RSS server configuration parameters


Server member configuration parameters (SRVSYS1)

These parameters define the protocol used by the browser interface.

The HTTP server parameters must be defined within an HTTPServer group:

Parameter

Description

HTTPServer

Head of a block of HTTP server definitions

Authenticate MFA


(Optional) Enables multi-factor authentication (MFA) compound in-band support for the server

If you do not use MFA authentication on the local external security manager (ESM), authentication is processed through the normal password validation routines. If you use standard MFA, where the password is just an MFA token, you do not need to specify this parameter.

If you omit Authenticate, this feature is not enabled.

BufferSize size

Overrides the default maximum buffer size for receiving HTTP header data

If you omit BufferSize, the default is 4096.

CustomApp name dllName

(Custom RSS solutions, only) Additional menu item that is required for some custom solutions

Note: The values for name and dllName are supplied by BMC as part of the custom solution delivery. Using alternate names might prevent the custom service from running.

  • name—name of the menu item
  • dllName—name of the BMC-supplied DLL implementing the custom functionality

InactivityTimeout seconds

Number of seconds before a logged-in user times out after a period of inactivity

If you omit InactivityTimeout, the default is 900.

IPAddress hostName|ipAddress

(Optional) Host name or IP address on which the HTTP server listens for incoming browser connections

JSONEncoding encodingValue

(Optional) JSON character encoding value

You can translate the following UTF-8 special characters from the mainframe:

ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ

Important

Incoming data is translated without any parameter changes. This parameter is required only for JSON responses.

Valid values are UTF8 or none (default).

MinimumTokenSize

(Optional) Minimum token size used in a compound MFA

Define a size from 9 to 31. Compound tokens use the format (mfaToken:esmPassword). Confirm with your security administrator that a minimum token size can be set before using this parameter.

If you omit MinimumTokenSize, the default is 14.

MultiSessionAlert Enable|Disable

(Optional) Enables and disables multi-session alert messages

Specifying Enable triggers a pop-up message at login, alerting users if they are running multiple sessions (browser instances or browser tabs) that are using the same user ID. It also sends message RSS0189I to RSSPRINT.

If you omit MultiSessionAlert, the default is Disable.

Port nnnnn

Port number on which the RSS server listens for incoming browser connections

Make sure that the port number is available and valid; otherwise, users cannot log in and use RSS.

If you omit Port, the default is 8181.

Protocol

HTTP protocol

Use the IBM AT-TLS option to secure connections.

ResetExpiredPW Enable|Disable

(Optional) Enables resetting an expired user ID password

Specifying Disable causes RSS to issue an error message when users try to log on.

If you omit this parameter, the default value is Disable.

EndHTTPServer

Termination of a block of HTTP server definitions

Server list member configuration parameters (SRVLIST)

Use these parameters to specify the details of remote RSS servers running on another LPAR or sysplex. They are typically used by RSS applications to replicate commands or requests to remote RACF databases. 

The servers must be defined within a Servers block:

Parameter

Description

Servers

Head of a block of servers definitions

name protocol IPAddress:port

Server entry definition with the following options:

Option

Description

name

Name of the remote RSS server

This name is used for display purposes and does not have to match any other value.

protocol

HTTP protocol, used by the target RSS system (and therefore specified on its own protocol parameter)

IPAddress

IP address of the target RSS server

port

Port number on which the target RSS server is listening for inbound connections

Separate the port number from the IP address with a colon.

EndServers

Termination of a block of server definitions

Event targets member configuration parameters (TARGETS)

Use these parameters to specify the details of external systems to receive events generated by RSS applications. Every event generated by an RSS application is assigned a severity.

Multiple target systems can be defined to receive events, filtered by severity.

RSS also supports routing events to the MVS Console and the local Syslog Daemon as well as external SIEM systems.

The target systems must be defined within an EventTarget block. One EventTarget block is required for each target system.

Parameter

Description

EventTarget

Head of a block of definitions for a single target system

Encoding ASCII|EBCDIC

Specifies the encoding used to convert the event text before sending it to the target system

Format formatType

Defines the format in which the event is forwarded to the target system

Specify one of the following format types:

  • Console
  • Syslog
  • JSON
  • XML
  • RFC3164
  • RFC5424

Host Local|ipAddress|hostName

Defines the host name or IP address of the target system to which the event is to be sent

Local should be specified (with Format Syslog) to write the event to the z/OS SyslogD daemon.

Name targetName

Name that you assign to the target system

This name is used only for reference purposes and does not have to match any name on the target system.

There are two reserved names for use by RSS:

  • Console—Events written to MVS console
  • Syslog—Events written to Syslog Daemon

Port portNumber

Defines the port on the target system to which the event will be sent

Protocol UDP|TCP

Defines whether the event will be sent to the target system using the TCP or UDP protocol

Severity severity severity severity

Specifies one or more event severity filters for events forwarded to this target system. The severity is set by the RSS application generating the event/alert.

The severity name follows the priority value defined in the Syslog RFC 5424.

Valid Severity names are:

  • Emergency
  • Critical
  • Alert
  • Error
  • Warning
  • Notice
  • Info
  • Debug

EndEventTarget

Termination of a block of definitions for a single target system
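A check that can be run over a TARGETS member before deploying it, as an added example that is not BMC code: it maps the severity names above to their RFC 5424 numeric values, lists severities that no EventTarget receives, and flags high severities that are delivered only over UDP. The one-keyword-per-line layout, the sample values, and the function names are assumptions.

```python
# RFC 5424 numeric severity values (0 is the most severe).
SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}

# Constructed sample: the one-keyword-per-line layout and all values are assumed.
SAMPLE = """\
EventTarget
  Name SIEM1
  Host 192.0.2.10
  Protocol UDP
  Format RFC5424
  Severity Emergency Alert Critical Error
EndEventTarget
EventTarget
  Name Syslog
  Host Local
  Format Syslog
  Severity Error Warning Notice
EndEventTarget
"""

def parse_targets(text):
    targets, cur = [], None          # cur is the block being read, if any
    for n, raw in enumerate(text.splitlines(), 1):
        key, *vals = raw.split() or [""]
        if key == "EventTarget":
            cur = {"Severity": set()}
        elif key and cur is None:
            raise ValueError(f"line {n}: {key} outside an EventTarget block")
        elif key == "EndEventTarget":
            targets.append(cur)
            cur = None
        elif key == "Severity":      # may list several names on one statement
            if not set(vals).issubset(SEVERITY):
                raise ValueError(f"line {n}: unknown severity in {vals}")
            cur["Severity"].update(vals)
        elif key:
            cur[key] = " ".join(vals)
    return targets

def receivers(targets, sev):         # targets whose filter includes sev
    return [t for t in targets if sev in t["Severity"]]

def uncovered(targets):              # severities no target receives
    return [s for s in SEVERITY if not receivers(targets, s)]

def udp_only(targets, worst="Error"):
    # Severities at or above `worst` whose every receiver uses UDP (lossy).
    return [s for s, n in SEVERITY.items() if n <= SEVERITY[worst] and receivers(targets, s)
            and all(t.get("Protocol") == "UDP" for t in receivers(targets, s))]
```

In the sample, Error is not flagged because it also reaches the local Syslog target, while Info and Debug are reported as not forwarded anywhere.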

AutoStart configuration parameters (AUTOLOG)

(For BMC AMI Security Privileged Access Manager and BMC AMI Security Self Service Password Reset only)

Use the parameters of the AutoStart block to create started tasks that automatically start and stop other address spaces when the server address space is started. You can use this option to configure the product TSO address spaces to perform REXX services on behalf of the server address space.

Parameter

Description

AutoStart

Head of a block of Auto Start definitions

RetryDelay seconds

The time period, in seconds, between retry sequences for starting a TSO address space

RSS attempts to start the specified TSO address spaces every minute. After five failed attempts, RSS waits for the specified time period before starting a new retry sequence. Enter 0 to disable retries after the initial five attempts.

Start sysID procName procStep

Defines the started task

Include the following values:

  • sysID —The TSO address space to be started
  • procName —The procedure name must be a member in the PROCLIB concatenation
  • procStep —The specific procedure in the started task

EndAutoStart

Termination of a block of Auto Start definitions

Email configuration parameters (EMAILDEF)

You can use these parameters when an RSS application tries to generate emails. Emails can be sent directly to an SMTP server or can be routed via the JES spool and processed by standard IBM email systems, such as SMTP and CSSMTP.

The parameters define the default email settings which, except for the SMTPServer address, you can override in the application.

The definitions must be defined within an EmailProfile block:

Parameter

Description

EmailProfile

Head of a block of email defaults definitions

EmailCustomField fieldName

Specifies the name of the RACF custom field that contains the email address of the user

Various RSS applications use this custom field to determine the email address for a specific user.

FromEmail originEmailAddress

Defines the email address to be used as the origin or sender email address

FromName nameOfSender

Defines the name of the email sender

SMTPServer ipAddress

Used to send email directly to an SMTP server

Specify the IP address of the SMTP server.

Subject subjectText

Defines the default email subject text

SysoutClass class|Default

Used to direct emails to the JES spool

Specify either the target sysout class or Default. Default is the equivalent of Sysout=* in JCL.

SysoutDest sysid

Used to direct emails to the JES spool

Specify the ID of the destination system. This must be a valid JES node name on which the IBM SMTP/CSSMTP job is running. This parameter is equivalent to the JCL DEST= statement.

SysoutWriter writerName

Used to direct emails to the JES spool

Specify the external writer name for the IBM SMTP/CSSMTP job. This parameter is equivalent to the JCL DEST=(dest,writername) statement.

EndEmailProfile

Terminates a block of email definitions

Alias table parameters (ALIASTAB)

The alias table is optional and defines alias definitions used by RSS applications and REXX procedures. The alias name is used by the application to translate a generic name into a system-specific value.

The alias definitions must be defined within an AliasTable block:

Parameter

Description

AliasTable

Head of a block of alias definitions

Alias aliasName specificName

Alias name and the specific name it will be translated into

The alias names are defined by the application or REXX procedure using this feature.

EndAliasTable

Termination of a block of alias definitions

Syslogd member configuration parameters (SYSLOGD)

These parameters are required when RSS is to operate as a SyslogD server. The configuration of a remote syslogd server (on z/OS or other operating systems) can specify these details to forward syslogd messages to RSS for post-processing.

The syslogd server definitions must be defined within a SyslogServer block:

Parameter

Description

SyslogServer

Head of a block of syslogd server definitions

IPaddress hostName|ipAddress

Host name or IP address on which the RSS syslogd server listens

Make sure that you use a valid IP address on the LPAR on which RSS is running.

If a syslogd server is already running on the LPAR, you can use a VIPA or application-specific VIPA address to route specific syslogd messages to RSS.

Port port

Defines the UDP port number on which the RSS syslogd server will listen

Typically, the port number is 514.

EndSyslogServer

Termination of a block of syslogd server definitions

Audit log parameters

Use the following audit log parameters to specify the details of the audit log maintained by the RSS server:

Parameter

Description

AuditLogDBName mask

(Optional) Overrides the default HFS or zFS audit log database name format

This parameter is valid only when writing the audit log to a database file.

Specify a valid file name format for the mask. You can include symbolic variables, such as &SYSNAME.

Use the following variables to represent the date on which the file is created:

  • %y—Year in YY format
  • %m—Month in MM format
  • %d—Day in DD format
  • %Y—Year in YYYY format
  • %T—Time in HH:MM:SS format

For example, rss.&SYSNAME..audit%y%m%d.ddname

AuditLogFileName mask

(Optional) Overrides the default HFS/ZFS audit log file name format

This parameter is valid only when writing the audit log to the HFS/ZFS file system.

Specify a valid file name format for the mask. You can include symbolic variables, such as &SYSNAME.

Use the following variables to represent the date on which the file is created:

  • %y—Year in YY format
  • %m—Month in MM format
  • %d—Day in DD format
  • %Y—Year in YYYY format
  • %T—Time in HH:MM:SS format

Example:

rss.&SYSNAME..audit%y%m%d.txt

AuditLogPath pathName

Specify the fully qualified path of the audit log file in the HFS or ZFS file system. The file is created the first time that the RSS server is started.

The RSS server address space must have read/write access to the directory and file.

AuditLogOptions Database | option

Additional AuditLog options to control the type or types of audit log output

If no options are specified, the audit log is written to the SQL database on the path defined on the AuditLogPath statement.

To add more than one option, you must write multiple AuditLogOptions statements and must not add all options to a single AuditLogOptions statement.

Option

Description

Database

(Default) Indicator to write the audit log to the SQL database.

DAILY 

(Optional) Creates a daily audit log even if no activity has occurred

DEST destName

(Optional) Destination name for the dynamically allocated SYSOUT file

FILE

Indicator to write the audit log to a sequential file in the AuditLogPath

A new file is opened each day that some activity has occurred, for example if a user logs on.

SYSOUT class

Indicator to write the audit log to a SYSOUT file with the specified class

You can specify the class as Default.

AuditLogRetention days

Number of days that audit log records are held in the database before they are deleted by RSS
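To collect audit log files during a review, the file name mask can be turned into a matcher. The following added example (not BMC code) expands an AuditLogFileName or AuditLogDBName mask and parses file names back to dates. It assumes the z/OS convention that the period after &SYSNAME ends the symbol, a 20YY century for %y, and hypothetical function names and system name SYSA.

```python
import re
from datetime import date, datetime

# Date variables listed above: (renderer, regex used when matching file names)
DATE_VARS = {
    "y": (lambda t: f"{t.year % 100:02d}", r"(?P<y>\d{2})"),
    "m": (lambda t: f"{t.month:02d}", r"(?P<m>\d{2})"),
    "d": (lambda t: f"{t.day:02d}", r"(?P<d>\d{2})"),
    "Y": (lambda t: f"{t.year:04d}", r"(?P<Y>\d{4})"),
    "T": (lambda t: t.strftime("%H:%M:%S"), r"(?P<T>\d{2}:\d{2}:\d{2})"),
}
SYMBOL = re.compile(r"&([A-Z0-9$#@]+)\.?")   # symbol name plus its ending period
TOKEN = re.compile(r"%([ymdYT])")

def resolve_symbols(mask, symbols):
    # Assumed z/OS behaviour: the first period after the symbol is consumed,
    # so "&SYSNAME..audit" keeps exactly one literal dot. Unknown symbols stay.
    return SYMBOL.sub(lambda m: symbols.get(m.group(1), m.group(0)), mask)

def expand_mask(mask, symbols, when):
    # File name the mask produces for a file created at `when`.
    text = resolve_symbols(mask, symbols)
    return TOKEN.sub(lambda m: DATE_VARS[m.group(1)][0](when), text)

def mask_to_regex(mask, symbols):
    # Literal parts are escaped; each date variable becomes a named group.
    # Assumes each variable appears at most once in the mask.
    parts = TOKEN.split(resolve_symbols(mask, symbols))
    return re.compile("".join(DATE_VARS[p][1] if i % 2 else re.escape(p)
                              for i, p in enumerate(parts)))

def file_date(name, pattern):
    # Creation date encoded in `name`, or None if it does not fit the mask.
    # Assumes the mask carries a year (%y or %Y), %m and %d.
    m = pattern.fullmatch(name)
    if m is None:
        return None
    g = m.groupdict()
    year = int(g["Y"]) if "Y" in g else 2000 + int(g["y"])
    return date(year, int(g["m"]), int(g["d"]))
```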

Custom server configuration parameters

A custom server configuration is required only for custom RSS-based applications. It is not required for any of the BMC-supplied product set.

These parameters define the protocol used by the browser interface and the additional parameters required when using a secured HTTPS connection to the browser.

The custom server parameters must be defined within a CustomServer group:

Parameter

Description

CustomServer

Heads a block of custom server definitions

Handler dllName

This mandatory parameter specifies the name of the DLL routine to handle the custom server operations. This DLL will be supplied as part of the custom project.

IPAddress

The IP address of the custom server

Keyring RACF_keyringName|HFSpath HFSstash

This parameter is relevant only if the custom server communicates over TLS or SSL. For connections secured through AT-TLS, the certificate to be used is defined in the AT-TLS policy.

RSS supports both RACF-based and HFS-based keyrings for private keys and certificates. If you are using these in your installation, specify this parameter to tell RSS where to obtain certificate/password data.

Label certificateLabelName

This parameter is relevant only if the custom server communicates over TLS or SSL. For connections secured through AT-TLS, the certificate to be used is defined in the AT-TLS policy.

Specify the label of the certificate to be used by RSS. If this parameter is omitted, RSS uses the default label in the keyring.

This parameter is case-sensitive and if specified must exactly match the label as originally defined irrespective of the keyring type.

For HFS keyrings, if a single certificate exists, it is assumed to be the default certificate. RACF keyrings have no default certificate unless one of the certificates was added with the DEFAULT keyword. Therefore, for RACF keyrings, the Label parameter might be mandatory.

Port nnnnn

This parameter defines the port on which the custom server listens for incoming connections. You can use any available and valid port number.

Protocol protocol

This parameter defines the protocol used by the custom server. The values supported are defined in the specific custom server definition.

ServerID name

This mandatory parameter assigns a name to this RSS custom server. If multiple custom servers are defined, this name must be unique.

EndCustomServer

Terminates the block of custom server definitions

 
