (in ms)
- - - -
sync_manager:enabled SYNC_MANAGER__ENABLED true Enable/disable the sync manager
sync_manager:lock_key SYNC_MANAGER__LOCK_KEY sync_manager_lock Lock key for the manager in Redis
sync_manager:interval SYNC_MANAGER__INTERVAL 10000 Interval to check new sync feeds to consume (in ms)
- - - -
expiration_scheduler:enabled EXPIRATION_SCHEDULER__ENABLED true Enable/disable the scheduler
expiration_scheduler:lock_key EXPIRATION_SCHEDULER__LOCK_KEY expired_manager_lock Lock key for the scheduler in Redis
expiration_scheduler:interval EXPIRATION_SCHEDULER__INTERVAL 300000 Interval to check expired indicators
- - - -
retention_manager:enabled RETENTION_MANAGER__ENABLED true Enable/disable the manager
retention_manager:lock_key RETENTION_MANAGER__LOCK_KEY retention_manager_lock Lock key for the manager in Redis
retention_manager:interval RETENTION_MANAGER__INTERVAL 60000 Interval to check items to be deleted
- - - -
notification_manager:enabled NOTIFICATION_MANAGER__ENABLED true Enable/disable the notification manager
notification_manager:lock_key NOTIFICATION_MANAGER__LOCK_KEY notification_manager_lock Lock key for the manager in Redis
notification_manager:interval NOTIFICATION_MANAGER__INTERVAL 10000 Sender email address
- - - -
publisher_manager:enabled PUBLISHER_MANAGER__ENABLED true Enable/disable the publisher manager
publisher_manager:lock_key PUBLISHER_MANAGER__LOCK_KEY publisher_manager_lock Sender email address
publisher_manager:interval PUBLISHER_MANAGER__INTERVAL 10000 Sender email address

Default file

It is possible to check all default parameters implemented in the platform in the default.json file.

Worker and connector

Can be configured manually using the configuration file config.yml or through environment variables.

Parameter Environment variable Default value Description
opencti:url OPENCTI_URL The URL of the OpenCTI platform
opencti:token OPENCTI_TOKEN A token of an administrator account with bypass capability
- - - -
mq:use_ssl / / Depending of the API configuration (fetch from API)
mq:use_ssl_ca MQ_USE_SSL_CA Path or cacert content
mq:use_ssl_cert MQ_USE_SSL_CERT Path or cert content
mq:use_ssl_key MQ_USE_SSL_KEY Path or key content
mq:use_ssl_passphrase MQ_USE_SSL_PASSPHRASE Passphrase for the key certificate
mq:use_ssl_reject_unauthorized MQ_USE_SSL_REJECT_UNAUTHORIZED false Reject rabbit self signed certificate

Worker specific configuration

Parameter Environment variable Default value Description
worker:log_level WORKER_LOG_LEVEL info The log level (error, warning, info or debug)

Connector specific configuration

For specific connector configuration, you need to check each connector behavior.


If you want to adapt the memory consumption of ElasticSearch, you can use theses options:

# Add the following environment variable:
"ES_JAVA_OPTS=-Xms8g -Xmx8g"

This can be done in configuration file in the jvm.conf file.