rse.env, the RSE configuration file

The RSE server processes (RSE daemon, RSE thread pool, and RSE server) use the definitions in rse.env.

Remote Systems Explorer (RSE) provides core services such as connecting the client to the host system and starting other servers for specific services.

rse.env is located in /etc/zexpl/, unless you specified a different location when you customized and submitted the FEK.SFEKSAMP(FEKSETUP) job. For more details, see Customization setup. You can edit the file with the TSO OEDIT command.

See the following sample rse.env file, which can be customized to match your system environment. Default values are provided for all variables that are not explicitly specified. The syntax of the file follows standard z/OS® UNIX shell syntax rules. For example, comments start with a number sign (#) when using a US code page, and spaces around the equal sign (=) are not supported.

Note: For your changes to take effect, the RSED started task must be restarted.
Figure 1. rse.env: RSE configuration file
#_RSE_RSED_PORT=4035   # override by port specified as startup argument
#_RSE_JMON_PORT=6715
#RSE_LOGS=/var/zexpl/logs
#RSE_HOME=/usr/lpp/IBM/zexpl
#JAVA_HOME=/usr/lpp/java/J8.0
#CGI_ISPHOME=/usr/lpp/ispf
#RSE_HLQ=FEK

## load balancing
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Xms128m -Xmx512m"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.clients=10"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threads=250"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dminimum.threadpool.process=1"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threadpool.process=100"
## logs
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddaemon.log=$RSE_LOGS"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duser.log=$RSE_LOGS"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_LOG_DIRECTORY="
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.file.mode=RW.N.N"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.retention.period=5"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.all.logs=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.last.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.secure.mode=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.standard.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_TRACING_ON=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_MEMLOGGING_ON=true"
## audit
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.audit.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.cycle=30"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.retention.period=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.log.mode=RW.R.N"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.action=<user exit>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.action.id=<userid>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.display.attributes=true"
## security
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DAPPLID=FEKAPPL"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.port.of.entry=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.certificate.mapping=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDENY_PASSWORD_SAVE=true"
## connect
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dipv6=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.dDVIPA=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddeny.nonzero.port=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsingle.logon=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlogon.action=<user exit>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlogon.action.id=<userid>"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dreject.logon.threshold=1000000"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_TCP_NO_DELAY=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_IDLE_SHUTDOWN_TIMEOUT=3600000"
## system
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dbackupfiles=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDISABLE_MIGRATE_HRECALL_HDELETE=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DHIDE_ZOS_UNIX=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DSHOW_SSH_TERMINAL=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.automount=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddisplay.users=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dprocess.cleanup.interval=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.stats.copy.local=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_USE_THREADED_MINERS=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.ispf.sessions=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duse.fastpath.getattributes=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dallow.retry.on.failed.saf.check=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaxthreadtasks.threshold=60"
## search
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.hits=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.scanned_objects=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.lines=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.timeout=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.errcount=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.MaxFilterResults=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDISABLE_TEXT_SEARCH=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dseqsosi.to.spaces=true"

## ispf
#CGI_ISPCONF=$RSE_CFG
#CGI_ISPWORK=$RSE_LOGS/..
#_RSE_ISPF_OPTS=""
#_RSE_ISPF_OPTS="$_RSE_ISPF_OPTS&ISPPROF=&SYSUID..ISPPROF"
#CGI_ISPPREF="&SYSPREF..ISPF.VCMISPF"
#CGI_CEATSO=TRUE
#CGI_CEATSO_KEEPALIVE=FALSE

## system
#TZ=EST5EDT
#LANG=C
#PATH=$PATH:/bin
#TMPDIR=/tmp
#_CEE_DMPTARG=/tmp
#_RSE_UMASK=RWX.N.N


## connect
#_BPXK_SETIBMOPT_TRANSPORT=TCPIP
#_RSE_PORTRANGE=8108-8118

## security
#_RSE_FEK_SAF_CLASS=FACILITY
#GSK_PROTOCOL_TLSV1_3=OFF
#GSK_V3_CIPHERS=GSK_V3_CIPHERS_CHAR2
#GSK_V3_CIPHER_SPECS=3538392F3233
#GSK_V3_CIPHER_SPECS_EXPANDED=003500380039002F00320033
#GSK_FIPS_STATE=OFF
#GSK_CRL_SECURITY_LEVEL=HIGH
#GSK_LDAP_SERVER=ldap_server_url
#GSK_LDAP_PORT=ldap_server_port
#GSK_LDAP_USER=ldap_userid
#GSK_LDAP_PASSWORD=ldap_server_password

## push-to-client
#_RSE_LDAP_SERVER=ldap_server_url
#_RSE_LDAP_PORT=389
#_RSE_LDAP_PTC_GROUP_SUFFIX="O=PTC,C=zOSexplorer"

#STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL
#STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB
The following definitions are optional. If omitted, default values are used.
_RSE_RSED_PORT
RSE daemon port number. The default is 4035. Uncomment and change to match your needs.
Note:
  • Before selecting a port, verify that the port is available on your system by using the TSO commands NETSTAT and NETSTAT PORTL.
  • This port is used for client-host communication.
  • The RSED started task can override the port number specified here.
_RSE_JMON_PORT
JES Job Monitor port number. The default is 6715. Uncomment and change to match your needs.
Note:
  • This value must match the port number set for JES Job Monitor in the FEJJCNFG configuration file. If these values differ, RSE cannot connect the client to JES Job Monitor. To learn how to define the variable for JES Job Monitor, see FEJJCNFG, the JES Job Monitor configuration file.
  • Before selecting a port, verify that the port is available on your system by using the TSO commands NETSTAT and NETSTAT PORTL.
  • All communication on this port is confined to your z/OS host system.
RSE_LOGS
RSE log directory. The default is /var/zexpl/logs. Uncomment and change to match your needs.
Note: If you did not use the SFEKSAMP(FEKSETUP) sample job to build the customizable environment, verify that the last directory in the path specified in RSE_LOGS has read, write, and execute permission for owner, group, and other (permission bitmask 777).
RSE_HOME
RSE home directory. The default is the directory specified in the HOME variable of the RSED started task (default /usr/lpp/IBM/zexpl). Uncomment and change to match your z/OS Explorer installation.
Note: RSE daemon startup will fail if RSE_HOME is not equal to the HOME variable of the RSED started task.
JAVA_HOME
Java™ home directory. The default is /usr/lpp/java/J8.0. Uncomment and change to match your Java installation.
CGI_ISPHOME
Home directory for the ISPF code that provides the ISPF Gateway service. The default is /usr/lpp/ispf. Uncomment and change to match your ISPF installation.
RSE_HLQ
The high-level qualifier used to install z/OS Explorer. The default is FEK. Uncomment and change to match the location of your z/OS Explorer data sets.
_RSE_JAVAOPTS
Additional RSE-specific Java options. For more information about this definition, see Defining extra Java startup parameters with _RSE_JAVAOPTS.
CGI_ISPCONF
ISPF base configuration directory. The default is $RSE_CFG, which holds the z/OS Explorer configuration directory name. When using defaults, CGI_ISPCONF is set to /etc/zexpl. Uncomment and change to match the location of ISPF.conf, the Legacy ISPF Gateway customization file.
CGI_ISPWORK
ISPF base work directory. The default is $RSE_LOGS/.., which holds the z/OS Explorer log directory name. When using defaults, CGI_ISPWORK is set to /var/zexpl. Uncomment and change to match the location of the WORKAREA directory used by the Legacy ISPF Gateway.
Note:
  • The Legacy ISPF Gateway adds /WORKAREA to the path specified in CGI_ISPWORK. Do not add it yourself.
  • If you did not use the SFEKSAMP(FEKSETUP) sample job to build the customizable environment, verify that the WORKAREA directory exists in the path specified in CGI_ISPWORK. The directory permission bits must allow read, write, and execute for owner, group, and other (permission bitmask 777).
_RSE_ISPF_OPTS
Additional Legacy ISPF Gateway-specific Java options. The default is "". For more information about this definition, see Defining extra Java startup parameters with _RSE_ISPF_OPTS.
CGI_ISPPREF
High-level qualifier for the temporary data set created by the Legacy ISPF Gateway. The default is "&SYSPREF..ISPF.VCMISPF". Uncomment and change to match your data set naming conventions.
The following variables can be used in the data set name:
  • &SYSUID. to substitute the developer's user ID
  • &SYSPREF. to substitute the developer's TSO prefix or, if the TSO prefix cannot be determined, the user ID
  • &SYSNAME. to substitute the system name as specified in the IEASYMxx parmlib member
Note: This directive requires ISPF APAR OA38740.
CGI_CEATSO
Activate Interactive ISPF Gateway. The default is FALSE. Uncomment and specify TRUE to use the Interactive ISPF Gateway when possible. For more information, see (Optional) Interactive ISPF Gateway.
Note:
  • As of z/OS 2.2, Legacy ISPF Gateway, previously named TSO/ISPF Client Gateway, is deprecated and is no longer being enhanced. The functionality is now provided by the Interactive ISPF Gateway.
  • Interactive ISPF Gateway requires z/OS 2.2, and the Common Event Adapter (CEA) TSO/E address space manager service.
CGI_CEATSO_KEEPALIVE
Prevent an idle Interactive ISPF Gateway session from timing out after 15 minutes. The default is TRUE. Uncomment and specify FALSE to allow the session to time out when not used.
TZ
Time zone selector. The default is EST5EDT, which is UTC -5 hours: Eastern Standard Time (EST) with Eastern Daylight Saving Time (EDT). Uncomment and change to match your time zone.

Additional information can be found in the UNIX System Services Command Reference (SA22-7802).

LANG
Specifies the name of the default locale. The default is C. C specifies the POSIX locale and (for example) Ja_JP specifies the Japanese locale. Uncomment and change to match your locale.
PATH
Additional command path entries. The default is /bin plus z/OS Explorer specific directories. Uncomment and add your own directories as needed.
TMPDIR
Specifies the path used to store temporary files. The default is /tmp. Uncomment and change to use the requested path.
_CEE_DMPTARG
Language Environment® (LE) z/OS UNIX dump location used by the Java Virtual Machine (JVM). The default is /tmp. Uncomment and change to match your needs.
_RSE_UMASK
Specifies the access permission mask for z/OS UNIX files and directories that are created by users. The default is RWX.N.N, which grants the owner read, write, and execute/search access. The owner's default group and everyone else have no access. To set the required access permissions, uncomment and customize this variable.

UNIX standards dictate that permissions can be set for three types of users: owner, group, and other. The fields in this variable match this order, and the fields are separated by a period (.). Each field can be empty (which equals N), or have N, or any combination of R, W, and X as values, where N = none, R = read, W = write, and X = execute/search.
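
The following shell functions are an added example, not part of the product or of the original sample file. They decode the owner.group.other mask syntax described above into the octal permissions it grants (RWX.N.N is 700, the equivalent of a conventional umask of 077) and flag masks that give group or other any access. The same dotted form appears in the sample's log.file.mode and audit.log.mode values. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: decode an rse.env permission mask (owner.group.other).

# Map one field (empty, N, or a combination of R, W, X) to an octal digit.
mask_field_digit() {
    case $1 in
        ''|N) echo 0; return 0 ;;       # an empty field equals N
        *[!RWX]*) return 1 ;;            # otherwise only R, W, X are valid
    esac
    d=0
    case $1 in *R*) d=$((d + 4)) ;; esac
    case $1 in *W*) d=$((d + 2)) ;; esac
    case $1 in *X*) d=$((d + 1)) ;; esac
    echo "$d"
}

# Print the three-digit octal permissions a mask grants, e.g. RW.R.N -> 640.
# Returns 1 if the mask does not have exactly three period-separated fields
# or a field contains an invalid letter.
rse_mask_to_octal() {
    case $1 in
        *.*.*.*) return 1 ;;             # three or more periods: too many fields
        *.*.*) ;;                        # exactly two periods
        *) return 1 ;;                   # fewer than two periods
    esac
    owner=${1%%.*}; rest=${1#*.}
    group=${rest%%.*}; other=${rest#*.}
    o=$(mask_field_digit "$owner") || return 1
    g=$(mask_field_digit "$group") || return 1
    t=$(mask_field_digit "$other") || return 1
    echo "$o$g$t"
}

# Return 0 if the mask gives group or other any access, 1 if only the owner
# has access, 2 if the mask is malformed. Useful in a configuration review.
rse_mask_is_shared() {
    oct=$(rse_mask_to_octal "$1") || return 2
    case $oct in
        ?00) return 1 ;;
        *) return 0 ;;
    esac
}
```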

_BPXK_SETIBMOPT_TRANSPORT
Specifies the name of the TCP/IP stack to be used. The default is TCPIP. Uncomment and change to the requested TCP/IP stack name, as defined in the TCPIPJOBNAME statement in the related TCPIP.DATA.
Note:
  • Coding a SYSTCPD DD statement in the server JCL does not set the requested stack affinity.
  • When this directive is not active, RSE binds to every available stack on the system (BIND INADDRANY).
_RSE_PORTRANGE
Specifies the port range that the RSE server can open for communication with a client. Any port can be used by default. For more information about this definition, see Defining the PORTRANGE available for RSE server.
GSK_PROTOCOL_TLSV1_3
Specifies whether the specified encryption protocol, TLSV1_3 in this sample, is enabled. A protocol that is supported by but not enabled in System SSL can be enabled here by specifying GSK_PROTOCOL_<protocol>=ON. You can disable a protocol by specifying OFF as value. For a list of supported protocols and the matching variable names, see Cryptographic Services System SSL Programming (SC24-5901).
Note:
  • Due to a vulnerability in the SSLv3 (Secure Socket Layer) protocol, support for this protocol is deprecated in z/OS Explorer.
  • Enabling the TLSv1.3 (Transport Layer Security) protocol requires z/OS 2.4 or later. The use of 4-character cipher IDs, specific ciphers, and server key shares is also required. If you do not set these definitions, they are set automatically.
GSK_V3_CIPHERS
Specifies the size of the ID used by System SSL to reference ciphers. Valid values are GSK_V3_CIPHERS_CHAR2 (default) and GSK_V3_CIPHERS_CHAR4. Uncomment and specify GSK_V3_CIPHERS_CHAR4 if you also want to use ciphers that only have a 4-character ID. For a list of supported ciphers and their ID, see Cryptographic Services System SSL Programming (SC24-5901).
Note: Java 8.0 or higher is required for using 4-character cipher IDs.
GSK_V3_CIPHER_SPECS
Specifies the encryption cipher selection specifications in order of preference as a string consisting of one or more 2-character values. Uncomment and specify the desired string if you want to influence cipher selection when 2-character cipher IDs are used (default). Use GSK_V3_CIPHERS to set the desired cipher ID size. For a list of supported ciphers and their 2-character ID, see Cryptographic Services System SSL Programming (SC24-5901).
Note: z/OS Explorer disables ciphers that are known to be insecure.
GSK_V3_CIPHER_SPECS_EXPANDED
Specifies the encryption cipher IDs in order of preference as a string consisting of one or more 4-character values. Uncomment and specify the desired string if you want to influence cipher selection when 4-character cipher IDs are used. Use GSK_V3_CIPHERS to set the desired cipher ID size. For a list of supported ciphers and their 4-character ID, see Cryptographic Services System SSL Programming (SC24-5901).
Note: z/OS Explorer disables ciphers that are known to be insecure.
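
The following shell functions are an added example, not part of the product or of the original sample file, covering both GSK_V3_CIPHER_SPECS and GSK_V3_CIPHER_SPECS_EXPANDED. They split a cipher string into IDs in preference order, reject strings whose length does not fit the ID size, and normalize the 2-character form to 4 characters so both settings can be compared during a review. The function names are hypothetical, and the code assumes that IDs are hexadecimal and that a 2-character ID corresponds to the same ID prefixed with 00, as the two sample values in Figure 1 show.

```shell
#!/bin/sh
# Added example: validate and compare System SSL cipher ID strings.

# Print the IDs in a cipher string, one per line, in preference order.
# $1 = cipher string, $2 = ID width (2 or 4). Returns 1 on an empty string,
# a non-hexadecimal character, or a length that is not a multiple of the width.
split_cipher_ids() {
    specs=$1
    width=$2
    case $width in 2|4) ;; *) return 1 ;; esac
    case $specs in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ $(( ${#specs} % width )) -eq 0 ] || return 1
    printf '%s\n' "$specs" | fold -w "$width"
}

# Print the cipher list selected by the ID size setting, as 4-character IDs.
# $1 = GSK_V3_CIPHERS value (empty means the documented default, CHAR2)
# $2 = GSK_V3_CIPHER_SPECS value, $3 = GSK_V3_CIPHER_SPECS_EXPANDED value
effective_cipher_ids() {
    size=${1:-GSK_V3_CIPHERS_CHAR2}
    case $size in
        GSK_V3_CIPHERS_CHAR2)
            ids=$(split_cipher_ids "$2" 2) || return 1
            printf '%s\n' "$ids" | sed 's/^/00/'   # assumed 00 prefix mapping
            ;;
        GSK_V3_CIPHERS_CHAR4)
            split_cipher_ids "$3" 4
            ;;
        *) return 1 ;;
    esac
}
```

Comparing the output for the current setting with the output for a planned GSK_V3_CIPHERS_CHAR4 setting shows whether the preference order changes when the ID size is switched.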
GSK_SERVER_TLS_KEY_SHARES
Specifies the encryption key share groups in order of preference as a string consisting of one or more 4-character values. Uncomment and specify the desired string if you want to influence key share group selection when protocol TLSv1.3 or a later version is used. For a list of supported key share groups and their 4-character ID, see Cryptographic Services System SSL Programming (SC24-5901).
GSK_FIPS_STATE
Specifies whether the FIPS 140-2 standard for encrypted communication is used. The default is OFF. Uncomment and specify ON to use encrypted communication that conforms to the FIPS 140-2 standard.
GSK_CRL_SECURITY_LEVEL
Specifies the level of security applications use when contacting LDAP servers to check CRLs for revoked certificates during certificate validation. The default is MEDIUM. To enforce the usage of the specified value, uncomment and change. The following values are valid:
  • LOW: Certificate validation does not fail if the LDAP server cannot be contacted.
  • MEDIUM: Certificate validation requires the LDAP server to be contactable, but does not require a CRL to be defined. This value is the default.
  • HIGH: Certificate validation requires the LDAP server to be contactable and a CRL to be defined.
GSK_LDAP_SERVER
Specifies one or more blank-separated LDAP server host names used for certificate validation. To enforce the usage of the specified LDAP servers to obtain their CRL, uncomment and change.

The host name can be either a TCP/IP address or a URL. Each host name can contain an optional port number, separated from the host name by a colon (:).

GSK_LDAP_PORT
Specifies the LDAP server port used for certificate validation. The default is 389. To enforce the usage of the specified value, uncomment and change.
GSK_LDAP_USER
Specifies the distinguished name to use when connecting to the LDAP server for certificate validation. To enforce the usage of the specified value, uncomment and change.
GSK_LDAP_PASSWORD
Specifies the password to use when connecting to the LDAP server for certificate validation. To enforce the usage of the specified value, uncomment and change.
_RSE_LDAP_SERVER
Specifies the LDAP server host name used by the push-to-client function. The default is the current z/OS host name. To enforce the usage of the specified value, uncomment and change.
_RSE_LDAP_PORT
Specifies the LDAP server port used by the push-to-client function. The default is 389. To enforce the usage of the specified value, uncomment and change.
_RSE_LDAP_PTC_GROUP_SUFFIX
Specifies the “O=<organization>, C=<country>” suffix needed to find the push-to-client groups within the LDAP server. The default is "O=PTC,C=zOSexplorer". To enforce the usage of the specified value, uncomment and change.
STEPLIB
Access MVS™ data sets not in LINKLIST/LPALIB. The default is "NONE".
You can avoid the need to have prerequisite libraries in LINKLIST/LPALIB by uncommenting and customizing one or more of the following STEPLIB directives. For more information about the usage of the libraries in the following list, see PARMLIB changes:
# RSE
STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL
# ISPF
STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB
Note:
  • Using STEPLIB in z/OS UNIX has a negative performance impact.
  • If one STEPLIB library is APF-authorized, then all the other STEPLIB libraries must be authorized. Libraries lose their APF authorization when they are mixed with non-authorized libraries in STEPLIB.
  • Libraries that are designed for LPA placement might require additional program control and APF authorizations if they are accessed through LINKLIST or STEPLIB.
  • Coding a STEPLIB DD statement in the server JCL does not set the requested STEPLIB concatenation.