CICS_RESOURCE_CONFIGURATION

CICS_RESOURCE_CONFIGURATION checks that configuration of the CICS® resources aligns to best practice recommendations for production regions.

Description
This check reviews a set of CICS resource configuration settings to ensure alignment to best practice.
Reason for check:
Validate that access to key resources aligns to best practice recommendations for production regions.

See Table 1 for details.

z/OS® releases the check applies to:
Any z/OS release that supports CICS TS 6.1 or later.
Minimum CICS TS release required:
CICS TS 6.1 or later.
Type of check (local, remote, or Rexx):
Local.
User override of IBM® values:
No.
Debug support:
  • 6.2 and later: Yes.
  • 6.1: No.
Verbose support:
No.
Parameters accepted:
None.
Reference:
For more information about applicable guidance, see Table 1.
Messages:
Table 1 displays the list of messages for this check. See also Reference: IBM Health Checker for z/OS messages related to CICS.
The rule checks for these conditions:
Table 1. Conditions checked
Condition checked: CEDF, CECI, or CEMT transactions are installed and the default user can access them.
Related risk or concern and applicable guidance: It is a potential security risk if the default user can run any of the checked transactions in a production region. You are advised to remove access for the default user.
Message displayed: DFHH0501 (Exception)

Condition checked: Review TCPIPSERVICE definitions for use of the IPIC protocol with a user replaceable module (URM) of DHISAPI.
Related risk or concern and applicable guidance: Using this URM allows any client to connect and automatically install a connection. Learn more about Defining IPIC connections
Message displayed: DFHH0502 (Exception)

Condition checked: Validate if clones of sensitive transactions exist. The list of transactions that are checked for clones is:
  • CEMT
  • CEDA
  • CECI
  • CEDF
  • CEDX
  • CETR
  • CLER
Related risk or concern and applicable guidance: Unauthorized users might run the cloned transaction, which represents a security risk to the region. You are advised to review access to the cloned transactions or remove them.
Message displayed: DFHH0503 (Exception)

Condition checked: Evaluate if any TCPIPSERVICE definitions exist that do not use SSL and are defined with AUTHENTICATE(NO) or AUTHENTICATE(BASIC).
Related risk or concern and applicable guidance: Any TCPIPSERVICE that is not configured with TLS and is set up with either AUTHENTICATE(NO) or AUTHENTICATE(BASIC) is not secure. Learn more about TCPIPSERVICE resource
Message displayed: DFHH0504 (Exception)

Condition checked: (6.3 beta) If XCMD=YES, a check is made for transactions that specify CMDSEC(NO).
Related risk or concern and applicable guidance: If XCMD=YES and a transaction is defined with CMDSEC(NO), security checking is unavailable for those transactions. You are advised to review access and secure transactions.
Message displayed: DFHH0505 (Warning)
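
The following is an added example, not IBM code and not the health check's own implementation: a Python pre-screen that applies the DFHH0502, DFHH0504 and DFHH0505 conditions from Table 1 to resource definitions before they reach a production region. The input is a constructed, simplified set of DFHCSDUP-style DEFINE statements, the resource names are hypothetical, and the script assumes that an omitted SSL, AUTHENTICATE or CMDSEC attribute takes the value NO.

```python
import re

# Constructed sample input (not from the page): simplified DFHCSDUP-style
# DEFINE statements, one resource per statement, continuation lines indented.
SAMPLE = """\
DEFINE TCPIPSERVICE(WEBPLAIN) GROUP(PRODWEB) PORTNUMBER(8080)
       PROTOCOL(HTTP) SSL(NO) AUTHENTICATE(BASIC)
DEFINE TCPIPSERVICE(WEBTLS) GROUP(PRODWEB) PORTNUMBER(8443)
       PROTOCOL(HTTP) SSL(YES) AUTHENTICATE(BASIC)
DEFINE TCPIPSERVICE(IPICAUTO) GROUP(PRODIPIC) PORTNUMBER(9000)
       PROTOCOL(IPIC) SSL(YES) URM(DHISAPI)
DEFINE TRANSACTION(PAY1) GROUP(PRODAPP) PROGRAM(PAYPROG)
DEFINE TRANSACTION(PAY2) GROUP(PRODAPP) PROGRAM(PAYPROG) CMDSEC(YES)
"""

AUTOINSTALL_URM = "DHISAPI"  # URM name exactly as written on this page
# Assumption: an omitted attribute takes its default value, NO in each case.
DEFAULTS = {"SSL": "NO", "AUTHENTICATE": "NO", "CMDSEC": "NO"}

def parse_defines(text):
    """Yield (type, name, attrs) for each DEFINE statement in the text."""
    for stmt in re.split(r"(?m)^(?=DEFINE\s)", text):
        pairs = re.findall(r"([A-Z]+)\(([^)]*)\)", stmt.upper())
        if pairs:
            (rtype, name), attrs = pairs[0], dict(pairs[1:])
            yield rtype, name, {**DEFAULTS, **attrs}

def audit(text, xcmd="YES"):
    """Return sorted (message, resource) findings for the Table 1 conditions.
    xcmd is the region's XCMD system initialization parameter value."""
    findings = []
    for rtype, name, a in parse_defines(text):
        if rtype == "TCPIPSERVICE":
            # DFHH0502: IPIC service that names the autoinstall URM
            if a.get("PROTOCOL") == "IPIC" and a.get("URM") == AUTOINSTALL_URM:
                findings.append(("DFHH0502", name))
            # DFHH0504: no SSL/TLS combined with AUTHENTICATE NO or BASIC
            if a["SSL"] == "NO" and a["AUTHENTICATE"] in ("NO", "BASIC"):
                findings.append(("DFHH0504", name))
        elif rtype == "TRANSACTION":
            # DFHH0505: command security active, transaction opts out
            if xcmd == "YES" and a["CMDSEC"] == "NO":
                findings.append(("DFHH0505", name))
    return sorted(findings)

if __name__ == "__main__":
    for msg, name in audit(SAMPLE):
        print(msg, name)
```

PAY1 is reported only because CMDSEC is omitted and falls back to NO, which is the case most easily missed when reviewing definitions by eye.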