We were using Camunda 7.16 with its inbuilt/embedded Apache Tomcat 9.0.52 and it was all fine so far. However, recently, when we started fixing the vulnerability issues of our Camunda applications (war files that we deploy in the Apache Tomcat 9.0.52 of Camunda 7.16), we realized we have to upgrade some of our dependencies to, for example, Spring 6. Also, we had to upgrade our Java runtime to Java 17 because of Spring 6.
The build of such Camunda applications is just fine; however, when we deploy in a setup where we have Java 17 + Camunda 7.16 + Apache Tomcat 10.1.20 … the server does not start properly (because the console shows the server started but the logs show many ClassNotFoundExceptions).
What I have done is I have compared Apache Tomcat 9.0.52 with Apache Tomcat 10.1.20 and borrowed all Camunda-specific configurations, dependencies, applications, but I get the error mentioned above.
Since I could not attach the log file, and since I cannot copy-paste the log file contents due to size limitations, I am copying the image of the classes it's saying are not found on start of Camunda:
We have tried and tested Camunda 7.16 + Tomcat 9.0.52 + Java 17 and it worked: BPMN, DMN get deployed, they can be executed, process instances, tasks, etc. are getting created. We assume, due to backward compatibility of Java 17, it is working.
Do you recommend any problem we may face but are not aware of it now?
I understand that it worked, but I tried to say that it’s not listed as supported in case of any issues. I would recommend following the supported versions that would allow me to raise a support ticket with Camunda team if required but it’s me
To summarize, we are not in the supported list: we are using Java 17 (Adoptium OpenJDK 17) with Camunda 7.16 and Apache 9.0.52, and things are fine; BPMNs, DMNs get deployed, and they can be executed without any issues.
The problem is the Camunda process applications that we develop need other libraries like Spring, Jackson, etc., and they have vulnerabilities. To solve the vulnerability issues, if we upgrade the libraries then we have to upgrade Apache Tomcat to 10.1.2, and if we do that then things don’t work.
Sorry to bother all at the same time, but so far I have no direction or guideline to move ahead, hence calling out all whom I know in the community. Any help is very much appreciated.
Camunda 7.16 End of Maintenance was 11th of April 2023, so I am not expecting you will get help from the community. If you have an enterprise license, they may help, but I doubt that.
Even if you manage to patch dependencies by trial and error, you will be doing the same exercise every month in case of new vulnerabilities.
If vulnerability management is your concern, then I suggest creating a Spring Boot project using the Camunda starter and adding all the plugins you are using. That will give you full control over your dependencies, as they will be managed via Maven in your Spring Boot project. You will also be able to add test cases this way to test that everything works in your builds.
You should also upgrade Camunda every 6 months if you are on Camunda CE.
If you have to stick with the Tomcat distro for some reason, what you should try is to use Camunda 7.2X, because that contains lots of new features and vulnerability patches.
Camunda 7.xx releases have a solid track record of backward compatibility, so upgrades are relatively easy. I recently moved a few projects from Camunda 7.11 and 7.16/7.17 to 7.21 and the upgrades were smooth. We just had to read the official Camunda guides for upgrades.
In addition to what was said by @Alex_Voloshyn and @ad_sahota, the Tomcat 10 application server is not supported for Camunda 7.16.
If you want to use Tomcat 10 and/or Spring 6 you have two options:
Wait for Camunda 7.22 where we plan to support Tomcat 10 (container-managed process engine) - scheduled for 8th of October 2024. Support Announcements | docs.camunda.org