AWS Mainframe Modernization Service (Managed Runtime Environment experience) is no longer open to new customers. For capabilities similar to AWS Mainframe Modernization Service (Managed Runtime Environment experience) explore AWS Mainframe Modernization Service (Self-Managed Experience). Existing customers can continue to use the service as normal. For more information, see [AWS Mainframe Modernization availability change](https://docs.aws.amazon.com/m2/latest/userguide/mainframe-modernization-availability-change.html).

# Set up Rocket Software (formerly Micro Focus) (on Amazon EC2)
Set up Rocket Software (on Amazon EC2)

AWS Mainframe Modernization provides several Amazon Machine Images (AMIs) that include Rocket Software (formerly Micro Focus) licensed products. These AMIs allow you to quickly provision Amazon Elastic Compute Cloud (Amazon EC2) instances to support Rocket Software environments that you control and manage. This topic provides the steps required to access and launch these AMIs. Using these AMIs is entirely optional and they are not required to complete the tutorials in this user guide.

**Topics**
+ [

# Prerequisites for setting up Rocket Software (formerly Micro Focus) (on Amazon EC2)
](mf-runtime-setup-prereq.md)
+ [

# Create the Amazon VPC endpoint for Amazon S3
](mf-runtime-setup-vpc.md)
+ [

# Request the allowlist update for the account
](mf-runtime-setup-allowlist.md)
+ [

# Create the AWS Identity and Access Management role
](mf-runtime-setup-iam-role.md)
+ [

# Grant License Manager the required permissions
](mf-runtime-setup-lic.md)
+ [

# Subscribe to the Amazon Machine Images
](mf-runtime-setup-ami.md)
+ [

# Launch an AWS Mainframe Modernization Rocket Software (formerly Micro Focus) instance
](mf-runtime-setup-mf-instance.md)
+ [

# Subnet or VPC with no internet access
](mf-runtime-setup-no-access.md)

# Prerequisites for setting up Rocket Software (formerly Micro Focus) (on Amazon EC2)
Rocket Software (on Amazon EC2) prerequisites

When you set up Rocket Software (on Amazon EC2), make sure you meet the following prerequisites.
+ Administrator access to the account where the Amazon EC2 instances will be created.
+ Identify the AWS Region where the Amazon EC2 instances will be created and verify the AWS Mainframe Modernization service is available. See [AWS Services by Region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). Make sure to choose a Region where the service is available.
+ Identify the Amazon Virtual Private Cloud (Amazon VPC) where the Amazon EC2 instances will be created.

# Create the Amazon VPC endpoint for Amazon S3


In this section, you create a Amazon VPC endpoint for Amazon S3 to use. Setting up this endpoint will help you later when setting up internet access for VPC. 

1. Navigate to Amazon VPC in the AWS Management Console.

1. In the navigation pane, choose **Endpoints**.

1. Choose **Create endpoint**.  
![\[VPC endpoints with Create Endpoint active.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-s3-endpoint_1.jpg)

1. Enter a meaningful name tag, for example: “Micro-Focus-License-S3”.

1. Choose **AWS Services** as the Service Category.  
![\[Endpoint Settings with sample name tag entered.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-s3-endpoint_2.png)

1. Under **Services** search for the Amazon S3 Gateway service: **com.amazonaws.[region].s3**.

   For `us-west-1` this would be: `com.amazonaws.us-west-1.s3`.

1. Choose the **Gateway** service.  
![\[Services with Amazon S3 Gateway service selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-s3-endpoint_3.png)

1. For VPC choose the VPC you will be using.  
![\[VPC with a VPC entered.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-s3-endpoint_4.png)

1. Choose all of the route tables for the VPC.  
![\[Route tables with all route tables selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-s3-endpoint_5.png)

1. Under **Policy** choose **Full Access**.  
![\[Policy with Full Access selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-s3-endpoint_6.png)
**Note**  
If you decide to create a custom policy, make sure it has access to the Amazon S3 bucket `s3://aws-supernova-marketplace-<region>-prod`.

1. Choose **Create Endpoint**.

# Request the allowlist update for the account


Work with your AWS representative to have your account allowlisted for the AWS Mainframe Modernization AMIs. Please provide the following information:
+ The AWS account ID.
+ The AWS Region where the Amazon VPC endpoint was created.
+ The Amazon VPC Amazon S3 endpoint ID created in [Create the Amazon VPC endpoint for Amazon S3](mf-runtime-setup-vpc.md). This is the `vpce-xxxxxxxxxxxxxxxxx` id for the **com.amazonaws.[region].s3 Gateway** endpoint.
+ The number of licenses required across all Rocket Software Enterprise Suite AMI Amazon EC2 instances.

  One license is required per CPU core (per 2 vCPUs for most Amazon EC2 instances).

  For more information, see [Optimize CPU options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html#cpu-options-compute-optimized).

  The requested number can be adjusted in the future by AWS.

**Note**  
Reach out to your AWS representative or AWS Support who will open the support ticket for the Allowlist request on your behalf. It can't be requested directly by you and the request may take several days to complete.

# Create the AWS Identity and Access Management role


Create an AWS Identity and Access Management policy and role to be used by the AWS Mainframe Modernization Amazon EC2 instances. Creating the role through the IAM console will create an associated instance profile of the same name. Assigning this instance profile to the Amazon EC2 instances allows Rocket Software Licenses to be assigned. For more information on instance profiles, see [Using an IAM role to grant permissions to applications running on Amazon EC2 instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html).

## Create an IAM policy


An IAM policy is created first and then attached to the role.

1. Navigate to AWS Identity and Access Management in the AWS Management Console.

1. Choose **Policies** and then **Create Policy**.  
![\[Policy page with no filters applied.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-policy_1.png)

1. Choose the **JSON** tab.  
![\[JSON tab with no content\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-policy_2.png)

1. Replace `us-west-1` in the following JSON with the AWS Region where the Amazon S3 endpoint was defined, then copy and paste the JSON into the policy editor.

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Sid": "S3WriteObject",
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject"
               ],
               "Resource": [
                   "arn:aws:s3:::aws-supernova-marketplace-us-west-1-prod/*"
               ]
           },
           {
               "Sid": "OtherRequiredActions",
               "Effect": "Allow",
               "Action": [
                   "sts:GetCallerIdentity",
                   "ec2:DescribeInstances",
                   "license-manager:ListReceivedLicenses"
               ],
               "Resource": [
                   "*"
               ]
           }
       ]
   }
   ```

------
**Note**  
The Actions under the Sid `OtherRequiredActions` do not support resource-level permissions and must specify `*` in the resource element.  
![\[JSON tab with policy entered and us-west-1 highlighted.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-policy_3.png)

1. Choose **Next: Tags**.  
![\[Tags with no data entered.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-policy_4.png)

1. Optionally enter any tags, then choose **Next: Review**.

1. Enter a name for the policy, for example “Micro-Focus-Licensing-policy”. Optionally enter a description, for example “A role that includes this policy must be attached to each AWS Mainframe Modernization Amazon EC2 instance.”  
![\[Review policy with name and description entered.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-policy_5.png)

1. Choose **Create Policy**.

## Create the IAM role


After creating an IAM policy, you create an IAM role and attach it to the policy. 

1. Navigate to IAM in the AWS Management Console.

1. Choose **Roles** and then **Create Role**.  
![\[Roles with no filter applied.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-role_1.png)

1. Leave **Trusted entity type** as **AWS service** and choose the **EC2** common use case.  
![\[Select trusted entity with AWS service and EC2 selected\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-role_2.png)

1. Choose **Next**.

1. Enter “Micro” into the filter and press enter to apply the filter.

1. Choose the policy that was just created, for example the “Micro-Focus-Licensing-policy”. 

1. Choose **Next**.  
![\[Add permissions with Micro Focus policy selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-role_3.png)

1. Enter the Role name, for example “Micro-Focus-Licensing-role”. 

1. Replace the description with one of your own, for example “Allows Amazon EC2 instances with this role to obtain Micro Focus Licenses”.   
![\[Role details with name and description entered.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-role_4.png)

1. Under **Step 1: Select trusted entities** review the JSON and confirm it has the following values:

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "sts:AssumeRole"
               ],
               "Principal": {
                   "Service": [
                       "ec2.amazonaws.com"
                   ]
               }
           }
       ]
   }
   ```

------
**Note**  
The order of the Effect, Action, and Principal are not significant.

1. Confirm that **Step 2: Add permissions** shows your Licensing policy.  
![\[Step 2: Add permissions with licensing policy selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-create-iam-role_6.png)

1. Choose **Create role**.

After the allowlist request is complete, continue with the following steps.

# Grant License Manager the required permissions


You need to grant permissions to your AWS License Manager to set up Rocket Software runtime engine (on Amazon EC2).

1. Navigate to AWS License Manager in the AWS Management Console.  
![\[AWS License Manager home page.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-license-manager_1.png)

1. Choose **Start using AWS License Manager**.

1. If you see the following pop-up, view the details, then choose the check-box and press **Grant Permissions**.  
![\[IAM permissions one-time setup\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-license-manager_2.png)

# Subscribe to the Amazon Machine Images


After you are subscribed to an AWS Marketplace product, you can launch an instance from the product's AMI. You can also manage your subscribed AMIs when setting up Rocket Software (formerly Micro Focus) runtime engine (on Amazon EC2).

1. Navigate to AWS Marketplace Subscriptions in the AWS Management Console.

1. Choose **Manage subscriptions**.  
![\[AWS Marketplace home page.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-ami-subscription_1.png)

1. Copy and paste one of the following links into the browser address bar.
**Note**  
Only choose a link for one of the products you have been authorized to use.
Make sure your account is allowlisted by following the [Request the allowlist update for the account](mf-runtime-setup-allowlist.md) page to use these links.
   + Enterprise Server: [https://aws.amazon.com/marketplace/pp/prodview-g5emev63l7blc](https://aws.amazon.com/marketplace/pp/prodview-g5emev63l7blc)
   + Enterprise Server for Windows: [https://aws.amazon.com/marketplace/pp/prodview-lwybsiyikbhc2](https://aws.amazon.com/marketplace/pp/prodview-lwybsiyikbhc2)
   + Enterprise Developer: [https://aws.amazon.com/marketplace/pp/prodview-77qmpr42yzxwk](https://aws.amazon.com/marketplace/pp/prodview-77qmpr42yzxwk)
   + Enterprise Developer with Visual Studio 2022: [https://aws.amazon.com/marketplace/pp/prodview-m4l3lqiszo6cm](https://aws.amazon.com/marketplace/pp/prodview-m4l3lqiszo6cm)
   + Enterprise Analyzer: [https://aws.amazon.com/marketplace/pp/prodview-tttheylcmcihm](https://aws.amazon.com/marketplace/pp/prodview-tttheylcmcihm)
   + Enterprise Build Tools for Windows: [https://aws.amazon.com/marketplace/pp/prodview-2rw35bbt6uozi](https://aws.amazon.com/marketplace/pp/prodview-2rw35bbt6uozi)
   + Enterprise Stored Procedures: [https://aws.amazon.com/marketplace/pp/prodview-zoeyqnsdsj6ha](https://aws.amazon.com/marketplace/pp/prodview-zoeyqnsdsj6ha)
   + Enterprise Stored Procedures with SQL Server 2019: [https://aws.amazon.com/marketplace/pp/prodview-ynfklquwubnz4](https://aws.amazon.com/marketplace/pp/prodview-ynfklquwubnz4)

1. Choose **Continue to Subscribe**.  
![\[Enterprise Server offering in AWS Marketplace.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-ami-subscription_2.png)

