IBM Rational Developer for System z

Host Configuration Guide

Figures

1. JMON - JES Job Monitor started task
2. RSED - RSE daemon started task
3. LOCKD - Lock daemon started task
4. RSED - alternate RSE daemon startup
5. rsed.stdin.sh - alternate RSE daemon startup
6. FEJJCNFG, JES Job Monitor configuration file
7. rsed.envvars - RSE configuration file
8. (continued)
9. ISPF.conf - ISPF configuration file
10. CRASRV.properties - CARMA configuration file
11. CRASRV.properties - CARMA startup using batch submit
12. CRASUBMT - CARMA startup using batch submit
13. CRASRV.properties - *CRASTART alternative CARMA startup
14. crastart.conf - *CRASTART alternative CARMA startup
15. CRASRV.properties - *ISPF alternative CARMA startup
16. ISPF.conf - *ISPF alternative CARMA startup
17. ISPF.conf updates for SCLMDT
18. rsed.envvars updates for SCLMDT
19. FLM02LST - long/short name translation setup JCL
20. ELAXMSAM - DB2 stored procedure task
21. ELAXMJCL - DB2 stored procedure definition
22. ssl.properties - SSL configuration file
23. rsecomm.properties - Logging configuration file
24. propertiescfg.properties - Host-based property groups configuration file
25. projectcfg.properties - Host-based projects configuration file
26. FMIEXT.properties - File Manager configuration file
27. uchars.settings - Uneditable characters configuration file
28. REXX for APPC ISPF panels
29. START JMON operator command
30. START RSED operator command
31. START LOCKD operator command
32. MODIFY JMON operator command
33. MODIFY RSED operator command
34. MODIFY LOCKD operator command
35. STOP operator command
36. TCP/IP ports
37. Component overview
38. RSE as a Java application
39. Connection flow
40. Lock daemon flow
41. z/OS UNIX directory structure
42. Maximum number of address spaces
43. Number of address spaces per client
44. Maximum number of processes
45. Number of processes per client
46. Maximum number of RSE thread pool threads
47. Maximum number of JES Job Monitor threads
48. Resource usage with 5 logons
49. Resource usage with 5 logons (continued)
50. Resource usage while editing a PDS member
51. z/OS UNIX file system space usage
52. ADNJSPAU - CICSTS administrative utility
53. FEKAPPCC - create a second APPC transaction
54. RSEDSSL - RSE daemon user job for SSL
55. Import Host Certificate dialog
56. Preferences dialog - SSL
57. INETD startup JCL
58. JCL to create APPC VSAMs
59. SYS1.SAMPLIB(ATBAPPL)
60. SYS1.PARMLIB(APPCPMxx)
61. SYS1.PARMLIB(ASCHPMxx)

Tables

1. Required resources
2. Optional resources
3. Administrators needed for required tasks
4. Administrators needed for optional tasks
5. Client checklist - mandatory parts
6. Client checklist - optional parts
7. Sample ELAXF* procedures
8. ELAXF* high level qualifier checklist
9. LIMIT_COMMANDS command permission matrix
10. crastart.conf variables
11. Default CRD server transaction IDs
12. Default CRD server transaction IDs
13. SCLM administrator checklist
14. SSL certificate storage mechanisms
15. Valid keystore types
16. APPC transaction checklist
17. IVPs for services
18. Thread pool error status
19. RSE console messages
20. JAVA_DUMP_TDUMP_PATTERN variables
21. JES Job Monitor console commands
22. LIMIT_COMMANDS command permission matrix
23. Extended JESSPOOL profiles
24. LIMIT_VIEW browse permission matrix
25. SSL certificate storage mechanisms
26. Security setup variables
27. JES2 Job Monitor operator commands
28. JES3 Job Monitor operator commands
29. Common resource usage
30. User-specific requisite resource usage
31. User-specific resource usage
32. Address space count
33. Address space limits
34. Process count
35. Process limits
36. Thread count
37. Thread limits
38. Log output directives
39. Version 7.6 customizations
40. Version 7.5 customizations
41. Version 7.1 customizations
42. SSL certificate storage mechanisms
43. Local definitions available to resolver
44. Referenced publications
45. Referenced Web sites
46. Informational publications

About this document

This document discusses the configuration of the IBM Rational Developer for System z functions. It includes instructions on how to configure IBM Rational Developer for System z Version 7.6 on your z/OS® host system.

From here on, the following names are used in this manual:

• IBM Rational Developer for System z is called Developer for System z.
• Common Access Repository Manager is abbreviated to CARMA.
• Software Configuration and Library Manager Developer Toolkit is called SCLM Developer Toolkit, abbreviated to SCLMDT.
• z/OS UNIX® System Services is called z/OS UNIX.
• Customer Information Control System Transaction Server is called CICSTS, abbreviated to CICS®.

For earlier releases, including IBM WebSphere Developer for System z, IBM WebSphere Developer for zSeries and IBM® WebSphere Studio Enterprise Developer, use the configuration information found in the Host Configuration Guide and Program Directories for those releases.

Who should use this document

This document is intended for system programmers installing and configuring IBM Rational Developer for System z Version 7.6, FMID HHOP760, on their z/OS host system.

It lists in detail the different steps needed to do a full setup of the product, including some non-default scenarios. To use this document, you need to be familiar with the z/OS UNIX System Services and MVS™ host systems.

Developer for System z customization

Planning

Use the information in this chapter, together with the information in Appendix E. Requisites, to plan the installation and deployment of Developer for System z®. The following subjects are described:

• Migration considerations
• Planning considerations
• Preinstallation considerations
• Pre-configuration considerations
• Predeployment considerations
• Client checklist

Migration considerations

Migration guide describes installation and configuration changes compared to previous releases of the product. Use this information to plan your migration to the current release of Developer for System z.

1. If you are a previous user of IBM Rational Developer for System z, IBM WebSphere Developer for System z, IBM WebSphere Developer for zSeries or IBM WebSphere Studio Enterprise Developer, it is recommended that you save the related customized files BEFORE installing IBM Rational Developer for System z Version 7.6. Refer to Migration guide for an overview of files that required customization.
2. Refer to Running multiple instances, if you plan on running multiple instances of Developer for System z.

Planning considerations

Product overview

Developer for System z consists of a client, installed on the user's personal computer, and a server, installed on one or more hosts. This documentation will focus on the host being a z/OS system. However, other operating systems, such as AIX® and z/Linux, are also supported.

The client provides developers an Eclipse-based development environment that facilitates a uniform graphical interface to the host, and that, among other things, can offload work from the host to the client, saving resources on the host.

The host portion consists of several permanently active tasks and tasks that are started ad-hoc. These tasks allow the client to work with the various components of your z/OS host, such as MVS data sets, TSO commands, z/OS UNIX files and commands, job submit, and job output.

Developer for System z can also interact with subsystems and other application software on the host, such as CICS, Debug Tool, and Software Configuration Managers (SCMs), if Developer for system z is configured to do so, and if these (corequisite) products are available.

Refer to Understanding Developer for System z to get a basic understanding of the Developer for System z design.

Refer to the Developer for System z website, http://www-01.ibm.com/software/awdtools/rdz/, or your local IBM representative to learn more about the functionality offered by Developer for System z.

Skill requirements

Minimal SMP/E skills are needed for a Developer for System z host installation.

The configuration of Developer for System z requires more than the typical system programming permissions and expertise, so assistance from others may be needed. Table 3 and Table 4 list the administrators needed for the required and optional customization tasks.

Time requirements

The amount of time required to install and configure the Developer for System z host components depends on various factors, such as:

• the current z/OS UNIX and TCP/IP configuration
• the availability of prerequisite software and maintenance
• whether or not OMVS segments are defined for Developer for System z users
• the availability of a user, who has successfully installed the client, to test the install and report any problems that might occur

Experience has shown that the installation and configuration process of the Developer for System z host requires from one to four days to complete. This time requirement is for a clean installation performed by an experienced system programmer. If problems are encountered, or if the required skills are not available, then the setup will take longer.

Preinstallation considerations

Refer to Program Directory for IBM Rational® Developer for System z (GI11-8298) for detailed instructions on the SMP/E installation of the product.

Refer to Running multiple instances if you plan on running multiple instances of Developer for System z.

Setup choice

Developer for System z provides a choice on how to access the TSO Commands service. The choice made here impacts the required configuration of prerequisites. One of the following methods must be selected and configured:

• ISPF's TSO/ISPF Client Gateway service, which requires a minimum ISPF service level. This is the default method used in the provided samples.
• An APPC transaction (as in pre-version 7.1 releases)

Requisite products

Appendix E. Requisites has a list of prerequisite software that must be installed and operational before Developer for System z will work. There is also a list of corequisite software to support specific features of Developer for System z. These requisites must be installed and operational at runtime for the corresponding feature to work as designed.

Refer to Rational Developer for System z Prerequisites (SC23-7659) in the Developer for System z online library at http://www-01.ibm.com/software/awdtools/rdz/library/ for an up-to-date list of prerequisite and corequisite products for your version of Developer for System z. Plan ahead to have these requisite products available, as it might take some time, depending on the policies at your site. The key requisites for a basic setup are the following:

• z/OS 1.8 or higher
• ISPF APAR OA27721 (TSO/ISPF Client Gateway)
• 31-bit Java™ 5.0 or higher

Required resources

Developer for System z requires the allocation of the systems resources listed in Table 1. The resources listed in Table 2 are required for optional services. Plan ahead to have these resources available, as it might take some time to get them, depending on the policies at your site.

The configuration of Developer for System z requires more than the typical system programming permissions and expertise, so minimal assistance from others may be needed. Table 3 and Table 4 list the administrators needed for the required and optional customization tasks.

Pre-configuration considerations

Resource usage and system limits

When in use, Developer for System z will use a variable number of system resources like address spaces and z/OS UNIX processes and threads. The availability of these resources is limited by various system definitions. Refer to Tuning considerations to estimate the usage of key resources, so you can plan your system configuration accordingly.

Required configuration of requisite products

Consult your MVS system programmer, security administrator and TCP/IP administrator to check if the requisite products and software are installed, tested, and working. Some requisite customization tasks that are easily overlooked are listed below:

• All Developer for System z users must have READ and EXECUTE access to the Java directories.
• All Developer for System z users must have READ, WRITE and EXECUTE access to the /tmp/ directory.
• Remote (host based) actions for z/OS UNIX subprojects require that z/OS UNIX version of REXEC or SSH is active on the host.

User ID considerations

The user ID of a Developer for System z user must have (at least) the following attributes:

• TSO access (with a normal region size).
  Note:
  A large region size is required for the user ID that executes the Installation Verification Programs (IVPs), because functions requiring a lot of memory (such as Java) will be executed. You should set the region size to 131072 kilobytes (128 megabytes) or higher.
• An OMVS segment defined to the security system (for example, RACF®), both for the user ID and its default group.
  • The HOME field must refer to a home directory allocated for the user (with READ, WRITE and EXECUTE access).
  • The PROGRAM field in the OMVS segment should be /bin/sh or other valid z/OS UNIX shell, such as /bin/tcsh.
  • The ASSIZEMAX field should not be set, so that system defaults will be used.
  • The user ID does not require UID 0.

    Example (command LISTUSER userid NORACF OMVS):

    USER=userid
    
    OMVS INFORMATION
    ----------------
    UID= 0000003200
    HOME= /u/userid
    PROGRAM= /bin/sh
    CPUTIMEMAX= NONE
    ASSIZEMAX= NONE
    FILEPROCMAX= NONE
    PROCUSERMAX= NONE
    THREADSMAX= NONE
    MMAPAREAMAX= NONE

  • The user ID's default group requires a GID.

    Example (command LISTGRP group NORACF OMVS):

    GROUP group
    
    OMVS INFORMATION
    ----------------
    GID= 0000003243

• READ and EXECUTE access to the Developer for System z installation and configuration directories and files, default /usr/lpp/rdz/*, /etc/rdz/*, and /var/rdz/*.
• READ, WRITE, and EXECUTE access to the Developer for System z WORKAREA directory, default /var/rdz/WORKAREA.
• READ access to the Developer for System z installation data sets, default FEK.SFEK*.

Server considerations

Developer for System z consists of 3 permanently active servers, which can be started tasks or user jobs. These servers provide the requested services themselves, or start other servers (as z/OS UNIX threads or user jobs) to provide the service.

• JES Job Monitor (JMON) provides all JES-related services.
• Lock Daemon (LOCKD) provides tracking services for data set locks.
• Remote Systems Explorer (RSE) provides core services such as connecting the client to the host and starting other servers for specific services. RSE consists of 2 logical entities:
  • RSE daemon (RSED), which manages connection setup and which is responsible for running in single server mode.
  • RSE server, which handles individual client request.

JES Job Monitor (JMON) provides all JES related services.

• The security mechanisms used by JES Job Monitor rely on the data sets it resides in being secure. This implies that only trusted system administrators should be able to update the libraries and configuration files.

Remote Systems Explorer (RSE) is the Developer for System z component that provides core services such as connecting the client to the host.

• Since version 7.5, RSE daemon is no longer an INETD managed process but a started task.
• Since version 7.5, RSE server uses a single server model whereas with previous versions, each client-host connection had a private RSE server.
• Different levels of communication security are supported by RSE:
  • External (client-host) communication can be limited to specified ports. This feature is disabled by default.
  • External (client-host) communication can be encrypted using SSL. This feature is disabled by default.
  • Port Of Entry (POE) checking can be used to allow access only to trusted TCP/IP addresses. This feature is disabled by default.
• RSE also supports multiple client authentication methods:
  • User ID and password
  • User ID and one-time password
  • X.509 certificate
• The security mechanisms used by RSE rely on the file system it resides in being secure. This implies that only trusted system administrators should be able to update the libraries and configuration files.

As documented in TCP/IP ports, certain host services, and thus their ports, must be available for the client to connect to, and must be defined to your firewall protecting the host. All other ports used by Developer for System z have host-only traffic. Listed below are the ports needed for a basic Developer for System z setup.

• RSE daemon for client-host communication setup (using the tcp protocol), default port 4035.
• RSE server for client-host communication (using the tcp protocol). By default, any available port is used, but this can be limited to a specified range.

Predeployment considerations

Developer for System z supports cloning an installation to a different system, avoiding the need for a SMP/E install on each system.

The following data sets, directories, and files are mandatory for deployment to other systems. If you copied a file to a different location, then this file must replace its counterpart in the lists below.

• FEK.SFEKAUTH(*)
• FEK.SFEKLOAD(*)
• FEK.SFEKPROC(*)
• FEK.#CUST.PARMLIB(*)
• FEK.#CUST.PROCLIB(*)
• /usr/lpp/rdz/*
• /etc/rdz/*
• /var/rdz/* (directory structure only)
• optional parts:
  • FEK.SFEKLPA(*)
  • FEK.#CUST.CNTL(*)
  • definitions, data sets, files, and directories resulting from customization jobs in FEK.#CUST.JCL

1. FEK and /usr/lpp/rdz are the high level qualifier and path used during the installation of the product. FEK.#CUST, /etc/rdz and /var/rdz are the default locations used during the customization of the product (see Customization setup for more information).
2. You should install Developer for System z in a private file system (HFS or zFS) to easy deploying the z/OS UNIX parts of the product.
3. If you can not use a private file system, you should use an archiving tool such as the z/OS UNIX tar command to transport the z/OS UNIX directories from system to system. This to preserve the attributes (such as program control) for the Developer for System z files and directories.

   Refer to UNIX System Services Command Reference (SA22-7802) for more information on the following sample commands to archive and restore the Developer for System z installation directory.

   • Archive: cd /SYS1/usr/lpp/rdz; tar -cSf /u/userid/rdz.tar
   • Restore: cd /SYS2/usr/lpp/rdz; tar -xSf /u/userid/rdz.tar

Client checklist

Users of the Developer for System z client must know the result of certain host customizations, such as TCP/IP port numbers, for the client to work properly. Use these checklists to gather the information needed.

The checklist in Table 5 lists the required results of mandatory customization steps. Table 6 list the required results of optional customization steps.

Basic customization

The customization steps below are for a basic Developer for System z setup. Refer to the chapters about the optional components for their customization requirements.

Requirements and checklist

You will need the assistance of a security administrator and a TCP/IP administrator to complete this customization task, which requires the following resources and special customization tasks:

• APF authorized data set
• Various PARMLIB updates
• Various security software updates
• Various TCP/IP ports for internal and client-host communication

In order to verify the installation and to start using Developer for System z at your site, you must perform the following tasks. Unless otherwise indicated, all tasks are mandatory.

1. Create customizable copies of samples and create the work environment for Developer for system z. For details, see Customization setup.
2. Update z/OS UNIX system limits, start started tasks, define APF authorized and LINKLIST data sets and optionally LPA data sets. For details, see PARMLIB changes.
3. Create started task procedures and compile/link procedures. For details, see PROCLIB changes.
4. Update security definitions. For details, see Security definitions. You must also be aware of and understand how PassTickets are used to establish thread security. See Using PassTickets for details.
5. Customize Developer for System z configuration files. For details, see:
   • FEJJCNFG, JES Job Monitor configuration file
   • rsed.envvars, RSE configuration file
   • ISPF.conf, ISPF's TSO/ISPF Client Gateway configuration file

Customization setup

Developer for System z comes with several sample configuration files and sample JCL. To avoid overwriting your customizations when applying maintenance, you should copy all these members and z/OS UNIX files to a different location and to customize the copy.

Some functions of Developer for System z also require the existence of certain directories in z/OS UNIX, which must be created during the customization of the product. To ease the installation effort, a sample job, FEKSETUP, is provided to create the copies and the required directories.

Customize and submit sample member FEKSETUP in data set FEK.SFEKSAMP to create customizable copies of configuration files and configuration JCL, and to create required z/OS UNIX directories. The required customization steps are described within the member.

This job performs the following tasks:

• Create FEK.#CUST.PARMLIB and populate it with sample configuration files.
• Create FEK.#CUST.PROCLIB and populate it with sample SYS1.PROCLIB members.
• Create FEK.#CUST.JCL and populate it with sample configuration JCL.
• Create FEK.#CUST.CNTL and populate it with sample server startup scripts.
• Create FEK.#CUST.ASM and populate it with sample assembler source code.
• Create FEK.#CUST.COBOL and populate it with sample COBOL source code.
• Create /etc/rdz/* and populate it with sample configuration files.
• Create /var/rdz/* as work directories for various Developer for System z functions.

1. The configuration steps in this publication use the member/file locations created by the FEKSETUP job, unless noted otherwise. The original samples, which should not be updated, can be found in FEK.SFEKSAMP and /usr/lpp/rdz/samples/.
2. If you want to keep all Developer for System z z/OS UNIX files in the same file system (HFS or zFS), but also want the configuration files placed in /etc/rdz, you can use symbolic links to solve this problem. The following sample z/OS UNIX commands create a new directory in the existing file system (/usr/lpp/rdz/cust) and define a symbolic link (/etc/rdz) to it:

   mkdir /usr/lpp/rdz/cust
   ln -s /usr/lpp/rdz/cust /etc/rdz

PARMLIB changes

Refer to MVS Initialization and Tuning Reference (SA22-7592) for more information on the PARMLIB definitions listed below. Refer to MVS System Commands (SA22-7627) for more information on the sample console commands.

Set z/OS UNIX limits in BPXPRMxx

Remote Systems Explorer (RSE), which provides core services such as connecting the client to the host, is a z/OS UNIX based process. Therefore it is important to set correct values for the z/OS UNIX system limits in BPXPRMxx, based upon the number of concurrently active Developer for System z users and their average workload.

Refer to Tuning considerations for more information on different BPXPRMxx defined limits and their impact on Developer for System z.

MAXASSIZE specifies the maximum address space (process) region size. Set MAXASSIZE in SYS1.PARMLIB(BPXPRMxx) to 2G. This is the maximum value allowed. This is a system-wide limit, and thus active for all z/OS UNIX address spaces. If this is not what you want, then you can set the limit also just for Developer for System z in your security software, as described in Define the Developer for System z started tasks.

MAXTHREADS specifies the maximum number of active threads for a single process. Set MAXTHREADS in SYS1.PARMLIB(BPXPRMxx) to 1500 or higher. This is a system-wide limit, and thus active for all z/OS UNIX address spaces. If this is not what you want, then you can set the limit also just for Developer for System z in your security software, as described in Define the Developer for System z started tasks.

MAXTHREADTASKS specifies the maximum number of active MVS tasks for a single process. Set MAXTHREADTASKS in SYS1.PARMLIB(BPXPRMxx) to 1500 or higher. This is a system-wide limit, and thus active for all z/OS UNIX address spaces. If this is not what you want, then you can set the limit also just for Developer for System z in your security software, as described in Define the Developer for System z started tasks.

MAXPROCUSER specifies the maximum number of processes that a single z/OS UNIX user ID can have concurrently active. Set MAXPROCUSER in SYS1.PARMLIB(BPXPRMxx) to 50 or higher. This setting is intended to be a system-wide limit, as it should be active for each client using Developer for System z.

These values can be checked and set dynamically (until the next IPL) with the following console commands:

• DISPLAY OMVS,O
• SETOMVS MAXASSIZE=2G
• SETOMVS MAXTHREADS=1500
• SETOMVS MAXTHREADTASKS=1500
• SETOMVS MAXPROCUSER=50

1. Refer to Address Space size for more information on other locations where address space sizes can be set or limited.
2. The MAXPROCUSER value used above is based upon users having a unique z/OS UNIX user ID (UID). Increase this value if your users share the same UID.
3. Ensure that other BPXPRMxx values, such as those for MAXPROCSYS and MAXUIDS, are sufficient to handle the expected amount of concurrently active Developer for System z users. Refer to Tuning considerations for more details.

Add started tasks to COMMNDxx

Add start commands for the Developer for System z RSED, LOCKD, and JMON servers to SYS1.PARMLIB(COMMANDxx) to start them automatically at next system IPL.

Once the servers are defined and configured, they can be started dynamically (until the next IPL) with the following console commands:

• S RSED
• S LOCKD
• S JMON

LPA definitions in LPALSTxx

The (optional) Common Access Repository Manager (CARMA) service supports alternative server startup methods that do not require the usage of a JES initiator. The most flexible of these alternatives requires that module CRASTART in the FEK.SFEKLPA load library is in the Link Pack Area (LPA).

LPA data sets are defined in SYS1.PARMLIB(LPALSTxx).

LPA definitions can be set dynamically (until the next IPL) with the following console commands:

• SETPROG LPA,ADD,DSN=FEK.SFEKLPA

APF authorizations in PROGxx

In order for JES Job Monitor to access JES spool files, module FEJJMON in the FEK.SFEKAUTH load library and the Language Environment® (LE) runtime libraries (CEE.SCEERUN*) must be APF authorized.

In order for the (optional) SCLM Developer Toolkit service to work, module BWBTSOW in the FEK.SFEKAUTH load library and the REXX™ runtime library (REXX.*.SEAGLPA) must be APF authorized.

In order for ISPF to create the TSO/ISPF Client Gateway, module ISPZTSO in SYS1.LINKLIB must be APF authorized. The TSO/ISPF Client Gateway is used by Developer for System z's TSO Commands service, SCLM Developer Toolkit and optionally CARMA.

APF authorizations are defined in SYS1.PARMLIB(PROGxx), if your site followed IBM recommendations.

APF authorizations can be set dynamically (until the next IPL) with the following console commands, where volser is the volume on which the data set resides if it is not SMS managed:

• SETPROG APF,ADD,DSN=FEK.SFEKAUTH,SMS
• SETPROG APF,ADD,DSN=CEE.SCEERUN,VOL=volser
• SETPROG APF,ADD,DSN=CEE.SCEERUN2,VOL=volser
• SETPROG APF,ADD,DSN=REXX.V1R4M0.SEAGLPA,VOL=volser
• SETPROG APF,ADD,DSN=SYS1.LINKLIB,VOL=volser

1. When you use the Alternate Library for REXX product package, the default REXX runtime library name is REXX.*.SEAGALT, instead of REXX.*.SEAGLPA as used in the preceding sample.
2. LPA libraries, such as REXX.*.SEAGLPA, are automatically APF authorized when located in LPA, and thus do not require explicit definitions.
3. Some of the corequisite products, such as IBM Debug Tool, also require APF authorization. Refer to the related product customization guides for more information on this.

LINKLIST definitions in PROGxx

LINKLIST definitions for Developer for System z can be grouped in 3 categories:

• Developer for System z load libraries needed for Developer for System z functions. These definitions are described in this section.
• Requisite load libraries needed for Developer for System z functions. These definitions are described in Requisite LINKLIST and LPA definitions.
• Developer for System z load libraries needed by other products. These definitions are described in LINKLIST definitions for other products.

In order for the (optional) SCLM Developer Toolkit service to work, all BWB* modules in the FEK.SFEKAUTH and FEK.SFEKLOAD load libraries must be made available either through STEPLIB or LINKLIST.

If you opt to use STEPLIB, you must define the libraries not available through LINKLIST in the STEPLIB directive of rsed.envvars, the RSE configuration file. Be aware, however, that:

• using STEPLIB in z/OS UNIX has a negative performance impact.
• If one STEPLIB library is APF authorized, then all must be authorized. Libraries lose their APF authorization when they are mixed with non-authorized libraries in STEPLIB.

LINKLIST data sets are defined in SYS1.PARMLIB(PROGxx), if your site followed IBM recommendations.

The required definitions will look like the following, where listname is the name of the LINKLIST set that will be activated, and volser is the volume on which the data set resides if it is not cataloged in the master catalog:

• LNKLST ADD NAME(listname) DSNAME(FEK.SFEKAUTH) VOLUME(volser)
• LNKLST ADD NAME(listname) DSNAME(FEK.SFEKLOAD)

LINKLIST definitions can be created dynamically (until the next IPL) with the following group of console commands, where listname is the name of the current LINKLIST set, and volser is the volume on which the data set resides if it is not cataloged in the master catalog:

1. LNKLST DEFINE,NAME=LLTMP,COPYFROM=CURRENT
2. LNKLST ADD NAME=LLTMP,DSN=FEK.SFEKAUTH,VOL=volser
3. LNKLST ADD NAME=LLTMP,DSN=FEK.SFEKLOAD
4. LNKLST ACTIVATE,NAME=LLTMP
5. LNKLST UNDEFINE,NAME=listname
6. LNKLST UPDATE,JOB=*

Requisite LINKLIST and LPA definitions

Remote Systems Explorer (RSE) is a z/OS UNIX process that requires access to MVS load libraries. The following (prerequisite) libraries must be made available, either through STEPLIB or LINKLIST/LPALIB:

• System load library
  • SYS1.LINKLIB
• Language Environment runtime
  • CEE.SCEERUN
  • CEE.SCEERUN2
• C++'s DLL class library
  • CBC.SCLBDLL
• ISPF's TSO/ISPF Client Gateway
  • ISP.SISPLOAD
  • ISP.SISPLPA

The following additional libraries must be made available, either through STEPLIB or LINKLIST/LPALIB, to support the use of optional services. This list does not include data sets that are specific to a product that Developer for System z interacts with, such as IBM Debug Tool:

• REXX runtime library (for SCLM Developer Toolkit)
  • REXX.*.SEAGLPA
• System load library (for SSL encryption)
  • SYS1.SIEALNKE
• TCP/IP load library (when using APPC for the TSO Commands service)
  • TCPIP.SEZALOAD

1. When you use the Alternate Library for REXX product package, the default REXX runtime library name is REXX.*.SEAGALT, instead of REXX.*.SEAGLPA as used in the preceding sample.
2. Libraries that are designed for LPA placement, such as REXX.*.SEAGLPA, might require additional program control and/or APF authorizations if they are accessed through LINKLIST or STEPLIB.
3. Some of the corequisite products, such as IBM Debug Tool, also require STEPLIB or LINKLIST/LPALIB definitions. Refer to the related product customization guides for more information on this.
4. If CEE.SCEELKED is in LINKLIST or STEPLIB, TCPIP.SEZALOAD must be placed before CEE.SCEELKED. Failure to do so will result in a 0C1 system abend for the TCP/IP REXX socket calls.

LINKLIST data sets are defined in SYS1.PARMLIB(PROGxx), if your site followed IBM recommendations. LPA data sets are defined in SYS1.PARMLIB(LPALSTxx).

If you opt to use STEPLIB, you must define the libraries not available through LINKLIST/LPALIB in the STEPLIB directive of rsed.envvars, the RSE configuration file. Be aware, however, that:

• Using STEPLIB in z/OS UNIX has a negative performance impact.
• If one STEPLIB library is APF authorized, then all must be authorized. Libraries lose their APF authorization when they are mixed with non-authorized libraries in STEPLIB.
• Libraries added to the STEPLIB DD in a JCL are not propagated to the z/OS UNIX processes started by the JCL.

LINKLIST definitions for other products

The Developer for System z client has a code generation component called Enterprise Service Tools (EST). In order for the generated code to issue diagnostic error messages, all IRZ* and IIRZ* modules in the FEK.SFEKLOAD load library must be made available either through STEPLIB or LINKLIST.

LINKLIST data sets are defined in SYS1.PARMLIB(PROGxx), if your site followed IBM recommendations.

If you opt to use STEPLIB, you must define the libraries not available through LINKLIST in the STEPLIB directive of the task that executes the code (IMS™ or batch job). However, be aware of the following:

• If one STEPLIB library is APF authorized, then all must be authorized. Libraries loose their APF authorization when they are mixed with non-authorized libraries in STEPLIB.

PROCLIB changes

The started task and remote build procedures listed below must reside in a system procedure library defined to your JES subsystem. In the instructions below, the IBM default procedure library, SYS1.PROCLIB, is used.

JES Job Monitor

Customize the sample started task member FEK.#CUST.PROCLIB(JMON), as described within the member, and copy it to SYS1.PROCLIB. As shown in the code sample below, you have to provide the following:

• The high level qualifier of the (authorized) load library, default FEK
• The JES Job Monitor configuration file, default FEK.#CUST.PARMLIB(FEJJCNFG)

//*
//* JES JOB MONITOR
//*
//JMON     PROC PRM=,             * PRM='-TV' TO START TRACING
//            LEPRM='RPTOPTS(ON)', 
//            HLQ=FEK,
//            CFG=FEK.#CUST.PARMLIB(FEJJCNFG)
//*
//JMON     EXEC PGM=FEJJMON,REGION=0M,TIME=NOLIMIT,
//            PARM=('&LEPRM,ENVAR("_CEE_ENVFILE=DD:ENVIRON")/&PRM')
//STEPLIB  DD DISP=SHR,DSN=&HLQ..SFEKAUTH
//ENVIRON  DD DISP=SHR,DSN=&CFG
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//         PEND
//*

1. Refer to Operator commands for more information on the startup parameters.
2. The sample JCL is initially shipped as FEK.SFEKSAMP(FEJJJCL) and is renamed to FEK.#CUST.PROCLIB(JMON) in Customization setup.
3. Tracing can also be controlled by console commands, as described in Operator commands.
4. This task must be assigned to SYSSTC or equivalent goal in Workload Manager (WLM).

RSE daemon

Customize the sample started task member FEK.#CUST.PROCLIB(RSED), as described within the member, and copy it to SYS1.PROCLIB. As shown in the code sample below, you have to provide the following:

• The RSE daemon port, default 4035.
• The home directory where Developer for System z is installed, default /usr/lpp/rdz.
• The location of the configuration files, default /etc/rdz

//*
//* RSE DAEMON
//*
//RSED     PROC IVP='',              * 'IVP' to do an IVP test
//            PORT=4035,
//            HOME='/usr/lpp/rdz',
//            CNFG='/etc/rdz'
//*
//RSE      EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT,
//            PARM='PGM  &HOME/bin/rsed.sh &IVP &PORT &CNFG'
//STDERR   DD SYSOUT=*
//STDOUT   DD SYSOUT=*
//         PEND
//*

1. Refer to Operator commands for more information on the startup parameters.
2. The sample JCL is initially shipped as FEK.SFEKSAMP(FEKRSED) and is renamed to FEK.#CUST.PROCLIB(RSED) in Customization setup.
3. Limit the length of the job name to 7 characters or less. The modify and stop operator commands will fail with message "IEE342I MODIFY REJECTED-TASK BUSY" if an 8 character name is used. This behavior is caused by the z/OS UNIX design for child processes.
4. This task, and the child processes it creates, must be assigned to SYSSTC or equivalent goal in Workload Manager (WLM). The child processes have the same name as the parent task, RSED, appended with a random 1-digit number, for example RSED8.

Lock daemon

Customize the sample started task member FEK.#CUST.PROCLIB(LOCKD), as described within the member, and copy it to SYS1.PROCLIB. As shown in the code sample below, you have to provide the following:

• The home directory where Developer for System z is installed, default /usr/lpp/rdz.
• The location of the configuration files, default /etc/rdz.
• The initial log detail level, default 1.

//*
//* RSE LOCK DAEMON
//*
//LOCKD    PROC HOME='/usr/lpp/rdz',
//            CNFG='etc/rdz',
//            LOG=1
//*
//LOCKD    EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT,
              PARM=PGM &HOME./bin/lockd.sh &CNFG &LOG'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//         PEND
//*

1. Refer to Operator commands for more information on the startup parameters.
2. The sample JCL is initially shipped as FEK.SFEKSAMP(FEKLOCKD) and is renamed to FEK.#CUST.PROCLIB(LOCKD) in Customization setup.
3. This task must be assigned to SYSSTC or equivalent goal in Workload Manager (WLM).

JCL limitations for the PARM variable

The maximum length for the PARM variable is 100 characters, which might cause problems if you use custom directory names. To bypass this problem, you can either:

• Use symbolic links

  Symbolic links can be used as shorthand for a long directory name. The following sample z/OS UNIX command defines a symbolic link (/usr/lpp/rdz) to another directory (/long/directory/name/usr/lpp/rdz).

  ln -s /long/directory/name/usr/lpp/rdz /usr/lpp/rdz

• Use STDIN

  When the PARM field is empty, BPXBATSL will start a z/OS UNIX shell and execute the shell script that is provided by STDIN. Note that STDIN must be a z/OS UNIX file (allocated as ORDONLY) and that using STDIN disables the usage of PROC variables for the port etc. Also note that the shell will execute the shell logon scripts /etc/profile and $HOME/.profile.

  To use this method, you must first update the startup JCL to match something like the following sample:

  Figure 4. RSED - alternate RSE daemon startup

  //*
  //* RSE DAEMON - USING STDIN
  //*
  //RSED     PROC CNFG='/etc/rdz'
  //*
  //RSE      EXEC PGM=BPXBATSL,REGION=0M,TIME=NOLIMIT
  //STDOUT   DD SYSOUT=*
  //STDERR   DD SYSOUT=*
  //STDIN    DD PATHOPTS=(ORDONLY),PATH='&CNFG./rsed.stdin.sh'
  //STDENV   DD PATHOPTS=(ORDONLY),PATH='&CNFG./rsed.envvars'
  //         PEND
  //*

  Second, you must create the shell script (/etc/rdz/rsed.stdin.sh in this example) that will start the RSE daemon. The content of this script will look like the following sample:

  Figure 5. rsed.stdin.sh - alternate RSE daemon startup

  /long/directory/name/usr/lpp/rdz/bin/rsed.sh 4035 /etc/rdz

  Note:
  You should allocate rsed.envvars to STDENV in the daemon startup JCL, as it defines some z/OS UNIX directives that help save system resources when using this startup method.

ELAXF* remote build procedures

Developer for System z provides sample JCL procedures that can be used for the JCL generation, remote project builds, and remote syntax check features of CICS BMS maps, IMS MFS screens, COBOL, PL/I, Assembler, and C/C++ programs. These procedures allow installations to apply their own standards, and ensure that developers use the same procedures with the same compiler options and compiler levels.

The sample procedures and their function are listed in Table 7.

The names of the procedures and the names of the steps in the procedures match the default properties that are shipped with the Developer for System z client. If you decide to change the name of a procedure or the name of a step in a procedure, the corresponding properties file on all the clients should also be updated. We recommend that you do not change the procedure and step names.

Customize the sample build procedure members, FEK.#CUST.PROCLIB(ELAXF*), as described within the members, and copy them to SYS1.PROCLIB. You have to provide the correct high level qualifiers for different product libraries, as described in Table 8.

If the ELAXF* procedures cannot be copied into a system procedure library, ask the Developer for System z users to add a JCLLIB card (right after the JOB card) to the job properties on the client.

//MYJOB    JOB <job parameters>
//PROCS    JCLLIB ORDER=(FEK.#CUST.PROCLIB)

Security definitions

Customize and submit sample member FEKRACF in data set FEK.#CUST.JCL to create the security definitions for Developer for System z. The user submitting this job must have security administrator privileges, such as being RACF SPECIAL.

The following list of mandatory and optional security-related definitions for Developer for System z are discussed in detail in Security considerations. This chapter also discusses general security-related aspects of Developer for System z, including security aspects of requisite products that are not covered by the sample FEKRACF job.

• Activate security settings and classes
• Define an OMVS segment for Developer for System z users
• Define data set profiles
• Define the JMON, RSED, and LOCKD started tasks
• Define JES command security
• Define RSE as a secure z/OS UNIX server
• Define MVS program controlled libraries for RSE
• Define application security for RSE
• Define PassTicket support for RSE
• Define z/OS UNIX program controlled files for RSE

FEJJCNFG, JES Job Monitor configuration file

JES Job Monitor (JMON) provides all JES-related services. The behavior of JES Job Monitor can be controlled with the definitions in FEJJCNFG.

FEJJCNFG is located in FEK.#CUST.PARMLIB, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

Customize the sample JES Job Monitor configuration member FEJJCNFG, as shown in the following sample. Comment lines start with a pound sign (#), when using a US code page. Data lines can only have a directive and its assigned value, comments are not allowed on the same line.

HOST_CODEPAGE=IBM-1047
SERV_PORT=6715
TZ=EST5EDT
#_BPXK_SETIBMOPT_TRANSPORT=TCPIP
#APPLID=FEKAPPL
#AUTHMETHOD=SAF
#CODEPAGE=UTF-8
#CONCHAR=$
#CONSOLE_NAME=JMON
#GEN_CONSOLE_NAME=OFF
#LIMIT_COMMANDS=NOLIMIT
#LIMIT_VIEW=USERID
#LISTEN_QUEUE_LENGTH=5
#MAX_DATASETS=32
#MAX_THREADS=200
#TIMEOUT=3600
#TIMEOUT_INTERVAL=1200
#SUBMITMETHOD=TSO
#TSO_TEMPLATE=FEK.#CUST.CNTL(FEJTSO)

HOST_CODEPAGE

The host codepage. The default is IBM-1047. Change to match your host codepage.

SERV_PORT

The port number for JES Job Monitor host server. The default port is 6715. Change as desired, however, BOTH the server and the Developer for System z clients must be configured with the same port number. If you change the server port number, all clients must also change the JES Job Monitor port for this system in the Remote Systems View.

Notes:

1. Before selecting a port, verify that the port is available on your system with the TSO commands NETSTAT and NETSTAT PORTL.
2. When using a version 7.1 or higher client, all communication on this port is confined to your z/OS host machine.

TZ

Time zone selector. The default is EST5EDT. The default time zone is UTC +5 hours (Eastern Standard Time (EST) Eastern Daylight Savings Time (EDT)). Change this to represent your time zone. Additional information can be found in the UNIX System Services Command Reference (SA22-7802).

The following definitions are optional. If omitted, default values will be used as specified below:

_BPXK_SETIBMOPT_TRANSPORT=<tcpip stack name>

Specifies the name of the TCPIP stack to be used. The default is TCPIP. Uncomment and change to the requested TCPIP stack name, as defined in the TCPIPJOBNAME statement in the related TCPIP.DATA.

Note:

Coding a SYSTCPD DD statement in the server JCL does not set the requested stack affinity.

APPLID

Specifies the application identifier used for identifying JES Job Monitor to your security software. The default is FEKAPPL. Uncomment and change to the desired application ID.

Note:

This value must match the application ID set for RSE in the rsed.envvars configuration file. If these values differ, RSE cannot connect the client to JES Job Monitor.

AUTHMETHOD

The default is SAF, which means that the System Authorization Facility (SAF) security interface is used. Do not change unless directed to do so by the IBM support center.

CODEPAGE

The workstation codepage. The default is UTF-8. The workstation codepage is set to UTF-8 and generally should not be changed. You might need to uncomment the directive and change UTF-8 to match the workstation's codepage if you have difficulty with NLS characters, such as the currency symbol.

CONCHAR

Specifies the JES console command character. CONCHAR defaults to CONCHAR=$ for JES2, or CONCHAR=* for JES3. Uncomment and change to the requested command character.

CONSOLE_NAME

Specifies the name of the EMCS console used for issuing commands against jobs (Hold, Release, Cancel, and Purge). The default is JMON. Uncomment and change to the desired console name, using the guidelines below.

• CONSOLE_NAME must be either a console name consisting of 2 to 8 alphanumeric characters, or '&SYSUID' (without quotes).
• If a console name is specified, a single console by that name is used for all users. If the console by that name happens to be in use, then the command issued by the client will fail.
• If &SYSUID is specified, the client user ID is used as the console name. Thus a different console is used for each user. If the console by that name happens to be in use (for example, the user is using the SDSF ULOG), then the command issued by the client might fail, depending on the GEN_CONSOLE_NAME setting.

No matter which console name is used, the user ID of the client requesting the command is used as the LU of the console, leaving a trace in syslog messages IEA630I and IEA631.

IEA630I OPERATOR console NOW ACTIVE,   SYSTEM=sysid, LU=id
IEA631I OPERATOR console NOW INACTIVE, SYSTEM=sysid, LU=id

GEN_CONSOLE_NAME

Enables or disables automatic generating of alternative console names. The default is OFF. Uncomment and change to ON to enable alternative console names.

This directive is only used when CONSOLE_NAME equals &USERID and the user ID is not available as console name.

If GEN_CONSOLE_NAME=ON, an alternative console name is generated by appending a single numeric digit to the user ID. The digits 0 through 9 are attempted. If no available console is found, the command issued by the client fails.

If GEN_CONSOLE_NAME=OFF, the command issued by the client fails.

Note:

The only valid settings are ON and OFF.

LIMIT_COMMANDS

Defines against which jobs the user can issue selected JES commands (Show JCL, Hold, Release, Cancel, and Purge). The default (LIMIT_COMMANDS=USERID) limits the commands to jobs owned by the user. Uncomment this directive and specify LIMITED or NOLIMIT to allow the user to issue commands against all spool files, if permitted by your security product.

Table 9. LIMIT_COMMANDS command permission matrix

	Job owner
LIMIT_COMMANDS	User	Other
USERID (default)	Allowed	Not allowed
LIMITED	Allowed	Allowed only if explicitly permitted by security profiles
NOLIMIT	Allowed	Allowed if permitted by security profiles or when the JESSPOOL class is not active

Note:

The only valid settings are USERID, LIMITED, and NOLIMIT.

LIMIT_VIEW

Defines what output the user can view. The default (LIMIT_VIEW=NOLIMIT) allows the user to view all JES output, if permitted by your security product. Uncomment this directive and specify USERID to limit the view to output owned by the user.

Note:

The only valid settings are USERID and NOLIMIT.

LISTEN_QUEUE_LENGTH

The TCP/IP listen queue length. The default is 5. Do not change unless directed to do so by the IBM support center.

MAX_DATASETS

The maximum number of spooled output data sets that JES Job Monitor will return to the client (for example, SYSOUT, SYSPRINT, SYS00001, and so on). The default is 32. The maximum value is 2147483647.

MAX_THREADS

Maximum number of users that can be using one JES Job Monitor at a time. The default is 200. The maximum value is 2147483647. Increasing this number may require you to increase the size of the JES Job Monitor address space.

TIMEOUT

The length of time, in seconds, before a thread is killed due to lack of interaction with the client. The default is 3600 (1 hour). The maximum value is 2147483647. TIMEOUT=0 disables the function.

TIMEOUT_INTERVAL

The number of seconds between timeout checks. The default is 1200. The maximum value is 2147483647.

SUBMITMETHOD=TSO

Submit jobs through TSO. The default (SUBMITMETHOD=JES) submits jobs directly into JES. Uncomment this directive and specify TSO to submit the job through TSO SUBMIT command. This method allows TSO exits to be invoked; however, it has a performance drawback and for that reason it is not recommended.

Notes:

1. The only valid settings are TSO and JES.
2. If SUBMITMETHOD=TSO is specified, then TSO_TEMPLATE must also be defined.

TSO_TEMPLATE

Wrapper JCL for submitting the job through TSO. The default value is FEK.#CUST.CNTL(FEJTSO). This statement refers to the fully qualified member name of the JCL to be used as a wrapper for the TSO submit. See the SUBMITMETHOD statement for more information.

Notes:

1. A sample wrapper job is provided in FEK.#CUST.CNTL(FEJTSO). Refer to this member for more information on the customization needed.
2. TSO_TEMPLATE has no effect unless SUBMITMETHOD=TSO is also specified.

rsed.envvars, RSE configuration file

The RSE lock daemon and the RSE server processes (RSE daemon, RSE thread pool, and RSE server) use the definitions in rsed.envvars. Optional Developer for System z and third-party services can use this configuration file also to define environment variables for their use.

Remote Systems Explorer (RSE) provides core services such as connecting the client to the host and starting other servers for specific services. Lock daemon provides tracking services for data set locks.

rsed.envvars is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

See the following sample rsed.envvars file, which must be customized to match your system environment. Comment lines start with a pound sign (#), when using a US code page. Data lines can only have a directive and its assigned value, comments are not allowed on the same line. Line continuations and spaces around the equal sign (=) are not supported.

#=============================================================
# (1) required definitions
JAVA_HOME=/usr/lpp/java/J5.0
RSE_HOME=/usr/lpp/rdz
_RSE_LOCKD_PORT=4036
_RSE_HOST_CODEPAGE=IBM-1047
TZ=EST5EDT
LANG=C
PATH=/bin:/usr/sbin
_CEE_DMPTARG=/tmp
STEPLIB=NONE
#STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL
_RSE_SAF_CLASS=/usr/include/java_classes/IRRRacf.jar
_RSE_JAVAOPTS=""
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Xms1m -Xmx256m"
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddaemon.log=/var/rdz/logs"
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duser.log=/var/rdz/logs"
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_LOG_DIRECTORY="
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.clients=60"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threads=1000"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dminimum.threadpool.process=1"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threadpool.process=100"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dipv6=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.last.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.standard.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.port.of.entry=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.certificate.mapping=false"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.audit.log=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.cycle=30"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.retention.period=0"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DAPPLID=OMVSAPPL"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDENY_PASSWORD_SAVE=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DHIDE_ZOS_UNIX=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_IDLE_SHUTDOWN_TIMEOUT=3600000"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_TRACING_ON=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_MEMLOGGING_ON=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DTSO_SERVER=APPC"
#=============================================================
# (2) required definitions for TSO/ISPF Client Gateway
_CMDSERV_BASE_HOME=/usr/lpp/ispf
_CMDSERV_CONF_HOME=/etc/rdz
_CMDSERV_WORK_HOME=/var/rdz
#STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB
_RSE_CMDSERV_OPTS=""
#_RSE_CMDSERV_OPTS="$_RSE_CMDSERV_OPTS&ISPPROF=&SYSUID..ISPPROF" 
#============================================================= 
# (3) required definitions for SCLM Developer Toolkit 
_SCLMDT_CONF_HOME=/var/rdz/sclmdt   
#STEPLIB=$STEPLIB:FEK.SFEKAUTH:FEK.SFEKLOAD  
#_SCLMDT_TRANTABLE=FEK.#CUST.LSTRANS.FILE  
#ANT_HOME=/usr/lpp/Apache/Ant/apache-ant-1.7.1  
#=============================================================  
# (4) optional definitions  
#_RSE_PORTRANGE=8108-8118  
#_BPXK_SETIBMOPT_TRANSPORT=TCPIP  
#_FEKFSCMD_TP_NAME_=FEKFRSRV 
#_FEKFSCMD_PARTNER_LU_=lu_name 
#GSK_CRL_SECURITY_LEVEL=HIGH 
#GSK_LDAP_SERVER=ldap_server_url 
#GSK_LDAP_PORT=ldap_server_port 
#GSK_LDAP_USER=ldap_userid 
#GSK_LDAP_PASSWORD=ldap_server_password 
#============================================================= 

# (5) do not change unless directed by IBM support center 
_CEE_RUNOPTS="ALL31(ON) HEAP(32M,32K,ANYWHERE,KEEP,,) TRAP(ON)" 
_BPX_SHAREAS=YES 
_BPX_SPAWN_SCRIPT=YES 
JAVA_PROPAGATE=NO 
RSE_LIB=$RSE_HOME/lib 
PATH=.:$JAVA_HOME/bin:$RSE_HOME/bin:$_CMDSERV_BASE_HOME/bin:$PATH 
LIBPATH=$JAVA_HOME/bin:$JAVA_HOME/bin/classic:$RSE_LIB:$RSE_LIB/icuc 
LIBPATH=.:/usr/lib:$LIBPATH 
CLASSPATH=$RSE_LIB:$RSE_LIB/dstore_core.jar:$RSE_LIB/clientserver.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/dstore_extra_server.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/zosserver.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/dstore_miners.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/universalminers.jar:$RSE_LIB/mvsminers.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/carma.jar:$RSE_LIB/luceneminer.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/mvsluceneminer.jar:$RSE_LIB/cdzminer.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/mvscdzminer.jar:$RSE_LIB/jesminers.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/FAMiner.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/mvsutil.jar:$RSE_LIB/jesutils.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/lucene-core-2.3.2.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/cdtparser.jar 
CLASSPATH=$CLASSPATH:$RSE_LIB/wdzBidi.jar:$RSE_LIB/fmiExtensions.jar 
CLASSPATH=$CLASSPATH:$_RSE_SAF_CLASS 
CLASSPATH=.:$CLASSPATH 
_RSE_CMDSERV_OPTS="&SESSION=SPAWN$_RSE_CMDSERV_OPTS"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DISPF_OPTS='$_RSE_CMDSERV_OPTS'" 
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DA_PLUGIN_PATH=$RSE_LIB"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Xbootclasspath/p:$RSE_LIB/bidiTools.jar"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dfile.encoding=$_RSE_HOST_CODEPAGE" 
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dconsole.encoding=$_RSE_HOST_CODEPAGE"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_SPIRIT_ON=true"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DSPIRIT_EXPIRY_TIME=6" 
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DSPIRIT_INTERVAL_TIME=6"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dcom.ibm.cacheLocalHost=true"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duser.home=$HOME"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dclient.username=$RSE_USER_ID" 
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlow.heap.usage.ratio=15"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.heap.usage.ratio=40"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_KEEPALIVE_ENABLED=true"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_KEEPALIVE_RESPONSE_TIMEOUT=60000" 
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_IO_SOCKET_READ_TIMEOUT=180000"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlock.daemon.port=$_RSE_LOCKD_PORT"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlock.daemon.cleanup.interval=1440"  
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -showversion"  
_RSE_SERVER_CLASS=org.eclipse.dstore.core.server.Server  
_RSE_DAEMON_CLASS=com.ibm.etools.zos.server.RseDaemon  
_RSE_POOL_SERVER_CLASS=com.ibm.etools.zos.server.ThreadPoolProcess  
_RSE_LOCKD_CLASS=com.ibm.ftt.rse.mvs.server.miners.MVSLockDaemon 
_RSE_SERVER_TIMEOUT=120000 
_SCLMDT_BASE_HOME=$RSE_HOME 
_SCLMDT_WORK_HOME=$_CMDSERV_WORK_HOME 
CGI_DTWORK=$_SCLMDT_WORK_HOME 
#============================================================= 
# (6) additional environment variables

The following definitions are required:

JAVA_HOME

Java home directory. The default is /usr/lpp/java/J5.0. Change to match your Java installation.

RSE_HOME

RSE home directory. The default is /usr/lpp/rdz. Change to match your Developer for System z installation.

_RSE_LOCKD_PORT

RSE lock daemon port number. The default is 4036. Can be changed if desired.

Notes:

1. Before selecting a port, verify that the port is available on your system with the TSO commands NETSTAT and NETSTAT PORTL.
2. All communication on this port is confined to your z/OS host machine.

_RSE_HOST_CODEPAGE

The host codepage. The default is IBM-1047. Change to match your host codepage.

TZ

Time zone selector. The default is EST5EDT. The default time zone is UTC +5 hours (Eastern Standard Time (EST) Eastern Daylight Savings Time (EDT)). Change to match your time zone.

Additional information can be found in the UNIX System Services Command Reference (SA22-7802).

LANG

Specifies the name of the default locale. The default is C. C specifies the POSIX locale and (for example) Ja_JP specifies the Japanese locale. Change to match your locale.

PATH

Command path. The default is /bin:/usr/sbin:.. Can be changed if desired.

_CEE_DMPTARG

Language Environment (LE) z/OS UNIX dump location used by the Java Virtual Machine (JVM). The default is /tmp.

STEPLIB

Access MVS data sets not in LINKLIST/LPALIB. The default is NONE.

You can bypass the need of having (prerequisite) libraries in LINKLIST/LPALIB by uncommenting and customizing one or more of the following STEPLIB directives. Refer to PARMLIB changes for more information on the usage of the libraries listed below:

STEPLIB=$STEPLIB:CEE.SCEERUN:CEE.SCEERUN2:CBC.SCLBDLL
STEPLIB=$STEPLIB:ISP.SISPLOAD:ISP.SISPLPA:SYS1.LINKLIB
STEPLIB=$STEPLIB:FEK.SFEKAUTH:FEK.SFEKLOAD

Note:

• Using STEPLIB in z/OS UNIX has a negative performance impact.
• If one STEPLIB library is APF authorized, then all must be authorized. Libraries lose their APF authorization when they are mixed with non-authorized libraries in STEPLIB.
• Libraries that are designed for LPA placement might require additional program control and APF authorizations if they are accessed through LINKLIST or STEPLIB.
• Coding a STEPLIB DD statement in the server JCL does not set the requested STEPLIB concatenation.

RSE_SAF_CLASS

Specifies the Java interface to your security product. The default is /usr/include/java_classes/IRRRacf.jar. Change to match your security software setup.

Note:

Since z/OS 1.10, /usr/include/java_classes/IRRRacf.jar is part of SAF, which ships with base z/OS, so it is available also to non-RACF customers.

RSE_JAVAOPTS

Additional RSE-specific Java options. . See Defining extra Java startup parameters with _RSE_JAVAOPTS for more information on this definition.

Developer for System z uses ISPF's TSO/ISPF Client Gateway by default for the TSO Commands service. An APPC transaction is used instead when the following _RSE_JAVAOPTS option is uncommented:

RSE_JAVAOPTS="$_RSE_JAVAOPTS -DTSO_SERVER=APPC"

The following definitions are required if ISPF's TSO/ISPF Client Gateway is used for the TSO Commands service, SCLM Developer Toolkit or CARMA.

_CMDSERV_BASE_HOME

Home directory for the ISPF code that provides the TSO/ISPF Client Gateway service. The default is /usr/lpp/ispf. Change to match your ISPF installation. This directive is only required when ISPF's TSO/ISPF Client Gateway is used.

_CMDSERV_CONF_HOME

ISPF base configuration directory. The default is /etc/rdz. Change to match the location of ISPF.conf, the TSO/ISPF Client Gateway customization file. This directive is only required when ISPF's TSO/ISPF Client Gateway is used.

_CMDSERV_WORK_HOME

ISPF base work directory. The default is /var/rdz. Change to match the location of the WORKAREA directory used by the TSO/ISPF Client Gateway. This directive is only required when ISPF's TSO/ISPF Client Gateway is used.

Notes®:

• The TSO/ISPF Client Gateway will add /WORKAREA to the path specified in _CMDSERV_WORK_HOME. Do not add it yourself.
• If you did not use the SFEKSAMP(FEKSETUP) sample job to build the customizable environment, then you should verify that the WORKAREA directory exists in the path specified in _CMDSERV_WORK_HOME. The directory permission bits must be 777.

STEPLIB

STEPLIB is described previously in the required definitions section.

RSE_CMDSERV_OPTS

Additional TSO/ISPF Client Gateway specific Java options. The default is "". See Defining extra Java startup parameters with _RSE_CMDSERV_OPTS for more information on this definition. This directive is only required when ISPF's TSO/ISPF Client Gateway is used.

The following definitions are required if SCLM Developer Toolkit is used.

SCLMDT_CONF_HOME

SCLM Developer Toolkit base configuration directory. The default is /var/rdz/sclmdt. Change to match the location of the CONFIG directory used by SCLMDT to store SCLM project information. This directive is only required when SCLMDT is used.

Note:

SCLMDT will add /CONFIG and /CONFIG/PROJECT to the path specified in SCLMDT_CNF_HOME. Do not add it yourself.

STEPLIB

STEPLIB is described previously in the required definitions section.

_SCLMDT_TRANTABLE

Name of the long/short name translation VSAM. The default is FEK.#CUST.LSTRANS.FILE. Uncomment and change to match the name used in the SCLM sample job ISP.SISPSAMP(FLM02LST). This directive is only required if the long/short name translation in SCLM Developer Toolkit is used.

ANT_HOME

Home directory for your Ant installation. The default is /usr/lpp/Apache/Ant/apache-ant-1.7.1. Change to match your Ant installation. This directive is only required when the JAVA/J2EE build support is used with SCLM Developer Toolkit.

The following definitions are optional. If omitted, default values will be used:

_RSE_PORTRANGE

Specifies the port range that the RSE server can open for communication with a client. Any port can be used by default. See Defining the PORTRANGE available for RSE for more information on this definition. This is an optional directive.

BPXK_SETIBMOPT_TRANSPORT

Specifies the name of the TCP/IP stack to be used. The default is TCPIP. Uncomment and change to the requested TCP/IP stack name, as defined in the TCPIPJOBNAME statement in the related TCPIP.DATA. . This is an optional directive.

Note:

Coding a SYSTCPD DD statement in the server JCL does not set the requested stack affinity.

_FEKFSCMD_TP_NAME_

APPC transaction program name. The default value is FEKFRSRV. Uncomment and change this definition if you did not use the default transaction program name when defining the APPC transaction. This is an optional directive.

_FEKFSCMD_PARTNER_LU_

Force RSE server to use this APPC partner LU. The default is the base LU specified during APPC configuration. This is an optional directive.

GSK_CRL_SECURITY_LEVEL

Specifies the level of security SSL applications will use when contacting LDAP servers to check CRLs for revoked certificates during certificate validation. The default is MEDIUM. Uncomment and change to enforce the usage of the specified value. This is an optional directive. The following values are valid:

• LOW - Certificate validation will not fail if the LDAP server cannot be contacted.
• MEDIUM - Certificate validation requires the LDAP server to be contactable, but does not require a CRL to be defined. This is the default
• HIGH - Certificate validation requires the LDAP server to be contactable and a CRL to be defined.

Note:

This directive requires z/OS 1.9 or higher.

GSK_LDAP_SERVER

Specifies one or more blank-separated LDAP server host names. Uncomment and change to enforce the usage of the specified LDAP servers to obtain their CRL. This is an optional directive.

The host name can either be a TCP/IP address or an URL. Each host name can contain an optional port number separated from the host name by a colon (:).

GSK_LDAP_PORT

Specifies the LDAP server port. The default is 389. Uncomment and change to enforce the usage of the specified value. This is an optional directive.

GSK_LDAP_USER

Specifies the distinguished name to use when connecting to the LDAP server. Uncomment and change to enforce the usage of the specified value. This is an optional directive.

GSK_LDAP_PASSWORD

Specifies the password to use when connecting to the LDAP server. Uncomment and change to enforce the usage of the specified value. This is an optional directive.

The following definitions are required, and should not be changed unless directed by the IBM support center:

_CEE_RUNOPTS

Language Environment (LE) runtime options. The default is "ALL31(ON) HEAP(32M,32K,ANYWHERE,KEEP,,) TRAP(ON)". Do not modify.

_BPX_SHAREAS

Run foreground processes in the same address space as the shell. The default is YES. Do not modify.

_BPX_SPAWN_SCRIPT

Run shell scripts directly from the spawn() function. The default is YES. Do not modify.

JAVA_PROPAGATE

Propagates the security and workload context during thread creation (Java version 1.4 and older only). The default is NO. Do not modify.

RSE_LIB

RSE library path. The default is $RSE_HOME/lib. Do not modify.

PATH

Command path. The default is .:$JAVA_HOME/bin:$RSE_HOME/bin:$_CMDSERV_BASE_HOME/bin:$PATH. Do not modify.

LIBPATH

Library path. The default is too long to repeat. Do not modify.

CLASSPATH

Class path. The default is too long to repeat. Do not modify.

_RSE_CMDSERV_OPTS

Additional TSO Commands service-specific Java options. The default is "&SESSION=SPAWN$_RSE_CMDSERV_OPTS". Do not modify.

_RSE_JAVAOPTS

Additional RSE-specific Java options. The default is too long to repeat. Do not modify.

_RSE_SERVER_CLASS

Java class for the RSE server. The default is org.eclipse.dstore.core.server.Server. Do not modify.

_RSE_DAEMON_CLASS

Java class for the RSE daemon. The default is com.ibm.etools.zos.server.RseDaemon. Do not modify.

_RSE_POOL_SERVER_CLASS

Java class for the RSE thread pool. The default is com.ibm.etools.zos.server.ThreadPoolProcess. Do not modify.

_RSE_LOCKD_CLASS

Java class for the RSE lock daemon. The default is com.ibm.ftt.rse.mvs.server.miners.MVSLockDaemon. Do not modify.

_RSE_SERVER_TIMEOUT

Time out value for the RSE server (waiting on the client) in milliseconds. The default is 120000 (2 minutes). Do not modify.

SCLMDT_BASE_HOME

Home directory for SCLM Developer Toolkit code. The default is $RSE_HOME. Do not modify.

SCLMDT_WORK_HOME

SCLM Developer Toolkit base work directory. The default is $_CMDSERV_WORK_HOME. Do not modify.

CGI_DTWORK

SCLM Developer Toolkit support for older clients. The default is $_SCLMDT_WORK_HOME. Do not modify.

Defining the PORTRANGE available for RSE

This is a part of rsed.envvars customization that specifies the ports on which the RSE server can communicate with the client. This range of ports has no connection with the RSE daemon port.

To help understand the port usage, a brief description of RSE's connection process follows:

1. The client connects to host port 4035, RSE daemon.
2. The RSE daemon creates an RSE server thread.
3. The RSE server opens a host port for the client to connect. The selection of this port can be configured by the user, either on the client in the subsystem properties tab (this is not recommended) or through the _RSE_PORTRANGE definition in rsed.envvars.
4. The RSE daemon returns the port number to the client.
5. The client connects to the host port.

To specify the port range, for the client to communicate with z/OS, uncomment and customize the following line in rsed.envvars:

#_RSE_PORTRANGE=8108-8118

The format of PORTRANGE is: _RSE_PORTRANGE=min-max (max is non-inclusive; for example _RSE_PORTRANGE=8108-8118 means port numbers from 8108 up to 8117 are usable). The port number used by the RSE server is determined in the following order:

1. If a nonzero port number is specified in the subsystem properties on the client, then the specified port number is used. If the port is not available connect will fail. This setup is not recommended.
2. If the port number in the subsystem properties is 0, and if _RSE_PORTRANGE is specified in rsed.envvars, then the port range specified by _RSE_PORTRANGE is used. If no port in the range is available, connect will fail.
3. If the port number in the subsystem properties is 0, and _RSE_PORTRANGE is not specified in rsed.envvars, then any available port is used.

Defining extra Java startup parameters with _RSE_JAVAOPTS

With the different _RSE_*OPTS directives, rsed.envvars provides the possibility to give extra parameters to Java when it starts the RSE processes. The sample options included in rsed.envvars can be activated by uncommenting them.

_RSE_JAVAOPTS defines standard and RSE-specific Java options.

_RSE_JAVAOPTS=""

Variable initialization. Do not modify.

_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Xms1m -Xmx256m"

Set initial (Xms) and maximum (Xmx) heap size. The defaults are 1M and 256M respectively. Change to enforce the desired heap size values. If this directive is commented out, the Java default values will be used, which are 1M and 64M respectively.

Note:

Refer to Tuning considerations to determine the optimal values for this directive.

_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Ddaemon.log=/var/rdz/logs"

Directory holding the RSE daemon and server logging and RSE audit data. The default is /var/rdz/logs. Change to enforce the desired location. If this directive is commented out, the home directory of the user ID assigned to RSE daemon will be used. The home directory is defined in the OMVS security segment of the user ID.

_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duser.log=/var/rdz/logs"

Directory leading to the user-specific logs. The default is /var/rdz/logs. Change to enforce the desired location. If this directive is commented out, the home directory of the client user ID will be used. The home directory is defined in the OMVS security segment of the user ID.

Notes:

1. The complete path to the user logs is userlog/dstorelog/$LOGNAME/, where userlog is the value of the user.log directive, dstorelog is the value of the DSTORE_LOG_DIRECTORY directive and $LOGNAME is the client's user ID in uppercase.
2. Ensure that the permission bits for userlog/dstorelog are set so that each client can create $LOGNAME.

_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_LOG_DIRECTORY="

This directory is appended to the path specified in the user.log directive. Together they create the path leading to the user-specific logs. The default is a null-string. Change to enforce the usage of the specified directory. If this directive is commented out, .eclipse/RSE/ will be used.

Notes:

1. The complete path to the user logs is userlog/dstorelog/$LOGNAME/, where userlog is the value of the user.log directive, dstorelog is the value of the DSTORE_LOG_DIRECTORY directive, and $LOGNAME is the client's user ID in uppercase.
2. The directory specified here is relative to the directory specified in user.log, and thus may not start with a forward slash (/).
3. Ensure that the permission bits for userlog/dstorelog are set so that each client can create $LOGNAME.

The following directives are commented out by default.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.clients=60"

Maximum amount of clients serviced by one thread pool. The default is 60. Uncomment and customize to limit the number of clients per thread pool. Note that other limits may prevent RSE from reaching this limit.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threads=1000"

Maximum amount of threads serviced by one thread pool. The default is 1000. Uncomment and customize to limit the number of threads per thread pool. Note that each client connection uses multiple threads (16 or more) and that other limits may prevent RSE from reaching this limit.

Note:

This value must be lower than the setting for MAXTHREADS and MAXTHREADTASKS in SYS1.PARMLIB(BPXPRMxx).

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dminimum.threadpool.process=1"

The minimum number of active thread pools. The default is 1. Uncomment and customize to start at least the listed number of thread pool processes. Thread pool processes are used for load balancing the RSE server threads. More new processes are started when they are needed. Starting the new processes up front helps prevent connection delays but uses more resources during idle times.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.threadpool.process=100"

The maximum number of active thread pools. The default is 100. Uncomment and customize to limit the number of thread pool processes. Thread pool processes are used for load balancing the RSE server threads, so limiting them will limit the amount of active client connections.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dipv6=true"

TCP/IP version. The default is false, which means that an IPv4 interface will be used. Uncomment and specify true to use an IPv6 interface.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dkeep.last.log=true"

Keep a copy of the host log files belonging to the previous session. The default is false. Uncomment and specify true to rename the previous log files to *.last during server startup and client connect.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.standard.log=true"

Write the stdout and stderr streams of the thread pools to a log file. The default is false. Uncomment and specify true to save the stdout and stderr streams. The resulting log files are located in the directory referenced by the daemon.log directive.

Notes:

1. The MODIFY RSESTANDARDLOG operator command can be used to dynamically stop or start the update of the stream log files.
2. There are no user-specific stdout.log and stderr.log log files when the enable.standard.log directive is active. The user-specific data is now written to the matching RSE thread pool stream.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.port.of.entry=true"

Port Of Entry (POE) check option. The default is false. Uncomment and specify true to enforce POE checking for client connections. During POE checking, the IP address of the client is mapped into a network access security zone by your security software. The client user ID must have permission to use the profile that defines the security zone.

Notes:

1. POE checking must also be enabled in your security product.
2. Enabling POE checking will enable it for other z/OS UNIX services also, such as INETD.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.certificate.mapping=false"

Use your security software to authenticate a logon with a X.509 certificate. The default is true. Uncomment and specify false to have RSE daemon do the authentication without relying on the X.509 support of your security software.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.audit.log=true"

Audit option. The default is false. Uncomment and specify true to enforce audit logging of actions done by clients. Audit logs are written to the RSE daemon log location. See the daemon.log option of the _RSE_JAVAOPTS variable to know where this is.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.cycle=30"

Number of days stored in 1 audit log file. The default is 30. Uncomment and customize to control how much audit data is written to 1 audit log file. The maximum value is 365.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.retention.period=0"

Number of days audit logs are kept. The default is 0 (no limit). Uncomment and customize to delete audit logs after a given number of days. The maximum value is 365.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DAPPLID=OMVSAPPL"

RSE server application ID. The default is FEKAPPL. Uncomment and customize this option to enforce the use of the desired application ID. OMVSAPPL is used by z/OS UNIX itself and z/OS UNIX based processes that do not create a unique application ID.

Note:

The application ID must be defined to your security software. Failure to do so will prevent the client from logging on.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDENY_PASSWORD_SAVE=true"

Password save option. The default is false. Uncomment and specify true to prevent users from saving their host password on the client. Previously saved passwords will be removed. This option only works with clients version 7.1 and higher.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DHIDE_ZOS_UNIX=true"

Hide z/OS UNIX option. The default is false. Uncomment and specify true to prevent users from seeing z/OS UNIX elements (directory structure and command line) on the client. This option only works with clients version 7.6 and higher.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_IDLE_SHUTDOWN_TIMEOUT=3600000"

Disconnect idle clients. By default, idle clients are not disconnected. Uncomment and customize to disconnect clients who are idle for the listed amount of milliseconds (3600000 equals 1 hour).

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_TRACING_ON=true"

Start dstore tracing. Use only when directed by the IBM support center. Note that the resulting .dstoreTrace log file is created in Unicode (ASCII), not EBCDIC.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_MEMLOGGING_ON=true"

Start dstore memory tracing. Use only when directed by the IBM support center. Note that the resulting .dstoreMemLogging log file is created in Unicode (ASCII), not EBCDIC.

#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DTSO_SERVER=APPC"

Use an APPC transaction for the TSO Commands service. By default, ISPF's TSO/ISPF Client Gateway is used. Uncomment to use an APPC transaction instead. Do not change the assigned value.

Defining extra Java startup parameters with _RSE_CMDSERV_OPTS

With the different _RSE_*OPTS directives, rsed.envvars provides the possibility to give extra parameters to Java when it starts the RSE processes. The sample options included in rsed.envvars can be activated by uncommenting them.

The _RSE_CMDSERV_OPTS directives are RSE-specific Java options and are only in effect when ISPF's TSO/ISPF Client Gateway is used by the Developer for System z. (This is the default.)

_RSE_CMDSERV_OPTS=""

Variable initialization. Do not modify.

_RSE_CMDSERV_OPTS="$_RSE_CMDSERV_OPTS &ISPROF=&SYSUID..ISPROF="

Use an existing ISPF profile for the ISPF initialization. Uncomment and change the data set name to use the specified ISPF profile.

The following variables can be used in the data set name:

• &SYSUID, to substitute the developer's user ID
• &SYSPREF, to substitute the developer's TSO prefix

ISPF.conf, ISPF's TSO/ISPF Client Gateway configuration file

ISPF's TSO/ISPF Client Gateway uses the definitions in ISPF.conf to create a valid environment to execute batch TSO and ISPF commands. Developer for System z uses this environment to run some MVS based services. These services include the TSO Commands service, SCLM Developer Toolkit service and an alternate CARMA startup method.

ISPF.conf is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

Comment lines start with an asterisk (*) when using a US code page. Data lines can only have a directive and its assigned value. Comments are not allowed on the same line. Line continuations are not supported. When concatenating data set names, add them on the same line and separate the names with a comma (,).

In addition to providing the correct names for the ISPF data sets, you must also add the TSO Commands service data set name, FEK.SFEKPROC, to the SYSPROC or SYSEXEC statement, as shown in the following example.

* REQUIRED:
sysproc=ISP.SISPCLIB,FEK.SFEKPROC
ispmlib=ISP.SISPMENU
isptlib=ISP.SISPTENU
ispplib=ISP.SISPPENU
ispslib=ISP.SISPSLIB

* OPTIONAL:
*allocjob = FEK.#CUST.CNTL(CRAISPRX)
*ISPF_timeout = 900

1. You can add your own DD-like statements and data set concatenations to customize the TSO environment, thus mimicking a TSO logon procedure. See Customizing the TSO environment for more details.
2. The TSO/ISPF Client Gateway may not function properly if you use a (third party) product that intercepts ISPF commands, such as ISPSTART. Check the documentation for that product on how it can be disabled for Developer for System z. If the product requires the allocation of a specific DD statement to DUMMY, you can simulate this in ISPF.conf by allocating that DD statement to nullfile.

   For example:

   ISPTRACE=nullfile

3. When using the allocjob directive, be careful not to undo the DD definitions done earlier in ISPF.conf.
4. System abend 522 for module ISPZTSO is to be expected if the JWT parameter in the SMFPRMxx parmlib member is set lower than the ISPF_timeout value in ISPF.conf. This does not impact Developer for System z operations, as the TSO/ISPF Client Gateway is restarted automatically when needed.
5. Changes are active for all new invocations. No server restart is needed.

Optional components

The customization steps above are for a basic Developer for System z setup. Refer to the chapters about the optional components for their customization requirements:

• (Optional) Common Access Repository Manager (CARMA)
• (Optional) Application Deployment Manager
• (Optional) SCLM Developer Toolkit
• (Optional) DB2 stored procedure
• (Optional) CICS bidirectional language support
• (Optional) RSE SSL encryption
• (Optional) RSE tracing
• (Optional) Host based property groups
• (Optional) Host based projects
• (Optional) File Manager integration
• (Optional) Uneditable characters
• (Optional) Using REXEC (or SSH)
• (Optional) APPC transaction for the TSO Commands service
• (Optional) WORKAREA cleanup

(Optional) Common Access Repository Manager (CARMA)

Common Access Repository Manager (CARMA) is a productivity aid for developers who are creating Repository Access Managers (RAMs). A RAM is an Application Programming Interface (API) for z/OS based Software Configuration Managers (SCMs).

In turn, user-written applications can start a CARMA server which loads the RAMs and provides a standard interface to access the SCM.

Developer for System z supports multiple methods to start a CARMA server, each with their own benefits and drawbacks.

• The "batch submit" method starts the CARMA server by submitting a job. This is the default method used in the provided sample configuration files. The benefit of this method is that the CARMA logs are easily accessible in the job output. It also allows the use of custom server JCL for each developer, which is maintained by the developer himself. However, this method uses one JES initiator per developer starting a CARMA server.
• The "CRASTART" method starts the CARMA server as a subtask within RSE. It provides a very flexible setup by using a separate configuration file that defines data set allocations and program invocations needed to start a CARMA server. This method provides the best performance and uses the fewest resources, but requires that module CRASTART is located in LPA.
• The "TSO/ISPF Client Gateway" method uses ISPF's TSO/ISPF Client Gateway to create a TSO or ISPF environment, in which the CARMA server is started. It allows for flexible data set allocations using the possibilities of ISPF.conf. However, this method is not suited to access SCMs that interfere with normal TSO or ISPF operations.

Requirements and checklist

You will need the assistance of a security administrator and a TCP/IP administrator to complete this customization task, which requires the following resources or special customization tasks:

• TCP/IP port range for internal communication
• Security rule to allow developers update to CARMA VSAM files
• (Optional) Security rule to allow users to submit CRA* jobs
• (Optional) LPA update

In order to start using CARMA at your site, you must perform the following tasks. Unless otherwise indicated, all tasks are mandatory.

1. Create required CARMA components. For details, see CARMA components.
2. Initial customization of RSE configuration files to interface with CARMA. The complete customization is dependent on the method chosen to start CARMA. For details, see RSE interface to CARMA.
3. Choose a method to start CARMA and do the required customization of the related configuration files. For details see:
   • CARMA server startup using batch submit
   • (Optional) Alternative CARMA server startup using CRASTART
   • (Optional) Alternative CARMA server startup using TSO/ISPF Client Gateway
4. Optionally activate sample Repository Access Managers (RAMs). For details see (Optional) Activating the sample Repository Access Managers (RAMs).
5. Optionally activate CA Endevor® RAM. For details see (Optional) Activating the CA Endevor® RAM.
6. Optionally create CRAXJCL as replacement for IRXJCL. For details, see (Optional) IRXJCL versus CRAXJCL.

CARMA components

The following CARMA components must be customized, regardless of the chosen startup method. The sample members referenced below are located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

1. Customize and submit the FEK.#CUST.JCL(CRA$VDEF) JCL. Refer to the documentation within CRA$VDEF for customization instructions. CRA$VDEF creates and primes the CARMA configuration VSAM data set, CRADEF.
2. Customize and submit the FEK.#CUST.JCL(CRA$VMSG) JCL. Refer to the documentation within CRA$VMSG for customization instructions. CRA$VMSG creates and primes the CARMA message VSAM data set, CRAMSG.
3. Customize and submit the FEK.#CUST.JCL(CRA$VSTR) JCL. Refer to the documentation within CRA$VSTR for customization instructions. CRA$VSTR creates and primes the CARMA custom information VSAM data set, CRASTRS.

RSE interface to CARMA

The CARMA server provides a standard API for other host-based products to access one or more Software Configuration Managers (SCMs). However, it does not provide methods for direct communication with a client PC. For this, it relies on other products, such as the RSE server. The RSE server uses the settings in CRASRV.properties to start and connect to a CARMA server.

CRASRV.properties is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

# CRASRV.properties - CARMA configuration options
#
port.start=5227
port.range=100
startup.script.name=/usr/lpp/rdz/bin/carma.startup.rex
clist.dsname='FEK.#CUST.CNTL(CRASUBMT)'
crastart.stub=/usr/lpp/rdz/bin/CRASTART
crastart.configuration.file=/etc/rdz/crastart.conf
crastart.syslog=Partial
crastart.timeout=420
#crastart.steplib=FEK.SFEKLPA
#crastart.tasklib=TASKLIB

port.start

First port used for communication between CARMA and the RSE server. The default port is 5227. Communication on this port is confined to your host machine.

Note:

Before selecting a port, verify that the port is available on your system with the NETSTAT and NETSTAT PORTL commands. See Reserved TCP/IP ports for more information.

port.range

Range of ports, starting at port.start, which will be used for CARMA communication. The default is 100. For example, when using the defaults, port 5227 until 5326 (inclusive) can be used by CARMA.

startup.script.name

Defines the absolute path of the CARMA startup script. The default is /usr/lpp/rdz/bin/carma.startup.rex. This REXX exec will trigger the startup of a CARMA server.

clist.dsname

Defines the startup method for the CARMA server.

• *CRASTART indicates that the CARMA server should be started as a subtask within RSE using CRASTART. Refer to (Optional) Alternative CARMA server startup using CRASTART for more details. If you specify *CRASTART, you must also specify the crastart.* directives.
• *ISPF indicates that the CARMA server should be started using ISPF's TSO/ISPF Client Gateway. Refer to(Optional) Alternative CARMA server startup using TSO/ISPF Client Gateway for more details.
• Any other value defines the location of the CRASUBMT CLIST, using TSO-like naming conventions. With quotes (') the data set name is an absolute reference, without quotes (') the data set name is prefixed with the client's user ID, not the TSO prefix. The latter requires that all CARMA users must maintain their own CRASUBMT CLIST.

The default is 'FEK.#CUST.CNTL(CRASUBMT)'. This CLIST will start a CARMA server when opening a connection using the batch submit method.

crastart.stub

z/OS UNIX stub for calling CRASTART. The default is /usr/lpp/rdz/bin/CRASTART. This stub makes the MVS based CRASTART load module available to z/OS UNIX processes. This directive is only used if the clist.dsname directive has *CRASTART as value.

crastart.configuration.file

Specifies the name of the CRASTART configuration file. The default is /etc/rdz/crastart.conf. This file specifies the data set allocations and program invocations needed to start a CARMA server. This directive is only used if the clist.dsname directive has *CRASTART as value.

crastart.syslog

Specifies how much information is written to the system log while CRASTART starts a CARMA server. The default is Partial. Valid values are:

A (All)	All tracing information is printed to SYSLOG
P (Partial)	Only connect, disconnect, and error information is printed to SYSLOG
anything else	Only error conditions are printed to SYSLOG

This directive is only used if the clist.dsname directive has *CRASTART as value.

crastart.timeout

The length of time, in seconds, before a CARMA server ends due to lack of activity. The default is 420 (7 minutes). This directive is only used if the clist.dsname directive has *CRASTART as value.

crastart.steplib

The location of the CRASTART module when accessed through the STEPLIB directive in rsed.envvars. The default is FEK.SFEKLPA. Uncomment and customize this directive if the CRASTART module cannot be part of LPA or LINKLIST. Note that program control and APF issues may arise if the CRASTART module is not in LPA. This directive is only used if the clist.dsname directive has *CRASTART as value.

crastart.tasklib

Alternate name for the TASKLIB DD name in crastart.conf. The default is TASKLIB. Uncomment and customize this directive if DD name TASKLIB has a special meaning for your SCM or RAM and cannot be used as STEPLIB replacement. This directive is only used if the clist.dsname directive has *CRASTART as value.

CARMA server startup using batch submit

The information in this section describes how to configure the default method for Developer for System z to start a CARMA server. This customization step can be bypassed if you use another startup method.

Developer for System z uses by default the batch submit CARMA server startup method that does not require the CRASTART module to be in LPA and does not depend on the TSO/ISPF Client Gateway. The method submits the CARMA server as a long-running batch job in your JES.

Adjust CRASRV.properties

RSE server uses the settings in /etc/rdz/CRASRV.properties to start and connect to a CARMA server, as documented in RSE interface to CARMA. You can edit the file with the TSO OEDIT command. Note that RSE must be restarted for the changes to take effect.

Change the value of the clist.dsname directive to the data set and member name of the CRASUBMT CARMA server startup CLIST, as shown in the following example:

port.start=5227
port.range=100
startup.script.name=/usr/lpp/rdz/bin/carma.startup.rex
clist.dsname='FEK.#CUST.CNTL(CRASUBMT)'

Adjust CRASUBMT

Customize the CRASUBMT CLIST, as shown in the following code sample. Refer to the documentation within CRASUBMT for customization instructions. The CRASUBMT CLIST submits a CARMA server.

CRASUBMT is located in FEK.#CUST.CNTL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

PROC 1 PORT TIMEOUT(420)
SUBMIT * END($$)
//CRA&PORT JOB CLASS=A,MSGCLASS=A,MSGLEVEL=(1,1)
//RUN      EXEC PGM=IKJEFT01,DYNAMNBR=25,REGION=1024K,TIME=NOLIMIT
//STEPLIB  DD DISP=SHR,DSN=FEK.SFEKLOAD
//*        DD DISP=SHR,DSN=FEK.#CUST.LOAD
//CRADEF   DD DISP=SHR,DSN=FEK.#CUST.CRADEF
//CRAMSG   DD DISP=SHR,DSN=FEK.#CUST.CRAMSG
//CRASTRS  DD DISP=SHR,DSN=FEK.#CUST.CRASTRS
//*CRARAM1  DD DISP=SHR,DSN=FEK.#CUST.CRARAM1
//*
//ISPPROF  DD DISP=(NEW,DELETE,DELETE),DSN=&&PROF,
//            SPACE=(TRK,(1,1,5)),LRECL=80,RECFM=FB,UNIT=SYSALLDA
//ISPMLIB  DD DISP=SHR,DSN=ISP.SISPMENU
//ISPPLIB  DD DISP=SHR,DSN=ISP.SISPPENU
//ISPSLIB  DD DISP=SHR,DSN=ISP.SISPSENU
//ISPTLIB  DD DISP=SHR,DSN=ISP.SISPTENU
//ISPEXEC  DD DISP=SHR,DSN=ISP.SISPEXEC
//SYSPROC  DD DISP=SHR,DSN=ISP.SISPCLIB
//*
//CARMALOG DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ISPSTART PGM(CRASERV) PARM(&PORT &TIMEOUT)
//*
$$
EXIT CODE(0)

1. You can add your own DD statements and data set concatenations to customize the CARMA TSO environment, thus mimicking a TSO logon procedure.
2. You can optionally change CARMA's timeout value by modifying the PROC 1 PORT TIMEOUT(420) line in FEK.#CUST.CNTL(CRASUBMT) CLIST. The timeout value is the number of seconds CARMA will wait for the next command from the client. Setting a value of 0 results in the default timeout value, currently 420 seconds (7 minutes).
3. Details of the CARMA startup process are shown in rsecomm.log. Refer to (Optional) RSE tracing for more information on setting the detail level of rsecomm.log.
4. Changes are in effect for all CARMA servers started after the update.

(Optional) Alternative CARMA server startup using CRASTART

The information in this section describes how to configure an alternative method for Developer for System z to start a CARMA server. This customization step can be bypassed if you use another startup method.

Developer for System z supports an alternative CARMA server startup method that does not depend on the TSO/ISPF Client Gateway and that does not submit a server job using a JES initiator. The method uses CRASTART to start the CARMA server as a subtask within RSE and is similar to the TSO/ISPF Client Gateway service.

Adjust CRASRV.properties

RSE server uses the settings in /etc/rdz/CRASRV.properties to start and connect to a CARMA server, as documented in RSE interface to CARMA. You can edit the file with the TSO OEDIT command. Note that RSE must be restarted for the changes to take effect.

Change the value of the clist.dsname directive to *CRASTART and provide the correct values for the crastart.* directives, as shown in the following example:

port.start=5227
port.range=100
startup.script.name=/usr/lpp/rdz/bin/carma.startup.rex
clist.dsname=*CRASTART
crastart.stub=/usr/lpp/rdz/bin/CRASTART
crastart.configuration.file=/etc/rdz/crastart.conf
crastart.syslog=Partial
crastart.timeout=420
#crastart.steplib=FEK.SFEKLPA
#crastart.tasklib=TASKLIB

Adjust crastart.conf

Keep a printout of the customized CRASUBMT (see CARMA server startup using batch submit) handy for easy reference during this customization step. The printout will be valuable even if you have not customized the member.

CRASTART uses the definitions in crastart.conf to create a valid environment to execute batch TSO and ISPF commands. Developer for System z uses this environment to run the CARMA server called CRASERV.

crastart.conf is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

The following customization steps are needed to adjust the configuration file shown in the code sample below.

• Add the data sets allocated to the STEPLIB concatenation of the CRASUBMT procedure to the TASKLIB statement in crastart.conf.
• Create entries for the mandatory CARMA VSAM DD's, CRADEF, CRAMSG, and CRSTRS. Use the data set names provided in the (customized) CRASUBMT procedure.
• Add any custom DD statement and the related data set concatenations, available in the (customized) CRASUBMT procedure. For example, add the CRARAM1 DD statement and data set name if you use the sample PDS RAM. Note that you can use data set names (allocated with DISP=SHR), SYSOUT and DUMMY constructs.
• Optionally add any BPXWDYN command using the -COMMAND statement. There can be multiple -COMMAND statements. BPXWDYN allows you to do more complex allocations, including creating temporary data sets, dispositions other than SHR, allocations to other subsystems, and so on. Refer to Using REXX and z/OS UNIX System Services (SA22-7806) for more information on BPXWDYN.
• Select the desired program invocation method using the PROGRAM statement. The advised method is "PROGRAM=IKJEFT01 CRASERV &CRAPRM1. &CRAPRM2.", as it gives you a TSO environment that can handle a mixture of APF and non-APF data sets. See the sample crastart.conf for other methods.

* crastart.conf - CARMA allocation options

TASKLIB  = FEK.SFEKLOAD
CRADEF   = FEK.#CUST.CRADEF
CRAMSG   = FEK.#CUST.CRAMSG
CRASTRS  = FEK.#CUST.CRASTRS
*CRARAM1  = FEK.#CUST.CRARAM1
*
CARMALOG = SYSOUT(H)
SYSTSPRT = SYSOUT(H)
SYSTSIN  = DUMMY
-COMMAND=ALLOC FI(SCRATCH) NEW DELETE DSORG(PS) RECFM(F,B) LRECL(80) UNIT(VIO)
*
PROGRAM=IKJEFT01 CRASERV &CRAPRM1. &CRAPRM2.

The following variables can be used in the configuration file:

(Optional) Alternative CARMA server startup using TSO/ISPF Client Gateway

The information in this section describes how to configure an alternative method for Developer for System z to start a CARMA server. This customization step can be bypassed if you use another startup method.

Developer for System z supports an alternative CARMA server startup method that does not require the CRASTART module to be in LPA and that does not submit a server job using a JES initiator. The method uses ISPF's TSO/ISPF Client Gateway and is similar to the default way of accessing the TSO Commands service.

Adjust CRASRV.properties

RSE server uses the settings in /etc/rdz/CRASRV.properties to start and connect to a CARMA server, as documented in RSE interface to CARMA. You can edit the file with the TSO OEDIT command. Note that RSE must be restarted for the changes to take effect.

Change the value of the clist.dsname directive to *ISPF, as shown in the following example:

port.start=5227
port.range=100
startup.script.name=/usr/lpp/rdz/bin/carma.startup.rex
clist.dsname=*ISPF

Adjust ISPF.conf

Keep a printout of the customized CRASUBMT (see CARMA server startup using batch submit ) handy for easy reference during this customization step. The printout will be valuable even if you have not customized the member.

ISPF's TSO/ISPF Client Gateway uses the definitions in ISPF.conf to create a valid environment to execute batch TSO and ISPF commands. Developer for System z uses this environment to run the CARMA server.

ISPF.conf is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

The following customization steps are needed to adjust the configuration file shown in the code sample below.

• Provide the correct names for the mandatory ISPF data sets (do not allocate ISPPROF however, this one is allocated dynamically).
• Append the Developer for System z proclib, FEK.SFEKPROC, to the SYSPROC or SYSEXEC statement, so that the CRASRVI exec can be found by the system. This exec starts the CARMA server (and thus replaces CRASUBMT's SYSTSIN DD).
• Append the DD STEPLIB concatenation of the CRASUBMT procedure to the ispllib statement.
• Create entries for the mandatory CARMA VSAM DDs, CRADEF, CRAMSG, and CRSTRS. Use the data set names provided in the (customized) CRASUBMT procedure.
• Add any custom DD statement and the related data set concatenation, available in the (customized) CRASUBMT procedure. For example, add the CRARAM1 DD statement and data set name if you use the sample PDS RAM. Note that you can only use data set names (allocated with DISP=SHR).
• Optionally uncomment and customize the allocexec directive to do additional allocations using an exec.

sysproc=ISP.SISPCLIB,FEK.SFEKPROC
ispllib=FEK.SFEKLOAD
ispmlib=ISP.SISPMENU
isptlib=ISP.SISPTENU
ispplib=ISP.SISPPENU
ispslib=ISP.SISPSLIB
CRADEF =FEK.#CUST.CRADEF
CRAMSG =FEK.#CUST.CRAMSG
CRASTRS=FEK.#CUST.CRASTRS
*CRARAM1=FEK.#CUST.CRARAM1
allocjob=FEK.#CUST.CNTL(CRAISPRX)

DD CARMALOG refers to SYSOUT=* by default, which cannot be mapped in ISPF.conf. You cannot map the DD directly to a data set either, since all Developer for System z users will be using the same ISPF.conf file and thus the same data sets.

However, as described in Customizing the TSO environment, section Advanced - Using an allocation exec, you can use an allocation exec to create and allocate a data set based upon the active user ID. See sample member CRAISPRX in data set FEK.#CUST.CNTL as an example that allocates DD CARMALOG to data set name TSOPREFIX'.'USERID'.CRA.'TIMESTAMP'.CARMALOG'.

(Optional) Activating the sample Repository Access Managers (RAMs)

Repository Access Managers (RAMs) are user-written APIs to interface with z/OS Software Configuration Managers (SCMs). Follow the instructions in the sections below for the sample RAMs you want to activate.

Refer to Rational Developer for System z Common Access Repository Manager Developer's Guide (SC23-7660) for more information on the sample RAMs and sample source code provided.

The sample members referenced below are located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

Activating the PDS RAM

The PDS RAM gives a data set list similar to MVS Files -> My Data Sets in the Remote Systems view. The PDS RAM uses RAM ID 0 by default.

1. Customize and submit the FEK.#CUST.JCL(CRA#VPDS) JCL. Refer to the documentation within CRA#VPDS for customization instructions. CRA#VPDS creates and primes the PDS RAM message VSAM data set.
2. Add the CRARAM1 DD statement to the selected CARMA startup method and provide the data set name of the PDS RAM message VSAM.

Activating the SCLM RAM

The SCLM RAM gives a basic entry into SCLM, ISPF's Software Configuration Manager. The SCLM RAM uses RAM ID 1 by default.

1. Customize and submit the FEK.#CUST.JCL(CRA#VSLM) JCL. Refer to the documentation within CRA#VSLM for customization instructions. CRA#VSLM creates and primes the SCLM RAM message VSAM data set.
2. Add the CRARAM2 DD statement to the selected CARMA startup method and provide the data set name of the SCLM RAM message VSAM.
3. Customize the FEK.#CUST.JCL(CRA#ASLM) JCL. Refer to the documentation within CRA#ASLM for customization instructions. CRA#ASLM allocates data sets needed by SCLM RAM clients.
   Note:
   Each user must submit FEK.#CUST.JCL(CRA#ASLM) once before using CARMA with the SCLM RAM. Failing to do so will result in an allocation error.

Activating the skeleton RAM

The skeleton RAM gives a skeleton framework that can be used to develop your own RAMs. The skeleton RAM uses RAM ID 3 by default.

1. Customize and submit the FEK.#CUST.JCL(CRA#CRAM) JCL. Refer to the documentation within CRA#CRAM for customization instructions. CRA#CRAM compiles the skeleton RAM.
2. Add the load library holding the compiled skeleton RAM module, CRARAMSA, to the STEPLIB DD of the selected CARMA startup method (TASKLIB DD for the CRASTART method).

(Optional) Activating the CA Endevor® RAM

The IBM® Rational® Developer for System z Interface for CA Endevor® SCM gives Developer for System z clients direct access to CA Endevor®. From here on, IBM® Rational® Developer for System z Interface for CA Endevor® SCM is abbreviated to CA Endevor® RAM (Repository Access Manager).

In contradiction with the sample RAMs documented in this publication, CA Endevor® RAM is a production type RAM. You should not activate both types of RAM in the same setup.

Define the CA Endevor® RAM

The following CARMA components must be customized, regardless of the chosen startup method. The sample members referenced below are located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

1. Customize and submit the FEK.#CUST.JCL(CRA#VCAD) JCL. Refer to the documentation within CRA$VDEF for customization instructions. CRA#VCAD creates and primes the CARMA configuration VSAM data set, CRADEF.
2. Customize and submit the FEK.#CUST.JCL(CRA$VMSG) JCL. Refer to the documentation within CRA$VMSG for customization instructions. CRA$VMSG creates and primes the CARMA message VSAM data set, CRAMSG.
   Note:
   This is the same job as for the sample RAMs.
3. Customize and submit the FEK.#CUST.JCL(CRA#VCAS) JCL. Refer to the documentation within CRA$VSTR for customization instructions. CRA#VCAS creates and primes the CARMA custom information VSAM data set, CRASTRS.

