Validation of programs being restored

When a program is created, the system calculates a validation value, which is stored with the program. When the program is restored, the validation value is calculated again and compared to the validation value that is stored with the program.

If the validation values do not match, the system takes action according to the Force Conversion on Restore (QFRCCVNRST) and Allow Object Restore (QALWOBJRST) system values.

In addition to a validation value, a program might optionally have a digital signature that can be verified on restore. Any system actions related to digital signatures are controlled by the QVFYOBJRST and QFRCCVNRST system values. The three system values, Verify Object on Restore (QVFYOBJRST), QFRCCVNRST and QALWOBJRST, act as a series of filters to determine whether a program will be restored without change, whether it will be re-created (converted) as it is restored, or whether it will not be restored to the system.

Note: System state programs must have a valid IBM digital signature. Otherwise, they cannot be restored, no matter how the system values are set.

The first filter is the QVFYOBJRST system value. It controls the restore operation on some objects that can be digitally signed. After an object is successfully checked and is validated by this system value, the object proceeds to the second filter, the QFRCCVNRST system value. With this system value, you specify whether to convert programs, service programs, or module objects during a restore operation. This system value also prevents certain objects from being restored. Only when the objects have passed the first two filters do they proceed to the final filter, the QALWOBJRST system value. This system value controls whether objects with security-sensitive attributes can be restored.

Notes:
  1. Programs created for the IBM® i operating system can contain information that allows the program to be re-created at restore time, without requiring the program source.
  2. Programs created for IBM i Version 5, Release 1 and later, contain the information needed for re-creation even when the observability of the program is removed.
  3. Programs created for releases before Version 5, Release 1 can only be re-created at restore time if the observability of the program has not been deleted.