diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh
index c600657..464b0e1 100644
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@@ -17,17 +17,18 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 chmod g+r /tmp/bridgehead/opal-key.pem
 fi
 mkdir -p /tmp/bridgehead/opal-map
- jq -n '{"sites": input | map({
+ sites="$(cat ./$PROJECT/modules/datashield-mappings.json)"
+ echo "$sites" | docker_jq -n --args '{"sites": input | map({
 "name": .,
 "id": .,
 "virtualhost": "\(.):443",
 "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
- })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json
- jq -n '[{
+ })}' $sites > /tmp/bridgehead/opal-map/central.json
+ echo "$sites" | docker_jq -n --args '[{
 "external": "'"$SITE_ID"':443",
 "internal": "opal:8443",
 "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
- }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json
- chown -R bridgehead:docker /tmp/bridgehead/
+ }]' > /tmp/bridgehead/opal-map/local.json
+ chown -R bridgehead:docker /tmp/bridgehead/*
 add_private_oidc_redirect_url "/opal/*"
 fi
diff --git a/lib/functions.sh b/lib/functions.sh
index c098cf4..b54ceec 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -345,3 +345,7 @@ generate_simple_password(){
 local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
 echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
 }
+
+docker_jq() {
+ docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:1.7 "$@"
+}
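Review bot: On the new `})}' $sites > /tmp/bridgehead/opal-map/central.json` line the unquoted `$sites` expands the whole mappings file on the host, so its contents are word-split and glob-expanded and handed to `docker run` as extra arguments, while the filter only reads `input` from stdin and the second call already omits it. I would make the two calls agree and drop the unused `--args`, i.e. `echo "$sites" | docker_jq -n '{"sites": input | map({` closing with `})}' > /tmp/bridgehead/opal-map/central.json`. Separately, `chown -R bridgehead:docker /tmp/bridgehead/*` no longer touches the directory itself or any dotfiles in it; if that is intended, a short comment saying why would help, since the directory also holds `opal-key.pem`. The enclosing `if` block starts above this hunk.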
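Review bot: `docker_jq` runs `jq:1.7` by mutable tag with default container settings, although it only needs stdin and stdout. Pinning the image by digest and cutting network access would narrow what a replaced image could do when the setup scripts run it, e.g. `docker run --rm -i --network none docker.verbis.dkfz.de/cache/jqlang/jq:1.7@sha256:<digest-placeholder> "$@"`. A header comment is also worth adding: `# Runs jq in a container; input must come from stdin, because no host paths are mounted and file arguments will not resolve.` Whether callers handle a failed pull or an unreachable registry is not visible from this hunk.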