IBM Support

PI76965: CICS HEALTHCHECKER

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • New function

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All CICS users                               *
****************************************************************
* PROBLEM DESCRIPTION: This APAR introduces 3 new Health       *
*                      Checker for z/OS checks.                *
****************************************************************
This APAR introduces 3 new Health Checker for z/OS checks aimed
at checking that your CICS regions are correctly configured to
stop an unauthorised user from submitting JCL to run under
the region userid.

At CICS TS 5.4 the code is already available in the base.
This APAR makes a change to the reason codes displayed
on the Health Checker for z/OS display for each check:
CICS_CEDA_ACCESS
 CEDA can be used by unauthenticated users
CICS_JOBSUB_SPOOL
 Jobs can be run with regionid authority
 by unauthenticated users using the SPOOL
CICS_JOBSUB_TDQINTRDR
 Jobs can be run with regionid authority
 by unauthenticated users using a TDQ

    



Problem conclusion


    

  • 



Temporary fix


    

  • 



Comments


    

  • This APAR introduce 3 new Health Checker for z/OS checks aimed
at checking that your CICS regions are correctly configured to
stop an unauthorised user from submitting JCL to run under the
region userid. These new checks are called:

CICS_CEDA_ACCESS
CICS_JOBSUB_SPOOL
CICS_JOBSUB_TDQINTRDR

If the checks find any regions which are not correctly
configured, the Health Checker for z/OS will issue message
HZS0001I CHECK(checkname) to the console; checkname is one of
the 3 new checks. This will be followed by a message DFHH000nE
(n is 1-3) giving details of the configuration problem.

Any checks which have failed on any region on the LPAR will
result in the Health Checker for z/OS displaying an EXCEPTION
status for the check.
Further details of the regions which have failed the check,
and the problem with the configuration,
can be seen in the Health Checker for z/OS display by selecting
the check.

New Health Checker for z/OS messages relating to CICS

DFHH0001E The CEDA transaction is accessible to unauthenticated
 users.

 Explanation: The IBM supplied transaction CEDA is accessible
  to the  default user or CICS security is turned off.

 This means anyone who can connect to the IP address and
 port number  of one of the CICS regions listed below can
 change the configuration of CICS.

 The regions listed below have a RC/RSN with more specific
 information about why the region failed the check:
 0801 CEDA installed and SEC=NO
 0802 CEDA installed and DFLTUSER can run it
 0807 The checking module can't be linked to

 System Action: The system continues processing.

 Operator Response: Report this error to the System Programmer.

 System Programmer Response: Correct the security exposure
 which has  been identified.

 Reference Documentation: Look at the CICS Knowledge Centre
 for advice on best practice


DFHH0002E The spool is accessible to unauthenticated users.

 Explanation: The SPOOL=YES is defined and the IBM supplied
 transaction CECI is accessible to the default user or CICS
 security is turned off.

 This means anyone who can connect to the IP address and
 port number of one of the CICS regions listed below can submit
 jobs to run on the z/OS system remotely without
 authentication.

 The regions listed below have a RC/RSN with more specific
 information about why the region failed the check:
 0803 SPOOL=YES, CECI installed and SEC=NO
 0804 SPOOL=YES, CECI installed and DFLTUSER can run it
 0807 The checking module can't be linked to

 System Action: The system continues processing.

 Operator Response: Report this error to the System Programmer.

 System Programmer Response: Correct the security exposure
 which has been identified.

 Reference Documentation: Look at the CICS Knowledge Centre
 for advice on best practice


DFHH0003E A TDQ defined to the internal reader
is accessible to unauthenticated users.

 Explanation: At least one TD QUEUE defined to the internal
  reader and the IBM supplied transaction CECI are
  accessible to the default user
 or CICS security is turned off.

 This means anyone who can connect to the IP address and
 port number of one of the CICS regions listed below can
 submit jobs to run on the z/OS system remotely
 without authentication.

