Automated synchronizing

As shown in "Different rse.env", the rse.env differences between the non-encrypted and encrypted RSE daemons are minimal, which makes it possible to automate keeping their rse.env files synchronized. This simplifies service roll-out, because only one rse.env file must be maintained. The automated synchronization described here uses some ideas documented in "Nearly identical rse.env".

The following example dynamically determines the RSED port number, adds the RSED port number to the log directory names, and updates the CLASSPATH so that clones will find the remaining configuration files. The example then updates both started tasks to pass in the desired port number, and enhances the started task JCL of the encrypted RSE daemon to clone the rse.env of the non-encrypted RSE daemon upon startup, updating the DENY_PASSWORD_SAVE variable in the process. Since the port number is embedded in the log directory name, the log directory is automatically different for each daemon.

  1. Prepare the master rse.env.
    $ oedit /etc/zexpl/rse.env
          -> change: _RSE_RSED_PORT=$RSE_PORT
          -> change: -Ddaemon.log=/var/zexpl/logs/$RSE_RSED_PORT
          -> change: -Duser.log=/var/zexpl/logs/$RSE_RSED_PORT
          -> add at the END:
             # -- NEEDED BY CLONES TO FIND THE REMAINING CONFIGURATION FILES IN CFG_BASE
             CFG_BASE=/etc/zexpl
             CLASSPATH=.:$CFG_BASE:$CLASSPATH
             # --
  2. Prepare the other configuration files (that are not rse.env files) that differ between the master (non-encrypted) and the clone (encrypted).
    $ mkdir /etc/zexpl/secure
    $ cp /etc/zexpl/ssl.properties /etc/zexpl/secure/ 
    $ oedit /etc/zexpl/secure/ssl.properties
    -> change: change as needed
  3. Update existing RSED started task to pass in the port number.
    SYS1.PROCLIB(RSED)
    //RSED     PROC IVP=,                         * 'IVP' to do an IVP test
    //            PORT=4035,
    //            CNFG='/etc/zexpl',
    //            HOME='/usr/lpp/IBM/zexpl'
    //*
    //RSED     EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT,
    // PARM='PGM &HOME./bin/rsed.sh &IVP -C&CNFG -P&PORT' 
    //STDOUT   DD SYSOUT=* 
    //STDERR   DD SYSOUT=* 
    //         PEND 
    //*
  4. Create an RSED started task with a unique port number that will clone the base rse.env and alter the DENY_PASSWORD_SAVE variable. The sample shown here also has a sample instruction to change the value of a variable instead of uncommenting a line. When choosing a filter-key, keep in mind that it must be unique, and that JCL has a 100 character limitation for the PARM field.
    SYS1.PROCLIB(RSEDSEC)
    //*
    //* RSE DAEMON - ENCRYPTED COMMUNICATION, DENY PASSWORD SAVE
    //*
    //RSED     PROC IVP=,                * 'IVP' to do an IVP test
    //            PORT=4036,
    //            HOME='/usr/lpp/IBM/zexpl',
    //            CNFG='/etc/zexpl/secure'
    //*
    //UNCOMENT SET SED='"/DENY_PASSWORD/s!.*\(_RSE_JAVAOPTS=.*\)!\1!"'
    //*CHANGE  SET SED='"/JAVA_HOME=/s/J8.0/"'
    //         SET FILE='rse.env'
    //*
    //* copy /etc/zexpl/rse.env to /etc/zexpl/secure/rse.env
    //* and alter it
    //*
    //CLONE    EXEC PGM=BPXBATCH,REGION=0M,COND=(4,LT),
    //  PARM='SH cd &CNFG;sed &SED ../&FILE>&FILE'  
    //STDOUT   DD SYSOUT=*  
    //STDERR   DD SYSOUT=*  
    //*  
    //* start RSED with the newly created rse.env  
    //*  
    //RSED     EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT,COND=(4,LT),  
    //  PARM='PGM &HOME./bin/rsed.sh &IVP -C&CNFG -P&PORT'  
    //STDOUT   DD SYSOUT=*  
    //STDERR   DD SYSOUT=*  
    //         PEND  
    //*
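
The sed filter from the UNCOMENT SET statement, run from the shell with a check on its result, as an added example that is not part of the IBM sample. sed exits 0 even when the filter key matches no line, in which case the clone would be written with DENY_PASSWORD_SAVE still commented out. The sample rse.env content is constructed, the form of the commented-out line is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's code. Sample rse.env content is constructed and
# the form of the commented-out DENY_PASSWORD_SAVE line is an assumption.

# The filter from the UNCOMENT SET statement in RSEDSEC.
SED_FILTER='/DENY_PASSWORD/s!.*\(_RSE_JAVAOPTS=.*\)!\1!'

# write_sample_master FILE: constructed stand-in for /etc/zexpl/rse.env
write_sample_master() {
cat > "$1" <<'EOF'
_RSE_RSED_PORT=$RSE_PORT
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDENY_PASSWORD_SAVE=true"
CFG_BASE=/etc/zexpl
CLASSPATH=.:$CFG_BASE:$CLASSPATH
EOF
}

# clone_rse_env MASTER CLONE
#   0 = clone written, 1 = no active DENY_PASSWORD line after filtering,
#   2 = sed failed, 3 = filter key not unique (more than one line changed)
clone_rse_env() {
    master=$1; clone=$2; tmp="$clone.tmp"
    sed "$SED_FILTER" "$master" > "$tmp" || { rm -f "$tmp"; return 2; }
    # sed exits 0 even when the filter matched nothing, so check the result.
    if ! grep -q '^[^#]*DENY_PASSWORD' "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    changed=$(diff "$master" "$tmp" | grep -c '^>' || true)
    if [ "$changed" -gt 1 ]; then
        rm -f "$tmp"; return 3
    fi
    mv "$tmp" "$clone"   # replace the clone only after all checks pass
}

# Demo on the constructed sample: show the one line that differs.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/secure"
write_sample_master "$demo_dir/rse.env"
if clone_rse_env "$demo_dir/rse.env" "$demo_dir/secure/rse.env"; then
    diff "$demo_dir/rse.env" "$demo_dir/secure/rse.env" || true
else
    echo "clone rejected, rc=$?" >&2
fi
rm -rf "$demo_dir"
```

A non-zero return leaves any existing clone untouched, so a changed line format in the master or a non-unique filter key is caught before the encrypted daemon picks up the file.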