Protecting JES2 NODES per IBM Health Checker recommendations

Document ID : KB000109756
Last Modified Date : 15/08/2018
Introduction:
APPCLU Support and hints on implementing it in JES2 environment 
Question:
I'm in the process of solving IBM Health Checker recommendations regarding JES2.
One of the low/medium severity errors reported is:

CHECK(IBMJES,JES_NJE_SECURITY)
SYSPLEX: KSVPLEX  SYSTEM: SYSA
START TIME: 07/17/2018 07:46:13.759168
CHECK DATE: 20170201  CHECK SEVERITY: MEDIUM-DYNAMIC
CHECK PARM: NJEEXEC(IRRNJECK)

IAZH403I Error encountered trying to determine the list of trusted nodes, IRRNJECK RC=32

--- Information for Non-Trusted Nodes ---
Node     Issue                                               Message
-------- --------------------------------------------------- --------
N8       NODE has no PASSWORD and specified SIGNON=COMPAT    IAZH121E
-------- --------------------------------------------------- --------
SYSMKSV  NODE has no PASSWORD and specified SIGNON=COMPAT    IAZH121E
-------- --------------------------------------------------- --------
TLVSYSH  NODE has no PASSWORD and specified SIGNON=COMPAT    IAZH121E

IAZH121E 3 nodes that can be or are currently connected have no password and have specified SIGNON=COMPAT

The following is IBM's recommendation to solve this error:

System Programmer Response: Passwords at the NJE node level verify the identity of NJE nodes as they connect to your network. Using the secure signon process with the APPCLU class (in the security product) is the preferred method because it keeps the password out of the JES initialization statements and ensures all password data is exchanged in non-clear text.

I looked for APPCLU in the Support database and in CA communities for hints on implementing it in a JES2 environment, but no document was found.
Can you add some details on such an implementation?
Environment:
z/OS
Answer:
The APPCLU security class must be active on both nodes. 
The SESSION parameter in the APPCLU security class on both nodes must specify a 
session key and both session keys must be the same. 
The name of the APPCLU security profile is NJE.homenode.rmtnode. 


For Top Secret:
TSS ADD(APPCLU) LINKID(NJE.AACSYT.AACSYM) SESSKEY(password) 

On the other node: 

TSS ADD(APPCLU) LINKID(NJE.AACSYM.AACSYT) SESSKEY(same password) 

Also, here is a link to the Top Secret documentation, which supplies further information on APPCLU:
https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/resources/appclu-resource-classsecure-appclu-links


The security call to check the APPCLU record only occurs when JES2 SIGNON=SECURE is set.
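
The naming rule from the answer, applied to the nodes flagged in the question's report, as an added example that is not part of the original document or of CA/IBM tooling. It parses the non-trusted node table and derives the mirrored NJE.homenode.rmtnode profile for each side; the home node name HOMENODE and the <session-key> placeholder are assumptions, since the report does not give the local node name and a real key should never appear in a script.

```python
import re

# Rows copied from the JES_NJE_SECURITY report quoted in the question.
REPORT = """\
IAZH403I Error encountered trying to determine the list of trusted nodes, IRRNJECK RC=32
Node     Issue                                               Message
-------- --------------------------------------------------- --------
N8       NODE has no PASSWORD and specified SIGNON=COMPAT    IAZH121E
SYSMKSV  NODE has no PASSWORD and specified SIGNON=COMPAT    IAZH121E
TLVSYSH  NODE has no PASSWORD and specified SIGNON=COMPAT    IAZH121E
IAZH121E 3 nodes that can be or are currently connected have no password and have specified SIGNON=COMPAT
"""

# A table row is: node name (1-8 chars), issue text, trailing message ID.
ROW = re.compile(r"^([A-Z0-9$#@]{1,8})\s+(.+?)\s+(IAZH\d{3}[A-Z])\s*$")

def flagged_nodes(report, msgid="IAZH121E"):
    """Return node names whose table row ends with msgid, in report order."""
    nodes = []
    for line in report.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == msgid and m.group(1) not in nodes:
            nodes.append(m.group(1))
    return nodes

def profile_pair(home, remote):
    """APPCLU profile names: (defined on home, defined on remote)."""
    if home == remote:
        raise ValueError("home and remote node must differ")
    return f"NJE.{home}.{remote}", f"NJE.{remote}.{home}"

def tss_commands(home, remote, key="<session-key>"):
    """Command per node; key stays a placeholder, identical on both sides."""
    local, peer = profile_pair(home, remote)
    return {
        home: f"TSS ADD(APPCLU) LINKID({local}) SESSKEY({key})",
        remote: f"TSS ADD(APPCLU) LINKID({peer}) SESSKEY({key})",
    }

if __name__ == "__main__":
    HOME = "HOMENODE"  # constructed name; the report does not give the local node name
    for node in flagged_nodes(REPORT):
        for where, cmd in tss_commands(HOME, node).items():
            print(f"on {where}: {cmd}")
        # Per the answer above, the APPCLU check only runs with SIGNON=SECURE.
        print(f"reminder: {node} is still SIGNON=COMPAT in the report")
```

The message-ID summary lines (IAZH403I, the IAZH121E total) are deliberately not treated as node rows, so only the three table entries are returned.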