System values and commands that affect signed objects

Learn about system values and commands that you can use to manage signed objects or that have an effect on signed objects when you run them.

To manage signed objects effectively, you need to understand how system values and commands affect signed objects. The Verify object signatures during restore (QVFYOBJRST) system value determines how certain restore commands affect signed objects and how your system handles signed objects during restore operations. There are no CL commands that are exclusively designed for working with signed objects on a system. However, there are a number of common CL commands that you use to manage signed objects (or to manage the infrastructure objects that make object signing possible). Other commands can adversely affect signed objects on your system by removing the signature from the objects, thereby negating the protection that the signature provides.

System values that affect signed objects

The Verify object signatures during restore (QVFYOBJRST) system value, a member of the restore category of i5/OS™ system values, determines how commands affect signed objects on your system. This system value, which is available through iSeries™ Navigator, controls how the system handles signature verification during restore operations. The setting that you use for this system value, in conjunction with two other system value settings, affects restore operations for your system. Depending on the setting you select for this value, it can allow or disallow objects from being restored based on their signature status. (For example, whether the object is unsigned, has an invalid signature, is signed by a trusted source, and so forth.) The default setting for this system value allows unsigned objects to be restored, but ensures that signed objects can be restored only if the objects have a valid signature. The system defines an object as signed only if the object has a signature that your system trusts; the system ignores other, "untrusted" signatures on the object and treats the object as if it is unsigned.

There are several values that you can use for the QVFYOBJRST system value, ranging from ignoring all signatures to requiring valid signatures for all objects that the system restores. This system value only affects executable objects that are being restored, such as programs (*PGM), commands (*CMD), service programs (*SRVPGM), SQL packages (*SQLPKG), and modules (*MODULE). It also applies to stream file (*STMF) objects that have associated Java™ programs created by the Create Java Program (CRTJVAPGM) command. It does not apply to save (*SAV) files or integrated file system files.

CL commands that affect signed objects

There are several CL commands that allow you to work with signed objects or that affect signed objects on your system. You can use a variety of commands to view signature information for objects, verify the signature on objects, and save and restore security objects required to verify signatures. Additionally, there is a group of commands that, when run, can remove the signature from objects and negate the security that the signature provides.

Commands for viewing signature information for an object

Commands for verifying object signatures

Commands for saving and restoring certificate stores

Commands that can remove or lose signatures from objects

When you use the following commands on a signed object, you can do so in a manner that might remove or lose the signature from the object. Removing the signature might cause problems with the object affected. At the very least, you will no longer be able to verify the source of the object as a trusted one and will not be able to verify the signature to detect changes to the object. Use these commands only on those signed objects that you have created (as opposed to signed objects that you obtain from others such as IBM® or vendors). If you are concerned that the command removed or lost an object's signature, you can use the Display Object Description (DSPOBJD) command to see if the signature is still there and re-sign it if necessary.
Note: To verify whether a Save command lost an object's signature, you must restore the object into a different library than the one from which you saved it (for example, QTEMP). You can then use the DSPOBJD command to determine if the object on the save media lost its signature.
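
The check described in the note, written out as a CL program. This is an added example, not part of the original documentation; the library APPLIB, the program ORDERPGM and the save file SIGCHK are placeholder names.

```cl
PGM
  /* Placeholder names (assumptions): APPLIB/ORDERPGM is a signed     */
  /* program that you created; SIGCHK is a scratch save file.         */

  /* Show the restore-time verification policy in effect, because it  */
  /* decides whether the restore below is allowed at all.             */
  DSPSYSVAL  SYSVAL(QVFYOBJRST)

  /* Save the signed program to a save file in QTEMP.                 */
  CRTSAVF    FILE(QTEMP/SIGCHK)
  SAVOBJ     OBJ(ORDERPGM) LIB(APPLIB) DEV(*SAVF) OBJTYPE(*PGM) +
               SAVF(QTEMP/SIGCHK)

  /* Restore the saved copy into a different library (QTEMP) so the   */
  /* original in APPLIB is left untouched.                            */
  RSTOBJ     OBJ(ORDERPGM) SAVLIB(APPLIB) DEV(*SAVF) OBJTYPE(*PGM) +
               SAVF(QTEMP/SIGCHK) RSTLIB(QTEMP)

  /* Compare the signature information on the two displays: the       */
  /* original first, then the copy that came back from the save file. */
  DSPOBJD    OBJ(APPLIB/ORDERPGM) OBJTYPE(*PGM) DETAIL(*FULL)
  DSPOBJD    OBJ(QTEMP/ORDERPGM) OBJTYPE(*PGM) DETAIL(*FULL)
ENDPGM
```

If the QVFYOBJRST setting disallows unsigned objects, the restore into QTEMP can itself be refused for a copy that lost its signature, which answers the same question.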
Related concepts
Save and restore considerations for signed objects
Related information
System value finder