Operating environment
- z/OS 2.3 with CA-ACF2 r16 participating in an NJE configuration with a z/OS 2.3 RACF system.
- Configuration:
User IDs on each system are NOT known to the other system.
Passwords are in use on the ACF2 system, and phrases are NOT permitted.
Pass phrases are in use on the RACF system. Passwords are NOT permitted.
A process that submits a batch job from the local ACF2 system and /*ROUTE XEQs to the remote RACF system.
The batch job supplies the remote system USERID and PASSWORD (phrase) via the JOB card USER=/PASSWORD= parameters.
The following (2) issues are observed.
$HASP107 SYHMFGTU -- NON-VALID JOB STMT - VALUE FOR PASSWORD
KEYWORD NOT VALID
The job is actually submitted and received at the remote site for execution, but without the presence of any parameters specified after PASSWORD.
//SYHMFGTU JOB (AB9XYZ,SOFT),'SCCPBLUP',
// USER=TESTUSR,
// PASSWORD='This is not my pass phrase.',
// NOTIFY=&SYSUID.,REGION=0M,CLASS=X,MSGCLASS=Y <== All of these parameters are ignored
//*
/*ROUTE XEQ LPART
/*JOBPARM SYSAFF=LPAR1
/*ROUTE PRINT LOCAL
//*
//UPDATE EXEC PGM=IEFBR14
//*
In the above situation, because “receiving node is not secured by CA ACF2”, one must specify NOENCRYPT.
But as a passphrase is used, CA ACF2 is sending an encrypted password (phrase).
In this specific situation, what is the recommended configuration to allow batch jobs that are submitted with USER/PASSWORD using a passphrase, and routed to a non-ACF2 system, to process properly?
Release : 16.0
Component : CA ACF2 for z/OS
Use parentheses to contain the phrase on the JOB card to address the syntax issue.
ACF2 enforces ENCRYPT for phrases because the 8-byte result will fit into the NJE Header.
However, information in the NJE header should only be going to "similar" JES2 systems. Since this is a RACF system, use the /*XMIT technique rather than /*ROUTE so that the parsing of the JCL/phrase is delayed until it gets received on the RACF system.
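The job from above reworked along those lines, as an added example that is not part of the original article. The wrapper job name XMITJOB, its accounting and class values, and the ZZ delimiter are constructed, and `PASSWORD=('...')` is one reading of "use parentheses to contain the phrase"; node name, user ID and the remaining parameters are the ones shown on the page.

```jcl
//XMITJOB  JOB (ACCT),'XMIT WRAPPER',CLASS=A,MSGCLASS=A
/*XMIT LPART DLM=ZZ
//SYHMFGTU JOB (AB9XYZ,SOFT),'SCCPBLUP',
// USER=TESTUSR,
// PASSWORD=('This is not my pass phrase.'),
// NOTIFY=&SYSUID.,REGION=0M,CLASS=X,MSGCLASS=Y
//*
//* The first JOB statement (constructed) is the only one parsed on the
//* ACF2 node. Every record between /*XMIT and the ZZ delimiter is sent
//* to node LPART as data, so USER= and PASSWORD= are first parsed
//* on the RACF system.
//*
//* DLM=ZZ replaces the default /* delimiter so that the /*JOBPARM
//* statement below does not end the transmitted stream.
//*
//* /*ROUTE XEQ LPART is dropped because /*XMIT performs the routing.
//* /*ROUTE PRINT LOCAL is left out here: inside the transmitted job,
//* LOCAL would be interpreted on the receiving node.
//*
/*JOBPARM SYSAFF=LPAR1
//*
//UPDATE EXEC PGM=IEFBR14
//*
ZZ
```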