Page tree

Install licenses

Your license.cxl file(s) should be installed as described in the License Management section.

Configuring the system

Config Server
is a service of Compliance Checker to populate your settings to other servers (cc-web, cc-bigdata and cc-backend). On startup, all of these services require the Config server to load their settings from it. Config server can update some settings on runtime, but others need to be updated by restarting the servers. 
Config server is deployed to the 8888 port by default. If you POST a request (body is not needed) to the server's /refresh/all endpoint it will refresh all services with the new settings.
(Or visit http://localhost:8888/docs/api/swagger/swagger-ui.html#!/refreshing-controller/refreshAllServicesUsingPOST and click the 'Try it' button.)

To customize the application the configuration can be modified by editing the file. Any property changed in the file will affect the appropriate services. At the clean install the settings in will be copied to the file.

At upgrading the software - i.e. installing the new software version - the file will never be overwritten. So your already customized configuration will not be changed!

Default settings in

The following default settings in can be modified in the file (in this format, # stands for comments):


# Security provider chooses what settings to use for user authentication
## LDAP: uses LDAP server to log in users
## ACTIVE_DIRECTORY: Uses Microsoft's Active Direcotry service for authentication
## IN_MEMORY: small number of predefined users, only for testing purposes
## ANONYMOUS: no login required
	common.securityProviderName = IN_MEMORY
# If this setting is set to true then the service only accepts HTTPS connections 
	common.securityProviderSecure = false  
# If this is true, SSL certificate of services is not checked.
	common.securityProviderAllowUnsignedCert = true   
# This setting is to specify that the URL requires a specific IP address 
# If it is left empty then any IP address is accepted to connect 
	common.securityProviderAllowedIp = 

Database connection settings

The following default database connection settings can also be modified in the file :

# Number of molecules checked in one run.  
	chunkSize = 10
# Host of MongoDB.  
	databaseHost =
# Port of MongoDB.
	databasePort = 27017
# Name of database in MongoDB.
	databaseName = test
# Name of the user who connects the database.
	mongoUser = cxnMongo
# Name of the user who connects the database.
	mongoPassword = ccMongoPass 
# Set this property to true in case you are using Transport Encryption in your database. 
	mongoEncryptConnection = false

Creating user for the database (ccDB is the default)

Creating user in MongoDB

# use ccDB

  roles : [ 
      role: "clusterAdmin", 
      db: "admin" 
      role: "readAnyDatabase", 
      db: "admin" 

Other settings in

You can configure other settings for Compliance Checker in the file.

Other settings in ''
# These settings set the maximum size of upload for services. 
# These properties also affect the maximum size of DB update as well.

# The URL of config server

# The URL of eureka service

# Security provider chooses what settings to use for user authentication
# IN_MEMORY small number of predefined user, only for testing purposes.
# ANONYMOUS no login required.
# LDAP uses LDAP server to log in users
# ACTIVE_DIRECTORY Uses Microsoft's Active Direcotry service for authentication

# If this setting is set to true then the service only accepts HTTPS connections.

#If this is set to false then only HTTPS connections with valid certificates will be accepted.

# Specify that URLs requires a specific IP Address or 
# subnet.

# The IP address (e.g. or local subnet (e.g. 192.168.0/24).
# If it is left empty then every IP can access the services.

# If the servers know nothing about a job, then they mark it as dead, and reschedule to process. 
# You can set this checking interval in milliseconds through this variable.

# If you use ACTIVE_DIRECTORY, then you can set it's configuration like this: 
#  {"servers":[{"domain":"your.domain","url":"ldap://"}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array. 
# In this array you can set as many Active Directory servers as you want. 
# These servers will be checked in this specified order, and the first AD server that can authenticate the user will authenticate.

