ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahucertstoverifysign.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Digital certificates for verifying object signatures" />
<meta name="abstract" content="This information explains how to use certificates to verify the digital signature on an object to verify its authenticity." />
<meta name="description" content="This information explains how to use certificates to verify the digital signature on an object to verify its authenticity." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4aagetstarteddcm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahusignsigningobjects.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakz/rzakzfinder.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="certs_to_verify_sign" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Digital certificates for verifying object signatures</title>
</head>
<body id="certs_to_verify_sign"><a name="certs_to_verify_sign"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Digital certificates for verifying object signatures</h1>
<div><p>This information explains how to use certificates to verify the
digital signature on an object to verify its authenticity.</p>
<p><span class="keyword">IBM<sup>®</sup> i5/OS™</span> provides support
for using certificates to verify digital signatures on objects. Anyone who
wants to ensure that a signed object has not been changed in transit and that
the object originated from an accepted source can use the signing certificate's
public key to verify the original digital signature. If the signature no longer
matches, the data may have been altered. In such a case, the recipient can
avoid using the object and can instead contact the signer to obtain another
copy of the signed object.</p>
<p>The signature on an object represents the system that signed the object,
not a specific user on that system. As part of the process of verifying digital
signatures, you must decide which Certificate Authorities you trust and which
certificates you trust for signing objects. When you elect to trust a Certificate
Authority (CA), you can elect whether to trust signatures that someone creates
by using a certificate that the trusted CA issued. When you elect not to trust
a CA, you also are electing not to trust certificates that the CA issues or
signatures that someone creates by using those certificates. </p>
<p><span class="uicontrol">Verify object restore (QVFYOBJRST) system value</span></p>
<p>If you decide to perform signature verification, one of the first important
decisions you must make is to determine how important signatures are for objects
being restored to your system. You control this with a system value called
Verify object signatures during restore (QVFYOBJRST). The default setting
for this system value allows unsigned objects to be restored, but ensures
that signed objects can be restored only if the objects have a valid signature.
The system defines an object as signed only if the object has a signature
that your system trusts; the system ignores other, "untrusted" signatures
on the object and treats the object as if it is unsigned.</p>
<p>There are several values that you can use for the <a href="../rzakz/rzakzqvfyobjrst.htm">QVFYOBJRST</a> system value, ranging from ignoring all signatures
to requiring valid signatures for all objects that the system restores. This
system value only affects executable objects that are being restored, not
save files or integrated file system files. To learn more about using this
and other system values, see the System Value Finder in the <span class="keyword">iSeries™ Information Center</span>.</p>
<p>You use Digital Certificate Manager (DCM) to implement your
certificate and CA trust decisions as well as to manage the certificates that
you use to verify object signatures. You can also use DCM to sign objects
and to verify object signatures.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4aagetstarteddcm.htm" title="Use this information to help you decide how and when you might use digital certificates to meet your security goals. Use this information to learn about any prerequisites you need to install, as well as other requirements that you must consider before using DCM.">Plan for DCM</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahurzahusignsigningobjects.htm" title="Use this information to learn how to use certificates to ensure an object's integrity or to verify the digital signature on an object to verify its authenticity.">Digital certificates for signing objects</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzakz/rzakzfinder.htm">System Vaule Finder</a></div>
</div>
</div>
</body>
</html>