Configuring Rochade Server
Initialization File for Starting the Server
These are the sections of the server initialization file. For a detailed description of all server settings, see Description of Server Settings.
<server_start> Section
This section contains settings that are necessary for the server operation, where <server_start> is the name that you specify when calling the server. For more information, see Starting Rochade Server.
Settings of the <server_start> Section table lists the relevant settings of the <server_start> section. The settings either define specific values or refer to other sections that contain further settings. An S in the second column marks settings that the server writes to the initialization file.
Settings of the <server_start> Section
| Setting | [o]ptional/[m]andatory/[S]erver | Description |
|---|---|---|
|
ACCESS |
m |
Refers to <comm_section> Section. |
|
ADB |
o |
Administration database. |
|
ADBX |
o |
Activates external authentication and refers to <alt_auth> Section. |
|
AUDITLOGPARMS |
o |
Refers to <audit_log> Section. |
|
CODEPAGE |
m |
Code page. |
|
CODEPAGE_FILES |
m |
Code page for access to external files. |
|
COMPANY |
m |
Company name. |
|
DATABASE<n> |
o |
Refers to <db_section> Section. |
|
DBCACHESIZE |
o |
z/OS only. Size of the database cache (in KB). |
|
DBLOCK |
o |
Toggles file locking for databases on and off. |
|
ERRBUFFERSIZE |
o |
Buffer size for information on refused requests. |
|
EVENTLOG |
o |
Server event log. |
|
EVENTLOGBACKUP |
o |
Backup file for server event log. |
|
EVENTLOGOPT |
o |
Scope of the server event log. |
|
KERBEROS |
o |
Activates Kerberos authentication and refers to a section containing additional settings. For more information, see Kerberos Authentication. |
|
LASTRC |
S/o |
Stores the server’s return code at shutdown. If LASTRC=NOSAVE is specified, the return code is not saved. |
|
LICENSE |
m |
License number. |
|
LOG_ALARM |
o |
User program for exceeding the limit. |
|
LOG_CONSUMED_SEG |
o |
Last LOG file number processed |
|
LOG_CURRENT_RECO_TIME |
S |
Time that would be required for restore. |
|
LOG_CURRENT_SEG |
S |
Current LOG file number. |
|
LOG_CURRENT_SIZE |
S |
Current size of LOG files. |
|
LOG_MAX_SEG |
o |
Maximum number of possible LOG files. |
|
LOG_MAX_SIZE |
o |
Maximum size for single LOG file. |
|
LOG_MAX_TIME |
o |
Time after which the current LOG file is closed. |
|
LOG_NAME |
m/o |
Name of LOG file. |
|
LOG_RECO_TIME_LIMIT |
o |
Maximum amount of time a restore may take. |
|
LOG_RESERVE |
o |
Threshold for warning the user about approaching LOG_MAX_SEG. |
|
LOG_SIZE_LIMIT |
o |
Maximum total size of all LOG files. |
|
NUMA_MODE |
o |
The server’s operating mode for Non-Uniform Memory Access (NUMA) systems. |
|
ONLINE_BACKUP_DATABASE |
o |
Buffer database for online backup. Refers to the section that describes the buffer database. |
|
ONLINE_BACKUP_MODE |
o |
Online backup mode on server start. |
|
PERF |
o |
Perfomance measurement. |
|
ROSRVMSG.<lang> |
m |
Name of server message file. |
|
SERVERACCESSPERMISSIONS |
o |
Restricts access to the server to users who a have one of the specified LDAP roles. |
|
SERVICE<n> |
o |
Refers to <rpc_service> Section. |
|
SETLASTLOGONTIME |
o |
Updates the logon time in the attribute PWD_LAST_LOGON_TIME. |
|
STATE |
S |
Server status. |
|
SUPPRESS_MSG |
o |
z/OS only. Turns off server error messages if server cannot write to the initialization files. |
|
TERMINATION_HANDLER |
o |
Termination routine. |
|
TRACEFILEPATH |
o |
Trace file directory. |
|
TRUSTED_SITES |
o |
Refers to <trusted_sites> Section. |
<comm_section> Section
The communication section contains the communication parameters for the server. These are the relevant settings of the <comm_section> section:
| Setting | [o]ptional/[m]andatory | Description |
