Tip

Object signing, what's that all about?


Rich Loeber
All of the security measures you implement could easily be brought down if someone can introduce tampered data or programs into your system without your knowledge. To address this, i5/OS (OS/400) has supported object signing ever since release V5R1 became available. Object signing, simply stated, works by having each object on your system signed by the originator that guarantees that the object is what it claims to be and that it has not been altered.

More Information

Most systems today, several years after release of this feature, still only have the IBM operating system carrying signatures. Run the WRKOBJ for *PGM objects on your system in the QSYS library. When the list comes up, place and '8' next to one of the objects and then scroll up to the second panel. You should see the following fields displayed:

 
    Auditing/Integrity information: 
      Object auditing value  . . . . . . :   *NONE 
      Digitally signed . . . . . . . . . :   YES 
        System-trusted source  . . . . . :   YES 
        Multiple signatures  . . . . . . :   NO 

Note that the object is showing as being digitally signed and that it is from a system-trusted source.

Similarly, if you do the same for some of your own programs, you will most likely find that there is no signing in effect. In fact, most System i family implementations today that are not from IBM carry no signature.

So, what's the big deal and how can this help you?

For now, probably not much. The current implementation of this is clearly designed to help IBM protect its operating system. IBM has provided some tools in the operating system to give users control. The system value QVFYOBJRST can be set to only allow restore of objects that are signed. You can differentiate this for objects that are system state and user state. In fact, the recommended setting level of three will prevent any unsigned system state programs from being loaded onto your system, thereby adding a level of protection to the operating system's integrity.

There is also the ability to scan your system for object integrity by using the Check Object Integrity (CHKOBJITG) command. An option on this command will let you verify objects that are signed to make sure that operating system components have not been tampered with since they were loaded. Scanning the operating system on your server can produce a database list of all objects on the system that have bad signatures. Finding these could indicate that the operating system has been tampered with.

To add an additional layer of security to your own applications, this technology is available for user state programs, as well. But, seeing that the software developer community has not embraced this to date, you may just be asking for a headache by doing your own implementation while other third-party software on your system does not comply.

If you have specific questions about this topic, e-mail me at rich@kisco.com. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.


This was first published in May 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.