Verifying WebSphere Application Server release packages
Verify the authenticity and integrity of a WebSphere® Application Server release package by using the signature files and the corresponding public key. These signature files are produced for every package of a WebSphere Application Server release.
IBM® uses its private key to digitally sign each WebSphere Application Server release. You can use the WebSphere Application Server public key to check the signature, verify that the package was released by IBM Fix Central, and that it was not modified since its release.
In version 9.0.5.19 and later, you can also verify the authenticity of the WebSphere Application Server public key by using a certificate (.cer) file.
Before you begin
.sig
) file,
and the WebSphere Application Server public key file. The following table
describes the resources that you need to verify a WebSphere Application Server release package and where to find them.
Resource | Description | Source |
---|---|---|
WebSphere Application Server release package | A release package can be one of the following resources:
|
Obtain your release package from one of the following sources:
|
Signature (.sig ) file |
IBM provides a signature file for each release package. You can use this file together with the WebSphere Application Server public key to verify the digital signature of the package. |
Your signature file is available from the same source that you download your release package from, either Passport Advantage or IBM Fix Central. |
WebSphere Application Server public key |
For versions before 9.0.5.19, the public key is a .pem file that corresponds to the WebSphere Application Server private key that is used to sign each release package. In version 9.0.5.19 and later, the public key is embedded in a .cer file that corresponds to the WebSphere Application Server private key that is used to sign each release package. You can use the .cer file to verify the authenticity of the WebSphere Application Server public key. |
For versions before 9.0.5.19, obtain the WebSphere Application Server
public key file as a .pem file from one of the following sources:
In version 9.0.5.19 and later, obtain the WebSphere Application Server public key file as a .cer file
from one of the following sources:
|
About this task
In the following task, steps 1 and 2 apply only to WebSphere Application Server 9.0.5.19 and later releases. In these releases, the WebSphere Application Server public key is embedded in a .cer file. You can use this file to verify the authenticity of the WebSphere Application Server public key before you extract it to a new .pem file, which you use to verify the release package.
In versions before 9.0.5.19, the WebSphere Application Server public key is available only as a .pem file. To verify a release package for these versions, skip to step 3.
In the following examples, replace the WebSphere_certificate and WebSphere_release_package variables with the public key and release package files that you are using to verify a release package.
Procedure
Results
If the verification is successful, the command produces the following console output:
Verified OK