Ensure that the IWM4HLTH service is used properly

Description

As of z/OS® V2R2, the minimum authorization requirements for callers of the Workload Management service, IWM4HLTH (setting the server health indicator), are changed. Problem state with any PSW key is sufficient only for setting the health indicator for the home address space of the calling application.

To set the health indicator for another address space, the caller must have at least one of the following authorizations:
  • Supervisor state
  • Program key mask (PKM) with at least one of the keys 0 - 7
  • UPDATE authority to the resource IWM.SERVER.HEALTH in the FACILITY class.
Also, callers of the IWM4HLTH service are recommended to avoid setting the health value to less than 100 for any purposes other than for server health. In z/OS V2R2, a server health value of less than 100 can result in false positives, as follows:
  • Runtime Diagnostics creates a diagnostic event for each address space with a server health value less than 100, regardless of the reason. Events that are created for reasons other than server health might be considered as false events by the user of Runtime Diagnostics.
  • Predictive Failure Analysis (PFA) issues exceptions for Runtime Diagnostics events that are received for server health values less than 100. PFA exceptions that are issued for these events might be considered as false positive exceptions by the user of PFA.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: BCP.
When change was introduced: z/OS V2R2, z/OS V2R1, and z/OS V1R13, all with APAR OA46280.
Applies to migration from: z/OS V2R1 and z/OS V1R13, both without APAR OA46280.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if you have
  • Unauthorized applications that call this service
  • Callers that set health values of less than 100 for reasons other than server health
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM® Health Checker for z/OS check: None.

Steps to take

To identify unauthorized callers of the IWM4HLTH service who set the health indicator for an address space other than the caller's home address space, you can temporarily define the resource profile IWM.SERVER.HEALTH with the parameter WARNING. After the first IPL of z/OS V2R2, RACF issues the following warning message for callers of the service with insufficient authorization: 
ICH408I USER(user) IWM.SERVER.HEALTH CL(FACILITY) 
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
Take one of the following steps for unauthorized callers:
  • Change the program so that it no longer calls the IWM4HLTH service or no longer runs the program.
  • Change the caller authorization to supervisor state or PKM, with at least one of the keys 0-7.
  • Give the user ID associated with the program UPDATE authority to the resource profile IWM.SERVER.HEALTH or an appropriate generic profile when generic profile checking is active.

After the necessary steps are taken, modify the resource profile and specify NOWARNING. Or, if there are no unauthorized callers of the IWM4HLTH service, delete the profile.

Also, ensure that callers of the IWM4HLTH service do not set health values of less than 100 for reasons other than server health.

Reference information

For more information, For more information, see z/OS MVS Programming: Workload Management Services.

Parent topic: BCP actions to perform before the first IPL of z/OS V2R2