To run RCE on a system, the only prerequisite is an installed Java Runtime Environment
(JRE), version 8u161 or above. If you do not already have one on your machine, you can download it from
and install
it. Starting with RCE 8.x we only publish 64 bit packages of RCE. Therefore, please
make sure to install the 64 bit version of the JRE.http://www.java.com/download/
Some pre-installed components of RCE have additional dependencies. Please refer to Section 2.3 (Workflow Components) for more details.
Any software can be tampered with by a malicious attacker. For RCE, the consequences of such tampering may be worse than with other software, since its intended behavior already includes executing arbitrary processes, opening outgoing network connections, and listening for incoming ones. One common safeguard against such tampering is software signing. If the developers sign a software artifact, e.g., a zip-archive or an executable file, the user can verify the signature. This verification confirms that the artifact downloaded onto their machine is identical to the artifact prepared by the software developers and has not been tampered with.
In order to sign a software artifact, the developers combine the artifact and a so-called signing key to form a signature file. The user can then verify the signature using the artifact, the signature file, and a part of the signing key that can only be used for verification, but not for signing. A technical introduction to the minutiae of software signing is out of the scope of this user guide and we refer to the literature for more information on this topic.
While verifying the downloaded artifact is optional, we strongly recommend doing so.
In order to verify the signature of a software, you require
the artifact that you want to verify (in this case a .zip-file)
a signature file provided by the signer (in this case provided by us)
the verification part of the signing key.
You can find the former two items at https://rcenvironment.de under the menu
item Download. The signature file is called SHA256SUM.asc
and is available in the same directory as the artifacts.
The latter item, i.e., the signing key, is not available via https://rcenvironment.de or linked to in this
user guide on purpose: Recall that the purpose of software signing is to protect against
compromised communication channels between developers and users. Thus, if the artifact,
the signatures, and the signing key were available at the same location, an attacker
that takes control over that location could easily forge all three components.
One common way to distribute such keyfiles is via so-called public keyservers. We have
thus published the signing key for RCE at the SKS-keyservers (https://sks-keyservers.net/). In case you
are unable to access those keyservers, we have furthermore published the keyfile via
https://github.com in the repository called
rce-signing owned by the organization rcenvironment.
Please verify the integrity of the obtained keyfile by checking its fingerprint against
the one published by us via a trusted channel (e.g., the RCE Twitter account). We omit
giving direct links as well as the key's fingerprint here on purpose. This slightly
decreases the chance of attackers directing you toward a forged key.
The precise steps required for signature verification differ from system to system. Commonly, key retrieval and verification is handled by gpg4win (available at https://www.gpg4win.org). Please refer to its documentation in order to verify your downloaded software artifact.
On Windows, we provide a single .zip-file to set up both client and server installations. This file is available at
https://software.dlr.de/updates/rce/10.x/products/standard/releases/latest/zip/Installing RCE amounts to simply extracting the zip file to a location on your file system.
Due to restrictions of the standard Windows file system (NTFS), you should choose a destination path that is as short as possible. Long paths are known to cause problems, as some RCE files may not be properly extracted from the zip file.
To use RCE with a graphical user interface (GUI), simply start the "rce" executable from Windows Explorer. Optionally, create a desktop icon from the right-click menu using the "send to > desktop" option.
Once your RCE instance has started, you can open the configuration file with the menu option "Configuration > Open Configuration File". Edit the file, save it, and then restart RCE using the "File > Restart" menu option to apply the changes. There are configuration templates and other information available via the "Configuration > Open Configuration Information" option. The available configuration settings are described in the configuration chapter.
RCE can also be run from the command line without a graphical user interface (which is called "headless" mode), which uses less system resources and is therefore recommended when the GUI is not needed.
To run a headless RCE instance, open a command prompt and run the command
rce --headless -console
While RCE is running, you can
enter various console commands described in Section 3.3, “Commands”; note that
you need to prefix all RCE commands with "rce" here. To perform a clean shutdown, for
example, type rce stop and press enter.
For ad-hoc or temporary RCE network setups, running a headless RCE from the command line is perfectly fine. For more permanent installations, however, we recommend installing RCE as a Windows service instead. This has the advantage that RCE automatically shuts down when the server is shut down, and automatically restarts when the server does.
Executing the following steps will install RCE as service. An RCE service will start automatically on system boot and stop before system shutdown.
Navigate to the extras\windows_service folder inside your
installation folder of RCE named rce
Open the file install_as_service.bat and adjust these
settings:
Set RCE_ROOT_PATH to the location of your RCE installation (typically, the location which you are editing these files in). RCE must already be present (and unpacked) in this location; the daemon installer does not copy any files there.
Set RCE_SERVICE_USER to the name of the existing user account that the RCE service should run as.
This user account will be used to run RCE and all local tools that are invoked by it. Make sure that this user has appropriate system permissions to run these tools' executables, and read/write all related files.
Execute with administrator rights
install_as_service.bat
by double-clicking or on the command line
Open the Windows Service Managment Console (e.g. execute "services.msc" on the command line)
Look for entry "RCE Service", do a right-click and click "Properties"
Click on the "Log On" tab and fill in the correspondig password for the user account set to the RCE_SERVICE_USER variable. By clicking the "Apply" button a message should inform you that the privilege to "Log on as service" was added to the account.
To add the "Log on as a service" right to an account on your local computer manually:
Open Local Security Policy.
In the console tree, double-click Local Policies, and then click User Rights Assignments.
In the details pane, double-click Log on as a service.
Click Add User or Group and add the appropriate account to the list of accounts that possess the Log on as a service right.
Close the properties dialog by clicking "Ok"
To manually start the RCE service:
Open the Windows Service Managment Console (e.g. execute
services.msc on the command line)
Right-click on the entry "RCE Service" and select "Start"
To stop the RCE service:
Open the Windows Service Managment Console (e.g. execute
services.msc on the command line)
Right-click on the entry "RCE Service" and select "Stop"
To uninstall the RCE service:
Navigate to the extras\windows_service folder inside your
installation folder of RCE named rce
Open the file uninstall_service.bat and set the absolute
path of the variable RCE_ROOT_PATH to the location of your RCE
installation
Execute with administrator rights
uninstall_service.bat
by double-clicking or on the command line
After installation, the service instance will be started automatically. This will create a default configuration file if it does not exist yet.
To configure the service instance, locate the RCE configuration file
in the service user's home directory - by default, it is located at
C:\users\<user id>\.rce\default\configuration.json. Edit this
file and restart the service to apply the changes.
For importing SSH credentials and authorization group keys into a service, please refer to section Section 2.2.5, “Importing authorization data without GUI access”. As of RCE 10, file-based imports are only processed on startup, so a restart is required for this, too.
The need to restart the service is temporary; future versions of RCE will apply configuration changes as soon as configuration files are changed or new import files are placed in the respective folders.