Skip,

I ran these on 1/5/18 to fix this check:

RDEFINE RACFVARS &RACLNDE UACC(NONE) OWNER(<sysprog group>)
RALTER RACFVARS &RACLNDE ADDMEM(<your JES node>) (add one for each
node)
SETROPTS CLASSACT(RACFVARS) RACLIST(RACFVARS)

Regards,
Tom Conley

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

I did the same thing but get new complaints:

IAZH104I Informational messages issued by IRRNJECK

IAZH105I None of the input node names are matched by a NODES class
profile with a UACC greater than READ.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Tom Conley
Sent: Wednesday, February 28, 2018 3:21 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):Re: Health Check JES_NJE_SECURITY
Skip,

I ran these on 1/5/18 to fix this check:

RDEFINE RACFVARS &RACLNDE UACC(NONE) OWNER(<sysprog group>) RALTER RACFVARS &RACLNDE ADDMEM(<your JES node>) (add one for each
node)
SETROPTS CLASSACT(RACFVARS) RACLIST(RACFVARS)

Regards,
Tom Conley

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

You should be careful with that, Tom. &RACLNDE should only contain the names of nodes whose RACF databases are identical to each other, at least with respect to the users, groups, and user-group connections that are defined. Having a node listed in &RACLNDE will have a strong effect on security processing (mainly the propagation of submitter identity) for jobs submitted from that node to other nodes in your JES2 network.

On all of my systems that health check ends with
HZS1002E CHECK(IBMJES,JES_NJE_SECURITY):
AN ERROR OCCURRED, DIAG: 00000300_00000004

In the (sysprog) sandplex running mixed with 2.1 and 2.3 we don't get the rc12 anymore, it has downgraded itself to a rc 4 check on both systems. And we haven't done anything to fix anything. NJE isn't even used/active on that sysplex even though there are a few definitions in preparation of NJE.

I read the check as having to give those nodes a password (read: certificate) somewhere. Which may prove interesting since we have an external NJE node in production. Not being very familiar with JES2 or network configuration, I found the explanations in the check text fairly incomprehensible.

Barbara

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

In general you should keep in mind it's ONLY a healthcheck, some general
rule of thumb, but your mileage may vary.
For this case:
1. Do you have NJE?
2. Do you think your NJE configuration is secured properly? Can you
check it with someone responsible for that?

Now details: &RACLNDE may or may not be needed in your setup. Use of
&RACLNDE may or may not be security hole. See RACF Security Guide and
Walt's response.
--
Radoslaw Skorupka
Lodz, Poland




======================================================================


--
Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorized to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: ***@mBank.plSąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 0000025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2018 r. kapitał zakładowy mBanku S.A. (w całości wpłacony) wynosi 169.248.488 złotych.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

The immediate goal is to enable a health check, but as Walt pointed out, the JES2 and/or RACF changes required may affect NJE processing in unintended ways. Yes we have NJE, but we're not prepared to take chances with current functionality until we learn more about possible consequences. For now we plan to disable the check as RSU maintenance rolls out.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of R.S.
Sent: Thursday, March 01, 2018 5:47 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):Re: Health Check JES_NJE_SECURITY
In general you should keep in mind it's ONLY a healthcheck, some general rule of thumb, but your mileage may vary.
For this case:
1. Do you have NJE?
2. Do you think your NJE configuration is secured properly? Can you check it with someone responsible for that?

Now details: &RACLNDE may or may not be needed in your setup. Use of &RACLNDE may or may not be security hole. See RACF Security Guide and Walt's response.

--
Radoslaw Skorupka
Lodz, Poland


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

Is is possible to add the &RACLNDE profile (with possibly a dummy MEMBER subentry) as WARNING to the RACFVARS Class? Then monitor for the Temporary Access Allowed condition and use that information to build your ADDMEMs to the &RACLNDE profile over time?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

The user's permissions don't really matter. What's important for inclusion in &RACLNDE is that the same user IDs exist (and represent the same human users), and the same groups exist, and the same user-to-group connections exist in the RACF databases for the nodes you list in &RACLNDE.

You should be able to find more in the RACF documentation, or you could inquire on RACF-L since the content of &RACLNDE is more appropriately (in my opinion, at least) a RACF topic not a JES topic :)

No. It's not an access check being done. The &RACLNDE profile is an information repository used by RACF while processing inbound NJE work (jobs, sysout), and the presence of the source node name in the member list controls what processing is done during authentication of the inbound work.

Some of our nodes are connected via store-and-forward, so I don't think we can specify DIRECT=YES without also changing topology. Similar concern for SUBNET, which is not currently defined. All nodes belong to us and are managed by the same group of folks. That means that a userid on one node represents the same individual on another node, but I can't speak to GROUP membership, which could easily vary according to business roles.

SHARE is coming up. I'll buttonhole some JES folks there for their advice.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Walt Farrell
Sent: Thursday, March 01, 2018 1:58 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):Re: Health Check JES_NJE_SECURITY
No. It's not an access check being done. The &RACLNDE profile is an information repository used by RACF while processing inbound NJE work (jobs, sysout), and the presence of the source node name in the member list controls what processing is done during authentication of the inbound work.

--
Walt


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN