diff --git a/.github/integration-test/docker-compose.yml b/.github/integration-test/docker-compose.yml
index 95388135..2233ece8 100644
--- a/.github/integration-test/docker-compose.yml
+++ b/.github/integration-test/docker-compose.yml
@@ -8,6 +8,7 @@ services:
 depends_on:
 - dataportal-postgres
 environment:
+ JAVA_OPTS: ""
 QUERYRESULT_PUBLIC_KEY: "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"
 # ----- app
 QUERY_VALIDATION_ENABLED: "true"
diff --git a/Dockerfile b/Dockerfile
index 4d5db517..8ba54d48 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM eclipse-temurin:22-jre@sha256:26bd835ee107ae775d85f1ff8c55abc799f514fb4201e65981857041d18826c1
+FROM eclipse-temurin:22-jre-alpine@sha256:d8ac5f15b7dc0a91bdfb89422f900383469e5de12dcce3949f145d713f455b34
 WORKDIR /opt/dataportal-backend
@@ -15,12 +15,14 @@ ENV TRUSTSTORE_FILE=self-signed-truststore.jks
 RUN mkdir logging && \
 mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH && \
 chown -R 10001:10001 /opt/dataportal-backend && \
- chown 10001:10001 $CERTIFICATE_PATH $TRUSTSTORE_PATH
+ chown 10001:10001 $CERTIFICATE_PATH $TRUSTSTORE_PATH && \
+ apk --no-cache add curl bash
 USER 10001
 HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:8090/actuator/health || exit 1
 COPY ./target/*.jar ./dataportal-backend.jar
 COPY ontology ontology
+COPY ./docker-entrypoint.sh /
-ENTRYPOINT ["exec", "java", "$JAVA_OPTS" , "-jar", "dataportal-backend.jar"]
\ No newline at end of file
+ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index df4835e0..e05d96ab 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,6 @@ services:
 dataportal-backend:
 container_name: dataportal-backend
 restart: unless-stopped
- build: .
 ports:
 - ${DATAPORTAL_BACKEND_PORT:-127.0.0.1:8091}:8090
 depends_on:
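Review bot: The image still defines `ENV TRUSTSTORE_FILE=self-signed-truststore.jks` (hunk header) and creates `$TRUSTSTORE_PATH` in the RUN step, but the script installed by `COPY ./docker-entrypoint.sh /` hardcodes `/opt/dataportal-backend/truststore/self-signed-truststore.jks` and overwrites `TRUSTSTORE_FILE` with that full path, so the Dockerfile variables and the script can drift apart without any error. Let the script derive the location from the image's own variables, `TRUSTSTORE_FILE="${TRUSTSTORE_PATH}/${TRUSTSTORE_FILE}"`, or remove the ENV values that nothing consumes any more (the `ENV TRUSTSTORE_PATH` line itself is outside this hunk, so its value is assumed). The `apk --no-cache add curl bash` line is what makes the `HEALTHCHECK` curl and the bash-only entrypoint work on the alpine base; a comment above it, `# curl: HEALTHCHECK; bash: docker-entrypoint.sh needs arrays and [[ ]]`, would stop the packages being trimmed later as "unused".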
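Review bot: Removing `build: .` leaves the dataportal-backend service with no visible source for its image in this hunk; unless an `image:` key exists further down in the service definition (outside the hunk), compose will reject the service, and in either case `docker compose up` no longer rebuilds the image after changes to the Dockerfile or the new entrypoint. A comment next to the service stating the intended workflow, `# image is pulled, not built; run docker build -t <image> . first for local changes` (with the real image name), would make that explicit for contributors.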
@@ -13,7 +12,7 @@ services:
 init-elasticsearch:
 condition: service_completed_successfully
 environment:
- USE_SYSTEM_CA_CERTS: 1
+ JAVA_OPTS: ${DATAPORTAL_BACKEND_JAVA_OPTS}
 # ----- app
 QUERY_VALIDATION_ENABLED: ${DATAPORTAL_BACKEND_QUERY_VALIDATION_ENABLED:-true}
 CQL_TRANSLATE_ENABLED: ${DATAPORTAL_BACKEND_CQL_TRANSLATE_ENABLED:-true}
@@ -24,7 +23,7 @@ services:
 ONTOLOGY_ORDER: ${DATAPORTAL_BACKEND_ONTOLOGY_ORDER:-"Diagnose, Prozedur, Person, Laboruntersuchung, Medikamentenverabreichung, Bioprobe, Einwilligung"}
 MAX_SAVED_QUERIES_PER_USER: ${DATAPORTAL_BACKEND_MAX_SAVED_QUERIES_PER_USER:-100}
 # ---- db config
- DATABASE_HOST: ${DATAPORTAL_BACKEND_DATABASE_HOST:-dataportal-backend-db}
+ DATABASE_HOST: ${DATAPORTAL_BACKEND_DATABASE_HOST:-dataportal-postgres}
 DATABASE_PORT: ${DATAPORTAL_BACKEND_DATABASE_PORT:-5432}
 DATABASE_USER: ${DATAPORTAL_BACKEND_DATABASE_USERNAME:-dataportaluser}
 DATABASE_PASSWORD: ${DATAPORTAL_BACKEND_DATABASE_PASSWORD:-dataportalpw}
@@ -32,8 +31,8 @@ services:
 # ---- ontology
 ONTOLOGY_FILES_FOLDER_UI: ${DATAPORTAL_BACKEND_ONTOLOGY_FILES_FOLDER:-/opt/dataportal-backend/ontology}
 ONTOLOGY_DB_MIGRATION_FOLDER: ${DATAPORTAL_BACKEND_ONTOLOGY_DB_MIGRATION_FOLDER:-/opt/dataportal-backend/ontology/migration}
- MAPPINGS_FILE: ${DATAPORTAL_BACKEND_ONTOLOGY_FILES_FOLDER:-/opt/dataportal-backend/ontology}/codex-term-code-mapping.json
- CONCEPT_TREE_FILE: ${DATAPORTAL_BACKEND_ONTOLOGY_FILES_FOLDER:-/opt/dataportal-backend/ontology}/codex-code-tree.json
+ MAPPINGS_FILE: ${DATAPORTAL_BACKEND_ONTOLOGY_FILES_FOLDER:-/opt/dataportal-backend/ontology}/mapping_cql.json
+ CONCEPT_TREE_FILE: ${DATAPORTAL_BACKEND_ONTOLOGY_FILES_FOLDER:-/opt/dataportal-backend/ontology}/mapping_tree.json
 # ---- auth
 KEYCLOAK_ENABLED: ${DATAPORTAL_BACKEND_KEYCLOAK_ENABLED:-true}
 KEYCLOAK_BASE_URL: ${DATAPORTAL_BACKEND_KEYCLOAK_BASE_URL:-http://keycloak:8080}
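Review bot: `JAVA_OPTS: ${DATAPORTAL_BACKEND_JAVA_OPTS}` is the only entry in this environment block without a default, so compose prints an "unset variable" warning on every start and substitutes an empty string; `JAVA_OPTS: ${DATAPORTAL_BACKEND_JAVA_OPTS:-}` follows the file's convention and matches the explicit `""` used in the integration-test compose file. Dropping `USE_SYSTEM_CA_CERTS: 1` presumably means the base image no longer imports mounted CAs itself and trust is handled entirely by the new entrypoint; a one-line comment on the `JAVA_OPTS` line such as `# custom CAs are imported by docker-entrypoint.sh from the ./certs mount` would tie the two files together for the next reader.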
@@ -83,21 +82,19 @@ services:
 PRIVACY_QUOTA_READ_DETAILED_OBFUSCATED_INTERVALSECONDS: ${DATAPORTAL_BACKEND_PRIVACY_QUOTA_READ_DETAILED_OBFUSCATED_INTERVALSECONDS:-7200}
 PRIVACY_THRESHOLD_RESULTS: ${DATAPORTAL_BACKEND_PRIVACY_THRESHOLD_RESULTS:-20}
 PRIVACY_THRESHOLD_SITES: ${DATAPORTAL_BACKEND_PRIVACY_THRESHOLD_SITES:-3}
- PRIVACY_THRESHOLD_SITES_RESULT: ${DATAPORTAL_BACKEND_PRIVACY_THRESHOLD_SITES_RESULT}
+ PRIVACY_THRESHOLD_SITES_RESULT: ${DATAPORTAL_BACKEND_PRIVACY_THRESHOLD_SITES_RESULT:-0}
 QUERYRESULT_DISABLE_LOG_FILE_ENCRYPTION: "true"
 # ---- Elastic Search
- ELASTIC_SEARCH_ENABLED: ${DATAPORTAL_BACKEND_ELASTIC_SEARCH_ENABLED}
- ELASTIC_SEARCH_HOST: ${DATAPORTAL_BACKEND_ELASTIC_SEARCH_HOST}
- ELASTIC_SEARCH_FILTER: ${DATAPORTAL_BACKEND_ELASTIC_SEARCH_FILTER}
+ ELASTIC_SEARCH_ENABLED: ${DATAPORTAL_BACKEND_ELASTIC_SEARCH_ENABLED:-true}
+ ELASTIC_SEARCH_HOST: ${DATAPORTAL_BACKEND_ELASTIC_SEARCH_HOST:-dataportal-elastic}
+ ELASTIC_SEARCH_FILTER: ${DATAPORTAL_BACKEND_ELASTIC_SEARCH_FILTER:-context,terminology,kds_module}
 # ---- logging
 LOG_LEVEL_SQL: ${DATAPORTAL_BACKEND_LOG_LEVEL_SQL:-warn}
 LOG_LEVEL: ${DATAPORTAL_BACKEND_LOG_LEVEL:-warn}
 volumes:
- - ${DATAPORTAL_BACKEND_LOCAL_CONCEPT_TREE_PATH:-./ontology/dataportal-code-tree.json}:${DATAPORTAL_BACKEND_ONTOLOGY_FILES_FOLDER:-/opt/dataportal-backend/ontology}/dataportal-code-tree.json
- - ${DATAPORTAL_BACKEND_LOCAL_TERM_CODE_MAPPING_PATH:-./ontology/dataportal-term-code-mapping.json}:${DATAPORTAL_BACKEND_ONTOLOGY_FILES_FOLDER:-/opt/dataportal-backend/ontology}/dataportal-term-code-mapping.json
- - ${DATAPORTAL_BACKEND_DSF_SECURITY_DIR:-/dev/null}:/opt/dataportal-backend/dsf-security/
- - ${DATAPORTAL_BACKEND_ONTOLOGY_DB_MIGRATION_FOLDER:-../ontology/migration}:/opt/dataportal-backend/ontology/migration
- - ${DATAPORTAL_BACKEND_CERTS_DIR:-./certs}:/certificates/
+ - ${DATAPORTAL_BACKEND_CERTS_PATH:-../certs}:/opt/dataportal-security
+ - ./certs:/opt/dataportal-backend/certs
+
 dataportal-postgres:
 container_name: dataportal-postgres
 image: 'postgres:16-alpine'
@@ -135,6 +132,7 @@ services:
 target: /usr/share/elasticsearch/data
 init-elasticsearch:
 image: curlimages/curl:8.8.0
+ container_name: dataportal-elasticsearch-init
 depends_on:
 dataportal-elastic:
 condition: service_healthy
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 00000000..6235bf40
--- /dev/null
+++ b/docker-entrypoint.sh
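Review bot: The new `./certs:/opt/dataportal-backend/certs` mount is read-write although the container only reads `*.pem` files from it (the entrypoint writes its truststore under `/opt/dataportal-backend/truststore`, not into this mount), so a compromised or misbehaving backend could alter the host's CA directory; mount it read-only, `- ./certs:/opt/dataportal-backend/certs:ro`, and the same likely applies to `${DATAPORTAL_BACKEND_CERTS_PATH:-../certs}:/opt/dataportal-security` if nothing in the image writes there. The two mounts also follow different conventions (a variable with a default vs. a hard-coded `./certs`), and only the second one is globbed by the entrypoint, so a comment on that line naming it as the directory the backend imports CAs from would keep users from placing PEMs in the wrong one. With the `ONTOLOGY_DB_MIGRATION_FOLDER` volume gone, the `ONTOLOGY_DB_MIGRATION_FOLDER` env default now points at content that presumably ships in the image via `COPY ontology ontology`; stating that in a comment on the env line would save the next person from re-adding the mount.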
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+TRUSTSTORE_FILE="/opt/dataportal-backend/truststore/self-signed-truststore.jks"
+TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-changeit}
+KEY_PASS=${KEY_PASS:-changeit}
+
+shopt -s nullglob
+IFS=$'\n'
+ca_files=(certs/*.pem)
+
+if [ ! "${#ca_files[@]}" -eq 0 ]; then
+
+ echo "# At least one CA file with extension *.pem found in certs folder -> starting dataportal backend with own CAs"
+
+ if [[ -f "$TRUSTSTORE_FILE" ]]; then
+ echo "## Truststore already exists -> resetting truststore"
+ rm "$TRUSTSTORE_FILE"
+ fi
+
+ keytool -genkey -alias self-signed-truststore -keyalg RSA -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -keypass "$KEY_PASS" -dname "CN=self-signed,OU=self-signed,O=self-signed,L=self-signed,S=self-signed,C=TE"
+ keytool -delete -alias self-signed-truststore -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt
+
+ for filename in "${ca_files[@]}"; do
+
+ echo "### ADDING CERT: $filename"
+ keytool -delete -alias "$filename" -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt > /dev/null 2>&1
+ keytool -importcert -alias "$filename" -file "$filename" -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt
+
+ done
+
+ echo "### JAVA_OPTS is set to $JAVA_OPTS"
+
+ java $JAVA_OPTS -Djavax.net.ssl.trustStore="$TRUSTSTORE_FILE" -Djavax.net.ssl.trustStorePassword="$TRUSTSTORE_PASS" -jar dataportal-backend.jar
+else
+ echo "# No CA *.pem cert files found in /opt/dataportal-backend/certs -> starting dataportal backend without own CAs"
+ echo "### JAVA_OPTS is set to $JAVA_OPTS"
+ java $JAVA_OPTS -jar dataportal-backend.jar
+fi
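Review bot: `IFS=$'\n'` is set globally and never restored, so the unquoted `java $JAVA_OPTS` in both branches word-splits only on newlines; an ordinary value such as `-Xmx1g -Dspring.profiles.active=prod` reaches java as a single argument and the JVM refuses to start. The array assignment `ca_files=(certs/*.pem)` does not depend on IFS (a glob expanded into an array already handles spaces in names), so drop the `IFS=$'\n'` line or restore IFS before the `java` calls. Both launches should also be `exec java ...`: as written bash remains PID 1 and does not forward SIGTERM, so `docker stop` waits for its timeout and kills the JVM rather than letting it shut down cleanly. Add `set -e` after the shebang so a failed `keytool -importcert` (malformed PEM) aborts startup instead of launching with a partial truststore, and then remove the per-file `keytool -delete` in the loop (it always fails on the freshly created store) or append `|| true` to it. Finally, `-Djavax.net.ssl.trustStore` replaces the JDK's cacerts rather than extending it, so once a single PEM is mounted only those CAs are trusted; if the backend also talks to publicly-signed endpoints, import the PEMs into a copy of the JDK cacerts instead, and record that decision in a comment at the top of the script.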