Custom Configurations for the In-Memory DB (OLAP)

The In-Memory DB (OLAP) can be configured in many ways to optimize performance. The table below describes the currently available settings.

On-premises customers can customize their Jedox instance with the palo.ini configuration file. These parameters can also be used as command line parameters for the In-Memory Database binary: palo.exe for Windows and "palo" for Linux.

The Palo parameters have a short and a long form. On the command line, the short form has one dash (-) in front; the long form has two dashes (- -) in front. Examples: palo -? / palo - -help. The table below lists the parameters in alphabetical order by long form.

Palo.exe gets these parameters as command line arguments and/or via the palo.ini file. Note: any changes made to the palo.ini file require restarting the OLAP service.

Please see Order of command execution at the end of this document. You can find descriptions and examples of how to use parameters in the palo.ini sample file, located in …\Jedox Suite\olap\data\palo.ini.sample.

Long form

Short form

Argument(s)

Description / Example(s)

Default value

add-new-databases

D

Tries to add directories with OLAP database automatically and adds them to palo.csv.
On/off switch.

True

admin

a

<address> <port>

Http interface with server browser and online documentation. An address can be a server name, an internet address or "" for all server internet addresses.
Port is a number:
admin 192.168.1.2 7777
admin localhost 7770
admin "" 7780

audit

1

See KB article Audit Information

Disabled

audit-blocksize

{

<number> Maximum number of rows returned for simple audit mode

auto-commit

B

Commits all changes on server shutdown.
On/off switch.

True

auto-load

A

Loads all databases on server start into memory which are defined in the palo.csv. On/off switch.

True

autosave-interval x integer, minimum 5, maximum 1440 If set, defines the interval (in minutes) in which automatic autosave runs. If not set, default interval of 5 minutes is used. 5

cache-barrier

b

<max number
of cells to store
in each cube cache>

Sets the max number of cells to store in each cube cache.
cache-barrier 150000000
cache-barrier 0 (sets cache-barrier to 0).

100000000

cross-origin

g

<domain_name>

crypt

c

Turns on encrypting of the database files. Newly saved files are encrypted if this is set using the AES-256-CBC algorithm. On/off switch.

Note: If "crypt" is enabled,
- it is not possible to set the log-level of OLAP Server to "trace" or "debug". Both log levels could make the log file contain information about database contents, and since log files are always readable, this would conflict with the purpose of the "crypt" option.
- it is not possible to enable the "audit" option in palo.ini. The data storage for audit information currently cannot be encrypted, and so that storage would again contain readable data information which would conflict with the purpose of the "crypt" option.

For decryption, just remove crypt from palo.ini and on next "save" the database files will be decrypted, i.e. if a value is written to a cube, it will be decrypted (with all its files). It will not be automatically decrypted. Don't remove crypt-key otherwise it won't be possible to load encrypted files. Remove the crypt-key after you're sure that everything was decrypted.

Procedure to decrypt all databases:
- remove crypt from palo.ini
- restart OLAP service
- use Jedox example (ETL-Tools) "Database Copy"
- copy all databases
- everything will be back to decrypted status

False

crypt-key

k

<passphrase for crypting csv files>

Sets pass phrase used for encrypting/decrypting of the database files.
It is used also for decrypting, so it has to be set if there are any encrypted files in the database (even when encrypting is off ). AES-256-CBC algorithm supports keys of up to 256 bytes in length.

Empty string

default-db-right

R

<right value>

Default value for database access rights.
Possible values: N, R, W, D.

D

defaults-directory

<directory_path>

Specifies the path to the directory where some files for OLAP server are stored. The default directory (../defaults) contains a directory called subsets, which contains database script files that are used to generate default subsets for a dimension.

Note: when the OLAP API function /dimension/create is called with parameter mode=1, then not only is a dimension created, but the OLAP server will also execute all database scripts from the subsets directory, if it exists in the directory indicated by defaults-directory palo.ini key.

../defaults

device

j

<bus_id0>.<device_id0>
<bus_id1>.<device_id1> ...

All available devices

Empty vector

dimension-file-format

Possible values:

-legacy
-binary

Legacy: dimensions are saved to database.csv

Binary: dimensions are saved to database_DIM_*.csv and database_DIM_*.bin (if available), similar to cube save/load.

Note: dimensions that have been saved as binary files are not portable between Linux and Windows.

legacy

disable-dump

 

 

Disables the Breakpad crash handler in order to "fall back" to the OS crash handler. Disabling Breakpad results in a WARNING log entry, as it removes the possibility of sending crash reports (via Sentry). (49069)

Enabled

disable-request-logging

Allows you to control the flight recorder file (requests.txt in the data directory). When set in palo.ini, no requests.txt file is created or updated. FALSE

dump-upload

G

On/off switch.

Disabled

dump-upload-desc

3

<description>

""

dump-upload-reporter

2

<email-address>

""

enable-drillthrough

y

Enables cell drillthrough.
On/off switch.

False

enable-gpu

P

On/off switch.

False

enable-hash-login     Enables login with hashed form of password parameter. Disabled

enable-password-retrieval

Enables reading password hashes from OLAP System database FALSE

enable-profiling

4

On/off switch.

False

encryption

X

<encryption-type>
possible values:
-none
-optional
-required

Sets the encryption type.
If optional is selected, then you can use HTTPS. If required is selected, then only /server/info will function unencrypted. All other functions require an HTTPS connection. If encryption is turned on, TLS 1.2 is used for communication.

None

engine-configuration

N

[M][S][1][E]

M - force engine to use Marker Driven Engine for rules with markers (5.1 algorithm)
S - force engine to use statically created markers
1 - single core calculation
E - suppress rule error propagation across consolidation

extensions

E

<directory>

../Modules

failed-login-threshold

<count>

Starts login delay when failed attempts count for username exceeds this value.

10

goalseek-limit

Z

<number_of_cells>

Goalseek algorithm can be executed on slices with maximum <number_of_cells>.

1000

goalseek-timeout

z

<milliseconds>

Algorithm must complete within <familliseconds>.

10000

gpu-frame-size

7

<number>

Size of GPU computation frame in megabytes

gzip

[

<level>

Level values: 0-9
0 - no compression
1 - fastest compression
9 - smallest gzip size

Disabled

http

h

<address> <port>

Examples for http interface:
http "" 7777
http "" 7779
http localhost 7779
See description of admin parameter above.

https

H

<port>

Sets https connection port:
https 7778

init-file

i

<init-file>

Only for command line.

palo.ini

journal-flush-interval    

Flushing of data prevents possible data loss following unexpected events, such as a power outage. This key sets an interval of 1-300 seconds, after which journal data will be flushed to the file system.

Values:
0 = flush always
1-300 = flush at intervals of 1-300 seconds
disabled = no flushing

Examples:
journal-flush-interval 0
journal-flush-interval disabled

1

key-files

K

<ca> <private> <dh>

Empty vector

load-init-file

n

Only for command line.
On/off switch.

True

log

o

log sink=- verbose=<level>
log sink=+ verbose=<level>
log sink=<path_to_file>/palo.log
log sink=syslog address=<address:port> facility=<facility> verbose=<level>
log verbose=<level>

Example: log sink=../log/olap_server.log verbose=info

For details on log levels and parameters, see Log Files in Jedox.

ink=-

maximum-return-cells

l

<number>

Sets a maximum limit for cells return from an area call:
maximum-return-cells 10000

100000

no-archives

<

Turns off saving of .archive files for cubes.

no-csv-save

J

Turns off saving of CSV files for cubes whenever possible. Only BIN files are saved. Reduces time needed for saving.

False

no-csv-save-dim

Dimensions are saved only to database_DIM_*.bin files, NOT to database_DIM_*.csv. Behavior is similar to no_csv_save for cubes.

no-checksum

 

 

Disables checksum validation of binary database files.

 

ntlm_auth

(

<path to ntlm_auth
with helper arguments>

"/usr/bin/ntlm_auth
--helper-protocol
=gss-spnego"

password

p

<private-password>

On/off switch.

password-pattern

<regular expression>

Regular expression used for checking password complexity when the password is changed (or a password is assigned to a new user), to enforce password complexity.
e.g. (?=........+)(?=.*[a-z].*)(?=.*[A-Z].*)(.*[0-9@#$%].*) defines:
the password has to be at least 8 characters long and it has to contain at least one uppercase, one lowercase character and one digit or special symbol from '@#$%'

When multiple password patterns are defined, the last one has priority.

empty string

profile-interval

5

<seconds>

60

profile-log

sink=syslog address=<address:port> facility=<facility>

If profiling is enabled, it specifies the address and port of syslog server and the facility of messages
'address' parameter is optional with the default value localhost:5556
'facility' parameter is optional with default value 0 (kern)
profile-log sink=syslog address=localhost:5556 facility=0

saml-authentication

Enables SAML authentication mode

saml-authorization

Enables saml-authorization mode

saml-certificate

<path to certificate> Certificate is published in metadata so identity provider can verify the signature or use it to encrypt its responses.
saml-digest-algorithm Hashing algorithm for signing. http://www.w3.org/2001/04/xmlenc#sha256 saml-digest-algorithm
saml-embed-signature Embeds SAML request signature inside XML message instead of using it as GET parameter as defined by SAML Redirect standard. saml-embed-signature

saml-encrypt-login

Enables encrypting of SAML login requests

saml-encrypt-logout

Enables encrypting of SAML logout requests

saml-force-authn

 

 

If the key is defined in palo.ini, the identity provider must authenticate the presenter directly rather than rely on a previous security context.

False

saml-idp-metadata

<url>

IdP metadata XML url

If metadata is distributed as a file, or server is restricted from accessing the internet, use file://<filepath>.

empty string

saml-nameidpolicy

<NameID policy>

SAML NameID policy Empty/omitted

saml-privatekey

<path to private key>

Private key is used to sign requests (if enabled by saml-sign-login) and decrypt responses from identity provider.

saml-sign-login

Enables signing the SAML login requests

saml-sign-logout

Enables signing the SAML logout requests

saml-signature-algorithm

<algorithm type>

Algorithm used for SAML signatures http://www.w3.org/2000/09/xmldsig#rsa-sha1

saml-use-logout

Enables SAML IdP logout

session-timeout

M

<seconds>

Specifies the idle time after which the session is closed:
session-timeout 3600

-1 (300s)

splash-limit

L

<error>

<warning>

<info>

<bulk error>

<bytes>

Splashing limits in megabytes:

Generates an error if splashing requires more space than the first number.

Generates a warning entry if splashing requires more space than the second number.

Generates an info entry if splashing requires more space than the third number.

Generates an error if splashing operations in a bulk request require in total more space than the fourth number.

“Bulk” requests are those where multiple values (cells) are changed in a single request. PALO.SETDATA_BULK() function uses this, but also ETL cube loads. In previous versions, the check was executed for each single value change in the bulk request. This new value will additionally check the overall memory requirement for the whole bulk.

Without a change of the default value (empty or 0) the overall memory requirement for the whole bulk will not be checked.

The fifth number is an estimation of the memory used for one cell in bytes.The used default value is 16 (entry: empty or 16).

This value influences how the memory consumption of values is calculated, i.e. how much memory OLAP assumes for individual base cell values. The previously used value was hardcoded to 16 bytes; this value may be too low in reality. It can now be changed via this value. A higher value (e.g. 32) will increase the assumed memory for splashing operations and the value of number four will be exceeded earlier.

Example: splash-limit 2000 1000 200 8000 32

1000, 500, 100

ssl-ciphers

<list of SSL ciphers>

List of allowed ssl ciphers
Example: HIGH:!ADH:!EDH:!DHE:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!kRSA

system-restore

 

 

New fresh System DB is created when System database.csv file is missing.

Disabled

template-directory

t

<directory>

Directory of online documentation:
template-directory Binary/Api.

../Api

trace

T

<logname>

Enables trace logging. Once enabled, a trace log file will be created in the olap/data directory for each opened port per startup (note: you can specify just the filename for the data folder - thus it will be saved in the olap/data directory - or a full path to another directory, such as /full/path/traceFolder/<logname>).

Empty string

undo-file-size

u

<number of
bytes per lock>

In a locked cube area it is possible to undo changes. Each lock can use <number of bytes per lock> bytes in files for storing changes:
undo-file-size 100000000

50 * 1024 * 1024

undo-memory-size

m

<number of bytes per lock>

In a locked cube area it is possible to undo changes. Each lock can use <number of bytes per lock> bytes in memory for storing changes:
undo-memory-size 10000000

10 * 1024 * 1024

use-cube-worker

Y

Uses cube worker.
Can react on cell value changes.
On/off switch.

False

use-dimension-worker

W

Uses dimension worker. Can react on creation, deletion, and renaming of an element in a specified dimension.
On/off switch.

False

use-new-subset-def

 

 

Converts existing subsets to View XML schema upon database load.

 

verbose

v

<level>

Log levels:
error, warning, info, debug, trace

If no value has been set, then error is the default value.

Error

wbinfo

)

<path to wbinfo>

"/usr/bin/wbinfo"

windows-sso

e

Enables Windows SSO authentication.
On/off switch.

False

windows-sso-authentication

}

windows-sso-ignore-groups

Disables group fetching in authentication mode (i.e., when windows-sso-authentication is active). Can speed up authentication process when users are assigned to many groups.

When activated, arrays with group names are not retrieved from AD, so SVS authentication script receives empty array with group names.

worker

w

<worker-executable>
<argument1>
<argument2>
<argumentX>

worker /usr/bin/php5 /
home/palo/worker.php

Empty string
empty vector

worker-pool-init-size

Sets the initial size of the SVS worker pool for all OLAP operations.

worker-pool-init-size 5

1

worker-pool-max-size

Sets the maximum size of the SVS worker pool for all OLAP operations. Introduces a maximum on the number of parallel activities involving SVS, such as parallel writebacks through SVS.

worker-pool-max-size 32

32

workerlogin

x

<worker-login-type>

Uses a worker for login
Possible values:
-information
-authentication
-authorization
Example: workerlogin authorization

The workerlogin parameter has one additional argument. If you supply workerlogin on the command line and in the configuration file, then the value supplied in the configuration will be taken. If the http option is supplied for port A on the command line and for port B in the configuration file, then both ports A and B are used.

None

zip-backup

]

<level>

Level values: 0-9
0 - no compression
1 - fastest compression
9 - smallest zip size

The following values are possible for <facility> (code or keyword)

Code Keyword
0 kern
1 user
2 mail
3 daemon
4 auth
5 syslog
6 lpr
7 news
8 uucp
9 cron
10 authpriv
11 ftp
12 ntp
13 security
14 console
15 solaris-cron
16-23 local0...local7

Order of command execution

A comment starts with a "#" sign in palo.ini. The command line arguments are evaluated first, and the file palo.ini is evaluated after the command line arguments have been processed. If you start palo with -n or - -load-init-file on the command line, then the init file is not read. The load-init-file option is ignored if given in the configuration file. Parameters without additional parameters like "auto-load" or "auto-commit" toggle a state from "true" to "false" and vice versa. You can declare a "toggle" parameter more than once.

If additional parameters like "worker" or "workerlogin" are given more than once on the command line or the configuration file, then only the last definition is valid, with the exception of the parameters "admin" and "http", which are treated specially. All the definitions supplied on the command line and in the init file are used. For example, the default of "add-new-database" is true (see palo -?). If you supply - -add-new-database on the command line but not in the configuration file, then the option will be set to false. If you supply add-new-database in the configuration file but not on the command line then the option will also be set to false. If you supply - -add-new-database on the command line and in the configuration file, then the option will be true again, as it is toggled twice.

The option "workerlogin" has one additional argument. If you supply workerlogin on the command line and in the configuration file, then the value supplied in the configuration will be taken. If the http option is supplied for port A on the command line and for port B in the configuration file, then both ports A and B are used.

Updated June 5, 2023