 The regions listed below have a RC/RSN with more specific
 information about why the region failed the check:
 0805 A TDQ accesses INTRDR, CECI is installed and the DLFTUSER
 can run it
 0806 The SVC99 does not support inquire of SYSOUT
 0807 The checking module can't be linked to
 0808 A TDQ accesses INTRDR, CECI is installed and SEC=NO

 System Action: The system continues processing.

 Operator Response: Report this error to the System Programmer.

 System Programmer Response: Correct the security exposure which
 has been identified.

 Reference Documentation: Look at the CICS Knowledge Centre for
 advice on best practice


DFHH0200E The CICS Health Checker cannot run due to error:

 Explanation: The CICS Health Checker was unable to find the
 storage used by CICS regions to record health checks.

 System Action: The system continues processing,
but cannot report on any CICS regions.

 Operator Response: Report this error to the System Programmer.

 System Programmer Response: Use the debug option on the
 health check to find further details about the problem.
 Report the problem to IBM Service.


DFHH0301I All CEDA transactions are protected from
unauthenticated users.

 Explanation: No problems were found with the configuration of
 CEDA which would allow default users access.
 This applies to all CICS regions on this LPAR running
 during the last health check interval.

 System Action: The system continues processing.


DFHH0302I The spool is protected from unauthenticated users.

 Explanation: No problems were found with the configuration of
 the spool which would allow default users access.
 This applies to all CICS regions on this LPAR
running during the last health check interval.

 System Action: The system continues processing.

DFHH0303I No TDQs defined to the internal reader can be
written to by unauthenticated users.

 Explanation: No problems were found with the configuration of
TDQs defined to the internal reader which would allow
default users access.
This applies to all CICS regions on this LPAR running
during the last health check interval.

 System Action: The system continues processing.
×**** PE17/11/02 PTF IN ERROR. SEE APAR PI87204  FOR DESCRIPTION

    



APAR Information




    

  • APAR number
    PI76965
    • 

  • Reported component name
    CICS TS Z/OS V5
    • 

  • Reported component ID
    5655Y0400
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-02-21
    • 

  • Closed date
    2017-08-15
    • 

  • Last modified date
    2017-11-02
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI49540 UI49541 UI49542 UI49543 UI49544 UI49545 UI49546
    

    • 



Modules/Macros


    

  • DFH$CAT1 DFHAPJVM DFHAXIS2 DFHCDJNI DFHFORMS DFHHCADD DFHHCC1
DFHHCC2  DFHHCC3  DFHHCCHK DFHHCHK  DFHHZMSG DFHMEHCC DFHMEHCE
DFHMEHCK DFHMET1  DFHSTNDD DFHXSDM  DFHXSIDT DFHXSIS  DFHXSIST
DFHXSJNI DFHXSRC  DFHXSSA  DFHXSSAT DFHXSSI  DFHXSSIT DFHXSSJ
DFHXSSJT DFJ@H356 DFJ@H360 DFJ@H386 DFJ@H427 DFJ@H467 DFJ@H468
DFJDTCOE DFJOUTRE DFJWLPPL

    




Publications Referenced


GC34286100GC34728300GC34741800  





Fix information


    

  • Fixed component name
    CICS TS Z/OS V5
    • 

  • Fixed component ID
    5655Y0400
    • 



Applicable component levels


    

  • R000  PSY  UI49544
       UP17/08/18  P  F708
    • 

  • R00D  PSY  UI49545
       UP17/08/18  P  F708
    • 

  • R100  PSY  UI49546
       UP17/08/18  P  F708
    • 

  • R800  PSY  UI49540
       UP17/08/17  P  F708
    • 

  • R80D  PSY  UI49541
       UP17/08/17  P  F708
    • 

  • R900  PSY  UI49542
       UP17/08/18  P  F708
    • 

  • R90D  PSY  UI49543
       UP17/08/18  P  F708
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.1","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 November 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback