ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakz_5.4.0.1/rzakzqvfyobjrst.htm

175 lines
11 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Save and restore system values: Verify object signatures during restore" />
<meta name="abstract" content="Specifies whether objects without signatures and/or with signatures that are not valid are restored. (QVFYOBJRST)" />
<meta name="description" content="Specifies whether objects without signatures and/or with signatures that are not valid are restored. (QVFYOBJRST)" />
<meta name="DC.Relation" scheme="URI" content="rzakzrestoreoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzlocksecurity.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalz/rzalzosintro.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzrestoreoperation.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzfinder.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzrestoreoperation.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzconfigurerestore.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakzqvfyobjrst" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Save and restore system values: Verify object signatures during restore</title>
</head>
<body id="rzakzqvfyobjrst"><a name="rzakzqvfyobjrst"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Save and restore system values: Verify object signatures during restore</h1>
<div><p>Specifies whether objects without signatures and/or with signatures
that are not valid are restored. (QVFYOBJRST)</p>
<p><span class="uicontrol">Verify object signatures during restore</span>, also known
as <span class="uicontrol">QVFYOBJRST</span>, is a member of the save and restore
category of i5/OS™ system
values. You can use this system value to specify whether to restore objects
without signatures or with signatures that are not valid. To learn more, keep
reading.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th colspan="2" valign="top" class="firstcol" id="d0e37">Quick reference</th>
</tr>
</thead>
<tbody><tr><th valign="top" class="firstcol" id="d0e41" headers="d0e37 ">Location</th>
<td valign="top" headers="d0e41 d0e37 ">In iSeries™ Navigator,
select your system, <span class="menucascade"><span class="uicontrol"></span> &gt; <span class="uicontrol">Configuration
and Service</span> &gt; <span class="uicontrol">System Values</span> &gt; <span class="uicontrol">Save
and Restore</span> &gt; <span class="uicontrol">Signatures</span></span></td>
</tr>
<tr><th valign="top" class="firstcol" id="d0e59" headers="d0e37 ">Special authority</th>
<td valign="top" headers="d0e59 d0e37 ">All object (*ALLOBJ) and security administrator (*SECADM)</td>
</tr>
<tr><th valign="top" class="firstcol" id="d0e64" headers="d0e37 ">Default value</th>
<td valign="top" headers="d0e64 d0e37 ">Verify object signatures on restore; allow restore of objects without
signatures</td>
</tr>
<tr><th valign="top" class="firstcol" id="d0e69" headers="d0e37 ">Changes take effect</th>
<td valign="top" headers="d0e69 d0e37 ">Immediately</td>
</tr>
<tr><th valign="top" class="firstcol" id="d0e74" headers="d0e37 ">Lockable</th>
<td valign="top" headers="d0e74 d0e37 ">Yes Lock function of security-related system values<br /><img src="rzakz503.gif" alt="Lockable system value" /><br /> (Click for details)</td>
</tr>
</tbody>
</table>
</div>
<div class="section"><h4 class="sectiontitle">What can I do with this system value?</h4><p>Specifies
the policy to be used for object signature verification during a restore operation.
This value applies to the following types of objects: programs (*PGM), commands
(*CMD), service programs (*SRVPGM), SQL packages (*SQLPKG), and modules (*MODULE).
It also applies to stream file (*STMF) objects that contain Java™ programs.</p>
<p>If
Digital Certificate Manager is not installed on the system, all objects are
treated as unsigned when determining the effects of this system value on those
objects during a restore operation.</p>
<p>The following are possible options:</p>
<ul><li><span class="uicontrol">Do not verify object signatures on restore. (1)</span> <p>Do
not verify signatures on restore. Restore all objects regardless of their
signature.</p>
<p>This value should not be used unless you have a large number
of signed objects to restore which will fail their signature verification
for some acceptable reason. In general, it is dangerous to restore objects
with signatures that are not valid on your system.</p>
</li>
<li><span class="uicontrol">Verify object signatures on restore; allow restore of objects
without signatures and with signatures that are not valid. (2)</span> <p>Verify
signatures on restore. Restore unsigned commands and user-state objects. Restore
signed commands and user-state objects, even if signatures are not valid.</p>
<p>This
value should be used only if there are specific objects with signatures that
are not valid which you want to restore. In general, it is dangerous to restore
objects with signatures that are not valid on your system.</p>
</li>
<li><span class="uicontrol">Verify object signatures on restore; allow restore of objects
without signatures. (3)</span> <p>Verify signatures on restore. Restore
unsigned commands and user-state objects. Restore signed commands and user-state
objects only if signatures are valid.</p>
<p>This value may be used for normal
operations, when you expect some of the objects you load to be unsigned, but
you want to ensure that all signed objects have signatures that are valid.
This is the default value.</p>
</li>
<li><span class="uicontrol">Verify object signatures on restore; allow restore of objects
with signatures that are not valid. (4)</span> <p>Does not restore unsigned
user-state objects. Restores signed user-state objects, even if signatures
are not valid.</p>
<p>This value should be used only if there are specific
objects with signatures that are not valid which you want to restore, but
you do not want the possibility of unsigned objects being restored. In general,
it is dangerous to restore objects with signatures that are not valid on your
system.</p>
</li>
<li><span class="uicontrol">Verify object signatures on restore; do not allow restore of
objects without signatures or with signatures that are not valid. (5)</span> <p>Does
not restore unsigned user-state objects. Restores signed user-state objects
only if signatures are valid.</p>
<p>This value is the most restrictive value
and should be used when the only objects you want to allow to be restored
are those which have been signed by trusted sources.</p>
</li>
</ul>
<p>Objects that have the system-state attribute and objects that have
the inherit-state attribute are required to have valid signatures from a system-trusted
source. The only value that will allow a system-state or inherit-state object
to restore without a valid signature is <span class="uicontrol">Do not verify signatures
on restore</span>. Allowing such a command or program represents an integrity
risk to your system. If you must change this system value to <span class="uicontrol">Do
not verify signatures on restore</span> to allow such an object to restore
on your system, be sure to change this system value back to its previous value
after the object has been restored.</p>
<p>Some command (*CMD) objects have
a signature that does not cover all parts of the object. Some parts of the
command are not signed while other parts are only signed when they contain
a non-default value. This type of signature allows some changes to be made
to the command without invalidating its signature. Examples of changes that
will not invalidate these types of signatures include:</p>
<ul><li>Changing command defaults</li>
<li>Adding a validity checking program to a command that does not have one</li>
<li>Changing the 'where allowed to run' parameter</li>
<li>Changing the 'allow limited users' parameter</li>
</ul>
<p>If you want, you can add your own signature to these commands that
includes these areas of the command object.</p>
<p>For more information, see
Object signing and signature verification.</p>
<p>The restore system values
work together when restoring objects. For more information about how these system
values work together, see Effects of system value settings on restore operations.</p>
</div>
<div class="section"><h4 class="sectiontitle">Where can I get more information about this system value?</h4><p>To
learn more, go to the save and restore system values overview topic. If you
are looking for a specific system value or category of system values, try
using the i5/OS system
value finder.</p>
</div>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzakzrestoreoverview.htm" title="Use save and restore system values to control specific restore requiredties.">System values: Save and restore overview</a></div>
<div><a href="rzakzlocksecurity.htm" title="Find information about how to lock and unlock system values. Only some system values can be locked. This will provide you with a description of the lock function, what system values can be locked, and how to lock and unlock them.">Lock function of security-related system values</a></div>
<div><a href="../rzalz/rzalzosintro.htm">Object signing and signature verification</a></div>
<div><a href="rzakzrestoreoperation.htm" title="Describes how to requiredly set the restore system values so they are compatible during a restore operation. This topic also describes how the three restore system values work together when a restore is performed.">Effects of system value settings on restore operations</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzakzconfigurerestore.htm" title="After you plan how you want a restore operation to function, use iSeries Navigator to set the system values to reflect how to handle the restore operation. At this point, your system is ready for a restore command.">Configure system values for a restore operation</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="rzakzfinder.htm">System value finder</a></div>
</div>
</div>
</body>
</html>