i5/OS: Code checker commands to ensure signature integrity

Code checker commands to ensure signature integrity

Learn about using i5/OS^® commands to verify object signatures to determine object integrity.
You can use Digital Certificate Manager (DCM) or APIs to verify signatures on objects. You can also use several commands to check signatures. Using these commands allows you to verify signatures in much the same way that you use a virus checker to determine when a virus has corrupted files or other objects on your system. Most signatures are checked as the object is restored or installed on to the system, for example by using the RSTLIB command.
You can choose one of three commands to check signatures on objects that are already on the system. Of these, the Check Object Integrity (CHKOBJITG) command is designed specifically for verifying object signatures. Signature checking for each of these commands is controlled by the CHKSIG parameter. This parameter allows you to check all object types that can be signed for signatures, ignore all signatures, or check only objects that have signatures. This last option is the default value for the parameter.

Check Object Integrity (CHKOBJITG) command

The Check Object Integrity (CHKOBJITG) command allows you to allows you to determine if objects on your system have integrity violations. You can use this command to check for integrity violations for objects that a specific user profile owns, objects that match a specific path name, or all objects on the system. An integrity violation log entry occurs when one of these conditions is met:

A command, a program, a module object, or a library's attributes, has been altered.
The digital signature on an object is determined to be invalid. The signature is an encrypted mathematical summary of the data in the object; therefore, the signature is considered to match and be valid if the data in the object during verification matches the data in the object when it was signed. An invalid signature is determined based on a comparison of the encrypted mathematical summary that is created when the object is signed and the encrypted mathematical summary done during signature verification. The signature verification process compares the two summary values. If the values are not the same, the contents of object have changed since it was signed and the signature is considered to be invalid.
An object has an incorrect domain attribute for the object type.

If the command detects an integrity violation for an object, it adds the object name, library name (or path name), object type, object owner, and type of failure to a database log file. The command also creates a log entry in certain other cases, although these cases are not integrity violations. For example, the command creates a log entry for objects that are signable but do not have a digital signature, objects that it can not check, and objects in a format that requires changes in order to be used on the current system implementation (IMPI to RISC conversion).
The CHKSIG parameter value controls how the command handles digital signatures on objects. You can specify one of three values for this parameter:

*SIGNED – When you specify this value, the command checks objects with digital signatures. The command creates a log entry for any object with a signature that is not valid. This is the default value.
*ALL – When you specify this value, the command checks all signable objects to determine whether they have a signature. The command creates a log entry for any signable object that does not have a signature and for any object with a signature that is not valid.
*NONE – When you specify this value, the command does not check digital signatures on objects.

Check Product Option (CHKPRDOPT) command

The Check Product Option (CHKPRDOPT) command reports differences between the correct structure and the actual structure of a software product. For example, the command reports an error if an object is deleted from an installed product.
The CHKSIG parameter value controls how the command handles digital signatures on objects. You can specify one of three values for this parameter:

*SIGNED – When you specify this value, the command checks objects with digital signatures. The command verifies the signatures on any signed objects. If the command determines that the signature on an object is not valid, the command sends a message to the job log and the identifies the product as being in an erroneous state. This is the default value.
*ALL – When you specify this value, the command checks all signable objects to determine whether they have a signature and verifies the signature on these objects. The command sends a message to the job log for any signable object that does not have a signature; however, the command does not identify the product as erroneous. If the command determines that a signature on an object is not valid, it sends a message to the job log and sets the product as erroneous.
*NONE – When you specify this value, the command does not check digital signatures on product objects.

Save Licensed Program (SAVLICPGM) command

The Save Licensed Program (SAVLICPGM) command allows you to save a copy of the objects that make up a licensed program. It saves the licensed program in a form that can be restored by the Restore Licensed Program (RSTLICPGM) command.
The CHKSIG parameter value controls how the command handles digital signatures on objects. You can specify one of three values for this parameter:

*SIGNED – When you specify this value, the command checks objects with digital signatures. The command verifies the signatures on any signed objects but does not check unsigned objects. If the command determines that the signature on an object is not valid, the command sends a message to the job log to identify the object and the save will fail. This is the default value.
*ALL – When you specify this value, the command checks all signable objects to determine whether they have a signature and verifies the signature on these objects. The command sends a message to the job log for any signable object that does not have a signature; however, the save process does not end. If the command determines that a signature on an object is not valid, it sends a message to the job log and the save will fail.
*NONE – When you specify this value, the command does not check digital signatures on product objects.

Parent topic:
Managing signed objects