Activate Top Secret version of NJE_SECURITY health check:
Release : 16.0
Component : CA Top Secret for z/OS
These are the instructions:
1. Issue LLA REFRESH after applying APAR
2. Allocate new local System REXX library with the same attributes as
SYS1.SAXREXEC. Can use SYS1.SAXREXEC if desired and not allocate
a new REXXLIB.
3. Copy TTSSNJE from your CAKOCLS0 library into the data set allocated
in Step #2.
4. Create a System REXX "AXRxx" PARMLIB member which adds the data
set created in Step #2 into the System REXX REXXLIB library
concatenation.
For example: REXXLIB ADD DSNAME(TSS.SYSREXX)
5. Restart System REXX procs following IBM-documented procedures.
6. Issue "F AXR,SYSREXX REXXLIB" and confirm the data set from Step #2
appears in the System REXX REXXLIB concatenation.
7. Give the HZSPROC STC ACID a permit for READ access on IBMFAC
resource "IRR.RADMIN" so the NJE Health Check Utility can run the
necessary TSS commands to perform its duties.
For example: TSS PERMIT(hzs) IBMFAC(IRR.RADMIN) ACC(READ)
8. Give the HZSPROC STC ACID a permit for READ access on the data set
used in Step #2.
For example: TSS PERMIT(hzs) DSN(TOPSECRT.NJECK.SAXREXEC) ACC(READ)
9. Assign the HZSPROC STC ID the following ADMIN authorities:
a. MISC9(GENERIC)
b. NODES(ALL)
c. RESOURCE(INFO)
d. ACID(INFO)
e. FACILITY(ALL)
f. MISC2(TARGET)
For example: TSS ADMIN(hzs) MISC9(GENERIC) NODES(ALL) -
ACID(INFO) FACILITY(ALL) RESOURCE(INFO) MISC2(TARGET)
10. Ensure the HZSPROC STC ID is an unscoped SCA. Move the ACID to
TYPE(SCA) or make a new STC ID that is an SCA and attach it to the
HZSPROC.
For example: TSS MOVE(hzs) TYPE(SCA)
11. Restart HZSPROC to pick up the new Authorities
12. Modify the JES_NJE_SECURITY Health Check NJEEXEC parameter to
specify the TSS NJE Health Check utility REXX "TTSSNJE". This can
be done temporarily via the following command:
F HZSPROC,UPDATE,CHECK=(IBMJES,
PARM('NJEEXEC(TTSSNJE)'),
NOTE: We recommend leaving as a temporary change until Health Check
process has been validated. Step #14 describes making this
change.
13. Validate the JES_NJE_SECURITY processing. Can do this by either
waiting for the next scheduled check, or by forcing one to happen
immediately. To force the utility to run immediately, use the
following command:
F HZSPROC,RUN,CHECK=(IBMJES,JES_
14. Modify the HZSPRMxx PARMLIB member to make the NJEEXEC change
permanent. For example, add the following lines to your HZSPRMxx
member:
ADDREPLACE POLICY
UPDATE
CHECK(IBMJES,JES_NJE_
SEVERITY(LOW),
INTERVAL(06:00),
EXCEPTINTERVAL(HALF),
PARM('NJEEXEC(TTSSNJE)'),
DATE('yyyymmdd'),
REASON('TSS override of NJEEXEC')
NOTE: Adjust SEVERITY and INTERVAL to the appropriate values for
your environment. E.g. (HIGH and 00:30)
***NOTE***
If you are not using the Top Secret version of the JES NJE Health
Checker utility and apply this APAR, you will at minimum need to
provide the following permits to the HZSPROC STC ID:
TSS PERMIT(hzs) IBMFAC(IRR.RADMIN) ACCESS(READ)
TSS PERMIT(hzs) DSN(SYS1.SAXREXEC) ACCESS(READ)
Without these permits, HZSPROC will fail to start.
***End NOTE***