diff --git a/docs/src/.vuepress/components/ImageVerification.vue b/docs/src/.vuepress/components/ImageVerification.vue
new file mode 100644
index 000000000..16cd8688a
--- /dev/null
+++ b/docs/src/.vuepress/components/ImageVerification.vue
@@ -0,0 +1,55 @@
+<template>
+  <div class="image-verification">
+    <h2>Verify Image Signature</h2>
+    <p>
+      The <code>{{ image }}</code> image is signed using
+      <a href="https://docs.sigstore.dev/cosign/overview/" target="_blank" rel="noopener">Cosign</a>
+      keyless signing via the official DSF GitHub Actions release workflow.
+      Verify the signature before using the image in production:
+    </p>
+    <pre><code>cosign verify \
+  ghcr.io/datasharingframework/{{ image }}:{{ resolvedTag }}@sha256:{{ digestDisplay }} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"</code></pre>
+    <p v-if="!resolvedDigest">
+      Replace <code>&lt;digest&gt;</code> with the immutable digest of the image
+      you intend to deploy. See
+      <a :href="guide">How to Verify Image Signatures</a>
+      for the complete guide, SBOM verification, and troubleshooting.
+    </p>
+    <p v-else>
+      See <a :href="guide">How to Verify Image Signatures</a> for the complete
+      guide, SBOM verification, and troubleshooting.
+    </p>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { computed } from 'vue';
+import { useRoute } from 'vue-router';
+import { getReleaseFromPath } from '../data/releases';
+
+const props = defineProps<{
+  image: string;
+  tag?: string;
+  digest?: string;
+  guide?: string;
+}>();
+
+const route = useRoute();
+
+const release = computed(() => getReleaseFromPath(route.path));
+
+const resolvedTag = computed(() => props.tag ?? release.value?.tag ?? '<tag>');
+
+const resolvedDigest = computed(() => {
+  if (props.digest) return props.digest.replace(/^sha256:/, '');
+  const fromData = release.value?.images[props.image as keyof NonNullable<typeof release.value>['images']]?.digest;
+  if (fromData && fromData !== 'sha256:TODO') return fromData.replace(/^sha256:/, '');
+  return '';
+});
+
+const digestDisplay = computed(() => resolvedDigest.value || '<digest>');
+
+const guide = computed(() => props.guide ?? '../image-verification');
+</script>
diff --git a/docs/src/.vuepress/config.ts b/docs/src/.vuepress/config.ts
index b41eb68ce..ea3340245 100644
--- a/docs/src/.vuepress/config.ts
+++ b/docs/src/.vuepress/config.ts
@@ -1,6 +1,8 @@
 import { viteBundler } from '@vuepress/bundler-vite';
 import { defineUserConfig } from "vuepress";
 import theme from "./theme.js";
+import { releaseVarsPlugin, replaceReleaseTokens } from "./markdown/releaseVarsPlugin.js";
+import { getReleaseFromPath } from "./data/releases.js";
 
 
 export default defineUserConfig({
@@ -28,7 +30,32 @@ export default defineUserConfig({
     },
   },*/
   plugins: [
-    
+    {
+      name: 'release-vars',
+      extendsMarkdown: (md) => {
+        md.use(releaseVarsPlugin);
+      },
+      extendsPage: (page) => {
+        const lookup = page.filePathRelative ? '/' + page.filePathRelative : page.path;
+        const release = getReleaseFromPath(lookup);
+        if (!release) return;
+        const walk = (obj: Record<string, unknown> | undefined) => {
+          if (!obj) return;
+          for (const key of Object.keys(obj)) {
+            const v = obj[key];
+            if (typeof v === 'string') {
+              obj[key] = replaceReleaseTokens(v, release);
+            }
+          }
+        };
+        walk(page.frontmatter as Record<string, unknown>);
+        walk(page.routeMeta as Record<string, unknown>);
+        walk(page.data as unknown as Record<string, unknown>);
+        if (typeof page.title === 'string') {
+          page.title = replaceReleaseTokens(page.title, release);
+        }
+      },
+    },
    ],
 
   // Enable it with pwa
diff --git a/docs/src/.vuepress/data/releases.ts b/docs/src/.vuepress/data/releases.ts
new file mode 100644
index 000000000..4e2275624
--- /dev/null
+++ b/docs/src/.vuepress/data/releases.ts
@@ -0,0 +1,40 @@
+export interface ReleaseImage {
+  digest?: string;
+}
+
+export interface Release {
+  tag: string;
+  previousTag?: string;
+  images: {
+    fhir: ReleaseImage;
+    fhir_proxy: ReleaseImage;
+    bpe: ReleaseImage;
+    bpe_proxy: ReleaseImage;
+  };
+}
+
+export const releases: Record<string, Release> = {
+  '2.1.0': {
+    tag: '2.1.0',
+    previousTag: '2.0.2',
+    images: {
+      fhir:       { digest: 'sha256:71599af143f0262a7265aa2bc4ea5a9660f11de6248a053e060b5667070203fd' },
+      fhir_proxy: { digest: 'sha256:9f11a3580c970314532f5951808be6fe72f1de7d53348e625d2dd0c95bcf1d96' },
+      bpe:        { digest: 'sha256:3ee7ef0ac201fc3776273fbfc2569bdc4edf724a2bb9f1b4a889eb7e13ff4049' },
+      bpe_proxy:  { digest: 'sha256:c67da4a1720ea75a383764db2bf25619fe70f57773b1069029f5b49588eb1ecc' },
+    },
+  },
+};
+
+export const latestVersion = '2.1.0';
+
+export function getReleaseFromPath(path: string): Release | undefined {
+  const versionMatch = path.match(/(?:^|\/)operations\/v(\d+\.\d+\.\d+)\//);
+  if (versionMatch) return releases[versionMatch[1]];
+  if (/(?:^|\/)operations\/latest\//.test(path)) return releases[latestVersion];
+  return undefined;
+}
+
+export function tagUnderscored(tag: string): string {
+  return tag.replace(/\./g, '_');
+}
diff --git a/docs/src/.vuepress/layouts/PageLayout.vue b/docs/src/.vuepress/layouts/PageLayout.vue
index 3e16805ff..daab1228f 100644
--- a/docs/src/.vuepress/layouts/PageLayout.vue
+++ b/docs/src/.vuepress/layouts/PageLayout.vue
@@ -4,7 +4,7 @@ import { useRoute, useRouter } from "vue-router";
 import { ref, onMounted } from 'vue'
 
 const version = ref("");
-const latestVersion = "v2.0.2";
+const latestVersion = "v2.1.0";
 
 
 function setVersionBasedOnCurrentPath() : void {
@@ -55,7 +55,8 @@ function navigateToNewVersion() {
       <div class="version-selector" v-if="route.path.startsWith('/operations/')">
         <label class="vp-sidebar-header" for="version-select"><strong>Version:</strong> </label>
         <select id="version-select" class="vp-sidebar-header" v-model="version" @change="navigateToNewVersion">
-        <option value="v2.0.2">latest (2.0.2)</option>
+        <option value="v2.1.0">latest (2.1.0)</option>
+        <option value="v2.0.2">2.0.2</option>
         <option value="v2.0.1">2.0.1</option>
         <option value="v2.0.0">2.0.0</option>
         <option value="v1.9.0">1.9.0</option>
diff --git a/docs/src/.vuepress/markdown/releaseVarsPlugin.ts b/docs/src/.vuepress/markdown/releaseVarsPlugin.ts
new file mode 100644
index 000000000..1eefcf06a
--- /dev/null
+++ b/docs/src/.vuepress/markdown/releaseVarsPlugin.ts
@@ -0,0 +1,51 @@
+import type { PluginSimple } from 'markdown-it';
+import { getReleaseFromPath, tagUnderscored, type Release } from '../data/releases.js';
+
+const TOKEN_RE = /\{\{\s*release\.([a-zA-Z0-9_.]+)\s*\}\}/g;
+
+export function replaceReleaseTokens(input: string, release: Release): string {
+  return input.replace(TOKEN_RE, (match, key) => {
+    const value = resolve(release, key);
+    return value !== undefined ? value : match;
+  });
+}
+
+function resolve(release: Release, key: string): string | undefined {
+  if (key === 'tag') return release.tag;
+  if (key === 'tagUnderscored') return tagUnderscored(release.tag);
+  if (key === 'previousTag') return release.previousTag;
+  if (key === 'previousTagUnderscored')
+    return release.previousTag ? tagUnderscored(release.previousTag) : undefined;
+
+  const imageMatch = key.match(/^image\.([a-z_]+)$/);
+  if (imageMatch) {
+    const name = imageMatch[1] as keyof Release['images'];
+    if (release.images[name]) return `ghcr.io/datasharingframework/${name}:${release.tag}`;
+  }
+  const previousImageMatch = key.match(/^previousImage\.([a-z_]+)$/);
+  if (previousImageMatch && release.previousTag) {
+    const name = previousImageMatch[1] as keyof Release['images'];
+    if (release.images[name]) return `ghcr.io/datasharingframework/${name}:${release.previousTag}`;
+  }
+  const digestMatch = key.match(/^digest\.([a-z_]+)$/);
+  if (digestMatch) {
+    const name = digestMatch[1] as keyof Release['images'];
+    const digest = release.images[name]?.digest;
+    if (!digest || /TODO/i.test(digest)) return '<digest>';
+    return digest.replace(/^sha256:/, '');
+  }
+  return undefined;
+}
+
+export const releaseVarsPlugin: PluginSimple = (md) => {
+  md.core.ruler.before('normalize', 'release-vars', (state) => {
+    const env = state.env ?? {};
+    const filePath: string = env.filePathRelative ?? env.filePath ?? '';
+    if (!filePath) return;
+
+    const release = getReleaseFromPath('/' + filePath.replace(/^\/+/, ''));
+    if (!release) return;
+
+    state.src = replaceReleaseTokens(state.src, release);
+  });
+};
diff --git a/docs/src/.vuepress/public/download/dsf_bpe_2_1_0.tar.gz b/docs/src/.vuepress/public/download/dsf_bpe_2_1_0.tar.gz
new file mode 100644
index 000000000..15cef71da
Binary files /dev/null and b/docs/src/.vuepress/public/download/dsf_bpe_2_1_0.tar.gz differ
diff --git a/docs/src/.vuepress/public/download/dsf_fhir_2_1_0.tar.gz b/docs/src/.vuepress/public/download/dsf_fhir_2_1_0.tar.gz
new file mode 100644
index 000000000..79a0e31ab
Binary files /dev/null and b/docs/src/.vuepress/public/download/dsf_fhir_2_1_0.tar.gz differ
diff --git a/docs/src/.vuepress/sidebar/operations-v2.ts b/docs/src/.vuepress/sidebar/operations-v2.ts
index 2b329c244..55f018c27 100644
--- a/docs/src/.vuepress/sidebar/operations-v2.ts
+++ b/docs/src/.vuepress/sidebar/operations-v2.ts
@@ -4,14 +4,16 @@ export function generate_v2_latest_sidebar() {
 		icon: "tool",
 		link: "./",
 	},
-		"release-notes", "install", "upgrade-from-2", "upgrade-from-1", "allowList-mgm", "root-certificates", "passwords-secrets", {
+		"release-notes", "install", "upgrade-from-2", "upgrade-from-1", "allowList-mgm", "root-certificates", "passwords-secrets", "image-verification", "hardening-measures", {
 		text: "FHIR Reverse Proxy",
 		icon: "module",
+		prefix: "fhir-reverse-proxy/",
+		link: "fhir-reverse-proxy/",
 		children: [
 			{
 				icon: "config",
 				text: "Configuration",
-				link: "fhir-reverse-proxy/configuration",
+				link: "configuration",
 			}
 		]
 	},
@@ -40,11 +42,13 @@ export function generate_v2_latest_sidebar() {
 	}, {
 		text: "BPE Reverse Proxy",
 		icon: "module",
+		prefix: "bpe-reverse-proxy/",
+		link: "bpe-reverse-proxy/",
 		children: [
 			{
 				icon: "config",
 				text: "Configuration",
-				link: "bpe-reverse-proxy/configuration",
+				link: "configuration",
 			}
 		]
 	}, {
diff --git a/docs/src/.vuepress/theme.ts b/docs/src/.vuepress/theme.ts
index 81a3946ef..83dc211bc 100644
--- a/docs/src/.vuepress/theme.ts
+++ b/docs/src/.vuepress/theme.ts
@@ -39,7 +39,7 @@ export default hopeTheme({
           icon: "launch",
           prefix: "/operations/",
           children: [ {
-            text: "Current Version - 2.0.2",
+            text: "Current Version - 2.1.0",
             link: "get-started.md",
             icon: "launch"
           }, "old-versions.md"],
@@ -127,7 +127,8 @@ export default hopeTheme({
     "/operations/old-versions": [],
     "/operations/latest/": generate_v2_latest_sidebar(),
     "/operations/next/": [],
-    "/operations/v2.0.2/": generate_v2_latest_sidebar(),
+    "/operations/v2.1.0/": generate_v2_latest_sidebar(),
+    "/operations/v2.0.2/": generate_v2_0_0_sidebar(),
     "/operations/v2.0.1/": generate_v2_0_0_sidebar(),
     "/operations/v2.0.0/": generate_v2_0_0_sidebar(),
     "/operations/v1.9.0/": generate_v1_latest_sidebar(),
diff --git a/docs/src/operations/latest b/docs/src/operations/latest
index b02d37b0f..852700e11 120000
--- a/docs/src/operations/latest
+++ b/docs/src/operations/latest
@@ -1 +1 @@
-v2.0.2
\ No newline at end of file
+v2.1.0
\ No newline at end of file
diff --git a/docs/src/operations/old-versions.md b/docs/src/operations/old-versions.md
index 3eb0c9dfc..e20a096ec 100644
--- a/docs/src/operations/old-versions.md
+++ b/docs/src/operations/old-versions.md
@@ -5,6 +5,7 @@ icon: launch
 
 ## DSF v2
 
+- [2.1.0](./v2.1.0/)
 - [2.0.1](./v2.0.1/)
 - [2.0.0](./v2.0.0/)
 
diff --git a/docs/src/operations/v2.1.0/allowList-mgm.md b/docs/src/operations/v2.1.0/allowList-mgm.md
new file mode 100644
index 000000000..f15eb7144
--- /dev/null
+++ b/docs/src/operations/v2.1.0/allowList-mgm.md
@@ -0,0 +1,34 @@
+---
+title: Allow List Management
+icon: share
+---
+You can read all about the concept of Allow Lists [in our introduction](/explore/concepts/allow-list.md).
+
+## Overview
+To simplify the DSF Allow List Management we have built a portal for administration. The portal is managed by the GECKO Institute at Heilbronn University. You as an DSF administrator can create or update your Allow List information. The information you provide on this portal will be transferred to us and will be used to built Allow List bundles that get distributed to the communication partners of the distributed processes. 
+
+The DSF Allow List management tool uses client certificates for authentication. You can either use a personal client certificate or the client certificate from your DSF BPE, which needs to be added to your web-browsers certificate store.
+
+
+## Prerequisites
+1. Deployed DSF instance (test or production infrastructure)
+    1.1  If none exists yet, read [the installation guide](install)
+2. Certificate 
+    2.1  If none exists yet, read [the certificate requirements](install#client-server-certificates)
+3. Organization identifier, shortest FQDN of your organizations website, e.g. `my-hospital.de`
+4. FHIR endpoint URL, e.g. `https://dsf.my-hospital.de/fhir`
+5. Contact details from a responsible person of your organization
+6. Access to the E-Mail address from your organization for verification 
+ 
+
+## Start here
+When you have fulfilled all the prerequisites, you can start managing your Allow Lists via the environment specific Allow List Management Tool:
+
+- [**Test** infrastructure](https://allowlist-test.gecko.hs-heilbronn.de)
+- [**Production** infrastructure](https://allowlist.gecko.hs-heilbronn.de)
+
+We use different highlight colors for the DSF Allow List Management Tool: Green for the **Test** environment and blue for the **Production** infrastructure. To access the site, you have to authenticate yourself with a client certificate. Your web-browser will show a dialog to choose a valid certificate.
+
+::: tip Ideas for improvement?
+Have you found an error or is something unclear to you? Then please feel free to contact us on the <a href="https://mii.zulipchat.com/#narrow/stream/392426-Data-Sharing-Framework-.28DSF.29">MII-Zulip Channel</a> or write us at <a href="mailto:dsf-gecko@hs-heilbronn.de">dsf-gecko@hs-heilbronn.de</a>. Thank you very much!
+:::
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/bpe-reverse-proxy/README.md b/docs/src/operations/v2.1.0/bpe-reverse-proxy/README.md
new file mode 100644
index 000000000..cdc69f75b
--- /dev/null
+++ b/docs/src/operations/v2.1.0/bpe-reverse-proxy/README.md
@@ -0,0 +1,29 @@
+---
+title: BPE Reverse Proxy
+icon: module
+---
+
+## Purpose
+
+The **DSF BPE Reverse Proxy** is an Apache HTTP Server based front for the [BPE Server](../bpe/). It terminates TLS for the BPE's web UI and OIDC-authenticated administrative endpoints, and forwards authenticated requests to the BPE backend. Unlike the [FHIR Reverse Proxy](../fhir-reverse-proxy/), it is intended for internal operator and administrator access only, not for DSF-to-DSF traffic.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/bpe_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy)
+- Tag for this release: `{{release.tag}}`
+
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+  {{release.image.bpe_proxy}}@sha256:{{release.digest.bpe_proxy}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [How to Verify Image Signatures](../image-verification)
diff --git a/docs/src/operations/v2.1.0/bpe-reverse-proxy/configuration.md b/docs/src/operations/v2.1.0/bpe-reverse-proxy/configuration.md
new file mode 100644
index 000000000..ead8cf697
--- /dev/null
+++ b/docs/src/operations/v2.1.0/bpe-reverse-proxy/configuration.md
@@ -0,0 +1,109 @@
+---
+title: Configuration Parameters
+icon: config
+---
+
+### APP_SERVER_IP
+- **Required:** Yes
+- **Description:** Hostname or IP-Address of the DSF BPE server application container, the reverse proxy target
+- **Example:** `app`, `172.28.1.3`
+
+
+### HTTPS_SERVER_NAME_PORT
+- **Required:** Yes
+- **Description:** FQDN of your DSF BPE server with port, typically `443`
+- **Example:** `my-external.fqdn:443`
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_WS
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### PROXY_PASS_TIMEOUT_WS
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### SERVER_CONTEXT_PATH
+- **Required:** No
+- **Description:** Reverse proxy context path that delegates to the app server, `/` character at start, no `/` character at end, use `''` (empty string) to configure root as context path
+- **Default:** `/bpe`
+
+
+### SSL_CA_CERTIFICATE_FILE
+- **Required:** No
+- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`; not used by default, overrides *SSL_CA_CERTIFICATE_PATH* if not empty
+
+
+### SSL_CA_CERTIFICATE_PATH
+- **Required:** No
+- **Description:** Folder with trusted full CA chains for validating client certificates
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_ca_chains`
+
+
+### SSL_CA_DN_REQUEST_FILE
+- **Required:** No
+- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from *SSL_CA_CERTIFICATE_FILE* are used; not used by default, overrides *SSL_CA_DN_REQUEST_PATH* if not empty
+
+
+### SSL_CA_DN_REQUEST_PATH
+- **Required:** No
+- **Description:**  Folder with trusted client certificate issuing CAs, modifies the "Acceptable client certificate CA names" send to the client, uses all from *SSL_CA_CERTIFICATE_FILE* or *SSL_CA_CERTIFICATE_PATH* if not set or empty
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_issuing_cas`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via *SSL_CERTIFICATE_FILE* contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_FILE
+- **Required:** Yes
+- **Description:** Server certificate file, PEM encoded, sets the apache httpd parameter `SSLCertificateFile`, may contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate). Omit *SSL_CERTIFICATE_CHAIN_FILE* if chain included
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_file.pem`
+
+
+### SSL_CERTIFICATE_KEY_FILE
+- **Required:** Yes
+- **Description:** Server certificate private key file, PEM encoded, unencrypted, sets the apache httpd parameter `SSLCertificateKeyFile`
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_key_file.pem`
+
+
+### SSL_EXPECTED_CLIENT_S_DN_C_VALUES
+- **Required:** No
+- **Description:** Expected client certificate subject DN country `C` values, must be a comma-separated list of strings in single quotation marks, e.g. `'DE', 'FR'`. If a client certificate with a not configured subject country `C` value is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'DE'`
+
+
+### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
+- **Required:** No
+- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA Client Authentication ECC', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA Client Authentication RSA', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
+
+
+### SSL_VERIFY_CLIENT
+- **Required:** No
+- **Description:** Modifies the apache mod_ssl config parameter `SSLVerifyClient`
+- **Recommendation:** Set to `optional` when using OIDC authentication
+- **Default:** `require`
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/bpe/README.md b/docs/src/operations/v2.1.0/bpe/README.md
new file mode 100644
index 000000000..06912cf9a
--- /dev/null
+++ b/docs/src/operations/v2.1.0/bpe/README.md
@@ -0,0 +1,33 @@
+---
+title: BPE Server
+icon: module
+---
+
+## Purpose
+
+The **DSF Business Process Engine (BPE)** executes the BPMN 2.0 workflows that drive distributed data sharing processes between DSF instances. It listens for new `Task` resources on the local FHIR Server, runs the corresponding process plugin, and creates follow-up `Task` resources on remote FHIR Servers via its configured FHIR client connections. The BPE is an internal component and is not exposed to the public network — it talks to local systeme (e.g., the local FHIR Store) and to remote DSF FHIR Servers through their reverse proxies.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/bpe`](https://github.com/datasharingframework/dsf/pkgs/container/bpe)
+- Tag for this release: `{{release.tag}}`
+
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+  {{release.image.bpe}}@sha256:{{release.digest.bpe}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [Access Control](access-control)
+- [OpenID Connect](oidc)
+- [Logging](logging)
+- [FHIR Client Connections](fhir-client-connections)
+- [How to Verify Image Signatures](../image-verification)
diff --git a/docs/src/operations/v2.1.0/bpe/access-control.md b/docs/src/operations/v2.1.0/bpe/access-control.md
new file mode 100644
index 000000000..e51587c62
--- /dev/null
+++ b/docs/src/operations/v2.1.0/bpe/access-control.md
@@ -0,0 +1,104 @@
+---
+title: Access Control
+icon: config
+---
+
+## Overview
+
+The DSF BPE server provides a user interface for administrators. Without any additional configuration the user interface is not accessible with the organizations X.509 client certificate or any other certificate or OpenID Connect authenticated user.
+
+::: tip OpenID Connect
+To enable OpenID Connect authentication of local user, see the DSF BPE server OpenID Connect [configuration page](oidc).
+:::
+
+Access to the user interface can be enabled for client certificates and local users authenticating via OAuth 2.0 OpenID Connect. Access can be configured for so called roles, with all roles specified using the configuration parameter [DEV_DSF_BPE_SERVER_ROLECONFIG](configuration#dev-dsf-bpe-server-roleconfig). The value for this environment variable is specified as YAML using the block scalar `|`.
+
+The listing below shows a minimal configuration to enable access for a specific client-certificate:
+
+```yaml
+      DEV_DSF_BPE_SERVER_ROLECONFIG: |
+        - example_read_only_role:
+            thumbprint: 00474993fa261b0225f93c5a66aa6fcc... [a-f0-9]{128}
+            dsf-role:
+              - ADMIN
+```
+The list of user roles above contains a single rule-entry `example_read_only_role`, matching the user via a client certificate SHA-512 thumprint and assigning three DSF roles. Any string can be used as the name for the rule-enty.
+
+::: tip Certificate Thumbprints
+SHA-512 certificate thumbprints in HEX form `[a-f0-9]{128}` can be calculated using:
+```sh
+certtool --fingerprint --hash=sha512 --infile=certificate.pem
+```
+:::
+
+Multiple user roles can be specified and all matching roles will be applied to an authenticated users. Use an empty string `""` or a single block scalar `|` character as the value for the configuration parameter [DEV_DSF_BPE_SERVER_ROLECONFIG](configuration#dev-dsf-bpe-server-roleconfig) if no roles should be configured.
+
+## Matching Users
+
+To apply roles, users can be matched via the `thumbprint`, `email`, `token-role` or `token-group` properties. A single value or a list of values can be specified.
+
+#### thumbprint
+
+The property `thumbprint` can used to specify one or multiple SHA-512 certificate thumbprints. Roles from this rule are applied to the authenticating user if the certificate matches one of the specified thumbprints.
+
+#### email
+
+Using the property `email` users can be matched against e-mail addresses specified in X.509 client certificates and in OpenID Connect access tokens. Values will be matched against e-mail addresses specified in the subject DN (via PKCS#9 extension 1.2.840.113549.1.9.1) and RFC-822 Name entries of the Subject Alternative Name field. If the user authenticates via OpenID Connect, the `email` [claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) from the access token will be matched against the property values.
+
+#### token-role and token-group
+
+With the properties `token-role` and `token-group` role and group names can be specified to match against role and group claims within OAuth 2.0 access tokens.
+
+
+## DSF and Practitioner Roles
+
+Two types of roles can be applied to matched users. 
+
+#### dsf-role
+
+DSF roles specified via the `dsf-role` property define general access to the user interface. Allowed values are:
+
+`ADMIN`.
+
+#### practitioner-role
+
+The BPE server currently does not support any practionier-roles.
+
+
+## Examples
+
+The first example defines a group of DSF administrators. Two client certificates match against this role:
+
+```yaml
+      DEV_DSF_BPE_SERVER_ROLECONFIG: |
+        - certificate-admins:
+            thumbprint: 
+              - afb68b1d9d47e691b8b3d50fd9848467cada8b1c76f5f4b45f00c9f8432d505361a3ee27805f4aa06799d9ac8dace94b3f1942fce44d84866961259b13be825d
+              - 2441bfddcad97eeb83c8c31fe181b90652787b8b59bf4e569219da7db4429e389479cb7c4a2f311e34217357d594ecad7d58ccfeef2a9e93c6fcf8d98897d88c
+            dsf-role:
+              - ADMIN
+```
+
+
+The second example defines a group of DSF administrators by specifying an `admin` role that gets matched against OAuth 2.0 access tokens:
+
+```yaml
+      DEV_DSF_BPE_SERVER_ROLECONFIG: |
+        - token-role-admins:
+            token-role: admin
+            dsf-role:
+              - ADMIN
+```
+
+
+The third example allows administrator access and users e-mail addresses to match this role. E-mail addresses from X.509 client certificates and OAuth 2.0 access tokens are matched:
+
+```yaml
+      DEV_DSF_BPE_SERVER_ROLECONFIG: |
+        - email-admins:
+            email:
+              - first.user@test.org
+              - second.user@test.org
+            dsf-role:
+              - ADMIN
+```
diff --git a/docs/src/operations/v2.1.0/bpe/configuration.md b/docs/src/operations/v2.1.0/bpe/configuration.md
new file mode 100644
index 000000000..907fd0054
--- /dev/null
+++ b/docs/src/operations/v2.1.0/bpe/configuration.md
@@ -0,0 +1,991 @@
+---
+title: Configuration Parameters
+icon: config
+---
+
+### DEV_DSF_BPE_DB_LIQUIBASE_FORCEUNLOCK
+- **Property:** dev.dsf.bpe.db.liquibase.forceUnlock
+- **Required:** No
+- **Description:** To force liquibase to unlock the migration lock set to `true`
+- **Recommendation:** Only use this option temporarily to unlock a stuck DB migration step
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DB_LIQUIBASE_LOCKWAITTIME
+- **Property:** dev.dsf.bpe.db.liquibase.lockWaitTime
+- **Required:** No
+- **Description:** Liquibase change lock wait time in minutes, default 2 minutes
+- **Default:** `2`
+
+
+### DEV_DSF_BPE_DB_LIQUIBASE_PASSWORD or DEV_DSF_BPE_DB_LIQUIBASE_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.db.liquibase.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF BPE server to execute database migrations
+- **Recommendation:** Use docker secret file to configure by using *DEV_DSF_BPE_DB_LIQUIBASE_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_liquibase.password`
+
+
+### DEV_DSF_BPE_DB_LIQUIBASE_USERNAME
+- **Property:** dev.dsf.bpe.db.liquibase.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF BPE server to execute database migrations
+- **Default:** `liquibase_user`
+
+
+### DEV_DSF_BPE_DB_URL
+- **Property:** dev.dsf.bpe.db.url
+- **Required:** Yes
+- **Description:** Address of the database used for the DSF BPE server
+- **Recommendation:** Change only if you don't use the provided docker-compose from the installation guide or made changes to the database settings/networking in the docker-compose
+- **Example:** `jdbc:postgresql://db/bpe`
+
+
+### DEV_DSF_BPE_DB_USER_ENGINE_GROUP
+- **Property:** dev.dsf.bpe.db.user.engine.group
+- **Required:** No
+- **Description:** Name of the user group to access the database from the DSF BPE server workflow engine
+- **Default:** `bpe_engine_users`
+
+
+### DEV_DSF_BPE_DB_USER_ENGINE_PASSWORD or DEV_DSF_BPE_DB_USER_ENGINE_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.db.user.engine.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF BPE server workflow engine
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_DB_USER_ENGINE_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_user_engine.password`
+
+
+### DEV_DSF_BPE_DB_USER_ENGINE_USERNAME
+- **Property:** dev.dsf.bpe.db.user.engine.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF BPE server workflow engine
+- **Recommendation:** Use a different user then in *DEV_DSF_BPE_DB_USER_USERNAME*
+- **Default:** `bpe_server_engine_user`
+
+
+### DEV_DSF_BPE_DB_USER_GROUP
+- **Property:** dev.dsf.bpe.db.user.group
+- **Required:** No
+- **Description:** Name of the user group to access the database from the DSF BPE server
+- **Default:** `bpe_users`
+
+
+### DEV_DSF_BPE_DB_USER_PASSWORD or DEV_DSF_BPE_DB_USER_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.db.user.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF BPE server
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_DB_USER_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_user.password`
+
+
+### DEV_DSF_BPE_DB_USER_USERNAME
+- **Property:** dev.dsf.bpe.db.user.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF BPE server
+- **Default:** `bpe_server_user`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_CURRENTUSER
+- **Property:** dev.dsf.bpe.debug.log.message.currentUser
+- **Required:** No
+- **Description:** To enable logging of the currently requesting user set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_DBSTATEMENT
+- **Property:** dev.dsf.bpe.debug.log.message.dbStatement
+- **Required:** No
+- **Description:** To enable logging of DB queries set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_ONACTIVITYEND
+- **Property:** dev.dsf.bpe.debug.log.message.onActivityEnd
+- **Required:** No
+- **Description:** To enable debug log messages for every bpmn activity end, set to `true`
+- **Recommendation:** This debug function should only be activated during process plugin development
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_ONACTIVITYSTART
+- **Property:** dev.dsf.bpe.debug.log.message.onActivityStart
+- **Required:** No
+- **Description:** To enable debug log messages for every bpmn activity start, set to `true`
+- **Recommendation:** This debug function should only be activated during process plugin development
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_VARIABLES
+- **Property:** dev.dsf.bpe.debug.log.message.variables
+- **Required:** No
+- **Description:** To enable logging of bpmn variables for every bpmn activity start or end, when logging of these events is enabled, set to `true`
+- **Recommendation:** This debug function should only be activated during process plugin development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_VARIABLESLOCAL
+- **Property:** dev.dsf.bpe.debug.log.message.variablesLocal
+- **Required:** No
+- **Description:** To enable logging of local bpmn variables for every bpmn activity start or end, when logging of these events is enabled, set to `true`
+- **Recommendation:** This debug function should only be activated during process plugin development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_DEBUG_LOG_MESSAGE_WEBSERVICEREQUEST
+- **Property:** dev.dsf.bpe.debug.log.message.webserviceRequest
+- **Required:** No
+- **Description:** To enable logging of webservices requests set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.bpe.fhir.client.certificate
+- **Required:** Yes
+- **Description:** PEM encoded file with local client certificate for https connections to local and remote DSF FHIR servers
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/app_client_certificate.pem`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.bpe.fhir.client.certificate.private.key
+- **Required:** Yes
+- **Description:** Private key corresponding to the local client certificate as PEM encoded file. Use DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/app_client_certificate_private_key.pem`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.fhir.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the local client certificate encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/app_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG
+- **Property:** dev.dsf.bpe.fhir.client.connections.config
+- **Required:** No
+- **Description:** FHIR server connections YAML config for v2 process plugins
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_ENABLE_DEBUG_LOGGING
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.enable.debug.logging
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `enable-debug-logging` and `oidc-auth.enable-debug-logging`
+- **Recommendation:** To enable debug logging of requests and responses to configured FHIR servers by default set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_OIDC_DISCOVERY_PATH
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.oidc.discovery.path
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for property `oidc-auth.discovery-path`
+- **Default:** `/.well-known/openid-configuration`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_OIDC_VERIFY_AUTHORIZED_PARTY
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.oidc.verify.authorized.party
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for property `oidc-auth.verify-authorized-party`
+- **Recommendation:** To disable verification of the authorized party (aud) claim by default set to `false`
+- **Default:** `true`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TEST_CONNECTION_ON_STARTUP
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.test.connection.on.startup
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `test-connection-on-startup` and `oidc-auth.test-connection-on-startup`
+- **Recommendation:** To perform connection tests on BPE startup to configured FHIR servers by default set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TIMEOUT_CONNECT
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.timeout.connect
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `connect-timeout` and `oidc-auth.connect-timeout`
+- **Default:** `PT2S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TIMEOUT_READ
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.timeout.read
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `read-timeout` and `oidc-auth.read-timeout`
+- **Default:** `PT10M`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_DEFAULT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.default.trust.server.certificate.cas
+- **Required:** No
+- **Description:** FHIR server connections YAML: Default value for properties `trusted-root-certificates-file` and `oidc-auth.trusted-root-certificates-file`. Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates.
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_CACHE
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.cache
+- **Required:** No
+- **Description:** Set `false` to disable caching of OIDC discovery and jwks resources as well as access tokens in the 'Client Credentials Grant' client; access tokens are evicted 10 seconds before they expire
+- **Default:** `true`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_CACHE_TIMEOUT_ACCESS_TOKEN
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.cache.timeout.access.token
+- **Required:** No
+- **Description:** OIDC 'Client Credentials Grant' client cache timeout of access tokens before they expire, duration is subtracted from the expires at value of the access token
+- **Default:** `PT10S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_CACHE_TIMEOUT_CONFIGURATION_RESOURCE
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.cache.timeout.configuration.resource
+- **Required:** No
+- **Description:** OIDC 'Client Credentials Grant' client cache timeout of the 'openid-configuration' discovery resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_CACHE_TIMEOUT_JWKS_RESOURCE
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.cache.timeout.jwks.resource
+- **Required:** No
+- **Description:** OIDC 'Client Credentials Grant' client cache timeout of the jwks resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG_OIDC_TIME_VALIDATION_LEEWAY
+- **Property:** dev.dsf.bpe.fhir.client.connections.config.oidc.time.validation.leeway
+- **Required:** No
+- **Description:** OIDC 'Client Credentials Grant' client access token time validation leeway for 'Not Before', 'Issued At' and 'Expires At' values
+- **Default:** `PT10S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_LOCAL_TIMEOUT_CONNECT
+- **Property:** dev.dsf.bpe.fhir.client.local.timeout.connect
+- **Required:** No
+- **Description:** Timeout until a connection is established with the local DSF FHIR server
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT2S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_LOCAL_TIMEOUT_READ
+- **Property:** dev.dsf.bpe.fhir.client.local.timeout.read
+- **Required:** No
+- **Description:** Timeout until reading a resource from the local DSF FHIR server is aborted
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT60S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_LOCAL_VERBOSE
+- **Property:** dev.dsf.bpe.fhir.client.local.verbose
+- **Required:** No
+- **Description:** To enable verbose logging of requests to and replies from the local DSF FHIR server, set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_REMOTE_TIMEOUT_CONNECT
+- **Property:** dev.dsf.bpe.fhir.client.remote.timeout.connect
+- **Required:** No
+- **Description:** Timeout until a connection is established with a remote DSF FHIR server
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT5S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_REMOTE_TIMEOUT_READ
+- **Property:** dev.dsf.bpe.fhir.client.remote.timeout.read
+- **Required:** No
+- **Description:** Timeout until a reading a resource from a remote DSF FHIR server is aborted
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT60S`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_REMOTE_VERBOSE
+- **Property:** dev.dsf.bpe.fhir.client.remote.verbose
+- **Required:** No
+- **Description:** To enable verbose logging of requests to and replies from remote DSF FHIR servers, set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_FHIR_CLIENT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.bpe.fhir.client.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to local and remote DSF FHIR servers
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_BPE_FHIR_QUESTIONNAIRE_RESPONSE_SUBSCRIPTION_SEARCH_PARAMETER
+- **Property:** dev.dsf.bpe.fhir.questionnaire.response.subscription.search.parameter
+- **Required:** No
+- **Description:** Subscription to receive notifications about questionnaire response resources from the DSF FHIR server
+- **Default:** `?criteria:exact=QuestionnaireResponse%3Fstatus%3Dcompleted&status=active&type=websocket&payload=application/fhir%2Bjson`
+
+
+### DEV_DSF_BPE_FHIR_SERVER_BASE_URL
+- **Property:** dev.dsf.bpe.fhir.server.base.url
+- **Required:** Yes
+- **Description:** Base address of the local DSF FHIR server to read/store fhir resources
+- **Example:** `https://foo.bar/fhir`
+
+
+### DEV_DSF_BPE_FHIR_TASK_SUBSCRIPTION_RETRY_MAX
+- **Property:** dev.dsf.bpe.fhir.task.subscription.retry.max
+- **Required:** No
+- **Description:** Number of retries until a websocket connection can be established with the DSF FHIR server, `-1` means infinite number of retries
+- **Default:** `-1`
+
+
+### DEV_DSF_BPE_FHIR_TASK_SUBSCRIPTION_RETRY_SLEEP
+- **Property:** dev.dsf.bpe.fhir.task.subscription.retry.sleep
+- **Required:** No
+- **Description:** Time between two retries to establish a websocket connection with the DSF FHIR server
+- **Default:** `PT5S`
+
+
+### DEV_DSF_BPE_FHIR_TASK_SUBSCRIPTION_SEARCH_PARAMETER
+- **Property:** dev.dsf.bpe.fhir.task.subscription.search.parameter
+- **Required:** No
+- **Description:** Subscription to receive notifications about task resources from the DSF FHIR server
+- **Default:** `?criteria:exact=Task%3Fstatus%3Drequested&status=active&type=websocket&payload=application/fhir%2Bjson`
+
+
+### DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.bpe.mail.client.certificate
+- **Required:** No
+- **Description:** PEM encoded file with client certificate used to authenticate against the SMTP server. Requires SMTP over TLS to be enabled via *DEV_DSF_BPE_MAIL_USESMTPS*
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/smtp_server_client_certificate.pem`
+
+
+### DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.bpe.mail.client.certificate.private.key
+- **Required:** No
+- **Description:** Private key corresponging to the SMTP server client certificate as PEM encoded file. Use DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted. Requires SMTP over TLS to be enabled via *DEV_DSF_BPE_MAIL_USESMTPS*
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/smtp_server_client_certificate_private_key.pem`
+
+
+### DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.mail.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the local client certificate encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_MAIL_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/smtp_server_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_BPE_MAIL_FROMADDRESS
+- **Property:** dev.dsf.bpe.mail.fromAddress
+- **Required:** No
+- **Description:** Mail service sender address
+- **Example:** `sender@localhost`
+
+
+### DEV_DSF_BPE_MAIL_HOST
+- **Property:** dev.dsf.bpe.mail.host
+- **Required:** No
+- **Description:** SMTP server hostname
+- **Example:** `smtp.server.de`
+
+
+### DEV_DSF_BPE_MAIL_MAILONERRORLOGEVENTBUFFERSIZE
+- **Property:** dev.dsf.bpe.mail.mailOnErrorLogEventBufferSize
+- **Required:** No
+- **Description:** Number of previous INFO, WARN log messages to include in ERROR log event mails (>=0); requires send mail on ERROR log event option to be enabled to have an effect
+- **Default:** `4`
+
+
+### DEV_DSF_BPE_MAIL_MAILONERRORLOGEVENTDEBUGLOGLOCATION
+- **Property:** dev.dsf.bpe.mail.mailOnErrorLogEventDebugLogLocation
+- **Required:** No
+- **Description:** Location of the BPE debug log as displayed in the footer of ERROR log event mails, does not modify the actual location of the debug log file; requires send mail on ERROR log event option to be enabled to have an effect
+- **Default:** `/opt/bpe/log/bpe.log`
+
+
+### DEV_DSF_BPE_MAIL_PASSWORD or DEV_DSF_BPE_MAIL_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.mail.password
+- **Required:** No
+- **Description:** SMTP server authentication password
+- **Recommendation:** Configure if the SMTP server requires username/password authentication; use docker secret file to configure using *DEV_DSF_BPE_MAIL_PASSWORD_FILE*; enable SMTP over TLS via *DEV_DSF_BPE_MAIL_USESMTPS*
+
+
+### DEV_DSF_BPE_MAIL_PORT
+- **Property:** dev.dsf.bpe.mail.port
+- **Required:** No
+- **Description:** SMTP server port
+- **Example:** `465`
+- **Default:** `0`
+
+
+### DEV_DSF_BPE_MAIL_REPLYTOADDRESSES
+- **Property:** dev.dsf.bpe.mail.replyToAddresses
+- **Required:** No
+- **Description:** Mail service reply to addresses; comma or space separated list, YAML block scalars supported
+- **Example:** `reply.to@localhost`
+
+
+### DEV_DSF_BPE_MAIL_SENDMAILONERRORLOGEVENT
+- **Property:** dev.dsf.bpe.mail.sendMailOnErrorLogEvent
+- **Required:** No
+- **Description:** To enable mails being send for every ERROR logged, set to `true`; requires SMTP server to be configured
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_MAIL_SENDTESTMAILONSTARTUP
+- **Property:** dev.dsf.bpe.mail.sendTestMailOnStartup
+- **Required:** No
+- **Description:** To enable a test mail being send on startup of the BPE, set to `true`; requires SMTP server to be configured
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_MAIL_SMIME_P12KEYSTORE
+- **Property:** dev.dsf.bpe.mail.smime.p12Keystore
+- **Required:** No
+- **Description:** PKCS12 encoded file with S/MIME certificate, private key and certificate chain to enable send mails to be S/MIME signed
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/smime_certificate.p12`
+
+
+### DEV_DSF_BPE_MAIL_SMIME_P12KEYSTORE_PASSWORD or DEV_DSF_BPE_MAIL_SMIME_P12KEYSTORE_PASSWORD_FILE
+- **Property:** dev.dsf.bpe.mail.smime.p12Keystore.password
+- **Required:** No
+- **Description:** Password to decrypt the PKCS12 encoded S/MIMIE certificate file
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_BPE_MAIL_SMIME_P12KEYSTORE_PASSWORD_FILE*
+- **Example:** `/run/secrets/smime_certificate.p12.password`
+
+
+### DEV_DSF_BPE_MAIL_TOADDRESSES
+- **Property:** dev.dsf.bpe.mail.toAddresses
+- **Required:** No
+- **Description:** Mail service recipient addresses, configure at least one; comma or space separated list, YAML block scalars supported
+- **Example:** `recipient@localhost`
+
+
+### DEV_DSF_BPE_MAIL_TOADDRESSESCC
+- **Property:** dev.dsf.bpe.mail.toAddressesCc
+- **Required:** No
+- **Description:** Mail service CC recipient addresses; comma or space separated list, YAML block scalars supported
+- **Example:** `cc.recipient@localhost`
+
+
+### DEV_DSF_BPE_MAIL_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.bpe.mail.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate the server certificate of the SMTP server. Requires SMTP over TLS to be enabled via *DEV_DSF_BPE_MAIL_USESMTPS*
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/smtp_server_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_BPE_MAIL_USERNAME
+- **Property:** dev.dsf.bpe.mail.username
+- **Required:** No
+- **Description:** SMTP server authentication username
+- **Recommendation:** Configure if the SMTP server requires username/password authentication; enable SMTP over TLS via *DEV_DSF_BPE_MAIL_USESMTPS*
+
+
+### DEV_DSF_BPE_MAIL_USESMTPS
+- **Property:** dev.dsf.bpe.mail.useSmtps
+- **Required:** No
+- **Description:** To enable SMTP over TLS (smtps), set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_PROCESS_API_ALLOWED_BPE_CLASSES
+- **Property:** dev.dsf.bpe.process.api.allowed.bpe.classes
+- **Required:** No
+- **Description:** Map with files containing qualified class names allowed to be loaded by plugins for api versions; map key must match v([1-9]+[0-9]*)
+- **Recommendation:** Change only during development
+- **Example:** `{v1: 'some/example.file', v2: 'other.file'}`
+- **Default:** `{:}`
+
+
+### DEV_DSF_BPE_PROCESS_API_ALLOWED_BPE_RESOURCE
+- **Property:** dev.dsf.bpe.process.api.allowed.bpe.resource
+- **Required:** No
+- **Description:** Map with files containing resources allowed to be loaded by plugins for api versions; map key must match v([1-9]+[0-9]*)
+- **Recommendation:** Change only during development
+- **Example:** `{v1: 'some/example.file', v2: 'other.file'}`
+- **Default:** `{:}`
+
+
+### DEV_DSF_BPE_PROCESS_API_DIRECTORY
+- **Property:** dev.dsf.bpe.process.api.directory
+- **Required:** No
+- **Description:** Directory containing the DSF BPE process plugin api jar files
+- **Recommendation:** Change only during development
+- **Default:** `api`
+
+
+### DEV_DSF_BPE_PROCESS_API_RESOURCES_WITH_PRIORITY
+- **Property:** dev.dsf.bpe.process.api.resources.with.priority
+- **Required:** No
+- **Description:** Map with files containing api/plugin resource with priority over bpe resources for plugins for api versions; map key must match v([1-9]+[0-9]*)
+- **Recommendation:** Change only during development
+- **Example:** `{v1: 'some/example.file', v2: 'other.file'}`
+- **Default:** `{:}`
+
+
+### DEV_DSF_BPE_PROCESS_ENGINE_COREPOOLSIZE
+- **Property:** dev.dsf.bpe.process.engine.corePoolSize
+- **Required:** No
+- **Description:** Process engine job executor core pool size
+- **Default:** `4`
+
+
+### DEV_DSF_BPE_PROCESS_ENGINE_MAXPOOLSIZE
+- **Property:** dev.dsf.bpe.process.engine.maxPoolSize
+- **Required:** No
+- **Description:** Process engine job executor max pool size, additional threads until max pool size are created if the queue is full
+- **Default:** `10`
+
+
+### DEV_DSF_BPE_PROCESS_ENGINE_QUEUESIZE
+- **Property:** dev.dsf.bpe.process.engine.queueSize
+- **Required:** No
+- **Description:** Process engine job executor queue size, jobs are added to the queue if all core pool threads are busy
+- **Default:** `40`
+
+
+### DEV_DSF_BPE_PROCESS_EXCLUDED
+- **Property:** dev.dsf.bpe.process.excluded
+- **Required:** No
+- **Description:** List of process names that should be excluded from deployment during startup of the DSF BPE server; comma or space separated list, YAML block scalars supported
+- **Recommendation:** Only deploy processes that can be started depending on your organization's roles in the Allow-List
+- **Example:** `dsfdev_updateAllowList|1.0, another_process|x.y`
+
+
+### DEV_DSF_BPE_PROCESS_FHIR_SERVER_RETRY_MAX
+- **Property:** dev.dsf.bpe.process.fhir.server.retry.max
+- **Required:** No
+- **Description:** Number of retries until a connection can be established with the local DSF FHIR server during process deployment, `-1` means infinite number of retries
+- **Default:** `-1`
+
+
+### DEV_DSF_BPE_PROCESS_FHIR_SERVER_RETRY_SLEEP
+- **Property:** dev.dsf.bpe.process.fhir.server.retry.sleep
+- **Required:** No
+- **Description:** Time between two retries to establish a connection with the local DSF FHIR server during process deployment
+- **Default:** `PT5S`
+
+
+### DEV_DSF_BPE_PROCESS_FHIR_VALIDATION_ENABLED
+- **Property:** dev.dsf.bpe.process.fhir.validation.enabled
+- **Required:** No
+- **Description:** Set to true to enable FHIR validation feature for process plugins, not implemented for DSF version 2.0.x
+- **Default:** `false`
+
+
+### DEV_DSF_BPE_PROCESS_PLUGIN_DIRECTORY
+- **Property:** dev.dsf.bpe.process.plugin.directory
+- **Required:** No
+- **Description:** Directory containing the DSF BPE process plugins for deployment on startup of the DSF BPE server
+- **Recommendation:** Change only if you don't use the provided directory structure from the installation guide or made changes to tit
+- **Default:** `process`
+
+
+### DEV_DSF_BPE_PROCESS_PLUGIN_EXPLODED
+- **Property:** dev.dsf.bpe.process.plugin.exploded
+- **Required:** No
+- **Description:** Directories containing exploded DSF BPE process plugins for deployment on startup of the DSF BPE server; comma or space separated list, YAML block scalars supported
+- **Recommendation:** Only for testing
+
+
+### DEV_DSF_BPE_PROCESS_RETIRED
+- **Property:** dev.dsf.bpe.process.retired
+- **Required:** No
+- **Description:** List of already deployed process names that should be retired during startup of the DSF BPE server; comma or space separated list, YAML block scalars supported
+- **Recommendation:** Retire processes that where deployed previously but are not anymore available
+- **Example:** `old_process|x.y`
+
+
+### DEV_DSF_BPE_PROCESS_THREADS
+- **Property:** dev.dsf.bpe.process.threads
+- **Required:** No
+- **Description:** Number of parallel Task / QuestionnaireResponse threads to start new or continue existing processes, a value `<= 0` means number of cpu cores
+- **Default:** `-1`
+
+
+### DEV_DSF_BPE_SERVER_BASE_URL
+- **Property:** dev.dsf.bpe.server.base.url
+- **Required:** No
+- **Description:** Base address of the BPE server, configure when exposing the web-ui
+- **Example:** `https://foo.bar/bpe`
+- **Default:** `https://localhost/bpe`
+
+
+### DEV_DSF_BPE_SERVER_ROLECONFIG
+- **Property:** dev.dsf.bpe.server.roleConfig
+- **Required:** No
+- **Description:** Role config YAML as defined in [BPE Server: Access Control](access-control)
+
+
+### DEV_DSF_BPE_SERVER_STATIC_RESOURCE_CACHE
+- **Property:** dev.dsf.bpe.server.static.resource.cache
+- **Required:** No
+- **Description:** To disable static resource caching, set to `false`
+- **Recommendation:** Only set to `false` for development
+- **Default:** `true`
+
+
+### DEV_DSF_BPE_SERVER_UI_THEME
+- **Property:** dev.dsf.bpe.server.ui.theme
+- **Required:** No
+- **Description:** UI theme parameter, adds a color indicator to the ui to distinguish `dev`, `test` and `prod` environments if configured; supported values: `dev`, `test` and `prod`
+
+
+### DEV_DSF_LOG_CONFIG
+- **Property:** dev.dsf.log.config
+- **Required:** No
+- **Description:** Location of a log4j configuration xml file; if file is readable, overrides configuration specified via *DEV_DSF_LOG_...* parameters
+- **Default:** `conf/log4j2.xml`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_ENABLED
+- **Property:** dev.dsf.log.console.err.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console err output of the standard logger
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_LEVEL
+- **Property:** dev.dsf.log.console.err.level
+- **Required:** No
+- **Description:** Standard logger console err output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `INFO`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_STYLE
+- **Property:** dev.dsf.log.console.err.style
+- **Required:** No
+- **Description:** Standard logger console err output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`, `TEXT_COLOR_MDC`, `TEXT_COLOR`
+- **Default:** `TEXT_COLOR`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_ENABLED
+- **Property:** dev.dsf.log.console.out.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable console out output of the standard logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_LEVEL
+- **Property:** dev.dsf.log.console.out.level
+- **Required:** No
+- **Description:** Standard logger console out output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `INFO`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_STYLE
+- **Property:** dev.dsf.log.console.out.style
+- **Required:** No
+- **Description:** Standard logger console out output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`, `TEXT_COLOR_MDC`, `TEXT_COLOR`
+- **Default:** `TEXT_COLOR`
+
+
+### DEV_DSF_LOG_DATA_CONSOLE_ERR_ENABLED
+- **Property:** dev.dsf.log.data.console.err.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console err output of the special data logger; the data logger can be used by process plugins to log sensitive data
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_DATA_CONSOLE_ERR_STYLE
+- **Property:** dev.dsf.log.data.console.err.style
+- **Required:** No
+- **Description:** Special data logger console err style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT`
+
+
+### DEV_DSF_LOG_DATA_CONSOLE_OUT_ENABLED
+- **Property:** dev.dsf.log.data.console.out.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console out output of the special data logger; the data logger can be used by process plugins to log sensitive data
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_DATA_CONSOLE_OUT_STYLE
+- **Property:** dev.dsf.log.data.console.out.style
+- **Required:** No
+- **Description:** Special data logger console out style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT`
+
+
+### DEV_DSF_LOG_DATA_FILE_ENABLED
+- **Property:** dev.dsf.log.data.file.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable log file output of the special data logger; the data logger can be used by process plugins to log sensitive data
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_DATA_FILE_STYLE
+- **Property:** dev.dsf.log.data.file.style
+- **Required:** No
+- **Description:** Special data logger file style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT`
+
+
+### DEV_DSF_LOG_FILE_ENABLED
+- **Property:** dev.dsf.log.file.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable log file output of the standard logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_FILE_LEVEL
+- **Property:** dev.dsf.log.file.level
+- **Required:** No
+- **Description:** Standard logger log file output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `DEBUG`
+
+
+### DEV_DSF_LOG_FILE_STYLE
+- **Property:** dev.dsf.log.file.style
+- **Required:** No
+- **Description:** Standard logger log file output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT_MDC`
+
+
+### DEV_DSF_LOG_MIN_LEVEL_LOGGERS
+- **Property:** dev.dsf.log.min.level.loggers
+- **Required:** No
+- **Description:** List of logger names that are enabled to produce log output with the minimal configured log level from `DEV_DSF_LOG_CONSOLE_OUT_LEVEL`, `DEV_DSF_LOG_CONSOLE_ERR_LEVEL` and `DEV_DSF_LOG_FILE_LEVEL`
+- **Default:** `dev.dsf, de.medizininformatik_initiative.processes.common`
+
+
+### DEV_DSF_PROXY_NOPROXY
+- **Property:** dev.dsf.proxy.noProxy
+- **Required:** No
+- **Description:** Forward proxy no-proxy list, entries will match exactly or against (one level) sub-domains, if no port is specified - all ports are matched; comma or space separated list, YAML block scalars supported
+- **Example:** `foo.bar, test.com:8080`
+
+
+### DEV_DSF_PROXY_PASSWORD or DEV_DSF_PROXY_PASSWORD_FILE
+- **Property:** dev.dsf.proxy.password
+- **Required:** No
+- **Description:** Forward Proxy password
+- **Recommendation:** Configure password if proxy requires authentication, use docker secret file to configure using *DEV_DSF_PROXY_PASSWORD_FILE*
+
+
+### DEV_DSF_PROXY_URL
+- **Property:** dev.dsf.proxy.url
+- **Required:** No
+- **Description:** Forward (http/https) proxy url, use *DEV_DSF_BPE_PROXY_NOPROXY* to list domains that do not require a forward proxy
+- **Example:** `http://proxy.foo:8080`
+
+
+### DEV_DSF_PROXY_USERNAME
+- **Property:** dev.dsf.proxy.username
+- **Required:** No
+- **Description:** Forward proxy username
+- **Recommendation:** Configure username if proxy requires authentication
+
+
+### DEV_DSF_SERVER_API_HOST
+- **Property:** dev.dsf.server.api.host
+- **Required:** No
+- **Description:** API connector host, default in docker image: `0.0.0.0`
+- **Default:** `127.0.0.1`
+
+
+### DEV_DSF_SERVER_API_PORT
+- **Property:** dev.dsf.server.api.port
+- **Required:** No
+- **Description:** API connector port, default in docker image: `8080`
+
+
+### DEV_DSF_SERVER_AUTH_CLIENT_CERTIFICATE_HEADER
+- **Property:** dev.dsf.server.auth.client.certificate.header
+- **Required:** No
+- **Description:** Name of HTTP header with client certificate from reverse proxy
+- **Default:** `X-ClientCert`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW
+- **Property:** dev.dsf.server.auth.oidc.authorization.code.flow
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC authorization code flow
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL*, *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET* or *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT
+- **Property:** dev.dsf.server.auth.oidc.back.channel.logout
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC back-channel logout
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* to be set to `true` (enabled), *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH
+- **Property:** dev.dsf.server.auth.oidc.back.channel.logout.path
+- **Required:** No
+- **Description:** Path called by the OIDC provide to request back-channel logout
+- **Default:** `/back-channel-logout`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN
+- **Property:** dev.dsf.server.auth.oidc.bearer.token
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC bearer token authentication
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN_AUDIENCE
+- **Property:** dev.dsf.server.auth.oidc.bearer.token.audience
+- **Required:** No
+- **Description:** Audience (aud) value to verify before accepting OIDC bearer tokens, uses value from `DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID` by default, set blank string e.g. `''` to disable
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified and *DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN* set tor `true`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID
+- **Property:** dev.dsf.server.auth.oidc.client.id
+- **Required:** No
+- **Description:** OIDC provider client_id, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET or DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE
+- **Property:** dev.dsf.server.auth.oidc.client.secret
+- **Required:** No
+- **Description:** OIDC provider client_secret, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CACHE_TIMEOUT_CONFIGURATION_RESOURCE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource
+- **Required:** No
+- **Description:** OIDC provider client cache timeout of the 'openid-configuration' discovery resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CACHE_TIMEOUT_JWKS_RESOURCE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource
+- **Required:** No
+- **Description:** OIDC provider client cache timeout of the jwks resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate
+- **Required:** No
+- **Description:** PEM encoded file with client certificate for https connections to the OIDC provider
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_client_certificate.pem`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate.private.key
+- **Required:** No
+- **Description:** Private key corresponding to the client certificate for the OIDC provider as PEM encoded file. Use *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_client_certificate_private_key.pem`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the client certificate for the OIDC provider encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/oidc_provider_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TIMEOUT_CONNECT
+- **Property:** dev.dsf.server.auth.oidc.provider.client.timeout.connect
+- **Required:** No
+- **Description:** OIDC provider client connect timeout
+- **Default:** `PT5S`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TIMEOUT_READ
+- **Property:** dev.dsf.server.auth.oidc.provider.client.timeout.read
+- **Required:** No
+- **Description:** OIDC provider client read timeout
+- **Default:** `PT30S`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.server.auth.oidc.provider.client.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to the OIDC provider
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_DISCOVERY_PATH
+- **Property:** dev.dsf.server.auth.oidc.provider.discovery.path
+- **Required:** No
+- **Description:** OIDC provider discovery path
+- **Default:** `/.well-known/openid-configuration`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL
+- **Property:** dev.dsf.server.auth.oidc.provider.realm.base.url
+- **Required:** No
+- **Description:** OIDC provider realm base url
+- **Example:** `https://keycloak.test.com:8443/realms/example-realm-name`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_SESSION_TIMEOUT
+- **Property:** dev.dsf.server.auth.oidc.session.timeout
+- **Required:** No
+- **Description:** Maximum inactivity period after which the server session for OIDC logins is invalidated; the access token may expire earlier, resulting in earlier session invalidation
+- **Default:** `PT30M`
+
+
+### DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS
+- **Property:** dev.dsf.server.auth.trust.client.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted full CA chains to validate client certificates for https connections from local and remote clients
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/client_ca_chains`
+
+
+### DEV_DSF_SERVER_CERTIFICATE
+- **Property:** dev.dsf.server.certificate
+- **Required:** No
+- **Description:** Server certificate file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_CHAIN
+- **Property:** dev.dsf.server.certificate.chain
+- **Required:** No
+- **Description:** Server certificate chain file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_KEY
+- **Property:** dev.dsf.server.certificate.key
+- **Required:** No
+- **Description:** Server certificate private key file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_KEY_PASSWORD or DEV_DSF_SERVER_CERTIFICATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.server.certificate.key.password
+- **Required:** No
+- **Description:** Server certificate private key file password for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CONTEXT_PATH
+- **Property:** dev.dsf.server.context.path
+- **Required:** No
+- **Description:** Web application context path, default in `bpe` docker image: `/bpe`, default in `fhir` docker image: `/fhir`
+- **Recommendation:** Only modify for testing
+
+
+### DEV_DSF_SERVER_STATUS_HOST
+- **Property:** dev.dsf.server.status.host
+- **Required:** No
+- **Description:** Status connector host
+- **Default:** `127.0.0.1`
+
+
+### DEV_DSF_SERVER_STATUS_PORT
+- **Property:** dev.dsf.server.status.port
+- **Required:** No
+- **Description:** Status connector port, default in docker image: `10000`
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/bpe/fhir-client-connections.md b/docs/src/operations/v2.1.0/bpe/fhir-client-connections.md
new file mode 100644
index 000000000..ad5e80c0d
--- /dev/null
+++ b/docs/src/operations/v2.1.0/bpe/fhir-client-connections.md
@@ -0,0 +1,87 @@
+---
+title: FHIR Client Connections
+icon: config
+---
+
+::: info Compatible Process Plugins
+To our knowledge, as of January 2026 no process plugins have been released into production compatible with this plugin API v2 feature.
+:::
+
+AS part of the process plugin API v2 the DSF BPE Server provides a standardized way for plugins to use FHIR (data) server client connections configured for the entire BPE server. Connections are configured using YAML and specified via the environment variable [`DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG`](configuration.html#dev-dsf-bpe-fhir-client-connections-config). The value for this environment variable is specified as YAML using the block scalar |.
+
+The listing below shows a minimal configuration:
+
+```yaml
+      DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG: |
+        min-server:
+          base-url: http://min.server/fhir
+```
+
+
+The mechanism supports authenticated and non-authenticated connections to FHIR (data) servers using `http` and `https` connections. Basic, Bearer-Token, Client-Certificate, and OIDC Client-Credentials-Flow authentication schemes are supported.
+
+Multiple connections can be configured. Every connection has an ID (valid YAML property name) that needs to be supplied to the process plugin that is supposed to use the connection. Multiple process plugins can use the same connection config.
+
+<!-- TODO default values and environment variables to configure them -->
+
+A JSON schema is available to validate the configuration YAML: https://dsf.dev/schema/fhir_client_connections.json
+
+### Configuration Examples
+
+#### No Authentication, some defaults overridden
+
+ID: `no-auth-server` 
+
+```yaml
+# yaml-language-server: $schema=https://dsf.dev/schema/fhir_client_connections.json
+no-auth-server:
+  base-url: https://no.auth.server:8443/fhir
+  test-connection-on-startup: yes
+  enable-debug-logging: yes
+  connect-timeout: PT0.5S
+  read-timeout: PT5M
+  trusted-root-certificates-file: 'ca.crt'
+```
+
+#### Basic Authentication
+
+ID: `basic-auth-server` 
+
+```yaml
+# yaml-language-server: $schema=https://dsf.dev/schema/fhir_client_connections.json
+basic-auth-server:
+  base-url: https://basic.auth.server/fhir
+  basic-auth:
+    username: user
+    password-file: 'password.file’
+```
+
+#### Client Certificate Authentication
+
+ID: `cert-auth-server` 
+
+```yaml
+# yaml-language-server: $schema=https://dsf.dev/schema/fhir_client_connections.json
+cert-auth-server:
+  base-url: https://cert.auth.server/fhir/foo
+  cert-auth:
+    private-key-file: 'client.key'
+    certificate-file: 'client.crt'
+    password: 'password'
+```
+
+#### OIDC Client-Credentials-Flow Authentication
+
+ID: `oidc-auth-server`
+
+```yaml
+# yaml-language-server: $schema=https://dsf.dev/schema/fhir_client_connections.json
+oidc-auth-server:
+  base-url: https://oidc.auth.server/fhir
+  oidc-auth:
+    base-url: https://oidc.server
+    client-id: some_client_id
+    client-secret-file: 'path/password.file’
+```
+
+For a full list of configuration properties see the FHIR client connections [validation schema](https://dsf.dev/schema/fhir_client_connections.json).
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/bpe/logging.md b/docs/src/operations/v2.1.0/bpe/logging.md
new file mode 100644
index 000000000..4707125c5
--- /dev/null
+++ b/docs/src/operations/v2.1.0/bpe/logging.md
@@ -0,0 +1,788 @@
+---
+title: Logging
+icon: config
+---
+
+The DSF BPE Server provides a **Standard Application Logger** and a dedicated **Data Logger** to help debug problems with process plugins. Both mechanisms can output there messages to standard output (stdout), standard error (stderr) and dedicated log files.
+
+By default the **Standard Application Logger** is configured to output with min. level `INFO` and format `TEXT_COLOR` to *stdout* as well as min. level `DEBUG` and format `TEXT_MDC` to a dedicated log file. The **Data Logger** is disabled by default and should only be used to debug problems with process plugins temporarily.
+
+### Standard Application Logger
+The file, *stdout* and *stderr* outputs for the **Standard Application Logger** can be enabled or disabled using the environment variables [`DEV_DSF_LOG_FILE_ENABLED`](./configuration.md#dev-dsf-log-file-enabled), [`DEV_DSF_LOG_CONSOLE_OUT_ENABLED`](./configuration.md#dev-dsf-log-console-out-enabled) and [`DEV_DSF_LOG_CONSOLE_ERR_ENABLED`](./configuration.md#dev-dsf-log-console-err-enabled).
+
+#### Output Level
+Log messages are grouped by severity (low to high): `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`. A minimal log level can be configured for the file, *stdout* and *stderr* outputs using the environment variables [`DEV_DSF_LOG_FILE_LEVEL`](./configuration.md#dev-dsf-log-file-level), [`DEV_DSF_LOG_CONSOLE_OUT_LEVEL`](./configuration.md#dev-dsf-log-console-out-level) and [`DEV_DSF_LOG_CONSOLE_ERR_LEVEL`](./configuration.md#dev-dsf-log-console-err-level).
+
+#### Output Style
+Multiple styles are supported for the **Standard Application Logger** file, *stdout* and *stderr* outputs. All structured logging JSON styles include additional infos (Mapped Diagnostic Context) about the executing process plugin and process instance, or the requesting user. The output style can be configured using the environment variables [`DEV_DSF_LOG_FILE_STYLE`](./configuration.md#dev-dsf-log-file-style), [`DEV_DSF_LOG_CONSOLE_OUT_STYLE`](./configuration.md#dev-dsf-log-console-out-style) and [`DEV_DSF_LOG_CONSOLE_ERR_STYLE`](./configuration.md#dev-dsf-log-console-err-style). The **TEXT_COLOR** and **TEXT_COLOR_MDC** styles are not supported for the file output.
+* **TEXT** a minimal text format.
+* **TEXT_COLOR** a minimal text format with ANSI escape sequences to colorize WARN and ERROR messages. Not supported for the file output.
+* **TEXT_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user.
+* **TEXT_COLOR_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user and ANSI escape sequences to colorize WARN and ERROR events. Not supported for the file output.
+* **JSON_ECS** follows the Elastic Common Schema (ECS) reference.
+* **JSON_GCP** uses the Google Cloud Platform structured logging model with additional `_thread`, `_logger` and `_exception` fields.
+* **JSON_GELF** follows the Graylog Extended Log Format (GELF) payload specification with added `_thread` and `_logger` fields.
+* **JSON_LOGSTASH** uses the Logstash json_event pattern for log4j.
+
+::: code-tabs#shell
+
+@tab TEXT
+
+```text :no-line-numbers
+2026-01-14 12:21:17,892 [main] INFO  dev.dsf.common.buildinfo.BuildInfoReaderImpl - Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685
+2026-01-14 12:23:15,922 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
+org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
+	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
+	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
+	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
+	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
+	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
+	at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
+	at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
+	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
+	at org.eclipse.jetty.server.Server.start(Server.java:689)
+	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
+	at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
+	at org.eclipse.jetty.server.Server.doStart(Server.java:630)
+	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+	at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
+	at dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)
+	... 33 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 48 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$1(<generated>)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 51 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 73 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)
+	at dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)
+	at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)
+	at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 76 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 95 more
+Caused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at dev.dsf.common.config.AbstractCertificateConfig.createClientKeyStore(AbstractCertificateConfig.java:235)
+	at dev.dsf.bpe.spring.config.PropertiesConfig.getDsfClientKeyStore(PropertiesConfig.java:579)
+	at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.CGLIB$getDsfClientKeyStore$23(<generated>)
+	at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 98 more
+Caused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)
+	at dev.dsf.common.config.AbstractCertificateConfig.createClientKeyStore(AbstractCertificateConfig.java:228)
+	... 107 more
+Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)
+	... 109 more
+Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
+	at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
+	at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
+	at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
+	at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+	at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+	at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
+	... 111 more
+Caused by: javax.crypto.BadPaddingException: pad block corrupted
+	at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
+	at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
+	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2139)
+	... 117 more
+2026-01-14 12:24:35,514 [pool-2-thread-1] INFO  dev.dsf.bpe.v2.listener.StartListener - Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:24:35+01:00 [task: https://fhir/fhir/Task/04c2ff6f-dfce-4201-9c3d-bbce15dc892a, requester: webbrowser.test.user@invalid, business-key: 92f2eee2-319e-47dc-8bdb-f646740b05c8, message: helloWorld]
+2026-01-14 12:24:35,521 [pool-2-thread-1] INFO  dev.dsf.bpe.service.HelloWorld - Hello World from organization with identifier 'webbrowser.test.user@invalid'
+```
+
+@tab TEXT_MDC
+
+```text :no-line-numbers
+2026-01-14 12:25:51,000 [main] INFO  dev.dsf.common.buildinfo.BuildInfoReaderImpl - Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685
+2026-01-14 12:26:24,075 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
+org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
+	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
+	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
+	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
+	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
+	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
+	at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
+	at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
+	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
+	at org.eclipse.jetty.server.Server.start(Server.java:689)
+	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
+	at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
+	at org.eclipse.jetty.server.Server.doStart(Server.java:630)
+	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+	at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
+	at dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)
+	... 33 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 48 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$1(<generated>)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 51 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 73 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)
+	at dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)
+	at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)
+	at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 76 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 95 more
+Caused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at dev.dsf.common.config.AbstractCertificateConfig.createClientKeyStore(AbstractCertificateConfig.java:235)
+	at dev.dsf.bpe.spring.config.PropertiesConfig.getDsfClientKeyStore(PropertiesConfig.java:579)
+	at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.CGLIB$getDsfClientKeyStore$23(<generated>)
+	at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 98 more
+Caused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)
+	at dev.dsf.common.config.AbstractCertificateConfig.createClientKeyStore(AbstractCertificateConfig.java:228)
+	... 107 more
+Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)
+	... 109 more
+Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
+	at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
+	at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
+	at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
+	at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+	at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+	at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
+	... 111 more
+Caused by: javax.crypto.BadPaddingException: pad block corrupted
+	at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
+	at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
+	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2139)
+	... 117 more
+2026-01-14 12:28:10,811 [pool-2-thread-1] INFO  dev.dsf.bpe.v2.listener.StartListener - {dsf.plugin.api=2, dsf.plugin.jar=process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar, dsf.plugin.name=dsf-process-hello-world, dsf.plugin.version=2.0.0.0, dsf.process=http://dsf.dev/bpe/Process/helloWorld|2.0, dsf.process.activityId=StartEvent_1, dsf.process.businessKey=110f2d10-e140-4e9f-a76d-63e9c3eb4579, dsf.process.definitionId=dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa, dsf.process.definitionKey=dsfdev_helloWorld, dsf.process.instanceId=1b5bd4cf-f13c-11f0-8e80-b6c09f49be99, dsf.process.requester.start=webbrowser.test.user@invalid, dsf.process.task.start=https://fhir/fhir/Task/b822f6cb-3cf0-4132-926e-fd7730e780f0} - Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:28:10+01:00 [task: https://fhir/fhir/Task/b822f6cb-3cf0-4132-926e-fd7730e780f0, requester: webbrowser.test.user@invalid, business-key: 110f2d10-e140-4e9f-a76d-63e9c3eb4579, message: helloWorld]
+2026-01-14 12:28:10,820 [pool-2-thread-1] INFO  dev.dsf.bpe.service.HelloWorld - {dsf.plugin.api=2, dsf.plugin.jar=process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar, dsf.plugin.name=dsf-process-hello-world, dsf.plugin.version=2.0.0.0, dsf.process=http://dsf.dev/bpe/Process/helloWorld|2.0, dsf.process.activityId=helloWorldTask, dsf.process.activityName=Hello World, dsf.process.businessKey=110f2d10-e140-4e9f-a76d-63e9c3eb4579, dsf.process.definitionId=dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa, dsf.process.definitionKey=dsfdev_helloWorld, dsf.process.instanceId=1b5bd4cf-f13c-11f0-8e80-b6c09f49be99, dsf.process.requester.start=webbrowser.test.user@invalid, dsf.process.task.start=https://fhir/fhir/Task/b822f6cb-3cf0-4132-926e-fd7730e780f0} - Hello World from organization with identifier 'webbrowser.test.user@invalid'
+```
+
+@tab JSON_ECS
+
+```json :no-line-numbers
+{
+    "@timestamp": "2026-01-14T11:33:31.869Z",
+    "ecs.version": "1.2.0",
+    "log.level": "INFO",
+    "message": "Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+    "process.thread.name": "main",
+    "log.logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+    "@timestamp": "2026-01-14T11:34:59.557Z",
+    "ecs.version": "1.2.0",
+    "log.level": "ERROR",
+    "message": "Context initialization failed",
+    "process.thread.name": "main",
+    "log.logger": "org.springframework.web.context.ContextLoader",
+    "error.type": "org.springframework.beans.factory.BeanCreationException",
+    "error.message": "Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher",
+    "error.stack_trace": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$2(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.ja…"
+}
+{
+    "@timestamp": "2026-01-14T11:36:22.477Z",
+    "ecs.version": "1.2.0",
+    "log.level": "INFO",
+    "message": "Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:36:22+01:00 [task: https://fhir/fhir/Task/8e9cd5b0-17db-460a-9e4a-73d6c8128ed4, requester: webbrowser.test.user@invalid, business-key: 6d808467-4b71-44bd-8c4c-1ec9f5482855, message: helloWorld]",
+    "process.thread.name": "pool-2-thread-1",
+    "log.logger": "dev.dsf.bpe.v2.listener.StartListener",
+    "dsf.plugin.api": "2",
+    "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+    "dsf.plugin.name": "dsf-process-hello-world",
+    "dsf.plugin.version": "2.0.0.0",
+    "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+    "dsf.process.activityId": "StartEvent_1",
+    "dsf.process.businessKey": "6d808467-4b71-44bd-8c4c-1ec9f5482855",
+    "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+    "dsf.process.definitionKey": "dsfdev_helloWorld",
+    "dsf.process.instanceId": "406b2d2f-f13d-11f0-9f64-5e3458c5889b",
+    "dsf.process.requester.start": "webbrowser.test.user@invalid",
+    "dsf.process.task.start": "https://fhir/fhir/Task/8e9cd5b0-17db-460a-9e4a-73d6c8128ed4"
+}
+{
+    "@timestamp": "2026-01-14T11:36:22.483Z",
+    "ecs.version": "1.2.0",
+    "log.level": "INFO",
+    "message": "Hello World from organization with identifier 'webbrowser.test.user@invalid'",
+    "process.thread.name": "pool-2-thread-1",
+    "log.logger": "dev.dsf.bpe.service.HelloWorld",
+    "dsf.plugin.api": "2",
+    "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+    "dsf.plugin.name": "dsf-process-hello-world",
+    "dsf.plugin.version": "2.0.0.0",
+    "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+    "dsf.process.activityId": "helloWorldTask",
+    "dsf.process.activityName": "Hello World",
+    "dsf.process.businessKey": "6d808467-4b71-44bd-8c4c-1ec9f5482855",
+    "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+    "dsf.process.definitionKey": "dsfdev_helloWorld",
+    "dsf.process.instanceId": "406b2d2f-f13d-11f0-9f64-5e3458c5889b",
+    "dsf.process.requester.start": "webbrowser.test.user@invalid",
+    "dsf.process.task.start": "https://fhir/fhir/Task/8e9cd5b0-17db-460a-9e4a-73d6c8128ed4"
+}
+```
+
+@tab JSON_GCP
+
+```json :no-line-numbers
+{
+    "timestampSeconds": 1768390669,
+    "timestampNanos": 347278835,
+    "severity": "INFO",
+    "message": "Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+    "logging.googleapis.com/sourceLocation": {
+        "function": "dev.dsf.common.buildinfo.BuildInfoReaderImpl.logBuildInfo"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "thread": "main",
+    "logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+    "timestampSeconds": 1768390720,
+    "timestampNanos": 287531451,
+    "severity": "ERROR",
+    "message": "Context initialization failed\norg.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$1(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(…",
+    "logging.googleapis.com/sourceLocation": {
+        "function": "org.springframework.web.context.ContextLoader.initWebApplicationContext"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "exception": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$1(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.ja…",
+    "thread": "main",
+    "logger": "org.springframework.web.context.ContextLoader"
+}
+{
+    "timestampSeconds": 1768390780,
+    "timestampNanos": 130358998,
+    "severity": "INFO",
+    "message": "Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:39:40+01:00 [task: https://fhir/fhir/Task/cf656fa3-2067-4e7e-8325-7f6cf1f4300d, requester: webbrowser.test.user@invalid, business-key: 6741a33d-09bd-405e-b011-81c16f42f08f, message: helloWorld]",
+    "logging.googleapis.com/labels": {
+        "dsf.plugin.api": "2",
+        "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+        "dsf.plugin.name": "dsf-process-hello-world",
+        "dsf.plugin.version": "2.0.0.0",
+        "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+        "dsf.process.activityId": "StartEvent_1",
+        "dsf.process.businessKey": "6741a33d-09bd-405e-b011-81c16f42f08f",
+        "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+        "dsf.process.definitionKey": "dsfdev_helloWorld",
+        "dsf.process.instanceId": "b63a052a-f13d-11f0-b579-bad729d5f5ed",
+        "dsf.process.requester.start": "webbrowser.test.user@invalid",
+        "dsf.process.task.start": "https://fhir/fhir/Task/cf656fa3-2067-4e7e-8325-7f6cf1f4300d"
+    },
+    "logging.googleapis.com/sourceLocation": {
+        "function": "dev.dsf.bpe.v2.listener.StartListener.logStart"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "thread": "pool-2-thread-1",
+    "logger": "dev.dsf.bpe.v2.listener.StartListener"
+}
+{
+    "timestampSeconds": 1768390780,
+    "timestampNanos": 137602932,
+    "severity": "INFO",
+    "message": "Hello World from organization with identifier 'webbrowser.test.user@invalid'",
+    "logging.googleapis.com/labels": {
+        "dsf.plugin.api": "2",
+        "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+        "dsf.plugin.name": "dsf-process-hello-world",
+        "dsf.plugin.version": "2.0.0.0",
+        "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+        "dsf.process.activityId": "helloWorldTask",
+        "dsf.process.activityName": "Hello World",
+        "dsf.process.businessKey": "6741a33d-09bd-405e-b011-81c16f42f08f",
+        "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+        "dsf.process.definitionKey": "dsfdev_helloWorld",
+        "dsf.process.instanceId": "b63a052a-f13d-11f0-b579-bad729d5f5ed",
+        "dsf.process.requester.start": "webbrowser.test.user@invalid",
+        "dsf.process.task.start": "https://fhir/fhir/Task/cf656fa3-2067-4e7e-8325-7f6cf1f4300d"
+    },
+    "logging.googleapis.com/sourceLocation": {
+        "function": "dev.dsf.bpe.service.HelloWorld.execute"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "thread": "pool-2-thread-1",
+    "logger": "dev.dsf.bpe.service.HelloWorld"
+}
+```
+
+@tab JSON_GELF
+
+```json :no-line-numbers
+{
+    "version": "1.1",
+    "host": "ce85e727ccb2",
+    "short_message": "Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+    "timestamp": 1768390889.4524915,
+    "level": 6,
+    "_logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl",
+    "_thread": "main"
+}
+{
+    "version": "1.1",
+    "host": "4fa9b078922b",
+    "short_message": "Context initialization failed",
+    "full_message": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$2(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.ja…",
+    "timestamp": 1768390920.9521272,
+    "level": 3,
+    "_logger": "org.springframework.web.context.ContextLoader",
+    "_thread": "main"
+}
+{
+    "version": "1.1",
+    "host": "bfc8c2c136fd",
+    "short_message": "Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:43:10+01:00 [task: https://fhir/fhir/Task/c8e6bcd1-2d1f-4e83-9ebe-fe9e47001771, requester: webbrowser.test.user@invalid, business-key: ee2b9d8b-ea9b-4b0f-85f0-4ce36fda5520, message: helloWorld]",
+    "timestamp": 1768390990.5990896,
+    "level": 6,
+    "_logger": "dev.dsf.bpe.v2.listener.StartListener",
+    "_thread": "pool-2-thread-1",
+    "_dsf.plugin.api": "2",
+    "_dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+    "_dsf.plugin.name": "dsf-process-hello-world",
+    "_dsf.plugin.version": "2.0.0.0",
+    "_dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+    "_dsf.process.activityId": "StartEvent_1",
+    "_dsf.process.businessKey": "ee2b9d8b-ea9b-4b0f-85f0-4ce36fda5520",
+    "_dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+    "_dsf.process.definitionKey": "dsfdev_helloWorld",
+    "_dsf.process.instanceId": "33ac9516-f13e-11f0-b349-ca0141535fb3",
+    "_dsf.process.requester.start": "webbrowser.test.user@invalid",
+    "_dsf.process.task.start": "https://fhir/fhir/Task/c8e6bcd1-2d1f-4e83-9ebe-fe9e47001771"
+}
+{
+    "version": "1.1",
+    "host": "bfc8c2c136fd",
+    "short_message": "Hello World from organization with identifier 'webbrowser.test.user@invalid'",
+    "timestamp": 1768390990.6061802,
+    "level": 6,
+    "_logger": "dev.dsf.bpe.service.HelloWorld",
+    "_thread": "pool-2-thread-1",
+    "_dsf.plugin.api": "2",
+    "_dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+    "_dsf.plugin.name": "dsf-process-hello-world",
+    "_dsf.plugin.version": "2.0.0.0",
+    "_dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+    "_dsf.process.activityId": "helloWorldTask",
+    "_dsf.process.activityName": "Hello World",
+    "_dsf.process.businessKey": "ee2b9d8b-ea9b-4b0f-85f0-4ce36fda5520",
+    "_dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+    "_dsf.process.definitionKey": "dsfdev_helloWorld",
+    "_dsf.process.instanceId": "33ac9516-f13e-11f0-b349-ca0141535fb3",
+    "_dsf.process.requester.start": "webbrowser.test.user@invalid",
+    "_dsf.process.task.start": "https://fhir/fhir/Task/c8e6bcd1-2d1f-4e83-9ebe-fe9e47001771"
+}
+```
+
+@tab:active JSON_LOGSTASH
+
+```json :no-line-numbers
+{
+    "@version": 1,
+    "source_host": "c3d9798e2b31",
+    "message": "Artifact: dsf-bpe-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:46+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+    "thread_name": "main",
+    "@timestamp": "2026-01-14T12:44:25.462+0100",
+    "level": "INFO",
+    "logger_name": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+    "exception": {
+        "exception_class": "org.springframework.beans.factory.BeanCreationException",
+        "exception_message": "Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher",
+        "stacktrace": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConnectionsConfig' defined in URL [jar:file:/opt/bpe/lib/dsf-bpe-server-2.0.1.jar!/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.class]: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1826)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:607)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.bpe.BpeJettyServer.main(BpeJettyServer.java:56)\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fhirClientConfigs' defined in dev.dsf.bpe.spring.config.FhirClientConnectionsConfig: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.afterPropertiesSet(FhirClientConnectionsConfig.java:138)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1873)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1822)\n\t... 33 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.api.config.FhirClientConfigs]: Circular reference involving containing bean 'fhirClientConnectionsConfig' - consider declaring the factory method as static for independence from its containing instance. Factory method 'fhirClientConfigs' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 48 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.bpe.spring.config.DsfClientConfig: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.createDsfConfig(FhirClientConnectionsConfig.java:129)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig.fhirClientConfigs(FhirClientConnectionsConfig.java:105)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.CGLIB$fhirClientConfigs$2(<generated>)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.FhirClientConnectionsConfig$$SpringCGLIB$$0.fhirClientConfigs(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 51 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.bpe.client.dsf.ClientProvider]: Factory method 'clientProvider' threw exception with message: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 73 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getDsfClientKeyStore' defined in dev.dsf.bpe.spring.config.PropertiesConfig: Failed to instantiate [java.security.KeyStore]: Factory method 'getDsfClientKeyStore' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:357)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:212)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:431)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.bpe.spring.config.PropertiesConfig$$SpringCGLIB$$0.getDsfClientKeyStore(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig.clientProvider(DsfClientConfig.java:93)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.bpe.spring.config.DsfClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.ja…"
+    },
+    "@version": 1,
+    "source_host": "ff514e221e2f",
+    "message": "Context initialization failed",
+    "thread_name": "main",
+    "@timestamp": "2026-01-14T12:44:55.089+0100",
+    "level": "ERROR",
+    "logger_name": "org.springframework.web.context.ContextLoader"
+}
+{
+    "mdc": {
+        "dsf.plugin.api": "2",
+        "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+        "dsf.plugin.name": "dsf-process-hello-world",
+        "dsf.plugin.version": "2.0.0.0",
+        "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+        "dsf.process.activityId": "StartEvent_1",
+        "dsf.process.businessKey": "03976b9d-8390-4891-968e-606092e49a9f",
+        "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+        "dsf.process.definitionKey": "dsfdev_helloWorld",
+        "dsf.process.instanceId": "94b6ce54-f13e-11f0-8382-f2c6c2fdda86",
+        "dsf.process.requester.start": "webbrowser.test.user@invalid",
+        "dsf.process.task.start": "https://fhir/fhir/Task/92b09db8-ffc5-4d32-982a-0212a69fb6e4"
+    },
+    "@version": 1,
+    "source_host": "45bbbf8076b6",
+    "message": "Starting process http://dsf.dev/bpe/Process/helloWorld|2.0 at 2026-01-14T12:45:53+01:00 [task: https://fhir/fhir/Task/92b09db8-ffc5-4d32-982a-0212a69fb6e4, requester: webbrowser.test.user@invalid, business-key: 03976b9d-8390-4891-968e-606092e49a9f, message: helloWorld]",
+    "thread_name": "pool-2-thread-1",
+    "@timestamp": "2026-01-14T12:45:53.399+0100",
+    "level": "INFO",
+    "logger_name": "dev.dsf.bpe.v2.listener.StartListener"
+}
+{
+    "mdc": {
+        "dsf.plugin.api": "2",
+        "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+        "dsf.plugin.name": "dsf-process-hello-world",
+        "dsf.plugin.version": "2.0.0.0",
+        "dsf.process": "http://dsf.dev/bpe/Process/helloWorld|2.0",
+        "dsf.process.activityId": "helloWorldTask",
+        "dsf.process.activityName": "Hello World",
+        "dsf.process.businessKey": "03976b9d-8390-4891-968e-606092e49a9f",
+        "dsf.process.definitionId": "dsfdev_helloWorld:1:28f93392-f13b-11f0-92c1-5ed660dabcfa",
+        "dsf.process.definitionKey": "dsfdev_helloWorld",
+        "dsf.process.instanceId": "94b6ce54-f13e-11f0-8382-f2c6c2fdda86",
+        "dsf.process.requester.start": "webbrowser.test.user@invalid",
+        "dsf.process.task.start": "https://fhir/fhir/Task/92b09db8-ffc5-4d32-982a-0212a69fb6e4"
+    },
+    "@version": 1,
+    "source_host": "45bbbf8076b6",
+    "message": "Hello World from organization with identifier 'webbrowser.test.user@invalid'",
+    "thread_name": "pool-2-thread-1",
+    "@timestamp": "2026-01-14T12:45:53.406+0100",
+    "level": "INFO",
+    "logger_name": "dev.dsf.bpe.service.HelloWorld"
+}
+```
+
+:::
+
+### Data Logger
+The file, *stdout* and *stderr* outputs for the **Data Logger** can be enabled or disabled using the environment variables [`DEV_DSF_LOG_DATA_FILE_ENABLED`](./configuration.md#dev-dsf-log-data-file-enabled), [`DEV_DSF_LOG_DATA_CONSOLE_OUT_ENABLED`](./configuration.md#dev-dsf-log-data-console-out-enabled) and [`DEV_DSF_LOG_DATA_CONSOLE_ERR_ENABLED`](./configuration.md#dev-dsf-log-data-console-err-enabled).
+
+All data messages are logged with the same severity level (DEBUG). Data messages are not included in the Standard Application Logger output. API v2 Process Plugins can use the data logger via the `dev.dsf.bpe.v2.service.DataLogger` interface to produce messages.
+
+#### Output Style
+Multiple styles are supported for the **Data Logger** file, *stdout* and *stderr* outputs. All structured logging JSON styles include additional infos (Mapped Diagnostic Context) about the executing process plugin and process instance. The output style can be configured using the environment variables [`DEV_DSF_LOG_DATA_FILE_STYLE`](./configuration.md#dev-dsf-log-data-file-style), [`DEV_DSF_LOG_DATA_CONSOLE_OUT_STYLE`](./configuration.md#dev-dsf-log-data-console-out-style) and [`DEV_DSF_LOG_DATA_CONSOLE_ERR_STYLE`](./configuration.md#dev-dsf-log-data-console-err-style).
+* **TEXT** a minimal text format.
+* **TEXT_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user.
+* **JSON_ECS** follows the Elastic Common Schema (ECS) reference.
+* **JSON_GCP** uses the Google Cloud Platform structured logging model with additional `_thread`, `_logger` and `_exception` fields.
+* **JSON_GELF** follows the Graylog Extended Log Format (GELF) payload specification with added `_thread` and `_logger` fields.
+* **JSON_LOGSTASH** uses the Logstash json_event pattern for log4j.
+
+::: code-tabs#shell
+
+@tab TEXT
+
+```text :no-line-numbers
+2026-01-14 13:25:20,030 Completed QuestionnaireResponse: {"resourceType":"QuestionnaireResponse","id":"e4dd7038-eef1-4b03-8249-21eb8f9f8309","meta":{"versionId":"2","lastUpdated":"2026-01-14T13:25:19.800+01:00","profile":["http://dsf.dev/fhir/StructureDefinition/questionnaire-response"]},"extension":[{"url":"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization","extension":[{"url":"practitioner-role","valueCoding":{"system":"http://dsf.dev/fhir/CodeSystem/practitioner-role","code":"DIC_USER"}}]}],"questionnaire":"http://dsf.dev/fhir/Questionnaire/hello-user|2.0","status":"completed","authored":"2026-01-14T12:25:19.707Z","author":{"type":"Practitioner","identifier":{"system":"http://dsf.dev/sid/practitioner-identifier","value":"webbrowser.test.user@invalid"}},"item":[{"linkId":"business-key","text":"The business-key of the process execution","answer":[{"valueString":"a8e436f4-d86d-4f24-a794-236d62645ab8"}]},{"linkId":"user-task-id","text":"The user-task-id of the process execution","answer":[{"valueString":"ec4da6fd-f143-11f0-80e8-9ae86e84a87b"}]},{"linkId":"display-example","text":"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet."},{"linkId":"string-example","text":"Add a string to test the string type","answer":[{"valueString":"Placeholder.."}]},{"linkId":"text-example","text":"Add a text to test the text type","answer":[{"valueString":"Placeholder.."}]}]}
+```
+
+@tab TEXT_MDC
+
+```text :no-line-numbers
+2026-01-14 13:26:21,587 {dsf.plugin.api=2, dsf.plugin.jar=process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar, dsf.plugin.name=dsf-process-hello-world, dsf.plugin.version=2.0.0.0, dsf.process=http://dsf.dev/bpe/Process/helloUser|2.0, dsf.process.activityId=logUserTaskRespose, dsf.process.activityName=log user task respose, dsf.process.businessKey=bbc5b6d5-7c64-4181-b0c6-82f656883229, dsf.process.definitionId=dsfdev_helloUser:1:28feb1d6-f13b-11f0-92c1-5ed660dabcfa, dsf.process.definitionKey=dsfdev_helloUser, dsf.process.instanceId=35e4749a-f144-11f0-b0d1-bab98b35e98d, dsf.process.requester.start=webbrowser.test.user@invalid, dsf.process.task.start=https://fhir/fhir/Task/eb91b3c1-b635-4ab7-8ba6-00328584b495} Completed QuestionnaireResponse: {"resourceType":"QuestionnaireResponse","id":"38cae383-828b-4acb-b427-c3c3cff23718","meta":{"versionId":"2","lastUpdated":"2026-01-14T13:26:21.436+01:00","profile":["http://dsf.dev/fhir/StructureDefinition/questionnaire-response"]},"extension":[{"url":"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization","extension":[{"url":"practitioner-role","valueCoding":{"system":"http://dsf.dev/fhir/CodeSystem/practitioner-role","code":"DIC_USER"}}]}],"questionnaire":"http://dsf.dev/fhir/Questionnaire/hello-user|2.0","status":"completed","authored":"2026-01-14T12:26:21.328Z","author":{"type":"Practitioner","identifier":{"system":"http://dsf.dev/sid/practitioner-identifier","value":"webbrowser.test.user@invalid"}},"item":[{"linkId":"business-key","text":"The business-key of the process execution","answer":[{"valueString":"bbc5b6d5-7c64-4181-b0c6-82f656883229"}]},{"linkId":"user-task-id","text":"The user-task-id of the process execution","answer":[{"valueString":"35ec8af3-f144-11f0-b0d1-bab98b35e98d"}]},{"linkId":"display-example","text":"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet."},{"linkId":"string-example","text":"Add a string to test the string type","answer":[{"valueString":"Placeholder.."}]},{"linkId":"text-example","text":"Add a text to test the text type","answer":[{"valueString":"Placeholder.."}]}]}
+```
+
+@tab JSON_ECS
+
+```json :no-line-numbers
+{
+    "@timestamp": "2026-01-14T12:34:21.464Z",
+    "ecs.version": "1.2.0",
+    "log.level": "DEBUG",
+    "message": "Completed QuestionnaireResponse: {\"resourceType\":\"QuestionnaireResponse\",\"id\":\"043a9d98-11b5-4445-accd-efb88441814b\",\"meta\":{\"versionId\":\"2\",\"lastUpdated\":\"2026-01-14T13:34:21.314+01:00\",\"profile\":[\"http://dsf.dev/fhir/StructureDefinition/questionnaire-response\"]},\"extension\":[{\"url\":\"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization\",\"extension\":[{\"url\":\"practitioner-role\",\"valueCoding\":{\"system\":\"http://dsf.dev/fhir/CodeSystem/practitioner-role\",\"code\":\"DIC_USER\"}}]}],\"questionnaire\":\"http://dsf.dev/fhir/Questionnaire/hello-user|2.0\",\"status\":\"completed\",\"authored\":\"2026-01-14T12:34:21.220Z\",\"author\":{\"type\":\"Practitioner\",\"identifier\":{\"system\":\"http://dsf.dev/sid/practitioner-identifier\",\"value\":\"webbrowser.test.user@invalid\"}},\"item\":[{\"linkId\":\"business-key\",\"text\":\"The business-key of the process execution\",\"answer\":[{\"valueString\":\"9f871bb0-ead8-4172-8ebf-b6614b90c33c\"}]},{\"linkId\":\"user-task-id\",\"text\":\"The user-task-id of the process execution\",\"answer\":[{\"valueString\":\"55ea6fce-f145-11f0-a290-be1b81df4ab5\"}]},{\"linkId\":\"display-example\",\"text\":\"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\"},{\"linkId\":\"string-example\",\"text\":\"Add a string to test the string type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]},{\"linkId\":\"text-example\",\"text\":\"Add a text to test the text type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]}]}",
+    "process.thread.name": "pool-3-thread-1",
+    "log.logger": "dsf-data-logger",
+    "dsf.plugin.api": "2",
+    "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+    "dsf.plugin.name": "dsf-process-hello-world",
+    "dsf.plugin.version": "2.0.0.0",
+    "dsf.process": "http://dsf.dev/bpe/Process/helloUser|2.0",
+    "dsf.process.activityId": "logUserTaskRespose",
+    "dsf.process.activityName": "log user task respose",
+    "dsf.process.businessKey": "9f871bb0-ead8-4172-8ebf-b6614b90c33c",
+    "dsf.process.definitionId": "dsfdev_helloUser:1:57f9bd33-f144-11f0-a290-be1b81df4ab5",
+    "dsf.process.definitionKey": "dsfdev_helloUser",
+    "dsf.process.instanceId": "55e602f5-f145-11f0-a290-be1b81df4ab5",
+    "dsf.process.requester.start": "webbrowser.test.user@invalid",
+    "dsf.process.task.start": "https://fhir/fhir/Task/776fb9fa-67cb-490c-929b-c9a010c3639e"
+}
+```
+
+@tab JSON_GCP
+
+```json :no-line-numbers
+{
+    "timestampSeconds": 1768394122,
+    "timestampNanos": 561090136,
+    "severity": "DEBUG",
+    "message": "Completed QuestionnaireResponse: {\"resourceType\":\"QuestionnaireResponse\",\"id\":\"5bb1f439-93f9-4d73-9574-2d710a64d0fb\",\"meta\":{\"versionId\":\"2\",\"lastUpdated\":\"2026-01-14T13:35:22.381+01:00\",\"profile\":[\"http://dsf.dev/fhir/StructureDefinition/questionnaire-response\"]},\"extension\":[{\"url\":\"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization\",\"extension\":[{\"url\":\"practitioner-role\",\"valueCoding\":{\"system\":\"http://dsf.dev/fhir/CodeSystem/practitioner-role\",\"code\":\"DIC_USER\"}}]}],\"questionnaire\":\"http://dsf.dev/fhir/Questionnaire/hello-user|2.0\",\"status\":\"completed\",\"authored\":\"2026-01-14T12:35:22.286Z\",\"author\":{\"type\":\"Practitioner\",\"identifier\":{\"system\":\"http://dsf.dev/sid/practitioner-identifier\",\"value\":\"webbrowser.test.user@invalid\"}},\"item\":[{\"linkId\":\"business-key\",\"text\":\"The business-key of the process execution\",\"answer\":[{\"valueString\":\"23f23222-810f-40d2-b228-63dc65efedbf\"}]},{\"linkId\":\"user-task-id\",\"text\":\"The user-task-id of the process execution\",\"answer\":[{\"valueString\":\"79ccfcd6-f145-11f0-b859-02f958cc3f48\"}]},{\"linkId\":\"display-example\",\"text\":\"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\"},{\"linkId\":\"string-example\",\"text\":\"Add a string to test the string type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]},{\"linkId\":\"text-example\",\"text\":\"Add a text to test the text type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]}]}",
+    "logging.googleapis.com/labels": {
+        "dsf.plugin.api": "2",
+        "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+        "dsf.plugin.name": "dsf-process-hello-world",
+        "dsf.plugin.version": "2.0.0.0",
+        "dsf.process": "http://dsf.dev/bpe/Process/helloUser|2.0",
+        "dsf.process.activityId": "logUserTaskRespose",
+        "dsf.process.activityName": "log user task respose",
+        "dsf.process.businessKey": "23f23222-810f-40d2-b228-63dc65efedbf",
+        "dsf.process.definitionId": "dsfdev_helloUser:1:57f9bd33-f144-11f0-a290-be1b81df4ab5",
+        "dsf.process.definitionKey": "dsfdev_helloUser",
+        "dsf.process.instanceId": "79c6bb3d-f145-11f0-b859-02f958cc3f48",
+        "dsf.process.requester.start": "webbrowser.test.user@invalid",
+        "dsf.process.task.start": "https://fhir/fhir/Task/8f86cc34-feec-4c27-bb0f-ca3c42ed8c7c"
+    },
+    "logging.googleapis.com/sourceLocation": {
+        "function": "dev.dsf.bpe.v2.service.DataLoggerImpl.log"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "thread": "pool-3-thread-1",
+    "logger": "dsf-data-logger"
+}
+```
+
+@tab JSON_GELF
+
+```json :no-line-numbers
+{
+    "version": "1.1",
+    "host": "186cf01dc749",
+    "short_message": "Completed QuestionnaireResponse: {\"resourceType\":\"QuestionnaireResponse\",\"id\":\"74c53749-9179-4b64-867e-87ffb1c2571c\",\"meta\":{\"versionId\":\"2\",\"lastUpdated\":\"2026-01-14T13:36:35.220+01:00\",\"profile\":[\"http://dsf.dev/fhir/StructureDefinition/questionnaire-response\"]},\"extension\":[{\"url\":\"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization\",\"extension\":[{\"url\":\"practitioner-role\",\"valueCoding\":{\"system\":\"http://dsf.dev/fhir/CodeSystem/practitioner-role\",\"code\":\"DIC_USER\"}}]}],\"questionnaire\":\"http://dsf.dev/fhir/Questionnaire/hello-user|2.0\",\"status\":\"completed\",\"authored\":\"2026-01-14T12:36:35.136Z\",\"author\":{\"type\":\"Practitioner\",\"identifier\":{\"system\":\"http://dsf.dev/sid/practitioner-identifier\",\"value\":\"webbrowser.test.user@invalid\"}},\"item\":[{\"linkId\":\"business-key\",\"text\":\"The business-key of the process execution\",\"answer\":[{\"valueString\":\"22fbbf3d-a172-46fc-81a2-f65df7a2a13f\"}]},{\"linkId\":\"user-task-id\",\"text\":\"The user-task-id of the process execution\",\"answer\":[{\"valueString\":\"9b16de91-f145-11f0-b9cc-7e27fa327b95\"}]},{\"linkId\":\"display-example\",\"text\":\"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\"},{\"linkId\":\"string-example\",\"text\":\"Add a string to test the string type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]},{\"linkId\":\"text-example\",\"text\":\"Add a text to test the text type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]}]}",
+    "timestamp": 1768394195.3648491,
+    "level": 7,
+    "_logger": "dsf-data-logger",
+    "_thread": "pool-3-thread-1",
+    "_dsf.plugin.api": "2",
+    "_dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+    "_dsf.plugin.name": "dsf-process-hello-world",
+    "_dsf.plugin.version": "2.0.0.0",
+    "_dsf.process": "http://dsf.dev/bpe/Process/helloUser|2.0",
+    "_dsf.process.activityId": "logUserTaskRespose",
+    "_dsf.process.activityName": "log user task respose",
+    "_dsf.process.businessKey": "22fbbf3d-a172-46fc-81a2-f65df7a2a13f",
+    "_dsf.process.definitionId": "dsfdev_helloUser:1:57f9bd33-f144-11f0-a290-be1b81df4ab5",
+    "_dsf.process.definitionKey": "dsfdev_helloUser",
+    "_dsf.process.instanceId": "9b0ea128-f145-11f0-b9cc-7e27fa327b95",
+    "_dsf.process.requester.start": "webbrowser.test.user@invalid",
+    "_dsf.process.task.start": "https://fhir/fhir/Task/4664a61d-2be7-4bd8-a8a6-184b7bc611f7"
+}
+```
+
+@tab:active JSON_LOGSTASH
+
+```json :no-line-numbers
+{
+    "mdc": {
+        "dsf.plugin.api": "2",
+        "dsf.plugin.jar": "process/dsf-process-hello-world-2.0.0.0-SNAPSHOT.jar",
+        "dsf.plugin.name": "dsf-process-hello-world",
+        "dsf.plugin.version": "2.0.0.0",
+        "dsf.process": "http://dsf.dev/bpe/Process/helloUser|2.0",
+        "dsf.process.activityId": "logUserTaskRespose",
+        "dsf.process.activityName": "log user task respose",
+        "dsf.process.businessKey": "bd9f6814-6cb3-4ddf-8389-05b9ae9658c4",
+        "dsf.process.definitionId": "dsfdev_helloUser:1:57f9bd33-f144-11f0-a290-be1b81df4ab5",
+        "dsf.process.definitionKey": "dsfdev_helloUser",
+        "dsf.process.instanceId": "ceb018e9-f145-11f0-9e55-9efb3a5fd65d",
+        "dsf.process.requester.start": "webbrowser.test.user@invalid",
+        "dsf.process.task.start": "https://fhir/fhir/Task/d5bd4243-a87b-4445-8a34-36ddec7ac648"
+    },
+    "@version": 1,
+    "source_host": "59d5d46e125a",
+    "message": "Completed QuestionnaireResponse: {\"resourceType\":\"QuestionnaireResponse\",\"id\":\"2dfbf9d0-1c2f-44f0-9f94-4099280a6bde\",\"meta\":{\"versionId\":\"2\",\"lastUpdated\":\"2026-01-14T13:37:48.172+01:00\",\"profile\":[\"http://dsf.dev/fhir/StructureDefinition/questionnaire-response\"]},\"extension\":[{\"url\":\"http://dsf.dev/fhir/StructureDefinition/extension-questionnaire-authorization\",\"extension\":[{\"url\":\"practitioner-role\",\"valueCoding\":{\"system\":\"http://dsf.dev/fhir/CodeSystem/practitioner-role\",\"code\":\"DIC_USER\"}}]}],\"questionnaire\":\"http://dsf.dev/fhir/Questionnaire/hello-user|2.0\",\"status\":\"completed\",\"authored\":\"2026-01-14T12:37:48.078Z\",\"author\":{\"type\":\"Practitioner\",\"identifier\":{\"system\":\"http://dsf.dev/sid/practitioner-identifier\",\"value\":\"webbrowser.test.user@invalid\"}},\"item\":[{\"linkId\":\"business-key\",\"text\":\"The business-key of the process execution\",\"answer\":[{\"valueString\":\"bd9f6814-6cb3-4ddf-8389-05b9ae9658c4\"}]},{\"linkId\":\"user-task-id\",\"text\":\"The user-task-id of the process execution\",\"answer\":[{\"valueString\":\"ceb76bf2-f145-11f0-9e55-9efb3a5fd65d\"}]},{\"linkId\":\"display-example\",\"text\":\"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\"},{\"linkId\":\"string-example\",\"text\":\"Add a string to test the string type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]},{\"linkId\":\"text-example\",\"text\":\"Add a text to test the text type\",\"answer\":[{\"valueString\":\"Placeholder..\"}]}]}",
+    "thread_name": "pool-3-thread-1",
+    "@timestamp": "2026-01-14T13:37:48.325+0100",
+    "level": "DEBUG",
+    "logger_name": "dsf-data-logger"
+}
+```
+
+:::
+
+### Custom Logging Config
+A fully custom log4j2 xml logging config can be set via the environment variable [`DEV_DSF_LOG_CONFIG`](./configuration.md#dev-dsf-log-config).
diff --git a/docs/src/operations/v2.1.0/bpe/oidc.md b/docs/src/operations/v2.1.0/bpe/oidc.md
new file mode 100644
index 000000000..b0c6a6458
--- /dev/null
+++ b/docs/src/operations/v2.1.0/bpe/oidc.md
@@ -0,0 +1,56 @@
+---
+title: OpenID Connect
+icon: config
+---
+
+## Overview
+Access to the DSF BPE server user interface can be configured via [access control roles](access-control). By default users are only authenticated using X.509 client certificates, but authentication for local users via OAuth 2.0 OpenID Connect can also be enabled.
+
+The DSF BPE server supports [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) for the user interface. [Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) is also supported.
+
+
+::: tip BPE Reverse Proxy
+The DSF BPE reverse proxy requires client certificates by default. To use OpenID Connect authentication the configuration parameter [SSL_VERIFY_CLIENT](../bpe-reverse-proxy/configuration.html#ssl-verify-client) needs to be set to `optional`.
+:::
+
+
+## Authorization Code Flow
+
+To enable authentication via OpenID Connect authorization code flow, set the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW](configuration#dev-dsf-server-auth-oidc-authorization-code-flow) to `true` and specify the following parameters:
+
+- [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL](configuration#dev-dsf-server-auth-oidc-provider-realm-base-url)
+- [DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID](configuration#dev-dsf-server-auth-oidc-client-id)
+- [DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET](configuration#dev-dsf-server-auth-oidc-client-secret)
+
+Optionally, back channel logout can be enabled by setting [DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT](configuration#dev-dsf-server-auth-oidc-back-channel-logout) to `true`. The DSF BPE server accepts logout tokens at [DEV_DSF_BPE_SERVER_BASE_URL](configuration#dev-dsf-bpe-server-base-url) + `/back-channel-logout`. The path can be modified via [DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH](configuration#dev-dsf-server-auth-oidc-back-channel-logout-path).
+
+## Additional ODIC Configuration Parameter
+
+A number of additional `DEV_DSF_SERVER_AUTH_OIDC ...` configuration parameter are specify on the DSF BPE server [configuration parameter page](configuration).
+
+For example the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](configuration#dev-dsf-server-auth-oidc-provider-client-trust-server-certificate-cas) can be used to specify a PEM encoded file with trusted root certificates to be used when accessing the OpenID Connect provider. If not specify the JVM default trusted root certificates are used for this connection.
+
+
+## Example
+```yaml
+services:
+  app:
+    image: ghcr.io/datasharingframework/bpe:1.5.2
+    # ...
+    secrets:
+      - keycloak_root_ca.pem
+      # ...
+    environment:
+      # ...
+      DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW: 'true'
+      DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT: 'true'
+      DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN: 'true'
+      DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL: https://keycloak.test.org/realms/dsf
+      DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/keycloak_root_ca.pem
+      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID: dsf-bpe
+      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET: n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3
+    # ...
+secrets:
+  keycloak_root_ca.pem:
+    file: ./secrets/keycloak_root_ca.pem
+```
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/fhir-reverse-proxy/README.md b/docs/src/operations/v2.1.0/fhir-reverse-proxy/README.md
new file mode 100644
index 000000000..99d71a7a5
--- /dev/null
+++ b/docs/src/operations/v2.1.0/fhir-reverse-proxy/README.md
@@ -0,0 +1,29 @@
+---
+title: FHIR Reverse Proxy
+icon: module
+---
+
+## Purpose
+
+The **DSF FHIR Reverse Proxy** is the externally reachable Apache HTTP Server based front for the [FHIR Server](../fhir/). It terminates TLS, performs client certificate authentication for inbound DSF-to-DSF traffic, optionally accepts OIDC bearer tokens for human users, and forwards authenticated requests to the FHIR Server backend. It is the only component of a DSF instance that should be exposed to the public internet.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/fhir_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/fhir_proxy)
+- Tag for this release: `{{release.tag}}`
+
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+  {{release.image.fhir_proxy}}@sha256:{{release.digest.fhir_proxy}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [How to Verify Image Signatures](../image-verification)
diff --git a/docs/src/operations/v2.1.0/fhir-reverse-proxy/configuration.md b/docs/src/operations/v2.1.0/fhir-reverse-proxy/configuration.md
new file mode 100644
index 000000000..5c7a1cb30
--- /dev/null
+++ b/docs/src/operations/v2.1.0/fhir-reverse-proxy/configuration.md
@@ -0,0 +1,116 @@
+---
+title: Configuration Parameters
+icon: config
+---
+
+### APP_SERVER_IP
+- **Required:** Yes
+- **Description:** Hostname or IP-Address of the DSF FHIR server application container, the reverse proxy target
+- **Example:** `app`, `172.28.1.3`
+
+
+### HTTPS_SERVER_NAME_PORT
+- **Required:** Yes
+- **Description:** External FQDN of your DSF FHIR server with port, typically `443`
+- **Example:** `my-external.fqdn:443`
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_WS
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### PROXY_PASS_TIMEOUT_WS
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### SERVER_CONTEXT_PATH
+- **Required:** No
+- **Description:** Reverse proxy context path that delegates to the app server, `/` character at start, no `/` character at end, use `''` (empty string) to configure root as context path
+- **Default:** `/fhir`
+
+
+### SSL_CA_CERTIFICATE_FILE
+- **Required:** No
+- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`; not used by default, overrides *SSL_CA_CERTIFICATE_PATH* if not empty
+
+
+### SSL_CA_CERTIFICATE_PATH
+- **Required:** No
+- **Description:** Folder with trusted full CA chains for validating client certificates
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_ca_chains`
+
+
+### SSL_CA_DN_REQUEST_FILE
+- **Required:** No
+- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from *SSL_CA_CERTIFICATE_FILE* are used; not used by default, overrides *SSL_CA_DN_REQUEST_PATH* if not empty
+
+
+### SSL_CA_DN_REQUEST_PATH
+- **Required:** No
+- **Description:**  Folder with trusted client certificate issuing CAs, modifies the "Acceptable client certificate CA names" send to the client, uses all from *SSL_CA_CERTIFICATE_FILE* or *SSL_CA_CERTIFICATE_PATH* if not set or empty
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_issuing_cas`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via *SSL_CERTIFICATE_FILE* contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via *SSL_CERTIFICATE_FILE* contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_FILE
+- **Required:** Yes
+- **Description:** Server certificate file, PEM encoded, sets the apache httpd parameter `SSLCertificateFile`, may contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate). Omit *SSL_CERTIFICATE_CHAIN_FILE* if chain included
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_file.pem`
+
+
+### SSL_CERTIFICATE_KEY_FILE
+- **Required:** Yes
+- **Description:** Server certificate private key file, PEM encoded, unencrypted, sets the apache httpd parameter `SSLCertificateKeyFile`
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_key_file.pem`
+
+
+### SSL_EXPECTED_CLIENT_S_DN_C_VALUES
+- **Required:** No
+- **Description:** Expected client certificate subject DN country `C` values, must be a comma-separated list of strings in single quotation marks, e.g. `'DE', 'FR'`. If a client certificate with a not configured subject country `C` value is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'DE'`
+
+
+### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
+- **Required:** No
+- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA Client Authentication ECC', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA Client Authentication RSA', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
+
+
+### SSL_VERIFY_CLIENT
+- **Required:** No
+- **Description:** Modifies the apache mod_ssl config parameter `SSLVerifyClient`
+- **Recommendation:** Set to `optional` when using OIDC authentication
+- **Default:** `require`
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/fhir/README.md b/docs/src/operations/v2.1.0/fhir/README.md
new file mode 100644
index 000000000..14c425f29
--- /dev/null
+++ b/docs/src/operations/v2.1.0/fhir/README.md
@@ -0,0 +1,32 @@
+---
+title: FHIR Server
+icon: module
+---
+
+## Purpose
+
+The **DSF FHIR Server** exposes the HL7® FHIR® R4 REST API that other DSF instances communicate with. It stores and serves the resources required to coordinate distributed business processes — such as `Task`, `ActivityDefinition`, `Organization`, `Endpoint`, and project-specific data resources — and enforces access control on every interaction. Together with the [FHIR Reverse Proxy](../fhir-reverse-proxy/) it forms the externally reachable component of a DSF instance.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/fhir`](https://github.com/datasharingframework/dsf/pkgs/container/fhir)
+- Tag for this release: `{{release.tag}}`
+
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+  {{release.image.fhir}}@sha256:{{release.digest.fhir}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [Access Control](access-control)
+- [OpenID Connect](oidc)
+- [Logging](logging)
+- [How to Verify Image Signatures](../image-verification)
diff --git a/docs/src/operations/v2.1.0/fhir/access-control.md b/docs/src/operations/v2.1.0/fhir/access-control.md
new file mode 100644
index 000000000..3447e3dc6
--- /dev/null
+++ b/docs/src/operations/v2.1.0/fhir/access-control.md
@@ -0,0 +1,146 @@
+---
+title: Access Control
+icon: config
+---
+
+## Overview
+
+The DSF FHIR server implements a subset of the FHIR R4 [REST API](http://hl7.org/fhir/R4/http.html). When accessing the API with a web browser a limited graphical user interface is shown. Without any additional configuration the API and user interface is only accessible with the X.509 client certificate configured for the organization via the client certificate configuration parameter  [DEV_DSF_FHIR_CLIENT_CERTIFICATE](configuration##dev-dsf-fhir-client-certificate) or the manual override option [DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT](configuration#dev-dsf-fhir-server-organization-thumbprint).
+
+::: tip OpenID Connect
+To enable OpenID Connect authentication of local user, see the DSF FHIR server OpenID Connect [configuration page](oidc).
+:::
+
+Access to the API and user interface can be enabled for additional client certificates and local users authenticating via OAuth 2.0 OpenID Connect. Access can be configured for so called roles, with all roles specified using the configuration parameter [DEV_DSF_FHIR_SERVER_ROLECONFIG](configuration#dev-dsf-fhir-server-roleconfig). The value for this environment variable is specified as YAML using the block scalar `|`.
+
+The listing below shows a minimal configuration to enable read access for all resources for a specific client-certificate:
+
+```yaml
+      DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+        - example_read_only_role:
+            thumbprint: 00474993fa261b0225f93c5a66aa6fcc... [a-f0-9]{128}
+            dsf-role:
+              - READ
+              - SEARCH
+              - HISTORY
+```
+
+The list of user roles above contains a single rule-entry `example_read_only_role`, matching the user via a client certificate SHA-512 thumbprint and assigning three DSF roles. Any string can be used as the name for the rule-entry.
+
+With DSF 2, you can now restrict the granted priviledges to specific resource types. If you want to restrict the rule-entry `example_read_only_role` to Organization resources, you can specify the resource type per dsf-role ("action"):
+
+```yaml
+      DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+        - example_read_only_organization_role:
+            thumbprint: 00474993fa261b0225f93c5a66aa6fcc... [a-f0-9]{128}
+            dsf-role:
+              - READ: [Organization]
+              - SEARCH: [Organization]
+              - HISTORY: [Organization]
+```
+
+::: tip Certificate Thumbprints
+SHA-512 certificate thumbprints in HEX form `[a-f0-9]{128}` can be calculated using:
+```sh
+certtool --fingerprint --hash=sha512 --infile=certificate.pem
+```
+:::
+
+Multiple user roles can be specified and all matching roles will be applied to an authenticated users. Use an empty string `""` or a single block scalar `|` character as the value for the configuration parameter [DEV_DSF_FHIR_SERVER_ROLECONFIG](configuration#dev-dsf-fhir-server-roleconfig) if no roles should be configured.
+
+## Matching Users
+
+To apply roles, users can be matched via the `thumbprint`, `email`, `token-role` or `token-group` properties. A single value or a list of values can be specified.
+
+#### thumbprint
+
+The property `thumbprint` can used to specify one or multiple SHA-512 certificate thumbprints. Roles from this rule are applied to the authenticating user if the certificate matches one of the specified thumbprints.
+
+#### email
+
+Using the property `email` users can be matched against e-mail addresses specified in X.509 client certificates and in OpenID Connect access tokens. Values will be matched against e-mail addresses specified in the subject DN (via PKCS#9 extension 1.2.840.113549.1.9.1) and RFC-822 Name entries of the Subject Alternative Name field. If the user authenticates via OpenID Connect, the `email` [claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) from the access token will be matched against the property values.
+
+#### token-role and token-group
+
+With the properties `token-role` and `token-group` role and group names can be specified to match against role and group claims within OAuth 2.0 access tokens.
+
+
+## DSF and Practitioner Roles
+
+Two types of roles can be applied to matched users. 
+
+#### dsf-role
+
+DSF roles specified via the `dsf-role` property define general access to the REST API and user interface. Allowed values are:
+
+`CREATE`, `READ`, `UPDATE`, `DELETE`, `SEARCH`, `HISTORY`, `PERMANENT_DELETE` and `WEBSOCKET`.
+
+
+#### practitioner-role
+
+In order to allow users to start processes, the property `practitioner-role` can be used to assign codes from FHIR [CodeSystem](http://hl7.org/fhir/R4/codesystem.html) resources. Codes are specified in the form `system-url|code`.
+If the uses has a code specified here that match with a `requester` extension within the process plugin's [ActivityDefinition](http://hl7.org/fhir/R4/activitydefinition.html) resource, the user can start the process if he also has the `dsf-role` `CREATE`.
+
+Process plugins can define and use their own code-systems. However, the DSF specifies a standard set of practitioner roles within the CodeSystem `http://dsf.dev/fhir/CodeSystem/practitioner-role`:
+
+`UAC_USER`, `COS_USER`, `CRR_USER`, `DIC_USER`, `DMS_USER`, `DTS_USER`, `HRP_USER`, `TTP_USER`, `AMS_USER`, `ASP_USER`, `SPR_USER`, `TSP_USER`, `PPH_USER`, `BIO_USER`, and `DSF_ADMIN`.
+
+
+## Examples
+
+The first example defines a group of DSF administrators. Two client certificates match against this role:
+
+```yaml
+      DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+        - certificate-admins:
+            thumbprint: 
+              - afb68b1d9d47e691b8b3d50fd9848467cada8b1c76f5f4b45f00c9f8432d505361a3ee27805f4aa06799d9ac8dace94b3f1942fce44d84866961259b13be825d
+              - 2441bfddcad97eeb83c8c31fe181b90652787b8b59bf4e569219da7db4429e389479cb7c4a2f311e34217357d594ecad7d58ccfeef2a9e93c6fcf8d98897d88c
+            dsf-role:
+              - CREATE
+              - READ
+              - UPDATE
+              - DELETE
+              - SEARCH
+              - HISTORY
+            practitioner-role:
+              - http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN
+
+```
+
+
+The second example defines an administrator group consisting of all users with the OAuth role admin plus two additional administrators identified by their client-certificate thumbprints. These administrators may perform the basic DSF tasks: starting and continuing of new process instances (by creating tasks and answering QuestionnaireResponses) and reading all resources on the DSF FHIR server.
+
+```yaml
+      DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+        - example_minimal_admin:
+            thumbprint:
+              - 0123...cdef
+              - abcd...6789
+            token-role: admin
+            dsf-role:
+              - CREATE: [Task]
+              - READ
+              - UPDATE: [QuestionnaireResponse]
+              - SEARCH
+              - HISTORY
+            practitioner-role:
+              - http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN
+
+```
+
+
+The third example allows read-only access, restricted to QuestionnaireResponse resources only. Two e-mail addresses are used to match this role. E-mail addresses from X.509 client certificates and OAuth 2.0 access tokens are matched:
+
+```yaml
+      DEV_DSF_FHIR_SERVER_ROLECONFIG: |
+        - read-only:
+            email:
+              - first.user@test.org
+              - second.user@test.org
+            dsf-role:
+              - READ: [QuestionnaireResponse]
+              - UPDATE: [QuestionnaireResponse]
+              - SEARCH: [QuestionnaireResponse]
+              - HISTORY: [QuestionnaireResponse]
+```
diff --git a/docs/src/operations/v2.1.0/fhir/configuration.md b/docs/src/operations/v2.1.0/fhir/configuration.md
new file mode 100644
index 000000000..a56b85c1b
--- /dev/null
+++ b/docs/src/operations/v2.1.0/fhir/configuration.md
@@ -0,0 +1,579 @@
+---
+title: Configuration Parameters
+icon: config
+---
+
+### DEV_DSF_FHIR_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.fhir.client.certificate
+- **Required:** Yes
+- **Description:** PEM encoded file with local client certificate for https connections to remote DSF FHIR servers
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/app_client_certificate.pem`
+
+
+### DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.fhir.client.certificate.private.key
+- **Required:** Yes
+- **Description:** Private key corresponding to the local client certificate as PEM encoded file. Use *DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/app_client_certificate_private_key.pem`
+
+
+### DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.fhir.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the local client certificate encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/app_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_FHIR_CLIENT_TIMEOUT_CONNECT
+- **Property:** dev.dsf.fhir.client.timeout.connect
+- **Required:** No
+- **Description:** Timeout until a connection is established between this DSF FHIR server and a remote DSF FHIR server
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT2S`
+
+
+### DEV_DSF_FHIR_CLIENT_TIMEOUT_READ
+- **Property:** dev.dsf.fhir.client.timeout.read
+- **Required:** No
+- **Description:** Timeout until a reading a resource from a remote DSF FHIR server is aborted
+- **Recommendation:** Change default value only if timeout exceptions occur
+- **Default:** `PT10S`
+
+
+### DEV_DSF_FHIR_CLIENT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.fhir.client.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to remote DSF FHIR servers
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_FHIR_CLIENT_VERBOSE
+- **Property:** dev.dsf.fhir.client.verbose
+- **Required:** No
+- **Description:** To enable verbose logging of requests to and replies from remote DSF FHIR servers, set to `true`
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_DB_LIQUIBASE_FORCEUNLOCK
+- **Property:** dev.dsf.fhir.db.liquibase.forceUnlock
+- **Required:** No
+- **Description:** To force liquibase to unlock the migration lock set to `true`
+- **Recommendation:** Only use this option temporarily to unlock a stuck DB migration step
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_DB_LIQUIBASE_LOCKWAITTIME
+- **Property:** dev.dsf.fhir.db.liquibase.lockWaitTime
+- **Required:** No
+- **Description:** Liquibase change lock wait time in minutes, default 2 minutes
+- **Default:** `2`
+
+
+### DEV_DSF_FHIR_DB_LIQUIBASE_PASSWORD or DEV_DSF_FHIR_DB_LIQUIBASE_PASSWORD_FILE
+- **Property:** dev.dsf.fhir.db.liquibase.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF FHIR server to execute database migrations
+- **Recommendation:** Use docker secret file to configure by using *DEV_DSF_FHIR_DB_LIQUIBASE_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_liquibase.password`
+
+
+### DEV_DSF_FHIR_DB_LIQUIBASE_USERNAME
+- **Property:** dev.dsf.fhir.db.liquibase.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF FHIR server to execute database migrations
+- **Default:** `liquibase_user`
+
+
+### DEV_DSF_FHIR_DB_URL
+- **Property:** dev.dsf.fhir.db.url
+- **Required:** Yes
+- **Description:** Address of the database used for the DSF FHIR server
+- **Recommendation:** Change only if you don't use the provided docker-compose from the installation guide or made changes to the database settings/networking in the docker-compose
+- **Example:** `jdbc:postgresql://db/fhir`
+
+
+### DEV_DSF_FHIR_DB_USER_GROUP
+- **Property:** dev.dsf.fhir.db.user.group
+- **Required:** No
+- **Description:** Name of the user group to access the database from the DSF FHIR server
+- **Default:** `fhir_users`
+
+
+### DEV_DSF_FHIR_DB_USER_PASSWORD or DEV_DSF_FHIR_DB_USER_PASSWORD_FILE
+- **Property:** dev.dsf.fhir.db.user.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF FHIR server
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_FHIR_DB_USER_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_user.password`
+
+
+### DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_GROUP
+- **Property:** dev.dsf.fhir.db.user.permanent.delete.group
+- **Required:** No
+- **Description:** Name of the user group to access the database from the DSF FHIR server for permanent deletes
+- **Default:** `fhir_permanent_delete_users`
+
+
+### DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_PASSWORD or DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_PASSWORD_FILE
+- **Property:** dev.dsf.fhir.db.user.permanent.delete.password
+- **Required:** Yes
+- **Description:** Password to access the database from the DSF FHIR server for permanent deletes
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_PASSWORD_FILE*
+- **Example:** `/run/secrets/db_user_permanent_delete.password`
+
+
+### DEV_DSF_FHIR_DB_USER_PERMANENT_DELETE_USERNAME
+- **Property:** dev.dsf.fhir.db.user.permanent.delete.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF FHIR server for permanent deletes
+- **Recommendation:** Use a different user then *DEV_DSF_FHIR_DB_USER_USERNAME*
+- **Default:** `fhir_server_permanent_delete_user`
+
+
+### DEV_DSF_FHIR_DB_USER_USERNAME
+- **Property:** dev.dsf.fhir.db.user.username
+- **Required:** No
+- **Description:** Username to access the database from the DSF FHIR server
+- **Default:** `fhir_server_user`
+
+
+### DEV_DSF_FHIR_DEBUG_LOG_MESSAGE_CURRENTUSER
+- **Property:** dev.dsf.fhir.debug.log.message.currentUser
+- **Required:** No
+- **Description:** To enable logging of the currently requesting user set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_DEBUG_LOG_MESSAGE_DBSTATEMENT
+- **Property:** dev.dsf.fhir.debug.log.message.dbStatement
+- **Required:** No
+- **Description:** To enable logging of DB queries set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_DEBUG_LOG_MESSAGE_WEBSERVICEREQUEST
+- **Property:** dev.dsf.fhir.debug.log.message.webserviceRequest
+- **Required:** No
+- **Description:** To enable logging of webservices requests set to `true`
+- **Recommendation:** This debug function should only be activated during development; WARNING: Confidential information may be leaked via the debug log!
+- **Default:** `false`
+
+
+### DEV_DSF_FHIR_SERVER_BASE_URL
+- **Property:** dev.dsf.fhir.server.base.url
+- **Required:** Yes
+- **Description:** Base address of this DSF FHIR server to read/store fhir resources
+- **Example:** `https://foo.bar/fhir`
+
+
+### DEV_DSF_FHIR_SERVER_INIT_BUNDLE
+- **Property:** dev.dsf.fhir.server.init.bundle
+- **Required:** No
+- **Description:** Fhir bundle containing the initial Allow-List, loaded on startup of the DSF FHIR server
+- **Recommendation:** Change only if you don't use the provided files from the installation guide, have local changes in the Allow-List or received an Allow-List from another source
+- **Default:** `conf/bundle.xml`
+
+
+### DEV_DSF_FHIR_SERVER_ORGANIZATION_IDENTIFIER_VALUE
+- **Property:** dev.dsf.fhir.server.organization.identifier.value
+- **Required:** Yes
+- **Description:** Local identifier value used in the Allow-List
+- **Recommendation:** By convention: The shortest possible FQDN that resolve the homepage of the organization
+- **Example:** `hospital.com`
+
+
+### DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT
+- **Property:** dev.dsf.fhir.server.organization.thumbprint
+- **Required:** No
+- **Description:** The SHA-512 thumbprint of the local organization client certificate; will be calculated on startup based on the client certificate specified via *DEV_DSF_FHIR_CLIENT_CERTIFICATE*
+- **Recommendation:** Do not specify this variable when using the same client certificate for the FHIR and BPE server; the thumbprint can be calculated via `certtool --fingerprint --hash=sha512 --infile=client_certificate.pem`
+
+
+### DEV_DSF_FHIR_SERVER_PAGE_COUNT
+- **Property:** dev.dsf.fhir.server.page.count
+- **Required:** No
+- **Description:** Page size returned by the DSF FHIR server when reading/searching fhir resources
+- **Default:** `20`
+
+
+### DEV_DSF_FHIR_SERVER_ROLECONFIG
+- **Property:** dev.dsf.fhir.server.roleConfig
+- **Required:** No
+- **Description:** Role config YAML as defined in [FHIR Server: Access Control](access-control)
+
+
+### DEV_DSF_FHIR_SERVER_STATIC_RESOURCE_CACHE
+- **Property:** dev.dsf.fhir.server.static.resource.cache
+- **Required:** No
+- **Description:** To disable static resource caching, set to `false`
+- **Recommendation:** Only set to `false` for development
+- **Default:** `true`
+
+
+### DEV_DSF_FHIR_SERVER_UI_THEME
+- **Property:** dev.dsf.fhir.server.ui.theme
+- **Required:** No
+- **Description:** UI theme parameter, adds a color indicator to the ui to distinguish `dev`, `test` and `prod` environments if configured; supported values: `dev`, `test` and `prod`
+
+
+### DEV_DSF_LOG_AUDIT_CONSOLE_ERR_ENABLED
+- **Property:** dev.dsf.log.audit.console.err.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console err output of the audit logger
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_AUDIT_CONSOLE_ERR_STYLE
+- **Property:** dev.dsf.log.audit.console.err.style
+- **Required:** No
+- **Description:** Audit logger console err style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `STYLE_TEXT`
+
+
+### DEV_DSF_LOG_AUDIT_CONSOLE_OUT_ENABLED
+- **Property:** dev.dsf.log.audit.console.out.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console out output of the audit logger
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_AUDIT_CONSOLE_OUT_STYLE
+- **Property:** dev.dsf.log.audit.console.out.style
+- **Required:** No
+- **Description:** Audit logger console out style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `STYLE_TEXT`
+
+
+### DEV_DSF_LOG_AUDIT_FILE_ENABLED
+- **Property:** dev.dsf.log.audit.file.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable log file output of the audit logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_AUDIT_FILE_STYLE
+- **Property:** dev.dsf.log.audit.file.style
+- **Required:** No
+- **Description:** Audit logger file style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT_MDC`
+
+
+### DEV_DSF_LOG_CONFIG
+- **Property:** dev.dsf.log.config
+- **Required:** No
+- **Description:** Location of a log4j configuration xml file; if file is readable, overrides configuration specified via *DEV_DSF_LOG_...* parameters
+- **Default:** `conf/log4j2.xml`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_ENABLED
+- **Property:** dev.dsf.log.console.err.enabled
+- **Required:** No
+- **Description:** Set to `true` to enable console err output of the standard logger
+- **Default:** `false`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_LEVEL
+- **Property:** dev.dsf.log.console.err.level
+- **Required:** No
+- **Description:** Standard logger console err output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `INFO`
+
+
+### DEV_DSF_LOG_CONSOLE_ERR_STYLE
+- **Property:** dev.dsf.log.console.err.style
+- **Required:** No
+- **Description:** Standard logger console err output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`, `TEXT_COLOR_MDC`, `TEXT_COLOR`
+- **Default:** `TEXT_COLOR`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_ENABLED
+- **Property:** dev.dsf.log.console.out.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable console out output of the standard logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_LEVEL
+- **Property:** dev.dsf.log.console.out.level
+- **Required:** No
+- **Description:** Standard logger console out output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `INFO`
+
+
+### DEV_DSF_LOG_CONSOLE_OUT_STYLE
+- **Property:** dev.dsf.log.console.out.style
+- **Required:** No
+- **Description:** Standard logger console out output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`, `TEXT_COLOR_MDC`, `TEXT_COLOR`
+- **Default:** `TEXT_COLOR`
+
+
+### DEV_DSF_LOG_FILE_ENABLED
+- **Property:** dev.dsf.log.file.enabled
+- **Required:** No
+- **Description:** Set to `false` to disable log file output of the standard logger
+- **Default:** `true`
+
+
+### DEV_DSF_LOG_FILE_LEVEL
+- **Property:** dev.dsf.log.file.level
+- **Required:** No
+- **Description:** Standard logger log file output level, one of: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`
+- **Default:** `DEBUG`
+
+
+### DEV_DSF_LOG_FILE_STYLE
+- **Property:** dev.dsf.log.file.style
+- **Required:** No
+- **Description:** Standard logger log file output style, one of: `JSON_ECS`, `JSON_GCP`, `JSON_GELF`, `JSON_LOGSTASH`, `TEXT_MDC`, `TEXT`
+- **Default:** `TEXT_MDC`
+
+
+### DEV_DSF_LOG_MIN_LEVEL_LOGGERS
+- **Property:** dev.dsf.log.min.level.loggers
+- **Required:** No
+- **Description:** List of logger names that are enabled to produce log output with the minimal configured log level from `DEV_DSF_LOG_CONSOLE_OUT_LEVEL`, `DEV_DSF_LOG_CONSOLE_ERR_LEVEL` and `DEV_DSF_LOG_FILE_LEVEL`
+- **Default:** `dev.dsf`
+
+
+### DEV_DSF_PROXY_NOPROXY
+- **Property:** dev.dsf.proxy.noProxy
+- **Required:** No
+- **Description:** Forward proxy no-proxy list, entries will match exactly or against (one level) sub-domains, if no port is specified - all ports are matched; comma or space separated list, YAML block scalars supported
+- **Example:** `foo.bar, test.com:8080`
+
+
+### DEV_DSF_PROXY_PASSWORD or DEV_DSF_PROXY_PASSWORD_FILE
+- **Property:** dev.dsf.proxy.password
+- **Required:** No
+- **Description:** Forward Proxy password
+- **Recommendation:** Configure password if proxy requires authentication, use docker secret file to configure using *DEV_DSF_PROXY_PASSWORD_FILE*
+
+
+### DEV_DSF_PROXY_URL
+- **Property:** dev.dsf.proxy.url
+- **Required:** No
+- **Description:** Forward (http/https) proxy url, use *DEV_DSF_BPE_PROXY_NOPROXY* to list domains that do not require a forward proxy
+- **Example:** `http://proxy.foo:8080`
+
+
+### DEV_DSF_PROXY_USERNAME
+- **Property:** dev.dsf.proxy.username
+- **Required:** No
+- **Description:** Forward proxy username
+- **Recommendation:** Configure username if proxy requires authentication
+
+
+### DEV_DSF_SERVER_API_HOST
+- **Property:** dev.dsf.server.api.host
+- **Required:** No
+- **Description:** API connector host, default in docker image: `0.0.0.0`
+- **Default:** `127.0.0.1`
+
+
+### DEV_DSF_SERVER_API_PORT
+- **Property:** dev.dsf.server.api.port
+- **Required:** No
+- **Description:** API connector port, default in docker image: `8080`
+
+
+### DEV_DSF_SERVER_AUTH_CLIENT_CERTIFICATE_HEADER
+- **Property:** dev.dsf.server.auth.client.certificate.header
+- **Required:** No
+- **Description:** Name of HTTP header with client certificate from reverse proxy
+- **Default:** `X-ClientCert`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW
+- **Property:** dev.dsf.server.auth.oidc.authorization.code.flow
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC authorization code flow
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL*, *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET* or *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT
+- **Property:** dev.dsf.server.auth.oidc.back.channel.logout
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC back-channel logout
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* to be set to `true` (enabled), *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH
+- **Property:** dev.dsf.server.auth.oidc.back.channel.logout.path
+- **Required:** No
+- **Description:** Path called by the OIDC provide to request back-channel logout
+- **Default:** `/back-channel-logout`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN
+- **Property:** dev.dsf.server.auth.oidc.bearer.token
+- **Required:** No
+- **Description:** Set to `true` to enable OIDC bearer token authentication
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified
+- **Default:** `false`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN_AUDIENCE
+- **Property:** dev.dsf.server.auth.oidc.bearer.token.audience
+- **Required:** No
+- **Description:** Audience (aud) value to verify before accepting OIDC bearer tokens, uses value from `DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID` by default, set blank string e.g. `''` to disable
+- **Recommendation:** Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified and *DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN* set tor `true`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID
+- **Property:** dev.dsf.server.auth.oidc.client.id
+- **Required:** No
+- **Description:** OIDC provider client_id, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET or DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE
+- **Property:** dev.dsf.server.auth.oidc.client.secret
+- **Required:** No
+- **Description:** OIDC provider client_secret, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CACHE_TIMEOUT_CONFIGURATION_RESOURCE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource
+- **Required:** No
+- **Description:** OIDC provider client cache timeout of the 'openid-configuration' discovery resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CACHE_TIMEOUT_JWKS_RESOURCE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource
+- **Required:** No
+- **Description:** OIDC provider client cache timeout of the jwks resource
+- **Default:** `PT1H`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate
+- **Required:** No
+- **Description:** PEM encoded file with client certificate for https connections to the OIDC provider
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_client_certificate.pem`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate.private.key
+- **Required:** No
+- **Description:** Private key corresponding to the client certificate for the OIDC provider as PEM encoded file. Use *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD* or *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE* if private key is encrypted
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_client_certificate_private_key.pem`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD or DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.server.auth.oidc.provider.client.certificate.private.key.password
+- **Required:** No
+- **Description:** Password to decrypt the client certificate for the OIDC provider encrypted private key
+- **Recommendation:** Use docker secret file to configure using *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE*
+- **Example:** `/run/secrets/oidc_provider_client_certificate_private_key.pem.password`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TIMEOUT_CONNECT
+- **Property:** dev.dsf.server.auth.oidc.provider.client.timeout.connect
+- **Required:** No
+- **Description:** OIDC provider client connect timeout
+- **Default:** `PT5S`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TIMEOUT_READ
+- **Property:** dev.dsf.server.auth.oidc.provider.client.timeout.read
+- **Required:** No
+- **Description:** OIDC provider client read timeout
+- **Default:** `PT30S`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS
+- **Property:** dev.dsf.server.auth.oidc.provider.client.trust.server.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to the OIDC provider
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/oidc_provider_trust_certificates.pem`
+- **Default:** `ca/server_root_cas`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_DISCOVERY_PATH
+- **Property:** dev.dsf.server.auth.oidc.provider.discovery.path
+- **Required:** No
+- **Description:** OIDC provider discovery path
+- **Default:** `/.well-known/openid-configuration`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL
+- **Property:** dev.dsf.server.auth.oidc.provider.realm.base.url
+- **Required:** No
+- **Description:** OIDC provider realm base url
+- **Example:** `https://keycloak.test.com:8443/realms/example-realm-name`
+
+
+### DEV_DSF_SERVER_AUTH_OIDC_SESSION_TIMEOUT
+- **Property:** dev.dsf.server.auth.oidc.session.timeout
+- **Required:** No
+- **Description:** Maximum inactivity period after which the server session for OIDC logins is invalidated; the access token may expire earlier, resulting in earlier session invalidation
+- **Default:** `PT30M`
+
+
+### DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS
+- **Property:** dev.dsf.server.auth.trust.client.certificate.cas
+- **Required:** No
+- **Description:** Folder with PEM encoded files (*.crt, *.pem) or a single PEM encoded file with one or more trusted full CA chains to validate client certificates for https connections from local and remote clients
+- **Recommendation:** Add file to default folder via bind mount or use docker secret file to configure
+- **Example:** `/run/secrets/app_client_trust_certificates.pem`
+- **Default:** `ca/client_ca_chains`
+
+
+### DEV_DSF_SERVER_CERTIFICATE
+- **Property:** dev.dsf.server.certificate
+- **Required:** No
+- **Description:** Server certificate file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_CHAIN
+- **Property:** dev.dsf.server.certificate.chain
+- **Required:** No
+- **Description:** Server certificate chain file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_KEY
+- **Property:** dev.dsf.server.certificate.key
+- **Required:** No
+- **Description:** Server certificate private key file for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CERTIFICATE_KEY_PASSWORD or DEV_DSF_SERVER_CERTIFICATE_KEY_PASSWORD_FILE
+- **Property:** dev.dsf.server.certificate.key.password
+- **Required:** No
+- **Description:** Server certificate private key file password for testing
+- **Recommendation:** Only specify For testing when terminating TLS in jetty server
+
+
+### DEV_DSF_SERVER_CONTEXT_PATH
+- **Property:** dev.dsf.server.context.path
+- **Required:** No
+- **Description:** Web application context path, default in `bpe` docker image: `/bpe`, default in `fhir` docker image: `/fhir`
+- **Recommendation:** Only modify for testing
+
+
+### DEV_DSF_SERVER_STATUS_HOST
+- **Property:** dev.dsf.server.status.host
+- **Required:** No
+- **Description:** Status connector host
+- **Default:** `127.0.0.1`
+
+
+### DEV_DSF_SERVER_STATUS_PORT
+- **Property:** dev.dsf.server.status.port
+- **Required:** No
+- **Description:** Status connector port, default in docker image: `10000`
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/fhir/logging.md b/docs/src/operations/v2.1.0/fhir/logging.md
new file mode 100644
index 000000000..eb9c0cf2b
--- /dev/null
+++ b/docs/src/operations/v2.1.0/fhir/logging.md
@@ -0,0 +1,704 @@
+---
+title: Logging
+icon: config
+---
+
+The DSF FHIR Server provides a **Standard Application Logger** and a dedicated **Audit Logger** for compliance-relevant access events. Both mechanisms can output there messages to standard output (stdout), standard error (stderr) and dedicated log files.
+
+By default the **Standard Application Logger** is configured to output with min. level `INFO` and format `TEXT_COLOR` to *stdout* as well as min. level `DEBUG` and format `TEXT_MDC` to a dedicated log file. In addition the **Audit Logger** is enabled by default to log with format `TEXT_MDC` to a dedicated log file.
+
+### Standard Application Logger
+The file, *stdout* and *stderr* outputs for the **Standard Application Logger** can be enabled or disabled using the environment variables [`DEV_DSF_LOG_FILE_ENABLED`](./configuration.md#dev-dsf-log-file-enabled), [`DEV_DSF_LOG_CONSOLE_OUT_ENABLED`](./configuration.md#dev-dsf-log-console-out-enabled) and [`DEV_DSF_LOG_CONSOLE_ERR_ENABLED`](./configuration.md#dev-dsf-log-console-err-enabled).
+
+#### Output Level
+Log messages are grouped by severity (low to high): `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`. A minimal log level can be configured for the file, *stdout* and *stderr* outputs using the environment variables [`DEV_DSF_LOG_FILE_LEVEL`](./configuration.md#dev-dsf-log-file-level), [`DEV_DSF_LOG_CONSOLE_OUT_LEVEL`](./configuration.md#dev-dsf-log-console-out-level) and [`DEV_DSF_LOG_CONSOLE_ERR_LEVEL`](./configuration.md#dev-dsf-log-console-err-level).
+
+#### Output Style
+Multiple styles are supported for the **Standard Application Logger** file, *stdout* and *stderr* outputs. All structured logging JSON styles include additional infos (Mapped Diagnostic Context) about the requesting user. The output style can be configured using the environment variables [`DEV_DSF_LOG_FILE_STYLE`](./configuration.md#dev-dsf-log-file-style), [`DEV_DSF_LOG_CONSOLE_OUT_STYLE`](./configuration.md#dev-dsf-log-console-out-style) and [`DEV_DSF_LOG_CONSOLE_ERR_STYLE`](./configuration.md#dev-dsf-log-console-err-style). The **TEXT_COLOR** and **TEXT_COLOR_MDC** styles are not supported for the file output.
+* **TEXT** a minimal text format.
+* **TEXT_COLOR** a minimal text format with ANSI escape sequences to colorize WARN and ERROR messages. Not supported for the file output.
+* **TEXT_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user.
+* **TEXT_COLOR_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user and ANSI escape sequences to colorize WARN and ERROR events. Not supported for the file output.
+* **JSON_ECS** follows the Elastic Common Schema (ECS) reference.
+* **JSON_GCP** uses the Google Cloud Platform structured logging model with additional `_thread`, `_logger` and `_exception` fields.
+* **JSON_GELF** follows the Graylog Extended Log Format (GELF) payload specification with added `_thread` and `_logger` fields.
+* **JSON_LOGSTASH** uses the Logstash json_event pattern for log4j.
+
+::: code-tabs#shell
+
+@tab TEXT
+
+```text :no-line-numbers
+2026-01-13 15:57:57,567 [main] INFO  dev.dsf.common.buildinfo.BuildInfoReaderImpl - Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685
+2026-01-13 16:03:28,524 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
+org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
+	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
+	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
+	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
+	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
+	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
+	at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
+	at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
+	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
+	at org.eclipse.jetty.server.Server.start(Server.java:689)
+	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
+	at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
+	at org.eclipse.jetty.server.Server.doStart(Server.java:630)
+	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+	at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
+	at dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 36 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)
+	at dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)
+	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2(<generated>)
+	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 39 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 60 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
+	at dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)
+	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1(<generated>)
+	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 63 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 84 more
+Caused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)
+	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)
+	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 87 more
+Caused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)
+	at dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)
+	at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)
+	... 95 more
+Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)
+	... 98 more
+Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
+	at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
+	at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
+	at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
+	at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+	at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+	at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
+	... 100 more
+Caused by: javax.crypto.BadPaddingException: pad block corrupted
+	at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
+	at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
+	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2139)
+	... 106 more
+2026-01-13 16:09:55,478 [jetty-server-95] INFO  dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule - Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/3 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}
+```
+
+@tab TEXT_MDC
+
+```text :no-line-numbers
+2026-01-13 16:11:47,115 [main] INFO  dev.dsf.common.buildinfo.BuildInfoReaderImpl - Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685
+2026-01-13 16:12:36,611 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
+org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
+	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
+	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
+	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
+	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
+	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
+	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
+	at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
+	at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
+	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
+	at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
+	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
+	at org.eclipse.jetty.server.Server.start(Server.java:689)
+	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
+	at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
+	at org.eclipse.jetty.server.Server.doStart(Server.java:630)
+	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
+	at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
+	at dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 36 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)
+	at dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)
+	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2(<generated>)
+	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 39 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 60 more
+Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
+	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
+	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
+	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
+	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
+	at dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)
+	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1(<generated>)
+	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 63 more
+Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
+	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
+	... 84 more
+Caused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)
+	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)
+	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
+	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
+	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
+	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
+	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
+	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
+	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
+	... 87 more
+Caused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)
+	at dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)
+	at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)
+	... 95 more
+Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
+	at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
+	at de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)
+	... 98 more
+Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
+	at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
+	at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
+	at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
+	at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+	at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
+	at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
+	... 100 more
+Caused by: javax.crypto.BadPaddingException: pad block corrupted
+	at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
+	at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
+	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2139)
+	... 106 more
+2026-01-13 16:13:25,589 [jetty-server-94] INFO  dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule - {dsf.user.endpoint.identifier=fhir, dsf.user.name=Test_Organization/webbrowser.test.user@invalid, dsf.user.organization.identifier=Test_Organization, dsf.user.practitioner.dn=CN=Webbrowser Test User,O=DSF,C=DE, dsf.user.practitioner.identifier=webbrowser.test.user@invalid, dsf.user.practitioner.roles=[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN], dsf.user.practitioner.thumbprint=a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7, dsf.user.roles=[HISTORY, READ, CREATE, UPDATE, SEARCH]} - Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/5 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}
+```
+
+@tab JSON_ECS
+
+```json :no-line-numbers
+{
+    "@timestamp": "2026-01-12T12:54:35.653Z",
+    "ecs.version": "1.2.0",
+    "log.level": "INFO",
+    "message": "Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+    "process.thread.name": "main",
+    "log.logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+    "@timestamp": "2026-01-12T12:54:36.931Z",
+    "ecs.version": "1.2.0",
+    "log.level": "ERROR",
+    "message": "Context initialization failed",
+    "process.thread.name": "main",
+    "log.logger": "org.springframework.web.context.ContextLoader",
+    "error.type": "org.springframework.beans.factory.BeanCreationException",
+    "error.message": "Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher",
+    "error.stack_trace": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)\n\tat org.bounc…"
+}
+{
+    "@timestamp": "2026-01-12T13:27:49.008Z",
+    "ecs.version": "1.2.0",
+    "log.level": "INFO",
+    "message": "Read of Organization/90500752-381a-46fa-858f-14d6d5b11627/_history/4 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}",
+    "process.thread.name": "jetty-server-83",
+    "log.logger": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule",
+    "dsf.user.endpoint.identifier": "fhir",
+    "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+    "dsf.user.organization.identifier": "Test_Organization",
+    "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+    "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+    "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+    "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+    "dsf.user.roles": "[UPDATE, READ, CREATE, HISTORY, SEARCH]"
+}
+```
+
+@tab JSON_GCP
+
+```json :no-line-numbers
+{
+    "timestampSeconds": 1768222644,
+    "timestampNanos": 461746234,
+    "severity": "INFO",
+    "message": "Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+    "logging.googleapis.com/sourceLocation": {
+        "function": "dev.dsf.common.buildinfo.BuildInfoReaderImpl.logBuildInfo"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "thread": "main",
+    "logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+    "timestampSeconds": 1768222645,
+    "timestampNanos": 738845490,
+    "severity": "ERROR",
+    "message": "Context initialization failed\norg.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll…",
+    "logging.googleapis.com/sourceLocation": {
+        "function": "org.springframework.web.context.ContextLoader.initWebApplicationContext"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "exception": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)\n\tat org.bounc…",
+    "thread": "main",
+    "logger": "org.springframework.web.context.ContextLoader"
+}
+{
+    "timestampSeconds": 1768225245,
+    "timestampNanos": 847212542,
+    "severity": "INFO",
+    "message": "Read of Organization/90500752-381a-46fa-858f-14d6d5b11627/_history/5 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}",
+    "logging.googleapis.com/labels": {
+        "dsf.user.endpoint.identifier": "fhir",
+        "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+        "dsf.user.organization.identifier": "Test_Organization",
+        "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+        "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+        "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+        "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+        "dsf.user.roles": "[UPDATE, READ, HISTORY, CREATE, SEARCH]"
+    },
+    "logging.googleapis.com/sourceLocation": {
+        "function": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule.reasonReadAllowed"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "thread": "jetty-server-63",
+    "logger": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule"
+}
+```
+
+@tab JSON_GELF
+
+```json :no-line-numbers
+{
+    "version": "1.1",
+    "host": "46e6824590a7",
+    "short_message": "Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+    "timestamp": 1768224184.7015762,
+    "level": 6,
+    "_logger": "dev.dsf.common.buildinfo.BuildInfoReaderImpl",
+    "_thread": "main"
+}
+{
+    "version": "1.1",
+    "host": "46e6824590a7",
+    "short_message": "Context initialization failed",
+    "full_message": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$0(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)\n\tat org.bounc…",
+    "timestamp": 1768224186.0572188,
+    "level": 3,
+    "_logger": "org.springframework.web.context.ContextLoader",
+    "_thread": "main"
+}
+{
+    "version": "1.1",
+    "host": "f169cdb63fde",
+    "short_message": "Read of Organization/90500752-381a-46fa-858f-14d6d5b11627/_history/6 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}",
+    "timestamp": 1768225406.81688,
+    "level": 6,
+    "_logger": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule",
+    "_thread": "jetty-server-89",
+    "_dsf.user.endpoint.identifier": "fhir",
+    "_dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+    "_dsf.user.organization.identifier": "Test_Organization",
+    "_dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+    "_dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+    "_dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+    "_dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+    "_dsf.user.roles": "[CREATE, SEARCH, READ, UPDATE, HISTORY]"
+}
+```
+
+@tab:active JSON_LOGSTASH
+
+```json :no-line-numbers
+{
+    "@version": 1,
+    "source_host": "da524e19dd3e",
+    "message": "Artifact: dsf-fhir-server-jetty, version: 2.0.1, build: 2025-11-26T20:24:47+01:00, branch: main, commit: 77ac1d45a35fae8666d531953572ab6c51a58685",
+    "thread_name": "main",
+    "@timestamp": "2026-01-12T14:24:17.152+0100",
+    "level": "INFO",
+    "logger_name": "dev.dsf.common.buildinfo.BuildInfoReaderImpl"
+}
+{
+    "exception": {
+        "exception_class": "org.springframework.beans.factory.BeanCreationException",
+        "exception_message": "Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher",
+        "stacktrace": "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)\n\tat org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)\n\tat org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)\n\tat org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)\n\tat org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)\n\tat org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)\n\tat org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)\n\tat org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)\n\tat org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)\n\tat org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)\n\tat org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)\n\tat org.eclipse.jetty.server.Server.start(Server.java:689)\n\tat org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)\n\tat org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)\n\tat org.eclipse.jetty.server.Server.doStart(Server.java:630)\n\tat org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)\n\tat dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)\n\tat dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 36 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2(<generated>)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 39 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 60 more\nCaused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)\n\tat org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)\n\tat org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)\n\tat org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 63 more\nCaused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)\n\tat org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)\n\t... 84 more\nCaused by: java.lang.RuntimeException: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)\n\tat org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)\n\tat org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)\n\tat dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)\n\tat java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:565)\n\tat org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)\n\t... 87 more\nCaused by: java.io.IOException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:435)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:398)\n\tat dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:111)\n\tat dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)\n\t... 95 more\nCaused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher\n\tat org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)\n\tat de.hsheilbronn.mi.utils.crypto.io.PemReader.readPrivateKey(PemReader.java:430)\n\t... 98 more\nCaused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher\n\tat org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)\n\tat org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)\n\tat org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)\n\tat org.bounc…"
+    },
+    "@version": 1,
+    "source_host": "da524e19dd3e",
+    "message": "Context initialization failed",
+    "thread_name": "main",
+    "@timestamp": "2026-01-12T14:24:18.486+0100",
+    "level": "ERROR",
+    "logger_name": "org.springframework.web.context.ContextLoader"
+}
+{
+    "mdc": {
+        "dsf.user.endpoint.identifier": "fhir",
+        "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+        "dsf.user.organization.identifier": "Test_Organization",
+        "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+        "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+        "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+        "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+        "dsf.user.roles": "[UPDATE, READ, CREATE, HISTORY, SEARCH]"
+    },
+    "@version": 1,
+    "source_host": "4bc83d5bca72",
+    "message": "Read of Organization/90500752-381a-46fa-858f-14d6d5b11627/_history/7 authorized for identity 'Test_Organization/webbrowser.test.user@invalid', matching access tag {ALL}",
+    "thread_name": "jetty-server-89",
+    "@timestamp": "2026-01-12T14:44:52.948+0100",
+    "level": "INFO",
+    "logger_name": "dev.dsf.fhir.authorization.AbstractMetaTagAuthorizationRule"
+}
+```
+
+:::
+
+### Audit Logger
+The file, *stdout* and *stderr* outputs for the **Audit Logger** can be enabled or disabled using the environment variables [`DEV_DSF_LOG_AUDIT_FILE_ENABLED`](./configuration.md#dev-dsf-log-audit-file-enabled), [`DEV_DSF_LOG_AUDIT_CONSOLE_OUT_ENABLED`](./configuration.md#dev-dsf-log-audit-console-out-enabled) and [`DEV_DSF_LOG_AUDIT_CONSOLE_ERR_ENABLED`](./configuration.md#dev-dsf-log-audit-console-err-enabled).
+
+All audit messages are logged with the same severity level (INFO). Audit messages are not included in the Standard Application Logger output.
+
+#### Output Style
+Multiple styles are supported for the **Audit Logger** file, *stdout* and *stderr* outputs. All structured logging JSON styles include additional infos (Mapped Diagnostic Context) about the requesting user. The output style can be configured using the environment variables [`DEV_DSF_LOG_AUDIT_FILE_STYLE`](./configuration.md#dev-dsf-log-audit-file-style), [`DEV_DSF_LOG_AUDIT_CONSOLE_OUT_STYLE`](./configuration.md#dev-dsf-log-audit-console-out-style) and [`DEV_DSF_LOG_AUDIT_CONSOLE_ERR_STYLE`](./configuration.md#dev-dsf-log-audit-console-err-style).
+* **TEXT** a minimal text format.
+* **TEXT_MDC** text format with additional infos (Mapped Diagnostic Context) about the requesting user.
+* **JSON_ECS** follows the Elastic Common Schema (ECS) reference.
+* **JSON_GCP** uses the Google Cloud Platform structured logging model with additional `_thread`, `_logger` and `_exception` fields.
+* **JSON_GELF** follows the Graylog Extended Log Format (GELF) payload specification with added `_thread` and `_logger` fields.
+* **JSON_LOGSTASH** uses the Logstash json_event pattern for log4j.
+
+::: code-tabs#shell
+
+@tab TEXT
+
+```text :no-line-numbers
+2026-01-14 13:05:15,281 Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/6 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}
+2026-01-14 13:05:15,281 Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/6 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK
+```
+
+@tab TEXT_MDC
+
+```text :no-line-numbers
+2026-01-14 13:06:58,279 {dsf.user.endpoint.identifier=fhir, dsf.user.name=Test_Organization/webbrowser.test.user@invalid, dsf.user.organization.identifier=Test_Organization, dsf.user.practitioner.dn=CN=Webbrowser Test User,O=DSF,C=DE, dsf.user.practitioner.identifier=webbrowser.test.user@invalid, dsf.user.practitioner.roles=[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN], dsf.user.practitioner.thumbprint=a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7, dsf.user.roles=[HISTORY, READ, CREATE, UPDATE, SEARCH]} Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/7 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}
+2026-01-14 13:06:58,281 {dsf.user.endpoint.identifier=fhir, dsf.user.name=Test_Organization/webbrowser.test.user@invalid, dsf.user.organization.identifier=Test_Organization, dsf.user.practitioner.dn=CN=Webbrowser Test User,O=DSF,C=DE, dsf.user.practitioner.identifier=webbrowser.test.user@invalid, dsf.user.practitioner.roles=[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN], dsf.user.practitioner.thumbprint=a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7, dsf.user.roles=[HISTORY, READ, CREATE, UPDATE, SEARCH]} Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/7 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK
+```
+
+@tab JSON_ECS
+
+```json :no-line-numbers
+{
+    "@timestamp": "2026-01-14T12:10:18.467Z",
+    "ecs.version": "1.2.0",
+    "log.level": "INFO",
+    "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/8 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}",
+    "process.thread.name": "jetty-server-84",
+    "log.logger": "dsf-audit-logger",
+    "dsf.user.endpoint.identifier": "fhir",
+    "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+    "dsf.user.organization.identifier": "Test_Organization",
+    "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+    "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+    "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+    "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+    "dsf.user.roles": "[UPDATE, READ, CREATE, HISTORY, SEARCH]"
+}
+{
+    "@timestamp": "2026-01-14T12:10:18.470Z",
+    "ecs.version": "1.2.0",
+    "log.level": "INFO",
+    "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/8 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK",
+    "process.thread.name": "jetty-server-84",
+    "log.logger": "dsf-audit-logger",
+    "dsf.user.endpoint.identifier": "fhir",
+    "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+    "dsf.user.organization.identifier": "Test_Organization",
+    "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+    "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+    "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+    "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+    "dsf.user.roles": "[UPDATE, READ, CREATE, HISTORY, SEARCH]"
+}
+```
+
+@tab JSON_GCP
+
+```json :no-line-numbers
+{
+    "timestampSeconds": 1768392701,
+    "timestampNanos": 247233466,
+    "severity": "INFO",
+    "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/9 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}",
+    "logging.googleapis.com/labels": {
+        "dsf.user.endpoint.identifier": "fhir",
+        "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+        "dsf.user.organization.identifier": "Test_Organization",
+        "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+        "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+        "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+        "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+        "dsf.user.roles": "[UPDATE, CREATE, SEARCH, READ, HISTORY]"
+    },
+    "logging.googleapis.com/sourceLocation": {
+        "function": "dev.dsf.fhir.webservice.secure.AbstractResourceServiceSecure.checkRead"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "thread": "jetty-server-76",
+    "logger": "dsf-audit-logger"
+}
+{
+    "timestampSeconds": 1768392701,
+    "timestampNanos": 249559501,
+    "severity": "INFO",
+    "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/9 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK",
+    "logging.googleapis.com/labels": {
+        "dsf.user.endpoint.identifier": "fhir",
+        "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+        "dsf.user.organization.identifier": "Test_Organization",
+        "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+        "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+        "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+        "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+        "dsf.user.roles": "[UPDATE, CREATE, SEARCH, READ, HISTORY]"
+    },
+    "logging.googleapis.com/sourceLocation": {
+        "function": "dev.dsf.fhir.webservice.secure.AbstractResourceServiceSecure.lambda$checkRead$1"
+    },
+    "logging.googleapis.com/trace_sampled": true,
+    "thread": "jetty-server-76",
+    "logger": "dsf-audit-logger"
+}
+```
+
+@tab JSON_GELF
+
+```json :no-line-numbers
+{
+    "version": "1.1",
+    "host": "5061409e4b61",
+    "short_message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/10 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}",
+    "timestamp": 1768393090.890408,
+    "level": 6,
+    "_logger": "dsf-audit-logger",
+    "_thread": "jetty-server-63",
+    "_dsf.user.endpoint.identifier": "fhir",
+    "_dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+    "_dsf.user.organization.identifier": "Test_Organization",
+    "_dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+    "_dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+    "_dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+    "_dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+    "_dsf.user.roles": "[CREATE, SEARCH, HISTORY, READ, UPDATE]"
+}
+{
+    "version": "1.1",
+    "host": "5061409e4b61",
+    "short_message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/10 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK",
+    "timestamp": 1768393090.8934536,
+    "level": 6,
+    "_logger": "dsf-audit-logger",
+    "_thread": "jetty-server-63",
+    "_dsf.user.endpoint.identifier": "fhir",
+    "_dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+    "_dsf.user.organization.identifier": "Test_Organization",
+    "_dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+    "_dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+    "_dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+    "_dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+    "_dsf.user.roles": "[CREATE, SEARCH, HISTORY, READ, UPDATE]"
+}
+```
+
+@tab:active JSON_LOGSTASH
+
+```json :no-line-numbers
+{
+    "mdc": {
+        "dsf.user.endpoint.identifier": "fhir",
+        "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+        "dsf.user.organization.identifier": "Test_Organization",
+        "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+        "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+        "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+        "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+        "dsf.user.roles": "[UPDATE, READ, HISTORY, CREATE, SEARCH]"
+    },
+    "@version": 1,
+    "source_host": "df1d729560c0",
+    "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/11 allowed for identity 'Test_Organization/webbrowser.test.user@invalid', reason: Identity has role READ [Organization], matching access tag {ALL}",
+    "thread_name": "jetty-server-89",
+    "@timestamp": "2026-01-14T13:19:02.403+0100",
+    "level": "INFO",
+    "logger_name": "dsf-audit-logger"
+}
+{
+    "mdc": {
+        "dsf.user.endpoint.identifier": "fhir",
+        "dsf.user.name": "Test_Organization/webbrowser.test.user@invalid",
+        "dsf.user.organization.identifier": "Test_Organization",
+        "dsf.user.practitioner.dn": "CN=Webbrowser Test User,O=DSF,C=DE",
+        "dsf.user.practitioner.identifier": "webbrowser.test.user@invalid",
+        "dsf.user.practitioner.roles": "[http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN]",
+        "dsf.user.practitioner.thumbprint": "a8874b56a7442fae17f27acc8f91a6b8f531c1855c9c7070ce04baf3a3ba17cc5cc337ba7cbd9cbb1a24d331ce99d2eb71c1368de1ae4b142084c696991214e7",
+        "dsf.user.roles": "[UPDATE, READ, HISTORY, CREATE, SEARCH]"
+    },
+    "@version": 1,
+    "source_host": "df1d729560c0",
+    "message": "Read of Organization/6d40351b-2237-486f-8fa0-6bed0ca08e72/_history/11 for identity 'Test_Organization/webbrowser.test.user@invalid' successful, status: 200 OK",
+    "thread_name": "jetty-server-89",
+    "@timestamp": "2026-01-14T13:19:02.406+0100",
+    "level": "INFO",
+    "logger_name": "dsf-audit-logger"
+}
+```
+
+:::
+
+### Custom Logging Config
+A fully custom log4j2 xml logging config can be set via the environment variable [`DEV_DSF_LOG_CONFIG`](./configuration.md#dev-dsf-log-config).
diff --git a/docs/src/operations/v2.1.0/fhir/oidc.md b/docs/src/operations/v2.1.0/fhir/oidc.md
new file mode 100644
index 000000000..519c6625f
--- /dev/null
+++ b/docs/src/operations/v2.1.0/fhir/oidc.md
@@ -0,0 +1,63 @@
+---
+title: OpenID Connect
+icon: config
+---
+
+## Overview
+Access to the DSF FHIR server REST API and user interface can be configured via [access control roles](access-control). By default users are only authenticated using X.509 client certificates, but authentication for local users via OAuth 2.0 OpenID Connect can also be enabled.
+
+The DSF FHIR server supports [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) for the user interface as well as [Bearer Token Authentication](https://datatracker.ietf.org/doc/html/rfc6750) for the REST API. [Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) is also supported.
+
+
+::: tip FHIR Reverse Proxy
+The DSF FHIR reverse proxy requires client certificates by default. To use OpenID Connect authentication the configuration parameter [SSL_VERIFY_CLIENT](../fhir-reverse-proxy/configuration.html#ssl-verify-client) needs to be set to `optional`.
+:::
+
+
+## Authorization Code Flow
+
+To enable authentication via OpenID Connect authorization code flow, set the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW](configuration#dev-dsf-server-auth-oidc-authorization-code-flow) to `true` and specify the following parameters:
+
+- [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL](configuration#dev-dsf-server-auth-oidc-provider-realm-base-url)
+- [DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID](configuration#dev-dsf-server-auth-oidc-client-id)
+- [DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET](configuration#dev-dsf-server-auth-oidc-client-secret)
+
+Optionally, back channel logout can be enabled by setting [DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT](configuration#dev-dsf-server-auth-oidc-back-channel-logout) to `true`. The DSF FHIR server accepts logout tokens at [DEV_DSF_FHIR_SERVER_BASE_URL](configuration#dev-dsf-fhir-server-base-url) + `/back-channel-logout`. The path can be modified via [DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH](configuration#dev-dsf-server-auth-oidc-back-channel-logout-path).
+
+
+## Bearer Token Authentication
+
+To enable bearer token authentication, set the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN](configuration#dev-dsf-server-auth-oidc-bearer-token) to `true` and specify the following parameter:
+- [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL](configuration#dev-dsf-server-auth-oidc-provider-realm-base-url)
+
+
+## Additional ODIC Configuration Parameter
+
+A number of additional `DEV_DSF_SERVER_AUTH_OIDC ...` configuration parameter are specify on the DSF FHIR server [configuration parameter page](configuration).
+
+For example the configuration parameter [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](configuration#dev-dsf-server-auth-oidc-provider-client-trust-server-certificate-cas) can be used to specify a PEM encoded file with trusted root certificates to be used when accessing the OpenID Connect provider. If not specify the JVM default trusted root certificates are used for this connection.
+
+
+## Example
+```yaml
+services:
+  app:
+    image: ghcr.io/datasharingframework/fhir:1.5.2
+    # ...
+    secrets:
+      - keycloak_root_ca.pem
+      # ...
+    environment:
+      # ...
+      DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW: 'true'
+      DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT: 'true'
+      DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN: 'true'
+      DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL: https://keycloak.test.org/realms/dsf
+      DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/keycloak_root_ca.pem
+      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID: dsf-fhir
+      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET: n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3
+    # ...
+secrets:
+  keycloak_root_ca.pem:
+    file: ./secrets/keycloak_root_ca.pem
+```
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/hardening-measures.md b/docs/src/operations/v2.1.0/hardening-measures.md
new file mode 100644
index 000000000..5daa10c17
--- /dev/null
+++ b/docs/src/operations/v2.1.0/hardening-measures.md
@@ -0,0 +1,95 @@
+---
+title: Security Hardening Measures
+icon: safe
+---
+
+# Defense-in-Depth Hardening Measures
+
+For DSF {{release.tag}} we performed a number of IT security hardening measures. The following changes follow security best practices. They reduce risk for non-standard deployments, protect against future code changes that could introduce new attack paths, and align with common security audit expectations.
+
+Each entry describes the change and why we consider it not exploitable in the standard DSF deployment model.
+
+## Deployment Context
+
+The standard DSF deployment uses:
+
+- **Apache2 reverse proxy** with `mod_ssl` performing TLS termination and client certificate validation (`SSLVerifyClient require`, DN checks against trusted CA list)
+- **Docker containers** with network isolation (frontend / backend / inter-service networks)
+- **Jetty application** on internal port 8080, not directly reachable from outside
+- **Status port** on `127.0.0.1:10000` (localhost only), separate Jetty connector
+- **Configuration** via Docker environment variables / secrets, only admin-writable
+- **PostgreSQL** not exposed to host, only accessible from the application container
+
+The assessments below consider this standard deployment. Non-standard deployments (e.g., Jetty directly exposed, no reverse proxy) may have different risk profiles.
+
+## Improved XML Transformer Configuration
+
+Disabled external entity resolution and enabled secure processing on `TransformerFactory` instances in `ProcessService`, `ThymeleafTemplateServiceImpl`, and `BundleGenerator`. We consider this not exploitable because although external organizations and authorized users can create FHIR resources (e.g., Tasks), the content never reaches the TransformerFactory as raw XML. The data path is: user input is parsed by HAPI FHIR into a Java object model (stripping any XML-level constructs like DOCTYPE/ENTITY declarations), stored as JSONB in PostgreSQL, and then re-serialized to well-formed XML by HAPI's serializer when displayed. The TransformerFactory only pretty-prints HAPI's serialized output, where all text content is properly XML-escaped. `BundleGenerator` is a Maven build-time tool, not a runtime component. Hardening against CWE-611 (XXE).
+
+Commit: [`b89c512dc`](https://github.com/datasharingframework/dsf/commit/b89c512dc)
+
+## Database Username/Group Validation
+
+Added regex validation (`^[a-zA-Z_][a-zA-Z0-9_$]{0,62}$`) for PostgreSQL identifier config parameters used in DDL statements. We consider this not exploitable because these values come exclusively from admin-managed config files and Docker environment variables — an attacker with write access to these already has full system control. Hardening against CWE-89.
+
+Commit: [`7e2de0ed8`](https://github.com/datasharingframework/dsf/commit/7e2de0ed8)
+
+## HTTPS Enforcement for OIDC Endpoints
+
+Added explicit check that OIDC token and JWKS endpoints use HTTPS. We consider this not exploitable because a compromised OIDC provider can already issue arbitrary tokens directly, making HTTP interception redundant. In the MITM scenario (legitimate provider, network attacker), the provider URL is admin-configured as HTTPS and legitimate providers always return HTTPS endpoints in their discovery documents. In both cases, obtained tokens are constrained by the admin-managed `roleConfig` — no privilege escalation beyond configured roles is possible. Hardening against CWE-918 / CWE-319.
+
+Commit: [`bdeddf308`](https://github.com/datasharingframework/dsf/commit/bdeddf308)
+
+## JWKS Minimum Key Size and `use=sig` Filtering
+
+Added 2048-bit minimum RSA key length and `use=sig` check for JWKS keys used in JWT verification. We consider this not exploitable because no mainstream OIDC provider (Keycloak, etc.) publishes RSA keys below 2048 bits. Even if an attacker could forge tokens via weak keys, privileges are constrained by the admin-managed `roleConfig` — the same limitation as with a compromised OIDC provider. Hardening against CWE-326 / CWE-347.
+
+Commit: [`31c2e974d`](https://github.com/datasharingframework/dsf/commit/31c2e974d)
+
+## Removed Access Token Claim Logging
+
+Removed DEBUG-level logging of token claims (groups, roles) in `AbstractIdentityProvider` and `BearerTokenAuthenticator`. We consider this not exploitable because DEBUG logging is disabled in production by default, and the logged data (group memberships, roles) is operational metadata — not secrets like passwords or signing keys. Hardening against CWE-532.
+
+Commit: [`cc0bb71ef`](https://github.com/datasharingframework/dsf/commit/cc0bb71ef)
+
+## Session Cookie Security Attributes
+
+Added `Secure`, `HttpOnly`, and `SameSite=LAX` flags to session cookies. We consider this not exploitable because TLS is terminated at the Apache HTTP Server reverse proxy (clients only communicate over HTTPS), the `HttpOnly` flag is only relevant if an XSS vulnerability exists (none is exploitable, see `th:utext` below), and `SameSite` has limited impact since primary authentication uses mTLS, not cookies. Hardening against CWE-614 / CWE-1004.
+
+Commit: [`5cc00611b`](https://github.com/datasharingframework/dsf/commit/5cc00611b)
+
+## JSON Serialization in JSONB Query Parameters
+
+Replaced string concatenation with Jackson `ObjectMapper` serialization for JSONB query parameters in all DAO classes and search filters. We consider this not exploitable because user-controlled values are bound via `PreparedStatement.setString()`, which transmits query template and parameter values separately to PostgreSQL — the parameter value is never parsed as SQL and there is no way to inject `JOIN`, `UNION`, or subqueries. Within the JSONB domain, the identity filter (access control) operates as a separate `AND` condition with server-side parameters that cannot be influenced by search parameter manipulation, the `@>` containment operator becomes more restrictive with additional injected elements (not less), and result sets are always a subset of authorized resources — no enumeration of unauthorized data is possible. Hardening against CWE-89.
+
+Commit: [`37c0282c6`](https://github.com/datasharingframework/dsf/commit/37c0282c6)
+
+## Client Certificate Expiration Check
+
+Added explicit certificate expiration check and changed auth type from `"RSA"` to `"UNKNOWN"` in `ClientCertificateAuthenticator`. We consider this not exploitable because the Apache HTTP Server reverse proxy performs TLS termination with `SSLVerifyClient require` and validates certificate expiration, chain trust, and revocation before requests reach Jetty. The Jetty-level check is a redundant second validation. Hardening against CWE-295 / CWE-324.
+
+Commit: [`c6d369828`](https://github.com/datasharingframework/dsf/commit/c6d369828)
+
+## Safe YAML Deserialization
+
+Replaced `new Yaml()` with `new Yaml(new SafeConstructor(new LoaderOptions()))` in `RoleConfigReader`. We consider this not exploitable because the YAML content comes exclusively from admin-managed config files (`config.properties`) and Docker environment variables — an attacker with write access to these can already execute arbitrary code through simpler means. Hardening against CWE-502.
+
+Commit: [`e0b6cf00a`](https://github.com/datasharingframework/dsf/commit/e0b6cf00a)
+
+## Thymeleaf `th:utext` Replaced with `th:text`
+
+Replaced `th:utext` (unescaped HTML output) with `th:text` / `th:each` for page headings built from URL segments. We consider this not exploitable because the old code applied `HtmlUtils.htmlEscape()` to all user inputs before concatenation — this escapes `& < > " '`, preventing tag injection (`<` `>` escaped to `&lt;` `&gt;`) and attribute breakout (`"` escaped to `&quot;`, which per HTML spec does not terminate double-quoted attributes). The fix makes XSS structurally impossible and removes reliance on manual escaping — a future developer could have forgotten the `htmlEscape()` call when adding new URL segments. Hardening against CWE-79.
+
+Commit: [`58edc26c5`](https://github.com/datasharingframework/dsf/commit/58edc26c5)
+
+## Error Message Removed from Status Endpoint
+
+Removed database exception messages from the status endpoint error response body. We consider this not exploitable because the status endpoint runs on a separate Jetty connector (port 10000, bound to `127.0.0.1` only) with role-based access control (`STATUS_PORT_ROLE`) — it is not reachable through the Apache HTTP Server reverse proxy or from outside the Docker container. Hardening against CWE-209.
+
+Commit: [`5103d0e9d`](https://github.com/datasharingframework/dsf/commit/5103d0e9d)
+
+## Content Security Policy and Binary Inline Display
+
+Introduced a new inline display mode for `Binary` resources with a strict CSP (`script-src 'none'`), a media type policy, and `ContentTypeSanitizer`. We consider this not a vulnerability fix because the old code served all `Binary` resources with `Content-Disposition: attachment` (forced download, never rendered in browser), so the old `unsafe-inline` CSP was never reachable. This commit implements a new feature with secure defaults. Hardening against CWE-1021.
+
+Commit: [`454c1197b`](https://github.com/datasharingframework/dsf/commit/454c1197b)
diff --git a/docs/src/operations/v2.1.0/image-verification.md b/docs/src/operations/v2.1.0/image-verification.md
new file mode 100644
index 000000000..46731312b
--- /dev/null
+++ b/docs/src/operations/v2.1.0/image-verification.md
@@ -0,0 +1,107 @@
+---
+title: Verify Image Signature
+icon: safe
+---
+
+# How to Verify Image Signatures
+
+Starting with DSF {{release.tag}}, all official Docker images published to [ghcr.io/datasharingframework](https://github.com/orgs/datasharingframework/packages) are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with [keyless signing](https://docs.sigstore.dev/cosign/signing/overview/) backed by GitHub's OIDC identity provider. Each image additionally has a CycloneDX SBOM attached to the registry, which is signed the same way.
+
+Verifying signatures before pulling images into production is strongly recommended. It ensures that the image was built and published by the official DSF GitHub Actions release workflow and has not been tampered with.
+
+## Prerequisites
+
+- [Cosign](https://docs.sigstore.dev/cosign/installation/) v2.0 or newer installed on the host running the verification.
+- Network access to `ghcr.io` and the public Sigstore transparency log (`rekor.sigstore.dev`).
+- The exact image digest (`sha256:...`) of the image you want to verify. The digest can be looked up on the [GitHub package page](https://github.com/orgs/datasharingframework/packages) of the respective image or via:
+
+  ```bash
+  docker buildx imagetools inspect ghcr.io/datasharingframework/<image>:<tag>
+  ```
+
+::: warning Always pin the digest
+Verifying by tag alone (`:{{release.tag}}`) is not sufficient — tags can be reassigned. Always include the immutable `@sha256:<digest>` in the verification command and in your production `docker-compose.yml`.
+:::
+
+## Verify the Image Signature
+
+A successful verification prints the verified claims to stdout and exits with status `0`. The certificate identity confirms the signature was created by a workflow inside the `datasharingframework/dsf` repository, the OIDC issuer confirms it was a GitHub Actions run.
+
+The commands below are pre-filled with the correct image tag for this release. Replace `<digest>` with the digest you looked up for the image you intend to deploy.
+
+### FHIR Server (`fhir`)
+
+- Image: [`ghcr.io/datasharingframework/fhir`](https://github.com/datasharingframework/dsf/pkgs/container/fhir)
+
+```bash
+cosign verify \
+  {{release.image.fhir}}@sha256:{{release.digest.fhir}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+### FHIR Reverse Proxy (`fhir_proxy`)
+
+- Image: [`ghcr.io/datasharingframework/fhir_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/fhir_proxy)
+
+```bash
+cosign verify \
+  {{release.image.fhir_proxy}}@sha256:{{release.digest.fhir_proxy}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+### BPE Server (`bpe`)
+
+- Image: [`ghcr.io/datasharingframework/bpe`](https://github.com/datasharingframework/dsf/pkgs/container/bpe)
+
+```bash
+cosign verify \
+  {{release.image.bpe}}@sha256:{{release.digest.bpe}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+### BPE Reverse Proxy (`bpe_proxy`)
+
+- Image: [`ghcr.io/datasharingframework/bpe_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy)
+
+```bash
+cosign verify \
+  {{release.image.bpe_proxy}}@sha256:{{release.digest.bpe_proxy}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+## Verify the SBOM Attestation
+
+Each image has a signed CycloneDX SBOM attached. Substitute `<image>` with one of `fhir`, `fhir_proxy`, `bpe`, `bpe_proxy` and `<digest>` with the digest of the image you are verifying:
+
+```bash
+cosign verify-attestation \
+  --type cyclonedx \
+  ghcr.io/datasharingframework/<image>:{{release.tag}}@sha256:<digest> \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+To extract the SBOM payload for further processing (e.g. dependency or vulnerability analysis):
+
+```bash
+cosign download attestation \
+  --predicate-type https://cyclonedx.org/bom \
+  ghcr.io/datasharingframework/<image>:{{release.tag}}@sha256:<digest> \
+  | jq -r .payload | base64 -d | jq .predicate > sbom.cdx.json
+```
+
+## Troubleshooting
+
+- **`no matching signatures`** — The image was not signed by the official DSF release workflow. Do not use it in production. Re-check the registry path (`ghcr.io/datasharingframework/...`) and the digest.
+- **`certificate identity ... did not match`** — The signature exists but was produced by a different repository or workflow. Verify you are pulling from the official `datasharingframework/dsf` org.
+- **Network errors against `rekor.sigstore.dev`** — Cosign queries the public transparency log during verification. In air-gapped environments, pre-fetch and cache the log entries, or run cosign with `--insecure-ignore-tlog=true` only after carefully assessing the security implications.
+
+## Further Reading
+
+- [Cosign documentation](https://docs.sigstore.dev/cosign/overview/)
+- [Sigstore keyless signing](https://docs.sigstore.dev/cosign/signing/overview/)
+- [CycloneDX SBOM specification](https://cyclonedx.org/specification/overview/)
diff --git a/docs/src/operations/v2.1.0/index.md b/docs/src/operations/v2.1.0/index.md
new file mode 100644
index 000000000..d4a803168
--- /dev/null
+++ b/docs/src/operations/v2.1.0/index.md
@@ -0,0 +1,23 @@
+---
+title: DSF 2.1.0
+icon: guide
+---
+
+Data Sharing Framework 2.x is the new upcoming release of the Data Sharing Framework.
+
+
+# System Administrators
+
+- [Install DSF 2.1.0](install)
+- [Upgrade from DSF 1.9.0](upgrade-from-1)
+
+
+## New features
+- See [Release Notes](https://github.com/datasharingframework/dsf/releases/tag/v2.1.0)
+
+<!--
+This breaks the page with a 
+Hydration completed but contains mismatches.
+error
+<releas-notes  path="release-notes.md" />
+-->
diff --git a/docs/src/operations/v2.1.0/install-plugins.md b/docs/src/operations/v2.1.0/install-plugins.md
new file mode 100644
index 000000000..be61ca4a8
--- /dev/null
+++ b/docs/src/operations/v2.1.0/install-plugins.md
@@ -0,0 +1,78 @@
+---
+title: Install Plugins
+icon: plugin
+---
+
+
+## **Overview**
+- You can find an overview of compatable process plugins below (last updated 2026-01-19).
+
+
+| Process Plugin | released for test | released for production |
+| -------------- | ----------------- | ----------------------- |
+| [Ping-Pong](https://github.com/datasharingframework/dsf-process-ping-pong/releases) | [v1.0.1.0](https://github.com/datasharingframework/dsf-process-ping-pong/releases/tag/v1.0.1.0) & [v2.0.0.2](https://github.com/datasharingframework/dsf-process-ping-pong/releases/tag/v2.0.0.2) | [v1.0.1.0](https://github.com/datasharingframework/dsf-process-ping-pong/releases/tag/v1.0.1.0) & [v2.0.0.2](https://github.com/datasharingframework/dsf-process-ping-pong/releases/tag/v2.0.0.2) |
+| [Allow-List](https://github.com/datasharingframework/dsf-process-allow-list/releases) | [v1.0.0.1](https://github.com/datasharingframework/dsf-process-allow-list/releases/tag/v1.0.0.1) | [v1.0.0.1](https://github.com/datasharingframework/dsf-process-allow-list/releases/tag/v1.0.0.1) |
+| [MII Process Feasibility](https://github.com/medizininformatik-initiative/mii-process-feasibility/releases) | [v1.0.0.11](https://github.com/medizininformatik-initiative/mii-process-feasibility/releases/tag/v1.0.0.11) | [v1.0.0.11](https://github.com/medizininformatik-initiative/mii-process-feasibility/releases/tag/v1.0.0.11) |
+| [MII Process Report](https://github.com/medizininformatik-initiative/mii-process-report/releases) | [v1.2.0.1](https://github.com/medizininformatik-initiative/mii-process-report/releases/tag/v1.2.0.1) | [v1.2.0.1](https://github.com/medizininformatik-initiative/mii-process-report/releases/tag/v1.2.0.1) |
+| [MII Process Data Transfer](https://github.com/medizininformatik-initiative/mii-process-data-transfer/releases) | [v1.1.0.1](https://github.com/medizininformatik-initiative/mii-process-data-transfer/releases/tag/v1.1.0.1) | [v1.1.0.1](https://github.com/medizininformatik-initiative/mii-process-data-transfer/releases/tag/v1.1.0.1) |
+| [MII Process Data Sharing](https://github.com/medizininformatik-initiative/mii-process-data-sharing/releases) | [v1.1.0.0](https://github.com/medizininformatik-initiative/mii-process-data-sharing/releases/tag/v1.1.0.0) | [v1.1.0.0](https://github.com/medizininformatik-initiative/mii-process-data-sharing/releases/tag/v1.1.0.0) |
+| [NUM Dashboard Report](https://github.com/medizininformatik-initiative/dsf-plugin-numdashboard/releases) [Note](#num-dashboard-report-on-dsf-2) | [v1.1.0.0](https://github.com/medizininformatik-initiative/dsf-plugin-numdashboard/releases/tag/v1.1.0.0) | [v1.1.0.0](https://github.com/medizininformatik-initiative/dsf-plugin-numdashboard/releases/tag/v1.1.0.0) |
+
+- Deploying the process plugin to the DSF involves copy the process jar-file and configuring environment variable for the business process engine (BPE).
+
+
+### Prerequisites
+- A DSF installation of version 2.0.0 or higher. An installation guide can be found [here](https://dsf.dev/operations/latest/install.html).
+
+### Deployment
+- Add the process jar-file to the DSF BPE folder `/opt/bpe/process`: 
+```
+wget (your jar-file download link)
+```
+
+For example:
+```
+ wget https://github.com/medizininformatik-initiative/mii-process-data-sharing/releases/download/v1.1.0.0/mii-process-data-sharing-1.1.0.0.jar
+```
+
+- Make sure the process is readable by the bpe user or group, for example by executing:
+```
+sudo chmod 440 (your jar-file name.jar)
+sudo chown root:bpe (your jar-file name.jar)
+```
+For example:
+```
+sudo chmod 440 mii-process-data-sharing-1.1.0.0.jar
+sudo chown root:bpe mii-process-data-sharing-1.1.0.0.jar
+```
+
+- Modify the process exclude config in `/opt/bpe/docker-compose.yml`
+- **Reminder:** Update/verify required configurations in `docker-compose.yml`
+
+
+### NUM Dashboard Report on DSF 2
+The NUM Dashboard Report Plugin is now fully compabile with DSF 2.0.2 and above. If you implemented the workaround for DSF 2.0.1 and below, you can remove it:
+
+
+1. Remove the file with the name `api-v1-allowed-bpe-classes.list`
+
+
+2. Edit the `docker-compose.yml` file and remove the following volume and environment variable:
+
+```yaml
+...
+  app:
+    image: ghcr.io/datasharingframework/bpe:2.0.2
+...
+    volumes:
+...
+      - type: bind
+        source: api-v1-allowed-bpe-classes.list
+        target: /api-v1-allowed-bpe-classes.list
+...
+    environment:
+      DEV_DSF_BPE_PROCESS_API_ALLOWED_BPE_CLASSES: "{v1: '/api-v1-allowed-bpe-classes.list'}"
+...
+```
+
+3. Restart the application container with `docker compose up -d && docker compose logs -f`.
diff --git a/docs/src/operations/v2.1.0/install.md b/docs/src/operations/v2.1.0/install.md
new file mode 100644
index 000000000..0f81cd78f
--- /dev/null
+++ b/docs/src/operations/v2.1.0/install.md
@@ -0,0 +1,228 @@
+---
+title: Install DSF {{release.tag}}
+icon: install
+---
+
+In the following installation manual we will show you how you can install your own DSF instance to be part of an already existing DSF network.
+
+
+## Prerequisites
+### Virtual Machines
+* DSF FHIR VM: min. 4 GB RAM, 4 vCPU, 100 GB HDD
+* DSF BPE VM: min. 8 GB RAM, 4 vCPU, 20 GB HDD
+
+If you plan to transfer a lot of large files, we recommend a larger FHIR VM disk for temporary storage (if your largest file to transfer is 200GB in size, we recommend a disk with a size of at least 1TB).
+
+Please make sure to use a CPU with a modern instruction set with crypto acceleration enabled. We saw large performance drops on systems with inadequate hardware.
+
+### Docker / Docker-Compose
+Both VMs need latest docker and docker compose. For the latest install guide see https://docs.docker.com/engine/install. 
+
+```
+sudo apt-get update
+sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
+sudo systemctl enable docker.service
+sudo systemctl enable containerd.service
+```
+
+The current version of docker compose is installed with the current docker version.
+
+### Client/Server Certificates
+Two Certificates from a list of allowed certificate authorities (see [details about certificates](root-certificates.html)) are needed:
+* Certificate _A_: Server Certificate  - `TLS Web Server Authentication`
+* Certificate _B_: Client Certificate  - `TLS Web Client Authentication`
+
+If you use GÉANT TCS certificates, then they are configured by default with the necessary *X509v3 Extended Key Usage*s until the end of February 2026: `TLS Web Server Authentication, TLS Web Client Authentication`.
+
+For further details on supported Root Certificate Authorities click [here](root-certificates.html#list-of-default-trusted-certificate-authorities)
+
+
+### Network setup / Network access
+
+* The DSF FHIR server needs to be accessible via the internet and able to access the internet without TLS interception.
+* The BPE FHIR server should only be accessible by the internal network and able to access your DSF FHIR server via its external FQDN and the internet without TLS interception.
+
+Here is a quick overview of the expected network setup.
+
+| Source                        | Target                        | Port | Protocol               |
+| ----------------------------- | ----------------------------- | ---- | ---------------------- |
+| DSF BPE (local)               | DSF FHIR (local)              | 443  | https, wss             |
+| DSF BPE (local)               | DSF FHIR (other DSF communication partners)	| 443  | https                  |
+| DSF FHIR (local)              | DSF FHIR (other DSF communication partners)	| 443  | https (HTTP HEAD only) |
+| DSF BPE (other DSF communication partners)  | DSF FHIR (local)              | 443  | https                  |
+| DSF FHIR (other DSF communication partners) | DSF FHIR (local)              | 443  | https (HTTP HEAD only) |
+
+ Connections to services that are used by process plugins (e.g. a fTTP, a terminology server, simplifier.net or a local FHIR server) are not listed. Please refer to the respective process plugin documentation pages for more information.
+
+
+
+## Setup
+### Prepare Certificates
+1. Server Certificate (certificate _A_)  
+    _This certificate will be used as the DSF FHIR servers server certificate (ssl_certificate_file.pem, ssl_certificate_key_file.pem)_
+    * Store PEM encoded certificate as `ssl_certificate_file.pem`
+    * Store unencrypted, PEM encoded private-key as `ssl_certificate_key_file.pem`
+    * Store PEM encoded certificate chain (all intermediate CAs between the server and the root certificate, excluding root) as `ssl_certificate_chain_file.pem`
+
+1. Client Certificate (Certificate _B_)  
+    _This certificate will be used as the DSF BPE servers client certificate (client_certificate.pem, client_certificate_private_key.pem) as well as the DSF FHIR servers client certificate (client_certificate.pem, client_certificate_private_key.pem)_
+    * Store PEM encoded certificate as `client_certificate.pem`
+    * Store encrypted or not encrypted, PEM encoded private-key as `client_certificate_private_key.pem`
+
+### DSF FHIR Server
+1. Add Group/User  
+    Add group and user used by the DSF FHIR java application. Ubuntu compatible commands below:
+    ```
+    sudo groupadd --gid 2101 fhir
+    sudo useradd --system --no-create-home --uid 2101 --gid 2101 fhir
+    ```
+
+1. Download and Extract Config Files  
+    Download and unpack the prepared DSF FHIR server config files and folder structure:
+    ```
+    cd /opt
+    wget https://dsf.dev/download/dsf_fhir_{{release.tagUnderscored}}.tar.gz
+    sudo tar --same-owner -zxvf dsf_fhir_{{release.tagUnderscored}}.tar.gz
+    ```
+    _The `tar` command will unpack the config files at `/opt/fhir` assuming you changed into the `/opt` directory._
+
+1. Verify that the `fhir` system user or group can write into the following folder
+   * `/opt/fhir/log`
+
+1. Add certificates and keys
+    * Add the server certificate (certificate _A_), the corresponding private-key and the certificate chain (one file with all intermediate certificates, excluding the root CA) to **/opt/fhir/secrets/**
+        * ssl_certificate_file.pem (chmod: 440, chown: root:4101, 4101 is the user of the fhir proxy)
+        * ssl_certificate_key_file.pem (chmod: 440, chown: root:4101)
+        * ssl_certificate_chain_file.pem  (chmod: 444, chown: root:fhir)
+    * Add the client certificate (Certificate _B_) and the corresponding private-key to **/opt/fhir/secrets/**
+        * client_certificate.pem (chmod: 440, chown: root:fhir)
+        * client_certificate_private_key.pem (chmod: 440, chown: root:fhir)
+    * If the private key is encrypted, add a password file with the password as the only content to **/opt/fhir/secrets/client_certificate_private_key.pem.password**
+    * If the private key is not encrypted, remove the corresponding docker secret lines from the `docker-compose.yml` file
+        ```
+        L37:      - app_client_certificate_private_key.pem.password
+        ...
+        L50:      DEV_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE: /run/secrets/app_client_certificate_private_key.pem.password
+        ...
+        L108:  app_client_certificate_private_key.pem.password:
+        L109:    file: ./secrets/client_certificate_private_key.pem.password
+        ```
+
+    ::: tip How to chmod / chown
+    For the example *ssl_certificate_file.pem (chmod: 440, chown: root:4101)* you must:
+
+    1. Set the file content as requested
+    2. Change the file permissions to 440 (allow read access to the owner of the file and the group the file belongs to, deny write access to everybody and deny read for other users):
+    `chmod 440 /opt/fhir/secrets/ssl_certificate_file.pem`
+    3. Change the owner of the file to the user root and the group the file belongs to to the id 4101:
+    `chown fhir:docker /opt/fhir/secrets/ssl_certificate_file.pem`
+
+    :::
+
+1. Modify database passwords
+    * **/opt/fhir/secrets/db_liquibase.password**
+        * Generate a random password (min. 32 characters recommended) and replace the content of the file.
+    * **/opt/fhir/secrets/db_user.password**
+        * Generate a random password (min. 16 characters recommended) and replace the content of the file.
+    * **/opt/fhir/secrets/db_user_permanent_delete.password**
+        * Generate a random password (min. 16 characters recommended) and replace the content of the file.
+
+1. Modify the docker-compose.yml file and set environment variables to the appropriate values
+    * **services -> proxy -> environment:**
+        * **HTTPS_SERVER_NAME_PORT**: `dsf.todo.organization.com:443`
+            Set your FHIR servers external FQDN, e.g. `https://foo.bar.de` -> `foo.bar.de:443`
+        * For additional environment variables, see the FHIR Reverse Proxy [Configuration Parameters](fhir-reverse-proxy/configuration) page.
+    * **services -> app -> environment:**
+        * **DEV_DSF_FHIR_SERVER_ORGANIZATION_IDENTIFIER_VALUE**: `todo.organization.com`  
+            Set your Organizations DSF identifier, aka the shortest FQDN that resolves to the main homepage of the organization, e.g. `hs-heilbronn.de`
+        * **DEV_DSF_FHIR_SERVER_BASE_URL**: `https://dsf.todo.organization.com/fhir`  
+            Set your FHIR servers external FQDN, e.g. `foo.bar.de` -> `https://foo.bar.de/fhir`
+        * **DEV_DSF_FHIR_SERVER_ROLECONFIG**: `|`
+            (Optional) You can add other client certificates (e.g. personal certificates from admins) to your DSF instance. For additional information, see the FHIR server [Access Control](fhir/access-control) page.
+            
+        * For additional environment variables, see the FHIR server [Configuration Parameters](fhir/configuration) page.
+
+1. Start the DSF FHIR Server  
+    Start using: `docker compose up -d && docker compose logs -f` (Ctrl-C will close log, but not stop container)
+
+### DSF BPE Server
+1. Add Group/User  
+    Add group and user used by the DSF BPE java application. Ubuntu compatible commands below:
+    ```
+    sudo groupadd --gid 2202 bpe
+    sudo useradd --system --no-create-home --uid 2202 --gid 2202 bpe
+    ```
+1. Download and Extract Config Files  
+    Download and extract prepared DSF BPE server config files and folder structure:  
+    ```
+    cd /opt
+    wget https://dsf.dev/download/dsf_bpe_{{release.tagUnderscored}}.tar.gz
+    sudo tar --same-owner -zxvf dsf_bpe_{{release.tagUnderscored}}.tar.gz
+    ```
+    _The `tar` command will unpack the config files at `/opt/bpe` assuming you changed into the `/opt` directory._
+
+1. Verify that the `bpe` system user or group can write into the following folders
+   * `/opt/bpe/log`
+
+1. Add certificates and keys
+    * Add the client certificate (Certificate _B_) and the corresponding private-key to **/opt/bpe/secrets/**
+        * client_certificate.pem (chmod: 440 chown: root:bpe)
+        * client_certificate_private_key.pem (chmod: 440 chown: root:bpe)
+    * If the private key is encrypted, add a password file with the password as the only content to **/opt/bpe/secrets/client_certificate_private_key.pem.password**
+    * If the private key is not encrypted, remove the corresponding docker secret lines from the `docker-compose.yml` file
+        ```
+        L11:      - app_client_certificate_private_key.pem.password
+        ...
+        L31:      DEV_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE: /run/secrets/app_client_certificate_private_key.pem.password
+        ...
+        L82:  app_client_certificate_private_key.pem.password:
+        L83:    file: ./secrets/client_certificate_private_key.pem.password
+        ```
+1. Modify database passwords
+    * **/opt/bpe/secrets/db_liquibase.password**
+        * Generate a random password (min. 32 characters recommended) and replace the content of the file.
+    * **/opt/bpe/secrets/db_user.password**
+        * Generate a random password (min. 16 characters recommended) and replace the content of the file.
+    * **/opt/bpe/secrets/db_user_camunda.password**
+        * Generate a random password (min. 16 characters recommended) and replace the content of the file.
+
+1. Modify the docker-compose.yml file and set environment variables to the appropriate values
+    * **services -> app -> environment:**
+        * **DEV_DSF_BPE_FHIR_SERVER_BASE_URL**: `https://dsf.todo.organization.com/fhir`  
+            Set your FHIR servers external FQDN, e.g. `foo.bar.de` -> `https://foo.bar.de/fhir`
+            
+        * For additional environment variables, see the BPE server [Configuration Parameters](bpe/configuration) page.
+
+1. Start the DSF BPE Server (without process plugins)  
+    Start using: `docker compose up -d && docker compose logs -f` (Ctrl-C will close log, but not stop container)
+
+1. Verify DSF BPE Startup  
+    * Check that the BPE was able to download new Task resources from the DSF FHIR server during startup.
+    * Check that the BPE was able to download a Subscription resource from the DSF FHIR server during startup.
+    * Check that the BPE was able to connect to the websocket endpoint of the DSF FHIR server during startup.
+
+    If you need to debug the TLS connection to your DSF FHIR server use for example:  
+    `docker run -it --rm alpine/openssl s_client your-fhir-server.fqdn:443`  
+    The command above should print the server certificate of your DSF FHIR server (certificate _A_) and end with a message like `[...]tlsv13 alert certificate required[...]`
+
+
+### Logs
+By default, we will log both to the console (collected by docker) and to files in the log directory, so you can use `docker compose logs -f` in `/opt/bpe` and `/opt/fhir` to view informational, warning and error logs. If you encounter any error and the reported information is not detailed enough, you can also check the logs in the `/opt/fhir/log` and `/opt/bpe/log` directories with debugging logs. There, you will also find older log files. If you have any questions and can't resolve them by yourself please always include the latest logs from `/opt/fhir/log` and `/opt/bpe/log` in your support request.
+
+On a successful BPE start, you should see the following entries in your BPE log:
+
+```
+INFO Grizzly(1) -  INFO Grizzly(1) - ClientEndpoint.onOpen(37) | Websocket open, session SOME_RANDOM_UUID1
+INFO Grizzly(1) -  INFO Grizzly(1) - ClientEndpoint.onOpen(37) | Websocket open, session SOME_RANDOM_UUID2
+```
+
+### On-Boarding
+Please visit the on boarding website of your network for more information.
+
+::: tip Ideas for improvement?
+Have you found an error or is something unclear to you? Then please feel free to write to us at <a href="mailto:dsf-gecko@hs-heilbronn.de">dsf-gecko@hs-heilbronn.de</a>. Thank you very much!
+:::
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/passwords-secrets.md b/docs/src/operations/v2.1.0/passwords-secrets.md
new file mode 100644
index 000000000..62bb2ef1f
--- /dev/null
+++ b/docs/src/operations/v2.1.0/passwords-secrets.md
@@ -0,0 +1,33 @@
+---
+title: Passwords and Secrets
+icon: safe
+---
+
+Environment variables ending in `_PASSWORD` or `_SECRET` can be configured using plain-text files. To achieve this, environment variable should be defined with `_FILE` appended to the name with the value defined as the location of the file. For all variables ending in `_PASSWORD_FILE` or `_SECRET_FILE` the DSF FHIR and DSF BPE applications will read the content of the fist line of the referenced file and dynamically define the corresponding `_PASSWORD` or `_SECRET` environment variables with the read values.
+
+### Example Environment Variables
+- **DEV_DSF_BPE_DB_USER_PASSWORD_FILE**: If set to `/run/secrets/db_user_password`, the application will read the contents of the `/run/secrets/db_user_password` file and set the `DEV_DSF_BPE_DB_USER_PASSWORD` environment variable with the content from that file.
+- **DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE**: If set to `/run/secrets/oidc_client_secret`, the application will read the contents of the referenced file and set the `DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET` environment variable accordingly.
+
+### Docker Secrets
+
+It is recommended to use [docker secrets](https://docs.docker.com/compose/how-tos/use-secrets) as files for these environment variables. Docker secrets are mounted as files in `/run/secrets/<secret_name>` inside the container.
+
+#### Example docker-compose
+```yaml
+services:
+  app:
+    image: ghcr.io/datasharingframework/fhir
+    secrets:
+      - db_user_password
+      - oidc_client_secret
+    environment:
+      DEV_DSF_BPE_DB_USER_PASSWORD_FILE: /run/secrets/db_user_password
+      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET_FILE: /run/secrets/oidc_client_secret
+
+secrets:
+  db_user_password:
+    file: ./secrets/db_user.password
+  api_key:
+    file: ./secrets/oidc_client.secret
+```
\ No newline at end of file
diff --git a/docs/src/operations/v2.1.0/release-notes.md b/docs/src/operations/v2.1.0/release-notes.md
new file mode 100644
index 000000000..944face9f
--- /dev/null
+++ b/docs/src/operations/v2.1.0/release-notes.md
@@ -0,0 +1,4 @@
+---
+title: Release Notes (v2.1.0)
+icon: note
+---
diff --git a/docs/src/operations/v2.1.0/root-certificates.md b/docs/src/operations/v2.1.0/root-certificates.md
new file mode 100644
index 000000000..d2788e27e
--- /dev/null
+++ b/docs/src/operations/v2.1.0/root-certificates.md
@@ -0,0 +1,246 @@
+---
+title: Trusted Certificates
+icon: safe
+---
+
+A number of trusted certificate authorities (CAs) are included in the DSF docker images [fhir_proxy](https://github.com/datasharingframework/dsf/pkgs/container/fhir_proxy), [fhir](https://github.com/datasharingframework/dsf/pkgs/container/fhir), [bpe_proxy](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy) and [bpe](https://github.com/datasharingframework/dsf/pkgs/container/bpe) by default. Root and intermediate certificates as well as the configured usage of issuing CAs as either **server**, **client** oder **server and client** CA are listed at the end.
+
+:::info
+Please ensure that you are using an organization-validated certificate (OV). We check for the presence of certain elements in the FHIR proxy. These are not set for domain-validated (DV) certificates. DV-validated certificates cannot be used in the standard setup.
+:::
+
+## Extending or Replacing Trusted Certificate Authorities
+X.509 certificates of default trusted CAs are stored as individual .pem files containing one certificate each in the docker images and can be replaced by either using docker [bind mounts](https://docs.docker.com/engine/storage/bind-mounts) or configuring appropriate environment variables with different targets.
+
+### FHIR Reverse Proxy
+Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates (Apache httpd mod_ssl configuration option [SSLCACertificatePath](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcacertificatepath)) as well as the CA Certificates for defining acceptable CA names (option [SSLCADNRequestPath](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcadnrequestpath)). The default values of the following environment variables point to folders containing .pem files with one file per trusted CA:
+* [SSL_CA_CERTIFICATE_PATH](fhir-reverse-proxy/configuration.html#ssl-ca-certificate-path)
+  Default Value: `ca/client_ca_chains`
+* [SSL_CA_DN_REQUEST_PATH](fhir-reverse-proxy/configuration.html#ssl-ca-dn-request-path)
+  Default Value: `ca/client_issuing_cas`
+
+Use docker bind mounts to replace all default files or add additional CAs to the folders.
+
+**Note:** Default file location are relative to the docker image work directory `/usr/local/apache2`.
+**Also Note:** Using non default .pem files for the environment variables above may require also modifying the default values of the environment variables [SSL_EXPECTED_CLIENT_S_DN_C_VALUES](fhir-reverse-proxy/configuration.html#ssl-expected-client-s-dn-c-values) and [SSL_EXPECTED_CLIENT_I_DN_CN_VALUES](fhir-reverse-proxy/configuration.html#ssl-expected-client-i-dn-cn-values).
+
+### FHIR Server
+Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates as well as root CAs used for validating server certificates of remote DSF FHIR servers and the OIDC provider when using [OpenID Connect](fhir/oidc.html) for authenticating local users.
+
+**Note:** Default file location are relative to the docker image work directory `/opt/fhir`.
+
+You can add an additional certificate authority (e.g., your hospital CA) for 
+
+- server certificates by creating a bind-mount of the CA file into the `/opt/fhir/ca/server_root_cas/` directory
+- client certificates by creating bind-mounts of the intermediate CA files and their root CA file into the `/opt/fhir/ca/client_ca_chains/` directory.
+
+See the [BPE Server configuration](#bpe-server) for an example.
+
+If you can't override the default configuration with bind-mounts, you can use the following environment variables to configure non default .pem file directories or .pem file:
+* [DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS](fhir/configuration.html#dev-dsf-server-auth-trust-client-certificate-cas)
+  Default Value: [ca/client_ca_chains](/download/1.9.0/client_cert_ca_chains.pem)
+* [DEV_DSF_FHIR_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](fhir/configuration.html#dev-dsf-fhir-client-trust-server-certificate-cas)
+  Default Value: [ca/server_root_cas](/download/1.9.0/server_cert_root_cas.pem)
+* [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](fhir/configuration.html#dev-dsf-server-auth-oidc-provider-client-trust-server-certificate-cas)
+  Default Value: [ca/server_root_cas](/download/1.9.0/server_cert_root_cas.pem)
+
+### BPE Reverse Proxy
+Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates (Apache httpd mod_ssl configuration option [SSLCACertificatePath](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcacertificatepath)) as well as the CA Certificates for defining acceptable CA names (option [SSLCADNRequestPath](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcadnrequestpath)). The default values of the following environment variables point to folders containing .pem files with one file per trusted CA:
+* [SSL_CA_CERTIFICATE_PATH](bpe-reverse-proxy/configuration.html#ssl-ca-certificate-path)
+  Default Value: `ca/client_ca_chains`
+* [SSL_CA_DN_REQUEST_PATH](bpe-reverse-proxy/configuration.html#ssl-ca-dn-request-path)
+  Default Value: `ca/client_issuing_cas`
+
+Use docker bind mounts to replace all default files or add additional CAs to the folders.
+
+**Note:** Default file location are relative to the docker image work directory `/usr/local/apache2`.
+**Also Note:** Using non default .pem files for the environment variables above may require also modifying the default values of the environment variables [SSL_EXPECTED_CLIENT_S_DN_C_VALUES](bpe-reverse-proxy/configuration.html#ssl-expected-client-s-dn-c-values) and [SSL_EXPECTED_CLIENT_I_DN_CN_VALUES](bpe-reverse-proxy/configuration.html#ssl-expected-client-i-dn-cn-values).
+
+### BPE Server
+Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates as well as root CAs used for validating server certificates of local and remote DSF FHIR servers, the local mail server (if configured and SMTP over TLS required) and the OIDC provider when using [OpenID Connect](fhir/oidc.html) for authenticating local users.
+
+**Note:** Default file location are relative to the docker image work directory `/opt/bpe`.
+
+You can add an additional certificate authority (e.g., your hospital CA) for 
+
+- server certificates by creating a bind-mount of the CA file into the `/opt/bpe/ca/server_root_cas/` directory
+- client certificates by creating bind-mounts of the intermediate CA files and their root CA file into the `/opt/bpe/ca/client_ca_chains/` directory.
+
+If you have an additional certificate authority (e.g., your hospital CA) as `hospital-root-ca.pem` in your `/opt/bpe/secrets` directory, you can add it by adding the following entry in your docker-compose.yml file:
+
+```diff
+services:
+  app:
+...
+    volumes:
++      - type: bind
++        source: ./secrets/hospital-root-ca.pem
++        target: /opt/bpe/ca/server_root_cas/hospital-root-ca.pem
++        read_only: true
+```
+
+Use the following environment variable to configure non default .pem files or override the existing files using docker bind mounts:
+* [DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS](bpe/configuration.html#dev-dsf-server-auth-trust-client-certificate-cas)
+  Default Value: [ca/client_ca_chains](/download/1.9.0/client_cert_ca_chains.pem)
+* [DEV_DSF_BPE_FHIR_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](bpe/configuration.html#dev-dsf-bpe-fhir-client-trust-server-certificate-cas)
+  Default Value: [ca/server_root_cas](/download/1.9.0/server_cert_root_cas.pem)
+  [DEV_DSF_BPE_MAIL_TRUST_SERVER_CERTIFICATE_CAS](bpe/configuration.html#dev-dsf-bpe-mail-trust-server-certificate-cas)
+  Default Value: [ca/server_root_cas](/download/1.9.0/server_cert_root_cas.pem)
+* [DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS](bpe/configuration.html#dev-dsf-server-auth-oidc-provider-client-trust-server-certificate-cas)
+  Default Value: [ca/server_root_cas](/download/1.9.0/server_cert_root_cas.pem)
+
+## List of Default Trusted Certificate Authorities
+If not mentioned explicitly, issuing CAs listed will sign X.509 certificates with [Extended Key Usage](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12) entries `TLS WWW server authentication` and `TLS WWW client authentication`.
+
+* Root CA: **HARICA TLS ECC Root CA 2021**
+  Info: https://crt.sh/?caid=202185
+  X509 Certificate: https://crt.sh/?id=4147045948
+  Not after: Feb 13 11:01:09 2045 GMT
+  * Issuing CA: **GEANT TLS ECC 1**
+    Info: https://crt.sh/?caid=390050
+    X509 Certificate: https://crt.sh/?id=16099180990
+    Not after: Dec 31 11:14:20 2039 GMT
+  * Issuing CA: **HARICA OV TLS ECC**
+    Info: https://crt.sh/?caid=207661
+    X509 Certificate: https://crt.sh/?id=4442848530
+    Not after: Mar 15 09:33:51 2036 GMT
+* Root CA: **HARICA TLS RSA Root CA 2021**
+  Info: https://crt.sh/?caid=202184
+  X509 Certificate: https://crt.sh/?id=4147041876
+  Not after: Feb 13 10:55:37 2045 GMT
+  * Issuing CA: **GEANT TLS RSA 1**
+    Info: https://crt.sh/?caid=390054
+    X509 Certificate: https://crt.sh/?id=16099180997
+    Not after: Dec 31 11:14:59 2039 GMT
+  * Issuing CA: **HARICA OV TLS RSA**
+    Info: https://crt.sh/?caid=207660
+    X509 Certificate: https://crt.sh/?id=4442848529
+    Not after: Mar 15 09:34:16 2036 GMT
+* Root CA: **HARICA Client ECC Root CA 2021** [client certificates only]
+  Info: https://crt.sh/?caid=202189
+  X509 Certificate: https://crt.sh/?id=4147052292
+  Not after: Feb 13 11:03:33 2045 GMT
+  * Issuing CA: **GEANT S/MIME ECC 1** [client certificates only]
+    Info: https://crt.sh/?caid=390048
+    X509 Certificate: https://crt.sh/?id=16099180988
+    Not after: Dec 31 11:11:39 2039 GMT
+  * Issuing CA: **HARICA S/MIME ECC** [client certificates only]
+    Info: https://crt.sh/?caid=207659
+    X509 Certificate: https://crt.sh/?id=4442848523
+    Not after: Mar 15 09:36:57 2036 GMT
+  * Issuing CA: **HARICA Client Authentication ECC** [client certificates only]
+    Info: https://crt.sh/?caid=207671
+    X509 Certificate: https://crt.sh/?id=4442848518
+    Not after: Mar 15 09:17:38 2036 GMT
+* Root CA: **HARICA Client RSA Root CA 2021** [client certificates only]
+  Info: https://crt.sh/?caid=202188
+  X509 Certificate: https://crt.sh/?id=4147049674
+  Not after: Feb 13 10:58:45 2045 GMT
+  * Issuing CA: **GEANT S/MIME RSA 1** [client certificates only]
+    Info: https://crt.sh/?caid=390049
+    X509 Certificate: https://crt.sh/?id=16099180989
+    Not after: Dec 31 11:13:07 2039 GMT
+  * Issuing CA: **HARICA S/MIME RSA** [client certificates only]
+    Info: https://crt.sh/?caid=207658
+    X509 Certificate: https://crt.sh/?id=4442848517
+    Not after: Mar 15 09:37:37 2036 GMT
+  * Issuing CA: **HARICA Client Authentication RSA** [client certificates only]
+    Info: https://crt.sh/?caid=207670
+    X509 Certificate: https://crt.sh/?id=4442848531
+    Not after: Mar 15 09:19:36 2036 GMT
+* Root CA: **T-TeleSec GlobalRoot Class 2** [client certificates only, will be removed in a future release, incl. derived CAs]
+  Info: https://crt.sh/?caid=6068
+  X509 Certificate: https://crt.sh/?id=8733622
+  Not after: Oct 1 23:59:59 2033 GMT
+  * Intermediate Root CA: **DFN-Verein Certification Authority 2** [client certificates only, will be removed in a future release, incl. derived CAs]
+    Info: https://crt.sh/?caid=22818
+    X509 Certificate: https://crt.sh/?id=23908438
+    Not after: Feb 22 23:59:59 2031 GMT
+   * Issuing CA: **DFN-Verein Global Issuing CA** [client certificates only, no new certificates]
+     Info: https://crt.sh/?caid=23770
+     X509 Certificate: https://crt.sh/?id=25484751
+     Not after: Feb 22 23:59:59 2031 GMT
+   * Issuing CA: **Fraunhofer User CA - G02** [client certificates only, no new certificates]
+     Info: https://crt.sh/?caid=23772
+     X509 Certificate: https://crt.sh/?id=25484789
+     Not after: Feb 22 23:59:59 2031 GMT
+* Root CA: **D-TRUST Root Class 3 CA 2 2009**
+  Info: https://crt.sh/?caid=712
+  X509 Certificate: https://crt.sh/?id=133226
+  Not after: Nov 5 08:35:58 2029 GMT
+   * Issuing CA: **D-TRUST SSL Class 3 CA 1 2009** [server certificates via TMF e.V.]
+     Info: https://crt.sh/?caid=713
+     X509 Certificate: https://crt.sh/?id=133227
+     Not after: Nov 5 08:35:58 2029 GMT
+* Root CA: **D-TRUST BR Root CA 1 2020 (ECC)**, optionally crosssigned by D-TRUST Root Class 3 CA 2 2009 [server only]
+  Info: https://crt.sh/?caid=192951
+  X509 Certificate: https://crt.sh/?id=3699642382 and https://crt.sh/?id=19754747817
+  Not after: Feb 11 09:44:59 2035
+* Root CA: **D-TRUST BR Root CA 2 2023 (RSA)**, optionally crosssigned by D-TRUST Root Class 3 CA 2 2009 [server only]
+  Info: https://crt.sh/?caid=266681
+  X509 Certificate: https://crt.sh/?id=9609658147 and https://crt.sh/?id=19754898942
+  Not after: May  9 08:56:30 2038 GMT
+
+* Root CA: **USERTrust ECC Certification Authority** [will be removed in a future release, incl. derived CAs]
+  Info: https://crt.sh/?caid=1390
+  X509 Certificate: https://crt.sh/?id=2841410
+  Not after: Jan 18 23:59:59 2038 GMT
+  * Issuing CA: **Sectigo ECC Organization Validation Secure Server CA**
+    Info: https://crt.sh/?caid=105483
+    X509 Certificate: https://crt.sh/?id=924467859
+    Not after: Dec 31 23:59:59 2030 GMT
+  * Issuing CA: **GEANT OV ECC CA 4**
+    Info: https://crt.sh/?caid=160140
+    X509 Certificate: https://crt.sh/?id=2475254970
+  * Issuing CA: **GEANT Personal ECC CA 4** [client certificates only]
+    Info: https://crt.sh/?caid=160136
+    X509 Certificate: https://crt.sh/?id=2475254903
+    Not after: May 1 23:59:59 2033 GMT
+  * Issuing CA: **GEANT eScience Personal ECC CA 4** [client certificates only]
+    Info: https://crt.sh/?caid=160138
+    X509 Certificate: https://crt.sh/?id=2475254888
+    Not after: May 1 23:59:59 2033 GMT
+* Root CA: **USERTrust RSA Certification Authority** [will be removed in a future release, incl. derived CAs]
+  Info: https://crt.sh/?caid=1167
+  X509 Certificate: https://crt.sh/?id=1199354
+  Not after: Jan 18 23:59:59 2038 GMT
+  * Issuing CA: **Sectigo RSA Organization Validation Secure Server CA**
+    Info: https://crt.sh/?caid=105487
+    X509 Certificate: https://crt.sh/?id=924467857
+    Not after: Dec 31 23:59:59 2030 GMT
+  * Issuing CA: **GEANT OV RSA CA 4**
+    Info: https://crt.sh/?caid=160137
+    X509 Certificate: https://crt.sh/?id=2475254782
+    Not after: May 1 23:59:59 2033 GMT
+  * Issuing CA: **GEANT Personal CA 4** [client certificates only]
+    Info: https://crt.sh/?caid=160144
+    X509 Certificate: https://crt.sh/?id=2475255043
+    Not after: May 1 23:59:59 2033 GMT
+  * Issuing CA: **GEANT eScience Personal CA 4** [client certificates only]
+    Info: https://crt.sh/?caid=160134
+    X509 Certificate: https://crt.sh/?id=2475253350
+    Not after: May 1 23:59:59 2033 GMT
+* Root CA: **D-TRUST Limited Basic Root CA 1 2019** [client certificates only]
+  X509 Certificate: https://www.d-trust.net/cgi-bin/D-TRUST_Limited_Basic_Root_CA_1_2019.crt
+  Not after: Jun 19 08:15:51 2034 GMT
+  * Issuing CA: **D-TRUST Limited Basic CA 1-2 2019** [client certificates via TMF e.V.]
+    X509 Certificate: https://www.d-trust.net/cgi-bin/D-TRUST_Limited_Basic_CA_1-2_2019.crt
+    Not after: Jun 19 08:15:51 2034 GMT
+  * Issuing CA: **D-TRUST Limited Basic CA 1-3 2019** [client certificates via TMF e.V.]
+    X509 Certificate: https://www.d-trust.net/cgi-bin/D-TRUST_Limited_Basic_CA_1-3_2019.crt
+    Not after: Jun 19 08:15:51 2034 GMT
+* Root CA: **DFN-Verein Community Root CA 2022** [client certificates only]
+  X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:dfn-verein_community_root_ca_2022.pem
+  Not after: Jan 21 14:08:41 2042 GMT
+  * Issuing CA: **DFN-Verein Community Issuing CA 2022** [client certificates only]
+    X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:dfn-verein_community_issuing_ca_2022.pem
+    Not after: Jan 21 14:08:41 2042 GMT
+  * Issuing CA: **Fraunhofer Service CA 2022** [client certificates only]
+    X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:fraunhofer_service_ca_2022.pem
+    Not after: Jan 21 14:08:41 2042 GMT
+  * Issuing CA: **Fraunhofer User CA 2022** [client certificates only]
+    X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:fraunhofer_user_ca_2022.pem
+    Not after: Jan 21 14:08:41 2042 GMT
+  * Issuing CA: **MPG Community CA** [client certificates only]
+    X509 Certificate: https://doku.tid.dfn.de/_media/de:dfnpki:ca:mpg_community_ca.pem
+    Not after: Jan 21 14:08:41 2042 GMT
diff --git a/docs/src/operations/v2.1.0/upgrade-from-1.md b/docs/src/operations/v2.1.0/upgrade-from-1.md
new file mode 100644
index 000000000..663f9d6cf
--- /dev/null
+++ b/docs/src/operations/v2.1.0/upgrade-from-1.md
@@ -0,0 +1,214 @@
+---
+title: Upgrade from DSF 1.9.0
+icon: update
+---
+
+Upgrading the DSF from 1.9.0 to {{release.tag}} involves modifying the docker-compose.yml files and recreating the containers. 
+
+::: warning Update to DSF 1.9.0 first
+When upgrading from DSF version < 1.9.0 it is important to migrate to [DSF 1.9.0 first](../v1.9.0/upgrade-from-1).
+:::
+
+For DSF 2, we refined the [system requirements](install.md#prerequisites). If your current DSF 1 setup works, it should also work with DSF 2. As DSF 2 is designed to support large file transfers, you might need to increase the storage on the DSF FHIR Server instance.
+
+::: info Non-standard configuration changes
+
+Most non-standard configuration changes working in DSF 1 will continue to work in DSF 2. If you have set custom timeout options in the DSF configuration (starting with `DEV_DSF_...`) please change them to the ISO 8601 standard. `120000` (Milliseconds) must be changed to `PT2M`. The configuration options for process plugins (e.g., starting with `DE_...`) remain unchanged.
+
+- You can now use more advanced [logging options](./fhir/logging.md).
+- If you use your own certificate authority, the [configuration](root-certificates.md) will be easier.
+- More granular control in [access control / role config settings](./fhir/access-control.md).
+:::
+
+We recommend upgrading the PostgreSQL DBMS from version 15 to version 18. At present, it is possible to use PostgreSQL version 15, but we exclusively support PostgreSQL version 18 and test the DSF solely with version 18.
+The DBMS upgrade is described below in the update instructions.
+
+DSF 2 was designed to run DSF 1 (APIv1) process plugins, but due to stricter validation rules in DSF 2 we strongly recommend using the latest compatible plugin versions. Updates within the same major and minor version (e.g., from 1.2.3.4 to 1.2.9.9) are generally safe. An overview of the recommended MII/NUM versions can be found [here](./install-plugins.md).
+
+## Modify DSF FHIR Server Setup
+1. Preparation / Backup
+    * We recommend to create a backup of the `/opt/fhir` directory before proceeding with the upgrade.  
+    For example using: `sudo cp -rp /opt/fhir /opt/fhir_backup_pre_{{release.tag}}_upgrade`
+
+2. Modify the DSF FHIR docker-compose.yml file, replace the version number with {{release.tag}}.
+```diff
+ version: '3.8'
+ services:
+   proxy:
+-    image: ghcr.io/datasharingframework/fhir_proxy:1.9.0
++    image: ghcr.io/datasharingframework/fhir_proxy:{{release.tag}}
+     restart: on-failure
+...
+   app:
+-    image: ghcr.io/datasharingframework/fhir:1.9.0
++    image: ghcr.io/datasharingframework/fhir:{{release.tag}}
+     restart: on-failure
+...
+     environment:
+-      DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT: f4344032fe77bffb...
+...
+ 
+```
+The environment variable `DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT` does not need to be specified starting version 2.0.0. The thumbprint is now calculated based on the client certificate specified via `DEV_DSF_FHIR_CLIENT_CERTIFICATE`.
+
+
+3. Upgrade the DSF FHIR containers  
+    From `/opt/fhir` execute  
+    ```
+    docker compose up -d && docker compose logs -f
+    ```
+
+## Modify DSF BPE Server Setup
+1. Preparation / Backup
+    * We recommend to create a backup of the `/opt/bpe` directory before proceeding with the upgrade.  
+    For example using: `sudo cp -rp /opt/bpe /opt/bpe_backup_pre_{{release.tag}}_upgrade`
+
+2. Modify the DSF BPE docker-compose.yml file, replace the version number with {{release.tag}}.
+```diff
+ version: '3.8'
+ services:
+   app:
+-    image: ghcr.io/datasharingframework/bpe:1.9.0
++    image: ghcr.io/datasharingframework/bpe:{{release.tag}}
+     restart: on-failure
+...
+     environment:
+-      DEV_DSF_BPE_DB_USER_CAMUNDA_PASSWORD_FILE: /run/secrets/db_user_camunda.password
++      DEV_DSF_BPE_DB_USER_ENGINE_PASSWORD_FILE: /run/secrets/db_user_camunda.password
+...
+ 
+```
+
+3. Upgrade the DSF BPE containers  
+    From `/opt/bpe` execute  
+    ```
+    docker compose up -d && docker compose logs -f
+    ```
+
+5. Verify your upgrade:
+    * Verify the DSF FHIR server is running in version {{release.tag}}. The log should contain a message:  
+        `INFO main - BuildInfoReaderImpl.logBuildInfo(137) | Artifact: dsf-fhir-server-jetty, version: {{release.tag}}, [...]`
+    * Verify the DSF FHIR server started without errors
+    * Verify the DSF FHIR server is accessible via https, for example by browsing to https://your-dsf-endpoint.de/fhir/ (authentication with your client-certificate)
+    * Verify the DSF BPE server is running in version {{release.tag}}. The log should contain a message:  
+        `INFO main - BuildInfoReaderImpl.logBuildInfo(137) | Artifact: dsf-bpe-server-jetty, version: {{release.tag}}, [...]`
+    * Verify the DSF BPE server started without errors
+    * Verify your install with a ping/pong test  
+
+
+## Upgrade PostgreSQL from 15 to 18
+To upgrade your DSF databases, you have to stop the application, dump your database, recreate the bind mount directory, update the version, start it, restore the backup and start the application again.
+
+### On the DSF FHIR Server
+
+1. Stop the application
+    From `/opt/fhir` execute
+    ```
+    docker compose down app
+    ```
+2. Dump the database
+    From `/opt/fhir` execute
+    ```
+    docker compose exec db pg_dumpall -U liquibase_user > dump.sql
+    ```
+3. Stop the database
+    From `/opt/fhir` execute
+    ```
+    docker compose down db
+    ```
+4. Recreate the database bind mount directory
+    From `/opt/fhir` execute
+    ```
+    mv postgres-data postgres-data-psql-15
+    mkdir postgres-data
+    ```
+5. Update the version and change the bind mount target to respect the [PostgreSQL best practices](https://github.com/docker-library/postgres/pull/1259) in `/opt/fhir/docker-compose.yml`
+    ```diff
+    db:
+    -    image: postgres:15
+    +    image: postgres:18
+         restart: always
+         healthcheck:
+             test: ["CMD-SHELL", "pg_isready -U liquibase_user -d fhir"]
+             interval: 10s
+             timeout: 5s
+             retries: 5
+         volumes:
+         - type: bind
+           source: ./postgres-data
+    -      target: /var/lib/postgresql/data
+    +      target: /var/lib/postgresql  
+    ```
+6. Start the new database
+    From `/opt/fhir` execute
+    ```
+    docker compose up -d db
+    ```
+7. Restore the database dump
+    From `/opt/fhir` execute
+    ```
+    cat dump.sql | docker compose exec -T db psql -U liquibase_user fhir
+    ```
+8. Start the application
+    From `/opt/fhir` execute
+    ```
+    docker compose up -d && docker compose logs -f app
+    ```
+
+### On the DSF BPE Server
+
+1. Stop the application
+    From `/opt/bpe` execute
+    ```
+    docker compose down app
+    ```
+2. Dump the database
+    From `/opt/bpe` execute
+    ```
+    docker compose exec db pg_dumpall -U liquibase_user > dump.sql
+    ```
+3. Stop the database
+    From `/opt/bpe` execute
+    ```
+    docker compose down db
+    ```
+4. Recreate the database bind mount directory
+    From `/opt/bpe` execute
+    ```
+    mv postgres-data postgres-data-psql-15
+    mkdir postgres-data
+    ```
+5. Update the version and change the bind mount target to respect the [PostgreSQL best practices](https://github.com/docker-library/postgres/pull/1259) in `/opt/bpe/docker-compose.yml`
+    ```diff
+    db:
+    -    image: postgres:15
+    +    image: postgres:18
+         restart: always
+         healthcheck:
+             test: ["CMD-SHELL", "pg_isready -U liquibase_user -d bpe"]
+             interval: 10s
+             timeout: 5s
+             retries: 5
+         volumes:
+         - type: bind
+           source: ./postgres-data
+    -      target: /var/lib/postgresql/data
+    +      target: /var/lib/postgresql  
+    ```
+6. Start the new database
+    From `/opt/bpe` execute
+    ```
+    docker compose up -d db
+    ```
+7. Restore the database dump
+    From `/opt/bpe` execute
+    ```
+    cat dump.sql | docker compose exec -T db psql -U liquibase_user bpe
+    ```
+8. Start the application
+    From `/opt/bpe` execute
+    ```
+    docker compose up -d && docker compose logs -f app
+    ```
+
+Once you have ensured that DSF is working successfully with the new database, you can remove the dump.sql file and the postgres-data-psql-15 directory. As a precaution, we recommend keeping the postgres-data-psql-15 directory for some time.
diff --git a/docs/src/operations/v2.1.0/upgrade-from-2.md b/docs/src/operations/v2.1.0/upgrade-from-2.md
new file mode 100644
index 000000000..c898f8674
--- /dev/null
+++ b/docs/src/operations/v2.1.0/upgrade-from-2.md
@@ -0,0 +1,76 @@
+---
+title: Upgrade from DSF {{release.previousTag}}
+icon: update
+---
+
+Upgrading the DSF from {{release.previousTag}} to {{release.tag}} involves modifying the image versions in the docker-compose.yml files and recreating the containers. 
+
+
+DSF 2 was designed to run DSF 1 (APIv1) process plugins, but due to stricter validation rules in DSF 2 we strongly recommend using the latest compatible plugin versions. Updates within the same major and minor version (e.g., from 1.2.3.4 to 1.2.9.9) are generally safe. An overview of the recommended MII/NUM versions can be found [here](./install-plugins.md).
+
+If you have installed the NUM Dashboard Process Plugin, you can [remove the workaround](./install-plugins.md).
+
+## Modify DSF FHIR Server Setup
+1. Preparation / Backup
+    * We recommend to create a backup of the `/opt/fhir` directory before proceeding with the upgrade.  
+    For example using: `sudo cp -rp /opt/fhir /opt/fhir_backup_pre_{{release.tag}}_upgrade`
+
+2. Modify the DSF FHIR docker-compose.yml file, replace the version number with {{release.tag}}.
+```diff
+ version: '3.8'
+ services:
+   proxy:
+-    image: ghcr.io/datasharingframework/fhir_proxy:{{release.previousTag}}
++    image: ghcr.io/datasharingframework/fhir_proxy:{{release.tag}}
+     restart: on-failure
+...
+   app:
+-    image: ghcr.io/datasharingframework/fhir:{{release.previousTag}}
++    image: ghcr.io/datasharingframework/fhir:{{release.tag}}
+     restart: on-failure
+...
+
+```
+
+
+
+3. Upgrade the DSF FHIR containers  
+    From `/opt/fhir` execute  
+    ```
+    docker compose up -d && docker compose logs -f
+    ```
+
+## Modify DSF BPE Server Setup
+1. Preparation / Backup
+    * We recommend to create a backup of the `/opt/bpe` directory before proceeding with the upgrade.  
+    For example using: `sudo cp -rp /opt/bpe /opt/bpe_backup_pre_{{release.tag}}_upgrade`
+
+2. Modify the DSF BPE docker-compose.yml file, replace the version number with {{release.tag}}.
+```diff
+ version: '3.8'
+ services:
+   app:
+-    image: ghcr.io/datasharingframework/bpe:{{release.previousTag}}
++    image: ghcr.io/datasharingframework/bpe:{{release.tag}}
+     restart: on-failure
+...
+
+ 
+```
+
+3. Upgrade the DSF BPE containers  
+    From `/opt/bpe` execute  
+    ```
+    docker compose up -d && docker compose logs -f
+    ```
+
+5. Verify your upgrade:
+    * Verify the DSF FHIR server is running in version {{release.tag}}. The log should contain a message:  
+        `INFO main - BuildInfoReaderImpl.logBuildInfo(137) | Artifact: dsf-fhir-server-jetty, version: {{release.tag}}, [...]`
+    * Verify the DSF FHIR server started without errors
+    * Verify the DSF FHIR server is accessible via https, for example by browsing to https://your-dsf-endpoint.de/fhir/ (authentication with your client-certificate)
+    * Verify the DSF BPE server is running in version {{release.tag}}. The log should contain a message:  
+        `INFO main - BuildInfoReaderImpl.logBuildInfo(137) | Artifact: dsf-bpe-server-jetty, version: {{release.tag}}, [...]`
+    * Verify the DSF BPE server started without errors
+    * Verify your install with a ping/pong test  
+