Follow

EBP Configuration

Introduction

This is part of the Heirloom Computing EBP Elastic Batch Platform forum on paas.heirloomcomputing.com

Configuration parameters may be set by modifying the ebp.properties file in the Web application deployment directory or by using the config Web service. Configuration settings persist until and unless the EBP subsystem is redeployed under the application server. Below is a list of settable configurations.

Warning:  Updating Elastic Batch Platform to a new version will replace your ebp.properties file with the default for that version, removing existing settings.  Use the SAVE button to save configurations and LOAD button after the upgrade.  See Configuration Web Page for more info.

Resource Access Control EBP feature to perform authentication and authoration is enabled when rac.xxxx settings below configured and EBP is running under a secure server requiring changes to the EBP web.xml deployment descriptor.  See Operating EBP in a Security Environment for more info.  Defaults assume local OpenLDAP server operating in anonymous authentication mode (bind protocol) with users, groups (roles) and resources (datasets) adhering to InetOrgPerson LDAP schema.

Parm Description Units, Default
messages Indicates whether messages are generated on the application server's output and error logs. yes|no. Default yes
errorlevel Indicates the level of error messages reported on the application server's output and error logs. Specified asS, E, W, I or D for severe, error, warning, informational, or debugging message level  I
tempspool Specifies the default location of temporary datasets and working directories for running programs. temp_spool
jobspool Specifies the default input spool directory. This directory holds submitted datasets. job_input_queue
outputspool Specifies the default output spool directory. This directory holds output datasets associated with SYSOUT=class DD cards or standard out and error files for scripts and command line programs. job_output_queue
systemlib.n Specifies locations of system library directories where main programs on the EXEC PGM= statement may be found. For example, "systemlib.9=/usr/bin" would allow "EXEC=echo,PARM='hi'" to execute Linux echo command. May be directories or Java packages. May contain environment variables, which themselves may be path-separated (e.g., $PATH).  Special variable $HOME is the Web server's deployment home directory. com.heirloomcomputing.pgm, /data
datalib.n Specifies the location where datasets referenced on DD cards may be found. May contain environment variables.  Special variable $HOME is the Web server's deployment home directory. /data
jcllib.n Specifies the location where system cataloged procedures referenced in EXEC PROC steps are found. May contain environment variables.  Special variable $HOME is the Web server's deployment home directory. $HOME/jcl_system_lib
classlib.n Specifies the CLASSPATH entries passed to programs such as ecobol and java that have a '-cp' option.  They are Java path-separator separated entries of which are either a directory (containing .class files) and jar files.  The Linux path separator is colon and the Windows path separator is semicolon.  For example, "classlib.4=/usr/local/lib/postgresql-9.2-1003.jdbc4.jar:/usr/local/lib/db2jcc4.jar:/home/bud/myclassfiles".
Note J2EE servers and servlet containers such as Tomcat often do not pass $CLASSPATH environment variables through to applications. You may need to explicitly set the directory.
$CLASSPATH
javajarcommand Command to issue to start programs that are contained in a jar file, such as the COBOL executables. java -jar
javacommand Command to issue to start programs that are found ending in .class, such standard utilities. java
ebpstartcommand A command that sets operating system resource restrictions before starting the Java, Python or executable specified on the EXEC card. CPU time specifications in job class and JOB and STEP cards are regulated by EBP with this "wrapper." OS-specific versions are distributed with EBP but must be specified here as a relative path, e.g., "../../bin/ebpstart_Linuxx86_64". Where applicable, other job class restrictions are also enforced this way. Default is no setting -- CPU time specifications are not enforced.  
pythoncommand Command issued to start scripts that are running under a Python interpreter class and by TSO for % Python scripts (found in SYSEXEC DD datasets with .PY suffix). scripts should start with "#!/usr/bin/python" and contain job parameters on the second line, "# //MYJOB JOB 111,CLASS=P" python
shellcommand Command issued to start scripts that are running under a Shell interpreter class and by TSO for % Shell scripts (found in SYSEXEC DD datasets with .sh suffix). scripts should start with "#!/bin/sh", "#!/bin/bash" to indicate the interpreter and contain job parameters on the second line, "# //MYJOB JOB 111,CLASS=P" sh
rexxcommand Command issued by TSO for % REXX scripts (found in SYSEXEC DD datasets with any other suffix) rexx
parmcount As parameters are passed to a program through a JCL PARM= clause of an EXEC, they can be divided into UNIX style argc/argv parameters (based on splitting the parm by spaces) or remain one large character string. This controls the number of args that will be passed to the program. Use 1 for IBM MVS compatibiltiy and 256 for Linux/UNIX compatibility. number 1-256, Default 256
parmempty As parameters are passed to a program through a JCL PARM= clause of an EXEC, parameters evaluating to "" (no value) may be passed either as a single zero-length argument or no argument at all. Use no for IBM MVS compatibility and yes for Linux/UNIX compatibility. yes|no, Default no.
output.XXXX Output class specifiers, by class name (ABC) or DEFAULT when an class configuration is not defined.  The value for each may be none (discard), log log-name (Java log4j to log-name), lpr parms (pipe to lpr), or an arbitrary command, arguments and redirection specification such as cat >>afile (save to file)

DEFAULT=hold
L=log
P=lpr
Y=hold
Z=none

parmlib.XXXX Various user-definable PARMLIB values, such as a company wide DEPT code of 3250. None
alias.XXXX Replace EXEC PGM names with aliases, such as SORT having a value SYNCSORT, to force SYNCSORT as the default over Linux sort  
application Schedule tasks for this application name from 'hciservice' portal; '*' all tasks my-scheduled-tasks
hciservice RESTful service end-point for cloud (global or local) scheduler https://paas.heirloomcomputing.com/rest/2015-02-01/
maxjobage Automatically purge completed jobs after an amount of time in minutes 0 (never purge)
newdsndirectory New DSNs created as directory hierarchies; 'A.B.C(D)' becomes 'A/B/C/D' if yes, 'A.B.C/D' if no no
newdsnlowercase New DSNs created as lower case; 'A.B.C(D)' becomes 'a/b/c/D' or 'a.b.c/D' if yes no
quiesced System is in Quiesced state (read only) no
scheduling Currently polling scheduler for incoming jobs (read only) yes
scheduler Poll the scheduler at 'hciservice' every few seconds yes
taskscope Scope of tasks to be retrieved from scheduler (user, group or all) based on subscriber ID user
ebpplexnode When operating a multi-node EBP (EBP-Plex), the Web service location of this node (e.g., http://10.20.30.40:8080/ebp)  
ebpplexpeer When operating a multi-node EBP, the Web service location of one other node in the EBP-Plex (e.g., http://10.20.30.41:8080/ebp)  
ebpplexauth When operating a multi-node EBP, the basic HTTP authentication string (before encryption) used between secure servers (e.g., "myuser:mypassword").  
immediatesymbol
replacement
Replace symbolic parameters (e.g., &DEPT) inside immediate file (DD *) data if yes no
jobstepdelay Delay up to n milliseconds between steps within a job 100 (0.1sec)
jobdelay Delay up to n milliseconds between jobs within an initiator 10000 (10sec)
initiatordelay Delay up to n milliseconds while idle or quiesced initiators look for jobs 30000 (30sec)
sysname Banner setting on console and logs HCI EBP
language International locale codes indicating alternative EBP error message language (set to blank to use server/JVM locale) en
country International locale codes indicating alternative EBP error message files (set to blank to use server/JVM locale) US
timezone Timezone for dates within MSG and SYSOUT dataset messages GMT
builddate EBP Build Date (read only)  
buildversion EBP Build Version (read only)  
rac.alternateurl If a socket connection can not be made to the provider at the connectionurl an attempt will be made to use the alternateurl.

 
rac.authentication A string specifying the type of authentication to use. "none", "simple", "strong" or a provider specific definition can be used. If no value is given the providers default is used  
rac.cachesize Cache in memory the most recently used resource access permissions and users (separately) up to this number of entries 5000
rac.cachetime Cache in memory the resource access permissions and user authentications for a period of time before checking again with the directory server for updates.
Note:  Some Java App Servers also have caching, which may have to be disabled for the RAC settings to have a practical effect, e.g. WildFly cache-type.
480 minutes
rac.class The RAC module adhering to the com.heirloomcomputing.ecc.IRAC interface that will be instantiated to handle authorization and authentication requests from EBP or ETP. com.heirloomcomputing.ecc.RAC
rac.classpath The classpath to a jar file used to locate the rac.class if the JEE Application Server or Servlet Container class path settings aren't already including a path to the RAC module.  
rac.commonrole A role name assigned to each successfully authenticated user in addition to the roles retrieved from LDAP. If not specified, only the roles retrieved via LDAP are used  
rac.connectionname The directory distinguished name (i.e., cn=Manager,dc=my-domain,dc=com) to use when establishing a connection to the directory for LDAP search operations. If not specified an anonymous connection is made, which is often sufficient unless you specify the userpassword property  
rac.connectionpassword The directory password to use when establishing a connection to the directory for LDAP search operations. If not specified an anonymous connection is made, which is often sufficient unless you specify the userpassword property  
rac.connectiontimeout The timeout in milliseconds to use when establishing the connection to the LDAP directory 5000 (5 seconds)
rac.connectionurl The connection URL to be passed to the JNDI driver when establishing a connection to the directory ldap://localhost:389
rac.contextfactory Fully qualified Java class name of the factory class used to acquire our JNDI InitialContext com.sun.jndi.ldap.LdapCtxFactory
rac.protocol A string specifying the security protocol to used  ldap
rac.debug Set to 'true' if you want detailed LDAP communication messages on the EBP log. Requires errorlevel to be 'D'  false
rac.resourcename The attribute name that designates the name of the resource cn
rac.resourcebase The base directory entry for performing resource searches. If not specified the top-level element in the directory context will be used. If includes pattern replacements "{0}" indicating the resource name, "{1}" indicating one of the resourcetypes corresponding to this RAC request and, optionally, "{2}".."{n}" corresponding to the name parts of the authenticated user's distinguished name (as returned by javax.naming.Name.get()) cn={0},ou={1},dc=my-domain,dc=com
rac.resourcememberattribute The name of the attribute that contains group names and their permission rules. uniqueMember
rac.resourceruleattribute The name of the attribute on the resource and within the members defining the permission rules for that resource or member businessCategory
rac.resourcesearch he directory lookup search pattern to use, where {0} is substituted with a resource name (uniqueMember={0})
rac.resourcesearchasuser When searching for user resources, should the search be performed as the authenticated user? If false, connectionname and connectionpassword will be used if specified, else an anonymous lookup is performed. If not specified, the default value of false is used. false
rac.resourcetypes Set to a comma-separated list of attribute names for the controlled resource types DD dataset names, JOB input class, SYSOUT output class datasets,jobclasses,outputclasses, transactions
rac.rgbase The base directory entry for performing resource group searches. If not specified the top-level element in the directory context will be used. If specified it may optionally include pattern replacements "{0}".."{n}" corresponding to the name parts of the user's distinguished name (as returned by javax.naming.Name.get()) ou=groups,dc=my-domain,dc=com
rac.rgmemberattribute The attribute name for the member uniqueMember
rac.rgname The name of the attribute that contains resource group names in the directory entries found by a resource group search cn
rac.rgruleattribute The attribute name for the access rule businessCategory
rac.rgsearch The LDAP filter expression used for performing resource group searches. Use {0} to substitute the distinguished name (DN) of the user. (uniqueMember={0})
rac.rolebase The base directory entry for performing role searches. If not specified the top-level element in the directory context will be used. If specified it may optionally include pattern replacements "{0}".."{n}" corresponding to the name parts of the user's distinguished name (as returned by javax.naming.Name.get()) ou=groups,dc=my-domain,dc=com
rac.rolename The name of the attribute that contains role names in the directory entries found by a role search. In addition you can use the userrolename property to specify the name of an attribute, in the user's entry, containing additional role names cn
rac.roleested Set to true if you want to nest roles into roles. When a role search is performed and the value of this property is true, the search will be repeated recursively to find all the roles that belong to the user either directly or indirectly. If not specified, the default value of false is used false
rac.rolesearch The LDAP filter expression used for performing role searches. Use {0} to substitute the distinguished name (DN) of the user, and/or {1} to substitute the username, and/or {2} for the value of an attribute from the user's directory entry, of the authenticated user. The name of the attribute that provides the value for {2} is configured by the userroleattribute property. When rolenested property is true, this filter expression will be also used to recursively search for other roles, which indirectly belong to this user. To find the roles that match the newly found role, the following values are used: {0} is substituted by the distinguished name of the newly found role, and both {1} and {2} are substituted by the name of the role (see the rolename property). The userroleattribute property is not applicable to this search. If this property is not specified, a role search does not take place and roles are taken only from the attribute in the user's entry specified by the userrolename property  
rac.rolesearchasuser When searching for user roles, should the search be performed as the user currently being authenticated? If false, connectionname and connectionpassword will be used if specified, else an anonymous. If not specified, the default value of false is used. Note that when accessing the directory using delegated credentials, this attribute is always ignored and the search is performed using the delegated credentials  false
rac.rolesubtree Set to true if you want to search the entire subtree of the element specified by the rolebase property for role entries associated with the user. The default value of false causes only the top level to be searched false
rac.sizelimit Specifies the maximum number of records to return when using the usersearch attribute 0, no limit
rac.timelimit Specifies the time (in milliseconds) to wait for records to be returned when using the usersearch attribute 0, no limit
rac.userbase The base element for user searches performed using the usersearch expression. Not used if you are using the userpattern expression unless EBP will be called upon to authorize resource access without users being authenticated first -- which happens if jobs submitted by one user are run under another or if EBP restarts between a job is submitted and the time it is executed  ou=people,dc=my-domain,dc=com
rac.userpassword Name of the attribute in the user's entry containing the user's password. If you specify this value, JNDIRealm will bind to the directory using the values specified by connectionname and connectionpassword properties, and retrieve the corresponding attribute for comparison to the value specified by the user being authenticated. If you do not specify this value, JNDIRealm will attempt a simple bind to the directory using the DN of the user's entry and the password presented by the user, with a successful bind being interpreted as an authenticated user  
rac.userpattern Pattern for the distinguished name (DN) of the user's directory entry, with {0} marking where the actual username should be inserted. You can use this property instead of usersearch, usersubtree and userBase when the distinguished name contains the username and is otherwise the same for all users. Note that when accessing the directory using delegated credentials, this attribute is always ignored and usersearch, usersubtree and userbase are always used instead uid={0},ou=people,dc=my-domain,dc=com
rac.userrolename The name of an attribute in the user's directory entry containing zero or more values for the names of roles assigned to this user. In addition you can use the rolename property to specify the name of an attribute to be retrieved from individual role entries found by searching the directory. If userrolename is not specified all the roles for a user derive from the role search  
rac.userroleattribute The name of an attribute in the user's directory entry containing the value that you wish to use when you search for roles. This is especially useful for RFC 2307 where the role memberUid can be the uid or the uidNumber of the user. This value will be marked as {2} in your role search filter expression. This value will NOT be available for nested role searches  
rac.usersearch The LDAP filter expression to use when searching for a user's directory entry, with {0} marking where the actual username should be inserted. Use this property (along with the userbase and usersubtree properties) instead of userpattern to search the directory for the user's entry. required if EBP jobs will authorize without users actually being authenticated with bind mode first.   (uid={0})
rac.usersearchasuser When searching for a user's entry, should the search be performed as the user currently being authenticated? If false, connectionname and connectionpassword will be used if specified, else an anonymous. If not specified, the default value of false is used. Note that when accessing the directory using delegated credentials, this attribute is always ignored and the search is performed using the delegated credentials  
rac.usersubtree Set to true if you want to search the entire subtree of the element specified by the userbase property for the user's entry. The default value of false causes only the top level to be searched. Not used if you are using the userpattern expression  

 Configuration Web Page

The default index page for EBP is a simple user interface into the EBP Web Services.  The config Web service section contains elements for each of the configurations listed above:

ebp-config.png 

Use the OK button to change configuration settings.  For example, adding an additional class library for the MySQL JDBC driver (shown). The SHOW button displays the current values of most items.  To show all parmlib settings, select that check box and use the OK button.  

The form won't update empty fields.  To delete an entry, enter at least one blank before submitting the form.

Not all configuration settings have an input field on this form.  For others (such as changing the default "java" command), update the Other property name and value fields (e.g., javacommand and /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java).

You may want to occasionally backup your EBP configurations, such as when upgrading from one version to the next.  Normally, when upgrading EBP all settings are reverted to their default setting.  Use the SAVE button to save the current configuration in your local file named "config" (your browser may pop-up a dialog box allowing you to rename it).  After upgrading EBP, use CHOOSE FILE to locate that file on disk and LOAD to upload it to EBP.

 

Symbolics and the PARMLIB

Symbolics are available to JCL in the PARMLIB and are referenced with &NAME.  You can set symbolics with the SET statement and initial procedure parameter values on the PROC statement or through the configuration setting parmlib.NAME.  Certain symbolics are "built in" to EBP and generally follow all of those supported by IBM JCL.  The following is list of the built-in symbolics, including some EBP extensions to the standard set.  You can reference the &NAME within an "immediate" file if the configuration flag immediatesymbolreplacement is set. 

 Symbolic Description Origin Example
DATE The current date JES 20160101
DAY The current date JES 31
DS  Thje DS code JES 601
DEPT Your department name (example symbolic) EBP IT
HHMMSS The current time JES 125959
HR The current time JES 12
JDAY The current time in Julian format JES 364
JOBID The currently executing job ID HCI JOB12345
JOBNAME The currently executing job name JES MYJOB
LDATE The current local (timezone) date JES 16.12
LDAY The current local (timezone) date JES 31
LHHMMSS The current local (timezone) time JES 125959
LHR The current local (timezone) time JES  12
LJDAY The current local (timezone) Julian date JES 364
LMIN The current local (timezone) time JES 59
LMON The current local (timezone) date JES 06
LSEC The current local (timezone) time JES 59
LTIME The current local (timezone) time JES 125959
LWDAY The current local (timezone) date JES 3
LYR2 The current local (timezone) date JES 16
LYR4 The current local (timezone) date JES 2016
LYYMMDD The current local (timezone) date JES 161231
MIN The current time JES 59
MON The current date JES 06
SEC The current time JES 59
SEQ A ever increasing sequence number JES 10001
STEPNAME The currently executing step name EBP STEP01
SYSALVL The architecture level of the system (J for Java) JES J
SYSCLONE Shorthand notation for the name of the system JES HC
SYSGID The current group JES EBP
SYSNAME The name of the system JES HCIEBP
SYSPLEX The name of the SYSPLEX JES HCIEBP
SYSR1 The IPL Volume Serial name JES HCI001
SYSUID The current user JES EBP
TIME The current time JES 03
WDAY The current date JES 3
YR2 The current date JES 16
YR4 The current date JES 2016
YYMMDD The current date JES 161231

 

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk