IBM PTF UA92706 for APAR OA49171 adds new Health Check for NJE security. What does ACF2 need?

Article ID: 144088

Products

CA ACF2, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

IBM PTF UA92706 for APAR OA49171 introduces a new Health Check related to NJE security. What is needed in ACF2 to support this Health Check and to mark nodes as trusted?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

PTFs SO00955 and SO04159 added ACF2 support for the JES_NJE_SECURITY Health Check functionality introduced by IBM APAR OA49171.

In ACF2, a node is considered trusted when both of the following conditions are met in its NJE record in GSO: VALIN is set to ONLY, and INHERIT is on. If you issue a SHOW NJE, a trusted node is displayed like this:

-- NJE OPTIONS IN EFFECT --                                         
                                                                    
  NODE    VALIDATE  VALIDATE  INHERIT-    SEND    DEFAULT  SYSOUT   
NAME OR   INCOMING  OUTGOING    ANCE    ENCRYPTED LOGONID  DEFAULT  
  MASK      JOBS      JOBS    ALLOWED   PASSWORD           LOGONID  
 (BOTH)     (IN)      (OUT)     (IN)     (OUT)     (IN)     (IN)    
=======   ========  ========  ========  ========  =======  =======  
PRODSYS     ONLY       NO       YES       NO      <NONE>   <NONE>   
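
An added example (not part of the original article and not CA or IBM code): a small Python parser that applies the trusted-node rule above to captured SHOW NJE output, so the list of trusted nodes can be reviewed offline. Only the PRODSYS row comes from the article; the other rows are constructed, and treating '*' and '-' as mask characters is an assumption.

```python
# Added example: audit SHOW NJE output for trusted nodes (VALIN=ONLY and INHERIT=YES).
from dataclasses import dataclass

# Constructed sample: PRODSYS is the row shown in the article; the other rows are invented.
SAMPLE_SHOW_NJE = """\
-- NJE OPTIONS IN EFFECT --

  NODE    VALIDATE  VALIDATE  INHERIT-    SEND    DEFAULT  SYSOUT
NAME OR   INCOMING  OUTGOING    ANCE    ENCRYPTED LOGONID  DEFAULT
  MASK      JOBS      JOBS    ALLOWED   PASSWORD           LOGONID
 (BOTH)     (IN)      (OUT)     (IN)     (OUT)     (IN)     (IN)
=======   ========  ========  ========  ========  =======  =======
PRODSYS     ONLY       NO       YES       NO      <NONE>   <NONE>
TESTSYS     YES        YES      YES       NO      <NONE>   <NONE>
DEVSYS      ONLY       NO       NO        NO      NJEDFLT  <NONE>
PLEX*       ONLY       NO       YES       YES     <NONE>   <NONE>
"""

@dataclass
class NjeNode:
    name: str
    valin: str
    valout: str
    inherit: str
    encrypt: str
    dftlid: str
    sysout_dftlid: str

    @property
    def trusted(self) -> bool:
        # Rule from the article: VALIN must be ONLY and INHERIT must be on.
        return self.valin == "ONLY" and self.inherit == "YES"

    @property
    def is_mask(self) -> bool:
        # Assumption: '*' and '-' are the mask characters in the node name.
        return any(c in self.name for c in "*-")

def parse_show_nje(text: str) -> list[NjeNode]:
    """Return one NjeNode per data row that follows the ===== separator."""
    nodes, in_body = [], False
    for line in text.splitlines():
        fields = line.split()
        if not in_body:
            in_body = bool(fields) and set(fields[0]) == {"="}
            continue
        if len(fields) == 7:  # skip blank or wrapped lines
            nodes.append(NjeNode(*(f.upper() for f in fields)))
    return nodes

def trusted_nodes(text: str) -> list[str]:
    return [n.name for n in parse_show_nje(text) if n.trusted]
```

A trusted entry whose name is a mask extends trust to every node name the mask matches, so those rows deserve the closest review.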

Additional Information

++ HOLD(UA92706) SYS FMID(HBB77A0) REASON(ACTION) DATE(17199)
   COMMENT
    (****************************************************************
     * FUNCTION AFFECTED: JES2 and JES3                   (OA49171) *
     ****************************************************************
     * DESCRIPTION      : Update PARM                               *
     ****************************************************************
     * TIMING           : Pre- or Post-APPLY                        *
     ****************************************************************
     For this check to work properly, it has to determine from the
     security product the NJE nodes that are considered trusted.  By
     default, this check is set up for installations that use RACF as
     their security product.  RACF users need to install RACF APAR
     OA51635 to fully enable this health check.  If you are not using
     RACF, you need to alter the parameter NJEEXEC for this health
     check.  This should be set to either the name of the exec
     specified by your security product for this check, or the string
     NONE if your security product does not have the concept of
     trusted nodes.).