Page tree


Install licenses


Your license.cxl file(s) should be installed as described in the License Management section.

Configuring the system


Config Server
is a service of Compliance Checker to populate your settings to other servers (cc-web, cc-bigdata and cc-backend). On startup, all of these services require the Config server to load their settings from it. Config server can update some settings on runtime, but others need to be updated by restarting the servers. 
Config server is deployed to the 8888port by default. If youPOSTa request (body is not needed) to the server's /refresh/all endpoint it will refresh all services with the new settings.
(Or visit http://localhost:8888/docs/api/swagger/swagger-ui.html#!/refreshing-controller/refreshAllServicesUsingPOST and click the 'Try it' button.)

To customize the application the configuration can be modified by editing the application.properties file. Any property changed in the application.properties file will affect the appropriate services. At the clean install the settings in application.properties.default will be copied to the application.properties file.

At upgrading the software - i.e. installing the new software version - the application.properties file will never be overwritten. So your already customized configuration will not be changed!

Creating user for the database (ccDB is the default)

Creating user in MongoDB
# THE DEFAULT DATABASE IS "ccDB". (TO USE THIS, PLEASE UNCOMMENT THE NEXT LINE.)
# use ccDB

db.createUser(
 {
  user:"cxnMongo", 
  pwd:"ccMongoPass", 
  customData: 
   {
    data:"anydata"
   }, 
  roles : [ 
     { 
      role: "clusterAdmin", 
      db: "admin" 
     },
     { 
      role: "readAnyDatabase", 
      db: "admin" 
     },
     "readWrite"
    ] 
 }
)


Default settings in application.properties

The following default settings in application.properties.default can be modified in the application.properties file (in this format, # stands for comments):

Authentication

Authentication
# Security provider chooses what settings to use for user authentication
## LDAP: uses LDAP server to log in users
## ACTIVE_DIRECTORY: Uses Microsoft's Active Direcotry service for authentication
## IN_MEMORY: small number of predefined users, only for testing purposes
## ANONYMOUS: no login required
	common.securityProviderName = IN_MEMORY
 
# If this setting is set to true then the service only accepts HTTPS connections 
	common.securityProviderSecure = false  
 
# If this is set to false then only HTTPS connections with valid certificates will be accepted.
	common.securityProviderAllowUnsignedCert = true   
 
# This setting is to specify that the URL requires a specific IP address (e.g. 192.168.1.79) or a local subnet (e.g. 192.168.0/24).
# (http://forum.springsource.org/showthread.php?102783-How-to-use-hasIpAddress&p=343971#post343971)
# If it is left empty then every IP can access the services.  
	common.securityProviderAllowedIp = 



Database connection settings

The following default database connection settings can also be modified in the application.properties file :

# Host of MongoDB.  
	databaseHost = 127.0.0.1
 
# Port of MongoDB.
	databasePort = 27017
 
# Name of database in MongoDB.
	databaseName = test
 
# Name of the user who connects the database.
	mongoUser = cxnMongo
 
# Name of the user who connects the database.
	mongoPassword = ccMongoPass 
 
# Set this property to true in case you are using Transport Encryption in your database. 
# https://docs.mongodb.com/v3.0/core/security-transport-encryption/
	mongoEncryptConnection = false
Connecting to a MongoDB cluster cloud

Connection to a MongoDB cluster cloud (MongoDB Atlas, Amazon DocumentDB) can be configured by inserting the provided mongoDB URI to the application.properties file:

#spring.data.mongodb.uri=<URI PROVIDED BY CLOUD SERVICE>

For DocumentDB the PEM file should be downloaded, too. (See https://docs.aws.amazon.com/documentdb/latest/developerguide/getting-started.connect.html )
This PEM file should be added to the trusted store:
keytool -import -keystore cacerts -file <PATH TO rds-combined-ca-bundle.pem>

File check settings

FILE CHECK SETTINGS
# These settings set the maximum size of upload for services. These properties also effect the maximum size of DB update as well.
spring.servlet.multipart.max-file-size=256MB
spring.servlet.multipart.max-request-size=256MB


# Search always runs on all available cores.
# If you use PARALLEL, then the system will distinct executors, one for all cores, that can boost the overall system performance and can cause a massive CPU load on server.
# If you use SEQUENTIAL execution strategy then only one executor will run on the server. (For search this executor will use all cores, but it creates a smaller CPU load.)
executionStrategy=PARALLEL


# The priority of Single check and Batch check can be configured by setting *.threadPriority key values between 1 (minimum) and 10 (maximum) priority.
# Default values are 5 for single 3 for batch.
check.single.threadPriority=5
check.batch.threadPriority=3


# This size determines how many molecules are checked in one run.
# If you upload a file with 1000 molecules, and set this property to 25 then the file will be cut to 40 pieces, and 40 executors can start working simultaneously.
chunkSize=10


# The maximum number of heavy atoms in a molecule that should be checked.
check.structure.maxAtomCount=200


# Speed up of checking Markush structures
searchEngine.enableMarkushAnalyzer=true


Timeout settings

TIMEOUT SETTINGS
# Session timeout settings in seconds or minutes (m)
server.servlet.session.timeout=120m


# If the servers know nothing about a job, then they mark it as dead, and reschedule to process. You can set this checking interval in milliseconds
# through this variable.
common.deadJobTreshold=120000


# Time limit in milliseconds for checking compliance of one target molecule against all selected rules.
# If check reaches this limit then search with the given target is stopped and it is added to the list of errors.
searchEngine.check.timeLimit=10000


# Time limit in milliseconds for checking compliance of one target molecule against one query substance.
# If the check against a substance reaches this limit then checking the given target is stopped and the given target molecule is added to the list of errors.
searchEngine.molSearch.timeLimit=60000

# Communication is load-balanced through Ribbon classes. 
# (https://github.com/Netflix/ribbon/wiki/Programmers-Guide/)
ribbon.ReadTimeout=16000


Hystrix settings

HYSTRIX SETTINGS
# Compliance Checker services use Hystrix circuit breaker to protect servers from overload.
# You can read more about hystrix settings here: https://github.com/Netflix/Hystrix/wiki/Configuration
hystrix.command.default.execution.timeout.enabled=true
hystrix.threadpool.default.coreSize=10
hystrix.threadpool.default.maxQueueSize=100
hystrix.threadpool.default.queueSizeRejectionThreshold=90
hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds=15000
hystrix.shareSecurityContext=true
feign.hystrix.enabled=true


Other settings in application.properties

You can configure other settings for Compliance Checker in the application.properties file.

URL of config server and eureka service
URL OF CONFIG AND EUREKA
# The URL of config server
spring.cloud.config.uri=http://localhost:8888/

# The URL of eureka service
eureka.client.serviceUrl.defaultZone=http://localhost:8761/eureka/
Auto-check/auto-update the latest KB version

LATEST KB CHECK
# The URL of the latest database file: 
common.autoUpdateUrl=https://dl.chemaxon.com/cchecker/cc-database.jar 

# The URL of the text file containing the version of the latest database file. common.autoUpdateVersionUrl=https://dl.chemaxon.com/cchecker/cc-version.txt 
common.autoUpdateEnabled=true 

# Enables to schedule the knowledge base update automatically.
# The value should be a cron-like expression, which extends the usual UN*X definition to include triggers
# on the second as well as minute, hour, day of month, month and day of week.
# Example patterns:
# "0 0 * * * *" = the top of every hour of every day.
# "*/10 * * * * *" = every ten seconds.
# "0 0 8-10 * * *" = 8, 9 and 10 o'clock of every day.
# "0 * 6,19 * * *" = 6:00 AM and 7:00 PM every day.
# "0 0/30 8-10 * * *" = 8:00, 8:30, 9:00, 9:30 and 10 o'clock every day.
# "0 0 9-17 * * MON-FRI" = on the hour nine-to-five weekdays
# "0 0 0 25 12 ?" = every Christmas Day at midnight
common.autoUpdateScheduler=0 0 0 * * MON-FRI


User roles

Roles - with special privileges - can be assigned to different user groups.

  • USER: Can execute Single and File checks - against all Countries and those User-defined category groups which are not restricted for the USER by the CONTENT_MANAGER or by the ADMIN.
  • EXPERT_USER: Can execute Single and File checks - against all Countries and those User-defined category groups which are not restricted for the EXPERT_USER by the CONTENT_MANAGER or by the ADMIN.
  • CONTENT_MANAGER: Can execute Single and File checks and has limited access to the Administration functions:
    -- User-defined category group editor: Select categories and make restrictions for the USER and/or EXPERT_USER roles,
    -- User-defined category editor
    -- Database update history
    -- Report template editor
  • ADMIN: Has access to all administration functions.
  • SYSTEM: A special group to run automatic system checks - with very limited privileges.

Roles can be assigned directly to special users by setting the value of the config key. The value should be a comma separated list of ROLES.
(E.g.: roles.username=EXPERT_USER,CONTENT_MANAGER)

Category group access can be controlled according to ROLES.

USER ROLES
# USER ROLES
# User groups can be mapped to the following Roles:
# - USER: Can execute Single and File checks - against all Countries and those User-defined category groups 
# which are not restricted for the USER by the CONTENT_MANAGER or by the ADMIN.
# - EXPERT_USER: Can execute Single and File checks - against all Countries and those User-defined category groups 
# which are not restricted for the EXPERT_USER by the CONTENT_MANAGER or by the ADMIN.
# - CONTENT_MANAGER: Has limited access to the Administration functions: 
#   -- User-defined category group editor: Select categories and make restrictions for the USER and/or EXPERT_USER roles,
#   -- User-defined category editor
#   -- Database update history
#   -- Report template editor
# - ADMIN: Has access to all administration functions
# - SYSTEM: A special group to run automatic system checks
# For automated system communication we need to have a SYSTEM user that can log in to the services.
# The SYSTEM user - with very limited privileges - will use one of the authentication providers 
# mentioned below, so you must register it in your LDAP / AD server.
	common.systemUser=system
	common.systemPassword=system

# Roles - with special privileges - can be assigned to different user groups:
	common.rolesToGroupsMap={"userGroups":["<CCUserGroup>"],"userPattern":"","expertUserGroups":["<CCExpertUserGroup>"],"expertUserPattern":"","contentManagerGroups":["<CCContentManagers>"],"contentManagerPattern":"","adminGroups":["<CCAdmins>"],"adminPattern":"","systemGroups":["<CCSystems>"],"systemPattern":""}

 
# Configuring ROLES
# - FOR LDAP
# If you use LDAP, then you can set it's configuration like this: 
#	{"servers":[{"serverUrl":"ldap://ldap.server.com:389/dc=test,dc=tld","userDNPatterns":["uid={0},cn=users,cn=accounts"],"groupSearchBase":"","managerDN":"uid=cchecker,cn=sysaccounts","managerPassword":"<password>"}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array. In this array you can set as many LDAP servers as you want. 
# These servers will be checked in this specified order, and the first LDAP server that can authenticate the user will authenticate it.
# The properties stands for the following:
# "serverURL" -- The URL of the LDAP server
# "userDNPatterns" -- The domain name of the users in the LDAP tree
# "groupSearchBase" -- Domain name of groups in LDAP tree
# "managerDN' -- The domain name of the manager user to query LDAP tree.
# "managerPassword" -- The password of manager user.
	common.ldapConfig = {"servers":[{"serverUrl":"ldap://ldap.server.com:389/dc=test,dc=tld","userDNPatterns":["uid={0},cn=users,cn=accounts"],"groupSearchBase":"","managerDN":"uid=cchecker,cn=sysaccounts","managerPassword":"<password>"}]}

# - FOR ACTIVE_DIRECTORY
# If you use ACTIVE_DIRECTORY, then you can set you can set it's configuration like this: 
#	{"servers":[{"domain":"your.domain","url":"ldap://server.domain.com"}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array. 
# In this array you can set as many Active Directory servers as you want. 
# These servers will be checked in this specified order, and the first AD server that can authenticate the user will authenticate.
	common.activeDirectoryConfig={"servers":[{"domain":"your.domain","url":"ldap://server.domain.com"}]}

# - FOR IN_MEMORY
# If you are using IN_MEMORY authentication manager, you can configure it like this:
#	{"users":[{"name":"<user>","password":"<userpwd>","roles":["USER"]}, {"name":"<admin>","password":"<adminpwd>","roles":["ADMIN"]}, {"name":"contentmanager", "<password>": "<contentmanagerpwd>", "roles":["CONTENT_MANAGER"]}, {"name":"expertuser", "<password>": "<expertuserpwd>", "roles":["EXPERT_USER"]}, {"name":"system","<password>":"system","roles":["SYSTEM"]}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array. 
	common.inMemoryConfig={"users":[{"name":"user","password":"userpwd","roles":["USER"]}, {"name":"admin","password":"adminpwd","roles":["ADMIN"]}, {"name":"contentmanager", "password": "contentmanagerpwd", "roles":["CONTENT_MANAGER"]}, {"name":"expertuser", "password": "expertuserpwd", "roles":["EXPERT_USER"]}, {"name":"system","password":"systempwd","roles":["SYSTEM"]}]}

# - DIRECT ROLE ASSIGN
# Roles can be assigned directly to special users by setting the value of the config key.
# The value should be a comma separated list of ROLES. 
# Currently available roles are: USER, EXPERT_USER, CONTENT_MANAGER, ADMIN, SYSTEM.
#	roles.<username>=<roles>

Default regulation categories

Admin can select Available countries or Selected check levels to be displayed in Regulation categories by setting check.default.regulationCategories key to COUNTRIES or CHECK_LEVELS in  application.properties.
By adding/setting the check.hideCountries key value to true (default is false) Available countries will not be displayed at all.
(On the System monitor page the Reload settings from config file button should be clicked after editing application.properties.)

Default regulation categories
# The default view for Regulation Categories. Valid values are: COUNTRIES, CHECK_LEVELS
#check.default.regulationCategories=CHECK_LEVELS


# Setting this to true will only display the check levels as selectable categories on the check pages
#check.hideCountries=true


Default report format

The default Report format can be set by the Admin by adding HTML, PDF, SDF, MRV or XLSX value to the batch.default.reportFormat key in application.properties.
(User's last selection is saved in the mongo DB and will not be modified.)

Default report format
# The default report format for batch checks. Valid values are: HTML,PDF,SDF,MRV,XLSX
#batch.default.reportFormat=HTML 
JSON reports' config

JSON REPORTS
# Comma separated list of fields to be included in the JSON reports.

# Including only needed fields in JSON reports can greatly increase the speed of report generation

# To include child fields, parent fields also have to be listed

# If none of the listed fields are present in the result or the config key is not set
# then the full result will be added to the report

# Example: 
# [ 
#    [
#       { 
#          "segments":[ 
#             { 
#                "categoryName":"catName", 
#                "categoryCode":1234 
#             } 
#          ], 
#          "inputProperties":{ 
#             "ID":"123", 
#             "Name":"Name" 
#          } 
#       } 
#    ] 
# ] 

#
 To include only the categoryCode and ID in the JSON report from the above example result 
# the following configuration has to be made: 
#json.report.fields=segments,categoryCode,inputProperties,ID 
Scheduled removal of all File-check data

FILE-CHECK CLEANUP SCHEDULER
# Enables to schedule the removal of all check related data from the database.
# The value should be a cron-like expression, which extends the usual UN*X definition to include triggers
# on the second as well as minute, hour, day of month, month and day of week.

# Example patterns:
# "0 0 * * * *" = the top of every hour of every day.
# "*/10 * * * * *" = every ten seconds.
# "0 0 8-10 * * *" = 8, 9 and 10 o'clock of every day.
# "0 * 6,19 * * *" = 6:00 AM and 7:00 PM every day.
# "0 0/30 8-10 * * *" = 8:00, 8:30, 9:00, 9:30 and 10 o'clock every day.
# "0 0 9-17 * * MON-FRI" = on the hour nine-to-five weekdays
# "0 0 0 25 12 ?" = every Christmas Day at midnight
#batch.cleanup.scheduler=0 0 4 * * *


