Digital signatures

This topic provides information about what IBM i digital signatures are and what protection they provide.

IBM i provides support for using digital certificates to digitally "sign" objects. A digital signature on an object is created by using a form of cryptography and is like a personal signature on a written document. A digital signature provides proof of the object's origin and a means by which to verify the object's integrity. A digital certificate owner "signs" an object by using the certificate's private key. The recipient of the object uses the certificate's corresponding public key to decrypt the signature, which verifies the integrity of the signed object and verifies the sender as the source.

Object signing support augments traditional system tools for controlling who can change objects. Traditional controls cannot protect an object from unauthorized tampering while the object is in transit across the Internet or other untrusted network. Because you can detect whether the contents of an object have been changed since they were signed, you can more easily determine whether to trust objects that you obtain in cases such as these.

A digital signature is an encrypted mathematical summary of the data in an object. The object and its contents are not encrypted and made private by the digital signature; however, the summary itself is encrypted to prevent unauthorized changes to it. Anyone who wants to ensure that the object has not been changed in transit and that the object originated from an accepted, legitimate source can use the signing certificate's public key to verify the original digital signature. If the signature no longer matches, the data may have been altered. In such a case, the recipient can avoid using the object and can instead contact the signer to obtain another copy of the signed object.

The signature on an object represents the system that signed the object, not a specific user on that system (although the user must have the appropriate authority to use the certificate for signing objects).

If you decide that using digital signatures fits your security needs and policies, you need to evaluate whether to use public certificates versus issuing local certificates. If you intend to distribute objects to users in the general public, you need to consider using certificates from a well-known public Certificate Authority (CA) to sign objects. Using public certificates ensures that others can easily and inexpensively verify the signatures that you place on objects that you distribute to them. If, however, you intend to distribute objects solely within your organization, you may prefer to use Digital Certificate Manager (DCM) to operate your own Local CA to issue certificates for signing objects. Using private certificates from a Local CA to sign objects is less expensive than purchasing certificates from a well-known public CA.

Types of digital signatures

You can sign command (*CMD) objects; you also can choose one of two types of signatures for *CMD objects: core object signatures or entire object signatures.

  • Entire object signatures: This type of signature includes all but a few nonessential bytes of the object.
  • Core object signatures: This type of signature includes the essential bytes of the *CMD object. However, the signature does not include those bytes that are subject to more frequent changes. This type of signature allows some changes to be made to the command without invalidating the signature. Which bytes the core object signature does not include varies based on the specific *CMD object; core signatures do not include parameter defaults on the *CMD objects, for example. Examples of changes that will not invalidate a core object signature include:
    • Changing command defaults.
    • Adding a validity checking program to a command that does not have one.
    • Changing the Where allowed to run parameter.
    • Changing the Allow limited users parameter.
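The following added example (not IBM i code) models the core versus entire signature distinction on a dictionary that stands in for a *CMD object: the entire signature covers every field, while the core signature skips the changeable fields listed above, so changing a default invalidates only the entire signature while altering the command processing program invalidates both. The signing step is textbook RSA over a SHA-256 digest with two small Mersenne primes so that it runs with only the standard library; the key, field names and sample object are constructed for illustration and are not what IBM i uses.

```python
# Added example (not IBM i code): a dict models a *CMD object; the "entire"
# signature covers every field, the "core" signature skips the changeable
# fields the text lists. Textbook RSA with two small Mersenne primes keeps it
# standard-library only; it is for illustration, not what IBM i uses.
import hashlib
import json

P, Q = 2**31 - 1, 2**61 - 1          # Mersenne primes M31 and M61 (toy key)
N, E = P * Q, 65537                  # public key
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent

# Fields a core signature leaves out (the changes listed on the page).
NONESSENTIAL = {"defaults", "where_allowed_to_run",
                "allow_limited_users", "validity_check_program"}

def digest(cmd: dict, core: bool) -> int:
    """SHA-256 over a canonical serialization, reduced into the RSA modulus."""
    fields = {k: v for k, v in cmd.items() if not (core and k in NONESSENTIAL)}
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % N

def sign(cmd: dict, core: bool) -> int:
    """Signer: the summary is encrypted with the private key."""
    return pow(digest(cmd, core), D, N)

def verify(cmd: dict, sig: int, core: bool) -> bool:
    """Recipient: decrypt with the public key and compare to a fresh summary."""
    return pow(sig, E, N) == digest(cmd, core)

# Constructed sample object, not a real IBM i command definition.
SAMPLE_CMD = {
    "name": "MYCMD", "cpp": "MYLIB/MYCPP", "parameters": ["FILE", "MBR"],
    "defaults": {"MBR": "*FIRST"}, "where_allowed_to_run": ["*BATCH"],
    "allow_limited_users": False, "validity_check_program": None,
}

def demo() -> dict:
    """Which signature survives which kind of change."""
    entire, core = sign(SAMPLE_CMD, False), sign(SAMPLE_CMD, True)
    default_changed = dict(SAMPLE_CMD, defaults={"MBR": "*LAST"})
    cpp_changed = dict(SAMPLE_CMD, cpp="OTHERLIB/MYCPP")
    return {
        "untouched_entire": verify(SAMPLE_CMD, entire, False),
        "untouched_core": verify(SAMPLE_CMD, core, True),
        "default_changed_entire": verify(default_changed, entire, False),
        "default_changed_core": verify(default_changed, core, True),
        "cpp_changed_core": verify(cpp_changed, core, True),
    }

if __name__ == "__main__":
    print(demo())
```

A real deployment would use a certificate from a public or Local CA as the text describes; the toy key here only exists to keep the mechanism visible in a few lines.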