rse.env, the RSE configuration file

The RSE server processes (RSE daemon, RSE thread pool, and RSE server) use the definitions in rse.env.

Remote Systems Explorer (RSE) provides core services such as connecting the client to the host system and starting other servers for specific services.

rse.env is located in /etc/zexpl/, unless you specified a different location when you customized and submitted the FEK.SFEKSAMP(FEKSETUP) job. For more details, see Customization setup. You can edit the file with the TSO OEDIT command.

See the following sample rse.env file, which can be customized to match your system environment. Default values are provided for all variables that are not explicitly specified. The syntax of the file follows standard z/OS® UNIX shell syntax rules. For example, comments start with a number sign (#) when using a US code page, and spaces around the equal sign (=) are not supported.

Note: For your changes to take effect, the RSED started task must be restarted.

Figure 1. rse.env: RSE configuration file

#
# rse.env - RSE environment variables
#

#=============================================================
# optional definitions, defaults provided if not specified
#=============================================================

# Specify the RSE Daemon and JES Job Monitor ports
#-------------------------------------------------------------
#_RSE_RSED_PORT=4035   # override by port specified as startup argument
#_RSE_JMON_PORT=6715

# Specify the directory where RSE logs are stored
#-------------------------------------------------------------
#RSE_LOGS=/var/zexpl/logs

# Specify the directory where RSE is installed
#-------------------------------------------------------------
#RSE_HOME=/usr/lpp/IBM/zexpl

# Specify the directory where Java is installed
#-------------------------------------------------------------
#JAVA_HOME=/usr/lpp/java/J8.0_64

# Specify the directory where ISPF is installed
#-------------------------------------------------------------
#CGI_ISPHOME=/usr/lpp/ispf

# Specify the HLQ where RSE is installed
#-------------------------------------------------------------
#RSE_HLQ=FEK

# Specify the directories where RSE plugins are installed
#-------------------------------------------------------------
#RSE_PLUGIN_PATH=

# Specify the RSE application ID
#-------------------------------------------------------------
#RSE_APPLID=FEKAPPL

# Specify restriction on data set names for MVS search
# The value specified must be a valid regular expression.
#
# A optional substitution variable {UserID} may be included in the
# regex string.  In that case, that will be replaced by the actual
# user ID of a given user when comparing with data set names.
# For example, if the search pattern is {UserID}\.COBOL\..*
# then when USERX tried to do a search, he/she will only be able
# to search under USERX.COBOL.*
#-------------------------------------------------------------
#RSE_DSN_SEARCH_REGEX=".*"

# Specify Java options to start RSE server
#-------------------------------------------------------------
## load balancing
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Xms128m -Xmx512m"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.clients=10"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threads=250"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dminimum.threadpool.process=1"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threadpool.process=100"
## logs
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddaemon.log=$RSE_LOGS"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duser.log=$RSE_LOGS"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_LOG_DIRECTORY="
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.file.mode=RW.N.N"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.retention.period=5"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.all.logs=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.last.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.secure.mode=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.standard.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_TRACING_ON=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_MEMLOGGING_ON=true"
## audit
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.audit.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.cycle=30"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.retention.period=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.log.mode=RW.R.N"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.action=<user exit>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.action.id=<userid>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.display.attributes=true"
## security
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.port.of.entry=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.certificate.mapping=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDENY_PASSWORD_SAVE=true"
## connect
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dipv6=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.dDVIPA=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddeny.nonzero.port=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsingle.logon=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlogon.action=<user exit>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlogon.action.id=<userid>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dreject.logon.threshold=1000000"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_TCP_NO_DELAY=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_IDLE_SHUTDOWN_TIMEOUT=3600000"
## system
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dbackupfiles=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dbackup.in.user.prefs=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDISABLE_MIGRATE_HRECALL_HDELETE=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DHIDE_ZOS_UNIX=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DSHOW_SSH_TERMINAL=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.automount=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddisplay.users=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dprocess.cleanup.interval=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.stats.copy.local=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_USE_THREADED_MINERS=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.ispf.sessions=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dinclude.info.msg=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duse.fastpath.getattributes=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dallow.retry.on.failed.saf.check=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaxthreadtasks.threshold=60"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dseqsosi.to.spaces=true"
## search
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.hits=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.scanned_objects=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.lines=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.timeout=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.errcount=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.MaxFilterResults=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDISABLE_TEXT_SEARCH=true"

# Location of the Legacy ISPF Gateway configuration and work files
#-------------------------------------------------------------
#CGI_ISPCONF=$RSE_CFG
#CGI_ISPWORK=$(dirname $RSE_LOGS)

# Specify Legacy ISPF Gateway options
#-------------------------------------------------------------
#_RSE_ISPF_OPTS=""    # uncomment to disable reusable sessions
#_RSE_ISPF_OPTS="$_RSE_ISPF_OPTS&ISPPROF=&SYSUID..ISPPROF"
#CGI_ISPPREF="&SYSPREF..ISPF.VCMISPF"

# Use STEPLIB to access TSO SEND exit within Legacy ISPF Gateway
#-------------------------------------------------------------
#STEPLIB=$STEPLIB:$RSE_HLQ.SFEKAUTH

# Specify Interactive ISPF Gateway options
#-------------------------------------------------------------
#CGI_CEATSO=TRUE
#CGI_CEATSO_KEEPALIVE=FALSE

# Specify the local time zone
#-------------------------------------------------------------
#TZ=EST5EDT

# Specify additional command search directories
#-------------------------------------------------------------
#PATH=$PATH:/bin

# Specify the directory for storing temporary files
#-------------------------------------------------------------
#TMPDIR=/tmp

# Specify the target destination for Java dumps
#-------------------------------------------------------------
#_CEE_DMPTARG=/tmp

# Specify the umask for z/OS UNIX files
#-------------------------------------------------------------
#_RSE_UMASK=RWX.N.N

# Specify the TCP/IP stack to be used
#-------------------------------------------------------------
#_BPXK_SETIBMOPT_TRANSPORT=TCPIP

# Specify the port range for RSE client connections
#-------------------------------------------------------------
#_RSE_PORTRANGE=8108-8118

# Specify the security class where FEK.* profiles are defined
#-------------------------------------------------------------
#_RSE_FEK_SAF_CLASS=FACILITY

# Specify System SSL variables to limit protocol/cipher selection
#-------------------------------------------------------------
#GSK_PROTOCOL_TLSV1_3=ON
#GSK_V3_CIPHERS=GSK_V3_CIPHERS_CHAR4
#GSK_V3_CIPHER_SPECS=352F
#GSK_V3_CIPHER_SPECS_EXPANDED=130113021303C02CC02BC030C02F
#GSK_SERVER_TLS_KEY_SHARES=002300250029
#GSK_FIPS_STATE=OFF

# Specify System SSL variables for certificate validation using CRL
#-------------------------------------------------------------
#GSK_CRL_SECURITY_LEVEL=HIGH
#GSK_LDAP_SERVER=ldap_server_url
#GSK_LDAP_PORT=ldap_server_port
#GSK_LDAP_USER=ldap_userid
#GSK_LDAP_PASSWORD=ldap_server_password

# Specify LDAP variables for push-to-client
#-------------------------------------------------------------
#_RSE_LDAP_SERVER=ldap_server_url
#_RSE_LDAP_PORT=389
#_RSE_LDAP_PTC_GROUP_SUFFIX="O=PTC,C=zOSexplorer"

# Specify if server accepts only connections using
# client certificate authentication. Default to false.
#-------------------------------------------------------------
#_RSE_CLIENT_CERT_AUTH_ONLY=true

# Use LINKLIST (default) or STEPLIB to access MVS system libraries
#-------------------------------------------------------------
#STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL

# Use LINKLIST (default) or STEPLIB to access MVS ISPF libraries
#-------------------------------------------------------------
#STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB

# Specify extended lock tracker options
#-------------------------------------------------------------
#RSE_EXTENDED_LOCK=TRUE
#RSE_EXTENDED_LOCK_DSN=FEK.#CUST.LOCKS.VSAM
#RSE_EXTENDED_LOCK_TIMEOUT=120000
#RSE_EXTENDED_LOCK_ANYUSER_ADD_SKIP="false"
#RSE_EXTENDED_LOCK_DELAY_RETRIES="true"

# Turn on ISPF STATS for PDS member when saved if it is not
# already on. Default to FALSE.
#-------------------------------------------------------------
#RSE_AUTO_ISPF_STATS_SAVE=TRUE

# Specify the maximum size of the work area used in catalog CSI
# query. Default to 262144.
#-------------------------------------------------------------
#RSE_MAX_CSI_WORK_AREA_SIZE=262144

# Customize the second qualifier of temporary data set names used
# in load module copy. Default values are used if not set.
#-------------------------------------------------------------
#RSE_MVS_TEMP_QUALIFIER=

# To enable the Common Properties service, this variable needs to
# set to a shared UNIX directory on the system.
#-------------------------------------------------------------
#RSE_COMMON_PROPERTIES=

# To enable the private Common Properties service, this variable
# needs to set to a UNIX directory relative to a given user
# home directory.  Private Common Properties for a user will be
# stored under /<user home>/RSE_COMMON_PROPERTIES_PRIVATE_RELATIVE
#-------------------------------------------------------------
#RSE_COMMON_PROPERTIES_PRIVATE_RELATIVE=private_common_properties

# To control cache validity period when using the Common Properties
# service, the following variable can be overridden.  This value
# is the time in milliseconds a cached version of a namespace will
# be considered valid.
#-------------------------------------------------------------
#RSE_COMMON_PROPERTIES_TIMEOUT=5000

# Specify this variable to TRUE to disable the default
# Active Jobs filter under the JES from the clients.
# Specify this variable to FALSE to restore the default
# Active Jobs filter under the JES in the client.
# The default value for this variable is FALSE if it is not set.
#-------------------------------------------------------------
#_RSE_JES_DISABLE_ACTIVE_JOBS_FILTER=TRUE

# Specify this variable to configure the maximum 
# number of lines with a JCL being submitted. The
# default is no limit.
#-------------------------------------------------------------
#_RSE_JES_JOB_SUBMIT_JCL_RECORD_LIMIT=

The following definitions are optional. If omitted, default values are used.

_RSE_RSED_PORT

RSE daemon port number. The default is 4035. Uncomment and change to match your needs.

Note:

Before selecting a port, verify that the port is available on your system by using the TSO commands NETSTAT and NETSTAT PORTL.
This port is used for client-host communication.
The RSED started task can override the port number specified here.

_RSE_JMON_PORT

JES Job Monitor port number. The default is 6715. Uncomment and change to match your needs.

Note:

This value must match the port number set for JES Job Monitor in the FEJJCNFG configuration file. If these values differ, RSE cannot connect the client to JES Job Monitor. To learn how to define the variable for JES Job Monitor, see FEJJCNFG, the JES Job Monitor configuration file.
Before selecting a port, verify that the port is available on your system by using the TSO commands NETSTAT and NETSTAT PORTL.
All communication on this port is confined to your z/OS host system.

_RSE_JES_DISABLE_ACTIVE_JOBS_FILTER

Specify this variable to true to disable the default Active Jobs filter under the JES subsystem in the client. It is set to false by default.

RSE_LOGS

RSE log directory. The default is /var/zexpl/logs. Uncomment and change to match your needs.

Note: If you did not use the SFEKSAMP(FEKSETUP) sample job to build the customizable environment, verify that the last directory in the path specified in RSE_LOGS has read, write, and execute permission for owner, group, and other (permission bitmask 777).

RSE_HOME

RSE home directory. The default is the directory specified in the HOME variable of the RSED started task (default /usr/lpp/IBM/zexpl). Uncomment and change to match your z/OS Explorer installation.

Note: RSE daemon startup will fail if RSE_HOME is not equal to the HOME variable of the RSED started task.

JAVA_HOME

Java™ home directory. The default is /usr/lpp/java/J8.0. Uncomment and change to match your Java installation.

CGI_ISPHOME

Home directory for the ISPF code that provides the ISPF Gateway service. The default is /usr/lpp/ispf. Uncomment and change to match your ISPF installation.

RSE_HLQ

The high-level qualifier used to install z/OS Explorer. The default is FEK. Uncomment and change to match the location of your z/OS Explorer data sets.

RSE_PLUGIN_PATH

Reference to the plug-in products that are not installed in the plugin/ directory. The default is an empty string. Uncomment and change to match the installation paths of products that extend z/OS Explorer. Use a semicolon (:) to separate multiple paths.

Products that are installed in the plugin/ subdirectory are detected automatically and you do not need to be added to RSE_PLUGIN_PATH.

RSE_DSN_SEARCH_REGEX

This option allows a system programmer to add constraints on the data set name of a client search. To enable the option, uncomment the RSE_DSN_SEARCH_REGEX variable in the rse.env file and specify a regular expression to the desired data set name constraint. Then, restart the server so that the changes in rse.env can take effect. After that, when users work with the z/OS Remote Search dialog, they are prevented from invoking searches that do not match the data set name criteria specified in rse.env.

The following are some basic examples:

# no constraints (accept anything)
RSE_DSN_SEARCH_REGEX=.*

# allowed to search under ABC
RSE_DSN_SEARCH_REGEX=ABC\..*

# allowed to search when the 2nd qualifier is COBOL
RSE_DSN_SEARCH_REGEX=.*\.COBOL\..*

# allowed search under ABC.XYZ
RSE_DSN_SEARCH_REGEX=ABC\.XYZ\..*

In addition to regular expression syntax, a system programmer might also use a special {UserID} variable in the pattern, and then the variable is replaced by client's user ID before the expression is evaluated. For example, the system programmer might use this to let users only search under their own HLQs:

# allows users to only search under their own HLQ
RSE_DSN_SEARCH_REGEX={UserID}\..*

This means that when Bob is doing a search, he can only search under HLQ, BOB. When Mary is doing a search, she can only search under HLQ, MARY.

_RSE_JAVAOPTS

Additional RSE-specific Java options. For more information about this definition, see Defining extra Java startup parameters with _RSE_JAVAOPTS.

CGI_ISPCONF

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.ispf.sessions=0"

ISPF base configuration directory. The default is $RSE_CFG, which holds the z/OS Explorer configuration directory name. When using defaults, CGI_ISPCONF is set to /etc/zexpl. Uncomment and change to match the location of ISPF.conf, the Legacy ISPF Gateway customization file.

CGI_ISPWORK

ISPF base work directory. The default is $RSE_LOGS/.., which holds the z/OS Explorer log directory name. When using defaults, CGI_ISPWORK is set to /var/zexpl. Uncomment and change to match the location of the WORKAREA directory used by the Legacy ISPF Gateway.

Note:

The Legacy ISPF Gateway adds /WORKAREA to the path specified in CGI_ISPWORK. Do not add it yourself.
If you did not use the SFEKSAMP(FEKSETUP) sample job to build the customizable environment, verify that the WORKAREA directory exists in the path specified in CGI_ISPWORK. The directory permission bits must allow read, write, and execute for owner, group, and other (permission bitmask 777).

_RSE_ISPF_OPTS

Additional Legacy ISPF Gateway-specific Java options. The default is "". For more information about this definition, see Defining extra Java startup parameters with _RSE_ISPF_OPTS.

CGI_ISPPREF

High-level qualifier for the temporary data set created by the Legacy ISPF Gateway. The default is "&SYSPREF..ISPF.VCMISPF". Uncomment and change to match your data set naming conventions.

The following variables can be used in the data set name:

&SYSUID. to substitute the developer's user ID
&SYSPREF. to substitute the developer's TSO prefix or, if the TSO prefix cannot be determined, the user ID
&SYSNAME. to substitute the system name as specified in the IEASYMxx parmlib member

Note: This directive requires ISPF APAR OA38740.

CGI_CEATSO

Activate Interactive ISPF Gateway. The default is FALSE. Uncomment and specify TRUE to use the Interactive ISPF Gateway when possible. For more information, see (Optional) Interactive ISPF Gateway.

Note:

As of z/OS 2.2, Legacy ISPF Gateway, previously named TSO/ISPF Client Gateway, is deprecated and is no longer being enhanced. The functionality is now provided by the Interactive ISPF Gateway.
Interactive ISPF Gateway requires z/OS 2.2, and the Common Event Adapter (CEA) TSO/E address space manager service.

CGI_CEATSO_KEEPALIVE

Prevent an idle Interactive ISPF Gateway session from timing out after 15 minutes. The default is TRUE. Uncomment and specify FALSE to allow the session to time out when not used.

TZ

Time zone selector. The default is EST5EDT. The default time zone is UTC -5 hours (Eastern Standard Time (EST) Eastern Daylight Savings Time (EDT)). Uncomment and change to match your time zone.

Additional information can be found in the UNIX System Services Command Reference (SA22-7802).

PATH

Additional command path entries. The default is /bin plus z/OS Explorer specific directories. Uncomment and add your own directories as needed.

TMPDIR

Specifies the path used to store temporary files. The default is /tmp. Uncomment and change to use the requested path.

_CEE_DMPTARG

Language Environment® (LE) z/OS UNIX dump location used by the Java Virtual Machine (JVM). The default is /tmp. Uncomment and change to match your needs.

_RSE_UMASK

Specifies the access permission mask for z/OS UNIX files and directories that are created by users. The default is RWX.N.N, which grants the owner read, write, and execute/search access. The owner's default group and everyone else have no access. To set the required access permissions, uncomment and customize this variable.

UNIX standards dictate that permissions can be set for three types of users: owner, group, and other. The fields in this variable match this order, and the fields are separated by a period (.). Each field can be empty (which equals N), or have N, or any combination of R, W, and X as values, where N = none, R = read, W = write, and X = execute/search.

_BPXK_SETIBMOPT_TRANSPORT

Specifies the name of the TCP/IP stack to be used. The default is TCPIP. Uncomment and change to the requested TCP/IP stack name, as defined in the TCPIPJOBNAME statement in the related TCPIP.DATA.

Note:

Coding a SYSTCPD DD statement in the server JCL does not set the requested stack affinity.
When this directive is not active, RSE binds to every available stack on the system (BIND INADDRANY).

_RSE_PORTRANGE

Specifies the port range that the RSE server can open for communication with a client. Any port can be used by default. For more information about this definition, see Defining the PORTRANGE available for RSE server.

GSK_PROTOCOL_TLSV1_3

Specifies whether the specified encryption protocol, TLSV1_3 in this sample, is enabled. A protocol that is supported by but not enabled in System SSL can be enabled here by specifying GSK_PROTOCOL_<protocol>=ON. You can disable a protocol by specifying OFF as value. For a list of supported protocols and the matching variable names, see Cryptographic Services System SSL Programming (SC24-5901).

Note:

Due to a vulnerability in the SSLv3 (Secure Socket Layer) protocol, support for this protocol is deprecated in z/OS Explorer.
It requires z/OS 2.4 or later versions to enable the TLSv1.3 (Transport Layer Security) protocol. The usage of 4-character cipher IDs, specific ciphers, and server key shares are also required. If you do not set these definitions, they are set automatically, except the cipher IDs, which you need to set explicitly in the GSK_V3_CIPHER_SPECS_EXPANDED parameter.

GSK_V3_CIPHERS

Specifies the size of the ID used by System SSL to reference ciphers. Valid values are


GSK_V3_CIPHERS_CHAR2

(default) and GSK_V3_CIPHERS_CHAR4. Uncomment and specify GSK_V3_CIPHERS_CHAR4 if at least one of the ciphers you want to use has a 4-character ID. For a list of supported ciphers and their ID, see Cryptographic Services System SSL Programming (SC24-5901).

Note: Java 8.0 or higher is required for using 4-character cipher IDs.

GSK_V3_CIPHER_SPECS

When GSK_V3_CIPHERS is set to GSK_V3_CIPHERS_CHAR2, which is the default, GSK_V3_CIPHER_SPECS specifies the encryption cipher selection specifications in order of preference as a string consisting of one or more 2-character values. Uncomment and specify the desired string if you want to influence cipher selection when 2-character cipher IDs are used. For a list of supported ciphers and their 2-character ID, see Cryptographic Services System SSL Programming (SC24-5901).

Note: z/OS Explorer disables ciphers that are known to be insecure.

GSK_V3_CIPHER_SPECS_EXPANDED

When GSK_V3_CIPHERS is set to GSK_V3_CIPHERS_CHAR4, GSK_V3_CIPHER_SPECS_EXPANDED specifies the encryption cipher IDs in order of preference as a string consisting of one or more 4-character values. Uncomment and specify the desired string you want to use. For a list of supported ciphers and their 4-character ID, see Cryptographic Services System SSL Programming (SC24-5901).

Note:

Prefix a 2-character cipher ID with '00' to use it as a 4-character cipher ID in GSK_V3_CIPHER_SPECS_EXPANDED.
z/OS Explorer disables ciphers that are known to be insecure.

GSK_SERVER_TLS_KEY_SHARES

Specifies the encryption key share groups in order of preference as a string consisting of one or more 4-character values. Uncomment and specify the desired string if you want to influence key share group selection when protocol TLSv1.3 or a later version is used. For a list of supported key share groups and their 4-character ID, see Cryptographic Services System SSL Programming (SC24-5901).

GSK_FIPS_STATE

Specifies whether the FIPS 140-2 standard for encrypted communication is used. The default is OFF. Uncomment and specify ON to use encrypted communication that conforms to the FIPS 140-2 standard.

GSK_CRL_SECURITY_LEVEL

Specifies the level of security applications use when contacting LDAP servers to check CRLs for revoked certificates during certificate validation. The default is MEDIUM. To enforce the usage of the specified value, uncomment and change. The following values are valid:

LOW: Certificate validation does not fail if the LDAP server cannot be contacted.
MEDIUM: Certificate validation requires the LDAP server to be contactable, but does not require a CRL to be defined. This value is the default.
HIGH: Certificate validation requires the LDAP server to be contactable and a CRL to be defined.

GSK_LDAP_SERVER

Specifies one or more blank-separated LDAP server host names used for certificate validation. To enforce the usage of the specified LDAP servers to obtain their CRL, uncomment and change.

The host name can either be a TCP/IP address or a URL. Each host name can contain an optional port number separated from the host name by a colon sign (:).

GSK_LDAP_PORT

Specifies the LDAP server port used for certificate validation. The default is 389. To enforce the usage of the specified value, uncomment and change.

GSK_LDAP_USER

Specifies the distinguished name to use when connecting to the LDAP server for certificate validation. To enforce the usage of the specified value, uncomment and change.

GSK_LDAP_PASSWORD

Specifies the password to use when connecting to the LDAP server for certificate validation. To enforce the usage of the specified value, uncomment and change.

_RSE_LDAP_SERVER

Specifies the LDAP server host name used by the push-to-client function. The default is the current z/OS host name. To enforce the usage of the specified value, uncomment and change.

_RSE_LDAP_PORT

Specifies the LDAP server port used by the push-to-client function. The default is 389. To enforce the usage of the specified value, uncomment and change.

_RSE_LDAP_PTC_GROUP_SUFFIX

Specifies the “O=<organization>, C=<country>” suffix needed to find the push-to-client groups within the LDAP server. The default is "O=PTC,C=zOSexplorer". To enforce the usage of the specified value, uncomment and change.

_RSE_CLIENT_CERT_AUTH_ONLY

Configures the server to accept only client certificate authentication connections. When set to true, the server accepts only connections that use client certificate for authentication and fails all connections using user and password authentication. The default value is false.

STEPLIB

Access MVS data sets not in LINKLIST/LPALIB. The default is "NONE".

You can bypass the need of having prerequisite libraries in LINKLIST/LPALIB by uncommenting and customizing one or more of the following STEPLIB directives. For more information about the usage of the libraries in the following list, see PARMLIB changes:

# RSE
STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL
# ISPF
STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB

Note:

Using STEPLIB in z/OS UNIX has a negative performance impact.
If one STEPLIB library is APF-authorized, then all the other STEPLIB libraries must be authorized. Libraries lose their APF authorization when they are mixed with non-authorized libraries in STEPLIB.
Libraries that are designed for LPA placement might require additional program control and APF authorizations if they are accessed through LINKLIST or STEPLIB.
Coding a STEPLIB DD statement in the server JCL does not set the requested STEPLIB concatenation.

RSE_EXTENDED_LOCK

Activates the extended lock tracker service. The default is FALSE. Uncomment and specify TRUE to utilize the extended lock tracker service. For more information, see (Optional) Extended lock tracker.

Note: If RSE_EXTENDED_LOCK=TRUE is specified, RSE_EXTENDED_LOCK_DSN must also be defined.

RSE_EXTENDED_LOCK_DSN

The data set name of the VSAM that is used to store lock tracking data. The default is FEK.#CUST.LOCKS.VSAM. This data set is created by using SFEKSAMP(FEKLOCKA). Uncomment and specify the correct data set name when using the extended lock tracker service.

Notes:

RSE_EXTENDED_LOCK_DSN is not used unless RSE_EXTENDED_LOCK=TRUE is also defined.
In a multi-systems setup, all RSE daemons must reference the same lock tracking data set to see the locks that are held by other RSE daemons.

RSE_EXTENDED_LOCK_TIMEOUT

Cache timeout, in milliseconds, for the extended lock tracker service. The default is 120000 (2 minutes). Uncomment and specify how long the lock information that is stored in an in-storage cache remains valid, before reading the data again from the lock data VSAM.

RSE_MAX_CSI_WORK_AREA_SIZE

Specify the maximum upper bound size (in Byte) for the adjustment of the work area size allocation to satisfy the required minimum size for a catalog resume data set query. Default to 262144. A 0 denotes no limit, use with caution.

RSE_AUTO_ISPF_STATS_SAVE

To turn on and set the ISPF STATS for the PDS member when it is edited and saved, if it is not already on. The default setting is FALSE.

RSE_MVS_TEMP_QUALIFIER

Specify a custom value for the second qualifier of the temporary data sets names, used during the load module copy operations. This allows the server to comply with specific system SMS data set naming conventions. When the value is not specified, the default qualifiers SYSIN and SYSPRNT will be used to construct unique names for the temporary data sets used in the load module copy operation respectively.

RSE_COMMON_PROPERTIES

This mechanism allows authenticated users and tools to store and retrieve generic data among the team members in a flexible, shareable manner. When using RSE API, the functionality can be leveraged by REST API calls. For the IBM z/OS Explorer Eclipse client, custom plug-in developers can leverage these APIs using the CommonPropertiesServiceSubSystem. The APIs allow users to access and manipulate namespaces and the JSON data contained within each. Namespaces are physically stored as JSON files in a shared z/OS UNIX folder specified by an administrator. To enable this service, set the RSE_COMMON_PROPERTIES environment variable to a path of a folder accessible by the intended users:

RSE_COMMON_PROPERTIES=<path>

This service is designed to be used like a "bulletin board" for basic information sharing purposes. For example, it can be used for sharing various service ports and installation directories. Common Properties resources should be considered non-restrictive and mutable by authenticated users. As such, this service is amenable to informal data sharing but should not be treated as a formal database substitute.

RSE_COMMON_PROPERTIES_PRIVATE_RELATIVE

To enable the private Common Properties service, set this variable to a UNIX directory relative to a given user home directory. The private Common Properties for a user is stored in /<user home>/RSE_COMMON_PROPERTIES_PRIVATE_RELATIVE.

_RSE_JES_JOB_SUBMIT_JCL_RECORD_LIMIT

Specify this variable to configure the maximum number of lines with a JCL being submitted. The default is no limit.