# If you use LDAP, then you can set it's configuration like this: 
# {"servers":[{"serverUrl":"ldap://,dc=tld","userDNPatterns":["uid={0},cn=users,cn=accounts"],"groupSearchBase":"","managerDN":"uid=cchecker,cn=sysaccounts","managerPassword":"password"}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array. 
# In this array you can set as many LDAP servers as you want. 
# These servers will be checked in this specified order, and the first LDAP server that can authenticate the user will authenticate it.
# Properties stands for the following:
# -- "serverURL" -- The URL of the LDAP server
# -- "userDNPatterns" -- The domain name of the users in the LDAP tree
# -- "groupSearchBase" -- Domain name of groups in LDAP tree
# -- "managerDN' -- The domain name of the manager user to query LDAP tree.
# -- "managerPassword" -- The password of manager user.
	common.ldapConfig = {"servers":[{"serverUrl":"ldap://,dc=tld","userDNPatterns":["uid={0},cn=users,cn=accounts"],"groupSearchBase":"","managerDN":"uid=cchecker,cn=sysaccounts","managerPassword":"password"}]}

# If you are using IN_MEMORY authentication manager, you can configure it here:
	common.inMemoryConfig = {"users":[{"name":"user", "password": "password", "roles":["USER"]}, {"name":"admin", "password": "adminPass", "roles":["USER","ADMIN"]}, {"name":"system", "password": "system", "roles":["SYSTEM"]}]}

# You can map user groups to ROLEs in CC by this setting. 
# We have 3 ROLEs:
# -- USER: everybody who can authenticate to CC.
# -- ADMIN: everybody who can manage CC.
# -- SYSTEM: special group to run automatic system checks.
# This is a standard JSON but it has to be in one line. 
# For every property you can add specified group or role names and also any regular expression to map your users.
# In this example everybody will have USER privileges, and users with the group (or ROLE) and cc-admin will have 
#  ADMIN privileges (every user with the group cc-system will have SYSTEM privileges as well).

# For automated system communication we need to have a user that can log in to the services.
# This is a very limited privilege user, that we call System user. This user will use one of 
# The above mentioned authentication providers, so you must register it in your LDAP / AD server.

# Search always runs on all available cores. 
# If you set this property to PARALLEL, then the system will distinct executors, 
#  one for all cores, that can boost the overall system performance and can cause a massive CPU load on the server. 
# If you use SEQUENTIAL execution strategy then only one executor will run on the server. 
# (For search this executor will use all cores, but it creates a smaller CPU load.)

# This size determines how many molecules are check in one run.
# If you upload a file with 1000 molecules, and set this property to 25 then the file 
#  will be cut to 40 pieces, and 40 executors can start working simultaneously:

# Host of the database

# The port where MongoDB listens for requests:

# The name of database in MongoDB:

# Username of database user:

# Password of database user:

# Set this property to true in case you are using Transport Encryption in your database. 
	mongoEncryptConnection = false

# Compliance Checker services use Hystrix circuit breaker to protect servers from overload.
# You can read more about hystrix settings here:

# Communication is load-balanced through Ribbon classes.
# You can read about ribbon settings here: 
# The URL of the latest database file:

# The URL of the text file containing the version of the latest database file.

# Enables to schedule the removal of all batch report related data from the database.
# The value should be a cron-like expression, which extends the usual UN*X definition to include triggers
#  on the second as well as minute, hour, day of month, month and day of week. 
# Example patterns:
# -- "0 0 * * * *" = the top of every hour of every day.
# -- "*/10 * * * * *" = every ten seconds.
# -- "0 0 8-10 * * *" = 8, 9 and 10 o'clock of every day.
# -- "0 * 6,19 * * *" = 6:00 AM and 7:00 PM every day.
# -- "0 0/30 8-10 * * *" = 8:00, 8:30, 9:00, 9:30 and 10 o'clock every day.
# -- "0 0 9-17 * * MON-FRI" = on the hour nine-to-five weekdays
# -- "0 0 0 25 12 ?" = every Christmas Day at midnight
#batch.cleanup.scheduler=0 0 4 * * *

