<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario details: Use DCM to sign objects and verify signatures" />
<meta name="abstract" content="Complete the following task steps to configure and use Digital Certificate Manager to sign objects as this scenario describes." />
<meta name="description" content="Complete the following task steps to configure and use Digital Certificate Manager to sign objects as this scenario describes." />
<meta name="DC.Relation" scheme="URI" content="rzalzdcmsignsc.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="dcmsigndetails" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario details: Use DCM to sign objects and verify signatures</title>
</head>
<body id="dcmsigndetails"><a name="dcmsigndetails"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario details: Use DCM to sign objects and verify signatures</h1>
|
|
<div><p>Complete the following task steps to configure and use Digital Certificate Manager to sign objects as this scenario describes.</p>
<div class="section"><h4 class="sectionscenariobar">Step 1: Complete all prerequisite steps</h4><p>You must complete all <a href="rzalzdcmsignsc.htm#dcmsignsc">prerequisite</a> tasks to install and configure all needed iSeries™ products before you can perform specific configuration tasks for implementing this scenario.</p>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 2: Create a Local Certificate Authority to issue a private object signing certificate</h4><p>When you use Digital Certificate Manager (DCM) to create a Local Certificate Authority (CA), the process requires you to complete a series of forms. These forms guide you through the process of creating a CA and completing other tasks needed to begin using digital certificates for Secure Sockets Layer (SSL), object signing, and signature verification. Although in this scenario you do not need to configure certificates for SSL, you must complete all forms in the task to configure the system to sign objects.</p>
<p>To use DCM to create and operate a Local CA, follow these steps:</p>
<ol><li><a href="../rzahu/rzahurzahu66adcmstart.htm">Start</a> DCM.</li>
<li>In the navigation frame of DCM, select <span class="uicontrol">Create a Certificate Authority (CA)</span> to display a series of forms. <div class="note"><span class="notetitle">Note:</span> If you have questions about how to complete a specific form in this guided task, select the question mark (<span class="uicontrol">?</span>) button at the top of the page to access the online help.</div>
</li>
<li>Complete all the forms for this guided task. As you perform this task, you must do the following: <ol type="a"><li>Provide identifying information for the Local CA.</li>
<li>Install the Local CA certificate in your browser so that your software can recognize the Local CA and validate certificates that the Local CA issues.</li>
<li>Specify the policy data for your Local CA.</li>
<li>Use the new Local CA to issue a server or client certificate that your applications can use for SSL connections. <div class="note"><span class="notetitle">Note:</span> Although this scenario does not make use of this certificate, you must create it before you can use the Local CA to issue the object signing certificate that you need. If you cancel the task without creating this certificate, you must create your object signing certificate and the *OBJECTSIGNING certificate store in which it is stored separately.</div>
</li>
<li>Select the applications that can use the server or client certificate for SSL connections. <div class="note"><span class="notetitle">Note:</span> For the purposes of this scenario, do not select any applications; click <span class="uicontrol">Continue</span> to display the next form.</div>
</li>
<li>Use the new Local CA to issue an object signing certificate that applications can use to digitally sign objects. This subtask creates the *OBJECTSIGNING certificate store, which is the certificate store that you use to manage object signing certificates.</li>
<li>Select the applications that are to trust your Local CA. <div class="note"><span class="notetitle">Note:</span> For the purposes of this scenario, do not select any applications; click <span class="uicontrol">Continue</span> to finish the task.</div>
</li>
</ol>
</li>
</ol>
<p>Now that you have created a Local CA and an object signing certificate, you must define an object signing application to use the certificate before you can sign objects.</p>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 3: Create an object signing application definition</h4><p>After you create your object signing certificate, you must use Digital Certificate Manager (DCM) to define an object signing application that you can use to sign objects. The application definition does not need to refer to an actual application; the application definition that you create can describe the type or group of objects that you intend to sign. You need the definition so that you can have an application ID to associate with the certificate to enable the signing process.</p>
<p>To use DCM to create an object signing application definition, follow these steps:</p>
<ol><li>In the navigation frame, click <span class="uicontrol">Select a Certificate Store</span> and select <span class="uicontrol">*OBJECTSIGNING</span> as the certificate store to open.</li>
<li>When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click <span class="uicontrol">Continue</span>.</li>
<li>In the navigation frame, select <span class="uicontrol">Manage Applications</span> to display a list of tasks.</li>
<li>Select <span class="uicontrol">Add application</span> from the task list to display a form for defining the application.</li>
<li>Complete the form and click <span class="uicontrol">Add</span>.</li>
</ol>
<p>Now you must assign your object signing certificate to the application that you created.</p>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 4: Assign a certificate to the object signing application definition</h4><p>To assign the certificate to your object signing application, follow these steps:</p>
<ol><li>In the DCM navigation frame, select <span class="uicontrol">Manage Certificates</span> to display a list of tasks.</li>
<li>From the list of tasks, select <span class="uicontrol">Assign certificate</span> to display a list of certificates for the current certificate store.</li>
<li>Select a certificate from the list and click <span class="uicontrol">Assign to Applications</span> to display a list of application definitions for the current certificate store.</li>
<li>Select one or more applications from the list and click <span class="uicontrol">Continue</span>. A message page displays to either confirm the certificate assignment or provide error information if a problem occurred.</li>
</ol>
<p>When you complete this task, you are ready to use DCM to sign the program objects that the company's public Web server (System B) will use.</p>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 5: Sign program objects</h4><p>To use DCM to sign the program objects for use on the company's public Web server (System B), follow these steps:</p>
<ol><li>In the navigation frame, click <span class="uicontrol">Select a Certificate Store</span> and select <span class="uicontrol">*OBJECTSIGNING</span> as the certificate store to open.</li>
<li>Enter the password for the *OBJECTSIGNING certificate store and click <span class="uicontrol">Continue</span>.</li>
<li>After the navigation frame refreshes, select <span class="uicontrol">Manage Signable Objects</span> to display a list of tasks.</li>
<li>From the list of tasks, select <span class="uicontrol">Sign an object</span> to display a list of application definitions that you can use for signing objects.</li>
<li>Select the application that you defined in the previous step and click <span class="uicontrol">Sign an Object</span>. A form displays that allows you to specify the location of the objects that you want to sign.</li>
<li>In the field provided, enter the fully qualified path and file name of the object or directory of objects that you want to sign and click <span class="uicontrol">Continue</span>. Or, enter a directory location and click <span class="uicontrol">Browse</span> to view the contents of the directory to select objects for signing. <div class="note"><span class="notetitle">Note:</span> You must start the object name with a leading slash or you may encounter an error. You can also use certain wildcard characters to describe the part of the directory that you want to sign. These wildcard characters are the asterisk (<strong>*</strong>), which specifies <em>any number of characters</em>, and the question mark (<strong>?</strong>), which specifies <em>any single character</em>. For example, to sign all the objects in a specific directory, you might enter <samp class="codeph">/mydirectory/*</samp>; to sign all the programs in a specific library, you might enter <samp class="codeph">/QSYS.LIB/QGPL.LIB/*.PGM</samp>. You can use these wildcards only in the last part of the path name; for example, <samp class="codeph">/mydirectory*/filename</samp> results in an error message. If you want to use the <span class="uicontrol">Browse</span> function to see a list of library or directory contents, you must enter the wildcard as part of the path name before clicking <span class="uicontrol">Browse</span>.</div>
</li>
<li>Select the processing options that you want to use for signing the selected object or objects and click <span class="uicontrol">Continue</span>. <div class="note"><span class="notetitle">Note:</span> If you choose to wait for job results, the results file displays directly in your browser. Results for the current job are appended to the end of the results file. Consequently, the file may contain results from any previous jobs, in addition to those of the current job. You can use the date field in the file to determine which lines in the file apply to the current job. The date field is in YYYYMMDD format. The first field in the file can be either the message ID (if an error occurred while processing the object) or the date field (indicating the date on which the job processed).</div>
</li>
<li>Specify the fully qualified path and file name to use for storing job results for the object signing operation and click <span class="uicontrol">Continue</span>. Or, enter a directory location and click <span class="uicontrol">Browse</span> to view the contents of the directory to select a file for storing the job results. A message displays to indicate that the job was submitted to sign objects. To view the job results, see job <span class="uicontrol">QOBJSGNBAT</span> in the job log.</li>
</ol>
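<p>The path rules and the results-file layout described in the notes above, worked through as an added Go example that is not part of this IBM documentation: <samp class="codeph">ValidateSignPath</samp> enforces the leading slash and the last-component-only wildcard rule, and <samp class="codeph">LinesForJob</samp> picks out the current job's lines from a results file that accumulates earlier jobs. The whitespace-separated line layout, the sample file, the <samp class="codeph">MSGID001</samp> placeholder and the rule that a message-ID line belongs to the date line preceding it are assumptions made for this example.</p>

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ValidateSignPath applies the rules stated on the Sign an object form: the
// object name must start with a slash, and the wildcards * and ? may appear
// only in the last part of the path name.
func ValidateSignPath(p string) error {
	if !strings.HasPrefix(p, "/") {
		return errors.New("object name must start with a leading slash")
	}
	i := strings.LastIndex(p, "/")
	dir, last := p[:i], p[i+1:]
	if strings.ContainsAny(dir, "*?") {
		return fmt.Errorf("wildcards are allowed only in the last part of the path name: %q", p)
	}
	if last == "" {
		return errors.New("path names a directory; add an object name or a wildcard pattern")
	}
	return nil
}

// ResultLine is one line of the job results file, classified by its first
// field: a YYYYMMDD date, or a message ID when an error occurred.
type ResultLine struct {
	Date      string // set when the first field is a date
	MessageID string // set when the first field is a message ID
	Rest      string // the remaining fields, joined by single spaces
}

// dateField matches the eight-digit YYYYMMDD date field.
var dateField = regexp.MustCompile(`^[0-9]{8}$`)

// ParseResults classifies every non-empty line of the results file. The
// whitespace-separated field layout is an assumption made for this example.
func ParseResults(content string) []ResultLine {
	var out []ResultLine
	for _, ln := range strings.Split(content, "\n") {
		fields := strings.Fields(ln)
		if len(fields) == 0 {
			continue
		}
		r := ResultLine{Rest: strings.Join(fields[1:], " ")}
		if dateField.MatchString(fields[0]) {
			r.Date = fields[0]
		} else {
			r.MessageID = fields[0]
		}
		out = append(out, r)
	}
	return out
}

// LinesForJob keeps only the lines that belong to the job run on jobDate, since
// the file accumulates results from earlier jobs. A message-ID line carries no
// date, so it is attributed to the most recent date line before it (an
// assumption about how error lines interleave with date lines).
func LinesForJob(content, jobDate string) []ResultLine {
	var out []ResultLine
	current := ""
	for _, r := range ParseResults(content) {
		if r.Date != "" {
			current = r.Date
		}
		if current == jobDate {
			out = append(out, r)
		}
	}
	return out
}

// SampleResults is a constructed results file: two jobs, the second of which
// hit an error on one object. MSGID001 is a placeholder, not a real message ID.
const SampleResults = `20060315 /mydirectory/app.pgm signed
20060315 /mydirectory/helper.pgm signed
20060320 /QSYS.LIB/QGPL.LIB/PAYROLL.PGM signed
MSGID001 /QSYS.LIB/QGPL.LIB/BADOBJ.PGM not signed
20060320 /QSYS.LIB/QGPL.LIB/REPORT.PGM signed
`

func main() {
	for _, p := range []string{"/mydirectory/*", "/QSYS.LIB/QGPL.LIB/*.PGM", "/mydirectory*/filename", "mydirectory/file"} {
		fmt.Printf("%-28s -> %v\n", p, ValidateSignPath(p))
	}
	for _, r := range LinesForJob(SampleResults, "20060320") {
		fmt.Printf("date=%q msgid=%q %s\n", r.Date, r.MessageID, r.Rest)
	}
}
```

<p>Checking the pattern before submitting it saves a round trip through the QOBJSGNBAT job log, and filtering the accumulated results file by date is what lets you attribute an error line to the job that produced it rather than to an earlier run.</p>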
<p>To ensure that you or others can verify the signatures, you must export the necessary certificates to a file and transfer the certificate file to System B. You must also complete all signature verification configuration tasks on System B before you transfer the signed program objects to System B. Signature verification configuration must be completed before you can successfully verify signatures as you restore the signed objects on System B.</p>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 6: Export certificates to enable signature verification on System B</h4><p>Signing objects to protect the integrity of the contents requires that you and others have a means of verifying the authenticity of the signature. To verify object signatures on the same system that signs the objects (System A), you must use DCM to create the *SIGNATUREVERIFICATION certificate store. This certificate store must contain a copy of both the object signing certificate and the CA certificate for the CA that issued the signing certificate.</p>
<p>To allow others to verify the signature, you must provide them with a copy of the certificate that signed the object. When you use a Local Certificate Authority (CA) to issue the certificate, you must also provide them with a copy of the Local CA certificate.</p>
<p>To use DCM so that you can verify signatures on the same system that signs the objects (System A in this scenario), follow these steps:</p>
<ol><li>In the navigation frame, select <span class="uicontrol">Create New Certificate Store</span> and select <span class="uicontrol">*SIGNATUREVERIFICATION</span> as the certificate store to create.</li>
<li>Select <span class="uicontrol">Yes</span> to copy existing object signing certificates into the new certificate store as signature verification certificates.</li>
<li>Specify a password for the new certificate store and click <span class="uicontrol">Continue</span> to create the certificate store. Now you can use DCM to verify object signatures on the same system that you use to sign objects.</li>
</ol>
<p>To use DCM to export a copy of the Local CA certificate and a copy of the object signing certificate as a signature verification certificate so that you can verify object signatures on other systems (System B), follow these steps:</p>
<ol><li>In the navigation frame, select <span class="uicontrol">Manage Certificates</span>, and then select the <span class="uicontrol">Export certificate</span> task.</li>
<li>Select <span class="uicontrol">Certificate Authority (CA)</span> and click <span class="uicontrol">Continue</span> to display a list of CA certificates that you can export.</li>
<li>Select the Local CA certificate that you created earlier from the list and click <span class="uicontrol">Export</span>.</li>
<li>Specify <span class="uicontrol">File</span> as your export destination and click <span class="uicontrol">Continue</span>.</li>
<li>Specify a fully qualified path and file name for the exported Local CA certificate and click <span class="uicontrol">Continue</span> to export the certificate.</li>
<li>Click <span class="uicontrol">OK</span> to exit the Export confirmation page. Now you can export a copy of the object signing certificate.</li>
<li>Re-select the <span class="uicontrol">Export certificate</span> task.</li>
<li>Select <span class="uicontrol">Object signing</span> to display a list of object signing certificates that you can export.</li>
<li>Select the appropriate object signing certificate from the list and click <span class="uicontrol">Export</span>.</li>
<li>Select <span class="uicontrol">File, as a signature verification certificate</span> as your destination and click <span class="uicontrol">Continue</span>.</li>
<li>Specify a fully qualified path and file name for the exported signature verification certificate and click <span class="uicontrol">Continue</span> to export the certificate.</li>
</ol>
<p>Now you can transfer these files to the endpoint systems on which you intend to verify signatures that you created with the certificate.</p>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 7: Transfer certificate files to company public server, System B</h4><p>You must transfer the certificate files that you created on System A to System B, the company's public Web server in this scenario, before you can configure them to verify the objects that you sign. You can use several different methods to transfer the certificate files. For example, you might use File Transfer Protocol (FTP) or Management Central package distribution to transfer the files.</p>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 8: Signature verification tasks: Create *SIGNATUREVERIFICATION certificate store</h4><p>To verify object signatures on System B (the company's public Web server), System B must have a copy of the corresponding signature verification certificate in the *SIGNATUREVERIFICATION certificate store. Because you used a certificate issued by a Local CA to sign the objects, this certificate store must also contain a copy of the Local CA certificate.</p>
<p>To create the *SIGNATUREVERIFICATION certificate store, follow these steps:</p>
<ol><li><a href="../rzahu/rzahurzahu66adcmstart.htm">Start</a> DCM.</li>
<li>In the Digital Certificate Manager (DCM) navigation frame, select <span class="uicontrol">Create New Certificate Store</span> and select <span class="uicontrol">*SIGNATUREVERIFICATION</span> as the certificate store to create. <div class="note"><span class="notetitle">Note:</span> If you have questions about how to complete a specific form while using DCM, select the question mark (<span class="uicontrol">?</span>) at the top of the page to access the online help.</div>
</li>
<li>Specify a password for the new certificate store and click <span class="uicontrol">Continue</span> to create the certificate store. Now you can import certificates into the store and use them to verify object signatures.</li>
</ol>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 9: Signature verification tasks: Import certificates</h4><p>To verify the signature on an object, the *SIGNATUREVERIFICATION store must contain a copy of the signature verification certificate. If the signing certificate is a private one, this certificate store must also have a copy of the Local Certificate Authority (CA) certificate that issued the signing certificate. In this scenario, both certificates were exported to a file and that file was transferred to each endpoint system.</p>
<p>To import these certificates into the *SIGNATUREVERIFICATION store, follow these steps:</p>
<ol><li>In the DCM navigation frame, click <span class="uicontrol">Select a Certificate Store</span> and select <span class="uicontrol">*SIGNATUREVERIFICATION</span> as the certificate store to open.</li>
<li>When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click <span class="uicontrol">Continue</span>.</li>
<li>After the navigation frame refreshes, select <span class="uicontrol">Manage Certificates</span> to display a list of tasks.</li>
<li>From the task list, select <span class="uicontrol">Import certificate</span>.</li>
<li>Select <span class="uicontrol">Certificate Authority (CA)</span> as the certificate type and click <span class="uicontrol">Continue</span>. <div class="note"><span class="notetitle">Note:</span> You must import the Local CA certificate before you import a private signature verification certificate; otherwise, the import process for the signature verification certificate will fail.</div>
</li>
<li>Specify the fully qualified path and file name for the CA certificate file and click <span class="uicontrol">Continue</span>. A message displays that either confirms that the import process succeeded or provides error information if the process failed.</li>
<li>Re-select the <span class="uicontrol">Import certificate</span> task.</li>
<li>Select <span class="uicontrol">Signature verification</span> as the certificate type to import and click <span class="uicontrol">Continue</span>.</li>
<li>Specify the fully qualified path and file name for the signature verification certificate file and click <span class="uicontrol">Continue</span>. A message displays that either confirms that the import process succeeded or provides error information if the process failed.</li>
</ol>
<p>You can now use DCM on System B to verify signatures on objects that you created with the corresponding signing certificate on System A.</p>
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Step 10: Signature verification tasks: Verify signature on program objects</h4><p>To use DCM to verify the signatures on the transferred program objects, follow these steps:</p>
<ol><li>In the navigation frame, click <span class="uicontrol">Select a Certificate Store</span> and select <span class="uicontrol">*SIGNATUREVERIFICATION</span> as the certificate store to open.</li>
<li>Enter the password for the *SIGNATUREVERIFICATION certificate store and click <span class="uicontrol">Continue</span>.</li>
<li>After the navigation frame refreshes, select <span class="uicontrol">Manage Signable Objects</span> to display a list of tasks.</li>
<li>From the list of tasks, select <span class="uicontrol">Verify object signature</span> to specify the location of the objects for which you want to verify signatures.</li>
<li>In the field provided, enter the fully qualified path and file name of the object or directory of objects for which you want to verify signatures and click <span class="uicontrol">Continue</span>. Or, enter a directory location and click <span class="uicontrol">Browse</span> to view the contents of the directory to select objects for signature verification. <div class="note"><span class="notetitle">Note:</span> You can also use certain wildcard characters to describe the part of the directory that you want to verify. These wildcard characters are the asterisk (<strong>*</strong>), which specifies <em>any number of characters</em>, and the question mark (<strong>?</strong>), which specifies <em>any single character</em>. For example, to verify the signatures on all the objects in a specific directory, you might enter <samp class="codeph">/mydirectory/*</samp>; to verify all the programs in a specific library, you might enter <samp class="codeph">/QSYS.LIB/QGPL.LIB/*.PGM</samp>. You can use these wildcards only in the last part of the path name; for example, <samp class="codeph">/mydirectory*/filename</samp> results in an error message. If you want to use the Browse function to see a list of library or directory contents, you must enter the wildcard as part of the path name before clicking <span class="uicontrol">Browse</span>.</div>
</li>
<li>Select the processing options that you want to use for verifying the signature on the selected object or objects and click <span class="uicontrol">Continue</span>. <div class="note"><span class="notetitle">Note:</span> If you choose to wait for job results, the results file displays directly in your browser. Results for the current job are appended to the end of the results file. Consequently, the file may contain results from any previous jobs, in addition to those of the current job. You can use the date field in the file to determine which lines in the file apply to the current job. The date field is in YYYYMMDD format. The first field in the file can be either the message ID (if an error occurred while processing the object) or the date field (indicating the date on which the job processed).</div>
</li>
<li>Specify the fully qualified path and file name to use for storing job results for the signature verification operation and click <span class="uicontrol">Continue</span>. Or, enter a directory location and click <span class="uicontrol">Browse</span> to view the contents of the directory to select a file for storing the job results. A message displays to indicate that the job was submitted to verify object signatures. To view the job results, see job <span class="uicontrol">QOBJSGNBAT</span> in the job log.</li>
</ol>
</div>
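<p>Steps 8 through 10 state that the *SIGNATUREVERIFICATION store must hold both the signature verification certificate and the Local CA certificate that issued it. The following Go program is an added example, not IBM code and not DCM's store format: it creates a Local CA and an object signing certificate with the standard library, signs an object, and shows that verification fails while the Local CA certificate is missing from the store, succeeds once it is imported, and fails again if the object changes after signing. The <samp class="codeph">SignatureVerificationStore</samp> type, the ECDSA P-256 keys and the sample object bytes are assumptions made for this example; the algorithms and file formats that DCM itself uses are not described on this page.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignatureVerificationStore is a hypothetical model of what the page says the *SIGNATUREVERIFICATION
// store must hold: the signature verification certificate and the Local CA certificate that issued it.
type SignatureVerificationStore struct {
	LocalCAs *x509.CertPool      // CA certificates (imported first in Step 9)
	Signers  []*x509.Certificate // signature verification certificates
}

var serial int64 // constructed serial numbers for this example

// NewCertificate generates a P-256 key and a certificate for it: a self-signed Local CA when parent
// is nil (Step 2), otherwise an object signing certificate issued by parent (Step 2, substep f).
func NewCertificate(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // cannot happen with a healthy entropy source
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // only reachable with an invalid template
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SignObject signs the SHA-256 digest of the object's bytes (Step 5).
func SignObject(key *ecdsa.PrivateKey, object []byte) ([]byte, error) {
	digest := sha256.Sum256(object)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyObject is the Step 10 check: the signature must verify under a signer certificate in the
// store, and that certificate must chain to a CA in the store and be permitted for code signing.
func VerifyObject(store SignatureVerificationStore, object, sig []byte) error {
	for _, signer := range store.Signers {
		if signer.CheckSignature(x509.ECDSAWithSHA256, object, sig) != nil {
			continue // not produced by this certificate's key
		}
		_, err := signer.Verify(x509.VerifyOptions{
			Roots:     store.LocalCAs,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		})
		if err != nil {
			return fmt.Errorf("signature matches %q but its issuing CA is not in the store: %w", signer.Subject.CommonName, err)
		}
		return nil
	}
	return errors.New("no signature verification certificate in the store matches this signature")
}

func main() {
	ca, caKey := NewCertificate("Local CA (constructed)", nil, nil)
	signer, signerKey := NewCertificate("Object signing (constructed)", ca, caKey)
	object := []byte("constructed sample program object") // stands in for a *PGM object
	sig, err := SignObject(signerKey, object)
	if err != nil {
		panic(err)
	}
	store := SignatureVerificationStore{LocalCAs: x509.NewCertPool(), Signers: []*x509.Certificate{signer}}
	fmt.Println("Local CA not imported:", VerifyObject(store, object, sig))
	store.LocalCAs.AddCert(ca) // Step 9: import the Local CA certificate as well
	fmt.Println("both certificates imported:", VerifyObject(store, object, sig))
	object[0] ^= 0xff // simulate an unauthorized change after signing
	fmt.Println("object modified after signing:", VerifyObject(store, object, sig))
}
```

<p>The first check fails with an unknown-authority error even though the signature itself is valid, which is why Step 9 has you import the Local CA certificate in addition to the signature verification certificate; the last check is the case the scenario exists for, an object altered after it was signed.</p>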
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalzdcmsignsc.htm" title="This scenario describes a company that wants to sign vulnerable application objects on their public Web server. They want to be able to more easily determine when there are unauthorized changes to these objects. Based on the company's business needs and security goals, this scenario describes how to use Digital Certificate Manager (DCM) as the primary method for signing objects and verifying object signatures.">Scenario: Use DCM to sign objects and verify signatures</a></div>
</div>
</div>
</body>
</html>