Diagnosing multilevel security consistency check messages (EZD1215-EZD1234)

Secure communication in a multilevel secure environment requires configuration of several statements in the TCPIP.PROFILE and security server resource profiles in the SERVAUTH, SECLABEL and STARTED classes. Inconsistencies in this configuration can allow unintended communication or prevent intended communication. When the RACF® MLACTIVE option is set, TCP/IP checks the TCPIP.PROFILE and security server resource profiles for consistency. Consistency checking occurs at TCP/IP initialization, when a VARY TCPIP,,OBEYFILE command is processed and when RACF sends an ENF signal specifying that a RACLIST REFRESH was done on the SERVAUTH or SECLABEL class.

TCP/IP writes an informational message to the job log for each inconsistency detected. If inconsistencies are found, a final message, EZD1217I, summarizing the number of problems found is written to the system console. You should check the job log for messages in the range EZD1219I-EZD1234I whenever message EZD1217I appears on the system console. You should correct your configuration as indicated by the job log messages until TCP/IP no longer detects any errors.
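The check described above can be automated. The following is an added example, not IBM code: it looks for EZD1217I in captured console output and collects the EZD1219I-EZD1234I messages from a captured job log. The function name `triage`, the line layout (timestamp and job ID prefix) and all message texts are assumptions constructed for illustration.

```python
import re
from collections import Counter

# An EZD message ID: prefix, four digits, one severity letter (e.g. EZD1219I).
MSG_ID = re.compile(r"\bEZD(\d{4})([A-Z])\b")
SUMMARY = 1217                 # EZD1217I: summary written to the system console
DETAIL = range(1219, 1235)     # EZD1219I-EZD1234I: one job log message per inconsistency

def triage(console_lines, joblog_lines):
    """Report whether the summary appeared and which detail messages to fix."""
    summary_seen = any(
        m and int(m.group(1)) == SUMMARY and m.group(2) == "I"
        for m in map(MSG_ID.search, console_lines)
    )
    counts, details = Counter(), []
    for line in joblog_lines:
        m = MSG_ID.search(line)
        if m and int(m.group(1)) in DETAIL and m.group(2) == "I":
            counts[m.group(0)] += 1
            details.append(line.rstrip())
    return {
        "summary_seen": summary_seen,
        "detail_counts": dict(counts),
        "details": details,
        # Summary seen, but the supplied job log holds no detail messages.
        "joblog_missing": summary_seen and not details,
    }

# Constructed sample input: timestamps, job IDs and message texts are placeholders.
CONSOLE = [
    "09.14.02 STC00042  ABC0001I (constructed unrelated message)",
    "09.14.03 STC00042  EZD1217I (constructed summary text)",
]
JOBLOG = [
    "09.14.03 STC00042  EZD1219I (constructed detail text)",
    "09.14.03 STC00042  EZD1226I (constructed detail text)",
    "09.14.03 STC00042  EZD1226I (constructed detail text)",
    # In the title's range, but below the job log range the page names.
    "09.14.03 STC00042  EZD1215I (constructed text)",
]

if __name__ == "__main__":
    report = triage(CONSOLE, JOBLOG)
    print(report["summary_seen"], report["detail_counts"])
    for line in report["details"]:
        print(line)
```

A `joblog_missing` value of `True` means EZD1217I was seen but the supplied job log contained none of the detail messages, so a different job log should be searched.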

TCP/IP's default behavior is to continue running when inconsistent security configurations are detected. If you plan to run in a multilevel-secure environment, it is recommended that you specify GLOBALCONFIG MLSCHKTERMINATE in your TCPIP.PROFILE when running production workloads and GLOBALCONFIG NOMLSCHKTERMINATE while you are making planned changes to your security environment.