# The default report format for batch checks. Valid values are: HTML,PDF,SDF,MRV,XLSX

# The default view for Regulation Categories. Valid values are: COUNTRIES, CHECK_LEVELS

# Setting this to true will only display the check levels as selectable categories on the check pages

# Comma separated list of fields to be included in the JSON reports.
# Including only needed fields in JSON reports can greatly increase the speed of report generation
# To include child fields, parent fields also have to be listed
# If none of the listed fields are present in the result
# or the config key is not set then the full result will be added to the report 

# Example:
# [  
#   [  
#      {  
#         "segments":[  
#            {  
#               "categoryName":"catName",
#               "categoryCode":1234
#            }
#         ],
#         "inputProperties":{  
#            "ID":"123",
#             "Name":"Name"
#         }
#      }
#   ]
# ]

# To include only the categoryCode and ID in the JSON report from the above example result
# the following configuration has to be made:,categoryCode,inputProperties,ID

  • The default Report format can be set by the Admin by adding HTML, PDF, SDF, MRV or XLSX value to the batch.default.reportFormat key in
    (User's last selection is saved in the mongo DB and will not be modified.)
  • Admin can select Available countries or Selected check levels to be displayed in Regulation categories by setting check.default.regulationCategories key to COUNTRIES or CHECK_LEVELS in
    By adding/setting the check.hideCountries key value to true (default is false) Available countries will not be displayed at all.
    (On the System monitor page the Reload settings from config file button should be clicked after editing

Example settings for 2 Active Directory servers
	"servers": [
			"domain" : "first.domain",
			"url" : "ldap://"
		} ,
			"domain" : "second.domain",
			"url" : "ldap://"
// Don't forget that you have to set it in the <code></code> file in one line.
// Like this: { "servers": [	{"domain" : "first.domain", "url" : "ldap://"} , {"domain" : "second.domain", "url" : "ldap://"} ]}
// We only used multi line example for better readability.

Advanced LDAP settings

Our LDAP configuration object is a list of configurations of LDAP servers. Each server configuration can hold several attributes. Each of them can be left empty, left out from configuration string or can be set to null. In this case, they will be used by their default values. One server holds the following possible settings:

Attribute nameAttribute typeDefault valueExampleExplanation
"ldaps://" or 
The URL where the system can reach the LDAP server.
List of Strings

[ ]

[ "uid={0},dc=mycompany,dc=com", 
"uid={0},ou=internal,dc=mycompany,dc=com" ]

These patterns will be used to find the User by its distinguished name.

The part between the curly brackets will be replaced by the username.

If this setting is left empty, then user distinguished name won't be used in the user authentication.

This element of the LDAP tree will be used as the root element during user group search. In case it is left empty, the root of the LDAP tree will be used.
Only groups that match this criteria will be resolved after authentication.
This element of the LDAP tree will be used as the root element during user search. In case it is left empty, the root of the LDAP tree will be used. If you use userSearchFilter, than you must provide userSearchBase as well.
In case the users are not found by their distinguished name, user search will happen. The part with the curly brackets will be replaced with the username that used to log in. In case of Active Directory, usually sAMAccountName is required to log in. You can not use userSearchFilter without userSearchBase.
"dn=admin,dc=mycompany,dc=com" or 
This is the name of the manager user. This name will be used to bind to the LDAP server. The second format can be used to log in to Active Directory through LDAP.
This is the password of the manager user.
In case the serverURL does not contain the root of the LDAP search, then it can be set here. If it is left empty, then root from URL will be used. Active Directory usually requests root to be set separately for binding.


LDAP config
    "servers" : [{
            "serverUrl" : "ldap://,dc=com",
            "userDNPatterns" : ["uid={0},cn=users,dc=mycompany,dc=com", "uid={0},cn=external,dc=mycompany,dc=com"],
            "groupSearchBase" : "",
            "groupSearchFiler" : "",
            "userSearchBase" : "",
            "userSearchFilter" : "",
            "managerDN" : "uid=admin,cn=sysusers,dc=mycompany,dc=com",
            "managerPassword" : "PASSWORD!",
            "root" : ""
        }, {
            "serverUrl" : "ldaps://,dc=com",
            "userDNPatterns" : [],
            "groupSearchBase" : "",
            "groupSearchFiler" : "",
            "userSearchBase" : "dc=cmp,dc=com",
            "userSearchFilter" : "sAMAccountName={0}",
            "managerDN" : "",
            "managerPassword" : "other_PASSWORD!",
            "root" : "dc=cmp,dc=com"

