z/OS JES2 Initialization and Tuning Guide


Multiple levels of a security product in a MAS

SA32-0991-00

JES2 security support assumes that the same level of the security product is installed on all members of a MAS and that the security product's data base is the same on all members. Unexpected security failures and inconsistent audit records might occur if this is not the case.

For example, if the security product on member 1 requires SECLABELs and the security product on member 2 does not support SECLABELs, then a job submitted on member 2 but run on member 1 can fail because it has no SECLABEL. Security failures can also occur when member 1 attempts to access a job submitted on member 2 or SYSOUT created on member 2. Accesses that can fail include the JESSPOOL call made when a SPOOL data set is purged. The data set will be purged, but a security violation audit record and message might be generated.

Complete audit records might not be available in this environment. Audit records will only be created by systems with security products that support the appropriate classes. Access from other systems will not be audited.

For these reasons, it is recommended that classes/profiles related to JES2 should not be activated until all members have security products capable of supporting those classes/profiles. Also, those classes should be activated on all members at the same time.

Special consideration must be given to MASes in which one member has a security product and the other does not. Information placed in TOKENs by SAF on a system with no security product has not been authenticated. The security product on the other member must be aware of this and perform appropriate verification.

In this environment, if the security product installed on the one member is RACF®, the following considerations apply:
  • Jobs submitted on the member without RACF will be verified either when they are converted, or when they go into execution. In order for them to pass this reverification, USER= and PASSWORD= must be specified on the JOB card.
  • If any installation exits change the userid associated with a JOB to something other than what was explicitly specified on a JOB card, the JES2 data set names might have inconsistent userids in them.
  • The installation might experience problems activating any of the following classes:
    • JESINPUT
    • JESJOBS
    • JESSPOOL
    • SURROGAT
    • WRITER
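
The recommendation above to activate the JES2-related classes on all members at the same time can be checked before and after a change. The following is an added example, not part of the IBM documentation: it compares the active classes reported by each member and reports any of the five classes listed above that is active on only part of the MAS. It assumes each member's RACF SETROPTS LIST output has been captured as text and that active classes appear after an "ACTIVE CLASSES =" heading with indented continuation lines; the member names and listings are constructed, and the function names are hypothetical.

```python
import re

# The five classes this page lists as JES2-related.
JES2_CLASSES = ("JESINPUT", "JESJOBS", "JESSPOOL", "SURROGAT", "WRITER")

# Constructed, abridged listings; member names are hypothetical.
# None means the member has no security product installed.
SAMPLE_MAS = {
    "SYS1": ("ACTIVE CLASSES = DATASET USER GROUP JESJOBS JESSPOOL\n"
             "                 SURROGAT WRITER\n"
             "GENERIC PROFILE CLASSES = DATASET\n"),
    "SYS2": "ACTIVE CLASSES = DATASET USER GROUP JESSPOOL\n",
    "SYS3": None,
}

def active_classes(listing):
    """Class names after 'ACTIVE CLASSES =', including indented continuation lines."""
    found, collecting = set(), False
    for line in listing.splitlines():
        start = re.match(r"\s*ACTIVE CLASSES\s*=(.*)", line)
        if start:
            found.update(start.group(1).split())
            collecting = True
        elif collecting and line.startswith(" ") and "=" not in line:
            found.update(line.split())   # assumed continuation-line layout
        else:
            collecting = False           # next heading or blank line ends the list
    return found

def partially_active(members):
    """Return (class, active_on, inactive_on) for each JES2 class active on only part of the MAS."""
    state = {name: active_classes(text) if text else set()
             for name, text in members.items()}
    findings = []
    for cls in JES2_CLASSES:
        on = sorted(name for name in state if cls in state[name])
        off = sorted(name for name in state if cls not in state[name])
        if on and off:
            findings.append((cls, on, off))
    return findings

if __name__ == "__main__":
    for cls, on, off in partially_active(SAMPLE_MAS):
        print(f"{cls}: active on {on}, not active on {off}")
```

The check covers only whether a class is active on each member; whether a member's security product is capable of supporting the class still has to be confirmed separately.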





Copyright IBM Corporation 1990, 2014