IBM Support

PI76963: CICS HEALTHCHECKER

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as new function.

Error description

  • CICS Healthchecker
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: This APAR introduces 3 new              *
    *                      HealthChecker for z/OS checks.          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    This APAR introduces 3 new Health Checker for z/OS checks aimed
    at checking that your CICS regions are correctly configured
    to stop an unauthorised user from submitting JCL to run under
    the region userid.
    

Problem conclusion

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

  • This APAR introduce 3 new Health Checker for z/OS checks aimed
    at checking that your CICS regions are correctly configured to
    stop an unauthorised user from submitting JCL to run under the
    region userid. These new checks are called:
    
    CICS_CEDA_ACCESS
    CICS_JOBSUB_SPOOL
    CICS_JOBSUB_TDQINTRDR
    
    If the checks find any regions which are not correctly
    configured, the Health Checker for z/OS will issue message
    
    HZS0001I CHECK(checkname) to the console; checkname is one of
    the 3 new checks. This will be followed by a message DFHH000nE
    (n is 1-3) giving details of the configuration problem.
    
    Any checks which have failed on any region on the LPAR will
    result in the Health Checker for z/OS displaying an EXCEPTION
    status for the check.
    Further details of the regions which have failed the check,
    and the problem with the configuration,
    can be seen in the Health Checker for z/OS display by selecting
    the check.
    
    New Health Checker for z/OS messages relating to CICS
    
    The full documentation changes for PI76963 will be made
    available in the next shipment of the CICS Knowledge Center.
    
    The following messages can be issued by the Health Checker
    for z/OS on behalf of CICS.
    
    New Health Checker for z/OS messages relating to CICS:
    
    DFHH0001E The CEDA transaction is accessible to unauthenticated
     users.
    
     Explanation: The IBM supplied transaction CEDA is accessible
      to the  default user or CICS security is turned off.
    
     This means anyone who can connect to the IP address and
     port number  of one of the CICS regions listed below can
     change the configuration of CICS.
    
     The regions listed below have a RC/RSN with more specific
     information about why the region failed the check:
     0801 CEDA installed and SEC=NO
     0802 CEDA installed and DFLTUSER can run it
     0807 The checking module can't be linked to
    
     System Action: The system continues processing.
    
     Operator Response: Report this error to the System Programmer.
    
     System Programmer Response: Correct the security exposure
     which has  been identified.
    
     Reference Documentation: Look at the CICS Knowledge Center
     for advice on best practice
    
    
    DFHH0002E The spool is accessible to unauthenticated users.
    
     Explanation: The SPOOL=YES is defined and the IBM supplied
     transaction CECI is accessible to the default user or CICS
     security is turned off.
    
     This means anyone who can connect to the IP address and
     port number of one of the CICS regions listed below can submit
     jobs to run on the z/OS system remotely without
     authentication.
    
     The regions listed below have a RC/RSN with more specific
     information about why the region failed the check:
     0803 SPOOL=YES, CECI installed and SEC=NO
     0804 SPOOL=YES, CECI installed and DFLTUSER can run it
     0807 The checking module can't be linked to
    
     System Action: The system continues processing.
    
     Operator Response: Report this error to the System Programmer.
    
     System Programmer Response: Correct the security exposure
     which has been identified.
    
     Reference Documentation: Look at the CICS Knowledge Center
     for advice on best practice
    
    DFHH0003E A TDQ defined to the internal reader
    is accessible to unauthenticated users.
    
     Explanation: At least one TD QUEUE defined to the internal
      reader and the IBM supplied transaction CECI are
      accessible to the default user
     or CICS security is turned off.
    
     This means anyone who can connect to the IP address and
     port number of one of the CICS regions listed below can
     submit jobs to run on the z/OS system remotely
     without authentication.
    
     The regions listed below have a RC/RSN with more specific
     information about why the region failed the check:
     0805 A TDQ accesses INTRDR, CECI is installed and the DLFTUSER
     can run it
     0806 The SVC99 does not support inquire of SYSOUT
     0807 The checking module can't be linked to
     0808 A TDQ accesses INTRDR, CECI is installed and SEC=NO
    
     System Action: The system continues processing.
    
     Operator Response: Report this error to the System Programmer.
    
     System Programmer Response: Correct the security exposure which
     has been identified.
    
     Reference Documentation: Look at the CICS Knowledge Center for
     advice on best practice
    
    DFHH0200E The CICS Health Checker cannot run due to error:
    
     Explanation: The CICS Health Checker was unable to find the
     storage used by CICS regions to record health checks.
    
     System Action: The system continues processing,
    but cannot report on any CICS regions.
    
     Operator Response: Report this error to the System Programmer.
    
     System Programmer Response: Use the debug option on the
     health check to find further details about the problem.
     Report the problem to IBM Service.
    
    DFHH0301I All CEDA transactions are protected from
    unauthenticated users.
    
     Explanation: No problems were found with the configuration of
     CEDA which would allow default users access.
     This applies to all CICS regions on this LPAR running
     during the last health check interval.
    
     System Action: The system continues processing.
    
    DFHH0302I The spool is protected from unauthenticated users.
    
     Explanation: No problems were found with the configuration of
     the spool which would allow default users access.
     This applies to all CICS regions on this LPAR
    running during the last health check interval.
    
     System Action: The system continues processing.
    
    DFHH0303I No TDQs defined to the internal reader can be
    written to by unauthenticated users.
    
     Explanation: No problems were found with the configuration of
    TDQs defined to the internal reader which would allow
    default users access.
    This applies to all CICS regions on this LPAR running
    during the last health check interval.
    
     System Action: The system continues processing.
    

APAR Information

  • APAR number

    PI76963

  • Reported component name

    CICS TS Z/OS V4

  • Reported component ID

    5655S9700

  • Reported release

    600

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2017-02-21

  • Closed date

    2017-08-14

  • Last modified date

    2017-10-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI49521

Modules/Macros

  •    DFH$CAT1 DFHFORMS DFHHCADD DFHHCCHK DFHHCC1
    DFHHCC2  DFHHCC3  DFHHCHK  DFHHZMSG DFHMEHCC DFHMEHCE DFHMEHCK
    DFHMET1  DFHMET1E DFHSTNDD DFHXSDM  DFHXSIS  DFHXSIST DFHXSPW
    DFHXSRC  DFHXSSA  DFHXSSI  DFHXSSJ  DFHXSSJT HCI6700J
    

Publications Referenced
GC34717500        

Fix information

  • Fixed component name

    CICS TS Z/OS V4

  • Fixed component ID

    5655S9700

Applicable component levels

  • R700 PSY UI49521

       UP17/08/26 P F708

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: CICS Transaction Server

Software version: 4.1

Reference #: PI76963

Modified date: 10 October 2017


Translate this page: