System values and commands that affect signed objects
This topic provides information about the IBM i system values and commands that you can use to manage signed objects, or that have an effect on signed objects when you run them.
To manage signed objects effectively, you need to understand how system values and commands affect signed objects. The Verify object signatures during restore (QVFYOBJRST) system value determines how certain restore commands affect signed objects and how your system handles signed objects during restore operations. There are no CL commands that are exclusively designed for working with signed objects on a system. However, there are a number of common CL commands that you use to manage signed objects (or to manage the infrastructure objects that make object signing possible). Other commands can adversely affect signed objects on your system by removing the signature from the objects thereby negating the protection that the signature provides.
System values that affect signed objects
The Verify object signatures during restore (QVFYOBJRST) system value, a member of the restore category of IBM i system values, determines how restore commands treat signed objects on your system. This system value, which is available through IBM Navigator for i, controls how the system handles signature verification during restore operations. The setting that you use for this system value, in conjunction with two other system value settings, affects restore operations for your system. Depending on the setting you select, the system allows or refuses the restore of an object based on its signature status (for example, whether the object is unsigned, has an invalid signature, is signed by a trusted source, and so forth). The default setting allows unsigned objects to be restored, but ensures that signed objects can be restored only if they have a valid signature. The system treats an object as signed only if the object carries a signature that your system trusts; it ignores other, "untrusted" signatures on the object and handles the object as if it were unsigned.
There are several values that you can use for the QVFYOBJRST system value, ranging from ignoring all signatures to requiring valid signatures for all objects that the system restores. This system value affects only executable objects that are being restored, such as programs (*PGM), commands (*CMD), service programs (*SRVPGM), SQL packages (*SQLPKG), and modules (*MODULE). It also applies to stream file (*STMF) objects that have associated Java™ programs created by the Create Java Program (CRTJVAPGM) command. It does not apply to save (*SAV) files or to other integrated file system files.
CL commands that affect signed objects
There are several CL commands that allow you to work with signed objects or that affect signed objects on your system. You can use a variety of commands to view signature information for objects, verify the signature on objects, and save and restore security objects required to verify signatures. Additionally, there are a group of commands that, when run, can remove the signature from objects and negate the security that the signature provides.
Commands for viewing signature information for an object
- The Display Object Description (DSPOBJD) command. This command shows the names and attributes of specified objects in the specified library or in the libraries of the thread's library list. You can use this command to determine whether an object is signed and to view information about the signature.
- Display Object Links (DSPLNK) and Work with Object Links (WRKLNK) integrated file system commands. You can use either of these commands to display signature information for an object in the integrated file system.
Commands for verifying object signatures
- Check Object Integrity (CHKOBJITG) command. This command allows you to determine if objects on your system have integrity violations. You can use this command to verify signatures in much the same way that you use a virus checker to determine when a virus has corrupted files or other objects on your system. To learn more about using this command with signed and signable objects, see Code checker commands to ensure signature integrity.
- Check Product Option (CHKPRDOPT) command. This command reports differences between the correct structure and the actual structure of a software product. For example, the command reports an error if an object is deleted from an installed product. You can use the CHKSIG parameter to specify how the command is to handle and report possible signature problems for the product. To learn more about using this command with signed and signable objects, see Code checker commands to ensure signature integrity.
- Save Licensed Program (SAVLICPGM) command. This command saves a copy of the objects that make up a licensed program. It saves the licensed program in a form that can be restored by the Restore Licensed Program (RSTLICPGM) command. You can use the CHKSIG parameter to specify how the command is to handle and report possible signature problems for the product. To learn more about using this command with signed and signable objects, see Code checker commands to ensure signature integrity.
- Restore (RST) command. This command restores a copy of one or more objects that can be used in the integrated file system. This command also allows you to restore certificate stores and their contents on the system. However, you cannot use this command to restore the *SIGNATUREVERIFICATION certificate store. How the restore command handles signed and signable objects is determined by the setting for the Verify object signatures during restore (QVFYOBJRST) system value.
- Restore Library (RSTLIB) command. This command restores one library or a group of libraries that was saved by the Save Library (SAVLIB) command. The RSTLIB command restores the whole library, which includes the library description, object descriptions, and contents of the objects in the library. How this command handles signed and signable objects is determined by the setting for the Verify object signatures during restore (QVFYOBJRST) system value.
- Restore Licensed Program (RSTLICPGM) command. This command loads or restores a licensed program, either for initial installation or new-release installation. How this command handles signed and signable objects is determined by the setting for the Verify object signatures during restore (QVFYOBJRST) system value.
- Restore Object (RSTOBJ) command. This command restores, in a single operation, one or more objects in a single library that were saved on diskette, tape, optical volume, or in a save file. How this command handles signed and signable objects is determined by the setting for the Verify object signatures during restore (QVFYOBJRST) system value.
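The following CL program is an added example and is not part of the IBM i documentation or of any IBM-supplied code. It ties the QVFYOBJRST setting to the restore and verification commands above: it reads the system value, tightens it, restores a library under the tightened setting, and then checks the restored objects. The library MYLIB, the save file QGPL/MYLIBSAVF, the program MYLIB/MYPGM and the output file QTEMP/OBJITG are assumed names; the statement that QVFYOBJRST '3' is the shipped default and '5' the strictest setting, and that DSPOBJD DETAIL(*SERVICE) is the detail level that includes the signature fields, are the author's assumptions rather than facts stated on this page.

```cl
/* Added example, not IBM-supplied code. Assumed names: MYLIB,          */
/* QGPL/MYLIBSAVF, MYLIB/MYPGM, QTEMP/OBJITG.                           */
PGM
  DCL VAR(&VFYRST) TYPE(*CHAR) LEN(1)

  /* 1. Read the current QVFYOBJRST setting. Assumption: values run      */
  /*    from '1' (ignore all signatures) to '5' (require a valid        */
  /*    signature on every restored executable); '3' is the shipped     */
  /*    default described in the text: unsigned objects restore, signed */
  /*    objects restore only if the signature is valid and trusted.     */
  RTVSYSVAL SYSVAL(QVFYOBJRST) RTNVAR(&VFYRST)

  /* 2. On a partition that must only run signed code, refuse unsigned  */
  /*    executables as well. Caveat: this also blocks unsigned in-house */
  /*    programs, so sign them before you raise the value.              */
  IF COND(&VFYRST *NE '5') THEN(CHGSYSVAL SYSVAL(QVFYOBJRST) VALUE('5'))

  /* 3. Restore the library. QVFYOBJRST decides which *PGM, *SRVPGM,    */
  /*    *MODULE, *CMD, *SQLPKG and Java *STMF objects are accepted;     */
  /*    other object types restore regardless of the setting.           */
  /*    CPF3700 is the generic monitor for save/restore messages;       */
  /*    read the job log to see which objects were refused.             */
  RSTLIB SAVLIB(MYLIB) DEV(*SAVF) SAVF(QGPL/MYLIBSAVF)
  MONMSG MSGID(CPF3700)

  /* 4. Verify every object in the restored library. CHKSIG(*ALL)       */
  /*    reports both invalid signatures and signable objects that       */
  /*    carry no signature; the violations go to the output file.       */
  CHKOBJITG OBJ('/QSYS.LIB/MYLIB.LIB/*') OBJTYPE(*ALL) +
            OUTFILE(QTEMP/OBJITG) CHKSIG(*ALL)

  /* 5. Inspect the signature attributes of a single object.            */
  DSPOBJD OBJ(MYLIB/MYPGM) OBJTYPE(*PGM) DETAIL(*SERVICE)
ENDPGM
```

Run the verification step on a library before you trust it, not only after a restore: an object whose signature does not verify while it sits on disk is exactly the case that a permissive QVFYOBJRST value would have let through at restore time.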
Commands for saving and restoring certificate stores
- Save (SAV) command. This command allows you to save a copy of one or more objects that can be used in the integrated file system, including certificate stores. However, you cannot use this command to save the *SIGNATUREVERIFICATION certificate store.
- Save Security Data (SAVSECDTA) command. This command allows you to save all security information without requiring the system to be in a restricted state. Using this command allows you to save the *SIGNATUREVERIFICATION certificate store and the certificates that it contains. This command does not save any other certificate store.
- Save System (SAVSYS) command. This command allows you to save a copy of the licensed internal code and the QSYS library in a format compatible with the installation of the system. It does not save objects from any other library. In addition, it allows you to save the security and configuration objects that you can also save by using the SAVSECDTA and SAVCFG commands. Using this command allows you to save the *SIGNATUREVERIFICATION certificate store and the certificates that it contains.
- Restore (RST) command. This command allows you to restore certificate stores and their contents on the system. However, you cannot use this command to restore the *SIGNATUREVERIFICATION certificate store.
- Restore User Profiles (RSTUSRPRF) command. This command allows you to restore the basic parts of a user profile or a set of user profiles saved by the Save System (SAVSYS) or the Save Security Data (SAVSECDTA) commands. You can use this command to restore the *SIGNATUREVERIFICATION certificate store and the stashed passwords for this and all other certificate stores. You can restore the *SIGNATUREVERIFICATION certificate store without restoring user profile information by specifying *DCM as the value for the SECDTA parameter and *NONE for the USRPRF parameter. To use this command to restore user profile information and certificate stores and their passwords, specify *ALL for the USRPRF parameter.
Commands that can remove or lose signatures from objects
- Change Program (CHGPGM) command. This command changes the attributes of a program without requiring that you recompile it. Also, you can use this command to force re-creation of a program even if the attributes being specified are the same as the current attributes. Because re-creation produces a new program object, a signed program loses its signature when it is re-created in this way and must be signed again.
- Change Service Program (CHGSRVPGM) command. This command changes the attributes of a service program without requiring that you recompile it. Also, you can use this command to force re-creation of a service program even if the attributes being specified are the same as the current attributes. As with CHGPGM, a re-created service program loses its signature and must be signed again.
- Clear Save File (CLRSAVF) command. This command clears the contents of a save file; it clears all existing records from the save file and reduces the amount of storage that the file uses.
- Save (SAV) command. This command saves a copy of one or more objects that can be used in the integrated file system. When using this command, you might lose the signature from command (*CMD) objects on the save media if you specify a value earlier than V5R2M0 for the TGTRLS parameter. Signature loss occurs because command objects cannot be signed in releases before V5R2.
- Save Library (SAVLIB) command. This command allows you to save a copy of one or more libraries. When using this command, you might lose the signature from command (*CMD) objects on the save media if you specify a value earlier than V5R2M0 for the TGTRLS parameter. Signature loss occurs because command objects cannot be signed in releases before V5R2.
- Save Object (SAVOBJ) command. This command saves a copy of a single object or a group of objects located in the same library. When using this command, you might lose the signature from command (*CMD) objects on the save media if you specify a value earlier than V5R2M0 for the TGTRLS parameter. Signature loss occurs because command objects cannot be signed in releases before V5R2.
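The following CL program is an added example and is not part of the IBM i documentation or of any IBM-supplied code. It serves both of the preceding lists: it saves the *SIGNATUREVERIFICATION certificate store with SAVSECDTA (since SAV cannot), saves a library in a form that keeps its *CMD signatures, and restores the certificate store on the target with RSTUSRPRF before the code is restored, so that the signatures can be evaluated against a trust store. The library MYLIB, the save files QGPL/SECDTASAVF and QGPL/MYLIBSAVF, and the program MYLIB/MYPGM are assumed names; using save files rather than tape is a choice made here to avoid tape positioning.

```cl
/* Added example, not IBM-supplied code. Assumed names: MYLIB,          */
/* QGPL/SECDTASAVF, QGPL/MYLIBSAVF, MYLIB/MYPGM.                         */
PGM
  /* 1. SAV cannot save *SIGNATUREVERIFICATION; SAVSECDTA can, and it    */
  /*    does not need a restricted state. The certificates in that      */
  /*    store are what makes a signature "trusted": without them a      */
  /*    signed object is handled as if it were unsigned at restore.     */
  SAVSECDTA DEV(*SAVF) SAVF(QGPL/SECDTASAVF)

  /* 2. Keep TGTRLS at *CURRENT. A target release earlier than V5R2M0   */
  /*    drops the signature from *CMD objects on the media, because     */
  /*    commands could not be signed before V5R2.                       */
  SAVLIB LIB(MYLIB) DEV(*SAVF) SAVF(QGPL/MYLIBSAVF) TGTRLS(*CURRENT)

  /* --- on the target system, after the two save files are copied --- */

  /* 3. Bring back the *SIGNATUREVERIFICATION store and the stashed     */
  /*    passwords of all certificate stores without touching user       */
  /*    profiles (SECDTA(*DCM) with USRPRF(*NONE), as the text states). */
  RSTUSRPRF DEV(*SAVF) SAVF(QGPL/SECDTASAVF) USRPRF(*NONE) SECDTA(*DCM)

  /* 4. Only now restore the code, so that QVFYOBJRST checks the        */
  /*    signatures against the restored trust store. CPF3700 is the     */
  /*    generic monitor for save/restore messages.                      */
  RSTLIB SAVLIB(MYLIB) DEV(*SAVF) SAVF(QGPL/MYLIBSAVF)
  MONMSG MSGID(CPF3700)

  /* Do not force re-creation of a signed program afterwards: the      */
  /* re-created object has no signature until it is signed again.      */
  /* CHGPGM PGM(MYLIB/MYPGM) FRCCRT(*YES)   <- removes the signature    */
ENDPGM
```

If step 3 is skipped, step 4 still succeeds under the default QVFYOBJRST setting, but the objects are treated as unsigned rather than verified, which silently removes the protection the signature was meant to provide; check CHKOBJITG output after the restore rather than assuming the order was followed.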