Instructions from fix SO04936 when you setup the Top Secret NJE Health Checker


Article ID: 194198


Updated On:


CA Top Secret CA Top Secret - LDAP CA Web Administrator for Top Secret


Activate Top Secret version of NJE_SECURITY health check:



Release : 16.0

Component : CA Top Secret for z/OS


 These are the instructions:

1.  Issue LLA REFRESH after applying APAR                                  
2.  Allocate new local System REXX library with the same attributes as     
    SYS1.SAXREXEC.  Can use SYS1.SAXREXEC if desired and not allocate      
    a new REXXLIB.                                                         
3.  Copy TTSSNJE from your CAKOCLS0 library into the data set allocated    
    in Step #2.                                                            
4.  Create a System REXX "AXRxx" PARMLIB member which adds the data        
    set created in Step #2 into the System REXX REXXLIB library            
    For example:  REXXLIB ADD DSNAME(TSS.SYSREXX)                          
5.  Restart System REXX procs following IBM-documented procedures.         
6.  Issue "F AXR,SYSREXX REXXLIB" and confirm the data set from Step #2    
    appears in the System REXX REXXLIB concatenation.                      
7.  Give the HZSPROC STC ACID a permit for READ access on IBMFAC           
    resource "IRR.RADMIN" so the NJE Health Check Utility can run the      
    necessary TSS commands to perform its duties.                          
    For example:  TSS PERMIT(hzs) IBMFAC(IRR.RADMIN) ACC(READ)             
8.  Give the HZSPROC STC ACID a permit for READ access on the data set     
    used in Step #2.                                                       
9.  Assign the HZSPROC STC ID the following ADMIN authorities:             
    a.  MISC9(GENERIC)                                                     
    b.  NODES(ALL)                                                         
    c.  RESOURCE(INFO)                                                     
    d.  ACID(INFO)                                                         
    e.  FACILITY(ALL)                                                      
    f.  MISC2(TARGET)                                                      
    For example:  TSS ADMIN(hzs) MISC9(GENERIC) NODES(ALL) -  

10. Ensure the HZSPROC STC ID is an unscoped SCA.  Move the ACID to       
    TYPE(SCA) or make a new STC ID that is an SCA and attach it to the    
    For example:  TSS MOVE(hzs) TYPE(SCA)                                 
11. Restart HZSPROC to pick up the new Authorities                        
12. Modify the JES_NJE_SECURITY Health Check NJEEXEC parameter to         
    specify the TSS NJE Health Check utility REXX "TTSSNJE".  This can    
    be done temporarily via the following command:                        
       PARM('NJEEXEC(TTSSNJE)'),DATE('yyyymmdd'),REASON('TSS UPDATE')     
    NOTE: We recommend leaving as a temporary change until Health Check   
          process has been validated.  Step #14 describes making this     
13. Validate the JES_NJE_SECURITY processing.  Can do this by either      
    waiting for the next scheduled check, or by forcing one to happen     
    immediately.  To force the utility to run immediately, use the        
    following command:                                                    
       F HZSPROC,RUN,CHECK=(IBMJES,JES_NJE_SECURITY)                      
14. Modify the HZSPRMxx PARMLIB member to make the NJEEXEC change         
    permanent.  For example, add the following lines to your HZSPRMxx     
       ADDREPLACE POLICY                                                  
       REASON('TSS override of NJEEXEC')                                  
    NOTE:  Adjust SEVERITY and INTERVAL to the appropriate values for     
           your environment.  E.g. (HIGH and 00:30) 

If you are not using the Top Secret version of the JES NJE Health    
Checker utility and apply this APAR, you will at minimum need to     
provide the following permits to the HZSPROC STC ID:                 
    TSS PERMIT(hzs) IBMFAC(IRR.RADMIN) ACCESS(READ)                  
    TSS PERMIT(hzs) DSN(SYS1.SAXREXEC) ACCESS(READ)                  
Without these permits, HZSPROC will fail to start.                   
***End NOTE***