Update the CARMA server startup - batch submit

Do not execute this step if you use the CRASTART method to start the CARMA server with the CA Endevor® RAM.

The following customizations to FEK.#CUST.CNTL(CRASUBMT) are specific to the CA Endevor® RAM and must be done on top of the customizations described in CARMA server startup using batch submit.

• Ensure that the region size is sufficient (min 2048K).

  //RUN      EXEC PGM=IKJEFT01,DYNAMNBR=25,REGION=0K,TIME=NOLIMIT

• Place load module FEK.SFEKLOAD(CRARNDVR) in the STEPLIB DD of your CARMA server. Note that SFEKLOAD is already part of this DD if you used the defaults during CARMA customization. The CA Endevor® authorized load libraries must also be available, either by way of LINKLIST or STEPLIB. When using STEPLIB, all libraries in the STEPLIB must be APF-authorized.

  //STEPLIB  DD DISP=SHR,DSN=FEK.SFEKLOAD
  //*        DD DISP=SHR,DSN=#ca.NDVR.AUTHLIB
  //*        DD DISP=SHR,DSN=#ca.NDVRU.AUTHLIB

• Use the CA Endevor® NDVRC1 load module instead of ISPSTART to start ISPF and the CARMA server.

  //SYSTSIN  DD *
     NDVRC1   PGM(CRASERV) PARM(&PORT &TIMEOUT) 
  //*ISPSTART PGM(CRASERV) PARM(&PORT &TIMEOUT)

• Add CA Endevor® specific DD statements.

  //CONLIB   DD DISP=SHR,DSN=#ca.NDVR.CONLIB
  //MSG3FILE DD DSN=&&MSG3FILE,DISP=(NEW,DELETE),UNIT=SYSALLDA, 
  //            RECFM=FB,LRECL=133,SPACE=(TRK,(5,5)) 
  //EXT1ELM  DD DSN=&&EXT1ELM,DISP=(NEW,DELETE),UNIT=SYSALLDA, 
  //            RECFM=VB,LRECL=4096,SPACE=(TRK,(5,5))

Update the CARMA server startup - CRASTART

Do not execute this step if you use the batch submit method to start the CARMA server with the CA Endevor® RAM.

The following customizations to /etc/rdz/crastart.conf are specific to the CA Endevor® RAM and must be done on top of the customizations described in (Optional) Alternative CARMA server startup using CRASTART.

• Place load module FEK.SFEKLOAD(CRARNDVR) in the TASKLIB DD directive. Note that SFEKLOAD is already part of this directive if you used the defaults during CARMA customization. The CA Endevor® authorized load libraries must also be available, either via LINKLIST or TASKLIB. When using TASKLIB, all TASKLIB'd libraries must be APF authorized.

  TASKLIB = FEK.SFEKLOAD
  *TASKLIB = FEK.SFEKLOAD,#ca.NDVR.AUTHLIB,#ca.NDVRU.AUTHLIB

• Use the CA Endevor® NDVRC1 load module instead of ISPSTART to start ISPF and the CARMA server.

  PROGRAM=IKJEFT01 NDVRC1   PGM(CRASERV) PARM(&CRAPRM1. &CRAPRM2.)

• Add CA Endevor® specific DD directives.

  CONLIB  = #ca.NDVR.CONLIB
  -COMMAND=ALLOC FI(MSG3FILE) NEW DELETE DSORG(PS) RECFM(F,B)
  LRECL(133) UNIT(VIO)
  -COMMAND=ALLOC FI(EXT1ELM) NEW DELETE DSORG(PS) RECFM(V,B)
  LRECL(4096) UNIT(VIO)

(Optional) IRXJCL versus CRAXJCL

If the CARMA server is started using TSO (IKJEFTxx), you may experience problems if your RAMs call services which in turn call the IRXJCL REXX batch interface. The problem can occur when the processors called by the RAM previously ran either without TSO, or only in online TSO and dynamically allocates DD SYSTSIN or SYSTSPRT. A sample program, CRAXJCL, is provided to work around this problem.

Your processor might fail if it attempts to allocate SYSTSIN or SYSTSPRT (required for IRXJCL) because batch TSO (required for CARMA) already has those DD names allocated and open. The CRAXJCL replacement module attempts to allocate SYSTSIN and SYSTSPRT to DUMMY but ignores the errors which occur if the allocations fail.

This means that when your processors run in a CARMA environment started by TSO, the allocations to SYSTSIN and SYSTSPRT are the same as those used by CARMA. When the processors are run outside of TSO/CARMA, the SYSTSIN and SYSTSPRINT allocations will be created by CRAXJCL. Therefore, your processors must not rely on the contents of the data set allocated to SYSTSIN.

It is assumed that calls to IRXJCL use the PARM field to pass the REXX name and startup parameters, as documented in TSO/E REXX Reference (SA22-7790). This means that SYSTSIN can safely be used by CARMA. Any output sent to SYSTSPRT by IRXJCL will end up in CARMA's log.

Processors that call the CRAXJCL replacement module should not attempt to allocate DD SYSTSIN or SYSTSPRT before calling CRAXJCL.

Create CRAXJCL

The CRAXJCL replacement module is shipped in source format because you will need to customize it to specify the specific allocations you want to use for SYSTSPRT. SYSTSIN should usually be allocated to a dummy data set.

Sample assembler source code and a sample compile/bind job are shipped as FEK.#CUST.ASM(CRAXJCL) and FEK.#CUST.JCL(CRA#CIRX) respectively, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

Customize the CRAXJCL assembler source code per your needs, using the documentation within the member. Afterwards, customize and submit the CRA#CIRX JCL to create the CRAXJCL load module. Refer to the documentation within CRA#CIRX for customization instructions.

(Optional) Application Deployment Manager

Developer for System z uses certain functions of Application Deployment Manager as a common deployment approach for various components. The customization steps listed in this chapter are required if your developers use any of the following functions:

• Enterprise Service Tools (EST)
• BMS Screen Designer
• MFS Screen Designer
• CICSTS Code Generation

Customizing Application Deployment Manager adds the CICS Resource Definition (CRD) server, which runs as a CICS application on z/OS to support the following functions:

• CICS resource queries
• CICS resource definition install and uninstall requests in both CICSplex SM and non-CICSplex SM environments
• Program and mapset phase-in requests
• Pipeline scan requests
• Manifest export, import, and update requests

CICS administrators can find more information on the CRD server in CICSTS considerations.

Requirements and checklist

You will need assistance of a CICS administrator, a TCP/IP administrator and a security administrator to complete this customization task, which requires the following resources or special customization tasks:

• TCP/IP port for external communication
• Update CICS region JCL
• Update CICS region CSD
• Define group to CICS region
• Security rule to allow administrators update to an Application Deployment Manager VSAM
• CICSTS security setup
• (Optional) Define CICS transaction names
• (Optional) Security rule to allow users update to an Application Deployment Manager VSAM

In order to start using Application Deployment Manager at your site, you must perform the following tasks. Unless otherwise indicated, all tasks are mandatory.

1. Create the CRD repository. For details, see CRD repository.
2. Choose the CICS interface (RESTful or Web Service) to be used. (The interfaces can co-exist). For details see RESTful versus Web Service.
3. If desired, do the RESTful specific customizations. For details see CRD server using the RESTful interface.
   • Define the CRD server to the CICS primary connection region
   • Optionally define the CRD server to CICS non-primary connection regions.
   • Optionally customize the CRD server transaction IDs.
4. If desired, do the Web Service specific customizations. For details see CRD server using the Web Service interface.
   • Add the (possibly customized) pipeline message handler to the CICS RPL concatenation.
   • Define the CRD server to the CICS primary connection region.
   • Optionally define the CRD server to CICS non-primary connection regions.
5. Optionally create the manifest repository. For details, see (Optional) Manifest repository.

CRD repository

Customize and submit job ADNVCRD to allocate and initialize the CRD repository VSAM data set. Refer to the documentation within the member for customization instructions.

ADNVCRD is located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

You should create a separate repository for each CICS primary connection region. Sharing the repository implies that all related CICS regions will use the same values stored in the repository.

CICS administrative utility

Developer for System z provides the administrative utility to let CICS administrators provide the default values for CICS resource definitions. These defaults can be read-only, or can be editable by the application developer.

The administrative utility is invoked by sample job ADNJSPAU. The usage of this utility requires UPDATE access to the CRD repository.

ADNJSPAU is located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

More information is available in CICSTS considerations.

RESTful versus Web Service

CICS Transaction Server provides in version 4.1 and higher support for an HTTP interface designed using Representational State Transfer (RESTful) principles. This RESTful interface is now the strategic CICSTS interface for use by client applications. The older Web Service interface has been stabilized, and enhancements will be for the RESTful interface only.

Application Deployment Manager follows this statement of direction and requires the RESTful CRD server for all services that are new to Developer for System version 7.6 or higher.

The RESTful and Web Service interfaces can be active concurrently in a single CICS region, if desired. In this case, there will be two CRD servers active in the region. Both servers will share the same CRD repository. Note that CICS will issue some warnings about duplicate definitions when the second interface is defined to the region.

CRD server using the RESTful interface

The information in this section describes how to define the CRD server that uses the RESTful interface to communicate with the Developer for System z client.

The RESTful and Web Service interfaces can be active concurrently in a single CICS region, if desired. In this case, there will be two CRD servers active in the region. Both servers will share the same CRD repository. Note that CICS will issue some warnings about duplicate definitions when the second interface is defined to the region.

CICS primary connection region

The CRD server must be defined to the primary connection region. This is the Web Owning Region (WOR) that will process Web Service requests from Developer for System z.

• Place the load modules FEK.SFEKLOAD(ADNCRD*, ADNANAL and ADNREST) in the CICS RPL concatenation (DD statement DFHRPL) of the CICS primary connection region. It is recommended that you do this by adding the installation data set to the concatenation so that applied maintenance is automatically available to CICS.
• Customize and submit job ADNCSDRS to update the CICS System Definition (CSD) for the CICS primary connection region. Refer to the documentation within the member for customization instructions.

  ADNCSDRS is located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

• Use the appropriate CEDA command to install the Application Deployment Manager group for this region, for example:

  CEDA INSTALL GROUP(ADNPCRGP)

CICS non-primary connection regions

The CRD server can also be used with one or more additional non-primary connection regions, which are usually Application Owning Regions (AOR).

• Place the Application Deployment Manager load module FEK.SFEKLOAD(ADNCRD*) in the CICS RPL concatenation (DD statement DFHRPL) of these non-primary connection regions. It is recommended that you do this by adding the installation data set to the concatenation so that applied maintenance is automatically available to CICS.
• Customize and submit job ADNCSDAR to update the CSD for these non-primary, connection regions. Refer to the documentation within the member for customization instructions.

  ADNCSDAR is located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

• Use the appropriate CEDA command to install the Application Deployment Manager group for these regions, for example:

  CEDA INSTALL GROUP(ADNARRGP)

(Optional) Customize CRD server transaction IDs

Developer for System z supplies multiple transactions that are used by the CRD server when defining and inquiring CICS resources.

You can change the transaction IDs to match your site standards by following these steps:

1. Customize and submit ADNTXNC to create load module ADNRCUST. Refer to the documentation within the member for customization instructions.
2. Place the resulting ADNRCUST load module in the CICS RPL concatenation (DD statement DFHRPL) of the CICS regions where the CRD server is defined.
3. Customize and submit ADNCSDTX to define ADNRCUST as program to the CICS regions where the CRD server is defined. Refer to the documentation within the member for customization instructions.

CRD server using the Web Service interface

The information in this section describes how to define the CRD server that uses the Web Service interface to communicate with the Developer for System z client.

The RESTful and Web Service interfaces can be active concurrently in a single CICS region, if desired. In this case, there will be two CRD servers active in the region. Both servers will share the same CRD repository. Note that CICS will issue some warnings about duplicate definitions when the second interface is defined to the region.

Pipeline message handler

The pipeline message handler (ADNTMSGH) is used for security by processing the user ID and password in the SOAP header. ADNTMSGH is referenced by the sample pipeline configuration file and must therefore be placed into the CICS RPL concatenation. Refer to CICSTS considerations to learn more about the pipeline message handler and the required security setup.

Developer for System z supplies multiple transactions that are used by the CRD server when defining and inquiring CICS resources. These transaction IDs are set by ADNTMSGH, depending on the requested operation. Sample COBOL source code is provided to allow site-specific customizations to ADNTMSGH:

Using the default:

• Place the FEK.SFEKLOAD(ADNTMSGH) load module in the CICS RPL concatenation (DD statement DFHRPL) of the CICS primary connection region. It is recommended that you do this by adding the installation data set to the concatenation so that applied maintenance is automatically available to CICS.

Customizing ADNTMSGH:

Sample members ADNMSGH* are located in FEK.#CUST.JCL and FEK.#CUST.COBOL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

• Customize the sample Pipeline Message Handler (COBOL) source code, FEK.#CUST.COBOL(ADNMSGHS), to match your site's standards.
• Customize and submit job FEK.#CUST.JCL(ADNMSGHC) to compile the customized ADNMGHS source. Refer to the documentation within ADNMSGHC for customization instructions. Note that the resulting load module must be named ADNTMSGH.
• Place the resulting ADNTMSGH load module in the CICS RPL concatenation (DD statement DFHRPL) of the CICS primary connection region.

CICS primary connection region

The CRD server must be defined to the primary connection region. This is the region that will process service requests from Developer for System z.

• Place the load modules FEK.SFEKLOAD(ADNCRD*, ADNANAL and ADNREST) in the CICS RPL concatenation (DD statement DFHRPL) of the CICS primary connection region. It is recommended that you do this by adding the installation data set to the concatenation so that applied maintenance is automatically available to CICS. Note that the pipeline message handler load module, ADNTMSGH, must also be placed in the RPL concatenation, as described in Pipeline message handler.
• Customize and submit job ADNCSDWS to update the CICS System Definition (CSD) for the CICS primary connection region. Refer to the documentation within the member for customization instructions. Note that the transaction IDs used in this job must match the ones used by the Pipeline message handler (which may have been customized).

  ADNCSDWS is located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

• Use the appropriate CEDA command to install the Application Deployment Manager group for this region, for example:

  CEDA INSTALL GROUP(ADNPCRGP)

CICS non-primary connection regions

The CRD server can also be used with one or more additional non-primary connection regions, which are usually Application Owning Regions (AOR).

• Place the Application Deployment Manager load modules FEK.SFEKLOAD(ADNCRD*) in the CICS RPL concatenation (DD statement DFHRPL) of these non-primary connection regions. You should do this by adding the installation data set to the concatenation so that applied maintenance is automatically available to CICS.
• Customize and submit job ADNCSDAR to update the CSD for these non-primary, connection regions. Refer to the documentation within the member for customization instructions.

  ADNCSDAR is located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

• Use the appropriate CEDA command to install the Application Deployment Manager group for these regions, for example:

  CEDA INSTALL GROUP(ADNARRGP)

(Optional) Manifest repository

Developer for System z allows clients to browse and optionally change manifests describing selected CICS resources. Depending on permissions set by the CICS administrator, changes can be done directly or exported to the manifest repository for further processing by a CICS administrator.

Customize and submit job ADNVMFST to allocate and initialize the manifest repository VSAM data set, and to define it to the CICS primary connection region. Refer to the documentation within the member for customization instructions. A separate manifest repository must be created for each CICS primary connection region. All users need UPDATE access to the manifest repository.

ADNVMFST is located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

(Optional) SCLM Developer Toolkit

SCLM Developer Toolkit provides the tools needed to extend the capabilities of SCLM to the client. SCLM itself is a host-based source code manager that is shipped as part of ISPF.

The SCLM Developer Toolkit has an Eclipse-based plugin that interfaces to SCLM and provides for access to all SCLM processes for legacy code development as well as support for full Java and J2EE development on the workstation with synchronization to SCLM on the mainframe including building, assembling, and deployment of the J2EE code from the mainframe.

Requirements and checklist

You will need assistance of an SCLM administrator and optionally a security administrator to complete this customization task, which requires the following resources and/or special customization tasks:

• APF and LINKLIST updates
• Define SCLM language translators for JAVA/J2EE support
• Define SCLM types for JAVA/J2EE support
• (Optional) Security rule to allow users update to an SCLM VSAM
• (Optional) Installation of Ant

In order to start using SCLM Developer Toolkit at your site, you must perform the following tasks. Unless otherwise indicated, all tasks are mandatory.

1. Verify and adjust prerequisites and PARMLIB updates. For details, see Prerequisites.
2. Customize Developer for System z configuration files. For details see:
   • ISPF.conf updates for SCLMDT
   • rsed.envvars updates for SCLMDT
3. Optionally define long/short name translation support. For details, see (Optional) Long/short name translation.
4. Optionally install and customize Ant to use the JAVA/J2EE build support. For details, see (Optional) Install and customize Ant.
5. Update SCLM to define SCLMDT-specific parts. For details, see SCLM updates for SCLMDT.
6. Optionally set up automation to periodically clean up the SCLMDT work area. For details, see Remove old files from WORKAREA.

Prerequisites

Refer to Appendix E. Requisites for a list of required SCLM maintenance.

This appendix also documents the Ant specifications needed for JAVA/J2EE builds in SCLM Developer Toolkit.

As described in PARMLIB changes, SCLM Developer Toolkit requires additional customization of system settings. These changes include:

• (BPXPRMxx) Increase the maximum number of processes per z/OS UNIX user ID.
• (PROGxx) APF authorize SYS1.LINKLIB and the REXX runtime, REXX.V1R4M0.SEAGLPA or REXX.V1R4M0.SEAGALT.
• (PROGxx/LPALSTxx) Place ISP.SISPLPA, ISP.SISPLOAD, SYS1.LINKLIB and the REXX runtime in LINKLIST/LPALIB.

Also, SCLM Developer Toolkit uses SDSF or the TSO OUTPUT command to retrieve job completion status and job output. Both methods require some additional attention:

• SDSF must be ordered, installed, and configured separately. It also requires the usage of JES2.
• The default settings for the TSO OUTPUT command let a user retrieve job output that begins with his user ID only. If you want to use the OUTPUT facility fully, then the sample TSO/E exit IKJEFF53 might need to be modified so that a user can retrieve job output he owns, but that does not begin with his user ID. For more information about this exit, refer to TSO/E Customization (SA22-7783).

Users require READ, WRITE, and EXECUTE permission to the z/OS UNIX directories /tmp/ and /var/rdz/WORKAREA/. Directory WORKAREA/ is located in /var/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

ISPF.conf updates for SCLMDT

SCLM Developer Toolkit uses the standard ISPF/SCLM skeletons, so ensure that skeleton library ISP.SISPSLIB is allocated to the ISPSLIB concatenation in ISPF.conf. The usage of the ISP.SISPSENU data set is optional.

ISPF.conf is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

The following sample code shows the ISPF.conf file, which must be customized to match your system environment. Comment lines start with an asterisk (*). Add data sets to the concatenation on the same line and separate the names with a comma (,). See ISPF.conf, ISPF's TSO/ISPF Client Gateway configuration file for more details on customizing ISPF.conf.

* REQUIRED:
sysproc=ISP.SISPCLIB,FEK.SFEKPROC
ispmlib=ISP.SISPMENU
isptlib=ISP.SISPTENU
ispplib=ISP.SISPPENU
ispslib=ISP.SISPSLIB

* OPTIONAL:
*allocjob = FEK.#CUST.CNTL(CRAISPRX)
*ISPF_timeout = 900

1. You can add your own DD-like statements and data set concatenations to customize the TSO environment, thus mimicking a TSO logon procedure. See Customizing the TSO environment for more details.
2. When you are doing batch builds, ensure that the customized version of the FLMLIBS skeleton is concatenated before the ISPF/SCLM skeleton library.

   ispslib=hlq.USERSKEL,ISP.SISPSLIB

rsed.envvars updates for SCLMDT

SCLM Developer Toolkit uses some directives set in rsed.envvars to locate data sets and directories.

rsed.envvars is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

The following code sample shows the SCLMDT directives in rsed.envvars, which must be customized to match your system environment. See rsed.envvars, RSE configuration file for more details on customizing rsed.envvars.

_SCLMDT_CONF_HOME=/var/rdz/sclmdt
#STEPLIB=$STEPLIB:FEK.SFEKAUTH:FEK.SFEKLOAD
#_SCLMDT_TRANTABLE=FEK.#CUST.LSTRANS.FILE
#ANT_HOME=/usr/lpp/Apache/Ant/apache-ant-1.7.1
_SCLMDT_BASE_HOME=$RSE_HOME
_SCLMDT_WORK_HOME=$_CMDSERV_WORK_HOME 
CGI_DTWORK=$_SCLMDT_WORK_HOME

(Optional) Long/short name translation

SCLM Developer Toolkit provides the ability to store long name files (which are files with names greater than 8 characters or in mixed case) into SCLM. This is achieved through the use of a VSAM file that contains the mapping of the long file name to the 8 character member name used in SCLM.

1. For versions previous to z/OS 1.8, this facility is provided through a base ISPF/SCLM PTF that addresses APAR OA11426.
2. The long/short name translation is also used by other SCLM-related products, such as IBM SCLM Administrator Toolkit.

Create LSTRANS.FILE, the long/short name translation VSAM

Customize and submit sample member FLM02LST in the ISPF sample library ISP.SISPSAMP, to create the long/short name translation VSAM. The configuration steps in this publication expect the VSAM to be named FEK.#CUST.LSTRANS.FILE, as shown in the following sample setup JCL.

//FLM02LST JOB <job parameters>
//*
//* CAUTION: This is neither a JCL procedure nor a complete job.
//* Before using this sample, you will have to make the following
//* modifications:
//* 1. Change the job parameters to meet your system requirements.
//* 2. Change ****** to the volume that will hold the VSAM.
//* 3. Change all references of FEK.#CUST.LSTRANS.FILE to 
//*    match your naming convention for the SCLM translate VSAM.
//*
//CREATE   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DELETE FEK.#CUST.LSTRANS.FILE
  SET MAXCC=0
  DEFINE CLUSTER(NAME(FEK.#CUST.LSTRANS.FILE) -
                 VOLUMES(******) -
                 RECORDSIZE(58 2048) -
                 SHAREOPTIONS(3 3) -
                 CYLINDERS(1 1) -
                 KEYS(8 0) -
                 INDEXED) -
         DATA   (NAME(FEK.#CUST.LSTRANS.FILE.DATA)) -
         INDEX  (NAME(FEK.#CUST.LSTRANS.FILE.INDEX))

  /* DEFINE ALTERNATE INDEX WITH NONUNIQUE KEYS -> ESDS */

  DEFINE ALTERNATEINDEX(-
                 NAME(FEK.#CUST.LSTRANS.FILE.AIX) -
                 RELATE(FEK.#CUST.LSTRANS.FILE) -
                 RECORDSIZE(58 2048) -
                 VOLUMES(******) -
                 CYLINDERS(1 1) -
                 KEYS(50 8) -
                 UPGRADE -
                 NONUNIQUEKEY) -
         DATA   (NAME(FEK.#CUST.LSTRANS.FILE.AIX.DATA)) -
         INDEX  (NAME(FEK.#CUST.LSTRANS.FILE.AIX.INDEX))
/*
//*
//PRIME    EXEC PGM=IDCAMS,COND=(0,LT)
//SYSPRINT DD SYSOUT=*
//INITREC  DD *
INITREC1
/*
//SYSIN    DD *
  REPRO INFILE(INITREC) -
        OUTDATASET(FEK.#CUST.LSTRANS.FILE)
  IF LASTCC = 4 THEN SET MAXCC=0

  BLDINDEX IDS(FEK.#CUST.LSTRANS.FILE) -
           ODS(FEK.#CUST.LSTRANS.FILE.AIX)

  IF LASTCC = 0 THEN -
    DEFINE PATH (NAME(FEK.#CUST.LSTRANS.FILE.PATH) -
           PATHENTRY (FEK.#CUST.LSTRANS.FILE.AIX))
/*

rsed.envvars updates for long/short name translation

Before using the long/short name translation, uncomment and set the rsed.envvars environment variable _SCLMDT_TRANTABLE to match the name of the long/short name translation VSAM.

rsed.envvars is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

(Optional) Install and customize Ant

This step is only required if you plan to use the JAVA/J2EE build support in SCLM.

Apache Ant is an open source Java build tool and can be downloaded from http://ant.apache.org/. Ant consists of text files and scripts which are distributed in ASCII format and thus require an ASCII/EBCDIC translation to run in z/OS UNIX.

Perform the following steps to implement Ant on z/OS, and to define it to Developer for System z:

• Download, in binary format, the latest Ant compressed file into the z/OS UNIX file system. It is recommended that you download the .zip version of ANT due to problems that might be encountered on z/OS when extracting versions of suffix format tar.gz or tar.bz2.
• Open a z/OS UNIX command-line session to continue the installation, for example with the TSO OMVS command.
• Make a home directory for the Ant install with the mkdir -p /home-dir command and make it your current directory with the cd /home-dir command.
• Use the JAR extract command jar -xf apache-ant-1.7.1.zip to extract the file to the current directory. A Java bin directory must be in your local z/OS UNIX PATH to use the jar command. Otherwise, fully qualify the command with the Java bin location (for example, /usr/lpp/java/J5.0/bin/jar -xf apache-ant-1.7.1.zip).
• Convert all Ant text files to EBCDIC by (optionally customizing and) executing sample script /usr/lpp/rdz/samples/BWBTRANT.
  Note:
  Execute this script only once. Multiple runs will corrupt your Ant install.
• To check for successful translation, locate and browse a text file within the ANT directory, such as apache-ant-1.7.1/README. If the file is readable, then the translation was successful.
• Use the chmod -R 755 * command to enable all users to READ and EXECUTE files in the ANT directory.
• Before using Ant, set the rsed.envvars environment variables JAVA_HOME and ANT_HOME.
  • JAVA_HOME is required to point to the Java home directory, for example:

    JAVA_HOME=/usr/lpp/java/IBM/J5.0

  • ANT_HOME is required to point to the Ant home directory, for example:

    ANT_HOME=/usr/lpp/Apache/Ant/apache-ant-1.7.1

For example:

• TSO OMVS
• mkdir -p /usr/lpp/Apache/Ant
• cd /usr/lpp/Apache/Ant
• jar -xf /u/userid/apache-ant-1.7.1
• /usr/lpp/rdz/samples/BWBTRANT
• cat ./apache-ant-1.7.1/README
• chmod -R 755 *
• oedit /etc/rsed.envvars

To test that the Ant initialization has been successful:

• Add the Ant and Java bin directories to the environment variable PATH.

  Example:

  export PATH=/usr/lpp/Apache/Ant/apache-ant-1.7.1/bin:/usr/lpp/java/IBM/J5.0/bin:$PATH

• Execute ant -version to display the version, if successfully installed.

  Example:

    ant -version

SCLM updates for SCLMDT

SCLM itself also requires customization to work with SCLM Developer Toolkit. Refer to IBM Rational Developer for System z SCLM Developer Toolkit Administrator's Guide (SC23-9801) for more information on the required customization tasks:

• Define language translators for JAVA/J2EE support
• Define SCLM types for JAVA/J2EE support

To complete the customization and project definition tasks, the SCLM administrator needs to know several Developer for System z customizable values, as described in Table 13.

Remove old files from WORKAREA

SCLM Developer Toolkit and ISPF's TSO/ISPF Client Gateway share the same WORKAREA, which might need a periodical cleanup. Refer to (Optional) WORKAREA cleanup for more information on this.

(Optional) Other customization tasks

This section combines a variety of optional customization tasks. Follow the instructions in the appropriate section to configure the desired service.

• (Optional) DB2 stored procedure
• (Optional) Enterprise Service Tools (EST) support
• (Optional) CICS bidirectional language support
• (Optional) Diagnostic IRZ error messages
• (Optional) RSE SSL encryption
• (Optional) RSE tracing
• (Optional) Host based property groups
• (Optional) Host based projects
• (Optional) File Manager integration
• (Optional) Uneditable characters
• (Optional) Using REXEC (or SSH)
• (Optional) APPC transaction for the TSO Commands service
• (Optional) WORKAREA cleanup

(Optional) DB2 stored procedure

Developer for System z provides a sample DB2 stored procedure (PL/I and COBOL Stored Procedure Builder) for building COBOL and PL/I Stored Procedures from within the Developer for System z client.

Workload Manager (WLM) changes

Use the workload management (WLM) panels to associate an application environment with the JCL procedure of the WLM address space for the PL/I and COBOL Stored Procedure Builder. Refer to MVS Planning Workload Management (SA22-7602) for information on how to do this.

PROCLIB changes

Customize the sample Stored Procedure task FEK.#CUST.PROCLIB(ELAXMSAM), as described within the member, and copy it to SYS1.PROCLIB. As shown in the following code sample, you have to provide the following:

• The name of the application environment defined in WLM for this Stored Procedure
• The DB2 subsystem name
• The high-level qualifier of various data sets

//ELAXMSAM PROC RGN=0M,
//            NUMTCB=1,
//            APPLENV=#wlmwd4z,
//            DB2SSN=#ssn,
//            DB2PRFX='DSN810',
//            COBPRFX='IGY.V3R4M0',
//            PLIPRFX='IBMZ.V3R6M0',
//            LIBPRFX='CEE',
//            LODPRFX='FEK'
//*
//DSNX9WLM EXEC PGM=DSNX9WLM,REGION=&RGN,TIME=NOLIMIT,DYNAMNBR=10,
//            PARM='&DB2SSN,&NUMTCB,&APPLENV'
//STEPLIB  DD DISP=SHR,DSN=&DB2PRFX..SDSNEXIT
//         DD DISP=SHR,DSN=&DB2PRFX..SDSNLOAD
//         DD DISP=SHR,DSN=&LIBPRFX..SCEERUN
//         DD DISP=SHR,DSN=&COBPRFX..SIGYCOMP
//         DD DISP=SHR,DSN=&PLIPRFX..SIBMZCMP
//SYSEXEC  DD DISP=SHR,DSN=&LODPRFX..SFEKPROC
//SYSTSPRT DD SYSOUT=*
//CEEDUMP  DD SYSOUT=*
//SYSABEND DD DUMMY
//SYSUT1   DD UNIT=SYSALLDA,SPACE=(CYL,(1,1))
//SYSUT2   DD UNIT=SYSALLDA,SPACE=(CYL,(1,1))
//SYSUT3   DD UNIT=SYSALLDA,SPACE=(CYL,(1,1))
//SYSUT4   DD UNIT=SYSALLDA,SPACE=(CYL,(1,1))
//SYSUT5   DD UNIT=SYSALLDA,SPACE=(CYL,(1,1))
//SYSUT6   DD UNIT=SYSALLDA,SPACE=(CYL,(1,1))
//SYSUT7   DD UNIT=SYSALLDA,SPACE=(CYL,(1,1))
//*

1. The DB2 stored procedure uses REXX exec ELAXMREX, located in FEK.SFEKPROC. Do not change this location if you want possible SMP/E maintenance to be activated automatically.
2. See Running multiple instances if you want to rename members ELAXMSAM or ELAXMREX.

DB2 changes

Customize and submit sample member ELAXMJCL in data set FEK.#CUST.JCL to define the Stored Procedure to DB2. Refer to the documentation within the member for customization instructions.

