Admin Guide - Compliance Checker

ChemAxon Compliance Checker Installation Guide

System requirements

  • 1.5 GB disk space

  • Servlet Container that supports Servlet 3.0

  • 3.5 GB memory for the Servlet Container

  • Mongo DB 2.6 or higher (Mongo DB 3+ is preferred)

  • 2 GB of memory for MongoDB

  • Java 1.8 (Oracle Java is preferred)

Installing to One Host

Select the release tar file suitable for your OS:

  • debRelease.tar is suitable for Debian like systems (Debian, Ubuntu, ElementaryOS, etc.)

  • rpmRelease.tar is suitable for RedHat like systems (RedHat, Fedora, CentOS, etc.)

Using the install script

The debRelease/rpmRelease TAR file contains the following files/directories:

  • wars directory

  • debs / rpms directory (depending on which archive you choose)

  • install.sh file

In install.sh you can set four parameters, as follows:

  • LICENCE_FILE the location of license.cxl file

  • CONTAINER_HOME the home folder of the servlet container (usually /usr/share/tomcat8 for Tomcat 8)

  • WEBAPPS_FOLDER the folder of web applications (usually /var/lib/tomcat7/webapps/ for Tomcat 7 on Ubuntu and /usr/share/tomcat8/webapps for Tomcat 8 on CentOS)

  • WEBAPP_RUNNER_USER the name of the user that will run the servlet container

You have to set these parameters according to your system settings, and then run the install script with root privileges. This script will do the following steps:

  1. Installs the packages in debs / rpms: copies the jar files into your /var/lib/chemaxon/cc/app-config folder (for app-config) and to /var/lib/cc-eureka (for cc-eureka), and creates links in your /etc/init.d/ folder for them. These jars require Java 8 to run.

  2. Copies the war files from wars directory to the web applications root folder.

  3. Creates the .chemaxon folder in the home for the container running user, and copies the licence file into it.

Configuring system

Config Server is a service of Compliance Checker to populate your settings to other servers (cc-web, cc-bigdata and cc-backend). On startup, all of these services require the config server to load their settings from it. Config server can update some settings during runtime, but others need to be updated by restarting the servers.

After installing Config server as a system service you should have a /var/lib/chemaxon/cc/app-config folder. To be able to customize the application, you have to create here a config sub-directory including an application.properties file in it. Any property changed in the /var/lib/chemaxon/cc/app-config/config/application.properties file will affect the appropriate services. Config server by default is deployed to the 8888 port. If you POST a request (body is not needed) to the server's /refresh/all endpoint it will refresh all services with the new settings.

This can be done with curl like this:
curl -X POST --header "Content-Type: application/json" --header "Accept: */*" "http://localhost:8888/refresh/all"

The default settings you can change in application.properties are as follows (in this format # stands for comment):

# Security provider chooses what settings to use for user authentication
# IN_MEMORY small number of predefined user, only for testing purposes.
# ANONYMOUS no login required.
# LDAP uses LDAP server to log in users
# ACTIVE_DIRECTORY Uses Microsoft's Active Direcotry service for authentication
securityProviderName = IN_MEMORY
 
# This forces to use HTTPS connections.
securityProviderSecure = false  
 
# If this is true, SSL certificate of services is not checked.
securityProviderAllowUnsignedCert = true  
 
# If you leave this empty, all IP is accepted to connect.
securityProviderAllowedIp = 
 
# or PASSIVE.
queueingStrategy = ACTIVE  
 
# measured in milliseconds.
deadJobTreshold = 120000 
 
# change this to SEQUENTIAL and only one checker thread will be used.
executionStrategy = PARALLEL

Settings of database connection

The database connection settings can also be set in application.properties; the following settings are the defaults:

# Number of molecules checked in one run.
chunkSize = 10
 
# Host of MongoDB.
databaseHost = 127.0.0.1
 
# Port of MongoDB.
databasePort = 27017
 
# Name of database in MongoDB.
databaseName = test
 
# Name of the user who connects the database.
mongoUser = cxnMongo
 
# Name of the user who connects the database.
mongoPassword = ccMongoPass
 
# Set this property to true in case you are using Transport Encryption in your database. https://docs.mongodb.com/v3.0/core/security-transport-encryption/
mongoEncryptConnection = false
Creating user in MongoDB
db.createUser(
{
user:"cxnMongo",
pwd:"ccMongoPass",
customData:
{
data:"anydata"
},
roles : [
{
role: "clusterAdmin",
db: "admin"
},
{
role: "readAnyDatabase",
db: "admin"
},
"readWrite"
]
}
)

Installing to Multiple Hosts

You can install multiple instances of Eureka, but there should be only one Config server in the system. If you distribute the system you should set the following settings to the services:

Config server

Config server is the route of the hierarchy. It should register with Eureka service. If Eureka does not run in localhost:8761 (8761 is the default Eureka port) then you have to set the following property in /var/lib/chemaxon/cc/app-config/config/application.properties:

eureka.client.serviceUrl.defaultZone=http\://<eureka-hostname>\:<eureka-port>/eureka/

If Eureka runs locally for the Config Server, but it is a remote service for the other services, then you should set the above property with an address that is available for all services, because this setting will be populated to all services.

Eureka server

Eureka server is used by all the services. It uses the Config Server to init itself. If the Config Server does not run in localhost:8888 (8888 is the default Config Server port), then you can have to the following property in /var/lib/chemaxon/cc/eureka/config/bootstrap.properties:

spring.cloud.config.uri=http\://<config-server-host>\:<config-server-port>/

Configuring the war files

The main components of the application come in 3 war files: cc-backend.war, cc-bigdata.war, cc-web.war. You have to install these services to Servlet 3.0 compatible servlet container.

Every war file uses the Config Server to init itself. If the Config Server does not run in localhost:8888, then you have to set for the war files where to look for the Config Server. One opportunity is to set the CONFIG_SERVER_URI environment variable, or to edit the WEB_INF/classes/bootstrap.properties file of each war file.

Setting environment variable
export CONFIG_SERVER_URI = http://<config-server-host>:<config-server-port>/
editing to bootstrap.properties file
spring.cloud.config.uri=http\://<config-server-host>\:<config-server-port>/

This property will be used in startup time to connect to the Config Server and receive all the properties to use in initialization.

Special features

This product is shipped with MarvinJS as a chemical editor. For full MarvinJS functionalities you should install JChem Web Services as webservices2.war to the same server as cc-web.war. To set the license for MarvinJS, please read the "For MarvinJS useres (wihouth JChem Webservices) section of the "CONFIDENTIAL_-_Setup_Marvin_JS_license.pdf" (attached).

Settings of Compliance Checker

You can set the following things for Compliance Checker:

# These settings set the maximum size of upload for services. These properties also effect the maximum size of DB update as well.
multipart.maxFileSize=256MB
multipart.maxRequestSize=256MB
 
# The URL of config server
spring.cloud.config.uri=http://some.domain.com:8888/
 
# The URL of eureka service
eureka.client.serviceUrl.defaultZone=http://some.domain.com:8761/eureka/
 
# Security provider chooses what settings to use for user authentication
# IN_MEMORY small number of predefined user, only for testing purposes.
# ANONYMOUS no login required.
# LDAP uses LDAP server to log in users
# ACTIVE_DIRECTORY Uses Microsoft's Active Direcotry service for authentication
common.securityProviderName=IN_MEMORY
 
# If this setting is set to true then the service only accepts HTTPS connections.
common.securityProviderSecure=false
 
#If this is set to false then only HTTPS connections with valid certificates will be accepted.
common.securityProviderAllowUnsignedCert=true;
 
# Specify that URLs requires a specific IP Address or http://forum.springsource.org/showthread.php?102783-How-to-use-hasIpAddress&p=343971#post343971 subnet.
# the ip address (i.e. 192.168.1.79) or local subnet (i.e. 192.168.0/24) if it is left empty then every IP can access the services.
common.securityProviderAllowedIp=
 
# If the servers know nothing about a job, then they mark it as dead, and reschedule to process. You can set this checking interval in milliseconds
# through this variable.
common.deadJobTreshold=120000
 
# If you use ACTIVE_DIRECTORY, then you can set it's configuration like this: {"servers":[{"domain":"your.domain","url":"ldap://server.domain.com"}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array. In this array you can set as many Active Directory
# servers as you want. These servers will be checked in this specified order, and the first AD server that can authenticate the user will authenticate.
common.activeDirectoryConfig={"servers":[{"domain":"your.domain","url":"ldap://server.domain.com"}]}
 
