Encrypting Jedox In-Memory DB

Step 1: Encrypting Jedox Web (HTTPS)
Step 2: Encrypting Jedox In-Memory DB (OLAP)

First, you must make some additional configuration changes to HTTPS:

Make the following changes to config.php:
(standard paths)
C:\Program Files (x86)\Jedox\Jedox Suite\httpd\app\etc
Linux:        /opt/jedox/ps/core-Linux-x86_64/etc/

Change the following lines
define('CFG_PALO_HOST', '');
define('CFG_TC_HOST', '');
define('CFG_SSS_HOST', '');
define('CFG_PALO_HOST', 'www.example.com);
define('CFG_TC_HOST', 'www.example.com');
define('CFG_SSS_HOST', 'www.example.com');

Then, make the following change to Apache PHP by adding this entry in php.ini:
(standard paths)
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\httpd\php
Linux: /opt/jedox/ps/etc/

jedox.phppalo.trust_file="<path to certificate>"


To encrypt the Jedox In-Memory DB, connections to the the following components must be configured:

  • Spreadsheet Server
  • Jedox In-Memory DB (OLAP)
  • Supervision Server
  • Integrator Server

Each case is outlined below.

Spreadsheet Server Connection

Add the certificate parameter and change the interface in palo_config.xml:
(standard paths)
  C:\Program Files (x86)\Jedox\Jedox Suite\core\
Linux:        /opt/jedox/ps/core-Linux-x86_64/etc/

<certificate path="<path to certificate>"/>

Add the certificate parameter in macro_engine_config.xml:
(standard paths)
Windows:  C:\Program Files (x86)\Jedox\Jedox Suite\core\
Linux:        /opt/jedox/ps/core-Linux-x86_64/etc/

jedox.phppalo.trust_file="<path to certificate>"

Jedox In-Memory DB (OLAP) Connection

Add one of these entries in palo.ini
(standard paths)
C:\Program Files (x86)\Jedox\Jedox Suite\olap\data\
Linux:        /opt/jedox/ps/Data/

If all Jedox services are running on the same machine (i.e., they can communicate securely via localhost/, then encryption is optional. To indicate this, add the line encryption optional to the palo.ini. Note that all clients and functions will still require a HTTPS connection.

If Integrator (Tomcat service) is running on a separate machine from the In-Memory DB, then encryption is required. The Integrator service communicates over the internal interface and is normally not reachable from the outside of the server. If you do not plan to communicate over localhost/, then you must add the line encryption required to palo.ini.

Each “http” command must use https instead of http and the HTTPS port.

  •  Add one https port: e.g. “https 7778”

  • Add the “key-files” followed by a list of the certificate files


http "" 7777
encryption optional
https 7778
key-files ca_bundle.pem cert_and_key.pem dh_key.pem

First parameter: root certificate + ca chain

Second parameter: certificate + privatekey

Third parameter: diffie-hellman

If you don’t have these files, you can create your own files with these commands (not recommended):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.pem -out server.pem -sha256
This will create a file called “server.pem”. This is used for the first 2 parameters.

openssl dhparam -2 -outform PEM -out dh2048.pem 2048
will generate a file called dh2048.pem, this is meant for the last parameter.

The configuration would look like that:

http "" 7777
encryption optional
https 7778
key-files server.pem server.pem dh2048.pem


Supervision Server Connection

Add this entry In php.ini:
(standard paths)
Windows: C:\Program Files (x86)\Jedox\Jedox Suite\svs\
Linux: /opt/jedox/ps/svs-Linux-x86_64/

jedox.phppalo.trust_file="<path to certificate>"

and adapt the following lines:



Integrator Server Connection

Add your certificate to the keystore with the following command:

keytool.exe -import -trustcacerts -keystore keystore -alias tomcat -file server.pem

Copy the keystore from <install_path>\Jedox Suite\tomcat\conf\ (Windows) or <install_path>/tomcat-etl/conf/ (Linux) and your certificate file to your java\bin installation. You must remove the private key from your certificate file to get this running.

To encrypt the communication between the OLAP Server, Integrator, and Scheduler, it is necessary to add the certificate to the Jedox keystore. Java provides a tool called keytool that can be used to do so. The path to the Jedox keystore is <install_path>\Jedox Suite\tomcat\conf\keystore (Windows) or <install_path>/tomcat-etl/conf/ (Linux) and the default password is changeit.

  1. If you change the default password, enter the corresponding password (changeit) of the keystore in the following paragraph:


    in all of the following files:

    <Install_path>\tomcat\client\config\etlcli.properties <Install_path>/tomcat-etl/client/config/etlcli.properties
    <Install_path>\tomcat\webapps\etlserver\config\ssl.properties <Install_path>/tomcat-etl/webapps/etlserver/config/ssl.properties
    <Install_path>\tomcat\webapps\rpc\WEB-INF\classes\scheduler-ssl.properties <Install_path>/tomcat-etl/webapps/rpc/WEB-INF/classes/scheduler-ssl.properties

    In \tomcat\conf\server.xml (Windows) or /tompcat-etl/conf/server.xml (Linux), adjust the keystore password here (if this part is commented out, make sure it’s active):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="conf/keystore" keystorePass="changeit" />

    By default, all files mentioned above refer to the same keystore file, except for etlcli.properties, which has its own keystore in \tomcat\client\config\ (Windows) or /tomcat-etl/conf/. This will only affect the etlclient.bat.

  2. Adjust interfaces in \tomcat\webapps\rpc\WEB-INF\classes\etl-mngr.properties (Windows) or /tomcat-rpc/webapps/rpc/WEB-INF/classes/etl-mngr.properties (Linux):

    # ETL Server URL

  3. In \tomcat\conf\server.xml (Windows) or /tomcat-etl/conf/server.xml (Linux), adjust interface in line:

    <Connector port="7775" address="www.example.com" connectionTimeout="20000" protocol="HTTP/1.1" redirectPort="8443" />

  4. In \tomcat\webapps\rpc\WEB-INF\classes\rpc.properties (Windows) or /tomcat-rpc/webapps/hlbrowser/WEB-INF/classes/rpc.properties (Linux)

    # Scheduler Server URL


Next step: Encrypting Excel Client and Jedox Web Environment