IBM Support

PI76965: CICS HEALTHCHECKER

A fix is available

APAR status

  • Closed as new function.

Error description

  • New function
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: This APAR introduces 3 new Health       *
    *                      Checker for z/OS checks.                *
    ****************************************************************
    This APAR introduces 3 new Health Checker for z/OS checks aimed
    at checking that your CICS regions are correctly configured to
    stop an unauthorised user from submitting JCL to run under
    the region userid.
    
    At CICS TS 5.4 the code is already available in the base.
    This APAR makes a change to the reason codes displayed
    on the Health Checker for z/OS display for each check:
    CICS_CEDA_ACCESS
     CEDA can be used by unauthenticated users
    CICS_JOBSUB_SPOOL
     Jobs can be run with regionid authority
     by unauthenticated users using the SPOOL
    CICS_JOBSUB_TDQINTRDR
     Jobs can be run with regionid authority
     by unauthenticated users using a TDQ
    

Problem conclusion

Temporary fix

Comments

  • This APAR introduces 3 new Health Checker for z/OS checks aimed
    at checking that your CICS regions are correctly configured to
    stop an unauthorised user from submitting JCL to run under the
    region userid. These new checks are called:
    
    CICS_CEDA_ACCESS
    CICS_JOBSUB_SPOOL
    CICS_JOBSUB_TDQINTRDR
    
    If the checks find any regions which are not correctly
    configured, the Health Checker for z/OS will issue message
    HZS0001I CHECK(checkname) to the console; checkname is one of
    the 3 new checks. This will be followed by a message DFHH000nE
    (n is 1-3) giving details of the configuration problem.
    
    Any checks which have failed on any region on the LPAR will
    result in the Health Checker for z/OS displaying an EXCEPTION
    status for the check.
    Further details of the regions which have failed the check,
    and the problem with the configuration,
    can be seen in the Health Checker for z/OS display by selecting
    the check.
    
    New Health Checker for z/OS messages relating to CICS
    
    DFHH0001E The CEDA transaction is accessible to unauthenticated
     users.
    
     Explanation: The IBM supplied transaction CEDA is accessible
     to the default user or CICS security is turned off.
    
     This means anyone who can connect to the IP address and
     port number of one of the CICS regions listed below can
     change the configuration of CICS.
    
     The regions listed below have a RC/RSN with more specific
     information about why the region failed the check:
     0801 CEDA installed and SEC=NO
     0802 CEDA installed and DFLTUSER can run it
     0807 The checking module can't be linked to
    
     System Action: The system continues processing.
    
     Operator Response: Report this error to the System Programmer.
    
     System Programmer Response: Correct the security exposure
     which has been identified.
    
     Reference Documentation: Look at the CICS Knowledge Centre
     for advice on best practice
    
    
    DFHH0002E The spool is accessible to unauthenticated users.
    
     Explanation: The SPOOL=YES is defined and the IBM supplied
     transaction CECI is accessible to the default user or CICS
     security is turned off.
    
     This means anyone who can connect to the IP address and
     port number of one of the CICS regions listed below can submit
     jobs to run on the z/OS system remotely without
     authentication.
    
     The regions listed below have a RC/RSN with more specific
     information about why the region failed the check:
     0803 SPOOL=YES, CECI installed and SEC=NO
     0804 SPOOL=YES, CECI installed and DFLTUSER can run it
     0807 The checking module can't be linked to
    
     System Action: The system continues processing.
    
     Operator Response: Report this error to the System Programmer.
    
     System Programmer Response: Correct the security exposure
     which has been identified.
    
     Reference Documentation: Look at the CICS Knowledge Centre
     for advice on best practice
    
    
    DFHH0003E A TDQ defined to the internal reader
    is accessible to unauthenticated users.
    
     Explanation: At least one TD QUEUE defined to the internal
     reader and the IBM supplied transaction CECI are
     accessible to the default user
     or CICS security is turned off.
    
     This means anyone who can connect to the IP address and
     port number of one of the CICS regions listed below can
     submit jobs to run on the z/OS system remotely
     without authentication.
    
     The regions listed below have a RC/RSN with more specific
     information about why the region failed the check:
     0805 A TDQ accesses INTRDR, CECI is installed and the DFLTUSER
     can run it
     0806 The SVC99 does not support inquire of SYSOUT
     0807 The checking module can't be linked to
     0808 A TDQ accesses INTRDR, CECI is installed and SEC=NO
    
     System Action: The system continues processing.
    
     Operator Response: Report this error to the System Programmer.
    
     System Programmer Response: Correct the security exposure which
     has been identified.
    
     Reference Documentation: Look at the CICS Knowledge Centre for
     advice on best practice
    
    
    DFHH0200E The CICS Health Checker cannot run due to error:
    
     Explanation: The CICS Health Checker was unable to find the
     storage used by CICS regions to record health checks.
    
     System Action: The system continues processing,
     but cannot report on any CICS regions.
    
     Operator Response: Report this error to the System Programmer.
    
     System Programmer Response: Use the debug option on the
     health check to find further details about the problem.
     Report the problem to IBM Service.
    
    
    DFHH0301I All CEDA transactions are protected from
    unauthenticated users.
    
     Explanation: No problems were found with the configuration of
     CEDA which would allow default users access.
     This applies to all CICS regions on this LPAR running
     during the last health check interval.
    
     System Action: The system continues processing.
    
    
    DFHH0302I The spool is protected from unauthenticated users.
    
     Explanation: No problems were found with the configuration of
     the spool which would allow default users access.
     This applies to all CICS regions on this LPAR
     running during the last health check interval.
    
     System Action: The system continues processing.
    
    DFHH0303I No TDQs defined to the internal reader can be
    written to by unauthenticated users.
    
     Explanation: No problems were found with the configuration of
     TDQs defined to the internal reader which would allow
     default users access.
     This applies to all CICS regions on this LPAR running
     during the last health check interval.
    
     System Action: The system continues processing.
    **** PE17/11/02 PTF IN ERROR. SEE APAR PI87204 FOR DESCRIPTION
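
Added example, not IBM's check code: a Python model of the failure conditions listed above for DFHH0001E to DFHH0003E, which an auditor could run over an inventory of region settings before the checks report. The Region fields, the sample regions and the ordering (SEC=NO reported ahead of DFLTUSER access) are assumptions; reason codes 0806 and 0807 describe problems running the check itself and are not modelled.

```python
from dataclasses import dataclass

CHECKS = ("CICS_CEDA_ACCESS", "CICS_JOBSUB_SPOOL", "CICS_JOBSUB_TDQINTRDR")

@dataclass
class Region:                     # hypothetical inventory record, one per CICS region
    applid: str
    sec: bool                     # True for SEC=YES, False for SEC=NO
    spool: bool                   # True for SPOOL=YES
    ceda_installed: bool
    ceci_installed: bool
    dfltuser_ceda: bool           # default user is permitted to run CEDA
    dfltuser_ceci: bool           # default user is permitted to run CECI
    tdq_to_intrdr: bool           # at least one TDQ is defined to the internal reader

def _exposed(installed, sec, dfltuser_ok, rsn_sec_no, rsn_dfltuser):
    """Reason code if the transaction is open to unauthenticated users, else None."""
    if not installed:
        return None
    if not sec:                   # assumption: SEC=NO takes precedence over DFLTUSER access
        return rsn_sec_no
    return rsn_dfltuser if dfltuser_ok else None

def evaluate(r):
    """Return {check name: reason code} for every check the region would fail."""
    findings = {}
    rsn = _exposed(r.ceda_installed, r.sec, r.dfltuser_ceda, "0801", "0802")
    if rsn:
        findings["CICS_CEDA_ACCESS"] = rsn
    if r.spool:                   # spool exposure needs SPOOL=YES plus reachable CECI
        rsn = _exposed(r.ceci_installed, r.sec, r.dfltuser_ceci, "0803", "0804")
        if rsn:
            findings["CICS_JOBSUB_SPOOL"] = rsn
    if r.tdq_to_intrdr:           # TDQ exposure needs an INTRDR queue plus reachable CECI
        rsn = _exposed(r.ceci_installed, r.sec, r.dfltuser_ceci, "0808", "0805")
        if rsn:
            findings["CICS_JOBSUB_TDQINTRDR"] = rsn
    return findings

def lpar_exceptions(regions):
    """Per check, the (applid, reason) pairs that fail; non-empty means EXCEPTION."""
    failing = {check: [] for check in CHECKS}
    for r in regions:
        for check, rsn in evaluate(r).items():
            failing[check].append((r.applid, rsn))
    return failing

SAMPLE = [                        # constructed regions, not taken from the APAR
    Region("CICSA", False, True, True, True, False, False, False),
    Region("CICSB", True, False, True, True, False, True, True),
    Region("CICSC", True, True, True, True, False, False, True),
]
```

A single failing region is enough to put a check into EXCEPTION for the whole LPAR, which is why `lpar_exceptions` aggregates across regions rather than reporting per region.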
    

APAR Information

  • APAR number

    PI76965

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    800

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-21

  • Closed date

    2017-08-15

  • Last modified date

    2017-11-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI49540 UI49541 UI49542 UI49543 UI49544 UI49545 UI49546

Modules/Macros

  • DFH$CAT1 DFHAPJVM DFHAXIS2 DFHCDJNI DFHFORMS DFHHCADD DFHHCC1
    DFHHCC2  DFHHCC3  DFHHCCHK DFHHCHK  DFHHZMSG DFHMEHCC DFHMEHCE
    DFHMEHCK DFHMET1  DFHSTNDD DFHXSDM  DFHXSIDT DFHXSIS  DFHXSIST
    DFHXSJNI DFHXSRC  DFHXSSA  DFHXSSAT DFHXSSI  DFHXSSIT DFHXSSJ
    DFHXSSJT DFJ@H356 DFJ@H360 DFJ@H386 DFJ@H427 DFJ@H467 DFJ@H468
    DFJDTCOE DFJOUTRE DFJWLPPL
    

Publications Referenced
GC34286100 GC34728300 GC34741800    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R000 PSY UI49544

       UP17/08/18 P F708

  • R00D PSY UI49545

       UP17/08/18 P F708

  • R100 PSY UI49546

       UP17/08/18 P F708

  • R800 PSY UI49540

       UP17/08/17 P F708

  • R80D PSY UI49541

       UP17/08/17 P F708

  • R900 PSY UI49542

       UP17/08/18 P F708

  • R90D PSY UI49543

       UP17/08/18 P F708

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: CICS Transaction Server

Software version: 5.1

Reference #: PI76965

Modified date: 02 November 2017