Learn how signed objects affect how you perform save and restore
tasks for your system.
There are several system values that can affect restore operations for your system. Only one of
these system values, the verify object signatures during restore (QVFYOBJRST) system value,
determines how the system handles signed objects when restoring them. The
setting that you choose for this system value lets you determine how the restore
process handles verification of objects without signatures or with signatures
that are not valid.
Some save and restore commands affect signed objects or determine how your
system handles signed and unsigned objects during save and restore operations.
You need to be aware of these commands and their effect on signed objects
so that you can better manage your system and avoid potential problems
that may occur.
These commands can verify signatures on objects during save and restore
operations:
- The Save Licensed Program (SAVLICPGM) command.
- The Restore (RST) command.
- The Restore Library (RSTLIB) command.
- The Restore Licensed Program (RSTLICPGM) command.
- The Restore Object (RSTOBJ) command.
These commands allow you to save and restore certificate stores; certificate
stores are security-sensitive objects that contain the certificates that you
use to sign objects and verify signatures:
- The Save (SAV) command.
- The Save Security Data (SAVSECDTA) command.
- The Save System (SAVSYS) command.
- The Restore (RST) command.
- The Restore User Profiles (RSTUSRPRF) command.
Some save commands, depending on the parameter values that you use, may
lose the signature from an object on the save media, thereby negating the
security that the signature provides. For example, any save operation
that refers to a command (*CMD) object with a target release before V5R2M0
causes the commands to be saved without signatures. Removing the signature
might cause problems with the objects affected. At the very least, you will
no longer be able to verify the source of the object as a trusted one and
will not be able to verify the signature to detect changes to the object.
Use these commands only on those signed objects that you have created (as
opposed to signed objects that you obtain from others such as IBM® or vendors).
Note: To verify whether a Save command lost an object's signature, you must
restore the object into a different library than the one from which you saved
it (for example, QTEMP). You can then use the DSPOBJD command to determine
if the object on the save media lost its signature.
You need to be aware of this potential for the following specific save
commands, as well as for save commands in general:
- The Save (SAV) command.
- The Save Library (SAVLIB) command.
- The Save Object (SAVOBJ) command.
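
The check described in the note above, written as a CL program. This is an added example, not code from the original page; the command MYCMD, the library MYLIB and the save file QGPL/SIGCHK are assumed names for an object that was already saved with SAVOBJ.

```cl
/* Added example: check whether a saved *CMD object kept its signature.  */
/* MYCMD, MYLIB and QGPL/SIGCHK are assumed names, not from the page.    */
PGM

  /* Restore the saved copy into QTEMP, not into the library it was      */
  /* saved from, so the original object is left untouched.               */
  RSTOBJ     OBJ(MYCMD) SAVLIB(MYLIB) DEV(*SAVF) OBJTYPE(*CMD) +
               SAVF(QGPL/SIGCHK) RSTLIB(QTEMP)
  /* The restore can be rejected, for example by the QVFYOBJRST setting  */
  /* when the saved copy is unsigned. Stop here and read the job log.    */
  MONMSG     MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG  MSG('Restore into QTEMP failed. See the job log and +
                 the QVFYOBJRST system value.')
    RETURN
  ENDDO

  /* Print the full description of the original object.                  */
  DSPOBJD    OBJ(MYLIB/MYCMD) OBJTYPE(*CMD) DETAIL(*FULL) OUTPUT(*PRINT)

  /* Print the full description of the copy restored from the save media.*/
  DSPOBJD    OBJ(QTEMP/MYCMD) OBJTYPE(*CMD) DETAIL(*FULL) OUTPUT(*PRINT)

  /* Remove the temporary copy once both listings have been produced.    */
  DLTCMD     CMD(QTEMP/MYCMD)

ENDPGM
```

Compare the signature information in the two printed descriptions: if the original object is shown as digitally signed and the QTEMP copy is not, the save operation dropped the signature.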