Question:
After upgrading to CA Top Secret r16, batch jobs submitted from a remote node started receiving TSS7102E Password Missing error messages. Why?
Answer:
If you are using JES(NOVERIFY) under r16, you will need RO88932, which allows the JES(NOVERIFY) control option.
With NJE, when a job is submitted to a remote node, you need a permit on the remote node: TSS PER(ALL) NODES(node.USERJ) ACCESS(acclevel).
If access level is READ, then jobs need USER= and PASSWORD= on the JOB card.
If access level is UPDATE, then you need a cross authorization permit on the remote node too.
If access level is CONTROL or ALL, then no further checking is done on the remote node (that is, no cross authorization is needed and no PASSWORD= is needed).
For example, if you wanted all jobs submitted from node NODEA to run on NODEB without PASSWORD= on the JOB card and with no cross authorization permit on NODEB, then on NODEB you need the permission:
TSS PER(ALL) NODE(NODEA.USERJ) ACCESS(ALL)
You can also be more specific on the NODES permit on the remote node depending on your security needs.
If you do not have a NODES permit on the remote node then processing occurs as if you had a NODES permit with ACCESS(READ).
With r16, the PASSWORD= is no longer inserted on the job card. If the submitting user has a PERMIT for NODE(NODEA.USERJ) ACCESS(UPDATE), you will need a cross submit authorization on the node where the batch job will be running.
If you have a NODE(NODEA.USERJ) ACCESS(ALL), the cross submit authorization is not needed on the node where the job will be running.
Under r15, the PASSWORD= was put on the JOB card by TSS. Since the password was on the JOB card, no cross submit authorization security checking was being done.
Under r16, the PASSWORD= is no longer added on the JOB card. Why? It has been decided that it is a security exposure.
With no PASSWORD= on the JOB card, a cross submit authorization security check will be done unless the user has ACC(ALL) or ACC(CONTROL) for a NODE(NODEA.USERJ) PERMIT.
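To check in advance which NJE jobs will fail on the remote node after the upgrade, the access-level rules above can be applied to each job's JOB card. The following is an added example, not CA code: a simplified model in which the function names, the sample JCL and the cross_auth flag (whether a cross authorization permit exists on the remote node) are assumptions.

```python
import re

# Constructed sample: a JOB card with USER= but no PASSWORD=, continued onto a second line.
SAMPLE_JCL = """\
//PAYROLL1 JOB (ACCT01),'J SMITH',CLASS=A,
//             USER=USER01,MSGCLASS=X
//STEP1    EXEC PGM=IEFBR14
"""

def job_card_params(jcl):
    """Keyword parameters on the first JOB statement, following continuation lines."""
    operands, started = "", False
    for line in jcl.splitlines():
        line = line[:71].rstrip()              # statement text is columns 1-71
        if line.startswith("//*"):             # comment statement
            continue
        if not started:
            m = re.match(r"//\S+\s+JOB\s+(.*)", line)
            if not m:
                continue
            text, started = m.group(1), True
        elif line.startswith("// "):           # continuation of the operand field
            text = line[2:].lstrip()
        else:
            break
        # The operand field ends at the first blank outside a quoted string.
        field = re.match(r"(?:'[^']*'|[^\s'])*", text).group(0)
        operands += field
        if not field.endswith(","):            # no trailing comma: statement complete
            break
    bare = re.sub(r"'[^']*'", "", operands)    # ignore text inside quotes
    return set(re.findall(r"(?:^|,)([A-Z]+)=", bare))

def unmet_on_remote_node(access, params, cross_auth):
    """Requirements from the answer above that this job does not meet (empty list = none)."""
    access = access or "READ"                  # no NODES permit is processed as ACCESS(READ)
    if access in ("CONTROL", "ALL"):
        return []                              # no further checking on the remote node
    if access == "UPDATE":
        return [] if cross_auth else ["cross authorization permit on remote node"]
    if access == "READ":
        return [k + "= on JOB card" for k in ("USER", "PASSWORD") if k not in params]
    raise ValueError("unexpected access level: " + access)

if __name__ == "__main__":
    params = job_card_params(SAMPLE_JCL)
    for level in (None, "READ", "UPDATE", "CONTROL", "ALL"):
        print(level, unmet_on_remote_node(level, params, cross_auth=False))
```

A job that reports a missing PASSWORD= under ACCESS(READ), or under no NODES permit at all, is one that relied on r15 inserting the password on the JOB card.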