143 lines
9.2 KiB
HTML
143 lines
9.2 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<!DOCTYPE html
|
||
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
<html lang="en-us" xml:lang="en-us">
|
||
<head>
|
||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
<meta name="security" content="public" />
|
||
<meta name="Robots" content="index,follow" />
|
||
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
<meta name="DC.Type" content="concept" />
|
||
<meta name="DC.Title" content="Code checker commands to ensure signature integrity" />
|
||
<meta name="abstract" content="Learn about using commands to verify object signatures to determine object integrity." />
|
||
<meta name="description" content="Learn about using commands to verify object signatures to determine object integrity." />
|
||
<meta name="DC.Relation" scheme="URI" content="rzalzmanageobjects.htm" />
|
||
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
|
||
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
|
||
<meta name="DC.Format" content="XHTML" />
|
||
<meta name="DC.Identifier" content="codechecker" />
|
||
<meta name="DC.Language" content="en-us" />
|
||
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
<!-- US Government Users Restricted Rights -->
|
||
<!-- Use, duplication or disclosure restricted by -->
|
||
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
<title>Code checker commands to ensure signature integrity</title>
|
||
</head>
|
||
<body id="codechecker"><a name="codechecker"><!-- --></a>
|
||
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
<h1 class="topictitle1">Code checker commands to ensure signature integrity</h1>
|
||
<div><p>Learn about using commands to verify object signatures to determine
|
||
object integrity.</p>
|
||
<p>You can use Digital Certificate Manager (DCM) or APIs to verify signatures
|
||
on objects. You can also use several commands to check signatures. Using these
|
||
commands allows you to verify signatures in much the same way that you use
|
||
a virus checker to determine when a virus has corrupted files or other objects
|
||
on your system. Most signatures are checked as the object is restored or installed
|
||
on to the system, for example by using the RSTLIB command. </p>
|
||
<p>You can choose one of three commands to check signatures on objects that
|
||
are already on the system. Of these, the Check Object Integrity (CHKOBJITG)
|
||
command is designed specifically for verifying object signatures. Signature
|
||
checking for each of these commands is controlled by the CHKSIG parameter.
|
||
This parameter allows you to check all object types that can be signed for
|
||
signatures, ignore all signatures, or check only objects that have signatures.
|
||
This last option is the default value for the parameter.</p>
|
||
<div class="section"><h4 class="sectiontitle">Check Object Integrity (CHKOBJITG) command</h4><p>The Check
|
||
Object Integrity (<a href="../cl/chkobjitg.htm">CHKOBJITG</a>)
|
||
command allows you to allows you to determine if objects on your system have
|
||
integrity violations. You can use this command to check for integrity violations
|
||
for objects that a specific user profile owns, objects that match a specific
|
||
path name, or all objects on the system. An integrity violation log entry
|
||
occurs when one of these conditions is met: </p>
|
||
<ul><li>A command, a program, a module object, or a library's attributes, has
|
||
been altered. </li>
|
||
<li>The digital signature on an object is determined to be invalid. The signature
|
||
is an encrypted mathematical summary of the data in the object; therefore,
|
||
the signature is considered to match and be valid if the data in the object
|
||
during verification matches the data in the object when it was signed. An
|
||
invalid signature is determined based on a comparison of the encrypted mathematical
|
||
summary that is created when the object is signed and the encrypted mathematical
|
||
summary done during signature verification. The signature verification process
|
||
compares the two summary values. If the values are not the same, the contents
|
||
of object have changed since it was signed and the signature is considered
|
||
to be invalid.</li>
|
||
<li>An object has an incorrect domain attribute for the object type.</li>
|
||
</ul>
|
||
<p>If the command detects an integrity violation for an object, it adds
|
||
the object name, library name (or path name), object type, object owner, and
|
||
type of failure to a database log file. The command also creates a log entry
|
||
in certain other cases, although these cases are not integrity violations.
|
||
For example, the command creates a log entry for objects that are signable
|
||
but do not have a digital signature, objects that it can not check, and objects
|
||
in a format that requires changes in order to be used on the current system
|
||
implementation (IMPI to RISC conversion).</p>
|
||
<p>The CHKSIG parameter value
|
||
controls how the command handles digital signatures on objects. You can specify
|
||
one of three values for this parameter: </p>
|
||
<ul><li>*SIGNED – When you specify this value, the command checks objects with
|
||
digital signatures. The command creates a log entry for any object with a
|
||
signature that is not valid. This is the default value.</li>
|
||
<li>*ALL – When you specify this value, the command checks all <a href="rzalzsignableobjects.htm#signableobjects">signable
|
||
objects</a> to determine whether they have a signature. The command creates
|
||
a log entry for any signable object that does not have a signature and for
|
||
any object with a signature that is not valid.</li>
|
||
<li>*NONE – When you specify this value, the command does not check digital
|
||
signatures on objects.</li>
|
||
</ul>
|
||
</div>
|
||
<div class="section"><h4 class="sectiontitle">Check Product Option (CHKPRDOPT) command</h4><p>The Check
|
||
Product Option (<a href="../cl/chkprdopt.htm ">CHKPRDOPT</a>)
|
||
command reports differences between the correct structure and the actual structure
|
||
of a software product. For example, the command reports an error if an object
|
||
is deleted from an installed product. </p>
|
||
<p>The CHKSIG parameter value controls
|
||
how the command handles digital signatures on objects. You can specify one
|
||
of three values for this parameter: </p>
|
||
<ul><li>*SIGNED – When you specify this value, the command checks objects with
|
||
digital signatures. The command verifies the signatures on any signed objects.
|
||
If the command determines that the signature on an object is not valid, the
|
||
command sends a message to the job log and the identifies the product as being
|
||
in an erroneous state. This is the default value.</li>
|
||
<li>*ALL – When you specify this value, the command checks all <a href="rzalzsignableobjects.htm#signableobjects">signable
|
||
objects</a> to determine whether they have a signature and verifies the
|
||
signature on these objects. The command sends a message to the job log for
|
||
any signable object that does not have a signature; however, the command does
|
||
not identify the product as erroneous. If the command determines that a signature
|
||
on an object is not valid, it sends a message to the job log and sets the
|
||
product as erroneous. </li>
|
||
<li>*NONE – When you specify this value, the command does not check digital
|
||
signatures on product objects.</li>
|
||
</ul>
|
||
</div>
|
||
<div class="section"><h4 class="sectiontitle">Save Licensed Program (SAVLICPGM) command</h4><p>The
|
||
Save Licensed Program (<a href="../cl/savlicpgm.htm">SAVLICPGM</a>)
|
||
command allows you to save a copy of the objects that make up a licensed program.
|
||
It saves the licensed program in a form that can be restored by the Restore
|
||
Licensed Program (RSTLICPGM) command. </p>
|
||
<p>The CHKSIG parameter value controls
|
||
how the command handles digital signatures on objects. You can specify one
|
||
of three values for this parameter: </p>
|
||
<ul><li>*SIGNED – When you specify this value, the command checks objects with
|
||
digital signatures. The command verifies the signatures on any signed objects
|
||
but does not check unsigned objects. If the command determines that the signature
|
||
on an object is not valid, the command sends a message to the job log to identify
|
||
the object and the save will fail. This is the default value.</li>
|
||
<li>*ALL – When you specify this value, the command checks all <a href="rzalzsignableobjects.htm#signableobjects">signable
|
||
objects</a> to determine whether they have a signature and verifies the
|
||
signature on these objects. The command sends a message to the job log for
|
||
any signable object that does not have a signature; however, the save process
|
||
does not end. If the command determines that a signature on an object is not
|
||
valid, it sends a message to the job log and the save will fail. </li>
|
||
<li>*NONE – When you specify this value, the command does not check digital
|
||
signatures on product objects.</li>
|
||
</ul>
|
||
</div>
|
||
</div>
|
||
<div>
|
||
<div class="familylinks">
|
||
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalzmanageobjects.htm" title="Use this information to learn about system commands and system values that you can use to work with signed objects and how signed objects affect backup and recovery processes.">Manage signed objects</a></div>
|
||
</div>
|
||
</div>
|
||
</body>
|
||
</html> |