Signing objects
There are three different methods you can use for signing objects. To sing an object you can write a program that calls the Sign Object API, use Digital Certificate Manager (DCM), or use the System i® Navigator Management Central feature for packages you distribute to other systems.
You can use the certificates that you manage in DCM to sign any object that you store in the system's integrated file system, except objects that are stored in a library. You can sign only these objects that are stored in the QSYS.LIB file system: *PGM, *SRVPGM, *MODULE, *SQLPKG, and *FILE (save file only). You can also sign command (*CMD) objects. You can not sign objects that are stored on other systems.
You can sign objects with certificates that you purchase from a public Internet Certificate Authority (CA) or that you create with a private, local CA in DCM. The process of signing certificates is the same, regardless of whether you use public or private certificates.
Object signing prerequisites
- You must have created the *OBJECTSIGNING certificate store, either as part of the process of creating a local CA or as part of the process of managing object signing certificates from a public Internet CA.
- The *OBJECTSIGNING certificate store must contain at least one certificate, either one that you created by using the local CA or one that you obtained from a public Internet CA.
- You must have created an object signing application definition to use for signing objects.
- You must have assigned a certificate to the object signing application that you plan to use to sign objects.
Use DCM to sign objects
To use DCM to sign one or more objects, follow these steps: