Protecting JES2 NODES In Top Secret Per IBM Health Checker Recommendations

Article ID: 109756

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

IBM Health Checker issues the following recommendations regarding JES2:

One of the low/medium severity errors reported is:

CHECK(IBMJES,JES_NJE_SECURITY) SYSPLEX: xxxxxxx SYSTEM: ssss
START TIME: 07/17/2018 07:46:13.759168 CHECK DATE: 20170201 CHECK SEVERITY:
MEDIUM-DYNAMIC CHECK PARM: NJEEXEC(IRRNJECK) 
IAZH403I Error encountered trying to determine the list of trusted nodes, IRRNJECK RC=32
Information for Non-Trusted Nodes
Node Issue Message 
nn NODE has no PASSWORD and specified SIGNON=COMPAT 
IAZH121E xxxxxxx NODE has no PASSWORD and specified SIGNON=COMPAT 
IAZH121E yyyyyyy NODE has no PASSWORD and specified SIGNON=COMPAT
IAZH121E 3 nodes that can be or are currently connected have no password and have specified SIGNON=COMPAT

This can also show up as follows:

HZS0001I CHECK(IBMJES,JES_NJE_SECURITY): 081                      
IAZH121E 1 nodes that can be or are currently connected have no   
password and have specified SIGNON=COMPAT                         
HZS1002E CHECK(IBMJES,JES_NJE_SECURITY): 082

The IBM recommendation to solve this error is:
System Programmer Response: Passwords at the NJE node level verify the identity of NJE nodes as they connect to your network. Using the secure signon process with the APPCLU class (in the security product) is the preferred method because it keeps the password out of the JES initialization statements and ensures all password data is exchanged in non-clear text.

Is there a concern regarding this message?

What needs to be done to implement this?

Environment

z/OS

Resolution

The APPCLU security class must be active on both nodes. In Top Secret, this is the APPCLU special (global) ACID. The APPCLU ACID is a reserved or special ACID that identifies which logical units (LUs) can establish a link for processing APPC transactions and conversations. The SESSION parameter in the APPCLU security class on both nodes must specify a session key and both session keys must be the same. The format of the APPCLU security profile name is NJE.homenode.rmtnode. 

The full syntax of the command is:

TSS ADDTO(APPCLU) LINKID(netid.locallu.remotelu)
                  [SESSKEY(nnnnnnnn)]
                  [INTERVAL(nnnnn)]
                  [CONVSEC(NONE|ALREADYV|CONV|PERSISTV|AVPV)]
                  [SESSLOCK]

For example, on node NODEA:

TSS ADD(APPCLU) LINKID(NJE.NODEA.NODEB) SESSKEY(password) 

On NODEB:

TSS ADD(APPCLU) LINKID(NJE.NODEB.NODEA) SESSKEY(same password) 

For more information on the operands in the TSS ADD(APPCLU) command above, see the following link:

LINKID Keyword—Identify LUs for APPC Conversation

NOTE: The security call to check the APPCLU record only occurs when JES2 SIGNON=SECURE is set.
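
To turn the Health Checker findings into the mirrored profile pairs described above, the following added example (not part of the original article or of any vendor code) extracts the nodes flagged by IAZH121E and builds the TSS ADDTO(APPCLU) command needed on each side. The report text, the node names NODEB and NODEC, the home-node argument and the `<session-key>` placeholder are constructed assumptions.

```python
import re

# Constructed sample modelled on the JES_NJE_SECURITY output shown above;
# NODEB and NODEC are made-up node names.
SAMPLE_REPORT = """\
CHECK(IBMJES,JES_NJE_SECURITY)
Information for Non-Trusted Nodes
IAZH121E NODEB NODE has no PASSWORD and specified SIGNON=COMPAT
IAZH121E NODEC NODE has no PASSWORD and specified SIGNON=COMPAT
IAZH121E NODEB NODE has no PASSWORD and specified SIGNON=COMPAT
IAZH121E 2 nodes that can be or are currently connected have no
password and have specified SIGNON=COMPAT
"""

# Per-node finding. The summary line ("IAZH121E 2 nodes that ...") does not
# match because it lacks the "NODE has no PASSWORD" wording.
NODE_FINDING = re.compile(
    r"^\s*IAZH121E\s+(\S+)\s+NODE has no PASSWORD and specified SIGNON=COMPAT")

def flagged_nodes(report):
    """Return flagged node names in first-seen order, without duplicates."""
    seen = []
    for line in report.splitlines():
        m = NODE_FINDING.match(line)
        if m and m.group(1).upper() not in seen:
            seen.append(m.group(1).upper())
    return seen

def linkid(home, remote):
    """APPCLU profile name in the article's format: NJE.homenode.rmtnode."""
    return f"NJE.{home.upper()}.{remote.upper()}"

def appclu_plan(home, report, key="<session-key>"):
    """Map each flagged node to the command pair that must exist for it.

    `key` is a placeholder: both commands of a pair need the same real key.
    """
    plan = {}
    for remote in flagged_nodes(report):
        if remote == home.upper():
            continue  # the home node does not need a profile for itself
        plan[remote] = {
            "on_home": f"TSS ADDTO(APPCLU) LINKID({linkid(home, remote)}) SESSKEY({key})",
            "on_remote": f"TSS ADDTO(APPCLU) LINKID({linkid(remote, home)}) SESSKEY({key})",
        }
    return plan

if __name__ == "__main__":
    for node, cmds in appclu_plan("NODEA", SAMPLE_REPORT).items():
        print(f"{node}:\n  local : {cmds['on_home']}\n  remote: {cmds['on_remote']}")
```

Each generated pair only takes effect once the corresponding JES2 node definition uses SIGNON=SECURE, as the note above states.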