# If you use LDAP, then you can set it's configuration like this: 
# {"servers":[{"serverUrl":"ldap://ldap.server.com:389/dc=test,dc=tld","userDNPatterns":["uid={0},cn=users,cn=accounts"],"groupSearchBase":"","managerDN":"uid=cchecker,cn=sysaccounts","managerPassword":"password"}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array. In this array you can set as many LDAP servers as you want. 
# These servers will be checked in this specified order, and the first LDAP server that can authenticate the user will authenticate it.
# The properties stands for the following:
# "serverURL" -- The URL of the LDAP server
# "userDNPatterns" -- The domain name of the users in the LDAP tree
# "groupSearchBase" -- Domain name of groups in LDAP tree
# "managerDN' -- The domain name of the manager user to query LDAP tree.
# "managerPassword" -- The password of manager user.
common.ldapConfig = {"servers":[{"serverUrl":"ldap://ldap.server.com:389/dc=test,dc=tld","userDNPatterns":["uid={0},cn=users,cn=accounts"],"groupSearchBase":"","managerDN":"uid=cchecker,cn=sysaccounts","managerPassword":"password"}]}
 
# You can map user groups to ROLEs in CC by this setting. We have 3 roles:
# USER: everybody who can authenticate to CC.
# ADMIN: everybody who can manage CC.
# SYSTEM: special group to run automatic system checks.
# This is a standard JSON but it has to be in one line. For every property you can add concrete group or role names and also any regular expression to map your users.
# In this example everybody will have USER privileges, and users with the group (or role) cc-admin will have ADMIN privileges (every user with the group cc-system will 
# have SYSTEM privileges as well).
common.rolesToGroupsMap={"userGroups":[],"userPattern":".*","adminGroups":["cc-admin"],"adminPattern":"","systemGroups":["cc-system"],"systemPattern":""}
 
# For automated system communication we need to have a user that can log in to the services.
# this is a very limited privilege user, that we call System user. This user will use one of 
# the above mentioned authentication providers, so you must register it in your LDAP / AD server.
common.systemUser=SystemUserName
common.systemPassword=PasswordOfSystemUser
 
 
# Search always runs on all available core. If you set this property to PARALLEL, then the system will distinct executors, one for all cores, that can boost the over all system
# performance and can cause a massive CPU load on server. If you use SEQUENTIAL execution strategy then only one executor will run on the server. (For search this executor will
# use all cores, but it creates a smaller CPU load.)
executionStrategy=PARALLEL
 
# This size determines how many molecules are check in one run.
# If you upload a file with 1000 molecules, and set this property to 25 then the file will be cut to 40 pieces, and 40 executors can start working simultaneously.
chunkSize=10
 
# Host of the database
databaseHost=db.host.com
 
# The port where MongoDB listens for requests
databasePort=27017
 
# The name of database in MongoDB
databaseName=ccDB
 
# Username of database user.
mongoUser=cxnMongo
 
# Password of database user.
mongoPassword=ccMongoPass
 
# Set this property to true in case you are using Transport Encryption in your database. https://docs.mongodb.com/v3.0/core/security-transport-encryption/
mongoEncryptConnection=false
 
# Compliance Checker services use Hystrix circuit breaker to protect servers from overload.
# You can read more about hystrix settings here: https://github.com/Netflix/Hystrix/wiki/Configuration
hystrix.command.default.execution.timeout.enabled=true
hystrix.threadpool.default.coreSize=10
 
 
# Communication is load-balanced through Ribbon classes.
# You can read about ribbon settings here: https://github.com/Netflix/ribbon/wiki/Programmers-Guide
ribbon.ReadTimeout=6000
Example settings for 2 Active Directory servers
{
"servers": [
{
"domain" : "first.domain",
"url" : "ldap://first.com"
} ,
{
"domain" : "second.domain",
"url" : "ldap://second.com"
}
]
}
 
// Don't forget that you have to set it in the application.properties file in one line.
// Like this: { "servers": [ {"domain" : "first.domain", "url" : "ldap://first.com"} , {"domain" : "second.domain", "url" : "ldap://second.com"} ]}
// We only used multi line example for better readability.