Advanced LDAP settings

Our LDAP configuration object is a list of configurations of LDAP servers.
Each server configuration can hold several attributes. Each of them can be left empty, left out from configuration string or can be set to null.
In this case, they will be used by their default values.
One server holds the following possible settings:

Attribute nameAttribute typeDefault valueExampleExplanation
serverUrl
String
ldap://localhost:389
"ldaps://ldap.mycompany.com:621" or 
"ldap://ldap2.cmp.com/dc=cmp,dc=com"
The URL where the system can reach the LDAP server.
userDNPatterns
List of Strings

[ ]

[ "uid={0},dc=mycompany,dc=com", 
"uid={0},ou=internal,dc=mycompany,dc=com" ]

These patterns will be used to find the User by its distinguished name.

The part between the curly brackets will be replaced by the username.

If this setting is left empty, then user distinguished name won't be used in the user authentication.

groupSearchBase
String
""
"ou=InternalGroups,dc=mycompany,dc=com"
This element of the LDAP tree will be used as the root element during user group search. In case it is left empty, the root of the LDAP tree will be used.
groupSearchFilter
String
""
"ou=ExternalGroups"
Only groups that match this criteria will be resolved after authentication.
userSearchBase
String
""
"ou=Users,dc=mycompany,dc=com"
This element of the LDAP tree will be used as the root element during user search. In case it is left empty, the root of the LDAP tree will be used. If you use userSearchFilter, than you must provide userSearchBase as well.
userSearchFilter
String
""
"sAMAccountName={0}"
In case the users are not found by their distinguished name, user search will happen. The part with the curly brackets will be replaced with the username that used to log in. In case of Active Directory, usually sAMAccountName is required to log in. You can not use userSearchFilter without userSearchBase.
managerDN
String
""
"dn=admin,dc=mycompany,dc=com" or 
"admin@mycompany.com"
This is the name of the manager user. This name will be used to bind to the LDAP server. The second format can be used to log in to Active Directory through LDAP.
managerPassword
String
""
"s3cr3tp455w0rd"
This is the password of the manager user.
root
String
""
"dc=mycompany,dc=com"
In case the serverURL does not contain the root of the LDAP search, then it can be set here. If it is left empty, then root from URL will be used. Active Directory usually requests root to be set separately for binding.

Example config for two (LDAP and Active Directory) servers 

This configuration uses two servers (an LDAP and an Active Directory) and has all attributes:

LDAP config
{
    "servers" : [{
            "serverUrl" : "ldap://ldap1.mycompany.com/dc=mycompany,dc=com",
            "userDNPatterns" : ["uid={0},cn=users,dc=mycompany,dc=com", "uid={0},cn=external,dc=mycompany,dc=com"],
            "groupSearchBase" : "",
            "groupSearchFiler" : "",
            "userSearchBase" : "",
            "userSearchFilter" : "",
            "managerDN" : "uid=admin,cn=sysusers,dc=mycompany,dc=com",
            "managerPassword" : "PASSWORD!",
            "root" : ""
        }, {
            "serverUrl" : "ldaps://ad.mycompany.com/dc=cmp,dc=com",
            "userDNPatterns" : [],
            "groupSearchBase" : "",
            "groupSearchFiler" : "",
            "userSearchBase" : "dc=cmp,dc=com",
            "userSearchFilter" : "sAMAccountName={0}",
            "managerDN" : "Administrator@cmp.com",
            "managerPassword" : "other_PASSWORD!",
            "root" : "dc=cmp,dc=com"
        }
    ]
}


This means the same as the following:

Shorter Config
{
    "servers" : [{
            "serverUrl" : "ldap://ldap1.mycompany.com/dc=mycompany,dc=com",
            "userDNPatterns" : ["uid={0},cn=users,dc=mycompany,dc=com", "uid={0},cn=external,dc=mycompany,dc=com"],
            "managerDN" : "uid=admin,cn=sysusers,dc=mycompany,dc=com",
            "managerPassword" : "PASSWORD!"
        }, {
            "serverUrl" : "ldaps://ad.mycompany.com/dc=cmp,dc=com",
            "userSearchBase" : "dc=cmp,dc=com",
            "userSearchFilter" : "sAMAccountName={0}",
            "managerDN" : "Administrator@cmp.com",
            "managerPassword" : "other_PASSWORD!",
			"root" : "dc=cmp,dc=com"
        }
    ]
}


Consider using the shorter config format because in application.properties, the config must be in one single line, like this:

Config in one line
{"servers" : [{"serverUrl" : "ldap://ldap1.mycompany.com/dc=mycompany,dc=com", "userDNPatterns" : ["uid={0},cn=users,dc=mycompany,dc=com", "uid={0},cn=external,dc=mycompany,dc=com"], "managerDN" : "uid=admin,cn=sysusers,dc=mycompany,dc=com", "managerPassword" : "PASSWORD!"}, { "serverUrl" : "ldaps://ad.mycompany.com/dc=cmp,dc=com", "userSearchBase" : "dc=cmp,dc=com","userSearchFilter" : "sAMAccountName={0}", "managerDN" : "Administrator@cmp.com", "managerPassword" : "other_PASSWORD!", "root":"dc=cmp,dc=com"}]}

Example for two
 Active Directory servers

Example settings for 2 Active Directory servers
{
	"servers": [
		{
			"domain" : "first.domain",
			"url" : "ldap://first.com"
		} ,
		{
			"domain" : "second.domain",
			"url" : "ldap://second.com"
		} 
	]
}
 
// Don't forget that you have to set it in the <code>application.properties</code> file in one line.
// Like this: { "servers": [	{"domain" : "first.domain", "url" : "ldap://first.com"} , {"domain" : "second.domain", "url" : "ldap://second.com"} ]}
// We only used multi line example for better readability.

Merge specific rules into the Knowledge Base

Chemical substances can be checked against some special (e.g. company-specific) rules, too.

MRV files should be created from these rules - with the same data structure as the main Knowledge Base. An MRV file for the specific rules (rule_structures.mrv) and another MRV file for the specific exceptions (exclusion_structures.mrv).

These files should be copied to the ChemAxon_home/compliancechecker/user folder. (I.e. to the "user" subfolder of the "database" folder. The cc_backend startup process creates that folder with empty MRV files - but these files will never be overwritten automatically.)

Compliance Checker should be restarted to merge these specific rules into the main Knowledge Base.

Installing to Multiple Hosts

You can install multiple instances of Eureka, but there should be only one Config server in the system. If you distribute the system you should set the following settings to the services:

Config server

Config server is the route of the hierarchy. It should register with Eureka service. If Eureka does not run in localhost:8761 (8761 is the default Eureka port) then you have to set the following property in the application.properties file:

	eureka.client.serviceUrl.defaultZone=http\://<eureka-hostname>\:<eureka-port>/eureka/


If Eureka runs locally for the Config Server, but it is a remote service for the other services, then you should set the above property with an address that is available for all services, because this setting will be populated to all services.

Eureka server

Eureka server is used by all the services. It uses the Config Server to init itself. If the Config Server does not run in localhost:8888 (8888 is the default Config Server port), then you can have to the following property in bootstrap.properties file:

	spring.cloud.config.uri=http\://<config-server-host>\:<config-server-port>/

Configuring the war files

The main components of the application come in 3 war files: cc-backend.war, cc-bigdata.war, cc-web.war. You can install these services to Servlet 3.0 compatible servlet container, or run by the default runnables.

Every war file uses the Config Server to init itself. If the Config Server does not run in localhost:8888, then you have to set for the components where to find the Config Server. One opportunity is to set the CONFIG_SERVER_URI environment variable, or to edit the WEB_INF/classes/bootstrap.properties file of each war file. Or you can set in it in their .vmoptions file, or in an environment variable.

Setting environment variable in unix
	export CONFIG_SERVER_URI = http://<config-server-host>:<config-server-port>/
Setting environment variable in windows command line
	CONFIG_SERVER_URI = http://<config-server-host>:<config-server-port>/
Set environment variables in .vmoption file
	-DCONFIG_SERVER_URI=http://<config-server-host>:<config-server-port>/
Editing bootstrap.properties file
	spring.cloud.config.uri=http\://<config-server-host>\:<config-server-port>/

This property will be used in startup time to connect to the Config Server and receive all the properties to use in initialization.