In the above example, we have a configuration that uses two servers (an LDAP and an Active Directory), and has all attributes. This example means the same as the following:

Shorter Config
    "servers" : [{
            "serverUrl" : "ldap://,dc=com",
            "userDNPatterns" : ["uid={0},cn=users,dc=mycompany,dc=com", "uid={0},cn=external,dc=mycompany,dc=com"],
            "managerDN" : "uid=admin,cn=sysusers,dc=mycompany,dc=com",
            "managerPassword" : "PASSWORD!"
        }, {
            "serverUrl" : "ldaps://,dc=com",
            "userSearchBase" : "dc=cmp,dc=com",
            "userSearchFilter" : "sAMAccountName={0}",
            "managerDN" : "",
            "managerPassword" : "other_PASSWORD!",
			"root" : "dc=cmp,dc=com"

Consider using the sorter config format, since in, the config must be in one single line, like this:

Config in one line
{"servers" : [{"serverUrl" : "ldap://,dc=com", "userDNPatterns" : ["uid={0},cn=users,dc=mycompany,dc=com", "uid={0},cn=external,dc=mycompany,dc=com"], "managerDN" : "uid=admin,cn=sysusers,dc=mycompany,dc=com", "managerPassword" : "PASSWORD!"}, { "serverUrl" : "ldaps://,dc=com", "userSearchBase" : "dc=cmp,dc=com","userSearchFilter" : "sAMAccountName={0}", "managerDN" : "", "managerPassword" : "other_PASSWORD!", "root":"dc=cmp,dc=com"}]}

Merge specific rules into the Knowledge Base

Chemical substances can be checked against some special (e.g. company-specific) rules, too.

MRV files should be created from these rules - with the same data structure as the main Knowledge Base. An MRV file for the specific rules (rule_structures.mrv) and another MRV file for the specific exceptions (exclusion_structures.mrv).

These files should be copied to the ChemAxon_home/compliancechecker/user folder. (I.e. to the "user" subfolder of the "database" folder. The cc_backend startup process creates that folder with empty MRV files - but these files will never be overwritten automatically.)

Compliance Checker should be restarted to merge these specific rules into the main Knowledge Base.

Installing to Multiple Hosts

You can install multiple instances of Eureka, but there should be only one Config server in the system. If you distribute the system you should set the following settings to the services:

Config server

Config server is the route of the hierarchy. It should register with Eureka service. If Eureka does not run in localhost:8761 (8761 is the default Eureka port) then you have to set the following property in the file:


If Eureka runs locally for the Config Server, but it is a remote service for the other services, then you should set the above property with an address that is available for all services, because this setting will be populated to all services.

Eureka server

Eureka server is used by all the services. It uses the Config Server to init itself. If the Config Server does not run in localhost:8888 ( 8888 is the default Config Server port), then you can have to the following property in file:\://<config-server-host>\:<config-server-port>/

Configuring the war files

The main components of the application come in 3 war files: cc-backend.war, cc-bigdata.war, cc-web.war. You can install these services to Servlet 3.0 compatible servlet container, or run by the default runnables.

Every war file uses the Config Server to init itself. If the Config Server does not run in localhost:8888, then you have to set for the components where to find the Config Server. One opportunity is to set the CONFIG_SERVER_URI environment variable, or to edit the WEB_INF/classes/ file of each war file. Or you can set in it in their .vmoptions file, or in an environment variable.

Setting environment variable in unix
	export CONFIG_SERVER_URI = http://<config-server-host>:<config-server-port>/
Setting environment variable in windows command line
	CONFIG_SERVER_URI = http://<config-server-host>:<config-server-port>/
Set environment variables in .vmoption file
Editing file\://<config-server-host>\:<config-server-port>/

This property will be used in startup time to connect to the Config Server and receive all the properties to use in initialization.