Monitoring software integrity

Monitor software integrity so that any unintended or unauthorized modification of the software is detected. When you start the software integrity checker, also specify the event option parameters so that the checker issues events. For information on how to do this, see Software Integrity Checker command. Use the following information when monitoring software integrity:
  • Check the system log for messages from the software integrity checker
  • Monitor the events that are issued by the software integrity checker
    Notes:
    • You should register at least for the following events:
      • DNPD1118I indicating that the software integrity checker was started
      • DNPD1111I indicating that there were security findings
    • If you installed an emergency fix (eFix), you should also register for event DNPD1112I indicating that the checksum of a file is not correct (see Emergency fix installation)
    • For information on events issued by the software integrity checker, see the description of messages in DNPD1001E - DNPD1314E
To ensure the integrity of the software integrity checker itself, verify its signature from time to time. To do this:
  1. Issue the following command to check the signature of the software integrity checker's JAR file:
    jarsigner -verify -certs
              -keystore keystore inst_dir/sub_dir/classes/dnpsic.jar
    where:
    keystore
      The keystore file that you created when executing step 1 as described in Certificate keystore (for example, /var/ftmswift_v300/run/ftmswift_keystore.jks)
    inst_dir
      The directory where FTM SWIFT is installed
    sub_dir
      The subdirectory where the classes directory resides. Possible values:
      run
        Specify this value if you issue the command on the installation or runtime system
      admin
        Specify this value if you issue the command on the customization system
    For example:
    jarsigner -verify -certs
              -keystore /var/ftmswift_v300/run/ftmswift_keystore.jks
              /usr/lpp/IBM/ftmswift/v300/run/classes/dnpsic.jar
  2. Ensure that the output of the jarsigner program contains the following information:
    jar verified.
    Note: The following warning can be ignored:
    This jar contains signatures that does not include a timestamp.
    Without a timestamp, users may not be able to validate this jar
    after the signer certificate's expiration date (2022-10-03)
    or after any future revocation date.
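As an added example that is not part of this documentation, the following POSIX shell helpers automate the two checks on this page: scanning the system log for the software integrity checker events listed above, and evaluating the output of the jarsigner command from step 1 (accepting only the ignorable timestamp warning). The log file path, keystore, inst_dir and sub_dir are passed as arguments and are assumptions about your installation.

```shell
#!/bin/sh
# Added example (not part of the FTM SWIFT documentation). Paths are
# supplied by the caller; no installation-specific values are assumed.

# scan_sic_log: print the software integrity checker events worth
# registering for (DNPD1118I started, DNPD1111I security findings,
# DNPD1112I checksum of a file not correct - relevant after an eFix).
# Returns 0 if no findings/checksum events were logged, 1 otherwise.
scan_sic_log() {   # $1 = system log file
  grep -E 'DNPD111[128]I' "$1" || true
  ! grep -qE 'DNPD111[12]I' "$1"
}

# check_jarsigner_output: read "jarsigner -verify" output on stdin.
# Returns 0 if "jar verified." is present and, apart from the ignorable
#           timestamp warning quoted above, nothing else was reported;
#         1 if "jar verified." is missing (unsigned, modified or untrusted);
#         2 if "jar verified." is present but other warnings remain
#           (they are printed so the operator can review them).
check_jarsigner_output() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^jar verified\.$' || return 1
  # Strip the verified line, blank lines, the bare "Warning:" header and
  # the four lines of the timestamp warning (old JDKs print "does not").
  rest=$(printf '%s\n' "$out" \
    | grep -Ev '^jar verified\.$|^Warning:[[:space:]]*$|^[[:space:]]*$' \
    | grep -Ev 'signatures that do(es)? not include a timestamp' \
    | grep -Ev '^Without a timestamp|signer certificate.s expiration date' \
    | grep -Ev '^or after any future revocation date')
  [ -z "$rest" ] && return 0
  printf '%s\n' "$rest"
  return 2
}

# verify_sic_jar: run the command from step 1 and evaluate its output.
verify_sic_jar() {   # $1 = keystore, $2 = inst_dir, $3 = run | admin
  jarsigner -verify -certs -keystore "$1" "$2/$3/classes/dnpsic.jar" 2>&1 \
    | check_jarsigner_output
}
```

Run `verify_sic_jar /path/to/keystore.jks /path/to/inst_dir run` from a scheduled job and alert on any non-zero exit status; scan_sic_log complements the event registration described above rather than replacing it.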