IBM PTF UA92706 for APAR OA49171 introduces a new Health Check related to NJE security. What is needed in ACF2 for this Health Check and mark trusted nodes?
Release : 16.0
Component : CA ACF2 for z/OS
PTFs SO00955 and SO04159 added ACF2 support for the JES_NJE_SECURITY Health Check functionality introduced by IBM APAR 0A49171.
In ACF2, for a node to be considered trusted, the two following conditions are needed from the NJE record in GSO. VALIN needs to be set to ONLY, and INHERIT needs to be on. If you issue a SHOW NJE, you will see this represented like this:
-- NJE OPTIONS IN EFFECT --
NODE VALIDATE VALIDATE INHERIT- SEND DEFAULT SYSOUT
NAME OR INCOMING OUTGOING ANCE ENCRYPTED LOGONID DEFAULT
MASK JOBS JOBS ALLOWED PASSWORD LOGONID
(BOTH) (IN) (OUT) (IN) (OUT) (IN) (IN)
======= ======== ======== ======== ======== ======= =======
nodename ONLY NO YES NO <NONE> <NONE>
++ HOLD(UA92706) SYS FMID(HBB77A0) REASON(ACTION) DATE(17199)
COMMENT
(****************************************************************
* FUNCTION AFFECTED: JES2 and JES3 (OA49171) *
****************************************************************
* DESCRIPTION : Update PARM *
****************************************************************
* TIMING : Pre- or Post-APPLY *
****************************************************************
For this check to work properly, it has to determine from the
security product the NJE nodes that are considered trusted. By
default, this check is set up for installations that use RACF as
their security product. RACF users need to install RACF APAR
OA51635 to fully enable this health check. If you are not using
RACF, you need to alter the parameter NJEEXEC for this health
check. This should be set to either the name of the exec
specified by your security product for this check, or the string
NONE if your security product does not have the concept of
trusted nodes.).