Code checker commands to ensure signature integrity

Learn about using commands to verify object signatures to determine object integrity.

You can use Digital Certificate Manager (DCM) or APIs to verify signatures on objects. You can also use several commands to check signatures. Using these commands allows you to verify signatures in much the same way that you use a virus checker to determine when a virus has corrupted files or other objects on your system. Most signatures are checked as the object is restored or installed on to the system, for example by using the RSTLIB command.

You can choose one of three commands to check signatures on objects that are already on the system. Of these, the Check Object Integrity (CHKOBJITG) command is designed specifically for verifying object signatures. Signature checking for each of these commands is controlled by the CHKSIG parameter. This parameter allows you to check all object types that can be signed for signatures, ignore all signatures, or check only objects that have signatures. This last option is the default value for the parameter.

Check Object Integrity (CHKOBJITG) command

The Check Object Integrity (CHKOBJITG) command allows you to allows you to determine if objects on your system have integrity violations. You can use this command to check for integrity violations for objects that a specific user profile owns, objects that match a specific path name, or all objects on the system. An integrity violation log entry occurs when one of these conditions is met:

If the command detects an integrity violation for an object, it adds the object name, library name (or path name), object type, object owner, and type of failure to a database log file. The command also creates a log entry in certain other cases, although these cases are not integrity violations. For example, the command creates a log entry for objects that are signable but do not have a digital signature, objects that it can not check, and objects in a format that requires changes in order to be used on the current system implementation (IMPI to RISC conversion).

The CHKSIG parameter value controls how the command handles digital signatures on objects. You can specify one of three values for this parameter:

Check Product Option (CHKPRDOPT) command

The Check Product Option (CHKPRDOPT) command reports differences between the correct structure and the actual structure of a software product. For example, the command reports an error if an object is deleted from an installed product.

The CHKSIG parameter value controls how the command handles digital signatures on objects. You can specify one of three values for this parameter:

Save Licensed Program (SAVLICPGM) command

The Save Licensed Program (SAVLICPGM) command allows you to save a copy of the objects that make up a licensed program. It saves the licensed program in a form that can be restored by the Restore Licensed Program (RSTLICPGM) command.

The CHKSIG parameter value controls how the command handles digital signatures on objects. You can specify one of three values for this parameter: