Encrypting Jedox In-Memory DB

Step 1: Encrypting Jedox Web (HTTPS)
Step 2: Encrypting Jedox In-Memory DB

To encrypt the Jedox In-Memory DB, connections to the following components must be configured:

  • Spreadsheet Server
  • Jedox In-Memory DB Server
  • Supervision Server
  • Integrator Server

Each case is outlined below.

Spreadsheet Server Connection

Add the certificate parameter and change the interface in palo_config.xml
(standard paths):
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\core\
Linux:   /opt/jedox/ps/core-Linux-x86_64/etc/

<server>
<host>www.example.com</host>
<port>7777</port>
</server>
<certificate path="<path to certificate>"/>

Add the certificate parameter in macro_engine_config.xml
(standard paths):
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\core\
Linux:   /opt/jedox/ps/core-Linux-x86_64/etc/

<ini_directives>
...
jedox.phppalo.trust_file="<path to certificate>"
...
</ini_directives>

Jedox In-Memory DB Server Connection

Add one of the following entries to palo.ini
(standard paths):
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\olap\data\
Linux:   /opt/jedox/ps/Data/

If all Jedox services run on the same machine (i.e., they can communicate via localhost/127.0.0.1), encryption is optional. To indicate this, add the line “encryption optional” to palo.ini. Note that all clients and functions will still require an HTTPS connection. With “encryption optional” the server continues to accept unencrypted connections on its http port, so make sure that port is not reachable from outside the host.

If Integrator (the Tomcat service) runs on a different machine than the In-Memory DB, encryption is required. The Integrator service communicates over the internal interface and is normally not reachable from outside the server. If you do not plan to communicate over localhost/127.0.0.1, you must add the line “encryption required” to palo.ini.

Every connection that currently uses an “http” command must use https and the HTTPS port instead.

  • Add an https port, e.g. “https 7778”

  • Add the “key-files” line, followed by the list of certificate files

Example:

http "" 7777
....
encryption optional
https 7778
key-files ca_bundle.pem cert_and_key.pem dh_key.pem

First parameter: root certificate + CA chain

Second parameter: server certificate + private key

Third parameter: Diffie-Hellman parameters

If you don’t have these files, you can create self-signed ones with the following commands (not recommended for production: no client will trust the certificate unless you distribute it to each of them, and the resulting file contains the private key, so restrict its file permissions):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.pem -out server.pem -sha256
This creates a file called “server.pem” that contains both the certificate and the private key. It is used for the first two parameters.

openssl dhparam -2 -outform PEM -out dh2048.pem 2048
This generates a file called dh2048.pem, which is meant for the last parameter.

The configuration then looks like this:

http "" 7777
....
encryption optional
https 7778
key-files server.pem server.pem dh2048.pem
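The script below is an added example and not part of the Jedox documentation or product. It builds the three files the key-files line expects the way a practitioner would, rather than with the shortcut above: the private key lands in its own file with restrictive permissions, the certificate carries a subjectAltName so hostname checks pass, a certificate-only copy is produced for the client-side trust settings (palo_config.xml, jedox.phppalo.trust_file and the keystore import in the Integrator section), and the key, certificate and bundle are checked against each other before anything is restarted. It assumes openssl is on PATH; directory, host name and DH size are parameters, and the palo.ini lines it prints use bare file names exactly as the article's example does.

```shell
#!/bin/sh
# Added example, not Jedox tooling: create the files for the palo.ini
# "key-files" line, keep the private key out of client-facing copies and
# check that the pieces agree. Assumes openssl on PATH.
set -eu

# 1. Self-signed certificate with a subjectAltName; key and certificate go
#    to separate files so the key can stay private. A small OpenSSL config
#    carries the SAN, which works on older openssl builds without -addext.
gen_self_signed() {                # gen_self_signed <dir> <host>
    dir=$1; host=$2
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
        -config "$dir/san.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
    # Second key-files parameter: certificate + private key in one file.
    cat "$dir/server.crt" "$dir/server.key" > "$dir/cert_and_key.pem"
    chmod 600 "$dir/cert_and_key.pem"
    # First parameter: root + chain. A self-signed certificate is its own root;
    # with a CA-issued certificate put the CA chain here instead.
    cp "$dir/server.crt" "$dir/ca_bundle.pem"
}

# 2. Third parameter: Diffie-Hellman parameters (2048 bits takes a while).
gen_dhparams() {                   # gen_dhparams <dir> [bits]
    openssl dhparam -2 -outform PEM -out "$1/dh_key.pem" "${2:-2048}" 2>/dev/null
}

# 3. Certificate-only copy for the client side: palo_config.xml, the
#    jedox.phppalo.trust_file directive and the Tomcat keystore import must
#    never receive the private key. "openssl x509" copies only the certificate.
extract_cert() {                   # extract_cert <cert_and_key.pem> <out.pem>
    openssl x509 -in "$1" -out "$2"
    ! grep -q "PRIVATE KEY" "$2"
}

# 4. Checks to run before restarting the OLAP server: the private key belongs
#    to the certificate, and the bundle in parameter one validates it.
key_matches_cert() {               # key_matches_cert <key> <cert>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
bundle_validates_cert() {          # bundle_validates_cert <ca_bundle> <cert>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 5. The palo.ini lines from the article. File names are bare, as in the
#    article's example, so copy the three files next to palo.ini.
palo_ini_fragment() {              # palo_ini_fragment <optional|required>
    printf 'http "" 7777\nencryption %s\nhttps 7778\n' "$1"
    printf 'key-files ca_bundle.pem cert_and_key.pem dh_key.pem\n'
}

main() {                           # main <dir> <host>
    mkdir -p "$1"
    gen_self_signed "$1" "$2"
    gen_dhparams "$1"
    extract_cert "$1/cert_and_key.pem" "$1/server_cert_only.pem"
    key_matches_cert "$1/server.key" "$1/server.crt"
    bundle_validates_cert "$1/ca_bundle.pem" "$1/server.crt"
    palo_ini_fragment optional
}
if [ "${JEDOX_TLS_DEMO:-}" = "1" ]; then main "${1:-./jedox-tls}" "${2:-www.example.com}"; fi
```

Run it as JEDOX_TLS_DEMO=1 sh script.sh /path/to/out olap.example.com; the dhparam step is the slow part. A self-signed certificate is still self-signed: every client listed in this article must be pointed at server_cert_only.pem as its trust file. For production, replace gen_self_signed with a certificate issued by your CA and put that CA's chain into ca_bundle.pem; the checks in step 4 apply unchanged.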

 

Supervision Server Connection

Add this entry In php.ini:
jedox.phppalo.trust_file="<path to certificate>"

and adapt the following lines:
palo_server_hostname=www.example.com
palo_server_port=7777

 

Integrator Server Connection

Add your certificate to the keystore with the following command:

keytool.exe -import -trustcacerts -keystore keystore -alias tomcat -file server.pem

To do so, copy the keystore from <install_path>\Jedox Suite\tomcat\conf\ and your certificate file to your java\bin installation. Keep in mind that you need to remove the private key from the certificate file first: keytool -import only needs the public certificate to trust the server, and the private key should never leave the OLAP server.

To encrypt the communication between the OLAP Server, Integrator, and Scheduler, it is necessary to add the certificate to the Jedox keystore. Java provides a tool called keytool that can be used to do so. The path to the Jedox keystore is <install_path>\Jedox Suite\tomcat\conf\keystore and the default password is changeit.

  1. If you change the default password, replace changeit with the new keystore password in the following line:

    javax.net.ssl.keyStorePassword=changeit

    in all of the following files:

    <Install_path>\tomcat\client\config\etlcli.properties
    <Install_path>\tomcat\webapps\etlserver\config\ssl.properties
    <Install_path>\tomcat\webapps\rpc\WEB-INF\classes\scheduler-ssl.properties

    In <Install_path>\tomcat\conf\server.xml, adjust the keystore password here (if this part is commented out, make sure it’s active):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="conf/keystore" keystorePass="changeit" />

    By default, all files mentioned above refer to the same keystore file, except for <Install_path>/tomcat/client/config/etlcli.properties, which has its own keystore, stored in <Install_path>/tomcat/client/config/. This will only affect the etlclient.bat.

  2. Adjust interfaces in <Install_path>\tomcat\webapps\rpc\WEB-INF\classes\etl-mngr.properties:

    # ETL Server URL
    etl.server.url=http://www.example.com:7775/etlserver/services/ETL-Server?wsdl

  3. In <Install_path>\tomcat\conf\server.xml, adjust interface in line:

    <Connector port="7775" address="www.example.com" connectionTimeout="20000" protocol="HTTP/1.1" redirectPort="8443" />

  4. In <Install_path>\tomcat\webapps\rpc\WEB-INF\classes\rpc.properties

    # Scheduler Server URL
    web.url=http://www.example.com
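As an added example (not Jedox's own script), the following shell functions carry out step 1 in one pass: they set the new keystore password in the three properties files and in server.xml, rotate conf/keystore with keytool where it is available, and then grep all four files to confirm that no copy of the default changeit survives. The paths are the ones listed above, relative to <Install_path>/tomcat. The file name of the separate etlcli keystore under client/config is not given in the article, so the script only warns that it has to be rotated as well.

```shell
#!/bin/sh
# Added example, not Jedox tooling: rotate the Tomcat keystore password away
# from the default "changeit" in every place the article lists and verify
# that no file still carries the old one. Passwords must not contain
# "|", "&" or "\" (sed replacement syntax).
set -eu

# The files named in the article, relative to <Install_path>/tomcat.
PROPERTY_FILES="client/config/etlcli.properties
webapps/etlserver/config/ssl.properties
webapps/rpc/WEB-INF/classes/scheduler-ssl.properties"
SERVER_XML="conf/server.xml"

# Rewrite javax.net.ssl.keyStorePassword=... in one properties file.
set_property_password() {      # set_property_password <file> <new>
    sed -i.bak "s|^\(javax\.net\.ssl\.keyStorePassword=\).*|\1$2|" "$1" && rm -f "$1.bak"
}

# Rewrite keystorePass="..." on the HTTPS connector in server.xml.
set_server_xml_password() {    # set_server_xml_password <file> <new>
    sed -i.bak "s|keystorePass=\"[^\"]*\"|keystorePass=\"$2\"|" "$1" && rm -f "$1.bak"
}

# Returns 0 when none of the files still contains <pw>; lists offenders otherwise.
# (A plain substring match: a new password that contains the old one would also hit.)
no_file_uses_password() {      # no_file_uses_password <tomcat_root> <pw>
    found=0
    for f in $PROPERTY_FILES $SERVER_XML; do
        if grep -q -- "$2" "$1/$f"; then
            echo "still uses password: $1/$f"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

rotate_keystore_password() {   # rotate_keystore_password <tomcat_root> <old> <new>
    root=$1; old=$2; new=$3
    for f in $PROPERTY_FILES; do
        set_property_password "$root/$f" "$new"
    done
    set_server_xml_password "$root/$SERVER_XML" "$new"
    # Change the store password of the Jedox keystore itself. This does not
    # touch the key password of a key entry inside it (Tomcat uses keystorePass
    # for that unless keyPass is set), so run "keytool -keypasswd" for such an
    # entry too, and rotate the separate etlcli keystore under client/config
    # the same way.
    if [ -f "$root/conf/keystore" ] && command -v keytool >/dev/null 2>&1; then
        keytool -storepasswd -keystore "$root/conf/keystore" -storepass "$old" -new "$new"
    else
        echo "note: $root/conf/keystore not rotated here (keystore or keytool missing)" >&2
    fi
    no_file_uses_password "$root" "$old"
}
```

Call it as rotate_keystore_password /opt/jedox/ps/tomcat changeit 'new-password' after stopping the Tomcat service, and restart afterwards; a non-zero exit means a file still holds the old password and the services would fail to open the keystore with mismatched credentials.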

 

Next step: Encrypting Excel Client and Jedox Web Environment
