rse.env, the RSE configuration file
The RSE server processes (RSE daemon, RSE thread pool, and RSE server) use the definitions in rse.env.
Remote Systems Explorer (RSE) provides core services such as connecting the client to the host system and starting other servers for specific services.
rse.env is located in /etc/zexpl/, unless you specified a different location when you customized and submitted the FEK.SFEKSAMP(FEKSETUP) job. For more details, see Customization setup. You can edit the file with the TSO OEDIT command.
See the following sample rse.env file, which can be customized to match your system environment. Default values are provided for all variables that are not explicitly specified.
The syntax of the file follows standard z/OS® UNIX shell syntax rules. For example, comments start with a number sign (#) when using a US code page, and spaces around the equal sign (=) are not supported.
- _RSE_RSED_PORT
- RSE daemon port number. The default is 4035. Uncomment and change to match your needs.
  Note:
  - Before selecting a port, verify that the port is available on your system by using the TSO commands NETSTAT and NETSTAT PORTL.
  - This port is used for client-host communication.
  - The RSED started task can override the port number specified here.
- _RSE_JMON_PORT
- JES Job Monitor port number. The default is 6715. Uncomment and change to match your needs.
  Note:
  - This value must match the port number set for JES Job Monitor in the FEJJCNFG configuration file. If these values differ, RSE cannot connect the client to JES Job Monitor. To learn how to define the variable for JES Job Monitor, see FEJJCNFG, the JES Job Monitor configuration file.
  - Before selecting a port, verify that the port is available on your system by using the TSO commands NETSTAT and NETSTAT PORTL.
  - All communication on this port is confined to your z/OS host system.
- RSE_LOGS
- RSE log directory. The default is /var/zexpl/logs. Uncomment and change to match your needs.
  Note: If you did not use the SFEKSAMP(FEKSETUP) sample job to build the customizable environment, verify that the last directory in the path specified in RSE_LOGS has read, write, and execute permission for owner, group, and other (permission bitmask 777).
- RSE_HOME
- RSE home directory. The default is the directory specified in the HOME variable of the RSED started task (default /usr/lpp/IBM/zexpl). Uncomment and change to match your z/OS Explorer installation.
  Note: RSE daemon startup will fail if RSE_HOME is not equal to the HOME variable of the RSED started task.
- JAVA_HOME
- Java™ home directory. The default is /usr/lpp/java/J8.0. Uncomment and change to match your Java installation.
- CGI_ISPHOME
- Home directory for the ISPF code that provides the ISPF Gateway service. The default is /usr/lpp/ispf. Uncomment and change to match your ISPF installation.
- RSE_HLQ
- The high-level qualifier used to install z/OS Explorer. The default is FEK. Uncomment and change to match the location of your z/OS Explorer data sets.
- _RSE_JAVAOPTS
- Additional RSE-specific Java options. For more information about this definition, see Defining extra Java startup parameters with _RSE_JAVAOPTS.
- CGI_ISPCONF
- ISPF base configuration directory. The default is $RSE_CFG, which holds the z/OS Explorer configuration directory name. When using defaults, CGI_ISPCONF is set to /etc/zexpl. Uncomment and change to match the location of ISPF.conf, the Legacy ISPF Gateway customization file.
- CGI_ISPWORK
- ISPF base work directory. The default is $RSE_LOGS/.., which holds the z/OS Explorer log directory name. When using defaults, CGI_ISPWORK is set to /var/zexpl. Uncomment and change to match the location of the WORKAREA directory used by the Legacy ISPF Gateway.
  Note:
  - The Legacy ISPF Gateway adds /WORKAREA to the path specified in CGI_ISPWORK. Do not add it yourself.
  - If you did not use the SFEKSAMP(FEKSETUP) sample job to build the customizable environment, verify that the WORKAREA directory exists in the path specified in CGI_ISPWORK. The directory permission bits must allow read, write, and execute for owner, group, and other (permission bitmask 777).
- _RSE_ISPF_OPTS
- Additional Legacy ISPF Gateway-specific Java options. The default is "". For more information about this definition, see Defining extra Java startup parameters with _RSE_ISPF_OPTS.
- CGI_ISPPREF
- High-level qualifier for the temporary data set created by the Legacy ISPF Gateway. The default is "&SYSPREF..ISPF.VCMISPF". Uncomment and change to match your data set naming conventions.
  The following variables can be used in the data set name:
  - &SYSUID. to substitute the developer's user ID
  - &SYSPREF. to substitute the developer's TSO prefix or, if the TSO prefix cannot be determined, the user ID
  - &SYSNAME. to substitute the system name as specified in the IEASYMxx parmlib member
  Note: This directive requires ISPF APAR OA38740.
- CGI_CEATSO
- Activate Interactive ISPF Gateway. The default is FALSE. Uncomment and specify TRUE to use the Interactive ISPF Gateway when possible. For more information, see (Optional) Interactive ISPF Gateway.
  Note:
  - As of z/OS 2.2, Legacy ISPF Gateway, previously named TSO/ISPF Client Gateway, is deprecated and is no longer being enhanced. The functionality is now provided by the Interactive ISPF Gateway.
  - Interactive ISPF Gateway requires z/OS 2.2, and the Common Event Adapter (CEA) TSO/E address space manager service.
- CGI_CEATSO_KEEPALIVE
- Prevent an idle Interactive ISPF Gateway session from timing out after 15 minutes. The default is TRUE. Uncomment and specify FALSE to allow the session to time out when not used.
- TZ
- Time zone selector. The default is EST5EDT. The default time zone is UTC -5 hours (Eastern Standard Time (EST) Eastern Daylight Savings Time (EDT)). Uncomment and change to match your time zone. Additional information can be found in the UNIX System Services Command Reference (SA22-7802).
- LANG
- Specifies the name of the default locale. The default is C. C specifies the POSIX locale and (for example) Ja_JP specifies the Japanese locale. Uncomment and change to match your locale.
- PATH
- Additional command path entries. The default is /bin plus z/OS Explorer specific directories. Uncomment and add your own directories as needed.
- TMPDIR
- Specifies the path used to store temporary files. The default is /tmp. Uncomment and change to use the requested path.
- _CEE_DMPTARG
- Language Environment® (LE) z/OS UNIX dump location used by the Java Virtual Machine (JVM). The default is /tmp. Uncomment and change to match your needs.
- _RSE_UMASK
- Specifies the access permission mask for z/OS UNIX files and directories that are created by users. The default is RWX.N.N, which grants the owner read, write, and execute/search access. The owner's default group and everyone else have no access. To set the required access permissions, uncomment and customize this variable.
  UNIX standards dictate that permissions can be set for three types of users: owner, group, and other. The fields in this variable match this order, and the fields are separated by a period (.). Each field can be empty (which equals N), or have N, or any combination of R, W, and X as values, where N = none, R = read, W = write, and X = execute/search.
- _BPXK_SETIBMOPT_TRANSPORT
- Specifies the name of the TCP/IP stack to be used. The default is TCPIP. Uncomment and change to the requested TCP/IP stack name, as defined in the TCPIPJOBNAME statement in the related TCPIP.DATA.
  Note:
  - Coding a SYSTCPD DD statement in the server JCL does not set the requested stack affinity.
  - When this directive is not active, RSE binds to every available stack on the system (BIND INADDRANY).
- _RSE_PORTRANGE
- Specifies the port range that the RSE server can open for communication with a client. Any port can be used by default. For more information about this definition, see Defining the PORTRANGE available for RSE server.
- GSK_PROTOCOL_TLSV1_3
- Specifies whether the specified encryption protocol, TLSV1_3 in this sample, is enabled. A protocol that is supported by but not enabled in System SSL can be enabled here by specifying GSK_PROTOCOL_<protocol>=ON. You can disable a protocol by specifying OFF as value. For a list of supported protocols and the matching variable names, see Cryptographic Services System SSL Programming (SC24-5901).
  Note:
  - Due to a vulnerability in the SSLv3 (Secure Socket Layer) protocol, support for this protocol is deprecated in z/OS Explorer.
  - Enabling the TLSv1.3 (Transport Layer Security) protocol requires z/OS 2.4 or later. The usage of 4-character cipher IDs, specific ciphers, and server key shares is also required. If you do not set these definitions, they are set automatically.
- GSK_V3_CIPHERS
- Specifies the size of the ID used by System SSL to reference ciphers. Valid values are GSK_V3_CIPHERS_CHAR2 (default) and GSK_V3_CIPHERS_CHAR4. Uncomment and specify GSK_V3_CIPHERS_CHAR4 if you also want to use ciphers that only have a 4-character ID. For a list of supported ciphers and their ID, see Cryptographic Services System SSL Programming (SC24-5901).
  Note: Java 8.0 or higher is required for using 4-character cipher IDs.
- GSK_V3_CIPHER_SPECS
- Specifies the encryption cipher selection specifications in order of preference as a string consisting of one or more 2-character values. Uncomment and specify the desired string if you want to influence cipher selection when 2-character cipher IDs are used (default). Use GSK_V3_CIPHERS to set the desired cipher ID size. For a list of supported ciphers and their 2-character ID, see Cryptographic Services System SSL Programming (SC24-5901).
  Note: z/OS Explorer disables ciphers that are known to be insecure.
- GSK_V3_CIPHER_SPECS_EXPANDED
- Specifies the encryption cipher IDs in order of preference as a string consisting of one or more 4-character values. Uncomment and specify the desired string if you want to influence cipher selection when 4-character cipher IDs are used. Use GSK_V3_CIPHERS to set the desired cipher ID size. For a list of supported ciphers and their 4-character ID, see Cryptographic Services System SSL Programming (SC24-5901).
  Note: z/OS Explorer disables ciphers that are known to be insecure.
- GSK_SERVER_TLS_KEY_SHARES
- Specifies the encryption key share groups in order of preference as a string consisting of one or more 4-character values. Uncomment and specify the desired string if you want to influence key share group selection when protocol TLSv1.3 or a later version is used. For a list of supported key share groups and their 4-character ID, see Cryptographic Services System SSL Programming (SC24-5901).
- GSK_FIPS_STATE
- Specifies whether the FIPS 140-2 standard for encrypted communication is used. The default is OFF. Uncomment and specify ON to use encrypted communication that conforms to the FIPS 140-2 standard.
- GSK_CRL_SECURITY_LEVEL
- Specifies the level of security applications use when contacting LDAP servers to check CRLs for revoked certificates during certificate validation. The default is MEDIUM. To enforce the usage of the specified value, uncomment and change.
  The following values are valid:
  - LOW: Certificate validation does not fail if the LDAP server cannot be contacted.
  - MEDIUM: Certificate validation requires the LDAP server to be contactable, but does not require a CRL to be defined. This value is the default.
  - HIGH: Certificate validation requires the LDAP server to be contactable and a CRL to be defined.
- GSK_LDAP_SERVER
- Specifies one or more blank-separated LDAP server host names used for certificate validation. To enforce the usage of the specified LDAP servers to obtain their CRL, uncomment and change.
  The host name can either be a TCP/IP address or a URL. Each host name can contain an optional port number separated from the host name by a colon sign (:).
- GSK_LDAP_PORT
- Specifies the LDAP server port used for certificate validation. The default is 389. To enforce the usage of the specified value, uncomment and change.
- GSK_LDAP_USER
- Specifies the distinguished name to use when connecting to the LDAP server for certificate validation. To enforce the usage of the specified value, uncomment and change.
- GSK_LDAP_PASSWORD
- Specifies the password to use when connecting to the LDAP server for certificate validation. To enforce the usage of the specified value, uncomment and change.
- _RSE_LDAP_SERVER
- Specifies the LDAP server host name used by the push-to-client function. The default is the current z/OS host name. To enforce the usage of the specified value, uncomment and change.
- _RSE_LDAP_PORT
- Specifies the LDAP server port used by the push-to-client function. The default is 389. To enforce the usage of the specified value, uncomment and change.
- _RSE_LDAP_PTC_GROUP_SUFFIX
- Specifies the “O=<organization>, C=<country>” suffix needed to find the push-to-client groups within the LDAP server. The default is "O=PTC,C=zOSexplorer". To enforce the usage of the specified value, uncomment and change.
- STEPLIB
- Access MVS™ data sets not in LINKLIST/LPALIB. The default is "NONE".
  You can bypass the need of having prerequisite libraries in LINKLIST/LPALIB by uncommenting and customizing one or more of the following STEPLIB directives. For more information about the usage of the libraries in the following list, see PARMLIB changes:
      # RSE
      STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL
      # ISPF
      STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB
  Note:
  - Using STEPLIB in z/OS UNIX has a negative performance impact.
  - If one STEPLIB library is APF-authorized, then all the other STEPLIB libraries must be authorized. Libraries lose their APF authorization when they are mixed with non-authorized libraries in STEPLIB.
  - Libraries that are designed for LPA placement might require additional program control and APF authorizations if they are accessed through LINKLIST or STEPLIB.
  - Coding a STEPLIB DD statement in the server JCL does not set the requested STEPLIB concatenation.
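
The following Python audit is an added example, not part of the original page or of z/OS Explorer. It applies the rules described above to an rse.env file: no spaces around the equal sign, the _RSE_UMASK field format, the SSLv3 deprecation, the GSK_CRL_SECURITY_LEVEL values, and the presence of GSK_LDAP_PASSWORD. The sample content is constructed, the function names are hypothetical, and the variable name GSK_PROTOCOL_SSLV3 is assumed from the GSK_PROTOCOL_<protocol> pattern.

```python
import re

# Constructed sample rse.env content for this example (not from the page).
SAMPLE = """\
_RSE_UMASK=RWX.RX.RWX
GSK_PROTOCOL_SSLV3=ON
GSK_CRL_SECURITY_LEVEL=LOW
GSK_LDAP_PASSWORD=example-secret
TZ = EST5EDT
#GSK_FIPS_STATE=ON
"""
NAME = r"[A-Za-z_][A-Za-z0-9_]*"

def parse_env(text):
    """Return (active settings, numbers of lines with spaces around '=')."""
    settings, spaced = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives keep their defaults
        if re.match(rf"{NAME}\s+=|{NAME}=\s", line):
            spaced.append(n)  # spaces around '=' are not supported
        elif m := re.match(rf"({NAME})=(.*)$", line):
            settings[m.group(1)] = m.group(2).strip('"')
    return settings, spaced

def umask_mode(value):
    """Convert owner.group.other (e.g. RWX.N.N; empty field = N) to octal mode bits."""
    fields = value.upper().split(".")
    if len(fields) != 3 or any(f != "N" and set(f) - set("RWX") for f in fields):
        raise ValueError(f"invalid _RSE_UMASK value {value!r}")
    bits = [sum({"R": 4, "W": 2, "X": 1}.get(c, 0) for c in set(f)) for f in fields]
    return bits[0] * 64 + bits[1] * 8 + bits[2]

def audit(text):
    """Flag the security-relevant settings described on this page."""
    settings, spaced = parse_env(text)
    findings = [f"line {n}: spaces around '=' are not supported" for n in spaced]
    mode = umask_mode(settings.get("_RSE_UMASK", "RWX.N.N"))  # page default
    if mode & 0o022:
        findings.append(f"_RSE_UMASK lets group or other write (mode {mode:03o})")
    # Variable name assumed from the GSK_PROTOCOL_<protocol> pattern.
    if settings.get("GSK_PROTOCOL_SSLV3", "").upper() == "ON":
        findings.append("SSLv3 is enabled although the protocol is deprecated")
    if settings.get("GSK_CRL_SECURITY_LEVEL", "MEDIUM").upper() == "LOW":
        findings.append("CRL level LOW: validation passes if LDAP is unreachable")
    if "GSK_LDAP_PASSWORD" in settings:
        findings.append("GSK_LDAP_PASSWORD is set: rse.env holds a credential")
    return findings
```

Calling audit(SAMPLE) returns one finding for each of the five constructed problems; a file that keeps the defaults returns an empty list.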