Configuring Compliance Checker
Install licenses
Your license.cxl file(s) should be installed as described in the License Management section.
Configure the system
Config Server is a service of Compliance Checker to populate your settings to other servers (cc-web, cc-bigdata and cc-backend). On startup, all of these services require the Config server to load their settings from it. Config server can update some settings on runtime, but others need to be updated by restarting the servers.
To customize the application the configuration can be modified by editing the application.properties file. Any property changed in the application.properties file will affect the appropriate services.
Config server is deployed to the 8888 port by default. If you POST a request (body is not needed) to the server's /refresh/all endpoint it will refresh all services with the new settings.
(Or visit http://localhost:8888/docs/api/swagger/swagger-ui.html#!/refreshing-controller/refreshAllServicesUsingPOST and click the 'Try it' button.)
Default settings
The following default settings can be changed in the application.properties file (in this format, # stands for comments):
# Security provider chooses what settings to use for user authentication
# IN_MEMORY small number of predefined user, only for testing purposes.
# ANONYMOUS no login required.
# LDAP uses LDAP server to log in users
# ACTIVE_DIRECTORY Uses Microsoft's Active Direcotry service for authentication
securityProviderName = IN_MEMORY
# This forces to use HTTPS connections.
securityProviderSecure =
false
# If this is true, SSL certificate of services is not checked.
securityProviderAllowUnsignedCert =
true
# If you leave this empty, all IP is accepted to connect.
securityProviderAllowedIp =
# or PASSIVE.
queueingStrategy = ACTIVE
# measured in milliseconds.
deadJobTreshold = 120000
# change this to SEQUENTIAL and only one checker thread will be used.
executionStrategy = PARALLEL
Database connection settings
The following default database connection settings can also be modified in the application.properties file :
# Number of molecules checked in one run.
chunkSize = 10
# Host of MongoDB.
databaseHost = 127.0.0.1
# Port of MongoDB.
databasePort = 27017
# Name of database in MongoDB.
databaseName =
test
# Name of the user who connects the database.
mongoUser = cxnMongo
# Name of the user who connects the database.
mongoPassword = ccMongoPass
# Set this property to true in case you are using Transport Encryption in your database.
# https://docs.mongodb.com/v3.0/core/security-transport-encryption/
mongoEncryptConnection =
false
Create user for the corresponding database (ccDB is the default)
# use ccDB
db.createUser(
{
user:
"cxnMongo"
,
pwd:
"ccMongoPass"
,
customData:
{
data:
"anydata"
},
roles : [
{
role:
"clusterAdmin"
,
db:
"admin"
},
{
role:
"readAnyDatabase"
,
db:
"admin"
},
"readWrite"
]
}
)
Installing to Multiple Hosts
You can install multiple instances of Eureka, but there should be only one Config server in the system. If you distribute the system you should set the following settings to the services:
Config server
Config server is the route of the hierarchy. It should register with Eureka service. If Eureka does not run in localhost:8761 (8761 is the default Eureka port) then you have to set the following property in the application.properties file:
eureka.client.serviceUrl.defaultZone=http\:
//
<eureka-
hostname
>\:<eureka-port>
/eureka/
If Eureka runs locally for the Config Server, but it is a remote service for the other services, then you should set the above property with an address that is available for all services, because this setting will be populated to all services.
Eureka server
Eureka server is used by all the services. It uses the Config Server to init itself. If the Config Server does not run in localhost:8888 (8888 is the default Config Server port), then you can have to the following property in bootstrap.properties file:
spring.cloud.config.uri=http\:
//
<config-server-host>\:<config-server-port>/
Configuring the war files
The main components of the application come in 3 war files: cc-backend.war, cc-bigdata.war, cc-web.war. You can install these services to Servlet 3.0 compatible servlet container, or run by the default runnables.
Every war file uses the Config Server to init itself. If the Config Server does not run in localhost:8888, then you have to set for the components where to find the Config Server. One opportunity is to set the CONFIG_SERVER_URI environment variable, or to edit the WEB_INF/classes/bootstrap.properties file of each war file. Or you can set in it in their .vmoptions file, or in an environment variable.
export
CONFIG_SERVER_URI = http:
//
<config-server-host>:<config-server-port>/
CONFIG_SERVER_URI = http:
//
<config-server-host>:<config-server-port>/
-DCONFIG_SERVER_URI=http:
//
<config-server-host>:<config-server-port>/
spring.cloud.config.uri=http\:
//
<config-server-host>\:<config-server-port>/
This property will be used in startup time to connect to the Config Server and receive all the properties to use in initialization.
