The RSE server processes (RSE daemon, RSE thread pool, and RSE
server) use the definitions in rse.env.
Remote Systems Explorer (RSE) provides core services such
as connecting the client to the host system and starting other servers
for specific services.
rse.env is located in /etc/zexpl/,
unless you specified a different location when you customized and
submitted the FEK.SFEKSAMP(FEKSETUP) job. For more
details, see Customization setup. You can
edit the file with the TSO OEDIT command.
See the following sample rse.env file, which can
be customized to match your system environment. Default
values are provided for all variables that are not explicitly specified.
The syntax of the file follows standard z/OS® UNIX shell syntax rules. For example,
comments start with a number sign (#) when using a US code page, and
spaces around the equal sign (=) are not supported.
Note: For your changes to take effect, the RSED started
task must be restarted.
Figure 1. rse.env: RSE configuration file
#_RSE_RSED_PORT=4035 # override by port specified as startup argument
#_RSE_JMON_PORT=6715
#RSE_LOGS=/var/zexpl/logs
#RSE_HOME=/usr/lpp/IBM/zexpl
#JAVA_HOME=/usr/lpp/java/J6.0
#CGI_ISPHOME=/usr/lpp/ispf
#RSE_HLQ=FEK
## load balancing
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Xms128m -Xmx512m"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.clients=10"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threads=250"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dminimum.threadpool.process=1"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threadpool.process=100"
## logs
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddaemon.log=$RSE_LOGS"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duser.log=$RSE_LOGS"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_LOG_DIRECTORY="
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.file.mode=RW.N.N"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.retention.period=5"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.all.logs=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.last.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.secure.mode=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.standard.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_TRACING_ON=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_MEMLOGGING_ON=true"
## audit
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.audit.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.cycle=30"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.retention.period=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.log.mode=RW.R.N"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.action=<user exit>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.action.id=<userid>"
## security
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DAPPLID=FEKAPPL"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.port.of.entry=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.certificate.mapping=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDENY_PASSWORD_SAVE=true"
## connect
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dipv6=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.dDVIPA=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddeny.nonzero.port=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsingle.logon=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlogon.action=<user exit>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlogon.action.id=<userid>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dreject.logon.threshold=1000000"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_TCP_NO_DELAY=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_IDLE_SHUTDOWN_TIMEOUT=3600000"
## system
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dbackupfiles=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDISABLE_MIGRATE_HRECALL_HDELETE=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DHIDE_ZOS_UNIX=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.automount=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddisplay.users=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dprocess.cleanup.interval=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.stats.copy.local=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_USE_THREADED_MINERS=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.ispf.sessions=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duse.fastpath.getattributes=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dallow.retry.on.failed.saf.check=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaxthreadtasks.threshold=60"
## search
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.hits=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.scanned_objects=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.lines=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.timeout=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.errcount=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.MaxFilterResults=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDISABLE_TEXT_SEARCH=true"
## ispf
#CGI_ISPCONF=$RSE_CFG
#CGI_ISPWORK=$RSE_LOGS/..
#_RSE_ISPF_OPTS=""
#_RSE_ISPF_OPTS="$_RSE_ISPF_OPTS&ISPPROF=&SYSUID..ISPPROF"
#CGI_ISPPREF="&SYSPREF..ISPF.VCMISPF"
#CGI_CEATSO=TRUE
#CGI_CEATSO_KEEPALIVE=FALSE
## system
#TZ=EST5EDT
#LANG=C
#PATH=$PATH:/bin
#TMPDIR=/tmp
#_CEE_DMPTARG=/tmp
#_RSE_UMASK=RWX.N.N
## connect
#_BPXK_SETIBMOPT_TRANSPORT=TCPIP
#_RSE_PORTRANGE=8108-8118
## security
#_RSE_FEK_SAF_CLASS=FACILITY
#GSK_PROTOCOL_SSLV3=OFF
#GSK_V3_CIPHER_SPECS=3536372F30310A100D0F0C
#GSK_FIPS_STATE=OFF
#GSK_CRL_SECURITY_LEVEL=HIGH
#GSK_LDAP_SERVER=ldap_server_url
#GSK_LDAP_PORT=ldap_server_port
#GSK_LDAP_USER=ldap_userid
#GSK_LDAP_PASSWORD=ldap_server_password
## push-to-client
#_RSE_LDAP_SERVER=ldap_server_url
#_RSE_LDAP_PORT=389
#_RSE_LDAP_PTC_GROUP_SUFFIX="O=PTC,C=zOSexplorer"
#STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL
#STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB
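The syntax rules above (number sign for comments, no spaces around the equal sign, options appended through `$_RSE_JAVAOPTS`) can be checked before the RSED started task is restarted. The following lint is an added example, not part of the product or of the original page; the function name, the constructed sample lines, and the assumption that a `_RSE_JAVAOPTS` line without `$_RSE_JAVAOPTS` replaces earlier options (standard shell assignment) are the example's own.

```python
import re

# Constructed sample in rse.env syntax (not taken from a real system).
SAMPLE = '''\
#_RSE_RSED_PORT=4035
_RSE_JMON_PORT = 6715
RSE_LOGS=/var/zexpl/logs
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.audit.log=true"
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.log.mode=RW.R.N"
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlogon.action.id=IBMUSER
_RSE_JAVAOPTS="-Dsingle.logon=false"
GSK_PROTOCOL_SSLV3=OFF
'''

ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')

def lint_rse_env(text):
    """Return (settings, java_opts, problems) for the active lines of an rse.env."""
    settings, java_opts, problems = {}, {}, []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank or commented out: the default stays in effect
        m = ASSIGN.match(line)
        if not m:
            problems.append((num, 'not NAME=value (spaces around "=" are not supported)'))
            continue
        name, value = m.groups()
        if value.count('"') % 2:
            problems.append((num, 'unbalanced double quote'))
            continue
        if not value.startswith('"'):
            value = re.split(r'\s+#', value)[0]  # drop a trailing comment
        value = value.strip('"')
        if name != '_RSE_JAVAOPTS':
            settings[name] = value
            continue
        if '$_RSE_JAVAOPTS' not in value:
            # Assumption: shell assignment semantics, so earlier options are lost.
            problems.append((num, 'missing $_RSE_JAVAOPTS; earlier -D options are dropped'))
            java_opts.clear()
        for opt in re.findall(r'(?:^|\s)-D(\S+)', value):
            key, _, val = opt.partition('=')
            java_opts[key] = val
    return settings, java_opts, problems
```

On the constructed sample, line 7 drops the audit options set on lines 4 and 5, which is the kind of silent change worth catching before a restart.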
The following definitions are optional. If omitted, default
values are used.
- _RSE_RSED_PORT
- RSE daemon port number. The default is 4035. Uncomment
and change to match your needs.
Note:
- Before selecting a port, verify that the port is available on
your system by using the TSO commands NETSTAT and NETSTAT
PORTL.
- This port is used for client-host communication.
- The RSED started task can override the port number specified here.
- _RSE_JMON_PORT
- JES Job Monitor port number. The default is 6715. Uncomment and change to match your needs.
Note:
- This value must match the port number set for JES Job Monitor
in the FEJJCNFG configuration file. If these values
differ, RSE cannot connect the client to JES Job Monitor. To learn
how to define the variable for JES Job Monitor, see FEJJCNFG, the JES Job Monitor configuration file.
- Before selecting a port, verify that the port is available on
your system by using the TSO commands NETSTAT and NETSTAT
PORTL.
- All communication on this port is confined to your z/OS host system.
- RSE_LOGS
- RSE log directory. The default is /var/zexpl/logs.
Uncomment and change to match your needs.
Note: If you did not use
the SFEKSAMP(FEKSETUP) sample job to build the customizable
environment, verify that the last directory in the path specified
in RSE_LOGS has read, write, and execute permission for owner, group,
and other (permission bitmask 777).
- RSE_HOME
- RSE home directory. The default is the directory specified in
the HOME variable of the RSED started task (default /usr/lpp/IBM/zexpl). Uncomment and change to match your z/OS Explorer installation.
Note: RSE
daemon startup will fail if RSE_HOME is not equal to the HOME variable
of the RSED started task.
- JAVA_HOME
- Java™ home directory. The
default is /usr/lpp/java/J6.0. Uncomment
and change to match your Java installation.
- CGI_ISPHOME
- Home directory for the ISPF code that provides the ISPF
Gateway service. The default is /usr/lpp/ispf. Uncomment and change to match your ISPF installation.
- RSE_HLQ
- The high-level qualifier used to install z/OS Explorer.
The default is FEK. Uncomment and change to
match the location of your z/OS Explorer data
sets.
- _RSE_JAVAOPTS
- Additional
RSE-specific Java options.
For more information about this definition, see Defining extra Java startup parameters with _RSE_JAVAOPTS.
- CGI_ISPCONF
- ISPF base configuration directory. The default is $RSE_CFG, which holds the z/OS Explorer configuration directory name.
When using defaults, CGI_ISPCONF is set to /etc/zexpl. Uncomment and change to match the location of ISPF.conf,
the Legacy ISPF Gateway customization file.
- CGI_ISPWORK
- ISPF base work directory. The default is $RSE_LOGS/..,
which holds the z/OS Explorer
log directory name. When using defaults, CGI_ISPWORK is
set to /var/zexpl. Uncomment and
change to match the location of the WORKAREA directory used by
the Legacy ISPF Gateway.
Note:
- The Legacy ISPF Gateway adds /WORKAREA to
the path specified in CGI_ISPWORK. Do not
add it yourself.
- If you did not use the SFEKSAMP(FEKSETUP) sample
job to build the customizable environment, verify that the WORKAREA
directory exists in the path specified in CGI_ISPWORK.
The directory permission bits must allow read, write, and execute
for owner, group, and other (permission bitmask 777).
- _RSE_ISPF_OPTS
- Additional Legacy
ISPF Gateway-specific Java options.
The default is "". For more information about this
definition, see Defining extra Java startup parameters with _RSE_ISPF_OPTS.
- CGI_ISPPREF
- High-level qualifier
for the temporary data set created by the Legacy ISPF Gateway. The
default is "&SYSPREF..ISPF.VCMISPF".
Uncomment and change to match your data set naming conventions.
The
following variables can be used in the data set name:
- &SYSUID. to substitute the developer's user
ID
- &SYSPREF. to substitute the developer's TSO
prefix or, if the TSO prefix cannot be determined, the user ID
- &SYSNAME. to substitute the system name as
specified in the IEASYMxx parmlib member
Note: This directive requires ISPF APAR OA38740.
- CGI_CEATSO
- Activate Interactive ISPF Gateway. The default is FALSE.
Uncomment and specify TRUE to use the Interactive
ISPF Gateway when possible. For more information, see (Optional) Interactive ISPF Gateway.
Note:
- As of z/OS 2.2, Legacy
ISPF Gateway, previously named TSO/ISPF Client Gateway, is deprecated
and is no longer being enhanced. The functionality is now provided
by the Interactive ISPF Gateway.
- Interactive ISPF Gateway requires z/OS 2.2,
and the Common Event Adapter (CEA) TSO/E address space manager service.
- CGI_CEATSO_KEEPALIVE
- Prevent an idle Interactive ISPF Gateway session from timing out
after 15 minutes. The default is TRUE. Uncomment
and specify FALSE to allow the session to time out
when not used.
- TZ
- Time zone selector. The default is EST5EDT.
The default time zone is UTC -5 hours (Eastern Standard Time (EST) /
Eastern Daylight Saving Time (EDT)). Uncomment and change to
match your time zone.
Additional information can be found in the UNIX System Services Command Reference (SA22-7802).
- LANG
- Specifies the name of the default locale. The default is C. C specifies
the POSIX locale and (for example) Ja_JP specifies
the Japanese locale. Uncomment and change to match
your locale.
- PATH
- Additional command path entries. The default is /bin plus z/OS Explorer specific directories.
Uncomment and add your own directories as needed.
- TMPDIR
- Specifies the path used to store temporary files. The default
is /tmp. Uncomment and change to use the requested
path.
- _CEE_DMPTARG
- Language Environment® (LE) z/OS UNIX dump
location used by the Java Virtual
Machine (JVM). The default is /tmp. Uncomment
and change to match your needs.
- _RSE_UMASK
- Specifies the access permission mask for z/OS UNIX files
and directories that are created by users. The default is RWX.N.N,
which grants the owner read, write, and execute/search access. The
owner's default group and everyone else have no access. To set the
required access permissions, uncomment and customize this variable.
UNIX standards dictate that permissions
can be set for three types of users: owner, group, and other. The
fields in this variable match this order, and the fields are separated
by a period (.). Each field can be empty (which
equals N), or have N,
or any combination of R, W,
and X as values, where N =
none, R = read, W =
write, and X = execute/search.
- _BPXK_SETIBMOPT_TRANSPORT
- Specifies the name of the TCP/IP stack to be used. The default
is TCPIP. Uncomment and change to the requested TCP/IP
stack name, as defined in the TCPIPJOBNAME statement
in the related TCPIP.DATA.
Note:
- Coding a SYSTCPD DD statement in the server JCL does not set the
requested stack affinity.
- When this directive is not active, RSE binds to every
available stack on the system (BIND INADDRANY).
- _RSE_PORTRANGE
- Specifies the port range that the RSE server can open for communication
with a client. Any port can be used by default. For more information
about this definition, see Defining the PORTRANGE available for RSE server.
- GSK_PROTOCOL_SSLV3
- Specifies whether the specified encryption protocol, SSLV3 in
this sample, is enabled. A protocol that is supported by but not enabled
in System SSL can be enabled here by specifying GSK_PROTOCOL_<protocol>=ON.
You can disable a protocol by specifying OFF as
value. For a list of supported protocols and the matching variable
names, see Cryptographic Services System SSL Programming (SC24-5901).
Note: Due
to a vulnerability in the SSLv3 (Secure Socket Layer) protocol, support
for this protocol is deprecated in z/OS Explorer.
- GSK_V3_CIPHER_SPECS
- Specifies the encryption cipher selection specifications in order
of preference as a string consisting of one or more 2-character values.
Uncomment and specify the desired string if you want to influence
cipher selection. For a list of supported ciphers and their 2-character
ID, see Cryptographic Services System SSL Programming (SC24-5901).
Note: z/OS Explorer will
disable ciphers that are known to be insecure.
- GSK_FIPS_STATE
- Specifies whether the FIPS 140-2 standard for encrypted communication
is used. The default is OFF. Uncomment and
specify ON to use encrypted communication that
conforms to the FIPS 140-2 standard.
- GSK_CRL_SECURITY_LEVEL
- Specifies the level of security applications use when
contacting LDAP servers to check CRLs for revoked certificates during
certificate validation. The default is MEDIUM. To
enforce the usage of the specified value, uncomment and change. The
following values are valid:
- LOW: Certificate validation does not fail if
the LDAP server cannot be contacted.
- MEDIUM: Certificate validation requires the LDAP
server to be contactable, but does not require a CRL to be defined.
This value is the default.
- HIGH: Certificate validation requires the LDAP
server to be contactable and a CRL to be defined.
- GSK_LDAP_SERVER
- Specifies one or more blank-separated LDAP server host names used
for certificate validation. To enforce the usage of the specified
LDAP servers to obtain their CRL, uncomment and change.
The host
name can either be a TCP/IP address or a URL. Each host name can contain
an optional port number separated from the host name by a colon sign
(:).
- GSK_LDAP_PORT
- Specifies the LDAP server port used for certificate validation.
The default is 389. To enforce the usage of the
specified value, uncomment and change.
- GSK_LDAP_USER
- Specifies the distinguished name to use when connecting to the
LDAP server for certificate validation. To enforce the usage of the
specified value, uncomment and change.
- GSK_LDAP_PASSWORD
- Specifies the password to use when connecting to the LDAP server
for certificate validation. To enforce the usage of the specified
value, uncomment and change.
- _RSE_LDAP_SERVER
- Specifies the LDAP server host name used by the push-to-client
function. The default is the current z/OS host
name. To enforce the usage of the specified value, uncomment and change.
- _RSE_LDAP_PORT
- Specifies the LDAP server port used by the push-to-client function.
The default is 389. To enforce the usage of the specified
value, uncomment and change.
- _RSE_LDAP_PTC_GROUP_SUFFIX
- Specifies the “O=<organization>, C=<country>”
suffix needed to find the push-to-client groups within the LDAP server.
The default is "O=PTC,C=zOSexplorer". To enforce
the usage of the specified value, uncomment and change.
- STEPLIB
- Access MVS™ data sets not
in LINKLIST/LPALIB. The default is "NONE".
You can bypass the need of having prerequisite libraries in LINKLIST/LPALIB
by uncommenting and customizing one or more of the following STEPLIB
directives. For more information about the usage of the libraries
in the following list, see
PARMLIB changes:
# RSE
STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL
# ISPF
STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB
Note:
- Using STEPLIB in z/OS UNIX has a negative performance
impact.
- If one STEPLIB library is APF-authorized, then all the other STEPLIB
libraries must be authorized. Libraries lose their APF authorization
when they are mixed with non-authorized libraries in STEPLIB.
- Libraries that are designed for LPA placement might require additional
program control and APF authorizations if they are accessed through
LINKLIST or STEPLIB.
- Coding a STEPLIB DD statement in the server JCL does not set the
requested STEPLIB concatenation.
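The security-related definitions above (_RSE_UMASK, GSK_PROTOCOL_SSLV3, GSK_CRL_SECURITY_LEVEL, GSK_LDAP_PASSWORD) can be reviewed together once the active settings are known. The following check is an added example, not part of the product or of the original page; the function names and the wording of the findings are the example's own, and the defaults are the ones stated on this page.

```python
# Defaults as stated on this page for values that are left commented out.
DEFAULTS = {"_RSE_UMASK": "RWX.N.N", "GSK_CRL_SECURITY_LEVEL": "MEDIUM"}
BITS = {"R": 4, "W": 2, "X": 1}

def parse_mask(mask):
    """Convert an owner.group.other mask such as RWX.N.N to an octal mode string."""
    fields = mask.split(".")
    if len(fields) != 3:
        raise ValueError(f"expected 3 period-separated fields: {mask!r}")
    digits = ""
    for field in fields:
        if field in ("", "N"):              # an empty field equals N
            digits += "0"
        elif set(field) <= set(BITS):       # any combination of R, W and X
            digits += str(sum(BITS[c] for c in set(field)))
        else:
            raise ValueError(f"invalid field {field!r} in {mask!r}")
    return digits

def review(settings):
    """Return findings for active rse.env settings given as a NAME -> value dict."""
    eff = {**DEFAULTS, **settings}
    findings = []
    mode = parse_mask(eff["_RSE_UMASK"])
    if mode[1:] != "00":
        findings.append(f"_RSE_UMASK={eff['_RSE_UMASK']} (mode {mode}): "
                        "group or other can access user-created files")
    if eff.get("GSK_PROTOCOL_SSLV3", "").upper() == "ON":
        findings.append("GSK_PROTOCOL_SSLV3=ON: SSLv3 is deprecated "
                        "because of a protocol vulnerability")
    if eff["GSK_CRL_SECURITY_LEVEL"].upper() == "LOW":
        findings.append("GSK_CRL_SECURITY_LEVEL=LOW: validation does not fail "
                        "when the LDAP server cannot be contacted")
    if eff.get("GSK_LDAP_PASSWORD"):
        findings.append("GSK_LDAP_PASSWORD is set: the password is visible "
                        "to anyone who can read rse.env")
    return findings
```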