Encrypting Jedox In-Memory DB

Step 1: Encrypting a Standalone Installation

After completing the preceding step, you must make some additional configuration changes for HTTPS:

Make the following changes to config.php:
(standard paths)
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\httpd\app\etc
Linux: /opt/jedox/ps/core-Linux-x86_64/etc/

Change the following lines
define('CFG_PALO_HOST', '127.0.0.1');
define('CFG_TC_HOST', '127.0.0.1');
define('CFG_SSS_HOST', '127.0.0.1');
to:
define('CFG_PALO_HOST', 'www.example.com');
define('CFG_TC_HOST', 'www.example.com');
define('CFG_SSS_HOST', 'www.example.com');

The host name must be the one the server certificate was issued for: a certificate issued for www.example.com will not validate for a connection addressed to 127.0.0.1 unless the certificate also lists that IP address.

Then, make the following change to Apache PHP by adding this entry in php.ini:
(standard paths)
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\httpd\php
Linux: /opt/jedox/ps/etc/

jedox.phppalo.trust_file="<path to certificate>"

To encrypt the Jedox In-Memory DB, the connections to the following components must be configured:

  • Spreadsheet Server
  • Jedox In-Memory DB (OLAP)
  • Supervision Server
  • Integrator Server

Each case is outlined below.

Spreadsheet Server Connection

Add the certificate parameter and change the interface in palo_config.xml:
(standard paths)
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\core\
Linux: /opt/jedox/ps/core-Linux-x86_64/etc/

<server>
<host>www.example.com</host>
<port>7777</port>
</server>
<certificate path="<path to certificate>"/>

Add the certificate parameter in macro_engine_config.xml:
(standard paths)
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\core\
Linux: /opt/jedox/ps/core-Linux-x86_64/etc/

<ini_directives>
...
jedox.phppalo.trust_file="<path to certificate>"
...
</ini_directives>

Jedox In-Memory DB (OLAP) Connection

Add one of the following entries to palo.ini:
(standard paths)
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\olap\data\
Linux: /opt/jedox/ps/Data/

If all Jedox services run on the same machine (i.e., they communicate via localhost/127.0.0.1), encryption is optional. To allow this, add the line "encryption optional" to palo.ini. All clients and functions still have to be configured for HTTPS. Note: in this scenario unencrypted connections remain possible on the http port. For full security, use "encryption required", as described in the next paragraph.

If Integrator (Tomcat service) runs on a separate machine from the In-Memory DB, encryption is required. The Integrator service communicates over the internal interface and is normally not reachable from outside the server. If you do not plan to communicate over localhost/127.0.0.1, add the line "encryption required" to palo.ini.

Each “http” command must use https instead of http and the HTTPS port.

  • Add one https port: e.g. “https 7778”

Example:

http "" 7777
....
encryption optional
https 7778
key-files ca_bundle.pem cert_and_key.pem dh_key.pem

  • First parameter: root certificate + CA chain
  • Second parameter: certificate + private key
  • Third parameter: Diffie-Hellman parameters

If you do not have these files, you can create self-signed ones with the following commands (not recommended for production: clients then have no CA against which to verify the certificate and each client must trust this specific file):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.pem -out server.pem -sha256
This creates a file called "server.pem" containing both the private key and the certificate. It is used for the first two parameters.

openssl dhparam -2 -outform PEM -out dh2048.pem 2048
This generates a file called dh2048.pem, meant for the last parameter.

The configuration would then look like this:

http "" 7777
....
encryption optional
https 7778
key-files server.pem server.pem dh2048.pem
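To check a palo.ini like the ones above before restarting the OLAP server, here is an added Python example (not Jedox code, standard library only). It parses the http, https, encryption and key-files directives, reports when the server still accepts plaintext ("encryption optional" or no encryption directive at all), checks that the three key-files contain the block types the three parameters call for, and strips the private key out of a combined file such as server.pem, which is also the form a client trust file and the Integrator keystore import further down need. The sample palo.ini texts and PEM files are constructed placeholders, and treating '#' as the comment character in palo.ini is an assumption.

```python
"""Audit a palo.ini for enforced TLS and sanity-check the three key-files it names.

Added example, not Jedox code. Assumptions not taken from the page: palo.ini
uses '#' for comments, the key-files are PEM, and a PEM block is recognised by
its BEGIN/END label only (no signature, expiry or chain validation is done).
"""
import re
import shlex

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(pem_text):
    """Labels (CERTIFICATE, PRIVATE KEY, DH PARAMETERS, ...) of the blocks in pem_text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def strip_private_key(pem_text):
    """Keep only CERTIFICATE blocks: the form a trust file (and the keytool import) should have."""
    return "".join(m.group(0) + "\n" for m in PEM_BLOCK.finditer(pem_text)
                   if m.group(1) == "CERTIFICATE")


def parse_palo_ini(ini_text):
    """Collect the http, https, encryption and key-files directives."""
    cfg = {"http": [], "https": [], "encryption": None, "key_files": None}
    for line in ini_text.splitlines():
        words = shlex.split(line, comments=True)  # assumption: '#' starts a comment
        if not words:
            continue
        key, args = words[0], words[1:]
        if key in ("http", "https"):
            cfg[key].append(args)
        elif key == "encryption":
            cfg["encryption"] = args[0] if args else None
        elif key == "key-files":
            cfg["key_files"] = args
    return cfg


def audit(ini_text, read_file):
    """Return findings; an empty list means TLS is enforced and the key-files look right.

    read_file(path) -> str supplies file contents, so the audit can run on any source.
    """
    cfg = parse_palo_ini(ini_text)
    findings = []
    if not cfg["https"]:
        findings.append("no 'https' port: nothing can connect over TLS")
    http_ports = ", ".join(args[-1] for args in cfg["http"] if args) or "none"
    if cfg["encryption"] != "required":
        findings.append(f"encryption is {cfg['encryption'] or 'unset'}: plaintext is still "
                        f"accepted on http port(s) {http_ports}")
    kf = cfg["key_files"]
    if not kf or len(kf) != 3:
        findings.append("'key-files' must name three files: CA bundle, cert+key, DH parameters")
        return findings
    ca, server, dh = (pem_labels(read_file(path)) for path in kf)
    is_key = lambda label: label.endswith("PRIVATE KEY")
    if "CERTIFICATE" not in ca:
        findings.append(f"{kf[0]}: CA bundle has no CERTIFICATE block")
    if any(map(is_key, ca)):
        findings.append(f"{kf[0]}: CA bundle carries a private key; strip it before "
                        "handing the file to clients as a trust file")
    if "CERTIFICATE" not in server or sum(map(is_key, server)) != 1:
        findings.append(f"{kf[1]}: expected a certificate (plus chain) and exactly one private key")
    if "DH PARAMETERS" not in dh:
        findings.append(f"{kf[2]}: no DH PARAMETERS block")
    return findings


# Constructed sample files (placeholder base64, not real key material) for the
# page's self-signed shortcut, where server.pem holds both the key and the cert.
FILES = {
    "server.pem": ("-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...placeholder...\n"
                   "-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\n"
                   "MIIDazCCAlOgAwIB...placeholder...\n-----END CERTIFICATE-----\n"),
    "dh2048.pem": ("-----BEGIN DH PARAMETERS-----\nMIIBCAKCAQEA...placeholder...\n"
                   "-----END DH PARAMETERS-----\n"),
}
FILES["ca_bundle.pem"] = strip_private_key(FILES["server.pem"])  # certificate only

SELF_SIGNED_INI = 'http "" 7777\nencryption optional\nhttps 7778\n' \
                  'key-files server.pem server.pem dh2048.pem\n'
HARDENED_INI = 'http "" 7777\nencryption required\nhttps 7778\n' \
               'key-files ca_bundle.pem server.pem dh2048.pem\n'

if __name__ == "__main__":
    for name, ini in (("page example", SELF_SIGNED_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini, lambda p: FILES[p]) or ["no findings"])
```

Run against the page's self-signed configuration it reports two findings (plaintext still accepted because of "encryption optional", and a private key sitting in the file used as CA bundle); the hardened variant with "encryption required" and a certificate-only bundle passes clean.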

Supervision Server Connection

Add this entry in php.ini:
(standard paths)
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\svs\
Linux: /opt/jedox/ps/svs-Linux-x86_64/

jedox.phppalo.trust_file="<path to certificate>"

and adapt the following lines:

palo_server_hostname=www.example.com
palo_server_port=7777

Integrator Server Connection

Add your certificate to the keystore with the following command:

keytool.exe -import -trustcacerts -keystore keystore -alias tomcat -file server.pem

Run keytool from the bin directory of your Java installation: copy the keystore from <install_path>\Jedox Suite\tomcat\conf\ (Windows) or <install_path>/tomcat-etl/conf/ (Linux) and your certificate file there. Remove the private key from the certificate file first; only the certificate belongs in a trust store, and the private key should stay on the OLAP server that uses it.

To encrypt the communication between the OLAP Server, Integrator, and Scheduler, it is necessary to add the certificate to the Jedox keystore. Java provides a tool called keytool that can be used to do so. The path to the Jedox keystore is <install_path>\Jedox Suite\tomcat\conf\keystore (Windows) or <install_path>/tomcat-etl/conf/ (Linux) and the default password is changeit.

  1. If you change the default password, replace changeit with your new password in the line

    javax.net.ssl.keyStorePassword=changeit

    in all of the following files:

    Windows: <Install_path>\tomcat\client\config\etlcli.properties
    Linux: <Install_path>/tomcat-etl/client/config/etlcli.properties

    Windows: <Install_path>\tomcat\webapps\etlserver\config\ssl.properties
    Linux: <Install_path>/tomcat-etl/webapps/etlserver/config/ssl.properties

    Windows: <Install_path>\tomcat\webapps\rpc\WEB-INF\classes\scheduler-ssl.properties
    Linux: <Install_path>/tomcat-etl/webapps/rpc/WEB-INF/classes/scheduler-ssl.properties

    In \tomcat\conf\server.xml (Windows) or /tomcat-etl/conf/server.xml (Linux), adjust the keystore password in the following Connector (if it is commented out, make sure it is active):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="conf/keystore" keystorePass="changeit" />


    By default, all files mentioned above refer to the same keystore file, except etlcli.properties, which has its own keystore in \tomcat\client\config\ (Windows) or /tomcat-etl/conf/ (Linux). This only affects etlclient.bat.

  2. Adjust interfaces in \tomcat\webapps\rpc\WEB-INF\classes\etl-mngr.properties (Windows) or /tomcat-rpc/webapps/rpc/WEB-INF/classes/etl-mngr.properties (Linux):

    # ETL Server URL
    etl.server.url=http://www.example.com:7775/etlserver/services/ETL-Server?wsdl

  3. In \tomcat\conf\server.xml (Windows) or /tomcat-etl/conf/server.xml (Linux), adjust interface in line:

    <Connector port="7775" address="www.example.com" connectionTimeout="20000" protocol="HTTP/1.1" redirectPort="8443" />

  4. In \tomcat\webapps\rpc\WEB-INF\classes\rpc.properties (Windows) or /tomcat-rpc/webapps/hlbrowser/WEB-INF/classes/rpc.properties (Linux)

    # Scheduler Server URL
    web.url=http://www.example.com
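The numbered steps above spread the keystore password over several properties files and the HTTPS Connector in server.xml, and a single stale copy or a Connector left commented out breaks the encrypted Integrator/Scheduler connection. The following Python script is an added example (not Jedox code) that checks a set of properties-file texts and a server.xml for one consistent javax.net.ssl.keyStorePassword, reports when the Connector is still commented out or still uses the default changeit, and can activate the Connector with a new password. The file names and file contents are constructed; the regular expression for the Connector and the '#' comment convention in the properties files are assumptions. Because etlcli.properties refers to its own keystore, pass only the files that share the Jedox keystore.

```python
"""Keep the Jedox Tomcat keystore password consistent and the HTTPS Connector active.

Added example, not Jedox code. Assumptions not taken from the page: properties
files use key=value lines with '#' comments, the HTTPS Connector is the
<Connector .../> carrying SSLEnabled="true" (possibly wrapped in an XML comment),
and the password contains no XML-special characters.
"""
import re

PASSWORD_KEY = "javax.net.ssl.keyStorePassword"
CONNECTOR_TAG = r'<Connector\b[^>]*SSLEnabled="true"[^>]*/>'
SSL_CONNECTOR = re.compile(CONNECTOR_TAG, re.S)
COMMENTED_CONNECTOR = re.compile(r"<!--\s*(" + CONNECTOR_TAG + r")\s*-->", re.S)


def get_property(text, key):
    """Value of key in a Java .properties text, or None if absent or commented out."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None


def set_property(text, key, value):
    """Return text with key set to value (appended if the key was missing)."""
    out, found = [], False
    for line in text.splitlines():
        if not line.lstrip().startswith("#") and line.split("=", 1)[0].strip() == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def connector_state(server_xml):
    """(keystorePass, active) of the HTTPS Connector; (None, False) if there is none."""
    m = COMMENTED_CONNECTOR.search(server_xml)
    if m:
        tag, active = m.group(1), False
    else:
        m = SSL_CONNECTOR.search(server_xml)
        if not m:
            return None, False
        tag, active = m.group(0), True
    p = re.search(r'keystorePass="([^"]*)"', tag)
    return (p.group(1) if p else None), active


def activate_connector(server_xml, password):
    """Uncomment the HTTPS Connector if needed and set its keystorePass."""
    def with_password(tag):
        return re.sub(r'keystorePass="[^"]*"', lambda _: f'keystorePass="{password}"', tag)

    m = COMMENTED_CONNECTOR.search(server_xml)
    if m:  # drop the surrounding <!-- --> and keep the tag itself
        return server_xml[:m.start()] + with_password(m.group(1)) + server_xml[m.end():]
    return SSL_CONNECTOR.sub(lambda m: with_password(m.group(0)), server_xml, count=1)


def check_consistency(property_files, server_xml):
    """property_files: {name: text}. Returns problems; an empty list means all agree."""
    values = {name: get_property(text, PASSWORD_KEY) for name, text in property_files.items()}
    values["server.xml"], active = connector_state(server_xml)
    problems = []
    if not active:
        problems.append("server.xml: HTTPS Connector is missing or commented out")
    reference = values["server.xml"]
    for name, value in values.items():
        if value != reference:
            problems.append(f"{name}: {PASSWORD_KEY}={value!r} differs from server.xml ({reference!r})")
    if reference == "changeit":
        problems.append("keystore still uses the default password 'changeit'")
    return problems


def harden(property_files, server_xml, password):
    """Apply one new password everywhere; returns (new_property_files, new_server_xml)."""
    new_props = {n: set_property(t, PASSWORD_KEY, password) for n, t in property_files.items()}
    return new_props, activate_connector(server_xml, password)


# Constructed sample input: the page's Connector, still commented out, plus two
# properties files that point at the shared keystore with the default password.
CONNECTOR = ('<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"\n'
             '    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"\n'
             '    clientAuth="false" sslProtocol="TLS" keystoreFile="conf/keystore" keystorePass="changeit" />')
SERVER_XML = "<Service>\n  <!--\n  " + CONNECTOR + "\n  -->\n</Service>\n"
PROPERTIES = {
    "ssl.properties": "javax.net.ssl.keyStore=conf/keystore\njavax.net.ssl.keyStorePassword=changeit\n",
    "scheduler-ssl.properties": "# scheduler\njavax.net.ssl.keyStorePassword=changeit\n",
}

if __name__ == "__main__":
    print(check_consistency(PROPERTIES, SERVER_XML))
    props, xml = harden(PROPERTIES, SERVER_XML, "S3cret-keystore")
    print(check_consistency(props, xml))  # []
```

On the constructed input the first check reports the commented-out Connector and the default password; after harden() rewrites every file with the same new password and activates the Connector, the check comes back empty. Write the returned texts back to the paths the page lists only after reviewing the diff, since server.xml carries more than this one Connector.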

Next step: Encrypting Connections in Excel Add-in and Jedox Web Environment

Updated September 27, 2022