Remote workstations (RJP/RJE consoles)

Your JES system programmer can require that remote workstation operators enter a password during workstation logon. This can be done through RACF® or by using JES initialization statement parameters.

Note: In JES2, remote workstations are called RJE consoles. In JES3, they are called RJP consoles. If the workstation is connected using BSC, the operator must issue a /*SIGNON statement. If the workstation is connected using SNA, the operator must issue a LOGON statement.

If you want RACF to check LOGON or /*SIGNON passwords, you must activate the FACILITY class and define a profile for each workstation in both the FACILITY and USER classes. You should also ask your JES system programmer for the workstation name. If JES2 is installed, the workstation name has the form RMTnnnn, where nnnn is the remote workstation number. If JES3 is installed, the workstation name is derived from the RJPWS initialization statement for an SNA workstation or the RJPTERM initialization statement for BSC. This workstation name serves as the user ID for the workstation console. Users of the RJP console have to log on using this terminal ID and supply the same password.

You might also need similar support for NJE nodes for command and user ID authorization from the network. NJE nodes do not sign on as RJE workstations do, but rather perform the FACILITY/USERID verification as each command is issued. Also see Authorizing the use of operator commands.

Command validation in JES is composed of two parts:
  1. Validating that the originator of the command can issue the command.
  2. Validating that the originator is authorized to the object of the command.

RACF control is only applied to the issuance of the command. JES continues to validate what object a particular workstation or node can affect.

Note:
  1. JES password protection or command authorization is used instead of RACF protection if any of the following conditions exist:
    • RACF is not installed.
    • No NJE node or remote workstation profile exists in the FACILITY class.
    • RACF is active, but the FACILITY class is not active.
  2. If RACF is installed but not active, control returns to JES, and JES does its own password checking or command authorization.
  3. Workstation operators can change their user passwords only at logon time.
  4. RACF password protection replaces JES password protection for remote workstations. That is, either RACF or JES, but not both, verifies logons and passwords. Similarly, RACF command authorization across the network replaces JES NJE command authorization. That is, RACF or JES, but not both, verifies these commands.
  5. The password for an RJE workstation must be changed the first time the workstation issues a LOGON or SIGNON.
  6. Because the remote workstation or node name is also used as a port of entry, it needs to be defined to the JESINPUT class (if active). If it is not defined and the class is later activated, RJE signons or NJE command authorizations fail because of incorrect port of entry. For more information, see MVS/ESA and RACF 1.9 Security Implementation Guide.

To use RACF to check LOGON or /*SIGNON passwords, perform the following steps:
  1. For each remote workstation or node to be protected, ask your JES system programmer for the following:
    • The ID of the remote workstation. The ID serves as the user ID of the remote workstation. All users using a particular remote workstation must log on using this ID and supply the same password. (The password will never expire.) The ID is one of the following:
      • If JES2 is installed, the remote ID of the RJE console to be protected, which takes the form RMTnnnn.
      • If JES3 is installed, the ID of the console you want to protect.
      • For NJE nodes, the name of the node to be used as the user ID of that node.
  2. For each remote workstation or NJE node, create a user profile:
    ADDUSER userid
            DATA('data')
            PASSWORD(initial-password)
            DFLTGRP(groupname)
    where:
    userid
    is the RJE remote ID or NJE node name.
    data
    is installation-defined, for example:
    DATA('RJE console at xxx, phone yyy')
    initial-password
    is the initial password (to be changed immediately to another password that will never expire).
    groupname
    is a group that you allow to use certain RACF-protected resources, such as commands.
    Specify that the passwords for these profiles will never expire:
    PASSWORD USER(userid) NOINTERVAL
  3. For each workstation for which you want RACF to check the user's password, create a profile in the FACILITY class, as follows:
    RDEFINE FACILITY RJE.workstation

    where workstation has been supplied by the JES system programmer.

    Note: The existence of a profile in the FACILITY class for a remote workstation forces the user to enter a password to be checked by RACF, rather than by JES. The specification of UACC for these profiles has no effect.
  4. For each NJE node for which you want RACF to check the user's command authorization, create a profile in the FACILITY class, as follows:
    RDEFINE FACILITY NJE.nodename

    where nodename has been supplied by the JES system programmer. The specification of UACC for these profiles has no effect.

  5. Run a batch job with old and new passwords specified to set a new password (which will never expire).
  6. When you are ready to start using the protection provided by the profiles you have created, activate the FACILITY class:
    SETROPTS CLASSACT(FACILITY)
  7. If the JESINPUT class is active, define the workstation or node name to the JESINPUT class, as follows:
    RDEFINE JESINPUT workstation UACC(appropriate-access)
    RDEFINE JESINPUT nodename    UACC(appropriate-access)

    If the workstation or node name is not defined and the class is later activated, signon or command authorization fails because of incorrect port of entry. For more information, see MVS/ESA and RACF 1.9 Security Implementation Guide.
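
The notes and steps above, expressed as an audit check (an added example, not part of the original documentation or of any IBM tool): for each remote workstation or NJE node it reports whether RACF or JES does the verification and lists the commands from the steps that are still missing. The inventory, the names RMT1234, RMT5678 and NODEB, and the System and Entry structures are constructed for illustration; the profile states would in practice come from your own RACF listings.

```python
from dataclasses import dataclass

@dataclass
class System:                      # RACF state on the JES system
    racf_installed: bool
    racf_active: bool
    facility_active: bool          # SETROPTS CLASSACT(FACILITY) done
    jesinput_active: bool

@dataclass
class Entry:                       # one remote workstation or NJE node
    name: str                      # RMTnnnn, JES3 console ID, or node name
    kind: str                      # "RJE" or "NJE" (FACILITY profile prefix)
    user_profile: bool             # USER profile exists
    facility_profile: bool         # RJE.name / NJE.name exists in FACILITY
    jesinput_profile: bool         # name defined in JESINPUT

def audit(system, e):
    """Return (verifier, findings, commands) following the notes and steps above."""
    findings, commands = [], []
    if not (system.racf_installed and system.racf_active):
        return "JES", ["RACF not installed or not active"], commands
    if not e.user_profile:
        findings.append("no USER profile")
        commands += [f"ADDUSER {e.name} DATA('data') "
                     "PASSWORD(initial-password) DFLTGRP(groupname)",
                     f"PASSWORD USER({e.name}) NOINTERVAL"]
    if not e.facility_profile:
        findings.append("no FACILITY profile")
        commands.append(f"RDEFINE FACILITY {e.kind}.{e.name}")
    if not system.facility_active:
        findings.append("FACILITY class not active")
        commands.append("SETROPTS CLASSACT(FACILITY)")
    if system.jesinput_active and not e.jesinput_profile:
        findings.append("not defined to JESINPUT: incorrect port of entry")
        commands.append(f"RDEFINE JESINPUT {e.name} UACC(appropriate-access)")
    racf = e.facility_profile and system.facility_active
    return ("RACF" if racf else "JES"), findings, commands

# Constructed inventory (names are made up for illustration).
SYSTEM = System(True, True, facility_active=True, jesinput_active=True)
INVENTORY = [
    Entry("RMT1234", "RJE", True, True, True),     # fully defined
    Entry("RMT5678", "RJE", True, False, True),    # falls back to JES
    Entry("NODEB", "NJE", True, True, False),      # port-of-entry failure
]

if __name__ == "__main__":
    for entry in INVENTORY:
        verifier, findings, commands = audit(SYSTEM, entry)
        print(entry.name, verifier, findings)
        for c in commands:
            print("   ", c)
```

An entry reported as "JES" is one where the JES initialization parameters, not RACF, are the only password or command control in effect.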