ACF2 batch job fails using /*ROUTE, to a remote RACF NJE LPAR, when using passphrase, with error- $HASP107 KEYWORD NOT VALID
search cancel

ACF2 batch job fails using /*ROUTE, to a remote RACF NJE LPAR, when using passphrase, with error- $HASP107 KEYWORD NOT VALID

book

Article ID: 203660

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 - z/OS ACF2 - MISC

Issue/Introduction

Operating environment 
- z/OS 2.3 with CA-ACF2 r16 participating in an NJE configuration with a z/OS 2.3 RACF system.

-Configuration ;
    User IDs on each system are NOT known to the other system.
    Passwords are in use on the ACF2 system, and phrases are NOT permitted.
    Pass phrases are in use on the RACF system.  Passwords are NOT permitted. 

    A process that submits a batch job from the local ACF2 system and /*ROUTE XEQs to the remote RACF system. 
    The batch job supplies the remote system USERID and PASSWORD (phrase) via the JOB card USER=/PASSWORD=      parameters.

Following (2) issues are observed.

  •     When the JOB card includes ANY parameter(s) AFTER the PASSWORD parameter, that / those parameter(s) is / are ignored,
        and the following error is observed in the system log:

             $HASP107 SYHMFGTU -- NON-VALID JOB          STMT - VALUE FOR PASSWORD    
                              KEYWORD NOT VALID  

    The job is actually submitted and received at the remote site for execution, but without the presence of any parameters specified after PASSWORD. 

    //SYHMFGTU JOB (AB9XYZ,SOFT),'SCCPBLUP',                               
    //         USER=TESTUSR,                                                
    //         PASSWORD='This is not my pass phrase.',                     
    //         NOTIFY=&SYSUID.,REGION=0M,CLASS=X,MSGCLASS=Y    <== All of these parameters are ignored
    //*                                                                    
    /*ROUTE XEQ LPART                                                    
    /*JOBPARM SYSAFF=LPAR1                                                  
    /*ROUTE PRINT LOCAL                                                    
    //*                                                                    
    //UPDATE  EXEC PGM=IEFBR14                                              
    //*                                                                    
  •      If the batch job is submitted with the PASSWORD parameter as the last parameter on the JOB card, 
         no  $HASP107 message received and the job is submitted/routed as expected. 
         However, the job fails on the remote RACF system due to “INVALID PASSWORD”.

In the above situation, because “receiving node is not secured by CA ACF2”, one  must specify NOENCRYPT. 
But as a passphrase is used, CA ACF2 is sending an encrypted password (phrase).

In this specific situation, what would be the recommended configuration to allow batch jobs to process properly when
submitted with USER/PASSWORD using passphrase that are routed to a non-ACF2 system? 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Use parenthesis to contain the phrase on the JOB card to address the syntax issue.

ACF2 enforces ENCRYPT for phrases because the 8-byte result will fit into the NJE Header.
But, info in the NJE header should only be going to a "similar" JES2 systems, but since this is a RACF system,
Use the /*XMIT technique rather that /*ROUTE so that the parsing  of the JCL/phrase is delayed until it gets received on the RACF system.

Powered by Wolken Software