//ELAXMJCL JOB <job parameters>
//JOBPROC  JCLLIB ORDER=(#hlq.SDSNPROC)
//JOBLIB   DD DISP=SHR,DSN=#hlq.SDSNEXIT
//         DD DISP=SHR,DSN=#hlq.SDSNLOAD
//*
//RUNTIAD  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 DSN S(#ssn) R(1) T(1)
 RUN PROGRAM(DSNTIAD) PLAN(DSNTIAD) -
 LIB('#hlq.RUNLIB.LOAD')
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
 CREATE PROCEDURE SYSPROC.ELAXMREX
  ( IN  FUNCTION_REQUEST   VARCHAR(20)      CCSID EBCDIC
  , IN  SQL_ROUTINE_NAME   VARCHAR(27)      CCSID EBCDIC
  , IN  SQL_ROUTINE_SOURCE VARCHAR(32672)   CCSID EBCDIC
  , IN  BIND_OPTIONS       VARCHAR(1024)    CCSID EBCDIC
  , IN  COMPILE_OPTIONS    VARCHAR(255)     CCSID EBCDIC
  , IN  PRECOMPILE_OPTIONS VARCHAR(255)     CCSID EBCDIC
  , IN  PRELINK_OPTIONS    VARCHAR(32672)   CCSID EBCDIC
  , IN  LINK_OPTIONS       VARCHAR(255)     CCSID EBCDIC
  , IN  ALTER_STATEMENT    VARCHAR(32672)   CCSID EBCDIC
  , IN  SOURCE_DATASETNAME VARCHAR(80)      CCSID EBCDIC
  , IN  BUILDOWNER         VARCHAR(8)       CCSID EBCDIC
  , IN  BUILDUTILITY       VARCHAR(18)      CCSID EBCDIC
  , OUT RETURN_VALUE       VARCHAR(255)     CCSID EBCDIC )
 PARAMETER STYLE GENERAL  RESULT SETS 1
 LANGUAGE REXX            EXTERNAL NAME   ELAXMREX
 COLLID   DSNREXCS        WLM ENVIRONMENT ELAXMSAM
 PROGRAM TYPE MAIN        MODIFIES SQL DATA
 STAY RESIDENT NO         COMMIT ON RETURN NO
 ASUTIME NO LIMIT         SECURITY USER;

 COMMENT ON PROCEDURE SYSPROC.ELAXMREX IS
 'PLI & COBOL PROCEDURE PROCESSOR (ELAXMREX), INTERFACE LEVEL 0.01';

 GRANT EXECUTE ON PROCEDURE SYSPROC.ELAXMREX TO PUBLIC;
//*

(Optional) Enterprise Service Tools (EST) support

The Developer for System z client has a code generation component called Enterprise Service Tools (EST). Depending on the type of code being generated, this code relies on functions provided by the Developer for System z host install. Making these host functions available is described in the following sections:

• (Optional) Application Deployment Manager
• (Optional) CICS bidirectional language support
• (Optional) Diagnostic IRZ error messages

(Optional) CICS bidirectional language support

The Developer for System z Enterprise Service Tools (EST) component supports different formats of Arabic and Hebrew interface messages, as well as bidirectional data presentation and editing in all editors and views. In terminal applications, both left-to-right and right-to-left screens are supported, as well as numeric fields and fields with opposite-to-screen orientation.

Additional bidirectional features and functionality include the following:

• The EST service requestor dynamically specifies bidirectional attributes of interface messages.
• Bidirectional data processing in service flows is based on bidirectional attributes (text type, text orientation, numeric swapping, and symmetric swapping). These attributes can be specified in different stages of flow creation for both interface and terminal flows.
• EST-generated runtime code includes conversion of data between fields in messages that have different bidirectional attributes.

Additionally, EST-generated code can support bidi transformation in environments other than CICS SFR (Service Flow Runtime). One example is batch applications. You can make the EST generators to include calls to the bidirectional conversion routines by specifying the appropriate bidi transformation options in the EST generation wizards and linking the generated programs with the appropriate bidirectional conversion library, FEK.SFEKLOAD.

Perform the following tasks to activate CICS Bidirectional language support:

1. Place the FEK.SFEKLOAD load modules FEJBDCMP and FEJBDTRX in the CICS RPL concatenation (DD statement DFHRPL). You should do this by adding the installation data set to the concatenation so that applied maintenance is automatically available to CICS.
   Note:
   If you do not concatenate the installation data set but copy the modules into a new or existing data set, keep in mind that those modules are DLLs and MUST reside in a PDSE library.
2. Define FEJBDCMP and FEJBDTRX as programs to CICS using the appropriate CEDA command, for example:

   CEDA DEF PROG(FEJBDCMP) LANG(LE) G(xxx)
   CEDA DEF PROG(FEJBDTRX) LANG(LE) G(xxx)

(Optional) Diagnostic IRZ error messages

The Developer for System z client has a code generation component called Enterprise Service Tools (EST). In order for code generated by EST to issue diagnostic error messages, all IRZ* and IIRZ* modules in the FEK.SFEKLOAD load library must be made available to the generated code. EST can generate code for the following environments:

• CICS
• IMS
• MVS batch

When the generated code is executed in a CICS transaction, then add all IRZ* and IIRZ* modules in FEK.SFEKLOAD to the DFHRPL DD of the CICS region. You should do this by adding the installation data set to the concatenation so that applied maintenance is automatically available to CICS.

In all other situations, make all IRZ* and IIRZ* modules in FEK.SFEKLOAD available either through STEPLIB or LINKLIST. You should do this by adding the installation data set to the concatenation so that applied maintenance is automatically available to CICS.

If you decide to use STEPLIB, you must define the modules not available through LINKLIST in the STEPLIB directive of the task that executes the code.

If the load modules are not available and an error is encountered by the generated code, then following message will be issued:

IRZ9999S Failed to retrieve the text of a Language Environment runtime
message. Check that the Language Environment runtime message module for
facility IRZ is installed in DFHRPL or STEPLIB.

(Optional) RSE SSL encryption

External (client-host) communication can be encrypted using SSL (Secure Socket Layer). This feature is disabled by default and is controlled by the settings in ssl.properties.

ssl.properties is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command. Note that RSE must be restarted for the changes to take effect.

The client communicates with RSE daemon during connection setup and with RSE server during the actual session. Both data streams are encrypted when SSL is enabled.

RSE daemon and RSE server support different mechanisms to store certificates due to architectural differences between the two. This implies that SSL definitions are required for both RSE daemon and RSE server. A shared certificate can be used if RSE daemon and RSE server use the same certificate management method.

RSE daemon uses System SSL functions to manage SSL. This implies that SYS1.SIEALNKE must be program controlled by your security software and available to RSE via LINKLIST or the STEPLIB directive in rsed.envvars.

The following code sample shows the sample ssl.properties file, which must be customized to match your system environment. Comment lines start with a pound sign (#), when using a US code page. Data lines can only have a directive and its assigned value, comments are not allowed on the same line. Line continuations are not supported.

# ssl.properties - SSL configuration file
enable_ssl=false

# Daemon Properties

#daemon_keydb_file=
#daemon_keydb_password=
#daemon_key_label=

# Server Properties

#server_keystore_file=
#server_keystore_password=
#server_keystore_label=
#server_keystore_type=JCERACFKS

The daemon and server properties only need to be set if you enable SSL. Refer to Appendix A. Setting up SSL and X.509 authentication for more information on SSL setup.

enable_ssl

Enable or disable SSL communication. The default is false. The only valid options are true and false.

daemon_keydb_file

RACF (or similar security product) key ring name. Provide the key database name if you used gskkyman to create a key database instead of using a key ring. Uncomment and customize this directive if SSL is enabled.

daemon_keydb_password

Leave commented out or blank if you use a key ring, otherwise provide the key database password. Uncomment and customize this directive if SSL is enabled and you are using a gskkyman key database.

daemon_key_label

The certificate label used in the key ring or key database, if it is not defined as the default one. Must be commented out if the default is used. Uncomment and customize this directive if SSL is enabled and you are not using the default security certificate.

server_keystore_file

Name of the key store created by Java's keytool command, or the RACF (or similar security product) key ring name if server_keystore_type=JCERACFKS. Uncomment and customize this directive if SSL is enabled.

server_keystore_password

Leave commented out or blank if you use a key ring, otherwise provide the key store password. Uncomment and customize this directive if SSL is enabled and you are using a keytool key store.

server_keystore_label

The certificate label used in the key ring or key store. The default is the first valid certificate encountered. Uncomment and customize this directive if SSL is enabled and you are not using the default security certificate.

server_keystore_type

Key store type. The default is JKS. Valid values are:

Table 15. Valid keystore types

Keyword	Key store type
JKS	Java key store
JCERACFKS	SAF-compliant key ring, where the certificate's private key is stored in the security database.
JCECCARACFKS	SAF-compliant key ring, where the certificate's private key is stored using ICSF, the interface to System z cryptographic hardware.

security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA

security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL 

(Optional) RSE tracing

Developer for System z supports different levels of tracing the internal program flow for problem solving purposes. RSE, and some of the services called by RSE, use the settings in rsecomm.properties to know the desired detail level in the output logs.

rsecomm.properties is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command.

The following code sample shows the rsecomm.properties file, which can be customized to match your tracing needs. Comment lines start with a pound sign (#), when using a US code page. Data lines can only have a directive and its assigned value, comments are not allowed on the same line. Line continuations are not supported.

# server.version - DO NOT MODIFY!
server.version=5.0.0

# Logging level
# 0 - Log error messages
# 1 - Log error and warning messages
# 2 - Log error, warning and info messages
debug_level=1

# Log location
# Log_To_StdOut
# Log_To_File
log_location=Log_To_File

server.version

Logging server version. The default is 5.0.0. Do not modify.

debug_level

Detail level for output logs. The default is 1 (log error and warning messages). Note that debug_level controls the detail level of multiple services (and thus multiple output files). Increasing the detail level will cause performance degradations and should only be done under the direction of the IBM support center. Refer to RSE tracing for more information on which logs are controlled by this directive.

The valid values are the following:

0	Log error messages only.
1	Log error and warning messages.
2	Log error, warning, and informational messages.

Note:

debug_level can be changed dynamically with the modify rsecommlog operator command, as described in Operator commands.

log_location

Output medium for RSE related logging. The default is Log_To_File. Do not change when using the RSE daemon connection method (default), unless directed by the IBM support center.

The valid values are the following:

Log_To_File	Send log messages to a separate file in the log output directory. RSE daemon: rsedaemon.log in daemonlog RSE thread pools: rseserver.log in daemonlog User: rsecomm.log in userlog/.eclipse/RSE/$LOGNAME
Log_To_StdOut	Send log messages to stdout. RSE daemon: rerouted to DD STDOUT in the RSED started task RSE thread pools: undefined User: rerouted to stdout.log in userlog/.eclipse/RSE/$LOGNAME

daemonlog is the value of the daemon.log directive in rsed.envvars. If the daemon.log directive is commented out or not present, the home path of the user ID assigned to the RSED started task is used. The home path is defined in the OMVS security segment of the user ID.

User-specific logs go to userlog/.eclipse/RSE/$LOGNAME, where userlog is the value of the user.log directive in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID.

(Optional) Host based property groups

Developer for System z clients can define property groups which hold default values for various properties (for example, the COBOL compiler options to use when compiling COBOL source code). Developer for System z has some default values built in, but also allows defining custom, system-specific defaults.

The location of the custom property group and default value configuration files is defined in propertiescfg.properties, which is located in/etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command. Note that RSE must be restarted for the changes to take effect.

The following code sample shows the propertiescfg.properties file, which must be customized to match your system environment. Comment lines start with a pound sign (#), when using a US code page. Data lines can only have a directive and its assigned value. Comments are not allowed on the same line. Line continuations are not supported.

#
# host based property groups - root configuration file
#
ENABLED=FALSE
RDZ-VERSION=7.5.0.0
PROPERTY-GROUP=/var/rdz/properties
DEFAULT-VALUES=/var/rdz/properties

ENABLED

Indicates whether Developer for System z will use the property group and default value configuration files. The default is FALSE. The only valid options are TRUE and FALSE.

RDZ-VERSION

Minimum Developer for System z client level to use host-based property groups. The default is 7.5.0.0. Do not modify.

PROPERTY-GROUP

The location of the property group configuration file. The default is /var/rdz/properties.

DEFAULT-VALUES

The location of the default value configuration file. The default is /var/rdz/properties.

Refer to the Developer for System z Information Center (http://publib.boulder.ibm.com/infocenter/ratdevz/v7r6/index.jsp) for more information on creating the property group configuration file (propertygroups.xml) and the default value configuration file (defaultvalues.xml).

(Optional) Host based projects

z/OS Projects can be defined individually through the z/OS Projects perspective on the client or can be defined centrally on the host and propagated to the client on a per user basis. These "host-based projects" look and function exactly like projects defined on the client except that their structure, members, and properties cannot be modified by the client and they are only accessible when connected to the host.

The location of the project definitions is defined in projectcfg.properties, which is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command. Note that RSE must be restarted for the changes to take effect.

The following code sample shows the projectcfg.properties file, which must be customized to match your system environment. Comment lines start with a pound sign (#), when using a US code page. Data lines can only have a directive and its assigned value. Comments are not allowed on the same line. Line continuations are not supported.

#
# host based projects - root configuration file
#
# WSED-VERSION - do not modify !
WSED-VERSION=7.0.0.0
# specify the location of the host based project definition files
PROJECT-HOME=/var/rdz/projects

WSED-VERSION

Minimum Developer for System z client level to use host-based projects. The default is 7.0.0.0. Do not modify.

PROJECT-HOME

The base directory for the project definitions. The default is /var/rdz/projects.

Refer to Developer for System z Information Center (http://publib.boulder.ibm.com/infocenter/ratdevz/v7r6/index.jsp) for more information on host-based projects.

(Optional) File Manager integration

Developer for System z supports direct access from the client to a limited set of IBM File Manager for z/OS functions. IBM File Manager for z/OS provides comprehensive tools for working with MVS data sets, z/OS UNIX files, DB2, IMS and CICS data. These tools include the familiar browse, edit, copy, and print utilities found in ISPF, enhanced to meet the needs of application developers. In the current version of Developer for System z, only browse and edit of MVS data sets (including all types of VSAM), creating and editing MVS data set templates (including dynamic templates), and advanced copy utilities are supported.

Note that the IBM File Manager for z/OS product must be ordered, installed and configured separately. Refer to Rational Developer for System z Prerequisites (SC23-7659) to know which level of File Manger is required for your version of Developer for System z. The installation and customization of this product is not described in this manual.

Note that both Developer for System z and File Manger no longer support the batch interface to access File Manager services. Usage of the File Manager listener is now required.

The File Manager Integration definitions needed by Developer for System z are stored in FMIEXT.properties, which is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup more details. You can edit the file with the TSO OEDIT command. Note that RSE must be restarted for the changes to take effect.

The following code sample shows the FMIEXT.properties file, which must be customized to match your system environment. Comment lines start with a pound sign (#), when using a US code page. Data lines can only have a directive and its assigned value. Comments are not allowed on the same line. Line continuations are not supported.

# File Manager Integration (FMI) Extension properties
#
enabled=false    
fmlistenport=1960

enabled

Indicates whether the File Manager listener is available on the same host system or not. The default value is false. The only values allowed are true and false.

fmlistenport

Port used by the File Manager listener. The default is 1960. Communication on this port is confined to your host machine.

(Optional) Uneditable characters

Some characters do not translate well between host code pages (EBCDIC based) and client code pages (ASCII based). The Developer for System z client editor uses the definitions in uchars.settings file to identify these uneditable characters.

uchars.settings is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details. You can edit the file with the TSO OEDIT command. Note that RSE must be restarted for the changes to take effect. Also note that it is advised not to change this file, unless directed by IBM support center.

# uchars.settings - uneditable code points
#
# By default everything below x'40' is uneditable
*          *          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                      10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
                      20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
                      30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F;
# SBCS
IBM-037    Cp1252     0D 15 25;
IBM-037    UTF-8      0D 15 25;
IBM-424    Cp1255     0D 15 25;
IBM-424    UTF-8      0D 15 25;
# DBCS
IBM-939    MS932      0D 15 1E 1F 25;

The file consists of multiple entries in the following format:

HOST-CODEPAGE  LOCAL-CODEPAGE  HEX-CODEPOINTS ;

Where HEX-CODEPOINTS is a blank-delimited list of 2-digit hexadecimal code points which identify the uneditable characters. The list must end with a semicolon (;).

The following syntax rules apply:

• Comment lines start with a pound sign (#), when using a US code page.
• Data lines can only have data, comments are not allowed on the same line.
• An asterisk (*) can be used for HOST-CODEPAGE and/or LOCAL-CODEPAGE. It acts as a wildcard and represents all codepages.
• Specific entries take precedence over generic (wildcard) entries.
• "host-cp *" takes precedence if "host-cp *" and "* local-cp" are both specified and not overridden by "host-cp local-cp".
• If the same codepage pair is specified more than once, then the last entry will be used.

(Optional) Using REXEC (or SSH)

REXEC (Remote Execution) is a TCP/IP service to let clients execute a command on the host. SSH (Secure Shell) is a similar service, but here all communication is encrypted using SSL (Secure Socket Layer). Developer for System z uses either service for doing remote (host-based) actions in z/OS UNIX subprojects.

Developer for System z can also be configured to use REXEC (or SSH) to start an RSE server on the host. Note, however, that each connection started this way will result in a separate RSE server, each using a fair amount of system resources. Therefore, this alternate connection method is only viable for a small number of connections.

Also, since the REXEC (or SSH) alternative connection method bypasses the RSE daemon, it does not have access to all host services described in this publication, such as single server processing and audit. Contact IBM support to learn if a specific host service is supported by the REXEC alternate connection method.

Remote (host-based) actions for z/OS UNIX subprojects

Remote (host-based) actions for z/OS UNIX subprojects require that REXEC or SSH is active on the host. If REXEC/SSH is not configured to use the default port, the Developer for System z client must define the correct port for use by z/OS UNIX subprojects. This can be done by selecting the Window > Preferences... > z/OS Solutions > USS Subprojects > Remote Action Options preference page. Refer to REXEC (or SSH) set up to know which port is used.

Alternate RSE connection method

Developer for System z clients need to know two values to start an RSE connection through REXEC (or SSH), as follows:

• The directory where the server.zseries startup script is located.

  server.zseries is located in /etc/rdz/, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

• The port that is being used.

  Refer to REXEC (or SSH) set up to know which port is used.

REXEC (or SSH) set up

Communications Server IP Configuration Guide (SC31-8775) describes the steps required to set up REXEC (or SSH). Refer to Appendix C. Setting up INETD for Developer for System z specific setup considerations (there are no Developer for System z specific setup steps).

A common port used by REXEC is 512. To verify this, you can check /etc/inetd.conf and /etc/services to find the port number used.

• Find the service name (1st word, exec in this example) of the rexecd server (7th word) in /etc/inetd.conf.

  exec  stream tcp nowait OMVSKERN /usr/sbin/orexecd rexecd -LV

• Find the port (2nd word, 512 in this example) attached to this service name (1st word) in /etc/services.

  exec      512/tcp      #REXEC   Command Server

The same principle applies to SSH. Its common port is 22, and the server name is sshd.

(Optional) APPC transaction for the TSO Commands service

The TSO Commands service can be implemented as an APPC transaction program, FEKFRSRV. This transaction acts as a host server to execute TSO and ISPF commands that are issued from the workstation. APPC is not required on the workstation because the client communicates with FEKFRSRV through RSE. Each client can have an active connection to multiple hosts at the same time.

1. By default, Developer for System z uses ISPF's TSO/ISPF Client Gateway to access the TSO Commands service.
2. If you are unfamiliar with APPC, refer toAppendix D. Setting up APPC before continuing with this section.
3. RSE uses the TCP/IP REXX socket API to communicate with FEKFRSRV. This implies that the TCP/IP load library, default TCPIP.SEZALOAD, must be available either via LINKLIST or the STEPLIB directive in rsed.envvars.
4. RSE must be restarted for the described changes to take effect.

Preparation

• The following tasks are a prerequisite and must be completed before configuring the TSO Commands Server. The mentioned publications describe these tasks.
  1. Install, configure, and start VTAM® on your z/OS system. Refer to Communications Server IP SNA Network Implementation Guide (SC31-8777) for more information.
  2. Install, configure, and start TCP/IP on your z/OS system. Refer to Appendix B. Setting up TCP/IP for more information.
  3. Configure and start APPC and the APPC transaction scheduler (ASCH) subsystem. Refer to Appendix D. Setting up APPC for more information.
• The following sample REXX can be used to manage APPC through ISPF panels.
  Figure 28. REXX for APPC ISPF panels

  /* REXX -- APPC administration using ISPF panels */
  address ISPEXEC
  "LIBDEF ISPMLIB DATASET ID('ICQ.ICQMLIB') STACK"
  "LIBDEF ISPPLIB DATASET ID('ICQ.ICQPLIB') STACK"
  "LIBDEF ISPSLIB DATASET ID('ICQ.ICQSLIB') STACK"
  "LIBDEF ISPTLIB DATASET ID('ICQ.ICQTLIB') STACK"
  address TSO "ALTLIB ACT APPLICATION(CLIST)",
              "DSN('ICQ.ICQCCLIB') UNCOND QUIET"
  "SELECT CMD(%ICQASRM0) NEWAPPL(ICQ) PASSLIB"
  address TSO "ALTLIB DEACT APPLICATION(CLIST) QUIET"
  "LIBDEF ISPMLIB"
  "LIBDEF ISPPLIB"
  "LIBDEF ISPSLIB"
  "LIBDEF ISPTLIB"
  exit

  Note:
  Be aware that you can deactivate the APPC transaction with this tool; the transaction is still there but will not accept any connections.
• The definition of the APPC transaction requires skills in various fields of the MVS operating system. Consult with experienced administrators using following checklist before continuing.

  Table 16. APPC transaction checklist

  Expertise	Required information: Default value Where to find the answer	Value
  APPC	Data set name of TPDATA Default: SYS1.APPCTP Value is listed in SYS1.PARMLIB(APPCPMxx)
  APPC	Transaction name to be used (may not exist) Default: FEKFRSRV Existing transactions can be queried by selecting "TP Profile Administration" in the APPC ISPF menu
  APPC	APPC transaction class to be used Default: A APPC classes are defined in SYS1.PARMLIB(ASCHPMxx)
  WLM/SRM	TSO performance group and domain No IBM default (site-dependent)
  RACF	Every Developer for System z user has access to an OMVS segment (this is required) No IBM default (site-dependent) TSO RACF command LU userid OMVS will display an existing personal OMVS segment
  RACF	Every Developer for System z user must have READ access to hlq.SFEKPROC(FEKFRSRV) No IBM default (site-dependent) TSO RACF command LD AUTHUSER DATASET('hlq.SFEKPROC.**') will display users and groups and their access level for the data sets covered by the data set profile

Refer to MVS Planning Workload Management (SA22-7602) for more information on WLM/SRM management. Refer to Security Server RACF Security Administrator's Guide (SA22-7683) for more information on OMVS segments and data set protection profiles.

Implementation

1. Define the scheduling information (class) for the APPC transaction scheduler if you are not using an existing transaction class. Include a definition in SYS1.PARMLIB(ASCHPMxx) for the class to be used by the transaction program FEKFRSRV. This class is used in sample JCL FEK.#CUST.JCL(FEKAPPCC). Therefore the class in FEKAPPCC must match the class defined in SYS1.PARMLIB(ASCHPMxx). For example:

   CLASSADD
     CLASSNAME(A)
     MAX(20)
     MIN(1)
     MSGLIMIT(200)
    

   Notes:
   1. The TSO Commands service needs the default specifications to be specified in the OPTIONS and TPDEFAULT sections of SYS1.PARMLIB(ASCHPMxx). Refer to Appendix D. Setting up APPC for more information.
   2. The APPC transaction class used must have enough APPC initiators to allow one initiator for each concurrent user of Developer for System z.
2. Define the APPC transaction that will act as a command server. You can use the sample JCL FEK.#CUST.JCL(FEKAPPCC) to define this transaction. Instructions on how to customize this JCL are located within the JCL.
   Notes:
   1. If you changed the transaction program name (default FEKFRSRV) in this step, the new name must be assigned to _FEKFSCMD_TP_NAME_ in rsed.envvars, as described in rsed.envvars, RSE configuration file.
   2. The APPC transaction uses the REXX exec FEKFRSRV, located in FEK.SFEKPROC. Do not change this location if you want possible SMP/E maintenance to be activated automatically.
   3. Sample JCL is also provided to display, FEK.#CUST.JCL(FEKAPPCL), or delete, FEK.#CUST.JCL(FEKAPPCX), the transaction.
3. Enable RSE to use APPC by uncommenting the RSE_JAVAOPTS="$_RSE_JAVAOPTS -DTSO_SERVER=APPC" directive in rsed.envvars, as described in rsed.envvars, RSE configuration file.
4. Control the dispatching priority of the transaction program by associating FEKFRSRV with a domain and performance group in Workload Manager (WLM). Because FEKFRSRV issues TSO commands, it should be assigned to a TSO performance group.
5. Define a default OMVS segment for the system or an individual one for each user of Developer for System z.
6. Give Developer for System z users READ access to FEK.SFEKPROC, the Developer for System z TSO executable library.

APPC usage considerations

• When using APPC for the TSO Commands service, Developer for System z is dependent upon TCP/IP having the correct hostname when it is initialized. This implies that the different TCP/IP and Resolver configuration files must be set up correctly. For TCP/IP and Resolver customization information, refer to Appendix B. Setting up TCP/IP and TCPIP.DATA configuration statements in the Communications Server IP Configuration Reference (SC31-8776).

  You can test your TCP/IP configuration by starting the RSE daemon with the IVP=IVP parameter or with the fekfivpt installation verification program (IVP), as documented in Installation verification .

• When using APPC for the TSO Commands service, Developer for System z requires an extra socket (TCP/IP port) for host-confined communication per opened MVS file. Any available port will be used. This port selection mechanism cannot be changed.
• When using APPC for the TSO Commands service, reading and writing an MVS data set requires the use of a socket physical file system domain. If the file system is not properly defined or it has not enough sockets, the lock manager (FFS) might fail read/write requests. See Opening MVS data sets fails.
• When using APPC for the TSO Commands service to avoid setting up ISPF's TSO/ISPF Client Gateway, be aware that other services, such as SCLM Developer Toolkit, rely on the TSO/ISPF Client Gateway.
• Refer to Appendix D. Setting up APPC for general APPC usage considerations

(Optional) WORKAREA cleanup

ISPF's TSO/ISPF Client Gateway and the SCLM Developer Toolkit function use the WORKAREA directory to store temporary work files, which are removed before the session is closed. However, temporary output is sometimes left behind, for example, if there is a communication error while processing. For this reason, it is recommended that you clear out the WORKAREA directory from time to time.

z/OS UNIX provides a shell script, skulker, that deletes files based upon the directory they are in and their age. Combined with the z/OS UNIX cron daemon, which runs commands at specified dates and times, you can set up an automated tool that periodically cleans out the WORKAREA directory. Refer to UNIX System Services Command Reference (SA22-7802) for more information on the skulker script and the cron daemon.

Installation verification

Verify started tasks

JMON, JES Job Monitor

Start the JMON started task (or user job). The startup information in DD STDOUT should end with the following message:

JM200I Server initialization complete.

If the job ends with return code 66, then FEK.SFEKAUTH is not APF authorized.

LOCKD, Lock daemon

Start the LOCKD started task (or user job). The lock daemon issues the following console message upon successful startup:

FEK501I Lock daemon started, port=4036, cleanup interval=1440,
 log level=1

RSED, RSE daemon

Start the RSED started task (or user job) with the IVP=IVP parameter. With this parameter, the server will end after doing some installation verification tests. The output of these tests is available in DD STDOUT. In case of certain errors, data will also be available in DD STDERR. The STDOUT data should look like the following sample:

FEK002I RseDaemon started. (port=4035)

RSE daemon IVP test

Wed Jul 2 17:11:52 2008 UTC
uid=8(STCRSE) gid=1(STCGROUP)

RSE daemon port is 4035
RSE configuration files located in /etc/rdz

-------------------------------------------------------------
current environment variables
-------------------------------------------------------------
@="/usr/lpp/rdz/bin/rsed.sh" @[1]="4035" @[2]="/etc/rdz"
CGI_DTCONF="/var/rdz/sclmdt"
CGI_DTWORK="/var/rdz"
CGI_TRANTABLE="FEK.#CUST.LSTRANS.FILE"
CLASSPATH=".:/usr/lpp/rdz/lib:/usr/lpp/rdz/lib/dstore_core.jar:/usr/lpp/
ERRNO="0"
HOME="/tmp"
IFS="
"
JAVA_HOME="/usr/lpp/java/J5.0"
JAVA_PROPAGATE="NO"
LANG="C"
LIBPATH=".:/usr/lib:/usr/lpp/java/J5.0/bin:/usr/lpp/java/J5.0/bin/classi
LINENO="66"
LOGNAME="STCRSE"
MAILCHECK="600"
OLDPWD="/tmp"
OPTIND="1"
PATH=".:/usr/lpp/java/J5.0/bin:/usr/lpp/rdz/bin:/usr/lpp/ispf/bin:/bin:/
PPID="33554711"
PS1="\$ "
PS2="> "
PS3="#? "
PS4="+ "
PWD="/etc/rdz"
RANDOM="27298"
RSE_CFG="/etc/rdz"
RSE_HOME="/usr/lpp/rdz"
RSE_LIB="/usr/lpp/rdz/lib"
SECONDS="0"
SHELL="/bin/sh"
STEPLIB="NONE"
TZ="EST5EDT"
_BPX_SHAREAS="YES"
_BPX_SPAWN_SCRIPT="YES"
_CEE_DMPTARG="/tmp"
_CEE_RUNOPTS="ALL31(ON) HEAP(32M,32K,ANYWHERE,KEEP,,) TRAP(ON)"
_CMDSERV_BASE_HOME="/usr/lpp/ispf"
_CMDSERV_CONF_HOME="/etc/rdz"
_CMDSERV_WORK_HOME="/var/rdz"
_RSE_CMDSERV_OPTS="&SESSION=SPAWN"
_RSE_DAEMON_CLASS="com.ibm.etools.zos.server.RseDaemon"
_RSE_DAEMON_IVP_TEST="1"
_RSE_DAEMON_PORT="4035"
_RSE_JAVAOPTS=" -DISPF_OPTS='&SESSION=SPAWN' -DA_PLUGIN_PATH=/usr/lpp/rd
_RSE_POOL_SERVER_CLASS="com.ibm.etools.zos.server.ThreadPoolProcess"
_RSE_PWD="/tmp"
_RSE_SERVER_CLASS="org.eclipse.dstore.core.server.Server"
_RSE_SERVER_TIMEOUT="120000"
_SCLMDT_BASE_HOME="/usr/lpp/rdz"
_SCLMDT_CONF_HOME="/var/rdz/sclmdt"
_SCLMDT_TRANTABLE="FEK.#CUST.LSTRANS.FILE"
_SCLMDT_WORK_HOME="/var/rdz"
_SCLM_BASE="/var/rdz/WORKAREA"
_SCLM_BWBCALL="/usr/lpp/rdz/bin/BWBCALL"
_SCLM_DWGET="/var/rdz/WORKAREA"
_SCLM_DWTRANSFER="/var/rdz/WORKAREA"
_SCLM_J2EEPUT="/var/rdz/WORKAREA"

-------------------------------------------------------------
java startup test...
-------------------------------------------------------------
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pmz31dev-2008031
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 z/OS s390-31 j9vmmz3123-2008
J9VM - 20080314_17962_bHdSMr
JIT  - 20080130_0718ifx2_r8
GC   - 200802_08)
JCL  - 20080314

-------------------------------------------------------------
TCP/IP IVP test...
-------------------------------------------------------------

Wed Jul  2 13:11:54 EDT 2008
uid=8(STCRSE) gid=1(STCGROUP)
using /etc/rdz/rsed.envvars

-------------------------------------------------------------
TCP/IP resolver configuration (z/OS UNIX search order):
-------------------------------------------------------------
Resolver Trace Initialization Complete -> 2008/07/02 13:11:54.745964

res_init Resolver values:
 Global Tcp/Ip Dataset  = None
 Default Tcp/Ip Dataset = None
 Local Tcp/Ip Dataset   = /etc/resolv.conf
 Translation Table      = Default
 UserId/JobName         = STCRSE
 Caller API             = LE C Sockets
 Caller Mode            = EBCDIC
 (L) DataSetPrefix = TCPIP
 (L) HostName      = CDFMVS08
 (L) TcpIpJobName  = TCPIP
 (L) DomainOrigin  = RALEIGH.IBM.COM
 (L) NameServer    = 9.42.206.2
                     9.42.206.3
 (L) NsPortAddr    = 53            (L) ResolverTimeout    = 10
 (L) ResolveVia    = UDP           (L) ResolverUdpRetries = 1
 (*) Options NDots = 1
 (*) SockNoTestStor
 (*) AlwaysWto     = NO            (L) MessageCase        = MIXED
 (*) LookUp        = DNS LOCAL
res_init Succeeded
res_init Started: 2008/07/02 13:11:54.755363
res_init Ended: 2008/07/02 13:11:54.755371
************************************************************************
MVS TCP/IP NETSTAT CS V1R9       TCPIP Name: TCPIP           13:11:54
Tcpip started at 01:28:36 on 06/23/2008 with IPv6 enabled

-------------------------------------------------------------
host IP address:
-------------------------------------------------------------
hostName=CDFMVS08
hostAddr=9.42.112.75
bindAddr=9.42.112.75
localAddr=9.42.112.75

Success, addresses match

-------------------------------------------------------------
PassTicket IVP test...
-------------------------------------------------------------

Success, PassTicket IVP finished normally

-------------------------------------------------------------RSE daemon IVP ended

Verify services

The Developer for System z installation provides several Installation Verification Programs (IVP) for the basic and optional services. The IVP scripts are located in the installation directory, default /usr/lpp/rdz/bin/.

The tasks described below expect you to be active in z/OS UNIX. This can be done by issuing the TSO command OMVS. Use the exit command to return to TSO.

A large region size is required for the user ID that executes the IVPs, because functions such as Java, which require a lot of memory, will be executed. You should set the region size to 131072 kilobytes (128 megabytes) or higher.

The following sample error is a clear indication of an insufficient region size. (But other errors can occur, too. For example, Java may fail to start.)

CEE5213S The signal SIGPIPE was received.
%z/OS UNIX command%: command was killed by signal number 13
    %line-number% *-*   %REXX command%
       +++ RC(137) +++ 

IVP initialization

All sample commands in this section expect that certain environment variables are set. This way, the IVP scripts are available through the PATH statement and the location of the customized configuration files is known. Use the pwd and cd commands to verify and change your current directory to the directory with the customized configuration files. The ivpinit shell script can then be used to set the RSE environment variables, such as in the following sample ($ is the z/OS UNIX prompt):

$ pwd
/u/userid
$ cd /etc/rdz
$ . ./ivpinit
RSE configuration files located in /etc/rdz --default
added /usr/lpp/rdz/bin to PATH

The first "." (dot) in . ./ivpinit is a z/OS UNIX command to run the shell in the current environment, so that the environment variables set in the shell are effective even after exiting the shell. The second one is referring to the current directory.

For information on diagnosing RSE connection problems, see Troubleshooting configuration problems or the Technotes on the Developer for System z Support Page http://www-306.ibm.com/software/awdtools/rdz/support/.

Port availability

The JES Job Monitor, RSE daemon, and optionally REXEC or SSH port availability can be verified by issuing the netstat command. The result should show the ports used by these services, as in the following samples ($ is the z/OS UNIX prompt):

IPv4

$ netstat
MVS TCP/IP NETSTAT CS VxRy    TCPIP Name: TCPIP       13:57:36
User Id  Conn     Local Socket      Foreign Socket    State
-------  ----     ------------      --------------    -----
INETD4   00000014 0.0.0.0..22       0.0.0.0..0        Listen
INETD4   00000030 0.0.0.0..512      0.0.0.0..0        Listen
RSED     0000004B 0.0.0.0..4035     0.0.0.0..0        Listen
LOCKD    0000004C 0.0.0.0..4036     0.0.0.0..0        Listen
JMON     00000037 0.0.0.0..6715     0.0.0.0..0        Listen

IPv6

$ netstat
MVS TCP/IP NETSTAT CS VxRy    TCPIP Name: TCPIP       14:03:35
User Id  Conn     State
-------  ----     -----
INETD4   00000018 Listen
  Local Socket:   0.0.0.0..22
  Foreign Socket: 0.0.0.0..0
INETD4   00000046 Listen
  Local Socket:   0.0.0.0..512
  Foreign Socket: 0.0.0.0..0
RSED     0000004B Listen
  Local Socket:   0.0.0.0..4035
  Foreign Socket: 0.0.0.0..0
LOCKD    0000004C Listen
  Local Socket:   0.0.0.0..4036
  Foreign Socket: 0.0.0.0..0
JMON     00000037 Listen
  Local Socket:   0.0.0.0..6715
  Foreign Socket: 0.0.0.0..0

TCP/IP setup

When using APPC for the TSO Commands service, Developer for System z is dependent upon TCP/IP having the correct hostname when it is initialized. This implies that the different TCP/IP and Resolver configuration files must be set up correctly. Refer to Appendix B. Setting up TCP/IP for more information on TCP/IP and Resolver setup. Verify the current settings by executing the following command:

fekfivpt

The command should return an output like that in this sample ($ is the z/OS UNIX prompt):

$ fekfivpt

Wed Jul  2 13:11:54 EDT 2008
uid=1(USERID) gid=0(GROUP)
using /etc/rdz/rsed.envvars

current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

-------------------------------------------------------------
TCP/IP resolver configuration (z/OS UNIX search order):
-------------------------------------------------------------
Resolver Trace Initialization Complete -> 2008/07/02 13:11:54.745964

res_init Resolver values:
 Global Tcp/Ip Dataset  = None
 Default Tcp/Ip Dataset = None
 Local Tcp/Ip Dataset   = /etc/resolv.conf
 Translation Table      = Default
 UserId/JobName         = USERID
 Caller API             = LE C Sockets
 Caller Mode            = EBCDIC
 (L) DataSetPrefix = TCPIP
 (L) HostName      = CDFMVS08
 (L) TcpIpJobName  = TCPIP
 (L) DomainOrigin  = RALEIGH.IBM.COM
 (L) NameServer    = 9.42.206.2
                     9.42.206.3
 (L) NsPortAddr    = 53            (L) ResolverTimeout    = 10
 (L) ResolveVia    = UDP           (L) ResolverUdpRetries = 1
 (*) Options NDots = 1
 (*) SockNoTestStor
 (*) AlwaysWto     = NO            (L) MessageCase        = MIXED
 (*) LookUp        = DNS LOCAL
res_init Succeeded
res_init Started: 2008/07/02 13:11:54.755363
res_init Ended: 2008/07/02 13:11:54.755371
************************************************************************
MVS TCP/IP NETSTAT CS V1R9       TCPIP Name: TCPIP           13:11:54
Tcpip started at 01:28:36 on 06/23/2008 with IPv6 enabled

-------------------------------------------------------------
host IP address:
-------------------------------------------------------------
hostName=CDFMVS08
hostAddr=9.42.112.75
bindAddr=9.42.112.75
localAddr=9.42.112.75

Success, addresses match

RSE daemon connection

Verify the RSE daemon connection by executing the following command. Replace 4035 with the port used by the RSE daemon and USERID by a valid user ID.

fekfivpd 4035 USERID

After prompting you for a password, the command should return an output like that in the following sample ($ is the z/OS UNIX prompt):

$ fekfivpd 4035 USERID

Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)
using /etc/rdz/rsed.envvars

current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

Password:
SSL is disabled
connected
8108
570655399
Success

JES Job Monitor connection

Verify the JES Job Monitor connection by executing the following command. Replace 6715 with the JES Job Monitor port number.

fekfivpj 6715

The command should return the JES Job Monitor acknowledge message, like that in the following sample ($ is the z/OS UNIX prompt):

$ fekfivpj 6715

Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)
using /etc/rdz/rsed.envvars

current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

hostName=CDFMVS08
hostAddr=9.42.112.75
Waiting for JES Job Monitor response...
ACKNOWLEDGE01v03

Success

Lock daemon connection

Verify the lock daemon connection by executing the following command.

fekfivpl

The command should return an output like that in the following sample ($ is the z/OS UNIX prompt):

$ fekfivpl

Mon Jun 29 08:00:38 EDT 2009
uid=1(USERID) gid=0(GROUP)
using /etc/rdz/rsed.envvars

current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

hostName=CDFMVS08
hostAddr=9.42.112.75

Registering user to Lock Daemon...
Waiting for Lock Daemon response...

Querying to Lock Daemon...
Waiting for Lock Daemon response...
USERID


Unregistering user from Lock Daemon...
Waiting for Lock Daemon response...

Querying to Lock Daemon...
Waiting for Lock Daemon response...


Success

ISPF's TSO/ISPF Client Gateway connection

Verify the connection to ISPF's TSO/ISPF client Gateway by executing the following command:

fekfivpi

The command should return the result of ISPF's TSO/ISPF client Gateway-related checks (variables, HFS modules, starting and stopping TSO/ISPF session), like that in the following sample ($ is the z/OS UNIX prompt):

$ fekfivpi
 
Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)
using /etc/rdz/rsed.envvars
 
current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

-------------------------------------------------------------
/etc/rdz/ISPF.conf content:
-------------------------------------------------------------
 
ispmlib=ISP.SISPMENU 
isptlib=ISP.SISPTENU 
ispplib=ISP.SISPPENU 
ispslib=ISP.SISPSLIB 
sysproc=ISP.SISPCLIB,FEK.SFEKPROC 
 
-------------------------------------------------------------
Host install verification for RSE
Review IVP log messages from HOST below :
-------------------------------------------------------------

RSE connection and base TSO/ISPF session initialization check only

*** CHECK : ENVIRONMENT VARIABLES - key variables displayed below :

Server PATH         = 
/usr/lpp/java/J5.0/bin:/usr/lpp/rdz/lib:/usr/lpp/ispf/bin:
/bin:/usr/sbin:.

STEPLIB             = FEK.SFEKAUTH:FEK.SFEKLOAD

_CMDSERV_BASE_HOME  = /usr/lpp/ispf
_CMDSERV_CONF_HOME  = /etc/rdz
_CMDSERV_WORK_HOME  = /var/rdz
-------------------------------------------------------------
*** CHECK : USS MODULES
Checking ISPF Directory : /usr/lpp/ispf
Checking modules in /usr/lpp/ispf/bin directory
Checking for ISPF configuration file ISPF.conf
RC=0
MSG: SUCCESSFUL

-------------------------------------------------------------
*** CHECK : TSO/ISPF INITIALIZATION
( TSO/ISPF session will be initialized )
RC=0
MSG: SUCCESSFUL

-------------------------------------------------------------
*** CHECK: Shutting down TSO/ISPF IVP session
RC=0
MSG: SUCCESSFUL

-------------------------------------------------------------
Host installation verification completed successfully
-------------------------------------------------------------

fekfivpi has the following optional, non-positional, parameters:

-file

fekfivpi can produce large amounts of output (hundreds of lines). The -file parameter sends this output to a file, userlog/.eclipse/RSE/$LOGNAME/fekfivpi.log, where userlog is the value of the user.log directive in rsed.envvars, and $LOGNAME is your user ID (uppercase). If the user.log directive is commented out or not present, your home path is used. The home path is defined in your OMVS security segment.

-debug

The -debug parameter creates detailed test output. Do not use this option unless directed by the IBM support center.

(Optional) TSO Commands service connection using APPC

Verify the connection to the TSO Command server (using APPC) by executing the following command. Replace USERID with a valid user ID:

fekfivpa USERID

After prompting you for a password, the command should return the APPC conversation, like that in the following sample ($ is the z/OS UNIX prompt):

$ fekfivpa USERID
Enter password:
 
Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)
using /etc/rdz/rsed.envvars
 
current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

20070607 13:57:18.584060 /usr/lpp/rdz/bin/fekfscmd: version=Oct 2003
20070607 13:57:18.584326 Input parms: 1.2.3.4 * NOTRACE USERID ********
20070607 13:57:18.586800 APPC: Allocate succeeded
20070607 13:57:18.587022  Conversation id is 0DDBD3F80000000D
20070607 13:57:18.587380 APPC: Set Send Type succeeded
20070607 13:57:26.736674 APPC: Confirm succeeded
20070607 13:57:26.737027  Req to send recd value is  0
20070607 13:57:26.737546 APPC: SEND_DATA return_code = 0
20070607 13:57:26.737726  request_to_send_received =  0
20070607 13:57:26.737893  Send Data succeeded
20070607 13:57:26.738169 APPC: Set Prepare to Receive type succeeded
20070607 13:57:26.738580 APPC: Prepare to Receive succeeded
20070607 13:57:26.808899 APPC: Receive data
20070607 13:57:26.809122  RCV return_code = 0
20070607 13:57:26.809270  RCV data_received= 2
20070607 13:57:26.809415  RCV received_length= 29
20070607 13:57:26.809556  RCV status_received= 4
20070607 13:57:26.809712  RCV req_to_send= 0
20070607 13:57:26.809868  Receive succeeded
:IP: 0 9.42.112.75 1674 50246
20070607 13:57:26.810533 APPC: CONFIRMED succeeded

(Optional) SCLMDT connection

Verify the connection to SCLM Developer Toolkit by executing the following command:

fekfivps

The command should return the result of SCLM Developer Toolkit related checks (variables, HFS modules, REXX runtime, starting and stopping TSO/ISPF session), like that in the following sample ($ is the z/OS UNIX prompt):

$ fekfivps

Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)
using /etc/rdz/rsed.envvars
 
current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

-------------------------------------------------------------
/etc/rdz/ISPF.conf content:
-------------------------------------------------------------
 
ispmlib=ISP.SISPMENU 
isptlib=ISP.SISPTENU 
ispplib=ISP.SISPPENU 
ispslib=ISP.SISPSLIB 
sysproc=ISP.SISPCLIB,FEK.SFEKPROC 
-------------------------------------------------------------
Host install verification for RSE
Review IVP log messages from HOST below :
-------------------------------------------------------------


*** CHECK : ENVIRONMENT VARIABLES - key variables displayed below :

Server PATH         = /usr/lpp/java/J5.0/bin:/usr/lpp/rdz/lib:/usr/lpp/ispf/bin:
/bin:/usr/sbin:.

STEPLIB             = FEK.SFEKAUTH:FEK.SFEKLOAD

_CMDSERV_BASE_HOME  = /usr/lpp/ispf
_CMDSERV_CONF_HOME  = /etc/rdz
_CMDSERV_WORK_HOME  = /var/rdz
_SCLMDT_CONF_HOME  = /var/rdz/sclmdt
_SCLMDT_WORK_HOME  = /var/rdz
_SCLMDT_TRANTABLE  = FEK.#CUST.LSTRANS.FILE 

-------------------------------------------------------------
*** CHECK : JAVA PATH SETUP VERIFICATION
RC=0
MSG: SUCCESSFUL

-------------------------------------------------------------
*** CHECK : USS MODULES
Checking ISPF Directory : /usr/lpp/ispf
Checking modules in /usr/lpp/ispf/bin directory
Checking for ISPF configuration file ISPF.conf
Checking install bin Directory : /usr/lpp/rdz/bin
RC=0
MSG: SUCCESSFUL

-------------------------------------------------------------
*** CHECK : REXX RUNTIME ENVIRONMENT
RC=0
MSG: SUCCESSFUL

-------------------------------------------------------------
*** CHECK : TSO/ISPF INITIALIZATION
( TSO/ISPF session will be initialized )
RC=0
MSG: SUCCESSFUL

-------------------------------------------------------------
*** CHECK: Shutting down TSO/ISPF IVP session
RC=0
MSG: SUCCESSFUL

-------------------------------------------------------------
Host installation verification completed successfully
-------------------------------------------------------------

fekfivps has the following optional, non-positional, parameters:

-file

fekfivps can produce large amounts of output (hundreds of lines). The -file parameter sends this output to a file, userlog/.eclipse/RSE/$LOGNAME/fekfivps.log, where userlog is the value of the user.log directive in rsed.envvars, and $LOGNAME is your user ID (uppercase). If the user.log directive is commented out or not present, your home path is used. The home path is defined in your OMVS security segment.

-debug

The -debug parameter creates detailed test output. Do not use this option unless directed by the IBM support center.

(Optional) REXEC connection

Verify the REXEC connection by executing the following command. Replace 512 with the port used by REXEC and USERID by a valid user ID.

fekfivpr 512 USERID

After prompting you for a password, the command should return the REXEC trace, a timeout warning, the Java version, and the RSE server message, like that in the following sample ($ is the z/OS UNIX prompt):

$ fekfivpr 512 USERID
Enter password:
 
Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)
using /etc/rdz/rsed.envvars
 
current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

$ EZYRC01I  Calling function rexec_af with the following:
EZYRC02I  Host: CDFMVS08, user USERID, cmd cd /etc/rdz;export RSE_USER_ID=USERI
D;./server.zseries -ivp, port 512
EZYRC19I  Data socket = 4, Control socket = 6.

RSE server IVP test

CDFMVS08 -- Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)

RSE configuration files located in /etc/rdz --default
 
RSE userid is USERID --default

-------------------------------------------------------------
Address Space size limits
-------------------------------------------------------------
current address space size limit is 2147483647 (2048.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

-------------------------------------------------------------
service history
-------------------------------------------------------------
Fri Jun 19 00:01:00 2009 -- COPY -- HHOP760 v7600 created 18 Jun 2009

-------------------------------------------------------------
expect to see time out messages after a successful IVP test

-------------------------------------------------------------
starting RSE server in background -- Fri Jun 19 15:59:05 EDT 2009
-------------------------------------------------------------
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pmz31dev-20070201 (SR4))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 z/OS s390-31 j9vmmz3123-20070201 (JI
T enabled)
J9VM - 20070131_11312_bHdSMr
JIT  - 20070109_1805ifx1_r8
GC   - 200701_09)
JCL  - 20070126

DStore Server Starting... 
Server Started Successfully
8108
Server running on: CDFMVS08

1. If you do not get any Java and RSE server output, the INETD region size is probably too small (must be 2096128 or larger if started from a TSO/OMVS shell session, or region size 0 for BPXBATCH).
2. You can test the shell script used by REXEC separately, as described in the next IVP test, (Optional) REXEC/SSH shell script.
3. The server is started without a client trying to connect, so it will time out (after 5 seconds). This results in a Connection error message that looks like the following sample:

   Connection error
   Server: error initializing socket: java.net.SocketTimeoutException: 
   			Accept timed out

(Optional) REXEC/SSH shell script

This IVP test can be skipped if the previous test outlined in, (Optional) REXEC connection, completed successfully.

Verify the shell script used by the REXEC and SSH connection by executing the following command:

fekfivpz

The command should return a timeout warning, the Java version and the RSE server message, like that in the following sample ($ is the z/OS UNIX prompt):

$ fekfivpz

Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)

using /etc/rdz/rsed.envvars

current address space size limit is 1914675200 (1826.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

-------------------------------------------------------------

RSE server IVP test

CDFMVS08 -- Wed Jul  2 15:00:27 EDT 2008
uid=1(USERID) gid=0(GROUP)

RSE configuration files located in /etc/rdz --default
RSE userid is USERID --default

-------------------------------------------------------------
Address Space size limits
-------------------------------------------------------------
current address space size limit is 2147483647 (2048.0 MB)
maximum address space size limit is 2147483647 (2048.0 MB)

-------------------------------------------------------------
service history
-------------------------------------------------------------
Fri Jun 19 00:01:00 2009 -- COPY -- HHOP760 v7600 created 18 Jun 2009

-------------------------------------------------------------
expect to see time out messages after a successful IVP test

-------------------------------------------------------------
starting RSE server in background -- Fri Jun 19 15:59:05 EDT 2009
-------------------------------------------------------------
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pmz31dev-20070201 (SR4))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 z/OS s390-31 j9vmmz3123-20070201 (JI
T enabled)
J9VM - 20070131_11312_bHdSMr
JIT  - 20070109_1805ifx1_r8
GC   - 200701_09)
JCL  - 20070126

DStore Server Starting... 
Server Started Successfully
8108
Server running on: CDFMVS08

1. If you do not get any output, your (TSO) region size is probably too small (must be 2096128).
2. The server is started without a client trying to connect, so it will time out (after 5 seconds). This results in a Connection error message that looks like the following sample:

   Connection error
   Server: error initializing socket: java.net.SocketTimeoutException: 
           Accept timed out

Developer for System z information

Operator commands

This appendix provides an overview of the available operator (or console) commands for Developer for System z. Refer to How to read a syntax diagram if you are unfamiliar with the syntax diagrams used to explain the command format.

Start (S)

Use the START command to dynamically start a started task (STC). The abbreviated version of the command is the letter S.

JES Job Monitor

Figure 29. START JMON operator command

procname

The name of the member in a procedure library that is used to start the server. The default name used during the host configuration is JMON.

HLQ=install_hlq

High-level qualifier used to install Developer for System z. The default is FEK.

CFG=config_member

Absolute data set and member name of the JES Job Monitor configuration file. The default is FEK.#CUST.PARMLIB(FEJJCNFG).

PRM=-TV

Enable verbose (trace) mode. Tracing will cause performance degradations and should only be done under the direction of the IBM support center.

RSE daemon

Figure 30. START RSED operator command

procname

The name of the member in a procedure library that is used to start the server. The default name used during the host configuration is RSED.

PORT=port

The port used by the RSE daemon for the clients to connect. The default is 4035.

HOME='install_path'

Path prefix and the mandatory /usr/lpp/rdz used to install Developer for System z. The default is '/usr/lpp/rdz'. Note that the z/OS UNIX path is case sensitive and that it must be enclosed in single quotes (') to preserve lower case characters.

CNFG='config_path'

Absolute location of the configuration files stored in z/OS UNIX. The default is '/etc/rdz'. Note that the z/OS UNIX path is case sensitive and that it must be enclosed in single quotes (') to preserve lower case characters.

IVP=IVP

Do not start the server but run the RSE daemon installation verification program (IVP).

Lock daemon

Figure 31. START LOCKD operator command

procname

The name of the member in a procedure library that is used to start the server. The default name used during the host configuration is LOCKD.

HOME='install_path'

Path prefix and the mandatory /usr/lpp/rdz used to install Developer for System z. The default is '/usr/lpp/rdz'. Note that the z/OS UNIX path is case sensitive and that it must be enclosed in single quotes (') to preserve lower case characters.

CNFG='config_path'

Absolute location of the configuration files stored in z/OS UNIX. The default is '/etc/rdz'. Note that the z/OS UNIX path is case sensitive and that it must be enclosed in single quotes (') to preserve lower case characters.

LOG=log_level

The detail level of output in DD STDOUT.

• 0 : Log error messages only.
• 1 : Log error and warning messages (default).
• 2 : Log error, warning and informational messages.

Modify (F)

The MODIFY command allows you to dynamically query and change the characteristics of an active task. The abbreviated version of the command is the letter F.

JES Job Monitor

Figure 32. MODIFY JMON operator command

procname

The name of the member in a procedure library that was used to start the server. The default name used during the host configuration is JMON.

-TV

Enable verbose (trace) mode. Tracing will cause performance degradations and should only be done under the direction of the IBM support center.

-TN

Disable verbose (trace) mode.

RSE daemon

Figure 33. MODIFY RSED operator command

procname

The name of the member in a procedure library that was used to start the server. The default name used during the host configuration is RSED.

DISPLAY CLIENT

Display the active clients.

<clientid> : <userid> : <connected since>

DISPLAY PROCESS[,CLEANUP]

Display the RSE thread pool processes. There can be multiple processes, which are used for load balancing the connected users.

ProcessId(<processid>) Memory Usage(<java heap usage>%)
                        Clients(<number of clients>) <error status>

Note:

• <processid> can be used in process specific z/OS UNIX operator commands.
• Each process has its own Java heap, whose size can be set in rsed.envvars.

In normal situations, <error status> is blank. Table 18___ documents the possible non-blank values for <error status>.

Table 18. Thread pool error status

Status	Description
*severe error*	The thread pool process encountered an unrecoverable error and halted operations. The other status fields show the last known values. Use the CLEANUP option of the DISPLAY PROCESS modify command to remove this entry from the table.
*killed process*	The thread pool process was killed by Java, z/OS UNIX or an operator command. The other status fields show the last known values. Use the CLEANUP option of the DISPLAY PROCESS modify command to remove this entry from the table.
*timeout*	The thread pool process did not respond in a timely manner to RSE daemon during a client connect request. The other status fields show the current values. The thread pool is excluded for future client connect requests. The *timeout* status is reset when a client served by this thread pool logs off.

CANCEL ID=clientid

Cancel a client connection based upon the client ID, which is shown in the DISPLAY CLIENT modify command.

CANCEL USER=userid

Cancel a client connection based upon the client's user ID, which is shown in the DISPLAY CLIENT modify command.

RSECOMMLOG {ON,OFF,I,W,E,2,1,0}

Control the trace detail level for RSE server (rsecomm.log) and the MVS data set services (lock.log and ffs*.log). The startup default is defined in rsecomm.properties. There are three detail levels available:

E or 0 or OFF	Error messages only.
W or 1	Error and Warning messages. This is the default setting in rsecomm.properties.
I or 2 or ON	Error, Warning and Informational messages.

Detailed tracing will cause performance degradations and should only be done under the direction of the IBM support center.

RSEDAEMONLOG {ON,OFF,I,E,2,0}

Control the trace detail level for RSE daemon (rsedaemon.log). The startup default is defined in rsecomm.properties. There are two detail levels available:

E or 0 or OFF	Error messages only.
I or 2 or ON	Error, Warning, and Informational messages.

Detailed tracing will cause performance degradations and should only be done under the direction of the IBM support center.

RSESERVERLOG {ON,OFF,I,E,2,0}

Control the trace detail level for RSE thread pools (rseserver.log). The startup default is defined in rsecomm.properties. There are two detail levels available:

E or 0 or OFF	Error messages only.
I or 2 or ON	Error, Warning, and Informational messages.

Detailed tracing will cause performance degradations and should only be done under the direction of the IBM support center.

RSESTANDARDLOG {ON,OFF}

Disable (OFF) or enable (ON) updating the log files holding the stdout and stderr streams of the thread pools (stdout.*.log and stderr.*.log). The startup default is defined by the enable.standard.log directive in rsed.envvars.

Detailed tracing will cause performance degradations and should only be done under the direction of the IBM support center.

SWITCH

Switch to a new audit log file.

1. Refer to Log files in Troubleshooting configuration problems for more information on the log files mentioned above.
2. Refer to Audit logging in Security considerations for more information on audit.

Lock daemon

Figure 34. MODIFY LOCKD operator command

procname

The name of the member in a procedure library that was used to start the server. The default name used during the host configuration is LOCKD.

QUERY dataset[(member)]

Query the lock status of the listed data set or member. The server will reply with one of the following messages:

BPXM023I (stclock) dataset[(member)] NOT LOCKED 
BPXM023I (stclock) dataset[(member)] LOCKED BY userid 

Notes:

1. The server will also report locks held by other products, such as ISPF.
2. Locks held by Developer for System z clients who were unable to register with the lock daemon will result in the thread pool server address space (RSEDx) being reported as lock owner.

   Console message FEK513W is generated when RSE server is unable to register the client with the lock daemon. The ASID and TCB values mentioned in this message can be compared against the output of the D GRS,RES=(*,dataset[(member)]) operator command in order to find the actual user holding the lock.

Stop (P)

Use the STOP command to stop an active task. The abbreviated version of the command is the letter P.

Figure 35. STOP operator command

procname

The name of the member in a procedure library that was used to start the server. The default names used during the host configuration are JMON, RSED, and LOCKD for JES Job Monitor, RSE daemon, and the lock daemon, respectively.

Console messages

JES Job Monitor

JES Job Monitor does not have product-specific console messages. The server relies on z/OS and JES to generate console messages for actions done by Developer for System z clients.

RSE daemon, RSE thread pool server, and lock daemon

Table 19 lists the product-specific console messages generated by RSE daemon, RSE thread pool server, and the lock daemon.

How to read a syntax diagram

The syntax diagram shows you how to specify a command so that the operating system can correctly interpret what you type. Read the syntax diagram from left to right and from top to bottom, following the horizontal line (the main path).

Symbols

The following symbols are used in syntax diagrams:

Operands

The following types of operands are used in syntax diagrams:

• Required operands are displayed on the main path line:

  >>--REQUIRED_OPERAND--><

• Optional operands are displayed below the main path line:

  >>-*------------------*-><
     *-OPTIONAL_OPERAND-*

• Default operands are displayed above the main path line:

     *-DEFAULT_OPERAND-*
  >>-*-----------------*-><

Operands are classified as keywords or variables:

• Keywords are constants that must be provided. If the keyword appears in the syntax diagram in both uppercase and lowercase, the uppercase portion is the abbreviation for the keyword (for example, KEYword). Keywords are not case-sensitive. You can code them in uppercase or lowercase.
• Variables are italicized, appear in lowercase letters, and represent names or values you supply. For example, a data set name is a variable. Variables can be case sensitive.

Syntax example

In the following example, the USER command is a keyword. The required variable parameter is user_id, and the optional variable parameter is password. Replace the variable parameters with your own values:

>>--USER--user_id-*----------*----------------------------------><
                  *-password-*

Nonalphanumeric characters and blank spaces

If a diagram shows a character that is not alphanumeric (such as parentheses, periods, commas, equal signs, and blank spaces), you must code the character as part of the syntax. In this example, you must code OPERAND=(001 0.001):

>>--OPERAND--=--(--001-- --0.001--)------------------------><

Selecting more than one operand

An arrow returning to the left in a group of operands means that more than one can be selected, or that a single one can be repeated:

>>--*----------------------*----------------------------><
    *-REPEATABLE_OPERAND_1-*
    *-REPEATABLE_OPERAND_2-*
    *-<--------------------*

Longer than one line

If a diagram is longer than one line, the first line ends with a single arrowhead and the second line begins with a single arrowhead:

>>--| The first line of a syntax diagram that is longer than one line |-->
>--| The continuation of the subcommands, parameters, or both |---------><

Syntax fragments

Some diagrams might contain syntax fragments, which serve to break up diagrams that are too long, too complex, or too repetitious. Syntax fragment names are in mixed case and are shown in the diagram and in the heading of the fragment. The fragment is placed below the main diagram:

 >>--| Syntax fragment |---------------------------------------><

Syntax fragment:
|--1ST_OPERAND--,--2ND_OPERAND--,--3RD_OPERAND--|

Troubleshooting configuration problems

This chapter is provided to assist you with some common problems that you may encounter during your configuration of Developer for System z, and has the following sections:

• Log and setup analysis using FEKLOGS
• Log files
• Dump files
• Tracing
• z/OS UNIX permission bits
• Reserved TCP/IP ports
• Address Space size
• APPC transaction and TSO Commands service
• Miscellaneous information

More information is available through the Support section of the Developer for System z Web site (http://www-306.ibm.com/software/awdtools/rdz/support/) where you can find Technotes that bring you the latest information from our support team.

In the Library section of the Web site (http://www-306.ibm.com/software/awdtools/rdz/library/) you can also find the latest version of the Developer for System z documentation, including whitepapers.

The Developer for System z Information Center (http://publib.boulder.ibm.com/infocenter/ratdevz/v7r6/index.jsp) documents the Developer for System z client, and how it interacts with the host (from a client's perspective).

Valuable information can also be found in the z/OS internet library, available at http://www-03.ibm.com/servers/eserver/zseries/zos/bkserv/.

Please notify us if you think that Developer for System z misses a certain function. You can open a Request For Enhancement (RFE) at

https://www.ibm.com/developerworks/support/rational/rfe/

Log and setup analysis using FEKLOGS

Developer for System z provides a sample job, FEKLOGS, which gathers all z/OS UNIX log files as well as Developer for System z installation and configuration information.

Sample job FEKLOGS is located in FEK.#CUST.JCL, unless you specified a different location when you customized and submitted job FEK.SFEKSAMP(FEKSETUP). See Customization setup for more details.

The customization of FEKLOGS is described within the JCL. The customization encompasses the provision of a few key variables.

Log files

Developer for System z creates log files that can assist you and IBM support center in identifying and solving problems. The following list is an overview of log files that can be created on your z/OS host system. Next to these product-specific logs, be sure to check the SYSLOG for any related messages.

MVS based logs can be located through the appropriate DD statement. z/OS UNIX based log files are located in the following directories:

• userlog/$LOGNAME/

  User-specific log files are located in userlog/$LOGNAME/, where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

  • .dstoreMemLogging - DataStore memory usage logging
  • .dstoreTrace - DataStore action logging
  • fa.log - The log of the Fault Analyzer Integration
  • fekfivpi.log - The log of the fekfivpi IVP test
  • fekfivps.log - The log of the fekfivps IVP test
  • ffs.log - The log of the Foreign File System (FFS) server, that executes native MVS functions
  • ffsget.log - The log of the file reader, that reads a sequential data set or a PDS member
  • ffsput.log - The log of the file writer, that writes a sequential data set or a PDS member
  • lock.log - The log of the lock manager, that locks/unlocks a sequential data set or a PDS member
  • rmt_class_loader.cache.jar - The cache of classes loaded by the RSE remote class loader
  • rsecomm.log - The log of the RSE server, that handles commands from the client and the communication logging of all services relying on RSE (may contain Java exception stack trace)
  • stderr.log - The redirected data of stderr, standard error output
  • stdout.log - The redirected data of stdout, standard output
  Note:
  The .eclipse directory and the .dstore* log files start with a dot (.), which makes them hidden. Use z/OS UNIX command ls -lA to list hidden files and directories. When using the Developer for System z client, select the Window > Preferences... > Remote Systems > Files preference page and enable "Show hidden files".
• daemon-home

  The RSE daemon and RSE thread pool specific log files are located in daemon-home, where daemon-home is the value of the daemon.log directive in rsed.envvars. If the daemon.log directive is commented out or not present, the home directory of the user ID assigned to the RSED started task is used. The home directory is defined in the OMVS security segment of the user ID.

  • rsedaemon.log - The log of the RSE daemon
  • rseserver.log - The log of the RSE thread pools
  • audit.log - The RSE audit trail
  • serverlogs.count - Counter for logging RSE thread pool streams
  • stderr.*.log - RSE thread pool standard error stream
  • stdout.*.log - RSE thread pool standard output stream

JES Job Monitor logging

• SYSOUT DD

  Logging of normal operations. The default value in the sample JCL FEK.#CUST.PROCLIB(JMON) is SYSOUT=*.

• SYSPRINT DD

  Trace logging. The default value in the sample JCL FEK.#CUST.PROCLIB(JMON) is SYSOUT=*. Tracing is activated with the -TV parameter, see JES Job Monitor tracing for more details.

Lock daemon logging

• STDOUT DD

  The redirected data of stdout, Java standard output. The default value in the sample JCL FEK.#CUST.PROCLIB(LOCKD) is SYSOUT=*.

• STDERR DD

  The redirected data of stderr, Java standard error output. The default value in the sample JCL FEK.#CUST.PROCLIB(LOCKD) is SYSOUT=*.

RSE daemon and thread pool logging

• STDOUT DD

  The redirected data of stdout, Java standard output of RSE daemon. The default value in the sample JCL FEK.#CUST.PROCLIB(RSED) is SYSOUT=*.

• STDERR DD

  The redirected data of stderr, Java standard error output of RSE daemon. The default value in the sample JCL FEK.#CUST.PROCLIB(RSED) is SYSOUT=*.

• daemon-home

  The RSE daemon and RSE thread pool specific log files are located in daemon-home, where daemon-home is the value of the daemon.log directive in rsed.envvars. If the daemon.log directive is commented out or not present, the home directory of the user ID assigned to the RSED started task is used. The home directory is defined in the OMVS security segment of the user ID.

  • rsedaemon.log - The log of the RSE daemon
  • rseserver.log - The log of the RSE thread pools
  • audit.log - The RSE audit trail
  • serverlogs.count - Counter for logging RSE thread pool streams
  • stderr.*.log - RSE thread pool standard error stream
  • stdout.*.log - RSE thread pool standard output stream

1. serverlogs.count, stderr.*.log, and stdout.*.log are only created if the enable.standard.log directive in rsed.envvars is active, or if the function is dynamically activated with the modify rsestandardlog on operator command.
2. The * in stderr.*.log and stdout.*.log is 1 by default. However, there can be multiple RSE thread pools, in which case the number is incremented for each new RSE thread pool to ensure unique file names.
3. There are no user-specific stdout.log and stderr.log log files when the enable.standard.log directive is active. The user-specific data is now written to the matching RSE thread pool stream.
4. There are operator commands available to control the amount of data written to some of the mentioned log files. Refer to Operator commands for more information.

RSE user logging

• userlog/$LOGNAME/

  There are several log files created by the components related to RSE. All are located in userlog/$LOGNAME/, where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

  • .dstoreMemLogging - DataStore memory usage logging
  • .dstoreTrace - DataStore action logging
  • ffs.log - The log of the Foreign File System (FFS) server, which executes native MVS functions
  • ffsget.log - The log of the file reader, that reads a sequential data set or a PDS member
  • ffsput.log - The log of the file writer, that writes a sequential data set or a PDS member
  • lock.log - The log of the lock manager, that locks or unlocks a sequential data set or a PDS member
  • rmt_class_loader.cache.jar - The cache of classes loaded by the RSE remote class loader
  • rsecomm.log - The log of the RSE server, that handles commands from the client and the communication logging of all services relying on RSE (may contain Java exception stack trace)
  • stderr.log - The redirected data of stderr, standard error output
  • stdout.log - The redirected data of stdout, standard output

1. The .eclipse directory and the .dstore* log files start with a dot (.), which makes them hidden. Use z/OS UNIX command ls -lA to list hidden files and directories. When using the Developer for System z client, select the Window > Preferences... > Remote Systems > Files preference page and enable "Show hidden files".
2. The creation of the .dstore* log files is controlled by the -DDSTORE_* Java startup options, as described in Defining extra Java startup parameters with _RSE_JAVAOPTS.
3. The .dstore* log files are created in ASCII. Use z/OS UNIX command iconv -f ISO8859-1 -t IBM-1047 .dstore* to display them in EBCDIC (when using code page IBM-1047).
4. There are no user-specific stdout.log and stderr.log log files when the enable.standard.log directive is active. The user-specific data is now written to the matching RSE thread pool stream.
5. There are operator commands available to control the amount of data written to some of the mentioned log files. Refer to Operator commands for more information.

Fault Analyzer Integration logging

• userlog/$LOGNAME/

  Fault Analyzer Integration logging, where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

  • fa.log - The log of the Fault Analyzer Integration
  • rsecomm.log - Communication logging of Fault Analyzer Integration

File Manager Integration logging

• userlog/$LOGNAME/rsecomm.log

  Communication logging of File Manager Integration, where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

SCLM Developer Toolkit logging

• userlog/$LOGNAME/rsecomm.log

  Communication logging of SCLM Developer Toolkit, where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

CARMA logging

• CARMA server job

  When opening a connection with CARMA, using the batch interface, FEK.#CUST.SYSPROC(CRASUBMT) will start a server job (with the user's user ID as owner) named CRAport, where port is the TCP/IP port used.

• CARMALOG DD

  If DD statement CARMALOG is specified in the chosen CARMA startup method, CARMA logging is redirected to this DD statement in the server job, otherwise it goes to SYSPRINT.

• SYSPRINT DD

  The SYSPRINT of the server job holds the CARMA logging, if DD statement CARMALOG is not defined.

• userlog/$LOGNAME/rsecomm.log

  Communication logging of CARMA, where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

APPC transaction (TSO Commands service) logging

• SYSPRINT DD

  When the APPC administration utility adds and modifies a transaction program (TP) profile, it checks the TP profile and its JCL for syntax errors. Output from this phase consists of TP profile syntax error messages, utility processing messages, and JCL conversion statements. Logging for messages from this phase is controlled by the SYSPRINT DD statement for the ATBSDFMU utility. The default value in sample JCL FEK.SFEKSAMP(FEKAPPCC) is SYSOUT=*. Refer to MVS Planning: APPC/MVS Management (SA22-7599) for more details.

• &SYSUID.FEKFRSRV.&TPDATE.&TPTIME.LOG

  When a TP executes, the TP runtime messages, such as allocation and termination messages, go to a log named by the MESSAGE_DATA_SET keyword in its TP profile. The default value in sample JCL FEK.SFEKSAMP(FEKAPPCC) is &SYSUID.FEKFRSRV.&TPDATE.&TPTIME.LOG. Refer to MVS Planning: APPC/MVS Management (SA22-7599) for more details.

  Note:
  Depending on your APPC transaction definitions and site defaults, this log file might not appear unless the KEEP_MESSAGE_LOG(ALWAYS) keyword is added to the transaction definitions. Refer to MVS Planning: APPC/MVS Management (SA22-7599) for more information on this.

fekfivpi IVP test logging

• userlog/$LOGNAME/fekfivpi.log

  Output of the fekfivpi -file command (TSO/ISPF Client Gateway related IVP test), where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

fekfivps IVP test logging

• userlog/$LOGNAME/fekfivps.log

  Output of the fekfivps -file command (SCLMDT-related IVP test), where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

Dump files

When a product abnormally terminates, a storage dump is created to assist in problem determination. The availability and location of these dumps depends heavily on site-specific settings. So it could be that they are not created, or created in different locations than mentioned below.

MVS dumps

When the program is running in MVS, check the system dump files and check your JCL for the following DD statements (depending on the product):

• SYSABEND
• SYSMDUMP
• SYSUDUMP
• CEEDUMP
• SYSPRINT
• SYSOUT

Refer to MVS JCL Reference (SA22-7597) and Language Environment Debugging Guide (GA22-7560) for more information on these DD statements.

Java dumps

In z/OS UNIX, most Developer for System z dumps are controlled by the Java Virtual Machine (JVM).

The JVM creates a set of dump agents by default during its initialization (SYSTDUMP and JAVADUMP). You can override this set of dump agents using the JAVA_DUMP_OPTS environment variable and further override the set by the use of -Xdump on the command line. JVM command-line options are defined in the _RSE_JAVAOPTS directive of rsed.envvars. Do not change any of the dump settings unless directed by the IBM support center.

The types of dump that can be produced are the following:

SYSTDUMP

Java Transaction dump. An unformatted storage dump generated by z/OS.

The dump is written to a sequential MVS data set, using a default name of the form %uid.JVM.TDUMP.%job.D%y%m%d.T%H%M%S, or as determined by the setting of the JAVA_DUMP_TDUMP_PATTERN environment variable. If you do not want transaction dumps to be created, add environment variable IBM_JAVA_ZOS_TDUMP=NO to rsed.envvars.

Note:

JAVA_DUMP_TDUMP_PATTERN allows the usage of variables, which are translated to an actual value at the time the transaction dump is taken.

Table 20. JAVA_DUMP_TDUMP_PATTERN variables

Variable	Usage
%uid	User ID
%job	Job name
%y	Year (2 digits)
%m	Month (2 digits)
%d	Day (2 digits)
%H	Hour (2 digits)
%M	Minute (2 digits)
%S	Second (2 digits)

CEEDUMP

Language Environment (LE) dump. A formatted summary system dump that shows stack traces for each thread that is in the JVM process, together with register information and a short dump of storage for each register.

The dump is written to a z/OS UNIX file named CEEDUMP.yyyymmdd.hhmmss.pid, where yyyymmdd equals the current date, hhmmss the current time and pid the current process ID. The possible locations of this file are described in z/OS UNIX dump locations.

HEAPDUMP

A formatted dump (a list) of the objects that are on the Java heap.

The dump is written to a z/OS UNIX file named HEAPDUMP.yyyymmdd.hhmmss.pid.TXT, where yyyymmdd equals the current date, hhmmss the current time and pid the current process ID. The possible locations of this file are described in z/OS UNIX dump locations.

JAVADUMP

A formatted analysis of the JVM. It contains diagnostic information related to the JVM and the Java application, such as the application environment, threads, native stack, locks, and memory.

The dump is written to a z/OS UNIX file named JAVADUMP.yyyymmdd.hhmmss.pid.TXT, where yyyymmdd equals the current date, hhmmss the current time and pid the current process ID. The possible locations of this file are described in z/OS UNIX dump locations.

Refer to Java Diagnostic Guide (SC34-6358) for more information on JVM dumps, and Language Environment Debugging Guide (GA22-7560) for LE-specific information.

z/OS UNIX dump locations

The JVM checks each of the following locations for existence and write-permission, and stores the CEEDUMP, HEAPDUMP, and JAVADUMP files in the first one available. Note that you must have enough free disk space for the dump file to be written correctly.

1. The directory in environment variable _CEE_DMPTARG, if found. This variable is set in rsed.envvars as /tmp. It can be changed to /dev/null to avoid creating the dump files.
2. The current working directory, if the directory is not the root directory (/), and the directory is writable.
3. The directory in environment variable TMPDIR (an environment variable that indicates the location of a temporary directory if it is not /tmp), if found.
4. The /tmp directory.
5. If the dump cannot be stored in any of the above, it is put to stderr.

Tracing

JES Job Monitor tracing

JES Job Monitor tracing is controlled by the system operator, as described in Operator commands.

• Starting the JMON started task with the PRM=-TV parameter activates verbose mode (tracing)
• The modify -TV and modify -TN commands activate and deactivate tracing

RSE tracing

There are several log files created by the components related to RSE. Most are located in userlog/$LOGNAME/, where userlog is the combined value of the user.log and DSTORE_LOG_DIRECTORY directives in rsed.envvars, and $LOGNAME is the logon user ID (uppercase). If the user.log directive is commented out or not present, the home path of the user is used. The home path is defined in the OMVS security segment of the user ID. If the DSTORE_LOG_DIRECTORY directive is commented out or not present, then .eclipse/RSE/ is appended to the user.log value.

The amount of data written to ffs*.log, lock.log and rsecomm.log is controlled by the modify rsecommlog operator command, or by setting debug_level in rsecomm.properties. See Operator commands and (Optional) RSE tracing for more details.

The creation of the .dstore* log files is controlled by the -DDSTORE_* Java startup options, as described in Defining extra Java startup parameters with _RSE_JAVAOPTS.

1. The .eclipse directory and the .dstore* log files start with a dot (.), which makes them hidden. Use z/OS UNIX command ls -lA to list hidden files and directories. When using the Developer for System z client, select the Window > Preferences... > Remote Systems > Files preference page and enable "Show hidden files".
2. The .dstore* log files are created in ASCII. Use z/OS UNIX command iconv -f ISO8859-1 -t IBM-1047 .dstore* to display them in EBCDIC (when using code page IBM-1047).

The RSE daemon and RSE thread pool specific log files are located in daemon-home, where daemon-home is the value of the daemon.log directive in rsed.envvars. If the daemon.log directive is commented out or not present, the home directory of the user ID assigned to the RSED started task is used. The home directory is defined in the OMVS security segment of the user ID.

The amount of data written to rsedaemon.log and rseserver.log is controlled by the modify rsedaemonlog and modify rseserverlog operator commands or by setting debug_level in rsecomm.properties . See Operator commands and (Optional) RSE tracing for more details.

serverlogs.count, stderr.*.log, and stdout.*.log are only created if the enable.standard.log directive in rsed.envvars is active, or if the function is dynamically activated with the modify rsestandardlog on operator command..

Lock daemon tracing

The lock daemon-specific log is located in the STDOUT DD of the LOCKD started task. The amount of data written to the log is controlled by the LOG startup parameter. See Operator commands and (Optional) RSE tracing for more details.

CARMA tracing

The user can control the amount of trace info CARMA generates by setting Trace Level in the properties tab of the CARMA connection on the client. The choices for Trace Level are:

• Disable Logging
• Error Logging
• Warning Logging
• Informational Logging
• Debug Logging

The default value is the following:

Error Logging

Refer to Log files for more information on log file locations.

Error feedback tracing

The following procedure allows gathering of information needed to diagnosis error feedback problems with remote build procedures. This tracing will cause performance degradation and should only be done under the direction of the IBM support center. All references to hlq in this section refer to the high-level qualifier used during installation of Developer for System z. The installation default is FEK, but this might not apply to your site.

1. Make a backup copy of your active ELAXFCOC compile procedure. This procedure is default shipped in data set hlq.SFEKSAMP, but could have been copied to a different location, such as SYS1.PROCLIB, as described in ELAXF* remote build procedures.
2. Change the active ELAXFCOC procedure to include the 'MAXTRACE' string on the EXIT(ADEXIT(ELAXMGUX)) compile option.

   //COBOL  EXEC PGM=IGYCRCTL,REGION=2048K,
   //*            PARM=('EXIT(ADEXIT(ELAXMGUX))',
   //             PARM=('EXIT(ADEXIT(''MAXTRACE'',ELAXMGUX))',
   //             'ADATA',
   //             'LIB',
   //             'TEST(NONE,SYM,SEP)',
   //             'LIST',
   //             'FLAG(I,I)'&CICS &DB2 &COMP)

   Note:
   You have to double the apostrophes around MAXTRACE. The option is now: EXIT(ADEXIT(''MAXTRACE'',ELAXMGUX)).
3. Perform a Remote Syntax Check on the COBOL program for which you want detailed tracing.
4. The SYSOUT part of the JES output will start by listing the names of the data sets for SIDEFILE1, SIDEFILE2, SIDEFILE3 and SIDEFILE4.

   ABOUT TOO OPEN SIDEFILE1 - NAME = 'uid.DT021207.TT110823.M0000045.C0000000'
   SUCCESSFUL OPEN SIDEFILE1 - NAME = 'uid.DT021207.TT110823.M0000045.C0000000'
   ABOUT TOO OPEN SIDEFILE2 - NAME = 'uid.DT021207.TT110823.M0000111.C0000001'
   SUCCESSFUL OPEN SIDEFILE2 - NAME = 'uid.DT021207.TT110823.M0000111.C0000001'
   ABOUT TOO OPEN SIDEFILE3 - NAME = 'uid.DT021207.TT110823.M0000174.C0000002'
   SUCCESSFUL OPEN SIDEFILE3 - NAME = 'uid.DT021207.TT110823.M0000174.C0000002'
   ABOUT TOO OPEN SIDEFILE4 - NAME = 'uid.DT021207.TT110823.M0000236.C0000003'
   SUCCESSFUL OPEN SIDEFILE4 - NAME = 'uid.DT021207.TT110823.M0000236.C0000003'

   Note:
   Depending on your settings, SIDEFILE1 and SIDEFILE2 may be pointing to a DD statement (SUCCESSFUL OPEN SIDEFILE1 - NAME = DD:WSEDSF1). Refer to the JESJCL part of the output (which is located before the SYSOUT part) to get the actual data set name.

          22 //COBOL.WSEDSF1 DD DISP=MOD,
             // DSN=uid.ERRCOB.member.SF1.Z682746.XML
          23 //COBOL.WSEDSF2 DD DISP=MOD,
             // DSN=uid.ERRCOB.member.SF1.Z682747.XML

5. Copy these four data sets to your PC, for example, by creating a local COBOL project in Developer for System z and adding the SIDEFILE1->4 data sets.
6. Copy the complete JES job log to your PC, for example, by opening the job output in Developer for System z and saving it to the local project by selecting File > Save As ... .
7. Restore procedure ELAXFCOC to the original state, either by undoing the change (remove the ''MAXTRACE'', string in the compile options) or restoring the backup.
8. Send the collected files (SIDEFILE1->4 and job log) to the IBM support center.

z/OS UNIX permission bits

Developer for System z requires that the z/OS UNIX file system and some z/OS UNIX files have certain permission bits set.

SETUID file system attribute

Remote Systems Explorer (RSE) is the Developer for System z component that provides core services such as connecting the client to the host. It must be allowed to perform tasks such as creating the user's security environment.

The file system (HFS or zFS) in which Developer for System z is installed must be mounted with the SETUID permission bit on (this is the system default). Mounting the file system with the NOSETUID parameter will prevent Developer for System z from creating the user's security environment, and will fail the connection request.

Use the TSO ISHELL command to list the current status of the SETUID bit. In the ISHELL panel, select File_systems > 1. Mount table... to list the mounted file systems. The a line command will show the attributes for the selected file system, where the "Ignore SETUID" field should be 0.

Program Control authorization

Remote Systems Explorer (RSE) is the Developer for System z component that provides core services such as connecting the client to the host. It must run program controlled in order to perform tasks such as switching to the user ID of the client.

The z/OS UNIX program control bit is set during SMP/E install where needed, except for the Java interface to your security product, as documented in Security considerations. These permission bits might get lost if you did not preserve them during a manual copy of the Developer for System z directories.

The following Developer for System z files must be program controlled:

• /usr/lpp/rdz/bin/
  • fekfdivp
• /usr/lpp/rdz/lib/
  • fekfdir.dll
  • libfekdcore.so
  • libfekfmain.so
• /usr/lpp/rdz/lib/icuc/
  • libicudata.dll
  • libicudata34.0.dll
  • libicudata34.dll
  • libicuuc.dll
  • libicuuc34.0.dll
  • libicuuc34.dll

Use z/OS UNIX command ls -E to list the extended attributes, in which the program control bit is marked with the letter p, as shown in the following sample ($ is the z/OS UNIX prompt):

$ cd /usr/lpp/rdz
$ ls -E lib/fekf*
-rwxr-xr-x  -ps-  2 user     group      94208 Jul  8 12:31 lib/fekfdir.dll

Use z/OS UNIX command extattr +p to set the program control bit manually, as shown in the following sample ($ and # are the z/OS UNIX prompt):

$ cd /usr/lpp/rdz
$ su
# extattr +p lib/fekf*
# exit
$ ls -E lib/fekf*
-rwxr-xr-x  -ps-  2 user     group      94208 Jul  8 12:31 lib/fekfdir.dll

Sticky bit

Some of the optional Developer for System z services require that MVS load modules are available to z/OS UNIX. This is done by creating a stub (a dummy file) in z/OS UNIX with the "sticky" bit on. When the stub is executed, z/OS will look for an MVS load module with the same name and execute the load module instead.

The z/OS UNIX sticky bit is set during SMP/E install where needed. These permission bits might get lost if you did not preserve them during a manual copy of the Developer for System z directories.

The following Developer for System z files must have the sticky bit on:

• /usr/lpp/rdz/bin/
  • BWBTSOW
  • CRASTART

Use z/OS UNIX command ls -l to list the permissions, in which the sticky bit is marked with the letter t, as shown in the following sample ($ is the z/OS UNIX prompt):

$ cd /usr/lpp/rdz
$ ls -l bin/CRA*
-rwxr-xr-t   2 user     group         71 Jul  8 12:31 bin/CRASTART

Use z/OS UNIX command chmod +t to set the sticky bit manually, as shown in the following sample ($ and # are the z/OS UNIX prompt):

$ cd /usr/lpp/rdz
$ su
# chmod +t bin/CRA*
# exit
$ ls -l bin/CRA*
-rwxr-xr-t   2 user     group         71 Jul  8 12:31 bin/CRASTART

Reserved TCP/IP ports

With the netstat command (TSO or z/OS UNIX) you can get an overview of the ports currently in use. The output of this command will look similar to the example below. The ports used are the last number (behind the "..") in the "Local Socket" column. Since these ports are already in use, they cannot be used for the Developer for System z configuration.

IPv4

MVS TCP/IP NETSTAT CS VxRy       TCPIP Name: TCPIP           16:36:42
User Id  Conn     Local Socket           Foreign Socket         State
-------  ----     ------------           --------------         -----
BPXOINIT 00000014 0.0.0.0..10007         0.0.0.0..0             Listen
INETD4   0000004D 0.0.0.0..512           0.0.0.0..0             Listen
RSED     0000004B 0.0.0.0..4035          0.0.0.0..0             Listen
JMON     00000038 0.0.0.0..6715          0.0.0.0..0             Listen
 

IPv6

MVS TCP/IP NETSTAT CS VxRy       TCPIP Name: TCPIP           12:46:25
User Id  Conn     State
-------  ----     -----
BPXOINIT 00000018 Listen
  Local Socket:   0.0.0.0..10007
  Foreign Socket: 0.0.0.0..0
INETD4   00000046 Listen
  Local Socket:   0.0.0.0..512
  Foreign Socket: 0.0.0.0..0
RSED     0000004B Listen
  Local Socket:   0.0.0.0..4035
  Foreign Socket: 0.0.0.0..0
JMON     00000037 Listen
  Local Socket:   0.0.0.0..6715
  Foreign Socket: 0.0.0.0..0

Another limitation that can exist is reserved TCP/IP ports. There are the following two common places to reserve TCP/IP ports:

• PROFILE.TCPIP

  This is the data set referred to by the PROFILE DD statement of the TCP/IP started task, often named SYS1.TCPPARMS(TCPPROF).

  • PORT: Reserves a port for specified job names.
  • PORTRANGE: Reserves a range of ports for specified job names.

  Refer to Communications Server: IP Configuration Guide (SC31-8775) for more information on these statements.

• SYS1.PARMLIB(BPXPRMxx)
  • INADDRANYPORT: Specifies the starting port number for the range of port numbers that the system reserves for use with PORT 0, INADDR_ANY binds. This value is only needed for CINET (multiple TCP/IP stacks active on a single host).
  • INADDRANYCOUNT: Specifies the number of ports that the system reserves, starting with the port number specified in the INADDRANYPORT parameter. This value is only needed for CINET (multiple TCP/IP stacks active on a single host).
  Refer to UNIX System Services Planning (GA22-7800) and MVS Initialization and Tuning Reference (SA22-7592) for more information on these statements.

These reserved ports can be listed with the netstat portl command (TSO or z/OS UNIX), which creates an output like that in the example as follows:

MVS TCP/IP NETSTAT CS VxRy       TCPIP Name: TCPIP           17:08:32
Port# Prot User     Flags    Range       IP Address
----- ---- ----     -----    -----       ----------
00007 TCP  MISCSERV DA
00009 TCP  MISCSERV DA
00019 TCP  MISCSERV DA
00020 TCP  OMVS     D
00021 TCP  FTPD1    DA
00025 TCP  SMTP     DA
00053 TCP  NAMESRV  DA
00080 TCP  OMVS     DA
03500 TCP  OMVS     DAR      03500-03519
03501 TCP  OMVS     DAR      03500-03519

Refer to Communications Server: IP System Administrator's Commands (SC31-8781) for more information on the NETSTAT command.

Address Space size

The RSE daemon, which is a z/OS UNIX Java process, requires a large region size to perform its functions. Therefore it is important to set large storage limits for OMVS address spaces.

startup JCL requirements

The RSE daemon is started by JCL using BPXBATSL, whose region size must be 0.

Limitations set in SYS1.PARMLIB(BPXPRMxx)

Set MAXASSIZE in SYS1.PARMLIB(BPXPRMxx), which defines the default OMVS address space (process) region size, to 2G. This is the maximum size allowed. This is a system-wide limit, and thus active for all z/OS UNIX address spaces. If this is not desired, then you can set the limit also just for Developer for System z in your security software.

This value can be checked and set dynamically (until the next IPL) with the following console commands, as described in MVS System Commands (GC28-1781):

1. DISPLAY OMVS,O
2. SETOMVS MAXASSIZE=2G

Limitations stored in the security profile

Check ASSIZEMAX in the daemon's user ID OMVS segment, and set it to 2147483647 or, preferably, to NONE to use the SYS1.PARMLIB(BPXPRMxx) value.

Using RACF, this value can be checked and set with the following TSO commands, as described in Security Server RACF Command Language Reference (SA22-7687):

1. LISTUSER userid NORACF OMVS
2. ALTUSER userid OMVS(NOASSIZEMAX)

Limitations enforced by system exits

Make sure you are not allowing system exits IEFUSI or IEALIMIT to control OMVS address space region sizes. A possible way to accomplish this is by coding SUBSYS(OMVS,NOEXITS) in SYS1.PARMLIB(SMFPRMxx).

SYS1.PARMLIB(SMFPRMxx) values can be checked and activated with the following console commands, as described in MVS System Commands (GC28-1781):

1. DISPLAY SMF,O
2. SET SMF=xx

APPC transaction and TSO Commands service

If you cannot use the APPC version of the TSO Commands service, there are two areas where problems may arise: starting the APPC server transaction and connecting to RSE.

• If you do not see the messages about setting up APPC, check the system log for RACF messages (message id ICHxxxxx) or other messages related to the command that was issued or the user ID that issued it. Common causes of problems include the following:
  • You do not have read authority to the FEK.SFEKPROC data set.
  • TCP/IP is not active, has a wrong DNS name attached or the system is unreachable (not pingable) due to network problems, a bad IP address or other causes.
• If you see the messages about setting up APPC but do not see the message confirming that setup succeeded, the APPC server transaction was probably unable to start. Check the transaction error log (userid.FEKFRSRV.&TPDATE.&TPTIME.LOG). Some of the likely causes of problems are the following:
  • The TCP/IP stack is not using the default name of TCPIP and the SYSTCPD DD card has not been set or is pointing to the wrong data set.
  • The server was unable to allocate SYSPROC or SYSTSPRT.
  • The JCL points to the wrong SYSPROC (SYSPROC must include FEK.SFEKPROC).
  • The server could not open or access the message (log) data set referred to by MESSAGE_DATA_SET.
  • There are not enough APPC scheduler initiators available.
  • APPC or ASCH address spaces are not active.
  • The class used (default named "A") is not defined to the APPC scheduler ASCH.
  • There is no default OMVS segment for the system, and the user does not have a personal OMVS segment, or there is a definition error in either.
  • The default group of the default OMVS segment or the default group of the user does not have a GID number.

The REXX provided in (Optional) APPC transaction for the TSO Commands service can help with solving APPC problems since it gives you the possibility to manage APPC interactively through ISPF panels. Be aware however that you can deactivate the transaction with this tool; the transaction is still there but will not accept any connections.

The following list is a selection of Technotes currently available on the support Web site (http://www-306.ibm.com/software/awdtools/rdz/support/). Refer to the support Web site for additional information:

• APPC verification fails with Return code 2016 - EHOSTNOTFOUND
• APPC verification fails with Return code 1004 - EIBMIUCVERR
• APPC verification fails with Return code 9 - TP Name not recognized
• APPC verification fails with Return code 10 - TP not avail no retry
• APPC verification fails with Return code 19 - Parameter Error
• APPC verification fails with Return code 20 - Product specific error
• APPC verification fails with Return code 26 - Resource failure
• CEE3501S: The module IOSTREAM was not found
• Server Failed to Start: EDC5129I No such file or directory
• exec/tcp: bind: EDC5111I Permission denied, rsn=744C7246
• No response from server, with either one of the following messages:
  • IEA995I SYMPTOM DUMP OUTPUT 473 USER COMPLETION CODE=4093 REASON CODE=0000001C (in SDSF LOG)
  • CEE3512S An HFS load of module libicudata32.0.dll failed. The system return code was 0000000157; the reason code was 0BDF019B. (in CEEDUMP)
  • Get Space failed (in client .log)
• Command C_CONNECT is not available
• "FFS server initialization failed" error message when connecting to the host
• "EDC5139I Operation not permitted" when connecting to the host
• "RSEG1056U FFS server initialization failed" when opening an MVS file

Miscellaneous information

System limits

SYS1.PARMLIB(BPXPRMxx) defines many z/OS UNIX related limitations, which might be reached when several Developer for System z clients are active. Most BPXPRMxx values can be changed dynamically with the SETOMVS and SET OMVS console commands.

Use the SETOMVS LIMMSG=ALL console command to have z/OS UNIX display console messages (BPXI040I) when any of the BPXPRMxx limits is about to be reached.

Connection refused

Each RSE connection starts several processes which are permanently active. New connections can be refused due to the limit set in SYS1.PARMLIB(BPXPRMxx) on the amount of processes, especially when users share the same UID (such as when using the default OMVS segment).

• The limit per UID is set by the MAXPROCUSER keyword and has a default value of 25.
• The system-wide limit is set by the MAXPROCSYS keyword and has a default value of 200.

Another source of refused connections is the limit on the amount of active z/OS address spaces and z/OS UNIX users.

• The maximum amount of Address Space IDs (ASID) is defined in SYS1.PARMLIB(IEASYSxx) with the MAXUSER keyword, and has a default value of 255.
• The maximum amount of z/OS UNIX user IDs (UID) is defined in SYS1.PARMLIB(BPXPRMxx) with the MAXUIDS keyword, and has a default value of 200.

Known requisite issues

Opening MVS data sets fails

When using APPC for the TSO Commands service, reading, and writing an MVS data set requires the use of a socket physical file system domain. If the file system is not properly defined or it has not enough sockets, the lock manager (FFS) might fail read/write requests. The ffs*.log files will show messages like the following:

• Error 127 getting socket pair - setting port to 0.
• Unable to create socket in the UNIX domain. Error is: "The address family is not supported"

Verify that the SYS1.PARMLIB(BPXPRMxx) member contains the following statements:

FILESYSTYPE TYPE(UDS) ENTRYPOINT(BPXTUINT)
NETWORK DOMAINNAME(AF_UNIX)
        DOMAINNUMBER(1)
        MAXSOCKETS(2000)
        TYPE(UDS)

Another probable cause for this problem, when using APPC for the TSO Commands service, is that TCP/IP Resolver cannot resolve the host address properly due to a missing or incomplete resolver configuration file. A clear indication for this problem is the following message in lock.log:

clientip(0.0.0.0) <> callerip(<host IP address>)

Execute the fekfivpt TCP/IP IVP, as described in Installation verification. The resolver configuration section of the output will look like the following sample:

Resolver Trace Initialization Complete -> 2008/07/02 13:11:54.745964

res_init Resolver values:
 Global Tcp/Ip Dataset  = None
 Default Tcp/Ip Dataset = None
 Local Tcp/Ip Dataset   = /etc/resolv.conf
 Translation Table      = Default
 UserId/JobName         = USERID
 Caller API             = LE C Sockets
 Caller Mode            = EBCDIC

Ensure that the definitions in the file (or data set) referenced by "Local Tcp/Ip Dataset" are correct.

This field will be blank if you do not use a default name for the IP resolver file (using the z/OS UNIX search order). If so, add the following statement to rsed.envvars, where <resolver file> or <resolver data> represents the name of your IP resolver file:

RESOLVER_CONFIG=<resolver file>

or

RESOLVER_CONFIG='<resolver data set>'

Host Connect Emulator

• Host Connect Emulator uses TN3270 telnet and not the RSE server to connect to the host.
• When using secure telnet (SSL) and you are working with certificates that are not signed by a well-known CA, every client must add the CA certificate to their Host Connect Emulator list of trusted CAs.
• The NOSNAEXT option of TCP/IP's TELNETPARMS might be necessary to disable the SNA functional extensions. If NOSNAEXT is specified, the TN3270 telnet server does not negotiate for contention resolution and SNA sense functions.

Security considerations

Developer for System z provides mainframe access to users on a non-mainframe workstation. Validating connection requests, providing secure communication between the host and the workstation, and authorizing and auditing activity are therefore important aspects of the product configuration.

The security mechanisms used by Developer for System z servers and services rely on the file system it resides in being secure. This implies that only trusted system administrators should be able to update the program libraries and configuration files.

The following topics are covered in this chapter:

• Authentication methods
• Connection security
• TCP/IP ports
• Using PassTickets
• Audit logging
• JES security
• SSL encrypted communication
• Client authentication using X.509 certificates
• Port Of Entry (POE) checking
• CICSTS security
• SCLM security
• Developer for System z configuration files
• Security definitions

Refer to Understanding Developer for System z to learn about basic Developer for System z design concepts.

Authentication methods

Developer for System z supports multiple ways to authenticate a user ID provided by a client upon connection.

• User ID and password
• User ID and one-time password
• X.509 certificate

Note that the authentication data provided by the client is only used once, during initial connection setup. Once a user ID is authenticated, the user ID and self-generated PassTickets are used for all actions that require authentication.

User ID and password

The client provides a user ID and matching password upon connection. The user ID and password are used to authenticate the user with your security product.

User ID and one-time password

Based upon a unique token, a one-time password can be generated by a third-party product. One-time passwords improve your security setup as the unique token cannot be copied and used without the user's knowledge, and an intercepted password is useless because it is valid only once.

The client provides a user ID and the one-time password upon connection, which is used to authenticate the user ID with the security exit provided by the third party. This security exit is expected to ignore the PassTickets used to satisfy authentication requests during normal processing. The PassTickets must be processed by your security software.

X.509 certificate

A third party can provide one or more X.509 certificates that can be used for authenticating a user. When stored on secure devices, X.509 certificates combine a secure setup with ease of use for the user (no user ID or password needed).

Upon connection, the client provides a selected certificate, and optionally a selected extension, which is used to authenticate the user ID with your security product.

Note that this authentication method is only supported by the RSE daemon connection method, and that SSL must be enabled.

JES Job Monitor authentication

Client authentication is done by RSE daemon (or REXEC/SSH) as part of the client's connection request. Once the user is authenticated, self-generated PassTickets are used for all future authentication requests, including the automatic logon to JES Job Monitor.

In order for JES Job Monitor to validate the user ID and PassTicket presented by RSE, JES Job Monitor must be allowed to evaluate the PassTicket. This implies the following:

• Load module FEJJMON, by default located in load library FEK.SFEKAUTH, must be APF authorized.
• Both RSE and JES Job Monitor must use the same application ID (APPLID). By default both servers use FEKAPPL as APPLID, but this can be changed by the APPLID directive in rsed.envvars for RSE and in FEJJCNFG for JES Job Monitor.

Connection security

Different levels of communication security are supported by RSE, which controls all communication between the client and Developer for System z services:

• External (client-host) communication can be limited to specified ports. This feature is disabled by default.
• External (client-host) communication can be encrypted using SSL. This feature is disabled by default.
• Port Of Entry (POE) checking can be used to allow host access only to trusted TCP/IP addresses. This feature is disabled by default.

Limit external communication to specified ports

The system programmer can specify the ports on which the RSE server can communicate with the client. By default, any available port is used. This range of ports has no connection with the RSE daemon port.

To help understand the port usage, a brief description of RSE's connection process follows:

1. The client connects to host port 4035, RSE daemon.
2. The RSE daemon creates an RSE server thread.
3. The RSE server opens a host port for the client to connect. The selection of this port can be configured by the user, either on the client in the subsystem properties tab (this is not recommended) or through the _RSE_PORTRANGE definition in rsed.envvars.
4. The RSE daemon returns the port number to the client.
5. The client connects to the host port.

Communication encryption using SSL

All external Developer for System z data streams that pass through RSE can be encrypted using Secure Socket Layer (SSL). The usage of SSL is controlled by the settings in the ssl.properties configuration file, as described in SSL encrypted communication.

The Host Connect Emulator on the client connects to a TN3270 server on the host. The usage of SSL is controlled by TN3270, as documented in the Communications Server IP Configuration Guide (SC31-8775).

The Application Deployment Manager client uses the CICS TS Web Service or the RESTful interface to invoke the Application Deployment Manger host services. The usage of SSL is controlled by CICS TS, as documented in RACF Security Guide for CICS TS.

Port Of Entry checking

Developer for System z supports Port Of Entry (POE) checking, which allows host access only to trusted TCP/IP addresses. The usage of POE is controlled by the definition of specific profiles in your security software and the enable.port.of.entry directive in rsed.envvars, as described in Port Of Entry (POE) checking.

Note that activating POE will impact other TCPIP applications that support POE checking, such as INETD.

TCP/IP ports

Figure 36. TCP/IP ports

Figure 36 shows the TCP/IP ports that can be used by Developer for System z. The arrows show which party does the bind (arrowhead side) and which one connects.

External communication

Define the following ports to your firewall protecting the z/OS host, as they are used for client-host communication (using the tcp protocol):

• RSE daemon for client-host communication setup, default port 4035. Communication on this port can be encrypted using SSL.
• RSE server for client-host communication. By default, any available port is used, but this can be limited to a specified range with the _RSE_PORTRANGE definition in rsed.envvars. Communication on this port can be encrypted using SSL.
• (optional) Either INETD service for remote (host-based) actions in z/OS UNIX subprojects:
  • REXEC (z/OS UNIX version), default port 512.
  • SSH (z/OS UNIX version), default port 22. Communication on this port is encrypted using SSL.
• (optional) TN3270 Telnet service for the Host Connect Emulator, default port 23. Communication can be encrypted using SSL (default port 992). The default port assigned to the TN3270 Telnet service depends on whether or not the user chooses to use encryption.
• (optional) Either or both CICSTS application interfaces for Application Deployment Manager:
  • RESTful interface, default port 5130.
  • Web Services interface, default port 5129. Communication on this port can be encrypted using SSL.

1. Previous clients (version 7.0 and older) communicate directly with JES Job Monitor, default port 6715.
2. During a remote debug session for Cobol, PL/I or Assembler, IBM Debug Tool for z/OS is invoked. This product communicates directly with the client. This communication is initiated on the host, and connects to port 8001 on the client.

Internal communication

Several Developer for System z host services run in separate threads or address spaces and are using TCP/IP sockets as communication mechanism. All these services use RSE for communicating with the client, making their data stream confined to the host only. For some services any available port will be used, for others the system programmer can choose the port or port range that will be used:

• JES Job Monitor for JES-related services, default port 6715. The port can be set in the FEJJCNFG configuration member.
• (optional) File Manager Integration for interacting with IBM File Manager, default port 1960.
• (optional) CARMA communication, default port range 5227-5326 (100 ports). The port range can be set in the CRASRV.properties configuration file.
• (optional) The APPC version of the TSO Commands service uses any socket available to communicate with the lock manager (which enqueues MVS data sets for clients). You cannot set a specific port range to be used.

CARMA and TCP/IP ports

In most cases, like for RSE daemon, a server binds to a port and listens for connection requests. CARMA however uses a different approach, as the CARMA server is not active yet when the client initiates the connection request.

When the client sends a connection request, the CARMA miner, which is active as a user thread in a RSE thread pool, will find a free port in the range specified in the CRASRV.properties configuration file and binds to it. The miner then starts the CARMA server and passes the port number, so that the server knows to which port to connect. Once the server is connected, the client can send requests to the server and receive the results.

So from a TCP/IP perspective, RSE (via the CARMA miner) is the server that binds to the port, and the CARMA server is the client connecting to it.

Using PassTickets

After logon, PassTickets are used to establish thread security within the RSE server. This feature cannot be disabled. PassTickets are system generated passwords with a lifespan of about 10 minutes. The generated PassTickets are based upon the DES encryption algorithm, the user ID, the application ID, a time and date stamp, and a secret key. This secret key is a 64 bit number (16 hex characters) that must be defined to your security software.

To help understand the PassTicket usage, a brief description of RSE's security process follows:

1. The client connects to host port 4035, RSE daemon.
2. The RSE daemon authenticates the client, using the credentials presented by the client.
3. The RSE daemon creates a unique client ID and an RSE server thread.
4. The RSE server generates a PassTicket and creates a security environment for the client, using the PassTicket as password.
5. The client connects to the host port returned by the RSE daemon.
6. The RSE server validates the client using the client ID.
7. The RSE server uses a newly generated PassTicket as password for all future actions requiring a password.

The actual password of the client is no longer needed after initial authentication because SAF-compliant security products can evaluate both PassTickets and regular passwords. RSE server generates and uses a PassTicket each time a password is required, resulting in a (temporary) valid password for the client.

Using PassTickets allows RSE to set up a user-specific security environment at will, without the need of storing all user IDs and passwords in a table, which could be compromised. It also allows for client authentication methods that do not use reusable passwords, such as X.509 certificates.

Security profiles in the APPL and PTKTDATA classes are required to be able to use PassTickets. These profiles are application specific and thus do not impact your current system setup.

PassTickets being application specific implies that both RSE and JES Job Monitor must use the same application ID (APPLID). By default both servers use FEKAPPL as APPLID, but this can be changed by the APPLID directive in rsed.envvars for RSE and in FEJJCNFG for JES Job Monitor.

Audit logging

Developer for System z supports audit logging of actions that are managed by the RSE daemon. The audit logs are stored as text files in the daemon log directory, using the CSV (Comma Separated Value) format.

Audit control

Multiple options in rsed.envvars influence the audit function, as documented in Defining extra Java startup parameters with _RSE_JAVAOPTS.

• The audit function is enabled/disabled by the enable.audit.log option.
• The audit defaults are controlled by the audit.* options.
• The location of the audit log files is controlled by the daemon.log option.
• The code page used for writing the audit log is controlled by the _RSE_HOST_CODEPAGE directive, as documented in rsed.envvars, RSE configuration file.

The modify switch operator command can be used to manually switch to a new audit log file, as documented in Operator commands.

A warning message is sent to the console when the file system holding the audit log files is running low on free space. This console message (FEK103E) is repeated regularly until the low space issue is resolved. Refer to Console messages for a list of console messages generated by RSE.

Audit data

A new audit log file is started after a predetermined time or when the modify switch operator command is issued. The old log file is saved as audit.log.yyyymmdd.hhmmss, where yyyymmdd.hhmmss is the date/timestamp when this log was closed. The system date/timestamp assigned to the file indicates the creation of the log file. The combination of the two dates shows the time period covered by this audit log file.

The following actions are logged:

• System access (connect, disconnect)
• JES spool access (submit, display, hold, release, cancel, purge)
• Data set access (read, write, create, delete, rename, compress, migration, recall)
• Execution of TSO commands

Each logged action is stored (with a date/timestamp) using the CSV (Comma Separated Value) format, which can be read by an automation or data analysis tool.

Audit log files have permission bit mask 640 (-rw-r-----), which means that the owner (RSE daemon z/OS UNIX uid) has read and write access, and the owner's (default) group has read access. All other access attempts are denied, unless it is done by a super user (UID 0) or somebody with sufficient permission to the SUPERUSER.FILESYS profile in the UNIXPRIV class.

JES security

Developer for System z allows clients access to the JES spool through the JES Job Monitor. The server provides basic access limitations, which can be extended with the standard spool file protection features of your security product. Operator actions (Hold, Release, Cancel, and Purge) against spool files are done through an EMCS console, for which conditional permits must be set up.

Actions against jobs - target limitations

JES Job Monitor does not provide Developer for System z users full operator access to the JES spool. Only the Hold, Release, Cancel, and Purge commands are available, and by default, only for spool files owned by the user. The commands are issued by selecting the appropriate option in the client menu structure (there is no command prompt). The scope of the commands can be widened, using security profiles to define for which jobs the commands are available.

Similar to the SDSF SJ action character, JES Job Monitor also supports the Show JCL command to retrieve the JCL that created the selected job output, and show it in an editor window. JES Job Monitor retrieves the JCL from JES, making it a useful function for situations in which the original JCL member is not easily located.

The available JES commands listed in Table 21 are by default limited to jobs owned by the user. This can be changed with the LIMIT_COMMANDS directive, as documented in FEJJCNFG, JES Job Monitor configuration file.

JES uses the JESSPOOL class to protect SYSIN/SYSOUT data sets. Similar to SDSF, JES Job Monitor extends the use of the JESSPOOL class to protect job resources as well.

If LIMIT_COMMANDS is not USERID, then JES Job Monitor will query for permission to the related profile in the JESSPOOL class, as shown in the following table.

Use the following substitutions in the preceding table:

If the JESSPOOL class is not active, then there is different behavior for the LIMITED and NOLIMIT value of LIMIT_COMMANDS, as described in Table 9. The behavior is identical when JESSPOOL is active, since the class, by default, denies permission if a profile is not defined.

Actions against jobs - execution limitations

The second phase of JES spool command security, after specifying the permitted targets, includes the permits needed to actually execute the operator command. This execution authorization is enforced by the z/OS and JES security checks.

Note that Show JCL is not an operator command such as the other JES Job Monitor commands (Hold, Release, Cancel, and Purge), so the limitations below do not apply because there is no further security check.

JES Job Monitor issues all JES operator commands requested by a user through an extended MCS (EMCS) console, whose name is controlled with the CONSOLE_NAME directive, as documented in FEJJCNFG, JES Job Monitor configuration file.

This setup allows the security administrator to define granular command execution permits using the OPERCMDS and CONSOLE classes.

• In order to use an EMCS console, a user must have (at least) READ authority to the MVS.MCSOPER.console-name profile in the OPERCMDS class. Note that if no profile is defined, the system will grant the authority request.
• In order to execute a JES operator command, a user must have sufficient authority to the JES%.** (or more specific) profile in the OPERCMDS class. Note that if no profile is defined, or the OPERCMDS class is not active, JES will fail the command.
• The security administrator can also require that a user must use JES Job Monitor when executing the operator command by specifying WHEN(CONSOLE(JMON)) on the PERMIT definition. The CONSOLE class must be active for this setup to work. Note that the CONSOLE class being active is sufficient; no profiles are checked for EMCS consoles.

Assuming the identity of the JES Job Monitor server by creating a JMON console from a TSO session is prevented by your security software. Even though the console can be created, the point of entry is different (JES Job Monitor versus TSO). JES commands issued from this console will fail the security check, if your security is set up as documented in this publication and the user does not have authority to JES commands through other means.

Note that JES Job Monitor cannot create the console when a command must be executed if the console name is already in use. To prevent this, the system programmer can set the GEN_CONSOLE_NAME=ON directive in the JES Job Monitor configuration file or the security administrator can define security profiles to stop TSO users from creating a console. The following sample RACF commands prevent everyone (except those permitted) from creating a TSO or SDSF console:

• RDEFINE TSOAUTH CONSOLE UACC(NONE)
• PERMIT CONSOLE CLASS(TSOAUTH) ACCESS(READ) ID(#userid)
• RDEFINE SDSF ISFCMD.ODSP.ULOG.* UACC(NONE)
• PERMIT ISFCMD.ODSP.ULOG.* CLASS(SDSF) ACCESS(READ) ID(#userid)

Refer to Security Server RACF Security Administrator's Guide (SA22-7683) for more information on operator command protection.

Access to spool files

JES Job Monitor allows browse access to all spool files by default. This can be changed with the LIMIT_VIEW directive, as documented in FEJJCNFG, JES Job Monitor configuration file.

To limit users to their own jobs on the JES spool, define the "LIMIT_VIEW=USERID" statement in the JES Job Monitor configuration file, FEJJCNFG. If the users need access to a wider range of jobs, but not all, use the standard spool file protection features of your security product, such as the JESSPOOL class.

When defining further protection, keep in mind that JES Job Monitor uses SAPI (SYSOUT application program interface) to access the spool. This implies that the user needs at least UPDATE access to the spool files, even for browse functionality. This requisite does not apply if you run z/OS 1.7 (z/OS 1.8 for JES3) or higher. Here READ permission is sufficient for browse functionality.

Refer to Security Server RACF Security Administrator's Guide (SA22-7683) for more information on JES spool file protection.

SSL encrypted communication

External (client-host) communication can be encrypted using SSL (Secure Socket Layer). This feature is disabled by default and is controlled by the settings in ssl.properties, as documented in (Optional) RSE SSL encryption.

RSE daemon and RSE server support different mechanisms to store certificates due to architectural differences between the two. This implies that SSL definitions and certificates are required for both RSE daemon and RSE server. A shared certificate can be used if RSE daemon and RSE server use the same certificate management method.

RSE daemon uses System SSL functions to manage SSL encrypted communications. This implies that SYS1.SIEALNKE must be program controlled by your security software and available to RSE via LINKLIST or the STEPLIB directive in rsed.envvars.

The RSE user ID (STCRSE in the sample commands below) needs authorization to access his key ring and the related certificates when SAF-compliant key rings are used for either RSE daemon or RSE server.

• RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
• RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
• PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(READ) ID(stcrse)
• PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(READ) ID(stcrse)
• SETROPTS RACLIST(FACILITY) REFRESH

Refer to Appendix A. Setting up SSL and X.509 authentication for more details on activating SSL for Developer for System z.

Client authentication using X.509 certificates

RSE daemon supports users authenticating themselves with an X.509 certificate. Using SSL encrypted communication is a prerequisite for this function, as it is an extension to the host authentication with a certificate used in SSL.

RSE daemon starts the client authentication process by validating the client certificate. Some key aspects that are checked are the dates the certificate is valid and the trust-worthiness of the Certificate Authority (CA) used to sign the certificate. Optionally, a (third party) Certificate Revocation List (CRL) can also be consulted.

After RSE daemon validates the certificate, it is processed for authentication. The certificate is passed on to your security product for authentication, unless rsed.envvars directive enable.certificate.mapping is set to false, at which point RSE daemon will do the authentication.

If successful, the authentication process will determine the user ID to be used for this session, which is then tested by RSE daemon to ensure it is usable on the host system where RSE daemon is running

The last check (which is done for every authentication mechanism, not just X.509 certificates) verifies that the user ID is allowed to use Developer for System z.

If you are familiar with the SSL security classifications used by TCP/IP, the combination of these validation steps match the "Level 3 Client authentication" specifications (the highest available).

Certificate Authority (CA) validation

Part of the certificate validation process includes checking that the certificate was signed by a Certificate Authority (CA) you trust. In order to do so, RSE daemon must have access to a certificate that identifies the CA.

When using the gskkyman key database for your SSL connection, the CA certificate must be added to the key database.

When using an SAF key ring (which is the advised method), you must add the CA certificate to your security database as a CERTAUTH certificate with the TRUST or HIGHTRUST attribute, as shown in this sample RACF command:

• RACDCERT CERTAUTH ADD(dsn) HIGHTRUST WITHLABEL('label')

Note that most security products already have the certificates for well known CA's available in their database with a NOTRUST status. Use the following sample RACF commands to list the existing CA certificates and mark one as trusted based on the label assigned to it.

• RACDCERT CERTAUTH LIST
• RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST

Once the CA certificate is added to your security database, it must be connected to the RSE key ring, as shown in this sample RACF command:

• RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') RING(rdzssl.racf))

Refer to Security Server RACF Command Language Reference (SA22-7687) for more information on the RACDCERT command.

(Optional) Query a Certificate Revocation List (CRL)

If desired, you can instruct RSE daemon to check one or more Certificate Revocation List(s) (CRL) to add extra security to the validation process. This is done by adding CRL-related environment variables to rsed.envvars. Refer to rsed.envvars, RSE configuration file for information on these sample variables:

• GSK_CRL_SECURITY_LEVEL
• GSK_LDAP_SERVER
• GSK_LDAP_PORT
• GSK_LDAP_USER
• GSK_LDAP_PASSWORD

Refer to the Cryptographic Services System Secure Sockets Layer Programming (SC24-5901) for more information on these and other environment variables used by z/OS System SSL.

Authentication by your security software

RACF performs several checks to authenticate a certificate and return the associated user ID. Note that other security products might do this differently. Refer to your security product documentation for more information on the initACEE function used to do the authentication (query mode).

1. RACF checks if the certificate is defined in the DIGTCERT class. If so, RACF returns the user ID that was associated with this certificate when it was added to the RACF database.

   Certificates are defined to RACF using the RACDCERT command, as in the following example:

   RACDCERT ID(userid) ADD(dsn) TRUST WITHLABEL('label')

2. If the certificate is not defined, RACF checks to see if there is a matching certificate name filter defined in the DIGTNMAP or DIGTCRIT classes. If so, it returns the user ID associated with the most specific matching filter.
   Note:
   It is advised not to use name filters for certificates used by Developer for System z, as these filters map all certificates to a single user ID. The result is that all your Developer for System z users will log on with the same user ID.
3. If there is no matching name filter, RACF locates the HostIdMappings certificate extension and extracts the embedded user ID and host name pair. If found and validated, RACF returns the user ID defined within the HostIdMappings extension.

   The user ID and host name pair is valid if all these conditions are true:

   • The CA certificate used to sign this certificate is marked as HIGHTRUST in the DIGTCERT class.
   • The user ID stored in the extension has a valid length (1 to 8 characters).
   • The user ID assigned to RSE daemon has (at least) READ authority to the IRR.HOST.hostname profile in the SERVAUTH class, where hostname is the host name stored in the extension. This is usually a domain name, such as CDFMVS08.RALEIGH.IBM.COM.

   The definition of the HostIdMappings extension in ASN.1 syntax is:

   id-ce-hostIdMappings OBJECT IDENTIFIER::= {1 3 18 0 2 18 1}
   HostIdMappings::= SET OF HostIdMapping
   HostIdMapping::= SEQUENCE{
      hostName        IMPLICIT[1] IA5String,
      subjectId       IMPLICIT[2] IA5String,
      proofOfIdPossession IdProof OPTIONAL
    }
    IdProof::= SEQUENCE{
      secret        OCTET STRING,
      encryptionAlgorithm OBJECT IDENTIFIER
    }

   Note:
   A HostIdMappings extension is not honored if the target user ID was created after the start of the validity period for the certificate containing the HostIdMappings extension. Therefore, if you are creating user IDs specifically for certificates with HostIdMappings extensions, make sure that you create the user IDs before the certificate requests are submitted.

   Refer to Security Server RACF Security Administrator's Guide (SA22-7683) for more information on X.509 certificates, how they are managed by RACF, and how to define certificate name filters. Refer to Security Server RACF Command Language Reference (SA22-7687) for more information on the RACDCERT command.

Authentication by RSE daemon

Developer for System z can do basic X.509 certificate authentication without relying on your security product. Authentication done by RSE daemon requires a user ID and host name to be defined in a certificate extension, and is only activated if the enable.certificate.mapping directive in rsed.envvars is set to FALSE.

This function is intended to be used if your security product does not support authenticating a user based upon an X.509 certificate, or if your certificate would fail the test(s) done by your security product (for example, the certificate has a faulty identifier for the HostIdMappings extension and there is no name filter or definition in DIGTCERT).

The client will query the user for the extension identifier (OID) to use, which is by default the HostIdMappings OID, {1 3 18 0 2 18 1}.

RSE daemon will extract the user ID and host name from it using the format of the HostIdMappings extension. This format is described in Authentication by your security software .

The user ID and host name pair is valid if all these conditions are true:

• The user ID stored in the extension has a valid length (1 to 8 characters).
• The user ID assigned to RSE daemon has (at least) READ authority to the IRR.HOST.hostname profile in the SERVAUTH class, where hostname is the host name stored in the extension. This is usually a domain name, such as CDFMVS08.RALEIGH.IBM.COM.

Port Of Entry (POE) checking

Developer for System z supports Port Of Entry (POE) checking, which allows host access only to trusted TCP/IP addresses. This feature is disabled by default and requires the definition of the BPX.POE security profile, as shown in the following sample RACF commands:

• RDEFINE FACILITY BPX.POE UACC(NONE)
• PERMIT BPX.POE CLASS(FACILITY) ACCESS(READ) ID(STCRSE)
• SETROPTS RACLIST(FACILITY) REFRESH

1. RSE must be configured to use POE by uncommenting the "enable.port.of.entry=true" option in rsed.envvars, as documented in Defining extra Java startup parameters with _RSE_JAVAOPTS.
2. The RSE user ID STCRSE requires UID(0) when this profile is not defined and POE checking is enabled in rsed.envvars.
3. Defining BPX.POE will impact other TC/PIP applications that support POE checking, such as INETD.
4. Security zones (EZB.NETACCESS.** profiles, which are IP address ranges) should be set up in the SERVAUTH class to use the full strength of POE checking.

Refer to Communications Server IP Configuration Guide (SC31-8775) for more information on network access control using POE checking.

CICSTS security

Developer for System z allows, through Application Deployment Manager, CICS administrators to control which CICS resource definitions are editable by the developer, their default values, and the display of a CICS resource definition by means of the CICS Resource Definition (CRD) server. Refer to CICSTS considerations for more information on the required CICS TS security definitions.

CRD repository

The CRD server repository VSAM data set holds all the default resource definitions and must therefore be protected against updates, but developers must be allowed to read the values stored here.

CICS transactions

Developer for System z supplies multiple transactions that are used by the CRD server when defining and inquiring CICS resources. When the transaction is attached, CICS resource security checking, if enabled, insures that the user ID is authorized to run the transaction ID.

SSL encrypted communication

The Application Deployment Manager client uses CICS TS Web Services or the RESTful interface to invoke the CRD server. The usage of SSL for this communication is controlled by the CICS TS TCPIPSERVICE definition, as documented in and RACF Security Guide for CICS TS.

SCLM security

The SCLM Developer Toolkit service offers optional security functionality for the Build, Promote, and Deploy functions.

If security is enabled for a function by the SCLM administrator, SAF calls are made to verify authority to execute the protected function with the caller's or a surrogate user ID.

Refer to SCLM Developer Toolkit Administrator's Guide (SC23-9801), for more information on the required SCLM security definitions.

Developer for System z configuration files

There are several Developer for System z configuration files whose directives impact the security setup. Based upon the information in this chapter, the security administrator and systems programmer can decide what the settings should be for the following directives.

JES Job Monitor - FEJJCNFG

• LIMIT_COMMANDS={USERID | LIMITED | NOLIMIT}

  Define against which jobs actions can be done (excluding browse and submit). For more information, see Actions against jobs - target limitations.

• LIMIT_VIEW={USERID | NOLIMIT}

  Define which spool files can be browsed. For more information, see Access to spool files.

• APPLID={FEKAPPL | *}

  Application ID used for PassTicket creation/validation. For more information, see Using PassTickets.

RSE - rsed.envvars

• (_RSE_JAVAOPTS) -DDENY_PASSWORD_SAVE={true | false}

  Deny users to save their host password on the client. For more information, see Defining extra Java startup parameters with _RSE_JAVAOPTS.

• (_RSE_JAVAOPTS) -DDSTORE_IDLE_SHUTDOWN_TIMEOUT=value

  Timer to disconnect idle clients. For more information, see Defining extra Java startup parameters with _RSE_JAVAOPTS.

• (_RSE_JAVAOPTS) -DAPPLID={FEKAPPL | *}

  Application ID used for PassTicket creation/validation. For more information, see Using PassTickets.

• (_RSE_JAVAOPTS) -Denable.port.of.entry={true | false}

  Enable Port Of Entry checking. For more information, see Port Of Entry (POE) checking.

• (_RSE_JAVAOPTS) -Denable.certificate.mapping={true | false}

  Use your security product to authenticate users with an X.509 certificate. For more information, see Client authentication using X.509 certificates.

• (_RSE_JAVAOPTS) -Ddaemon.log={/var/rdz/logs | *}

  Location of the audit log files. For more information, see Audit logging.

RSE - ssl.properties

• daemon_keydb_file={SAF key ring name | gskkyman key database name}

  Location of the RSE daemon certificate. For more information, see SSL encrypted communication.

• daemon_key_label=certificate label

  Name of the RSE daemon certificate. For more information, see SSL encrypted communication.

• server_keystore_file={SAF key ring name | Java key store name}

  Location of the RSE server certificate. For more information, see SSL encrypted communication.

• server_keystore_label=certificate label

  Name of the RSE server certificate. For more information, see SSL encrypted communication.

• server_keystore_type={JKS | JCERACFKS | JCECCARACFKS}

  Type of key store used (Java key store or SAF key ring). For more information, see SSL encrypted communication.