Code checker integrity verification function

This topic provides information about how you can verify the integrity of the code checker function that you use to verify the integrity of your system running the IBM i operating system.

In V5R2, IBM i shipped with a code checking function that you can use to verify the integrity of signed objects on your system, including all operating system code that IBM ships and signs for your system. Beginning in V5R3, you can use the new Check System Application Programming Interface (API) to verify the integrity of the code checking function itself, as well as key operating system objects. Now, IBM signs the Licensed Internal Code (LIC) and you can either use the Check System (QydoCheckSystem) API or the Check Object Integrity (CHKOBJITG) command to verify the LIC.

The Check System (QydoCheckSystem) API provides IBM i system integrity verification. You use this API to verify the programs (*PGM), service programs (*SRVPGM), and selected command (*CMD) objects in the QSYS library. Additionally, the Check System API tests the Restore Object (RSTOBJ) command, the Restore Library (RSTLIB) command, the Check Object Integrity (CHKOBJITG) command, and the Verify Object API. This test ensures that these commands and the Verify Object API report signature validation errors when appropriate; for example, when a system-supplied object is not signed or contains an invalid signature.

The Check System API reports error messages for verification failures and other errors to the job log. However, you can also specify one of two additional error reporting methods, depending on how you set the following options:

  • If the QAUDLVL system value is set to *AUDFAIL, then the Check System API generates auditing records to report any failures and errors that the Restore Object (RSTOBJ), Restore Library (RSTLIB), and Check Object Integrity (CHKOBJITG) commands find.
  • If the user specifies that the Check System API use a results file in the integrated file system, then the API creates the file if it does not exist, or appends to the file if it does, to report any errors or failures that the API finds.