CERF for IT

A Server Your IT Team Will Actually Approve

CERF is built on Java, Apache Tomcat, and standard SQL databases — technology your IT team already knows, already trusts, and already has policies for. It runs on your infrastructure, under your control, with no external dependencies, no cloud lock-in, and no surprises.

  • Java 25: core platform, latest LTS release
  • 3 OS: Windows / Mac / Linux, server & client
  • Zero external calls required: fully self-contained
  • 5 DB: database options MySQL · MariaDB · PostgreSQL · SQL Server · Oracle
  • Air-gap capable deployment: sealed LAN supported

Built on Industry-Standard Open-Source Components

CERF is built entirely on open-source, industry-standard technologies — the same stack that runs enterprise applications across every major industry. There is no proprietary middleware, no vendor-locked runtime, and no component whose continued availability depends on the commercial fate of a single company.

The core stack is Java 25 (we recommend Eclipse Temurin), Apache Tomcat 11, and MySQL 9 by default. Apache ActiveMQ handles internal messaging and LibreOffice runs headlessly for document conversion. Every component is well-documented, widely understood, and supported by a large community.

If your organization already runs MariaDB, PostgreSQL, Microsoft SQL Server, or Oracle, CERF can use any of them in place of MySQL. The application layer is database-agnostic via JPA/Hibernate, and configuration templates are provided for all supported databases.

  • Java 25 (Eclipse Temurin recommended) — the latest Long-Term Support release. CERF stays current with the Java LTS cycle, ensuring access to the latest security patches and performance improvements.
  • Apache Tomcat 11 — bundled within the CERF distribution. No separate Tomcat installation required. Handles all client-server HTTP/HTTPS communication.
  • MySQL 9 (default) — or your existing MariaDB, PostgreSQL, Microsoft SQL Server, or Oracle instance. The CERF database is lightweight — rarely exceeding 10 GB even after years of active use.
  • Apache ActiveMQ 6 — bundled, used for internal notifications and background task management. Communicates on TCP port 61616.
  • LibreOffice — manages document format conversion and PDF generation in headless mode. Communicates on port 8100 (local to the CERF server machine only).
  • All open-source, no proprietary dependencies — CERF does not depend on any externally hosted service, license server, or commercial third-party runtime to operate.
  • Cloud deployment — deploy on any cloud provider of your choice: AWS, Azure, GCP, or any VPS running a supported Windows or Linux distribution. Lab-Ally can also host and manage a private AWS instance on your behalf.
  • On-premise deployment — install CERF on your own physical or virtual server for maximum control. For maximum longevity, Lab-Ally recommends a dedicated physical host. The CERF server requires minimal ongoing IT maintenance once deployed.
  • Sealed LAN / air-gap deployment — CERF makes no required external calls. It can operate on a completely isolated local area network with no internet connectivity whatsoever — meeting the most stringent requirements of defense, clinical, and pharmaceutical organizations.
  • Physical or virtual hosts — CERF runs on physical servers, virtual machines, and cloud instances. VMware, Hyper-V, and major cloud hypervisors are all supported.
  • Database-agnostic — compatible with MySQL (bundled), MariaDB, PostgreSQL, Microsoft SQL Server, and Oracle. Use your existing database infrastructure if preferred.
  • Native file storage — data files are stored in their original format in a secure file store on the server's local or network-attached storage. Nothing is compressed into a proprietary container. Your data is always extractable by IT without requiring any CERF application involvement.
  • SMB 2/3 network file links — CERF can link to large files stored on external SMB file servers without copying them into the CERF file store, enabling integration with existing bulk storage infrastructure.

Deploy Where Your Security Policy Requires

CERF supports three deployment models — cloud, on-premise, and sealed LAN — and is indifferent to which you choose. The application has no awareness of whether it is running on a cloud instance or a physical server in a basement. There is no "cloud edition" with extra features and no "enterprise tier" required to unlock on-premise deployment.

For organizations with strict data sovereignty requirements, CERF's sealed LAN deployment is the correct choice: the server has no required internet connectivity, holds no external license, and makes no outbound calls. Your data stays within your network perimeter, indefinitely.

For organizations that want Lab-Ally to handle hosting entirely, a managed AWS instance is available — giving you a fully supported, maintained server with none of the infrastructure burden on your team.

Enterprise Security Without Enterprise Complexity

CERF's security architecture is designed for regulated environments — environments where "we trust everyone on the network" is not an acceptable security model. Access controls are enforced at every layer: network, application, workgroup, and individual record.

All client-server communication can be encrypted using HTTPS/TLS (SHA256 with RSA 2048). CERF supports LDAP integration, allowing organizations to authenticate users against their existing Active Directory or LDAP directory — eliminating the need to maintain a separate credential store and ensuring that user provisioning and deprovisioning follow your existing identity management processes.

CERF 6 adds optional TOTP multi-factor authentication for both the desktop client and the Automaton data ingestion tool, compatible with Google Authenticator, Microsoft Authenticator, and Bitwarden. MFA can be enforced selectively by administrators using Business Policy controls.

  • HTTPS/TLS encryption in flight — SHA256 with RSA 2048. Strongly recommended for any deployment that is not fully isolated. Lab-Ally discusses TLS configuration during the pre-install call.
  • LDAP / Active Directory integration — authenticate CERF users against your existing LDAP directory or Active Directory, eliminating a separate credential store and ensuring deprovisioning follows your existing identity management workflows.
  • TOTP multi-factor authentication — optional, administrator-enforced MFA for all user logins and Automaton sessions. Compatible with Google Authenticator, Microsoft Authenticator, and Bitwarden.
  • Nine role-based access levels — from Read Only through Annotator, Editor, Manager, and System Administrator, enforced at the workgroup level and down to individual records. Unauthorized users cannot see that a resource exists in search results.
  • Single-session enforcement — a user cannot be logged in from multiple workstations simultaneously. Session tokens are unique and expire on timeout or logout.
  • Configurable account lockout and session timeout — administrator-controlled via Business Policies. Failed login attempts trigger lockout; only an administrator can re-enable a locked account.
  • True PKI digital signatures — CERF uses the U.S. federal government's Digital Signature Algorithm (DSA). Signed records carry a unique MD5 hash cryptographically linked to the record — signatures cannot be transferred, falsified, or retroactively applied.
  • Hash verification on file check-in — CERF 6 cryptographically verifies the hash of every file uploaded to the server, protecting against man-in-the-middle attack vectors between workstation and server.
  • Minimal external port footprint — only two ports need to be open to the network: 61616 (ActiveMQ) and either 8080 (HTTP) or 443 (HTTPS). All other CERF components communicate on localhost only and should never be exposed externally.
  • MySQL on localhost only — the CERF database listens on port 3306 but is configured for local access only. It should not be exposed externally.
  • LibreOffice on localhost only — headless LibreOffice listens on port 8100 for CERF's document conversion requests. Local to the server machine only.
  • LDAP integration — CERF can be configured to authenticate against your existing directory services, integrating CERF user management into your standard identity management workflows.
  • CERF Automaton — code-free instrument integration — monitors designated network folders and automatically ingests files from lab instruments as they are generated. No programming or API work required; configured through a simple interface.
  • Email-to-CERF ingestion — users can send files and email attachments directly into CERF via email. Files arrive attributed to the correct user with automatic metadata extraction. Requires POP3 configuration on the CERF server.
  • SMB 2/3 external file server links — CERF can link to files on existing SMB network shares without physically copying them into the CERF file store.

Minimal Network Footprint, Maximum Compatibility

CERF's network architecture is straightforward: two ports open to the network, everything else bound to localhost. There is no complex mesh of exposed services to secure, no requirement to open database ports across network segments, and no dependency on external DNS, authentication, or processing services.

The CERF server communicates with clients over two configurable ports — 61616 (ActiveMQ) and either 8080 (HTTP) or 443 (HTTPS). The Tomcat web application server and Apache ActiveMQ are the only CERF components that need to be reachable from the network. MySQL and LibreOffice both communicate locally and should be explicitly excluded from external access in your firewall policy.

Integration with existing infrastructure is handled through LDAP for identity management, SMB for external file storage, and the CERF Automaton for automated instrument data ingestion — all configurable without programming.

Windows, Mac, and Linux — All Fully Supported

CERF 6 is the first release to provide full native support across all three major desktop platforms for both the server and the client application. Windows, macOS, and Debian-based Linux workstations (including Ubuntu with GNOME desktop) are all fully supported — enabling seamless collaboration in mixed-platform environments without any platform-specific feature gaps.

The CERF desktop client is a Java Swing application that connects to the CERF server via HTTP or HTTPS on your designated port. It requires no browser dependency, no browser version management, and no web proxy configuration for standard deployments. Client updates are managed through the application itself and do not require IT involvement.

The CERF Web Administration Client is a lightweight browser-based interface for server administration tasks — accessible from any supported browser on the local network without requiring a separate installation.

  • Windows server & client — full support. The CERF server runs as standard Windows services (Tomcat, ActiveMQ, MySQL), managed via the Windows Services panel or Task Manager. The Windows client installer is now delivered as a modern .MSI package in CERF 6.
  • macOS server & client — full support. Tomcat and ActiveMQ are controlled via shell scripts and MySQL via the preference pane.
  • Linux server & client — full support. MySQL is managed as a systemd service on Debian/Ubuntu. Tomcat and ActiveMQ are controlled via shell scripts. The CERF 6 desktop client runs natively on Ubuntu with GNOME desktop — new in CERF 6.
  • Web Administration Client — browser-based, accessible from any supported browser on your local network. Used for user account management, workgroup setup, and server configuration tasks.
  • Mixed-platform environments — Windows, Mac, and Linux users work together within the same CERF system seamlessly. No platform-specific feature gaps or access restrictions.
  • No browser dependency for end users — the CERF desktop client is a standalone application. End users do not need a specific browser version, and client behaviour is not affected by browser updates.
  • Lab-Ally installs the server — a Lab-Ally technician performs the installation remotely via Zoom (or similar) screen-sharing. Your technical team grants access and makes decisions about local network configuration; Lab-Ally handles the rest.
  • Pre-install technical call — before installation, Lab-Ally discusses deployment options, verifies server hardware configuration, records the server MAC address (required for license generation), clarifies network requirements, and reviews the backup strategy.
  • Installation Verification Test — Lab-Ally runs the CERF Installation Verification Test after every install to confirm all major functionality is present before handing over to your administrator.
  • Dedicated server host recommended — Lab-Ally recommends that the CERF server be a dedicated host. Running other applications on the same machine as CERF can cause conflicts that are outside Lab-Ally's support scope.
  • Backup strategy guidance included — Lab-Ally provides guidance on backup procedures for both the CERF database and the file store during the installation process. The customer is responsible for verifying ongoing backup completion.
  • Minimal ongoing IT maintenance — once deployed, CERF requires very little day-to-day IT attention. Server start/stop is straightforward; log files are in standard locations; and database and file store backup follows your existing procedures.
  • Component updates are coordinated — do not update Java, MySQL, the operating system, or other CERF server components without first consulting Lab-Ally. Lab-Ally coordinates all component updates to ensure compatibility and will make a full backup before any update.

Low IT Burden from Day One

Lab-Ally performs all CERF server installations remotely. Your IT team does not need to work through an installation guide or resolve configuration problems independently — a Lab-Ally technician handles the full installation process via Zoom (or similar) screen-sharing, with a member of your technical team available to grant access and make local network decisions.

Once installed, CERF requires minimal ongoing IT involvement. The application runs as standard system services, logs to standard locations, and backs up via standard database and file system backup tools. There is no background agent phoning home, no automatic update process that runs without your knowledge, and no external dependency that can silently change.

How a typical installation works: Lab-Ally schedules a remote session via Zoom. A member of your technical team grants screen-sharing access. Lab-Ally installs and configures all components, runs the Installation Verification Test, configures SMTP and email settings if required, and provides a quick-start orientation for your CERF Administrator — typically in a single session of two to four hours.

No Forced Updates. No Forced Subscriptions.

CERF is available with a perpetual license — a one-time purchase that gives your organization permanent, unconditional access to your CERF system and all your data, regardless of any future changes in your relationship with Lab-Ally. Annual subscription licensing is also available for organizations that prefer predictable operating expenditure.

Software updates are released approximately twice per year and are included in the standard support package. Updates are not automatic and are not forced — your organization decides when to apply them, in coordination with Lab-Ally. If an update is applied, Lab-Ally performs a full backup first and coordinates the process.

CERF has been in continuous production use for more than 20 years, built on open-source components specifically selected for long-term technological stability. While other ELN products have been acquired, sunset, or migrated to new architectures that broke existing deployments, CERF installations have continued to run on their original infrastructure.

  • Perpetual license option — a one-time purchase. Your system continues to operate indefinitely — even on a sealed LAN with no internet access — regardless of changes in your vendor relationship. If Lab-Ally is ever discontinued, your system keeps running.
  • Annual subscription option — for organizations that prefer OPEX over CAPEX. All software updates included.
  • Updates are optional and coordinated — approximately two per year. Never automatic. Lab-Ally coordinates every update, makes a full backup first, and validates the result.
  • Open-source components only — no component depends on a proprietary runtime, external license server, or hosted service that could be deprecated, acquired, or discontinued.
  • Native file storage — data always recoverable — files are stored in their original format in a secure file store on your infrastructure. Even if the CERF application itself were unavailable, your IT team could extract all data files directly from the file store.
  • Lightweight database — the CERF SQL database rarely exceeds 10 GB even after years of active use. It does not grow unpredictably and does not require dedicated DBA resources to maintain.
  • Freeze your validated installation — organizations in regulated environments can elect not to apply updates after initial validation, keeping their installation at a fixed, validated version indefinitely. CERF continues to operate normally on a frozen version — there is no built-in expiry or forced update mechanism.
  • Perpetual license + freeze = permanent validated system — with a perpetual license and a frozen installation, your validated CERF system operates indefinitely, at zero additional cost, with no re-validation burden triggered by vendor-imposed updates.
  • IQ/OQ validation support — Lab-Ally and qualified third-party validation specialists provide Installation Qualification and Operational Qualification documentation and services. CERF is designed to be validated in your specific deployment environment — the only defensible approach under 21 CFR Part 11.
  • Updates re-validated before deployment — when your organization elects to apply an update, Lab-Ally coordinates the process and can provide updated IQ/OQ documentation for your re-validation activities.
  • No automatic component updates — CERF does not automatically update Java, Tomcat, MySQL, or any other component. All component changes are coordinated with Lab-Ally and are under your control.
  • 21 CFR Part 11 full compliance — CERF's immutable audit trail, PKI digital signatures, configurable signature workflows, and access controls satisfy the requirements of 21 CFR Part 11. Full compliance documentation is available at cerf-notebook.com/resources/21-cfr-11-compliant-eln/

Freeze Your Validated Installation. Forever if Needed.

For IT teams in regulated environments, one of the most significant hidden costs of ELN ownership is re-validation after vendor-imposed software updates. CERF eliminates this problem: updates are never automatic, never forced, and never required to keep the system running.

Organizations that have validated their CERF installation under 21 CFR Part 11 can elect to freeze it at that version indefinitely. Combined with a perpetual license, this means a validated CERF system can operate forever — on your infrastructure, under your control — with no re-validation burden and no ongoing vendor dependency.

Lab-Ally and qualified third-party validation specialists provide IQ/OQ documentation and services for new installations and for organizations updating from a previously validated version. CERF is designed to be validated in your specific deployment environment — the only approach that is truly defensible under 21 CFR Part 11.

Component & Network Port Reference

The following tables summarise the software components installed by Lab-Ally during a CERF 6 deployment, and the network ports required for operation. Share these with your network team and security reviewers before installation.

Software Components — CERF 6

| Component | Version / Notes |
|---|---|
| Java (JDK) | Java 25 — Eclipse Temurin recommended (NEW) |
| Apache Tomcat | Tomcat 11 — bundled, no separate install (NEW) |
| Database (default) | MySQL 9 (NEW) |
| Database (alt.) | MariaDB · PostgreSQL · SQL Server · Oracle |
| Apache ActiveMQ | ActiveMQ Classic 6.x — bundled (NEW) |
| LibreOffice | Headless, managed by CERF |
| CERF Server App | WAR deployed within Tomcat |
| CERF Desktop Client | Windows (.MSI) · macOS · Linux (Ubuntu with GNOME) (NEW) |
| CERF Web Admin | Browser-based — no installation required |
| Server License | Cryptographic file — tied to server MAC address |

Network Port Requirements

| Port | Purpose & Exposure |
|---|---|
| 8080 | CERF HTTP client-server traffic. Open to network. Can be changed to any available port. |
| 443 | HTTPS/TLS — strongly recommended for any non-isolated network. Open to network. |
| 61616 | Apache ActiveMQ broker — internal CERF messaging only. Open to network. |
| 8100 | LibreOffice headless service — document conversion. Localhost only — do not expose externally. |
| 3306 | MySQL database — default configuration. Localhost only — do not expose externally. |

Only port 61616 and either 8080 or 443 need to be open to the network. LibreOffice and MySQL communicate on localhost only and must not be externally exposed. Lab-Ally reviews firewall requirements during the pre-installation call.
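One way for a security reviewer to check the bind addresses in the port table on a Linux CERF server, as an added example that is not Lab-Ally's code. It assumes `ss -H -ltn` output; the sample lines and the VIOLATION/REVIEW labels are constructed for illustration.

```python
import ipaddress
import shutil
import subprocess

# From the page's port table: True = may be open to the network,
# False = localhost only (LibreOffice 8100, MySQL 3306).
POLICY = {8080: True, 443: True, 61616: True, 8100: False, 3306: False}

# Constructed sample of `ss -H -ltn` output (not from a real CERF server).
SAMPLE = """\
LISTEN 0 151   127.0.0.1:3306    0.0.0.0:*
LISTEN 0 128     0.0.0.0:8100    0.0.0.0:*
LISTEN 0 100           *:8080          *:*
LISTEN 0 4096       [::]:61616      [::]:*
LISTEN 0 128     0.0.0.0:22      0.0.0.0:*
"""

def split_local(local):
    """Split the 'Local Address:Port' column; handles *:p, [::1]:p, addr%iface:p."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    """True only for loopback binds, including IPv4-mapped IPv6 (::ffff:127.0.0.1)."""
    if host == "*":  # wildcard: every interface
        return False
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)  # None for IPv4 and plain IPv6
    return (mapped or addr).is_loopback

def audit(ss_output):
    """Return sorted (port, host, verdict) tuples for listeners needing attention.

    VIOLATION: a localhost-only port from the table is bound to a non-loopback
               address.
    REVIEW:    a non-loopback listener on a port the table does not mention.
    """
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if is_loopback(host) or POLICY.get(port) is True:
            continue  # loopback bind, or a port the table allows on the network
        verdict = "VIOLATION" if port in POLICY else "REVIEW"
        findings.add((port, host, verdict))
    return sorted(findings)

if __name__ == "__main__":
    # Use live data when ss is available, otherwise the constructed sample.
    text = (subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                           text=True).stdout
            if shutil.which("ss") else SAMPLE)
    for port, host, verdict in audit(text):
        print(f"{verdict:9} port {port} listening on {host}")
```

A clean result covers bind addresses only; the firewall exclusions for 3306 and 8100 described above remain a separate control.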

Ready to Evaluate CERF for Your Environment?

Talk to a Lab-Ally technician about your deployment requirements, network environment, and security policies. We can walk you through a live server demonstration and answer your IT team's technical questions directly.

Lab-Ally LLC · Columbus, Ohio · +1 (614) 407-4547 · cerf-notebook.com