Discussion:
Health Check JES_NJE_SECURITY
Jesse 1 Robinson
2018-02-28 19:37:22 UTC
APAR OA49171 introduces a new health check called JES_NJE_SECURITY. I understand the motivation for it but I can't figure out how to satisfy the check's requirements. There's plenty of write-up available, but there are lots of IFs and BUTs. Furthermore, there's reference to the &RACLNDE profile in the RACFVARS class. We have class RACFVARS active, but it contains no profiles.

I cannot find an example of how to create/update the &RACLNDE profile. Anyone have a clue?

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office <===== NEW
***@sce.com


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Tom Conley
2018-02-28 23:19:46 UTC
Post by Jesse 1 Robinson
APAR OA49171 introduces a new health check called JES_NJE_SECURITY. I understand the motivation for it but I can't figure out how to satisfy the check's requirements. There's plenty of write-up available, but there are lots of IFs and BUTs. Furthermore, there's reference to the &RACLNDE profile in the RACFVARS class. We have class RACFVARS active, but it contains no profiles.
I cannot find an example of how to create/update the &RACLNDE profile. Anyone have a clue?
Skip,

I ran these on 1/5/18 to fix this check:

RDEFINE RACFVARS &RACLNDE UACC(NONE) OWNER(<sysprog group>)
RALTER RACFVARS &RACLNDE ADDMEM(<your JES node>)   (add one for each node)
SETROPTS CLASSACT(RACFVARS) RACLIST(RACFVARS)

Regards,
Tom Conley

Jesse 1 Robinson
2018-02-28 23:27:14 UTC
I did the same thing but get new complaints:

IAZH104I Informational messages issued by IRRNJECK

IAZH105I None of the input node names are matched by a NODES class
profile with a UACC greater than READ.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office <===== NEW
***@sce.com


Walt Farrell
2018-03-01 01:19:44 UTC
Post by Tom Conley
RDEFINE RACFVARS &RACLNDE UACC(NONE) OWNER(<sysprog group>)
RALTER RACFVARS &RACLNDE ADDMEM(<your JES node>) (add one for each
node)
SETROPTS CLASSACT(RACFVARS) RACLIST(RACFVARS)
You should be careful with that, Tom. &RACLNDE should only contain the names of nodes whose RACF databases are identical to each other, at least with respect to the users, groups, and user-group connections that are defined. Having a node listed in &RACLNDE will have a strong effect on security processing (mainly the propagation of submitter identity) for jobs submitted from that node to other nodes in your JES2 network.
--
Walt

Jesse 1 Robinson
2018-03-01 03:13:20 UTC
Ouch. I never saw Walt's proviso mentioned in the doc. Yes, these nodes are all totally under our control. However each node (sysplex) constitutes a different business environment supported by a different RACF data base. A person may have the same userid on sandbox and on production, but they do not necessarily have the same authority on both. Both represent the same person but not necessarily the same role.

We need to reassess our goal here.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office <===== NEW
***@sce.com


Barbara Nitz
2018-03-01 06:19:16 UTC
Post by Jesse 1 Robinson
Ouch. I never saw Walt's proviso mentioned in the doc. Yes, these nodes are all totally under our control. However each node (sysplex) constitutes a different business environment supported by a different RACF data base. A person may have the same userid on sandbox and on production, but they do not necessarily have the same authority on both. Both represent the same person but not necessarily the same role.
We need to reassess our goal here.
On all of my systems that health check ends with
HZS1002E CHECK(IBMJES,JES_NJE_SECURITY):
AN ERROR OCCURRED, DIAG: 00000300_00000004

In the (sysprog) sandplex, running mixed with 2.1 and 2.3, we don't get the RC 12 anymore; it has downgraded itself to an RC 4 check on both systems. And we haven't done anything to fix anything. NJE isn't even used/active on that sysplex, even though there are a few definitions in preparation for NJE.

I read the check as having to give those nodes a password (read: certificate) somewhere. Which may prove interesting since we have an external NJE node in production. Not being very familiar with JES2 or network configuration, I found the explanations in the check text fairly incomprehensible.

Barbara

R.S.
2018-03-01 13:45:55 UTC
Post by Jesse 1 Robinson
APAR OA49171 introduces a new health check called JES_NJE_SECURITY. I understand the motivation for it but I can't figure out how to satisfy the check's requirements. There's plenty of write-up available, but there are lots of IFs and BUTs. Furthermore, there's reference to the &RACLNDE profile in the RACFVARS class. We have class RACFVARS active, but it contains no profiles.
I cannot find an example of how to create/update the &RACLNDE profile. Anyone have a clue?
In general you should keep in mind it's ONLY a healthcheck, some general
rule of thumb, but your mileage may vary.
For this case:
1. Do you have NJE?
2. Do you think your NJE configuration is secured properly? Can you
check it with someone responsible for that?

Now details: &RACLNDE may or may not be needed in your setup. Use of
&RACLNDE may or may not be a security hole. See the RACF Security Guide and
Walt's response.
--
Radoslaw Skorupka
Lodz, Poland




Jesse 1 Robinson
2018-03-01 17:10:43 UTC
The immediate goal is to enable a health check, but as Walt pointed out, the JES2 and/or RACF changes required may affect NJE processing in unintended ways. Yes we have NJE, but we're not prepared to take chances with current functionality until we learn more about possible consequences. For now we plan to disable the check as RSU maintenance rolls out.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office <===== NEW
***@sce.com


David Magee
2018-03-01 18:45:23 UTC
Is it possible to add the &RACLNDE profile (with possibly a dummy MEMBER subentry) as WARNING to the RACFVARS Class? Then monitor for the Temporary Access Allowed condition and use that information to build your ADDMEMs to the &RACLNDE profile over time?

Lou Losee
2018-03-01 19:33:13 UTC
Hi David,
The problem with that approach is that checks against the &RACLNDE profile
will also be made for NJE jobs that are not local to the RACF database.
The purpose of the profile is to allow JES/RACF to make a decision as to
whether the submitter is a local user.

Lou

--
Artificial Intelligence is no match for Natural Stupidity
- Unknown
Post by David Magee
Is it possible to add the &RACLNDE profile (with possibly a dummy MEMBER
subentry) as WARNING to the RACFVARS Class? Then monitor for the
Temporary Access Allowed condition and use that information to build your
ADDMEMs to the &RACLNDE profile over time?
Walt Farrell
2018-03-01 21:53:21 UTC
Post by Jesse 1 Robinson
Ouch. I never saw Walt's proviso mentioned in the doc. Yes, these nodes are all totally under our control. However each node (sysplex) constitutes a different business environment supported by a different RACF data base. A person may have the same userid on sandbox and on production, but they do not necessarily have the same authority on both. Both represent the same person but not necessarily the same role.
We need to reassess our goal here.
The user's permissions don't really matter. What's important for inclusion in &RACLNDE is that the same user IDs exist (and represent the same human users), and the same groups exist, and the same user-to-group connections exist in the RACF databases for the nodes you list in &RACLNDE.

You should be able to find more in the RACF documentation, or you could inquire on RACF-L since the content of &RACLNDE is more appropriately (in my opinion, at least) a RACF topic not a JES topic :)
--
Walt

Walt Farrell
2018-03-01 21:57:06 UTC
Post by David Magee
Is it possible to add the &RACLNDE profile (with possibly a dummy MEMBER subentry) as WARNING to the RACFVARS Class? Then monitor for the Temporary Access Allowed condition and use that information to build your ADDMEMs to the &RACLNDE profile over time?
No. It's not an access check being done. The &RACLNDE profile is an information repository used by RACF while processing inbound NJE work (jobs, sysout), and the presence of the source node name in the member list controls what processing is done during authentication of the inbound work.
--
Walt

Jesse 1 Robinson
2018-03-01 22:45:26 UTC
Some of our nodes are connected via store-and-forward, so I don't think we can specify DIRECT=YES without also changing topology. Similar concern for SUBNET, which is not currently defined. All nodes belong to us and are managed by the same group of folks. That means that a userid on one node represents the same individual on another node, but I can't speak to GROUP membership, which could easily vary according to business roles.

SHARE is coming up. I'll buttonhole some JES folks there for their advice.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office <===== NEW
***@sce.com


Robert S. Hansel, RSH
2018-03-02 14:23:06 UTC
Hi Skip,

If you define &RACLNDE and add the name of a node to it, JES will 'trust' and accept any job coming from that node and propagate the submitter's ID and group as is. Adding a node to &RACLNDE is the equivalent of creating NODES profiles of node.USERJ.* UACC(UPDATE), node.GROUPJ.* UACC(READ), and node.SECLJ.* UACC(READ). Note that NODES profiles are ignored for nodes listed in &RACLNDE, so you can't do any submitting user or group translations using NODES profiles. &RACLNDE is very powerful, and nodes should only be defined to it that are under your control.

If a job is received from an &RACLNDE trusted node, and on the receiving system (a) the submitting user isn't defined, (b) the submitter's group isn't defined, or (c) the submitting user isn't connected to the group, the submitter is treated as an undefined user and the job may fail. This is why, as Walt indicated, you should only define nodes to &RACLNDE whose RACF databases are aligned for users, groups, and connects. For systems that aren't so aligned, don't include their nodes in &RACLNDE and use NODES profiles instead.

I recommend you define &RACLNDE in each of your RACF databases and in each such profile include only the nodes for the systems sharing that particular database. Do so even on standalone systems or Multi-Access Spool configurations. This will facilitate spool reloads.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com
--------------------------------------------------------------------------------
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - APR 10-13, 2018 ** Date Change **
- RACF Level II Administration - JUN 4-8, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX - APR 23-27, 2018
--------------------------------------------------------------------------------
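The alignment rule Walt gives (same users, groups and user-to-group connects) and the trusted-node outcomes Bob describes, modelled as a small audit script a sysprog could run over exported user/group/connect lists before adding a node to &RACLNDE. This is an added example, not code from the thread or from IBM; the node names, user IDs and the three sample databases are constructed, and NODES class processing is returned as a placeholder result because its profiles are not covered here.

```python
# Added example: model of the &RACLNDE rules described in the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class RacfDb:
    """The parts of a RACF database that &RACLNDE membership depends on."""
    users: frozenset[str]
    groups: frozenset[str]
    connects: frozenset[tuple[str, str]]   # (user, group) connections


def alignment_gaps(a: RacfDb, b: RacfDb) -> dict[str, set]:
    """Symmetric differences between two databases for users, groups and
    connects. Walt's criterion: all three must be empty before the two
    nodes list each other in &RACLNDE."""
    return {
        "users": set(a.users ^ b.users),
        "groups": set(a.groups ^ b.groups),
        "connects": set(a.connects ^ b.connects),
    }


def aligned(a: RacfDb, b: RacfDb) -> bool:
    return not any(alignment_gaps(a, b).values())


def inbound_outcome(local: RacfDb, raclnde: frozenset[str],
                    node: str, user: str, group: str) -> str:
    """Outcome on the receiving system for a job from `node` submitted by
    `user` in `group`, following Bob's description:
      node not in &RACLNDE            -> NODES class profiles decide
      node trusted, user/group/connect
        all defined locally           -> identity propagated as is
      otherwise                       -> treated as an undefined user"""
    if node not in raclnde:
        return "nodes-profiles"          # placeholder; NODES not modelled
    if (user not in local.users or group not in local.groups
            or (user, group) not in local.connects):
        return "undefined-user"
    return "propagated"


def plan_raclnde(local_node: str, local: RacfDb,
                 remotes: dict[str, RacfDb]) -> tuple[list[str], list[str]]:
    """Split candidate nodes into those safe for &RACLNDE (databases
    aligned with this one) and those that should use NODES profiles."""
    trust, nodes_class = [], []
    for name, db in sorted(remotes.items()):
        (trust if aligned(local, db) else nodes_class).append(name)
    return [local_node] + trust, nodes_class


def raclnde_commands(nodes: list[str], owner: str) -> list[str]:
    """The RACF commands from Tom's reply, one ADDMEM per trusted node."""
    cmds = [f"RDEFINE RACFVARS &RACLNDE UACC(NONE) OWNER({owner})"]
    cmds += [f"RALTER RACFVARS &RACLNDE ADDMEM({n})" for n in nodes]
    cmds.append("SETROPTS CLASSACT(RACFVARS) RACLIST(RACFVARS)")
    return cmds


# Constructed sample data: node names, user IDs and groups are made up.
PROD = RacfDb(frozenset({"SKIPR", "TOMC"}), frozenset({"SYSPROG", "OPS"}),
              frozenset({("SKIPR", "SYSPROG"), ("TOMC", "OPS")}))
PROD2 = RacfDb(PROD.users, PROD.groups, PROD.connects)     # shares PROD's DB
SANDBOX = RacfDb(PROD.users, PROD.groups,                  # connects differ
                 frozenset({("SKIPR", "OPS"), ("TOMC", "OPS")}))

if __name__ == "__main__":
    trusted, via_nodes = plan_raclnde("PRODA", PROD,
                                      {"PRODB": PROD2, "SANDBX": SANDBOX})
    print("&RACLNDE members:", trusted, "NODES profiles for:", via_nodes)
    print("\n".join(raclnde_commands(trusted, "SYSPROG")))
    print(inbound_outcome(PROD, frozenset(trusted), "PRODB", "SKIPR", "OPS"))
```

The last print shows the undefined-user case Bob warns about: a trusted node whose submitter is not connected to the named group on the receiving system.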
