z/OS Security Server RACF Security Administrator's Guide


Discovering if signed programs currently execute on your systems

SA23-2289-00

You can optionally enable SMF logging of signature verification events by performing "Steps for discovering if signed programs currently execute on your systems (optional)". By doing so, you can later examine the SMF records using the SMF data unload utility (IRRADU00) to discover if any of your controlled programs are digitally signed and, if so, by whom. Once you identify a signer, obtain the signer's root CA in preparation for completing "Steps for verifying a signed program".

For information about using the SMF data unload utility (IRRADU00), see z/OS Security Server RACF Auditor's Guide.

To enable SMF logging for this purpose, modify one or more PROGRAM profiles to specify the following signature verification options. Using these specific options ensures that no load failures occur due to signature verification failures.

SIGREQUIRED(NO)
    Specifies that no digital signatures are required.
FAILLOAD(NEVER)
    Specifies that no program load should fail due to a signature verification failure.
SIGAUDIT(ALL)
    Specifies that all signature verification events will be logged, regardless of success or failure.

Once you perform "Steps for discovering if signed programs currently execute on your systems (optional)", if any controlled program is digitally signed, RACF® will attempt to verify the signature upon load. Each signature verification will result in a failure until you complete "Steps for preparing RACF to verify signed programs (one-time setup)" and "Steps for verifying a signed program". Each signature verification failure will be logged to SMF and related error messages will be issued to the console.

Sample error messages:

ICH441I Program signature error 0x00/0x00000074 for program PROGXYZ 
        in library LXYZR11.LIBRARY. Load processing continues.
ICH450I The RACF program verification module is not loaded.        
        Program signature verification is not available.           
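
The following Python script is an added example, not part of the IBM documentation. It folds wrapped console messages of the shape shown above, tallies ICH441I events per program and library, and notes whether ICH450I appeared. The log excerpt is constructed, and the assumption that continuation lines are indented as in the sample is this example's own.

```python
import re
from collections import Counter

# Constructed console excerpt modelled on the sample messages above; the
# PROGABC / LABCR11.LIBRARY names are made up for illustration.
SAMPLE_LOG = """\
ICH441I Program signature error 0x00/0x00000074 for program PROGXYZ
        in library LXYZR11.LIBRARY. Load processing continues.
ICH450I The RACF program verification module is not loaded.
        Program signature verification is not available.
ICH441I Program signature error 0x00/0x00000074 for program PROGXYZ
        in library LXYZR11.LIBRARY. Load processing continues.
ICH441I Program signature error 0x00/0x00000074 for program PROGABC
        in library LABCR11.LIBRARY. Load processing continues.
"""

MSG_START = re.compile(r"\b(ICH\d{3}[A-Z])\s+(.*)")
ICH441I = re.compile(
    r"Program signature error (0x[0-9A-Fa-f]+/0x[0-9A-Fa-f]+) "
    r"for program (\S+) in library (\S+?)\.(?:\s|$)"
)


def join_messages(text):
    """Fold indented continuation lines into [msgid, full_text] pairs."""
    messages = []
    for line in text.splitlines():
        start = MSG_START.search(line)
        if start:
            messages.append([start.group(1), start.group(2).strip()])
        elif messages and line[:1].isspace() and line.strip():
            # Assumption: wrapped text is indented, as in the sample above.
            messages[-1][1] += " " + line.strip()
    return messages


def summarize(text):
    """Count ICH441I events per (program, library, codes); flag ICH450I."""
    events = Counter()
    verifier_missing = False
    for msgid, body in join_messages(text):
        if msgid == "ICH450I":
            verifier_missing = True
        elif msgid == "ICH441I":
            m = ICH441I.search(body)
            if m:
                codes, program, library = m.groups()
                events[(program, library, codes)] += 1
    return events, verifier_missing
```

Calling `summarize()` on a saved console log returns the per-program counts and a flag showing whether ICH450I was seen, which separates failures caused by the verification module not being loaded from other signature errors.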





Copyright IBM Corporation 1990, 2014