A fix is available
APAR status
Closed as new function.
Error description
New function
Local fix
Problem summary
USERS AFFECTED: All CICS users

PROBLEM DESCRIPTION: This APAR introduces 3 new Health Checker for z/OS checks.

This APAR introduces 3 new Health Checker for z/OS checks aimed at checking that your CICS regions are correctly configured to stop an unauthorised user from submitting JCL to run under the region userid.

At CICS TS 5.4 the code is already available in the base. This APAR makes a change to the reason codes displayed on the Health Checker for z/OS display for each check:

CICS_CEDA_ACCESS
  CEDA can be used by unauthenticated users
CICS_JOBSUB_SPOOL
  Jobs can be run with regionid authority by unauthenticated users using the SPOOL
CICS_JOBSUB_TDQINTRDR
  Jobs can be run with regionid authority by unauthenticated users using a TDQ
Problem conclusion
Temporary fix
Comments
This APAR introduces 3 new Health Checker for z/OS checks aimed at checking that your CICS regions are correctly configured to stop an unauthorised user from submitting JCL to run under the region userid. These new checks are called:

CICS_CEDA_ACCESS
CICS_JOBSUB_SPOOL
CICS_JOBSUB_TDQINTRDR

If the checks find any regions which are not correctly configured, the Health Checker for z/OS will issue message HZS0001I CHECK(checkname) to the console; checkname is one of the 3 new checks. This will be followed by a message DFHH000nE (n is 1-3) giving details of the configuration problem.

Any checks which have failed on any region on the LPAR will result in the Health Checker for z/OS displaying an EXCEPTION status for the check. Further details of the regions which have failed the check, and the problem with the configuration, can be seen in the Health Checker for z/OS display by selecting the check.

New Health Checker for z/OS messages relating to CICS

DFHH0001E The CEDA transaction is accessible to unauthenticated users.

Explanation: The IBM supplied transaction CEDA is accessible to the default user or CICS security is turned off. This means anyone who can connect to the IP address and port number of one of the CICS regions listed below can change the configuration of CICS. The regions listed below have a RC/RSN with more specific information about why the region failed the check:
  0801 CEDA installed and SEC=NO
  0802 CEDA installed and DFLTUSER can run it
  0807 The checking module can't be linked to
System Action: The system continues processing.
Operator Response: Report this error to the System Programmer.
System Programmer Response: Correct the security exposure which has been identified.
Reference Documentation: Look at the CICS Knowledge Centre for advice on best practice.

DFHH0002E The spool is accessible to unauthenticated users.

Explanation: SPOOL=YES is defined and the IBM supplied transaction CECI is accessible to the default user or CICS security is turned off. This means anyone who can connect to the IP address and port number of one of the CICS regions listed below can submit jobs to run on the z/OS system remotely without authentication. The regions listed below have a RC/RSN with more specific information about why the region failed the check:
  0803 SPOOL=YES, CECI installed and SEC=NO
  0804 SPOOL=YES, CECI installed and DFLTUSER can run it
  0807 The checking module can't be linked to
System Action: The system continues processing.
Operator Response: Report this error to the System Programmer.
System Programmer Response: Correct the security exposure which has been identified.
Reference Documentation: Look at the CICS Knowledge Centre for advice on best practice.

DFHH0003E A TDQ defined to the internal reader is accessible to unauthenticated users.

Explanation: At least one TD QUEUE defined to the internal reader and the IBM supplied transaction CECI are accessible to the default user or CICS security is turned off. This means anyone who can connect to the IP address and port number of one of the CICS regions listed below can submit jobs to run on the z/OS system remotely without authentication. The regions listed below have a RC/RSN with more specific information about why the region failed the check:
  0805 A TDQ accesses INTRDR, CECI is installed and the DFLTUSER can run it
  0806 The SVC99 does not support inquire of SYSOUT
  0807 The checking module can't be linked to
  0808 A TDQ accesses INTRDR, CECI is installed and SEC=NO
System Action: The system continues processing.
Operator Response: Report this error to the System Programmer.
System Programmer Response: Correct the security exposure which has been identified.
Reference Documentation: Look at the CICS Knowledge Centre for advice on best practice.

DFHH0200E The CICS Health Checker cannot run due to error:

Explanation: The CICS Health Checker was unable to find the storage used by CICS regions to record health checks.
System Action: The system continues processing, but cannot report on any CICS regions.
Operator Response: Report this error to the System Programmer.
System Programmer Response: Use the debug option on the health check to find further details about the problem. Report the problem to IBM Service.

DFHH0301I All CEDA transactions are protected from unauthenticated users.

Explanation: No problems were found with the configuration of CEDA which would allow default users access. This applies to all CICS regions on this LPAR running during the last health check interval.
System Action: The system continues processing.

DFHH0302I The spool is protected from unauthenticated users.

Explanation: No problems were found with the configuration of the spool which would allow default users access. This applies to all CICS regions on this LPAR running during the last health check interval.
System Action: The system continues processing.

DFHH0303I No TDQs defined to the internal reader can be written to by unauthenticated users.

Explanation: No problems were found with the configuration of TDQs defined to the internal reader which would allow default users access. This applies to all CICS regions on this LPAR running during the last health check interval.
System Action: The system continues processing.

**** PE17/11/02 PTF IN ERROR. SEE APAR PI87204 FOR DESCRIPTION
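
The reason-code conditions listed for DFHH0001E, DFHH0002E and DFHH0003E can be applied to an offline inventory of region settings before the checks run. The Python below is an added example, not IBM code: the Region field names, the applids and the rule that the SEC=NO code takes precedence are assumptions, and codes 0806 and 0807 are left out because they report a failure of the check itself rather than a region setting.

```python
from dataclasses import dataclass

CHECKS = ("CICS_CEDA_ACCESS", "CICS_JOBSUB_SPOOL", "CICS_JOBSUB_TDQINTRDR")

@dataclass
class Region:
    # Constructed model; field names are assumptions, not CICS or Health Checker APIs.
    applid: str
    sec: bool             # True when SEC=YES
    spool: bool           # True when SPOOL=YES
    ceda_installed: bool
    ceci_installed: bool
    dfltuser_ceda: bool   # default user may run CEDA
    dfltuser_ceci: bool   # default user may run CECI
    tdq_intrdr: bool      # at least one TDQ is defined to the internal reader

def reason_codes(r):
    """Return {check: RC/RSN} for the conditions listed under DFHH0001E-DFHH0003E."""
    out = {}
    def flag(check, exposed, rsn_sec_off, rsn_dfltuser, dflt_can_run):
        if not exposed:
            return
        if not r.sec:          # assumption: the SEC=NO code takes precedence
            out[check] = rsn_sec_off
        elif dflt_can_run:
            out[check] = rsn_dfltuser
    flag(CHECKS[0], r.ceda_installed, "0801", "0802", r.dfltuser_ceda)
    flag(CHECKS[1], r.spool and r.ceci_installed, "0803", "0804", r.dfltuser_ceci)
    flag(CHECKS[2], r.tdq_intrdr and r.ceci_installed, "0808", "0805", r.dfltuser_ceci)
    return out

def lpar_exceptions(regions):
    """Per check, list (applid, RC/RSN) of failing regions; any entry means EXCEPTION."""
    report = {c: [] for c in CHECKS}
    for r in regions:
        for check, rsn in reason_codes(r).items():
            report[check].append((r.applid, rsn))
    return report

# Constructed sample inventory (applids are made up).
SAMPLE = [
    Region("CICSA1", False, True, True, True, False, False, True),
    Region("CICSB2", True, True, True, True, False, True, False),
    Region("CICSC3", True, True, True, True, False, False, True),
]

if __name__ == "__main__":
    for check, hits in lpar_exceptions(SAMPLE).items():
        print(check, "EXCEPTION" if hits else "no exception", hits)
```
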
APAR Information
APAR number
PI76965
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
800
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-02-21
Closed date
2017-08-15
Last modified date
2017-11-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI49540 UI49541 UI49542 UI49543 UI49544 UI49545 UI49546
Modules/Macros
DFH$CAT1 DFHAPJVM DFHAXIS2 DFHCDJNI DFHFORMS DFHHCADD DFHHCC1 DFHHCC2 DFHHCC3 DFHHCCHK DFHHCHK DFHHZMSG DFHMEHCC DFHMEHCE DFHMEHCK DFHMET1 DFHSTNDD DFHXSDM DFHXSIDT DFHXSIS DFHXSIST DFHXSJNI DFHXSRC DFHXSSA DFHXSSAT DFHXSSI DFHXSSIT DFHXSSJ DFHXSSJT DFJ@H356 DFJ@H360 DFJ@H386 DFJ@H427 DFJ@H467 DFJ@H468 DFJDTCOE DFJOUTRE DFJWLPPL
GC34286100 | GC34728300 | GC34741800 |
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R000 PSY UI49544
UP17/08/18 P F708
R00D PSY UI49545
UP17/08/18 P F708
R100 PSY UI49546
UP17/08/18 P F708
R800 PSY UI49540
UP17/08/17 P F708
R80D PSY UI49541
UP17/08/17 P F708
R900 PSY UI49542
UP17/08/18 P F708
R90D PSY UI49543
UP17/08/18 P F708
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 November 2017