Verify object on restore

The Verify Object on Restore (QVFYOBJRST) system value determines whether objects are required to have digital signatures in order to be restored to your system.

You can prevent anyone from restoring an object, unless that object has a proper digital signature from a trusted software provider. This value applies to objects of types: *PGM, *SRVPGM, *SQLPKG, *CMD and *MODULE. It also applies to *STMF objects which contain Java™ programs.

When an attempt is made to restore an object onto the system, three system values work together as filters to determine if the object is allowed to be restored. The first filter is the verify object on restore QVFYOBJRST system value. It is used to control the restore of some objects that can be digitally signed. The second filter is the force conversion on restore QFRCCVNRST system value. This system value allows you to specify whether or not to convert programs, service programs, SQL packages, and module objects during the restore. It can also prevent some objects from being restored. Only objects that can get past the first two filters are processed by the third filter. The third filter is the allow object on restore (QALWOBJRST) system value. It specifies whether or not objects with security-sensitive attributes can be restored.

If Digital Certificate Manager, (i5/OS™ option 34, is not installed on the system, all objects except those signed by a system trusted source are treated as unsigned when determining the effects of the QVFYOBJRST system value during a restore operation. A change to this system value takes effect immediately.

Note:

This system value is a restricted value. See Security System Values for details on how to restrict changes to security system values and a complete list of the restricted system values.
When your system is shipped, the QVFYOBJRST system value is set to 3. If you change the value of QVFYOBJRST, it is important to set the QVFYOBJRST value to 3 or lower before installing a new release of the i5/OS operating system.

Possible values for the QVFYOBJRST system value
1	Do not verify signatures on restore. Restore all objects regardless of their signature. This value should not be used unless you have signed objects to restore which will fail their signature verification for some acceptable reason.
2	Verify objects on restore. Restore unsigned commands and user-state objects. Restore signed commands and user-state objects, even if the signatures are not valid. This value should be used only if there are specific objects with signatures that are not valid which you want to restore. In general, it is dangerous to restore objects with signatures that are not valid on your system.
3	Verify signatures on restore. Restore unsigned commands and user-state objects. Restore signed commands and user-state objects only if the signatures are valid. This value may be used for normal operations, when you expect some of the objects you restore to be unsigned, but you want to ensure that all signed objects have signatures that are valid. Commands and programs you have created or purchased before digital signatures were available will be unsigned. This value allows those commands and programs to be restored. This is the default value.
4	Verify signatures on restore. Do not restore unsigned commands and user-state objects. Restore signed commands and user-state objects, even if the signatures are not valid. This value should be used only if there are specific objects with signatures that are not valid which you want to restore, but you do not want the possibility of unsigned objects being restored. In general, it is dangerous to restore objects with signatures that are not valid on your system.
5	Verify signatures on restore. Do not restore unsigned commands and user-state objects. Restore signed commands and user-state objects only if the signatures are valid. This value is the most restrictive value and should be used when the only objects you want to be restored are those which have been signed by trusted sources.

Objects which have the system-state attribute and objects which have the inherit-state attribute are required to have valid signatures from a system trusted source. The only value which will allow a system-state or inherit-state object to restore without a valid signature is 1. Allowing such a command or program represents an integrity risk to your system. If you change the QVFYOBJRST system value to 1 to allow such an object to restore on your system, be sure to change the QVFYOBJRST system value back to its previous value after the object has been restored.

Some commands use a signature that does not cover all parts of the object. Some parts of the command are not signed while other parts are only signed when they contain a non-default value. This type of signature allows some changes to be made to the command without invalidating its signature. Examples of changes that will not invalidate these types of signatures include:

Changing command defaults.
Adding a validity checking program to a command that does not have one.
Changing the where allowed to run parameter.
Changing the allow limited user parameter.

If you wish, you can add your own signature to these commands that includes these areas of the command object.

Recommended Value: 3.