A fix is available
APAR status
Closed as new function.
Error description
CICS Healthchecker
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All CICS Users * **************************************************************** * PROBLEM DESCRIPTION: This APAR introduces 3 new * * HealthChecker for z/OS checks. * **************************************************************** * RECOMMENDATION: * **************************************************************** This APAR introduces 3 new Health Checker for z/OS checks aimed at checking that your CICS regions are correctly configured to stop an unauthorised user from submitting JCL to run under the region userid.
Problem conclusion
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
This APAR introduce 3 new Health Checker for z/OS checks aimed at checking that your CICS regions are correctly configured to stop an unauthorised user from submitting JCL to run under the region userid. These new checks are called: CICS_CEDA_ACCESS CICS_JOBSUB_SPOOL CICS_JOBSUB_TDQINTRDR If the checks find any regions which are not correctly configured, the Health Checker for z/OS will issue message HZS0001I CHECK(checkname) to the console; checkname is one of the 3 new checks. This will be followed by a message DFHH000nE (n is 1-3) giving details of the configuration problem. Any checks which have failed on any region on the LPAR will result in the Health Checker for z/OS displaying an EXCEPTION status for the check. Further details of the regions which have failed the check, and the problem with the configuration, can be seen in the Health Checker for z/OS display by selecting the check. New Health Checker for z/OS messages relating to CICS The full documentation changes for PI76963 will be made available in the next shipment of the CICS Knowledge Center. The following messages can be issued by the Health Checker for z/OS on behalf of CICS. New Health Checker for z/OS messages relating to CICS: DFHH0001E The CEDA transaction is accessible to unauthenticated users. Explanation: The IBM supplied transaction CEDA is accessible to the default user or CICS security is turned off. This means anyone who can connect to the IP address and port number of one of the CICS regions listed below can change the configuration of CICS. The regions listed below have a RC/RSN with more specific information about why the region failed the check: 0801 CEDA installed and SEC=NO 0802 CEDA installed and DFLTUSER can run it 0807 The checking module can't be linked to System Action: The system continues processing. Operator Response: Report this error to the System Programmer. System Programmer Response: Correct the security exposure which has been identified. Reference Documentation: Look at the CICS Knowledge Center for advice on best practice DFHH0002E The spool is accessible to unauthenticated users. Explanation: The SPOOL=YES is defined and the IBM supplied transaction CECI is accessible to the default user or CICS security is turned off. This means anyone who can connect to the IP address and port number of one of the CICS regions listed below can submit jobs to run on the z/OS system remotely without authentication. The regions listed below have a RC/RSN with more specific information about why the region failed the check: 0803 SPOOL=YES, CECI installed and SEC=NO 0804 SPOOL=YES, CECI installed and DFLTUSER can run it 0807 The checking module can't be linked to System Action: The system continues processing. Operator Response: Report this error to the System Programmer. System Programmer Response: Correct the security exposure which has been identified. Reference Documentation: Look at the CICS Knowledge Center for advice on best practice DFHH0003E A TDQ defined to the internal reader is accessible to unauthenticated users. Explanation: At least one TD QUEUE defined to the internal reader and the IBM supplied transaction CECI are accessible to the default user or CICS security is turned off. This means anyone who can connect to the IP address and port number of one of the CICS regions listed below can submit jobs to run on the z/OS system remotely without authentication. The regions listed below have a RC/RSN with more specific information about why the region failed the check: 0805 A TDQ accesses INTRDR, CECI is installed and the DLFTUSER can run it 0806 The SVC99 does not support inquire of SYSOUT 0807 The checking module can't be linked to 0808 A TDQ accesses INTRDR, CECI is installed and SEC=NO System Action: The system continues processing. Operator Response: Report this error to the System Programmer. System Programmer Response: Correct the security exposure which has been identified. Reference Documentation: Look at the CICS Knowledge Center for advice on best practice DFHH0200E The CICS Health Checker cannot run due to error: Explanation: The CICS Health Checker was unable to find the storage used by CICS regions to record health checks. System Action: The system continues processing, but cannot report on any CICS regions. Operator Response: Report this error to the System Programmer. System Programmer Response: Use the debug option on the health check to find further details about the problem. Report the problem to IBM Service. DFHH0301I All CEDA transactions are protected from unauthenticated users. Explanation: No problems were found with the configuration of CEDA which would allow default users access. This applies to all CICS regions on this LPAR running during the last health check interval. System Action: The system continues processing. DFHH0302I The spool is protected from unauthenticated users. Explanation: No problems were found with the configuration of the spool which would allow default users access. This applies to all CICS regions on this LPAR running during the last health check interval. System Action: The system continues processing. DFHH0303I No TDQs defined to the internal reader can be written to by unauthenticated users. Explanation: No problems were found with the configuration of TDQs defined to the internal reader which would allow default users access. This applies to all CICS regions on this LPAR running during the last health check interval. System Action: The system continues processing.
APAR Information
APAR number
PI76963
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
600
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2017-02-21
Closed date
2017-08-14
Last modified date
2017-10-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI49521
Modules/Macros
DFH$CAT1 DFHFORMS DFHHCADD DFHHCCHK DFHHCC1 DFHHCC2 DFHHCC3 DFHHCHK DFHHZMSG DFHMEHCC DFHMEHCE DFHMEHCK DFHMET1 DFHMET1E DFHSTNDD DFHXSDM DFHXSIS DFHXSIST DFHXSPW DFHXSRC DFHXSSA DFHXSSI DFHXSSJ DFHXSSJT HCI6700J
| GC34717500 |
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
R700 PSY UI49521
UP17/08/26 P F708
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
10 October 2017