Administering the RPC Server for CICS IPIC with Local Scripts

The EntireX RPC Server for CICS® IPIC allows standard RPC clients to communicate with CICS programs running on IBM CICS® without installing EntireX components on the mainframe (Zero Footprint). The CICS interface types Channel Container and DFHCOMMAREA are supported.

Customizing the RPC Server
Configuring the RPC Server Side
Configuring the CICS IPIC Side
Using SSL/TLS with the RPC Server
Starting the RPC Server
Stopping the RPC Server
Pinging the RPC Server
Running an EntireX RPC Server as a Windows Service
Application Identification

Customizing the RPC Server

The following are used to set up the RPC Server for CICS IPIC:

Configuration File
Start Script

Configuration File

The default name of the configuration file is entirex.cicsipic.properties. The RPC Server for CICS IPIC searches for this file in the current working directory.

You can set the name of the configuration file with -Dentirex.server.properties=<your file name> with "/" as file separator.

The configuration file contains the configuration for both parts of the RPC Server for CICS IPIC.

graphics/ipicRpc_config.png

Configuring more than one RPC Server

If you configure more than one RPC Server for CICS IPIC that connect to the same broker, the following items must be distinct:

the trace output file (property entirex.server.logfile)
the log for the Windows Service (property entirex.server.serverlog)

Start Script

The start script for the RPC Server for CICS IPIC is called cicsipicserver.bsh (Linux) or cicsipicserver.bat (Windows) and is provided in the bin folder of the installation directory. You may customize this file.

Configuring the RPC Server Side

The RPC Server for CICS IPIC uses the properties that start with "entirex.server" for configuring the RPC server side.

Alternatively to the properties, you can use the command-line options. These have a higher priority than the properties set as Java system properties, and these have higher priority than the properties in the configuration file.

Property Name Command-line Option Default Explanation

entirex.server.brokerid -broker localhost Broker ID. More info

entirex.server.serveraddress -server RPC/SRV1/CALLNAT Server address.

entirex.server.userid -user RPCServer The user ID for access to the broker.

entirex.server.fixedservers

no

NO The number of worker threads balances between what is specified in entirex.server.minservers and what is specified in entirex.server.maxservers. This is done by a so-called attach thread. At startup, the number of worker threads is the number specified in entirex.server.minservers. A new worker thread starts if the broker has more requests than there are worker threads waiting. If more than the number specified in entirex.server.minservers are waiting for requests, a worker thread stops if its receive call times out. The timeout period is configured with entirex.server.waitserver.
See worker model DYNAMIC.

YES The number of worker threads specified in entirex.server.minservers is started and the server can process this number of parallel requests.
See worker model FIXED.

entirex.server.minservers 1 Minimum number of server threads.

entirex.server.maxservers 32 Maximum number of server threads.

entirex.server.restartcycles -restartcycles 15 Number of restart attempts if the Broker is not available. This can be used to keep the RPC Server for CICS IPIC running while the Broker is down for a short time.

entirex.server.password

-password

yes

The password for secured access to the broker. The password is encrypted and written to the property entirex.server.password.e.

To change the password, set the new password in the properties file.
To disable password encryption, set entirex.server.passwordencrypt=no. Default=yes.

entirex.server.security -security no Valid values:
no | yes | auto | name of BrokerSecurity object.

entirex.server.compresslevel

-compresslevel

0 (no compression)

Enter the text or the numeric value:

`BEST_COMPRESSION`	`9`
`BEST_SPEED`	`1`
`DEFAULT_COMPRESSION` (mapped to	`-1` `6`)
`DEFLATED`	`8`
`NO_COMPRESSION`	`0`
`N`	`0`
`Y`	`8`

More info

entirex.server.waitattach 600S Wait timeout for the attach server thread.

entirex.server.waitserver 300S Wait timeout for the worker threads.

entirex.timeout 20 TCP/IP transport timeout. More info

-help Display usage of the command-line parameters.

entirex.server.logfile -logfile standard output Name of the log file.

entirex.trace

-trace

0

Trace level. graphics/toc_closed.png

More info

0	No tracing, default.
1	Trace all broker calls and other major actions.
2	Dump the send and receive buffer.
3	Dump the buffers sent to the broker and received from the broker.

Configuring the CICS IPIC Side

These properties are used to configure the connection to CICS IPIC.

Alternatively, you can use the command-line options. These have a higher priority than the properties set as Java system properties, and these have higher priority than the properties in the configuration file.

Name	Default Value	Explanation
`cics.ipic.host`		Host name or IP address where CICS is running.
`cics.ipic.port`		TCP or SSL port number (1-65535) of CICS IPIC.
`cics.ipic.transaction`	`CPMI`	Transaction ID (1-4 chars). Name of the CICS mirror transaction that will receive transactions.
`cics.ipic.networkid`		Client Network ID (max. 8 chars) to match target IPCONN. See your IBM documentation for more information.
`cics.ipic.applid`		Client Application ID (max. 8 chars) to match target IPCONN. See your IBM documentation for more information.
`cics.ipic.sendsessions`	`100`	Number of simultaneous transactions (1-999) allowed over the CICS connection. See your IBM documentation for more information.
`entirex.bridge.targetencoding`	`cp037`	Specify the appropriate EBCDIC encoding used by your CICS installation. Default is codepage `cp037` with full Latin-1 character set.
`cics.ipic.sockettimeout`	`10000`	Socket timeout for connection to CICS IPIC (in milliseconds).
`cics.ipic.userid`		The user ID (max. 8 chars) as defined in your underlying mainframe security system (e.g. RACF).
`cics.ipic.password`	`yes`	Password/passphrase as defined in your underlying mainframe security system (e.g. RACF). The password or passphrase is encrypted and written to the property `cics.ipic.password.e`. To change the password or passphrase, set the new password in the properties file. To disable password, passphrase and/or secured signon key encryption, set entirex.server.passwordencrypt=no.
`cics.ipic.sslparams`		SSL parameters. Same syntax as Broker ID.
`cics.ipic.application.name ⁽¹⁾`		Required if PassTicket is to be used instead of a password. Application name (1-8 chars) as defined in your RACF system. This property is ignored if RACF password is set.
`cics.ipic.secured.signonkey ⁽¹⁾`	`yes`	Required if PassTicket is to be used instead of a password. Secured signon key as defined in your RACF system. Must be exactly 16 characters long. The secured signon key is encrypted and written to the property `cics.slipic.secured.signonkey.e`. To change the secured signon key, set the new secured signon key in the properties file. To disable password, passphrase and/or secured signon key encryption, set entirex.server.passwordencrypt=no. This property is ignored if `cics.ipic.password` is set.

Notes:

By default, PassTickets can only be used once during a one-second time interval. They are protected against replay. This limits the workload to one request per second.

Warning:
IBM provides a mechanism to bypass the PassTicket's replay mechanism, allowing higher workloads, but this introduces security risks. The option to bypass the PassTicket's replay mechanism should only be used in secure environments where access to generated PassTickets is limited to a secure or internal network. See your IBM documentation for more information.

Using SSL/TLS with the RPC Server

To use SSL with the RPC Server for CICS IPIC, you need to configure two sides:

CICS Side
See parameter cics.sl.sslparams.
RPC Server Side
RPC servers can use Secure Sockets Layer/Transport Layer Security (SSL/TLS) as the transport medium. The term "SSL" in this section refers to both SSL and TLS. RPC-based servers are always SSL clients. The SSL server can be either the EntireX Broker or Broker SSL Agent. For an introduction see SSL/TLS, HTTP(S), and Certificates with EntireX in the platform-independent Administration documentation.

To use SSL
1. To operate with SSL, certificates need to be provided and maintained. Depending on the platform, Software AG provides sample certificates, but we strongly recommend that you create your own. See SSL/TLS Sample Certificates Delivered with EntireX in the EntireX Security documentation.
2. Set up the RPC Server for CICS IPIC for an SSL connection.
  
  Use the URL-style Broker ID with protocol ssl:// for the Broker ID. If no port number is specified, port 1958 is used as default. Example:
```
ssl://localhost:22101?trust_store=C:\SoftwareAG\EntireX\etc\ExxCACert.p12&trust_passwd=ExxCACert&verify_server=no
```
  If the SSL client checks the validity of the SSL server only, this is known as one-way SSL. Two SSL parameters must be specified on the SSL client side: trust_store and trust_passwd. The mandatory trust_store parameter specifies the file name of a PKCS#12 certificate store that must contain the certificate chain of the trusted certificate authority (CA) that issued the SSL server's certificate.
  To unlock this certificate store, the password has to be set with SSL parameter trust_passwd.
  By default a check is made that the certificate of the SSL server is issued for the hostname specified in the Broker ID. The common name of the subject entry in the server's certificate is checked against the hostname. If they do not match, the connection will be refused.
  You can disable this check with SSL parameter verify_server=no.
  
  If the SSL server additionally checks the identity of the SSL client, this is known as two-way SSL. In this case the SSL server requests a client certificate (the parameter verify_client=yes is defined in the configuration of the SSL server). Two additional SSL parameters must be specified on the SSL client side: key_store and key_passwd. This keystore must contain the private key of the SSL client. The password that protects the private key is specified with key_passwd.
  
  The ampersand (&) character cannot appear in the password.
  
  SSL parameters are separated by ampersand (&). See also SSL/TLS Parameters for SSL Clients.
3. Make sure the SSL server to which the RPC side connects is prepared for SSL connections as well. The SSL server can be EntireX Broker or Broker SSL Agent. See:
  - Running Broker with SSL/TLS Transport under z/OS | Linux | Windows
  - Broker SSL Agent (Linux | Windows)

Starting the RPC Server

Start of instruction set To start the RPC Server for CICS IPIC

Use the Start Script.

Stopping the RPC Server

Start of instruction set To stop the RPC Server for CICS IPIC

Use the command stopService. See Stop Running Services in Command Central's Command-line Interface.

Or:
Stop the service using Command Central's Graphical User Interface. See Stopping a Service.

Or:
Use the command-line utility etbcmd. See ETBCMD under z/OS | Linux | Windows | BS2000.

Or:
Use CTRL-C in the session where you started the RPC server instance.

Or:
Under Linux, enter command kill -process-id.

Pinging the RPC Server

Start of instruction set To ping the RPC Server for CICS IPIC

Enter the following command:

java -classpath "$EXXDIR/classes/entirex.jar" com.softwareag.entirex.rpcping.RPCServerPing -p <admin_port>

where admin_port is the number of the administration port.

The ping command returns "0" if the server is reachable, and "1" if the server cannot be accessed.

Running an EntireX RPC Server as a Windows Service

For general information see Running an EntireX RPC Server as a Windows Service in the Windows Administration documentation.

Start of instruction set To run the RPC Server for CICS IPIC as a Windows Service

Customize the Start Script according to your system installation.

See also Starting the RPC Server.
Test your RPC server to see whether it will start if you run your script file.
Use the EntireX RPC Service Tool and install the RPCService with some meaningful extension, for example MyServer. If your Start Script is cicsipicserver.bat, the command will be
```
RPCService -install -ext MyServer -script install_path\EntireX\bin\cicsipicserver.bat
```
The log file will be called RPCservice_MyServer.log.
In Windows Services menu (Control Panel > Administrative Tools > Services) select the service: Software AG EntireX RPC Service [MyServer] and change the property Startup Type from "Manual" to "Automatic".

Application Identification

The application identification is sent from the RPC Server for CICS IPIC to the Broker. It is visible with Broker Command and Information Services.

The identification consists of four parts: name, node, type, and version. These four parts are sent with each Broker call and are visible in the trace information.

For the RPC Server for CICS IPIC, these values are:

Identification Part	Value
Application name	`ANAME=RPC Server for CICS IPIC`
Node name	`ANODE=<host name>`
Application type	`ATYPE=Java`
Version	`AVERS=10.9.0.0`