Digital certificates for verifying object signatures

IBM® i provides support for using certificates to verify digital signatures on objects. Anyone who wants to ensure that a signed object has not been changed in transit and that the object originated from an accepted source can use the signing certificate's public key to verify the original digital signature.

If the signature no longer matches, the data may have been altered. In such a case, the recipient can avoid using the object and can instead contact the signer to obtain another copy of the signed object.

The signature on an object represents the system that signed the object, not a specific user on that system. As part of the process of verifying digital signatures, you must decide which Certificate Authorities you trust and which certificates you trust for signing objects. When you elect to trust a Certificate Authority (CA), you can elect whether to trust signatures that someone creates by using a certificate that the trusted CA issued. When you elect not to trust a CA, you also are electing not to trust certificates that the CA issues or signatures that someone creates by using those certificates.

Verify object restore (QVFYOBJRST) system value

If you decide to perform signature verification, one of the first important decisions you must make is to determine how important signatures are for objects being restored to your system. You control this with a system value called Verify object signatures during restore (QVFYOBJRST). The default setting for this system value allows unsigned objects to be restored, but ensures that signed objects can be restored only if the objects have a valid signature. The system defines an object as signed only if the object has a signature that your system trusts; the system ignores other, "untrusted" signatures on the object and treats the object as if it is unsigned.

There are several values that you can use for the QVFYOBJRST system value, ranging from ignoring all signatures to requiring valid signatures for all objects that the system restores. This system value only affects executable objects that are being restored, not save files or integrated file system files. To learn more about using this and other system values, see the System Value Finder in the IBM i Information Center.

You use Digital Certificate Manager (DCM) to implement your certificate and CA trust decisions as well as to manage the certificates that you use to verify object signatures. You can also use DCM to sign objects and to verify object signatures.