search cancel

Set up for JESINPUT resource class on ACF2 - DISA STIG ACF2-JS-000080

book

Article ID: 230209

calendar_today

Updated On:

Products

ACF2 - z/OS ACF2 - MISC ACF2

Issue/Introduction

After following instructions for DISA STIG ACF2-JS-000080, access is not being denied for the DENY rules written for the JESINPUT class. Nothing shows up on the ACFRPTRV report for the resource type that was created.

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

There is an ACF2 internal SAFDEF called APPL that tells ACF2 to ignore the request for the JESINPUT resource class. In order to override this SAFDEF and activate validation for the JESINPUT class, the following SAFDEF will need to be created:

ACF
SET C(GSO)
INSERT SAFDEF.JESINPUT ID(JESINPUT) MODE(GLOBAL) RACROUTE(REQUEST=AUTH CLASS=JESINPUT  REQSTOR=ACF9CSFV)
F ACF2,REFRESH(SAFDEF)                                                       

To comply with the STIG, the same user id has to exist on both systems in order for JESINPUT to validate properly. Otherwise, ACF2 will use the DFTLID specified in the GSO NJE record. If nothing is specified for DFTLID in the NJE record, ACF2 will then try to use the DFTLID specified in the GSO OPTS record. If that also does not exist, it is unable to find a suitable logonid and will substitute ++++++++ for the logonid.