Use this information to learn how to use DCM to manage certificates
that you use to digitally sign objects to ensure their integrity.
There are three methods that you can use for signing objects: you can write a program that calls the Sign Object API, you can use Digital Certificate Manager (DCM) to sign objects, or, in OS/400® V5R2 or later, you can use the iSeries™ Navigator Management Central feature to sign objects as you package them for distribution to other systems.
You can use the certificates that you manage in DCM to sign any object that you store in the system's integrated file system, except that for objects stored in a library (the QSYS.LIB file system) only these object types can be signed: *PGM, *SRVPGM, *MODULE, *SQLPKG, and *FILE (save files only). In OS/400 V5R2 or later, you can also sign command (*CMD) objects. You cannot sign objects that are stored on other systems.
You can sign objects with certificates that you purchase from a public Internet Certificate Authority (CA) or that you create with a private, Local CA in DCM. The process of signing objects is the same, regardless of whether you use public or private certificates.
Object signing prerequisites
Before you can use DCM (or the Sign Object API) to sign objects, you must ensure that certain prerequisite conditions are met:
Use DCM to sign objects
To use DCM to sign one or more objects, follow these steps:
- Start DCM.
- In the navigation frame, click Select a Certificate Store and select *OBJECTSIGNING as the certificate store to open.
Note: If you have questions about how to complete a specific form while using DCM, select the question mark (?) at the top of the page to access the online help.
- Enter the password for the *OBJECTSIGNING certificate store and click Continue.
- After the navigation frame refreshes, select Manage Signable Objects to display a list of tasks.
- From the list of tasks, select Sign an object to display a list of application definitions that you can use for signing objects.
- Select an application and click Sign an Object to view a form for specifying the location of the objects that you want to sign.
Note: If the application that you select does not have a certificate assigned to it, you cannot use it to sign an object. You must first use the Update certificate assignment task under Manage Applications to assign a certificate to the application definition.
- In the field provided, enter the fully qualified path and file name of the object or directory of objects that you want to sign and click Continue. Or, enter a directory location and click Browse to view the contents of the directory and select objects for signing.
Note: The object name must start with a leading slash; otherwise DCM reports an error. You can also use two wildcard characters in the part of the path that names the objects to sign: the asterisk (*), which matches any number of characters, and the question mark (?), which matches any single character. For example, to sign all the objects in a specific directory, enter /mydirectory/*; to sign all the programs in a specific library, enter /QSYS.LIB/QGPL.LIB/*.PGM. Wildcards are allowed only in the last part of the path name; /mydirectory*/filename, for example, results in an error message. If you want to use the Browse function to see a list of library or directory contents, enter the wildcard as part of the path name before clicking Browse.
- Select the processing options that you want to use for signing the selected object or objects and click Continue.
Note: If you choose to wait for job results, the results file displays directly in your browser. Results for the current job are appended to the end of the results file, so the file may contain results from previous jobs in addition to those of the current job. Use the date field in the file to determine which lines apply to the current job; the date field is in YYYYMMDD format, so it cannot separate two jobs that ran on the same day. The first field in each line is either a message ID (if an error occurred while processing the object) or the date field (the date on which the job processed the object).
- Specify the fully qualified path and file name to use for storing job results for the object signing operation and click Continue. Or, enter a directory location and click Browse to view the contents of the directory and select a file for storing the job results.
A message displays to indicate that the job was submitted to sign objects. To view the job results, see job QOBJSGNBAT in the job log.
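The path rules in the signing step (a leading slash is required; * and ? are accepted only in the last part of the path) can be checked before a job is submitted. The following is an added example, not DCM's own code or IBM's Sign Object API: it validates a path specification the way the page describes and expands it against a constructed list of object names. The object names, the SIGNABLE_QSYS_TYPES set and all function names are this example's own, and it assumes case-sensitive, non-recursive matching within the named directory, which the page does not specify.

```python
import re

# Constructed sample of object paths, as the integrated file system would
# present them to DCM. The names are hypothetical, not from a real system.
SAMPLE_OBJECTS = [
    "/QSYS.LIB/QGPL.LIB/PAYROLL.PGM",
    "/QSYS.LIB/QGPL.LIB/REPORT.PGM",
    "/QSYS.LIB/QGPL.LIB/UTIL.SRVPGM",
    "/QSYS.LIB/QGPL.LIB/CUSTOMER.FILE",
    "/QSYS.LIB/QGPL.LIB/NOTES.DTAARA",
    "/mydirectory/app.jar",
    "/mydirectory/readme.txt",
    "/mydirectory/bin/tool",
    "/otherdir/app.jar",
]

# Object types in QSYS.LIB that the page lists as signable. *FILE is signable
# only as a save file; this sample does not model that distinction, so a
# *FILE match still needs a save-file check before signing.
SIGNABLE_QSYS_TYPES = {"PGM", "SRVPGM", "MODULE", "SQLPKG", "FILE", "CMD"}


class ObjectPathError(ValueError):
    """A path specification that the DCM sign-object form would reject."""


def validate_object_path(path):
    """Check a path against the rules on this page and return its components.

    Rules: a leading slash is required, and the wildcards * and ? may appear
    only in the last component of the path.
    """
    if not path.startswith("/"):
        raise ObjectPathError("object name must start with a leading slash")
    parts = path[1:].split("/")
    if any(part == "" for part in parts):
        raise ObjectPathError("empty path component (doubled or trailing slash)")
    for part in parts[:-1]:
        if "*" in part or "?" in part:
            raise ObjectPathError(
                "wildcards are allowed only in the last part of the path: %r" % part
            )
    return parts


def _wildcard_regex(pattern):
    """Translate DCM's two wildcards into a regex; every other character is literal."""
    body = "".join(
        "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.compile("^" + body + "$")


def expand_object_path(path, objects=SAMPLE_OBJECTS):
    """Return the objects a DCM path specification selects, sorted.

    Assumptions (not stated on the page): matching is case-sensitive, only
    objects directly in the named directory are selected (no recursion), and
    in QSYS.LIB an object whose type DCM cannot sign is skipped.
    """
    parts = validate_object_path(path)
    directory = "/" + "/".join(parts[:-1])
    name_regex = _wildcard_regex(parts[-1])
    selected = []
    for obj in objects:
        obj_dir, obj_name = obj.rsplit("/", 1)
        obj_dir = obj_dir or "/"  # objects in the root directory
        if obj_dir != directory or not name_regex.match(obj_name):
            continue
        if directory.startswith("/QSYS.LIB/"):
            obj_type = obj_name.rsplit(".", 1)[-1]
            if obj_type not in SIGNABLE_QSYS_TYPES:
                continue
        selected.append(obj)
    return sorted(selected)


if __name__ == "__main__":
    for spec in ("/mydirectory/*", "/QSYS.LIB/QGPL.LIB/*.PGM", "/QSYS.LIB/QGPL.LIB/*"):
        print(spec, "->", expand_object_path(spec))
    for bad in ("mydirectory/*", "/mydirectory*/filename"):
        try:
            expand_object_path(bad)
        except ObjectPathError as err:
            print(bad, "-> rejected:", err)
```

Running the block shows /QSYS.LIB/QGPL.LIB/* selecting the *FILE object as well as the programs, which is the point of the type filter: a bare wildcard over a library picks up everything DCM could sign, so review the expansion before submitting the job.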
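Because the results file accumulates output from earlier jobs, a practitioner usually wants only the current job's lines, with the error lines separated out. The following is an added example, not DCM's output format or code: it parses a constructed results file using only what the page states, that the first field of a line is either a message ID or a YYYYMMDD date. It assumes whitespace-separated fields and that an error line carries the date as its second field; the message ID MSG0001 and the object paths are made up.

```python
from datetime import datetime

# Constructed results file after two signing jobs have appended to it.
# Layout per the page: a line starts with either a YYYYMMDD date or a message
# ID. The field separator, the position of the date on a message-ID line,
# the message ID and the paths are this example's assumptions.
SAMPLE_RESULTS = """\
20240115 /mydirectory/app.jar
20240115 /mydirectory/readme.txt
MSG0001 20240301 /mydirectory/bin/tool
20240301 /mydirectory/app.jar
20240301 /mydirectory/readme.txt
"""


def _is_date(field):
    """True if the field is a valid YYYYMMDD date (rejects e.g. 20241399)."""
    try:
        datetime.strptime(field, "%Y%m%d")
    except ValueError:
        return False
    return len(field) == 8


def parse_results(text):
    """Return (job_date, message_id, rest) per line; message_id is None on success."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if _is_date(fields[0]):
            rows.append((fields[0], None, " ".join(fields[1:])))
        elif len(fields) >= 2 and _is_date(fields[1]):
            # Error line: message ID first, then the date field (assumption).
            rows.append((fields[1], fields[0], " ".join(fields[2:])))
        else:
            raise ValueError("unrecognised results line: %r" % line)
    return rows


def latest_job_date(text):
    """Date of the most recent job, i.e. the lines DCM appended last."""
    return max(row[0] for row in parse_results(text))


def results_for_job(text, job_date):
    """Split one job's lines into (signed objects, [(message ID, object)]).

    job_date is a YYYYMMDD string. The date is the only per-job marker the
    page describes, so two jobs run on the same day cannot be told apart.
    """
    signed, errors = [], []
    for date, msg, rest in parse_results(text):
        if date != job_date:
            continue
        if msg is None:
            signed.append(rest)
        else:
            errors.append((msg, rest))
    return signed, errors


if __name__ == "__main__":
    today = latest_job_date(SAMPLE_RESULTS)
    ok, bad = results_for_job(SAMPLE_RESULTS, today)
    print("job", today, "signed:", ok)
    print("job", today, "errors:", bad)
```

If a signing job must be audited on its own, give each job a fresh results file name in the form rather than relying on the date field, since the file is only ever appended to.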