ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvdigitalsign.htm

81 lines
5.6 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Use digital signatures to protect software integrity" />
<meta name="abstract" content="Using digital signatures gives you greater control over which software can be loaded onto your system, and allows you more power to detect changes once it has been loaded." />
<meta name="description" content="Using digital signatures gives you greater control over which software can be loaded onto your system, and allows you more power to detect changes once it has been loaded." />
<meta name="DC.Relation" scheme="URI" content="rzamvdevelopintrusiondetectstrat.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="digitalsign" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Use digital signatures to protect software integrity</title>
</head>
<body id="digitalsign"><a name="digitalsign"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Use digital signatures to protect software integrity</h1>
<div><p>Using digital signatures gives you greater control over which software
can be loaded onto your system, and allows you more power to detect changes
once it has been loaded.</p>
<p>All of the security precautions you take are meaningless if someone can
bypass them by introducing tampered data into your system. The server has
many built-in features which you can use to keep tampered software from being
loaded onto your system, and to detect any such software already there. One
of the techniques is <span class="uicontrol">object signing</span>. </p>
<p>Object signing is the implementation of a cryptographic concept known as <span class="uicontrol">digital
signatures</span>. The idea is relatively straightforward: once a software
producer is ready to ship software to customers, the producer <span class="q">"signs"</span> the
software. This signature does not guarantee that the software performs any
specific function. However, it provides a way to prove that the software came
from the producer who signed it, and that the software has not changed since
it was produced and signed. This is particularly important if the software
has been transmitted across the Internet or stored on media which you feel
might have been modified.</p>
<p>The new system value, Verify Object Restore (QVFYOBJRST), provides a mechanism
for setting a restrictive policy which requires all software loaded onto the
system to be signed by known software sources. You can also choose a more
open policy and simply verify signatures if they are present.</p>
<p>All i5/OS™ software,
as well as the software for options and licensed programs, has been signed
by a system trusted source. These signatures help the system protect its integrity,
and they are checked when fixes are applied to the system to ensure that the
fix has come from a system trusted source and that it did not change in transit.
These signatures can also be checked once the software is on the system. The <span class="cmdname">CHKOBJITG</span> (Check
Object Integrity) command checks signatures of the objects on the system.
Additionally, the Digital Certificate Manager has panels that you can use
to check signatures on objects, including objects in the operating system. </p>
<p>Just as the operating system has been signed, you could use digital signatures
to protect the integrity of software which is critical to your business. You
might buy software which has been signed by a software provider, or you might
sign software which you have purchased or written. Part of your security policy,
then, might be to periodically use <span class="cmdname">CHKOBJITG</span>, or the Digital
Certificate Manager, to verify that the signatures on that software are still
valid—that the objects have not changed since they were signed. You can also
require that all software which gets restored on your system be signed by
you or a known source. However, since most server software which is not produced
by IBM<sup>®</sup> is
not currently signed so this method might be too restrictive for your system.
The digital signature function gives you the flexibility to decide how best
to protect your software integrity. </p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvdevelopintrusiondetectstrat.htm" title="The following information is a collection of tips to help you detect potential security exposures.">Prevent and detect security exposures</a></div>
</div>
</div>
</body>
</html>