Each instance of RCE reads its configurations from the profile
directory, or profile for short. In this document, if the
distinction is irrelevant or clear from context, we use these terms interchangeably. On
Linux systems, the
profile is, by default, located in the main RCE directory
~/.rce/default, where ~ denotes the path to your
home directory. Normally, this is /home/<username>/.
If this directory or any of its parent directories do not exist, RCE creates them at first
startup and populates them with a default configuration. RCE creates the directory
.rce as a hidden directory. Thus, you will have to enable the display of
hidden directories in order to see that directory.
Since RCE uses the profile directory to load its configuration at startup, it is not
possible to change the profile directory at runtime. Instead, when running RCE via the
commandline, you can use the commandline switch -p to change the profile at
startup. Currently, there is no way to select the profile via the graphical interface of
RCE.
You can temporarily (i.e., for a single execution of RCE) change the profile directory
by supplying its path as a parameter for the commandline switch -p. If you
supply a relative path (i.e., one not starting with /), RCE resolves that path relative to its main
directory, i.e., to ~/.rce. If you supply an absolute path, RCE treats that
path as the path to its profile directory.
Note
You can change the path to which RCE resolves relative profile directories by
editing the file rce.ini in the main folder of your RCE installation. Add the
line -Drce.profiles.parentDir="<directory>" and replace
<directory> with the absolute path to a directory which
contains your profiles.
In either case, RCE creates the profile directory and its parents if they do not
exist. The range of valid profile names is mainly restricted by your OS's range of valid
directory names. We strongly recommend to restrict your profile names to the range of
printable ASCII characters. Furthermore, the profile name common is
reserved for internal use of RCE.
If you want to change the profile location permanently, you can do so by supplying the
commandline switch -p without a parameter. In this case, RCE starts with a
text-based profile selection UI which allows you to set a new location of the default
profile. We show this profile selection UI in the following figure.
Choosing the second option ("Select the default profile for future runs") will present a list of available profiles. On selection of one of these profiles, RCE will not be started using this profile, but instead the selected profile will be marked as the default profile for future runs. This selection is only stored for the current user and for the current installation location of RCE. Different users on the same machine can therefore configure different default profiles. Furthermore, different installations of RCE can have different default profiles configured.
Note
The Profile Selection UI will only display profiles if they have been started once with RCE 7.0 or newer.
No two instances of RCE may use the same profile simultaneously. Upon startup, RCE checks whether some other instance of RCE is already running which uses the given profile. In this case, RCE displays an error message stating that it "failed to lock profile directory" and shuts down. If you want to start multiple instances of RCE simultaneously on the same machine, you have to specify a different profile for each instance.
Example 2.1. Choosing the Profile Directory
Install RCE on some system that has not had RCE installed previously. For the sake
of this example, we assume the current user to be called rceuser and to have its home directory set to
/home/rceuser.
Start RCE without any parameters (i.e., via ./rce). RCE will use the profile /home/rceuser/.rce. Execute that command a second
time in a second terminal while the first instance is still running. Startup of RCE
will fail, since the profile is already used by the first instance of RCE.
Now execute the command ./rce -p
secondinstance in a second terminal. You will have two instances
of RCE running, one using the profile /home/rceuser/.rce/default, the other using the
profile /home/rceuser/.rce/secondinstance.
Finally, execute the command ./rce -p. RCE will offer you a list of profiles
that you have most recently used. Pick the profile secondinstance as
the default profile. If you now close all running instances of RCE and restart RCE
without any parameters (i.e., via ./rce),
RCE will start using the profile secondinstance.
As stated above, each profile contains the static configuration of RCE as well as its
integrated tools. The former is defined via the JSON-file
configuration.json. For an in-depth introduction to the JSON file
format, please refer to https://www.json.org/.
The file configuration.json is located in the root of the profile directory,
while the integrated tools are defined in the directory integration and its
subdirectories.
To change the static configuration of RCE, change the contents of the file configuration.json and restart RCE. You can either change the contents of this file manually using your favorite text editor, or from the GUI of RCE via the toolbar or the menu entry Configuration.
Note
Recall that RCE only parses its configuration during startup. Thus, if you
change the contents of the file configuration.json, you have to
restart RCE to apply these changes.
Configuration parameters are grouped within the configuration file. The configuration parameters are listed below. There is one list per JSON configuration group. Some example snippets are given as well. The complete example configurations can be found in the installation data directory in the sub-directory examples/configuration or by opening the configuration information in RCE.
Table 2.2. "general"
| Configuration key | Comment | Default value |
|---|---|---|
| instanceName | The name of the instance that will be shown to all users in the RCE
network. The following placeholders can be used within the instance name:
Example: "Default instance started by \"${systemUser}\" on ${hostName}". | "<unnamed instance>" |
| isWorkflowHost | If set to true, the local instance can be used as a workflow host by other RCE instances. I.e., the workflow controller can be set to this instance and the workflow data is stored there as well. | false |
| isRelay |
If set to true, the local node will merge all connected nodes into a single network, and forward messages between them. This behaviour is transitive; if a relay node connects to another relay node, both networks will effectively merge into one. If set to false (the default value), the local node can connect to multiple networks at once without causing them to merge. | false |
| tempDirectory | Can be used to override the default path where RCE stores temporary files. Useful if there is little space in the default temp file location. Must be an absolute path to an existing directory, and the path must not contain spaces (to prevent problems with tools accessing such directories). The placeholder ${systemUser} can be used for path construction, e.g. "/tmp/custom-temp-directory/${systemUser}" | An "rce-temp" subdirectory within the user or system temp directory. |
| enableDeprecatedInputTab | If set to true the tab 'Inputs' is enabled again in the properties view of running workflows. It is disabled by default due to robustness and memory issues. It is recommended to use the 'Workflow Data Browser' to see inputs received and outputs sent. | false |
Table 2.3. "backgroundMonitoring"
| Configuration key | Comment | Default value |
|---|---|---|
| enabledIds | Comma-separated list of identifiers referring to certain kind of monitoring data that should be logged continuously in the background. Currently, only 'basic_system_data' is supported. | |
| intervalSeconds | Logging interval | 10 |
Table 2.4. "network"
| Configuration key | Comment | Default value |
|---|---|---|
| requestTimeoutMsec | The timeout (in milliseconds) for network requests that are made by the local node. If this time expires before a response is received, the request fails. | 40000 |
| forwardingTimeout Msec | The timeout (in milliseconds) for network requests that are forwarded by the local node on behalf of another node. If this time expires before a response is received, an error response is sent back to the node that made the request. | 35000 |
| connections | A map of all connections that the local instance tries to establish on startup. This allows the local instance to act as a client. For each connection a unique identifier (id) must be given. | {} (an empty map in JSON format) |
| connections/[id]/host | IP address of the host to connect to. Host names and IPv4 addresses are permitted. | - |
| connections/[id]/port | Port number of the remote RCE instance. | - |
| connections/[id]/connectOnStartup | If set to true, the connection is immediately established on startup. | true |
| connections/[id]/autoRetryInitialDelay | The initial delay, in seconds, to wait after a failed or broken connection before a reconnect attempt is made. This configuration must be present to enable the auto-reconnect feature. | - |
| connections/[id]/autoRetryDelayMultiplier | A decimal-point value >= 1 that the delay time is multiplied with after each consecutive connection failure. This provides an "exponential backoff" feature that reduces the frequency of connection attempts over time. This configuration must be present to enable the auto-reconnect feature. | - |
| connections/[id]/autoRetryMaximumDelay | Defines an upper limit for the delay time, even when applying the multiplier would create a higher value. This can be used to maintain a minimum frequency for retrying the connection. This configuration must be present to enable the auto-reconnect feature. | - |
| serverPorts | A map of all server ports that the local instance registers for other instances to connect to. This allows the local instance to act as a server. For each server port a unique identifier (id) must be given. | {} (an empty map in JSON format) |
| serverPorts/[id]/ip | The IP address for other instances to connect to. | - |
| serverPorts/[id]/port | The IP port number (1024-65535) for other instances to connect to. | - |
| ipFilter | Allows to limit the incoming connections to a set of IP addresses. | - |
| ipFilter/enabled | If set to true, the ip filter active. | false |
| ipFilter/allowedIPs | List of IP addresses, which are allowed to connect to the instance. | [] (an empty list in JSON format) |
Note
IMPORTANT: When setting up a network of RCE instances, keep in mind that the RCE network traffic is currently not encrypted. This means that it is not secure to expose RCE server ports to untrusted networks like the internet. When setting up RCE connections between different locations, make sure that they either connect across a secure network (e.g. your institution's internal network), or that the connection is secured by other means, like SSH tunneling or a VPN. Alternatively, you can set up an uplink connection in RCE instead of the standard RCE connections.
Network Server Sample:
"network" : {
"serverPorts" : {
"relayPort1" : {
"ip" : "127.0.0.1",
"port" : 21000
}
},
"ipFilter" : {
"enabled" : false,
"allowedIPs" : [
"127.0.0.1",
"127.0.0.2"
]
}
}
Network Client Sample:
"network" : {
"connections" : {
"exampleConnection1" : {
"host" : "127.0.0.1",
"port" : 21000,
"connectOnStartup": false,
"autoRetryInitialDelay" : 5,
"autoRetryMaximumDelay" : 300,
"autoRetryDelayMultiplier" : 1.5
}
}
}
Table 2.5. "componentSettings"
| Configuration key | Comment | Default value |
|---|---|---|
| de.rcenvironment. cluster | Configuration of the cluster workflow component. | - |
| de.rcenvironment. cluster/maxChannels | Maximum number of channels, which are allowed to be opened in parallel to the cluster server. | 8 |
Table 2.6. "thirdPartyIntegration"
| Configuration key | Comment | Default value |
|---|---|---|
| tiglViewer | Configuration of the external TiGL Viewer application integration. This needs to be configured to enable RCE´s TiGL Viewer view and thus, the TiGL Viewer workflow component. Note:TiGL Viewer must be downloaded and installed separately. | - |
| tiglViewer/binaryPath | The path to the TiGL Viewer executable file. Must be an absolute path. | - |
| tiglViewer/startupTimeoutSeconds | The timeout in seconds, to wait for the external TiGL viewer application to start and determine its process id. | 10 |
| tiglViewer/embedWindow | If set to false, the external TiGL Viewer application Window will not be embeded into RCE´s TiGL Viewer view. | true |
| python | Configuration of a external Python installation. This needs to be configured to enable Python script language for the Script Component. Note: Python must be downloaded and installed separately. | - |
| python/binaryPath | The path to a local python installation. This needs to be configured to enable Python script language for the Script Component | - |
Third Party integration Python path example:
"thirdPartyIntegration": {
"python":{
"binaryPath": "/path/to/python/executable"
}
}
Table 2.7. "sshServer"
| Configuration key | Comment | Default value |
|---|---|---|
| enabled | If set to true the local instance acts as an SSH server. | false |
| ip (deprecated alias: "host") | The host's ip address to bind to. If you want to make the SSH server accessible from remote, you should set this to the IP of the machine's external network interface. Alternatively, you can set this to "0.0.0.0" to listen on all available IPv4 addresses, if this is appropriate in your network setup. | 127.0.0.1 |
| port | The IP port number (1024-65535) for SSH or Uplink clients to connect to. | - |
| idleTimeoutSeconds | The time to keep an idle SSH connection alive, in seconds. For typical SSH usage, the default value is usually sufficient. Higher values are, for example, needed when invoking long-running tools using the SSH Remote Access feature. | 10 |
| accounts | A map of accounts. For each account a unique identifier (account name) must be given. | {} (an empty map in JSON format) |
| [account name]/passwordHash | The hashed password for the account, if password authentication is used. If the SSH account is configured using the configuration UI, the hash is automatically computed and stored here. | - |
| [account name]/password (deprecated) | The password for the account. SSH passwords can also be configured as plain text, which is however not recommended. To prevent misuse of the configured login data, any configuration file with SSH accounts must be secured against unauthorized reading (e.g. by setting restrictive filesystem permissions). A more secure alternative is to just store the password hash. | - |
| [account name]/publicKey | The public key for the account, if keyfile authentication is used. Only RSA keys in the OpenSSH format are supported. The public key has to be entered here in the OpenSSH format (a string starting with "ssh-rsa", like it is used for example in authorized_keys files). Only applicable on RCE version 7.1 or newer. | - |
| [account name]/role | The role of the account. See next table for a list of the possible roles. | - |
| [account name]/enabled | If set to true, the account is enabled. | true |
SSH Server Sample:
"sshServer" : {
"enabled" : true,
"ip" : "127.0.0.1",
"port" : 31005,
"accounts" : {
"ra_demo" : {
// hashed form of the "ra_demo" test password; DO NOT reuse this for live accounts!
"passwordHash" : "$2a$10$qxCBuEvq0xWoOlox2dVbCu8zCYsyxQMBe5SAnS2HId0uaEp59aAu2",
"role" : "remote_access_user",
"enabled" : true
}
}
}
Table 2.8. Possible roles for SSH accounts
| Role name | Allowed commands |
|---|---|
| uplink_client (Standard role for using Uplink connections) | Cannot open a command shell or run any commands |
| remote_access_user (Standard role for using SSH remote access tools and workflows) | ra|sysmon (can use Uplink connections) |
| remote access (backwards compatibility alias for remote_access_user) | ra|sysmon (can use Uplink connections) |
| remote_access_admin | ra|ra-admin|sysmon|components |
| workflow_observer | components|net info|sysmon|wf list|wf details |
| workflow_admin | components|net info|sysmon|wf |
| local_admin | cn|components|mail|net|restart|shutdown|stop|stats|tasks|auth |
| instance_management_admin | im|net info|auth |
| instance_management_delegate_user | cn|components|net|restart|shutdown|stop|stats|tasks|wf|ra-admin|auth |
| developer | <all> |
Table 2.9. "uplink"
| Configuration key | Comment | Default value |
|---|---|---|
| uplinkConnections | A map of Uplink connections.This allows the local instance to act as an Uplink client. For each connection a unique identifier (id) must be given. | {} (an empty map in JSON format) |
| uplinkConnections/[id]/displayName | The name for the connection that will be shown in the network view. | - |
| uplinkConnections/[id]/host | The remote RCE instance (Uplink relay) to connect to. Host names and IPv4 addresses are permitted. | - |
| uplinkConnections/[id]/port | Port number of the remote RCE instance. | - |
| uplinkConnections/[id]/loginName | The login name for authentication. | - |
| uplinkConnections/[id]/keyfileLocation | Path to the private key file, if keyfile authentication is used. Only RSA keys in the OpenSSH format are supported. | - |
| uplinkConnections/[id]/noPassphrase | This option should only be set if a private key that requires no passphrase is used for authentication. If set to true, RCE does not ask for a passphrase before connecting. | false |
| uplinkConnections/[id]/clientID | If other RCE instances use the same account to connect to the relay, you have to set a unique client ID here (max. 8 characters) | default |
| uplinkConnections/[id]/isGateway | If set to true, this instance will act as an Uplink gateway (see chapter Section 3.5.2, “Uplink Connections” for further information) | false |
| uplinkConnections/[id]/connectOnStartup | If set to true, the connection is immediately established on startup. (Only possible when the password is stored.) | false |
| uplinkConnections/[id]/autoRetry | If set to true, RCE will try to automatically reconnect the connection (every 5 seconds) if it can not be established or is lost of a network error. (Only possible when the password is stored in the secure store.) | false |
Uplink Connection Sample:
"uplink" : {
"uplinkConnections" : {
"exampleUplinkConnectionID" : {
"displayName" : "example",
"clientID": "client1",
"host" : "127.0.0.1",
"port" : 31005,
"connectOnStartup": false,
"autoRetry" : false,
"isGateway" : false,
"loginName" : "ra_demo"
//The passphrase is not stored here, it has to be entered when connecting.
}
}
}
Table 2.10. "sshRemoteAccess"
| Configuration key | Comment | Default value |
|---|---|---|
| sshConnections | A map of SSH connections.This allows the local instance to act as a SSH remote access client. For each connection a unique identifier (id) must be given. | {} (an empty map in JSON format) |
| sshConnections/[id]/displayName | The name for the connection that will be shown in the network view. | - |
| sshConnections/[id]/host | The remote RCE instance to connect to. Host names and IPv4 addresses are permitted. | - |
| sshConnections/[id]/port | Port number of the remote RCE instance. | - |
| sshConnections/[id]/loginName | The login name for authentication. | - |
| sshConnections/[id]/keyfileLocation | Path to the private key file, if keyfile authentication is used. Only RSA keys in the OpenSSH format are supported. | - |
| sshConnections/[id]/noPassphrase | This option should only be set if a private key that requires no passphrase is used for authentication. If set to true, RCE does not ask for a passphrase before connecting. | false |
| sshConnections/[id]/connectOnStartup | If set to true, the connection is immediately established on startup. (Only possible when the password is stored in the secure store.) | false |
| sshConnections/[id]/autoRetry | If set to true, RCE will try to automatically reconnect the connection (every 10 seconds) if it can not be established or is lost of a network error. (Only possible when the password is stored in the secure store.) | false |
Remote Access Connection Sample
"sshRemoteAccess" : {
"sshConnections" : {
"exampleSSHConnection" : {
"displayName" : "example",
"host" : "127.0.0.1",
"port" : 31005,
"connectOnStartup": false,
"autoRetry" : false,
"loginName" : "ra_demo"
//The passphrase is not stored here, it has to be entered when connecting.
}
}
}
Table 2.11. "smtpServer"
| Configuration key | Comment | Default value |
|---|---|---|
| host | The IP address or hostname of the SMTP server, which should be used for mail delivery. | - |
| port | Port number of the SMTP server. | - |
| encryption | Can either be "explicit" or "implicit". Select "implicit" if you want to connect to the SMTP server using SSL/TLS. Select "explicit" if you want to connect to the SMTP server using STARTTLS. Unencrypted connections are not permitted. | - |
| username | The login name for authentication. | - |
| password | The obfuscated password for authentication. Plaintext password cannot be used here. To create the obfuscated password from the plaintext password, you need to use the Configuration UI described in Section 2.2.4, “Configuration UI” | - |
| sender | Email address, which should be displayed as the sender in the sent email. | - |
Note
The used SMTP server needs to be configured using the Configuration UI described in Section 2.2.4.2, “Mail: SMTP server configuration”, since the password needs to be obfuscated.
If you want to configure SSH accounts with passphrases or you want to configure e-mail support for the instance, you need to use the Configuration UI. You can access the interactive tool by executing RCE from the command line with the option "rce --configure" or by using the "Launch Configuration UI" script in the "extras" folder of your RCE installation directory.
If the RCE instance shall act as a SSH server, you can configure SSH accounts using the Configuration UI, which encrypts the SSH passwords before storing them in the configuration file.
Note
All SSH accounts configured with this tool initially have the role "remote_access_user", which allows to execute commands needed for remote access on tools and workflows. If you want to change the role of an SSH account, you can do this by editing the configuration file manually (see Table 2.8, “Possible roles for SSH accounts” ).
If you use the tool output verification (cf. Section 3.3.8, “Manual Tool Result Verification”) and want RCE to send the verification key via email, you need to configure an SMTP server. RCE does not send e-mails directly to the recipient, but instead sends the e-mails to an SMTP server, which delivers them to the recipient. You need to use the Configuration UI to configure such an SMTP server, since the password used for authentication needs to be obfuscated before it is stored in the configuration file. The SMTP server parameters that need to be configured are described in more detail in Table 2.11, “"smtpServer"”
Note
Due to a known bug on Windows system with a German keyboard layout, the Configuration UI inserts the characters "q@" into a text field if you want to insert the @ sign. You can manually remove the additional character "q".
There are currently two categories of authorization data that should not be simply written into configuration files for security reasons: SSH login passwords and keyfile passphrases, and RCE authorization group keys (the "export/import" strings). To support scenarios where interactive entry is not possible, for example daemon/service installations, a file-based import mechanism is provided as well.
The general usage is the same for all kinds of import data:
-
Locate the folder of the profile that you want to import into.
-
If it does not exist yet, create a folder "
import" within that profile directory. -
Within this "
import" folder, create the sub-folder mentioned in the specific description below; for example, "auth-group-keys". -
To perform an import, create a file inside this specific sub-folder and edit it, or copy a file that you already prepared into that folder. These files are referred to as "import files". The filenames and contents to use for them are described in the specific sections below.
-
Once you have created or copied all import files that you want to processs, (re)start RCE. Currently, all import file processing is done on startup. (Note: Future versions of RCE may be expanded to also detect and process new import files without a restart.)
-
If a file has been successfully imported, it is deleted to minimize the time that it is present in the filesystem (for security), and to prevent it from being processed again on every RCE start. Make sure that this file is not the only reference to the authorization data that you have!
This section focusses on importing or deleting already defined authorization groups via their group keys. Creating groups is explained in Section 3.6, “Tool publishing and authorization”.
-
Group key import files must be placed in
<profile>/import/auth-group-keys/. -
For group keys, the import files can have any name. For each key you wish to import a single file is required.
-
The import file's content must be the group import string; it should look similar to "
MyGroupName:23b0ad9043a39496:1:1K6D5C9BKYu[...]sSMLlj0Tg". -
Deleting groups is also supported. To delete a group, write "
delete" into the file, followed by the full id (name + random part) of the group you want to delete. For convenience, you can also use the full import string as used above. For example, if you wanted to delete the group mentioned above, either of these contents would work:-
"
delete MyGroupName:23b0ad9043a39496" -
"
delete MyGroupName:23b0ad9043a39496:1:1K6D5C9BKYu[...]sSMLlj0Tg"
-
-
After successful import or deletion of a group key, the file is deleted from the profile folder.
-
Uplink password/passphrase import files must be placed in
<profile>/import/uplink-pws/. -
The names of the import files are relevant: These must be the "connection id" used in the Uplink connection configuration. This id is the string right in front of the the part outside of the connection's configuration block (e.g.
"myConnection" : { ...<connection settings>... }). For convenience on Windows, a ".txt" extension can be added to this filename; this will be cut away by the importer. -
The content of the files is the password or keyfile passphrase.
-
When the profile is launched, the password or keyfile passphrase is imported into RCE's secure storage and the import files are deleted to mitigate potential security risks.
-
As this is never actually needed, deleting passwords is not directly supported. If you have imported a password/passphrase you would rather remove from RCE's secure storage, simply import a dummy password for the same connection id. This will overwrite and erase the previous data.
-
Uplink password/passphrase import files must be placed in
<profile>/import/ra-pws/. -
The names of the import files are relevant: These must be the "connection id" used in the Remote Access connection configuration. This id is the string right in front of the the part outside of the connection's configuration block (e.g.
"myConnection" : { ...<connection settings>... }). For convenience on Windows, a ".txt" extension can be added to this filename; this will be cut away by the importer. -
The content of the files is the password or keyfile passphrase.
-
When the profile is launched, the password or keyfile passphrase is imported into RCE's secure storage and the import files are deleted to mitigate potential security risks.
-
As this is never actually needed, deleting passwords is not directly supported. If you have imported a password/passphrase you would rather remove from RCE's secure storage, simply import a dummy password for the same connection id. This will overwrite and erase the previous data.