<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Save and restore system values: Verify object signatures during restore" />
<meta name="abstract" content="Specifies whether objects without signatures and/or with signatures that are not valid are restored. (QVFYOBJRST)" />
<meta name="description" content="Specifies whether objects without signatures and/or with signatures that are not valid are restored. (QVFYOBJRST)" />
<meta name="DC.Relation" scheme="URI" content="rzakzrestoreoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzlocksecurity.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalz/rzalzosintro.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzrestoreoperation.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzfinder.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzrestoreoperation.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzconfigurerestore.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakzqvfyobjrst" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Save and restore system values: Verify object signatures during restore</title>
</head>
<body id="rzakzqvfyobjrst"><a name="rzakzqvfyobjrst"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Save and restore system values: Verify object signatures during restore</h1>
<div><p>Specifies whether objects without signatures and/or with signatures
that are not valid are restored. (QVFYOBJRST)</p>
<p><span class="uicontrol">Verify object signatures during restore</span>, also known
as <span class="uicontrol">QVFYOBJRST</span>, is a member of the save and restore
category of i5/OS™ system values. You can use this system value to specify whether to restore objects
without signatures or with signatures that are not valid. To learn more, keep
reading.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th colspan="2" valign="top" class="firstcol" id="d0e37">Quick reference</th>
</tr>
</thead>
<tbody><tr><th valign="top" class="firstcol" id="d0e41" headers="d0e37 ">Location</th>
<td valign="top" headers="d0e41 d0e37 ">In iSeries™ Navigator,
select your system, <span class="menucascade"><span class="uicontrol"></span> > <span class="uicontrol">Configuration
and Service</span> > <span class="uicontrol">System Values</span> > <span class="uicontrol">Save
and Restore</span> > <span class="uicontrol">Signatures</span></span></td>
</tr>
<tr><th valign="top" class="firstcol" id="d0e59" headers="d0e37 ">Special authority</th>
<td valign="top" headers="d0e59 d0e37 ">All object (*ALLOBJ) and security administrator (*SECADM)</td>
</tr>
<tr><th valign="top" class="firstcol" id="d0e64" headers="d0e37 ">Default value</th>
<td valign="top" headers="d0e64 d0e37 ">Verify object signatures on restore; allow restore of objects without
signatures</td>
</tr>
<tr><th valign="top" class="firstcol" id="d0e69" headers="d0e37 ">Changes take effect</th>
<td valign="top" headers="d0e69 d0e37 ">Immediately</td>
</tr>
<tr><th valign="top" class="firstcol" id="d0e74" headers="d0e37 ">Lockable</th>
<td valign="top" headers="d0e74 d0e37 ">Yes Lock function of security-related system values<br /><img src="rzakz503.gif" alt="Lockable system value" /><br /> (Click for details)</td>
</tr>
</tbody>
</table>
</div>
<div class="section"><h4 class="sectiontitle">What can I do with this system value?</h4><p>This system value specifies
the policy used for object signature verification during a restore operation.
It applies to the following types of objects: programs (*PGM), commands
(*CMD), service programs (*SRVPGM), SQL packages (*SQLPKG), and modules (*MODULE).
It also applies to stream file (*STMF) objects that contain Java™ programs.</p>
<p>If Digital Certificate Manager is not installed on the system, all objects are
treated as unsigned when determining the effects of this system value on those
objects during a restore operation.</p>
<p>The following are possible options:</p>
<ul><li><span class="uicontrol">Do not verify object signatures on restore. (1)</span> <p>Do
not verify signatures on restore. Restore all objects regardless of their
signature.</p>
<p>This value should not be used unless you have a large number
of signed objects to restore that will fail their signature verification
for some acceptable reason. In general, it is dangerous to restore objects
with signatures that are not valid on your system.</p>
</li>
<li><span class="uicontrol">Verify object signatures on restore; allow restore of objects
without signatures and with signatures that are not valid. (2)</span> <p>Verify
signatures on restore. Restore unsigned commands and user-state objects. Restore
signed commands and user-state objects, even if signatures are not valid.</p>
<p>This value should be used only if there are specific objects with signatures that
are not valid that you want to restore. In general, it is dangerous to restore
objects with signatures that are not valid on your system.</p>
</li>
<li><span class="uicontrol">Verify object signatures on restore; allow restore of objects
without signatures. (3)</span> <p>Verify signatures on restore. Restore
unsigned commands and user-state objects. Restore signed commands and user-state
objects only if signatures are valid.</p>
<p>This value may be used for normal
operations, when you expect some of the objects you load to be unsigned, but
you want to ensure that all signed objects have signatures that are valid.
This is the default value.</p>
</li>
<li><span class="uicontrol">Verify object signatures on restore; allow restore of objects
with signatures that are not valid. (4)</span> <p>Does not restore unsigned
user-state objects. Restores signed user-state objects, even if signatures
are not valid.</p>
<p>This value should be used only if there are specific
objects with signatures that are not valid that you want to restore, but
you do not want the possibility of unsigned objects being restored. In general,
it is dangerous to restore objects with signatures that are not valid on your
system.</p>
</li>
<li><span class="uicontrol">Verify object signatures on restore; do not allow restore of
objects without signatures or with signatures that are not valid. (5)</span> <p>Does
not restore unsigned user-state objects. Restores signed user-state objects
only if signatures are valid.</p>
<p>This value is the most restrictive value
and should be used when the only objects you want to allow to be restored
are those that have been signed by trusted sources.</p>
</li>
</ul>
<p>Objects that have the system-state attribute and objects that have
the inherit-state attribute are required to have valid signatures from a system-trusted
source. The only value that will allow a system-state or inherit-state object
to restore without a valid signature is <span class="uicontrol">Do not verify signatures
on restore</span>. Allowing such a command or program to restore represents an integrity
risk to your system. If you must change this system value to <span class="uicontrol">Do
not verify signatures on restore</span> to allow such an object to restore
on your system, be sure to change this system value back to its previous value
after the object has been restored.</p>
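<p>The option rules above, together with the system-state and Digital Certificate Manager rules, written out as a decision function so that a restore manifest can be checked against a candidate setting before the setting is changed. This is an added example, not IBM code: restore_allowed, blocked_objects and the sample manifest are hypothetical names, commands are treated like user-state objects, and the Digital Certificate Manager rule is applied literally to every object.</p>

```python
from enum import Enum

# VALID means the signature verifies against a trusted source.
Sig = Enum("Sig", "UNSIGNED VALID INVALID")
State = Enum("State", "USER SYSTEM INHERIT")

# QVFYOBJRST value -> (restore unsigned?, restore signed-but-invalid?)
# for commands and user-state objects, taken from the option list above.
USER_STATE_POLICY = {
    "1": (True, True),    # no verification at all
    "2": (True, True),
    "3": (True, False),   # default
    "4": (False, True),
    "5": (False, False),  # most restrictive
}

def restore_allowed(value, state, sig, dcm_installed=True):
    """Model: would this object restore under the given QVFYOBJRST value?"""
    if value not in USER_STATE_POLICY:
        raise ValueError(f"unknown QVFYOBJRST value: {value!r}")
    if value == "1":
        return True                  # signatures are not checked
    if not dcm_installed:
        sig = Sig.UNSIGNED           # assumption: applied literally to every object
    if state in (State.SYSTEM, State.INHERIT):
        return sig is Sig.VALID      # only value 1 waives this requirement
    allow_unsigned, allow_invalid = USER_STATE_POLICY[value]
    if sig is Sig.UNSIGNED:
        return allow_unsigned
    if sig is Sig.INVALID:
        return allow_invalid
    return True                      # valid signature always restores

def blocked_objects(value, manifest, dcm_installed=True):
    """Names in the manifest that the given setting would refuse to restore."""
    return [name for name, state, sig in manifest
            if not restore_allowed(value, state, sig, dcm_installed)]

# Constructed sample manifest; the object names are made up for illustration.
SAMPLE_MANIFEST = [
    ("APPLIB/PAYROLL *PGM", State.USER, Sig.VALID),
    ("APPLIB/LEGACY *PGM", State.USER, Sig.UNSIGNED),
    ("APPLIB/PATCHED *SRVPGM", State.USER, Sig.INVALID),
    ("APPLIB/SYSHOOK *PGM", State.SYSTEM, Sig.INVALID),
]

if __name__ == "__main__":
    for value in USER_STATE_POLICY:
        print(value, blocked_objects(value, SAMPLE_MANIFEST))
```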
<p>Some command (*CMD) objects have
a signature that does not cover all parts of the object. Some parts of the
command are not signed while other parts are only signed when they contain
a non-default value. This type of signature allows some changes to be made
to the command without invalidating its signature. Examples of changes that
will not invalidate these types of signatures include:</p>
<ul><li>Changing command defaults</li>
<li>Adding a validity checking program to a command that does not have one</li>
<li>Changing the 'where allowed to run' parameter</li>
<li>Changing the 'allow limited users' parameter</li>
</ul>
<p>If you want, you can add your own signature to these commands that
includes these areas of the command object.</p>
<p>For more information, see
Object signing and signature verification.</p>
<p>The restore system values
work together when restoring objects. For more information about how these system
values work together, see Effects of system value settings on restore operations.</p>
</div>
<div class="section"><h4 class="sectiontitle">Where can I get more information about this system value?</h4><p>To
learn more, go to the save and restore system values overview topic. If you
are looking for a specific system value or category of system values, try
using the i5/OS system value finder.</p>
</div>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzakzrestoreoverview.htm" title="Use save and restore system values to control specific restore properties.">System values: Save and restore overview</a></div>
<div><a href="rzakzlocksecurity.htm" title="Find information about how to lock and unlock system values. Only some system values can be locked. This will provide you with a description of the lock function, what system values can be locked, and how to lock and unlock them.">Lock function of security-related system values</a></div>
<div><a href="../rzalz/rzalzosintro.htm">Object signing and signature verification</a></div>
<div><a href="rzakzrestoreoperation.htm" title="Describes how to properly set the restore system values so they are compatible during a restore operation. This topic also describes how the three restore system values work together when a restore is performed.">Effects of system value settings on restore operations</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzakzconfigurerestore.htm" title="After you plan how you want a restore operation to function, use iSeries Navigator to set the system values to reflect how to handle the restore operation. At this point, your system is ready for a restore command.">Configure system values for a restore operation</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="rzakzfinder.htm">System value finder</a></div>
</div>
</div>
</body>
</html>