1. If the Terms and Conditions are acceptable, choose **Accept Terms**.  
![\[Subscription terms and conditions.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-ami-subscription_3.png)

1. The subscription might take a few minutes to process.  
![\[Subscription pending message.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-ami-subscription_4.png)

1. After the Thank you message shows, copy and paste the next link from step 3 to continue adding subscriptions.  
![\[Subscription thank you message.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-ami-subscription_5.png)

1. Stop when **Manage subscriptions** shows all your subscribed AMIs.
**Note**  
The panel preferences (gear icon) are set to show the View as a Table.  

![\[Manage subscriptions with list of subscribed AMIs.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-ami-subscription_6.png)


# Launch an AWS Mainframe Modernization Rocket Software (formerly Micro Focus) instance
Launch a Rocket Software instance

After creating endpoints, IAM policy, IAM role, and subscribing to AMIs, you are ready to launch an AWS Mainframe Modernization Rocket Software (Micro Focus) instance in the AWS Management Console.

1. Navigate to AWS Marketplace Subscriptions in the AWS Management Console.

1. Locate the AMI to be launched and choose **Launch New Instance**.  
![\[Manage subscriptions with Enterprise Server and Enterprise Analyzer ready to launch.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-launch-instance_1.png)

1. In the launch new instance dialog, ensure the allowlisted region is selected.

1. Press **Continue to launch through EC2**.
**Note**  
The following example shows a launch of an Enterprise Developer AMI, but the process is the same for all the AWS Mainframe Modernization AMIs.  

![\[Launch new instance.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-launch-instance_2.png)


1. Enter a name for the server.

1. Choose an instance type.

   The Instance type selected should be determined by the project performance and cost requirements. The following are suggested starting points:
   + For Enterprise Analyzer, an r6i.xlarge
   + For Enterprise Developer, an r6i.large
   + For a standalone instance of Enterprise Server, an r6i.xlarge
   + For Rocket Software Performance Availability Cluster (PAC) with scale-out, an r6i.large
**Note**  
The Application and OS Images section has been collapsed for the screen shot.  
![\[Launch an instance with name and instance type entered.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-launch-instance_3.png)

1. Choose or create (and save) a key-pair (not shown).

   For more information on key pairs for Linux instances, see [Amazon EC2 key pairs and Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

   For more information on key pairs for Windows instances, see [Amazon EC2 key pairs and Windows instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html).

1. Edit the Network settings and **choose the allowlisted VPC** and appropriate Subnet.

1. **Choose or create a Security Group**. If this is an Enterprise Server EC2 instance it is typical to allow TCP traffic to ports 86 and 10086 to administer the Rocket Software configuration.

1. Optionally configure the storage for the Amazon EC2 instance.

1. Important - Expand Advanced details and under IAM instance profile choose the Licensing role created earlier, for example “Micro-Focus-Licensing-role”.
**Note**  
If this step is missed, after the instance is created you can modify the IAM role from the Security option of the Action menu for the EC2 instance.  
![\[Advanced Details with IAM instance profile entered.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-launch-instance_4.png)

1. Review the Summary and push **Launch Instance**.  
![\[Summary with selected options.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-launch-instance_5.png)

1. The instance launch will fail if an invalid virtual server type is chosen.

   If this happens, choose **Edit instance config** and change the instance type.  
![\[Launching instance progress message.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-launch-instance_6.png)

1. Once the “Success” message is shown choose **Connect to instance** to get connection details.  
![\[Instance launch success message.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-launch-instance_7.png)

1. Alternatively, navigate to **EC2** in the AWS Management Console.

1. Choose **Instances** to see the status of the new instance.  
![\[List of instances with status.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-launch-instance_8.png)

# Subnet or VPC with no internet access


Make these additional changes if the subnet or VPC does not have outbound Internet access.

