Verify Object on Restore (QVFYOBJRST)

The Verify Object on Restore (QVFYOBJRST) system value determines whether objects are required to have digital signatures in order to be restored to your system.

You can prevent anyone from restoring an object, unless that object has a correct digital signature from a trusted software provider. This value applies to objects of types: *PGM, *SRVPGM, *SQLPKG, *CMD and *MODULE. It also applies to *STMF objects which contain Java™ programs.

When an attempt is made to restore an object onto the system, three system values work together as filters to determine if the object is allowed to be restored. The first filter is the Verify Object on Restore (QVFYOBJRST) system value. It is used to control the restore of some objects that can be digitally signed. The second filter is the Force Conversion on Restore (QFRCCVNRST) system value. This system value allows you to specify whether to convert programs, service programs, SQL packages, and module objects during the restore. It can also prevent some objects from being restored. Only objects that can get past the first two filters are processed by the third filter. The third filter is the Allow Object on Restore (QALWOBJRST) system value. It specifies whether objects with security-sensitive attributes can be restored.

If Digital Certificate Manager (IBM i option 34) is not installed on the system, all objects except those signed by a system trusted source are treated as unsigned when determining the effects of the QVFYOBJRST system value during a restore operation.

Program, service program and module objects that are created or converted on a system with a release before V6R1 are treated as unsigned when they are restored to a V6R1 or later system. Likewise, program, service program and module objects that are created or converted on a V6R1 or later release are treated as unsigned when they are restored to a system before V6R1.

A change to this system value takes effect immediately.

Notes:
  1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
  2. Objects that have the system-state attribute and objects that have the inherit-state attribute are required to have a valid signature from a system-trusted source. Objects in Licensed Internal Code PTFs are also required to have a valid signature from a system-trusted source. If these objects do not have a valid signature, they cannot be restored, regardless of the value of the QVFYOBJRST system value.
Attention: When your system is shipped, the QVFYOBJRST system value is set to 3. If you change the value of QVFYOBJRST, it is important to set the QVFYOBJRST value to 3 or lower before installing a new release of the IBM i operating system.
Table 1. Possible values for the QVFYOBJRST system value:
Value Description
1 Do not verify signatures on restore. Restore all user-state objects regardless of their signature.

Do not use this value unless you have signed objects to restore which will fail their signature verification for some acceptable reason.
2 Verify objects on restore. Restore unsigned commands and user-state objects. Restore signed commands and user-state objects, even if the signatures are not valid.

Use this value only if certain objects that you want to restore contain signatures that are not valid. In general, it is not recommended to restore objects with signatures that are not valid on your system.
3 Verify signatures on restore. Restore unsigned commands and user-state objects. Restore signed commands and user-state objects only if the signatures are valid.

Use this value for normal operations, when you expect some of the objects you restore to be unsigned, but you want to ensure that all signed objects have signatures that are valid. Commands and programs you have created or purchased before digital signatures were available will be unsigned. This value allows those commands and programs to be restored. This is the default value.
4 Verify signatures on restore. Do not restore unsigned commands and user-state objects. Restore signed commands and user-state objects, even if the signatures are not valid.

Use this value only if certain objects that you want to restore contain signatures that are not valid, but you do not want the possibility of unsigned objects being restored. In general, it is not recommended to restore objects with signatures that are not valid on your system.
5 Verify signatures on restore. Do not restore unsigned commands and user-state objects. Restore signed commands and user-state objects only if the signatures are valid.

This value is the most restrictive value and should be used when the only objects you want to be restored are those which have been signed by trusted sources
Some commands use a signature that does not include all parts of the object. Some parts of the command are not signed while other parts are only signed when they contain a non-default value. This type of signature allows some changes to be made to the command without invalidating its signature. Examples of changes that will not invalidate these types of signatures include:
  • Changing command defaults.
  • Adding a validity checking program to a command that does not have one.
  • Changing the "where allowed to run" parameter.
  • Changing the "allow limited user" parameter.

If you like, you can add your own signature to these commands that includes these areas of the command object.

Recommended value: 3