IBM Health Checker for z/OS
IBM® Health Checker for z/OS® is a z/OS component that installations can use to gather information about their system environment and system parameters to help identify potential configuration problems before they impact availability or cause outages. Individual products, z/OS components, or ISV software can provide checks that take advantage of the IBM Health Checker for z/OS framework.
For more information about IBM Health Checker for z/OS, see IBM Health Checker for z/OS: User's Guide.
- CSAPP_FTPD_ANONYMOUS_JES
- Checks whether the following statements have been configured for an FTP server:
- ANONYMOUS
- ANONYMOUSLEVEL 3
- ANONYMOUSFILETYPEJES FALSE
- CSAPP_MVRSHD_RHOSTS_DATA
- Checks whether the MVRSHD server is active and if an RSH client has been detected using RHOSTS.DATA datasets for authentication. The MVRSHD server supports the RSH and REXEC protocols which transfer user ID and password information in the clear. There is also the potential of weak authentication for RSH clients that use RHOSTS.DATA datasets. This authentication method allows remote command execution without requiring the RSH client to supply a password.
- CSAPP_SNMPAGENT_PUBLIC_COMMUNITY
- Checks whether the SNMP agent has been configured with a community name of public. The community name of public is a well-known name and should not be used with community-based security due to security considerations.
- CSRES_AUTOQ_GLOBALTCPIPDATA
- Checks whether the AUTOQUIESCE operand has been specified on the UNRESPONSIVETHRESHOLD resolver setup statement and that the GLOBALTCPIPDATA resolver setup statement has not been specified in the resolver setup file.
- CSRES_AUTOQ_RESOLVEVIA
- Checks whether the RESOLVEVIA statement has been specified with the value TCP in the global TCPIP.DATA file when the autonomic quiescing of unresponsive name servers function is active.
- CSRES_AUTOQ_TIMEOUT
- Checks whether the configured resolver timeout value in the global TCPIP.DATA file exceeds the optimal setting when the autonomic quiescing of unresponsive name servers function is active. By default, this check is performed once when the resolver is initialized and whenever a MODIFY REFRESH command is issued. This default value can be overridden on either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command.
- CSTCP_CINET_PORTRNG_RSV_TCPIPstackname
- Checks whether the port range specified by INADDRANYPORT and INADDRANYCOUNT in the BPXPRMxx parmlib member is reserved for OMVS on this stack, when operating in a CINET environment. A port range is reserved on a TCP/IP stack using the PORTRANGE TCP/IP profile statement. By default, this check is performed once at stack initialization. This default can be overridden on either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. The check name is suffixed by TCPIPstackname, which is the job name of each TCP/IP stack that is started, to define a separate check for each stack.
- CSTCP_IPMAXRT4_TCPIPstackname
- Checks whether the total number of IPv4 indirect routes in the
TCP/IP stack routing table has exceeded the maximum threshold. When
this threshold is exceeded, OMPROUTE and the TCP/IP stack can potentially
experience high CPU consumption from routing changes. A large routing
table is considered to be inefficient in network design and operation.
By default, this check is performed at the following times:
- Whenever the total number of indirect routes exceeds the maximum threshold (default 2000)
- 30 minutes after stack initialization (provided that the maximum threshold has not been exceeded)
- Specified interval (default 168 hours for weekly)
- CSTCP_IPMAXRT6_TCPIPstackname
- Checks whether the total number of IPv6 indirect routes in the
TCP/IP stack routing table has exceeded the maximum threshold. When
this threshold is exceeded, OMPROUTE and the TCP/IP stack can potentially
experience high CPU consumption from routing changes. A large routing
table is considered to be inefficient in network design and operation.
By default, this check is performed at the following times:
- Whenever the total number of indirect routes exceeds the maximum threshold (default 2000)
- 30 minutes after stack initialization (provided that the maximum threshold has not been exceeded)
- Specified interval (default 168 hours for weekly)
The defaults for the maximum threshold and interval can be overridden on either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. The check name is suffixed by TCPIPstackname, which is the job name of each TCP/IP stack that is started, to define a separate check for each stack.
- CSTCP_IWQ_IPSEC_TCPIPstackname
- Checks whether a QDIO interface defined on a TCP/IP stack has support for inbound workload
queueing (IWQ) of IPSec traffic (this is supported by OSA-Express6S and beyond), and whether the
TCP/IP stack is configured to have IPSec enabled. If these conditions are met, an additional
ancillary input queue (AIQ) is established for IPSec inbound traffic. Each AIQ increases fixed
storage utilization. It should be ensured that there is sufficient fixed storage for the AIQ for
IPSec traffic. See IP services: Ensure storage availability for IWQ IPSec
traffic in z/OS Upgrade Workflow for information on how
much storage is needed for IWQ for IPSec.
By default, this check will be performed once at stack initialization. The check name is suffixed by TCPIPstackname, which is the job name of each TCP/IP stack that is started, to define a separate check for each stack.
- CSTCP_SYSTCPIP_CTRACE_TCPIPstackname
- Checks whether TCP/IP Event Trace (SYSTCPIP) is active with options other than the default options (MINIMUM, INIT, OPCMDS, or OPMSGS). By default, this check will be performed once at stack initialization and then will be repeated once every 24 hours. This default can be overridden on either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. The check name is suffixed by TCPIPstackname, which is the job name of each TCP stack that is started, to define a separate check for each stack.
- CSTCP_SYSPLEXMON_RECOV_TCPIPstackname
- Checks whether the IPCONFIG DYNAMICXCF or IPCONFIG6 DYNAMICXCF parameters have been specified and the GLOBALCONFIG SYSPLEXMONITOR RECOVERY parameter has been specified. This check produces an exception message if the IPCONFIG DYNAMICXCF or IPCONFIG6 DYNAMICXCF parameters were specified, but the GLOBALCONFIG SYSPLEXMONITOR NORECOVERY parameter is in effect. By default, this check is performed once at stack initialization. This default can be overridden on either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. The check name is suffixed by TCPIPstackname, which is the job name of each TCP stack that is started, to define a separate check for each stack.
- CSTCP_TCPMAXRCVBUFRSIZE_TCPIPstackname
- Checks whether the configured TCP maximum receive buffer size is sufficient to provide optimal support to the z/OS Communications Server FTP Server. By default, this check is performed once at stack initialization and whenever a VARY TCPIP,,OBEYFILE command changes the TCPMAXRCVBUFRSIZE parameter. By default, it checks that TCPMAXRCVBUFRSIZE is at least 180K. These defaults can be overridden on either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. The check name is suffixed by TCPIPstackname, which is the job name of each TCP stack that is started, to define a separate check for each stack.
- ZOSMIGV2R4PREV_CS_IWQSC_TCPIPstackname
- This is a migration health check. It checks whether the TCP/IP stack has IWQ and IPSec enabled,
and whether any of the QDIO interfaces configured on the stack do not support IWQ IPSec. If IWQ and
IPSec are enabled, but a QDIO interface does not support IWQ IPSec, then this check will trigger an
exception. In case of migration to an OSA-Express6S, IWQ IPSec support will automatically turn on,
and an additional ancillary input queue (AIQ) will be established for IPSec inbound traffic. Each
AIQ increases fixed storage utilization. It should be ensured that there is sufficient fixed storage
for the AIQ for IPSec traffic. See IP services: Ensure storage
availability for IWQ IPSec traffic in z/OS Upgrade Workflow
for information on how much storage is needed for IWQ for IPSec.
The check name is suffixed by TCPIPstackname, which is the job name of each TCP/IP stack that is started, to define a separate check for each stack.
- ZOSMIGV2R4_NEXT_CS_DCAS_NTVSSL
- Checks whether native TLS/SSL support is in use for Digital Certificate Access Server (DCAS). By default, this check is inactive. This default can be overridden on a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. If an IBM Health Checker for z/OS exception message is generated, migration must be performed.
- ZOSMIG2R4_NEXT_CS_FTPSRV_NTVSSL
- Checks whether native TLS/SSL support is in use for any active FTP servers. By default, this check is inactive. This default can be overridden on a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. If an IBM Health Checker for z/OS exception message is generated, migration must be performed.
- ZOSMIG2R4_NEXT_CS_FTPSRV_RFCLVL
- Checks whether one or more active FTP servers are configured with TLSRFCLEVEL CCCNONOTIFY, TLSMECHANISM ATTLS, and EXTENSIONS AUTH_TLS. By default, this check is inactive. This default can be overridden on a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. If an IBM Health Checker for z/OS exception message is generated, migration must be performed.
- ZOSMIGV2R4_NEXT_CS_FTPCLI_RFCLVL
- Checks whether one or more active FTP clients are configured with TLSRFCLEVEL CCCNONOTIFY, TLSMECHANISM ATTLS, and SECURE_MECHANISM TLS. By default, this check is inactive. This default can be overridden on a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. If an IBM Health Checker for z/OS exception message is generated, migration must be performed.
- ZOSMIGV2R4_NEXT_CS_TN3270_NTVSSL
- Checks whether native TLS/SSL support is in use for any active TN3270 servers. By default, this check is inactive. This default can be overridden on a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. If an IBM Health Checker for z/OS exception message is generated, migration must be performed.