The license manager requires access to the following AWS services:
+ com.amazonaws.*region*.s3
+ com.amazonaws.*region*.ec2
+ com.amazonaws.*region*.license-manager
+ com.amazonaws.*region*.sts

The earlier steps defined the com.amazonaws.*region*.s3 service as a gateway endpoint. This endpoint needs a route table entry for any subnets without Internet access.

The additional three services will be defined as interface endpoints.

**Topics**
+ [

## Add the Route table entry for the Amazon S3 endpoint
](#mf-runtime-setup-no-access-route-table)
+ [

## Define the required security group
](#mf-runtime-setup-no-access-security-group)
+ [

## Create the service endpoints
](#mf-runtime-setup-no-access-endpoints)

## Add the Route table entry for the Amazon S3 endpoint


1. Navigate to **VPC** in the AWS Management Console and choose **Subnets**.

1. Choose the subnet where the Amazon EC2 instances will be created and choose the Route Table tab.

1. Note a few trailing digits of the Route table id. For example, the 6b39 in the image below.  
![\[Route table details.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_1.png)

1. Choose **Endpoints** from the navigation pane.

1. Choose the endpoint created earlier and then **Manage Route tables**, either from the Route Tables tab for the endpoint, or from the Actions drop down.

1. Choose the Route table using the digits identified earlier and press Modify route tables.  
![\[Route table selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_2.png)

## Define the required security group


The Amazon EC2, AWS STS, and License Manager services communicate over HTTPS via port 443. This communication is bi-directional and requires inbound and outbound rules to allow the instance to communicate with the services.

1. Navigate to Amazon VPC in the AWS Management Console.

1. Locate **Security Groups** in the navigation bar and choose **Create security group**.

1. Enter a Security group name and description, for example “Inbound-Outbound HTTPS”.

1. Press the X in the VPC selection area to **remove the default VPC**, and choose the VPC that contains the S3 endpoint.

1. Add an Inbound Rule that **allows TCP traffic on Port 443** from anywhere.
**Note**  
The inbound (and outbound rules) can be restricted further by limiting the Source. For more information, see [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in the *Amazon VPC User Guide*.  

![\[Basic details with inbound rule entered.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_3.png)


1. Press **Create security group**.

## Create the service endpoints


Repeat this process three times – once for each service.

1. Navigate to Amazon VPC in the AWS Management Console and choose **Endpoints**.

1. Press **Create endpoint**.

1. Enter a name, for example “Micro-Focus-License-EC2”, “Micro-Focus-License-STS”, or “Micro-Focus-License-Manager”.

1. Choose the **AWS Services** Service Category.  
![\[Endpoint settings with AWS services selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_4.png)

1. Under Services search for the matching Interface service which is one of:
   + “com.amazonaws.*region*.ec2”
   + “com.amazonaws.*region*.sts”
   + “com.amazonaws.*region*.license-manager”

   For example:
   + “com.amazonaws.us-west-1.ec2”
   + “com.amazonaws.us-west-1.sts”
   + “com.amazonaws.us-west-1.license-manager”

1. Choose the matching Interface service.

   **com.amazonaws.*region*.ec2**:  
![\[Services with Amazon EC2 interface service selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_5.png)

   **com.amazonaws.*region*.sts:**  
![\[Services with AWS STS interface service selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_6.png)

   **com.amazonaws.*region*.license-manager:**  
![\[Services with License Manager interface service selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_7.png)

1. For VPC choose the VPC for the instance.  
![\[VPC with the VPC for the instance selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_8.png)

1. Choose the **Availability Zone** and the **Subnets** for the VPC.  
![\[Subnets with availability zone and subnet for the VPC selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_9.png)

1. Choose the Security Group created earlier.  
![\[Security groups with security group selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_10.png)

1. Under Policy choose **Full Access**.  
![\[Policy with Full Access selected.\]](http://docs.aws.amazon.com/m2/latest/userguide/images/mf-no-internet_11.png)

1. Choose **Create Endpoint**.

1. Repeat this process for the remaining interfaces.