IBM Support

DFHH0001E and DFHH0002E default userid can access CEDA and CECI when using CA-ACF2

Question & Answer


Question

Using CICS Transaction Server for z/OS (CICS TS) V5.3, z/OS V2.2 and CA ACF2, I am seeing health check flags for CICS_CEDA_ACCESS and CICS_JOB_SPOOL in the IBM z/OS Health Checker output. I also see the following Health Checker messages and associated return codes:

DFHH0001E The CEDA transaction is accessible to unauthenticated users.
0802 CEDA installed and DFLTUSER can run it

DFHH0002E The spool is accessible to unauthenticated users
0804 SPOOL=YES, CECI installed and DFLTUSER can run it

When I attempt to run the CEDA transaction in these CICS regions, I am prompted for sign-on due to GMTRAN=CESN being set in the system initialization table (DFHSIT). I also have SEC=YES turned on in the DFHSIT. What else do I need to do to ensure that proper signon is required before the CEDA and CECI transactions can be used in our CICS regions?

Answer

The z/OS Health Checker flagged CEDA and CECI as unprotected. However, any attempt to utilize these transactions without signing onto the CICS region would have failed with the following message:

DFHAC2002 To use this transaction tranid you must sign on or have the right security level.

CICSKEY definitions in the CA ACF2 master or override parms tell ACF2 which types of CICS resources you want to protect. The Health Checker flagged access to the CEDA and CECI transactions because the CA ACF2 CICSKEY setting for transactions was in a DISABLED state, which made the resources appear unprotected.

The CA ACF2 master or override parms should have the following string present:

CICSKEY OPTION=VALIDATE,TYPE=CKC, RESOURCE=TRANS.

With this string present, the resources move to a protected state, and the setting that was shown as DISABLED is now shown as "VALIDATE". You should then no longer receive messages DFHAC2002, DFHH0001E, or DFHH0002E.
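
One way to audit exported parm decks for the statement above, as an added example that is not IBM's or CA's code. It assumes a plain-text deck with one statement per line; the function names and sample decks are constructed, and `OPTION=OTHER` is a placeholder for any setting other than VALIDATE.

```python
import re

# Keywords and values of the statement quoted in the answer above.
REQUIRED = {"OPTION": "VALIDATE", "TYPE": "CKC", "RESOURCE": "TRANS"}

def parse_cicskey(line):
    """Return the keyword=value pairs of one CICSKEY statement, else None."""
    text = line.strip().rstrip(".")          # tolerate a trailing period
    m = re.match(r"(?i)CICSKEY\s+(.*)$", text)
    if not m:
        return None
    pairs = {}
    for item in m.group(1).split(","):       # tolerate blanks after commas
        key, sep, value = item.strip().partition("=")
        if sep:
            pairs[key.strip().upper()] = value.strip().upper()
    return pairs

def audit_parms(deck):
    """Classify the transaction CICSKEY setting found in a parm deck.

    Returns 'validate', 'not-validate', 'conflict' or 'missing'. No
    precedence between statements is assumed, so mixed settings are
    reported as a conflict for a human to resolve.
    """
    seen = set()
    for line in deck.splitlines():
        pairs = parse_cicskey(line)
        if not pairs:
            continue
        if pairs.get("TYPE") != REQUIRED["TYPE"]:
            continue
        if pairs.get("RESOURCE") != REQUIRED["RESOURCE"]:
            continue
        seen.add(pairs.get("OPTION") == REQUIRED["OPTION"])
    if not seen:
        return "missing"
    if seen == {True}:
        return "validate"
    return "not-validate" if seen == {False} else "conflict"

# Constructed sample decks (not taken from a real system).
DECK_OK = "CICSKEY OPTION=VALIDATE,TYPE=CKC, RESOURCE=TRANS.\n"
DECK_OTHER = "cicskey option=OTHER,type=CKC,resource=TRANS\n"
DECK_MISSING = "OTHERPARM VALUE=1\n"

if __name__ == "__main__":
    for name, deck in [("ok", DECK_OK), ("other", DECK_OTHER), ("missing", DECK_MISSING)]:
        print(name, audit_parms(deck))
```

A result other than `validate` marks a region whose parms are worth reviewing before the next Health Checker run.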


Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
07 November 2018

UID

dwa1479280