Other settings in application.properties
You can configure other settings for Compliance Checker in the application.properties file.
# These settings set the maximum size of upload for services.
# These properties also affect the maximum size of DB update as well.
spring.http.multipart.maxFileSize=256MB
spring.http.multipart.maxRequestSize=256MB
# The URL of config server
spring.cloud.config.uri=http:
//localhost
:8888/
# The URL of eureka service
eureka.client.serviceUrl.defaultZone=http:
//localhost
:8761
/eureka/
# Security provider chooses what settings to use for user authentication
# IN_MEMORY small number of predefined user, only for testing purposes.
# ANONYMOUS no login required.
# LDAP uses LDAP server to log in users
# ACTIVE_DIRECTORY Uses Microsoft's Active Direcotry service for authentication
common.securityProviderName=IN_MEMORY
# If this setting is set to true then the service only accepts HTTPS connections.
common.securityProviderSecure=
false
#If this is set to false then only HTTPS connections with valid certificates will be accepted.
common.securityProviderAllowUnsignedCert=
true
# Specify that URLs requires a specific IP Address or
# http://forum.springsource.org/showthread.php?102783-How-to-use-hasIpAddress&p=343971#post343971 subnet.
# The IP address (e.g. 192.168.1.79) or local subnet (e.g. 192.168.0/24).
# If it is left empty then every IP can access the services.
common.securityProviderAllowedIp=
# If the servers know nothing about a job, then they mark it as dead, and reschedule to process.
# You can set this checking interval in milliseconds through this variable.
common.deadJobTreshold=120000
# If you use ACTIVE_DIRECTORY, then you can set it's configuration like this:
# {"servers":[{"domain":"your.domain","url":"ldap://server.domain.com"}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array.
# In this array you can set as many Active Directory servers as you want.
# These servers will be checked in this specified order, and the first AD server that can authenticate the user will authenticate.
common.activeDirectoryConfig={
"servers"
:[{
"domain"
:
"your.domain"
,
"url"
:
"ldap://server.domain.com"
}]}
# If you use LDAP, then you can set it's configuration like this:
# {"servers":[{"serverUrl":"ldap://ldap.server.com:389/dc=test,dc=tld","userDNPatterns":["uid={0},cn=users,cn=accounts"],"groupSearchBase":"","managerDN":"uid=cchecker,cn=sysaccounts","managerPassword":"password"}]}
# This is a standard JSON but it has to be in one line. The "servers" property references an array.
# In this array you can set as many LDAP servers as you want.
# These servers will be checked in this specified order, and the first LDAP server that can authenticate the user will authenticate it.
# Properties stands for the following:
# -- "serverURL" -- The URL of the LDAP server
# -- "userDNPatterns" -- The domain name of the users in the LDAP tree
# -- "groupSearchBase" -- Domain name of groups in LDAP tree
# -- "managerDN' -- The domain name of the manager user to query LDAP tree.
# -- "managerPassword" -- The password of manager user.
common.ldapConfig = {
"servers"
:[{
"serverUrl"
:
"ldap://ldap.server.com:389/dc=test,dc=tld"
,
"userDNPatterns"
:[
"uid={0},cn=users,cn=accounts"
],
"groupSearchBase"
:
""
,
"managerDN"
:
"uid=cchecker,cn=sysaccounts"
,
"managerPassword"
:
"password"
}]}
# If you are using IN_MEMORY authentication manager, you can configure it here:
common.inMemoryConfig = {
"users"
:[{
"name"
:
"user"
,
"password"
:
"password"
,
"roles"
:[
"USER"
]}, {
"name"
:
"admin"
,
"password"
:
"adminPass"
,
"roles"
:[
"USER"
,
"ADMIN"
]}, {
"name"
:
"system"
,
"password"
:
"system"
,
"roles"
:[
"SYSTEM"
]}]}
# You can map user groups to ROLEs in CC by this setting.
# We have 3 ROLEs:
# -- USER: everybody who can authenticate to CC.
# -- ADMIN: everybody who can manage CC.
# -- SYSTEM: special group to run automatic system checks.
# This is a standard JSON but it has to be in one line.
# For every property you can add specified group or role names and also any regular expression to map your users.
# In this example everybody will have USER privileges, and users with the group (or ROLE) and cc-admin will have
# ADMIN privileges (every user with the group cc-system will have SYSTEM privileges as well).
common.rolesToGroupsMap={
"userGroups"
:[],
"userPattern"
:
".*"
,
"adminGroups"
:[
"cc-admin"
],
"adminPattern"
:
""
,
"systemGroups"
:[
"cc-system"
],
"systemPattern"
:
""
}
# For automated system communication we need to have a user that can log in to the services.
# This is a very limited privilege user, that we call System user. This user will use one of
# The above mentioned authentication providers, so you must register it in your LDAP / AD server.
common.systemUser=system
common.systemPassword=system
# Search always runs on all available cores.
# If you set this property to PARALLEL, then the system will distinct executors,
# one for all cores, that can boost the overall system performance and can cause a massive CPU load on the server.
# If you use SEQUENTIAL execution strategy then only one executor will run on the server.
# (For search this executor will use all cores, but it creates a smaller CPU load.)
executionStrategy=PARALLEL
# This size determines how many molecules are check in one run.
# If you upload a file with 1000 molecules, and set this property to 25 then the file
# will be cut to 40 pieces, and 40 executors can start working simultaneously:
chunkSize=10
# Host of the database
databaseHost=localhost:
# The port where MongoDB listens for requests:
databasePort=27017
# The name of database in MongoDB:
databaseName=ccDB
# Username of database user:
mongoUser=cxnMongo
# Password of database user:
mongoPassword=ccMongoPass
# Set this property to true in case you are using Transport Encryption in your database.
# https://docs.mongodb.com/v3.0/core/security-transport-encryption/
mongoEncryptConnection =
false
# Compliance Checker services use Hystrix circuit breaker to protect servers from overload.
# You can read more about hystrix settings here: https://github.com/Netflix/Hystrix/wiki/Configuration
hystrix.
command
.default.execution.timeout.enabled=
true
hystrix.threadpool.default.coreSize=10
hystrix.shareSecurityContext=
true
hystrix.
command
.default.execution.isolation.thread.timeoutInMilliseconds=15000
hystrix.threadpool.default.maxQueueSize=100
# Communication is load-balanced through Ribbon classes.
# You can read about ribbon settings here:
# https://github.com/Netflix/ribbon/wiki/Programmers-Guide/ribbon.ReadTimeout=16000
# The URL of the latest database file:
common.autoUpdateUrl=https:
//dl
.chemaxon.com
/cchecker/cc-database
.jar
# The URL of the text file containing the version of the latest database file.
common.autoUpdateVersionUrl=https:
//dl
.chemaxon.com
/cchecker/cc-version
.txt
common.autoUpdateEnabled=
true
spring.profiles.active=native,production
# Enables to schedule the removal of all batch report related data from the database.
# The value should be a cron-like expression, which extends the usual UN*X definition to include triggers
# on the second as well as minute, hour, day of month, month and day of week.
# Example patterns:
# -- "0 0 * * * *" = the top of every hour of every day.
# -- "*/10 * * * * *" = every ten seconds.
# -- "0 0 8-10 * * *" = 8, 9 and 10 o'clock of every day.
# -- "0 * 6,19 * * *" = 6:00 AM and 7:00 PM every day.
# -- "0 0/30 8-10 * * *" = 8:00, 8:30, 9:00, 9:30 and 10 o'clock every day.
# -- "0 0 9-17 * * MON-FRI" = on the hour nine-to-five weekdays
# -- "0 0 0 25 12 ?" = every Christmas Day at midnight
# batch.cleanup.scheduler=0 0 4 * * *
{
"servers"
: [
{
"domain"
:
"first.domain"
,
"url"
:
"ldap://first.com"
} ,
{
"domain"
:
"second.domain"
,
"url"
:
"ldap://second.com"
}
]
}
// Don't forget that you have to set it in the <code>application.properties</code> file in one line.
// Like this: { "servers": [ {"domain" : "first.domain", "url" : "ldap://first.com"} , {"domain" : "second.domain", "url" : "ldap://second.com"} ]}
// We only used multi line example for better readability.