|---|---|---|
|
COMM |
m |
Type of communication. For more information, see COMM=<communication>. |
|
HOSTNAME |
o |
Identifies the client as a local or remote client. |
|
HOSTRES |
o |
Suppresses output of the name of the client machine in the server event log. |
|
LISTEN |
o |
Port selection for TCP/IP protocol stacks. |
|
PORT |
m |
Port number of the server. |
|
TLS-specific settings |
o |
For information on these settings, see Configuring TLS on the Server Side. |
<alt_auth> Section
This section contains all the settings that are required when user authentication in Rochade is to be handled via an external authentication system. External authentication validates only the user name and the password. All other information (for example, user and operator privileges) must be supplemented from the administration database. These are the relevant settings of the <alt_auth> section:
| Setting |
[o]ptional/ [m]andatory |
Description |
|---|---|---|
|
AUTH_DB |
m |
Name of the system that carries out external authentication. |
|
DOMAIN |
m/o |
Name of the Windows domain against which password and name are to be verified. Only for external authentication via Windows domain (such as, AUTH_DB=WINDOMAIN). |
|
LDAP-specific settings |
o |
For information on these settings, see Settings for LDAP Authentication. |
|
AllowDisabledPasswords |
o |
Enables LDAP users to log into Rochade without password if for the Rochade account password check is disabled. |
|
AllowInternalAccounts |
o |
Enables the definition of internal Rochade user accounts that can be used for logging into Rochade even if external authentication is used. |
|
UserAttributes |
o |
Enables access to LDAP user attributes via Java API and refers to a section containing additional settings. For more information, see <u_section> Section. |
<audit_log> Section
In this section, you can specify which entries are written to the audit log and in what format. These are the relevant settings of the <audit_log> section:
| Setting | [o]ptional/[m]andatory | Description |
|---|---|---|
|
ATTR_CREATE |
o |
Specifies how to log the creation of attributes. |
|
ATTR_DELETE |
o |
Specifies how to log the deletion of attributes. |
|
ATTR_MODIFY |
o |
Specifies how to log the modification of attributes. |
|
ATTR_READ |
o |
Specifies how to log reading of attributes. |
|
AUDITLOG |
o |
Specifies whether an audit log is kept. |
|
AUDITLOGBACKUP |
o |
Specifies the name for the audit log’s backup file. |
|
AUDITLOGDATEFMT |
o |
Specifies the date format. |
|
AUDITLOGESC |
o |
Specifies the escape symbol. |
|
AUDITLOGFAIL |
o |
Specifies a string that will be output in place of FAILURE. |
|
AUDITLOGFILE |
o |
Specifies the file name for the audit log. |
|
AUDITLOGFMT |
o |
Specifies the format identification for the audit log. |
|
AUDITLOGSEP |
o |
Specifies the separator character. |
|
AUDITLOGSUCCESS |
o |
Specifies a string that will be output in place of SUCCESS. |
|
AUDITLOGTMP |
o |
Specifies the temporary file for processing of the Rochade audit log. |
|
ITEM_CREATE |
o |
Specifies how to log the creation of items. |
|
ITEM_DELETE |
o |
Specifies how to log the deletion of items. |
|
ITEM_MODIFY |
o |
Specifies how to log the modification of items. |
|
ITEM_READ |
o |
Specifies how to log reading of items. |
|
LOGOFF |
o |
Specifies how to log the logoff of users. |
|
LOGON |
o |
Specifies how to log the logon of users. |
|
OPER_CMD |
o |
Specifies how to log the calls to operator commands. |
|
OPER_LOGOFF |
o |
Specifies how to log logoff from operator status. |
|
OPER_LOGON |
o |
Specifies how to log logon to operator status. |
|
SETTINGS |
o |
Specifies whether to log the modification of settings. |
|
USER |
o |
Specifies how to log user entries. |
<db_section> Section
This section describes all the databases that are to be assigned to the server data space. These are the relevant settings of the <db_section> section:
| Setting | [o]ptional/[m]andatory/[S]erver | Description |
|---|---|---|
|
AUDITING |
o |
Specifies whether AUDITING should be set to ON or OFF. By setting 'AUDITING=OFF,' audit logging is disabled for the corresponding database. |
|
CACHING_LEVEL_DOC |
o | UNIX and 64-bit Windows only. Specifies whether the server should load item content records into memory. |
|
CACHING_LEVEL_LINK |
o |
UNIX and 64-bit Windows only. Specifies whether the server should load link and namespace index records into memory. |
|
CACHING_LEVEL_NUM |
o |
UNIX and 64-bit Windows only. Specifies whether the server should load name catalog records into memory. |
|
CACHING_RECS_PER_SEC_INITIAL |
o |
UNIX and 64-bit Windows only. Specifies the number of records per second that the server initially loads into memory. |
|
CACHING_RECS_PER_SEC |
o |
UNIX and 64-bit Windows only. Specifies the number of records per second that the server loads into memory after the initial load. |
|
CREATEDB |
S |
Date of creation of the database. |
|
DATACLASS |
o |
z/OS only. Name of the data class. |
|
DFILE |
m |
Physical database name. |
|
MANAGEMENTCLASS |
o |
z/OS only. Name of the management class. |
|
MAXATTRDIRSIZE |
o |
The maximum size up to which attribute content of an item version is stored contiguously |
|
MODE |
m |
Access mode. |
|
NAME |
m |
Logical database name. |
|
PRIMARY |
m/o |
z/OS only. Size of primary allocation of the database on the hard disk. |
|
SECONDARY |
m/o |
z/OS. Size of secondary allocation of the database on the hard disk. |
|
STORAGECLASS |
o |
z/OS only. Name of the storage class. |
|
UPDATE_INDEX_DELETE_LIFETIME |
o |
The time after which DELKIND entries are removed from the update index. |
<rpc_service> Section
In this section, you describe programs that can be called as a service from Rochade. These are the relevant settings of the <rpc_service> section:
| Setting | [o]ptional/[m]andatory | Description |
|---|---|---|
|
CODEPAGE |
m |
Code page for RPC client. |
|
CODEPAGE_FILES |
m |
Code page for access to external files. |
|
KEEP_ACTIVE |
o |
Number of seconds a service instance remains preloaded |
|
MAX_INSTANCES |
o |
The setting controls the availability of preloaded service instances. |
|
NAME |
m |
Logical name of RPC service. |
|
PARAMS |
o |
Runtime parameters for the RPC service. |
|
PRELOAD |
o |
Maximum number of preloaded service instances. |
|
PROGRAM |
m |
Physical name of RPC service. |
|
ROAPIMSG.<lang> |
m/o |
Name of API message file. |
|
ROCLIMSG.<lang> |
m/o |
Name of client message file. |
|
SERVER1 |
m |
Points to the <comm_section>. |
|
SYSUID |
o |
RPC client identification. |
|
THREAD_POOL_PORT |
o |
Port number for the thread pool process. |
|
TIMEOUT |
o |
Time period that a service instance can be inactive. |
|
TIMEOUT_KILL |
o |
Time period after logoff of the service instance. |
|
TIMEOUT_LOGON |
o |
Time period from the start of the service instance until logon to the server. |
|
TIMEOUT_READY |
o |
Time period after which the service instance must inform the server that it is ready for a new task. |
|
TIMEOUT_STAT |
o |
Time period after which the service instance must return a status message if the Watchdog function is activated. |
|
TIMEOUT_TERM |
o |
Time delay following a termination request until removal of the service instance by the server. |
Rochade server 8.92 does not support starting the MVS modules as subtasks. The Parameter PROGRAM must be encoded:
- either to start a Job using an internal reader as displayed below:
PROGRAM=JOB:DSN:<hlq>.ROPROD.CNTL(rpcjob)
- Or to start a HFS program such as java as displayed below:
PROGRAM=$(JAVA_HOME)/bin/java
For more information, see Description of Server Settings.
ROINI-INTERNAL Section
This optional section applies to the initialization file itself. It is relevant only for z/OS. The name of the section is a constant.
LOCKMODE is the only setting of the ROINI_INTERNAL section. This setting is optional and it specifies the lock mode for the initialization file.
<trusted_sites> Section
This section contains settings for the clients that the server should trust. The server assumes that the user authentication takes place on the client side (for example, through a single sign-on [SSO] system).
For each client the server should trust (such as, for which it should accept the client’s logon), you must specify a setting in this format:
<client_address>=[OSUSERONLY;]<public_keyfile>
where:
- <client_address> is an IP address (such as, IPv4 or IPv6) or host name of a client computer or the asterisk character (*). Using the asterisk, you can specify a default RSA key that will be used for all clients that have not specified explicitly.
- <public_keyfile> is the name of the file that contains the public RSA key. The server uses this key to validate the client’s signature. For information on how to create the keys, see Trusted Sites.
OSUSERONLY this parameter is supported only under z/OS. It specifies that the Rochade Server only accepts the client operating system login name for logging in.
This is an example for specifying the trusted clients and the key files under Windows:
[RO_TRUST]
10.10.20:7=@d:\rochade\appl\cli1.data
2001:0db8::7344=@d:\rochade\appl\cli2.data
asg.gchm.com=@d:\rochade\appl\cli3.data
*=@d:\rochade\appl\default.data
Under z/OS, you can store the public RSA keys either in HFS or as sequential data sets. The data sets must have the record format F (fixed length) and a length of 4KB.
Example for specifying keys that are stored in HFS:
<RO_TRUST>
fe80:0:0:0:0:5efe:a21:4c69=&HFS:./ro_publicKey.data
10.33.76.105=&HFS:./ro_publicKey.data
0:0:0:0:0:0:0:1=&HFS:./ro_publicKeyLocal.data
127.0.0.1=&HFS:./ro_publicKeyLocal.data
Example for specifying keys that are stored as sequential data sets:
<RO_TRUST>
fe80:0:0:0:0:5efe:a21:4c69=&DSN:ROCHK.R892.ROPROD.PUBKEY
fd15:e5d:f56d:d0d:20e3:34cb:63e0:c487=&DSN:ROCHK.R892.ROPROD.PUBKEY
10.33.76.105=&DSN:ROCHK.R892.ROPROD.PUBKEY
0:0:0:0:0:0:0:1=&DSN:ROCHK.R892.ROPROD.PUBKEY2
127.0.0.1=&DSN:ROCHK.R892.ROPROD.PUBKEY2
Example for specifying keys that are stored as members in a library:
<RO_TRUST>
clicomp.yourdomain.com=&DSN:ROCHK.R892.ROPROD.TICKETS(TCK00001)
<u_section> Section
This section contains settings that you must specify to access attributes of LDAP user accounts using Java API (such as, method de.rochade.ds.User.getLdapProperties).
For each LDAP attribute that you want to access in Rochade, you must specify a mapping in this format:
<property>=<ldap_attribute> [(binary)]
where:
- <property> is the name of the property through which you can access the value of an LDAP attribute within a Java API application.
- <ldap_attribute> is the name of the LDAP attribute.By indicating the value (binary)next to the LDAP attribute name, Java API provides the value of the LDAP attribute in base64 encoding.
Example:
To access the values of the LDAP attributes memberOf and securityProtocol through the properties ROLE and security within a Java API application, you must specify these settings in the server initialization file:
[LDAPATTRS]
ROLE=memberOf
security=securityProtocol (binary)
Java API supports the mapping of multi-valued LDAP settings. If, for example, the LDAP setting memberOf contains a list of values, the property ROLE will provide access to that list (for example, CN=DevDepartment, OU=Development,DC=ASG,DC=COM).
Java API provides the value of the LDAP attribute securityProtocol in base64 encoding. A Java API application can access the binary value through the property security.