Most systems today, several years after the release of this feature, still have only the IBM operating system objects carrying signatures. Run the WRKOBJ command for *PGM objects in the QSYS library on your system. When the list comes up, place an '8' (Display description) next to one of the objects and then page forward to the second panel. You should see the following fields displayed:
Auditing/Integrity information:
  Object auditing value . . . . . . :   *NONE
  Digitally signed  . . . . . . . . :   YES
    System-trusted source . . . . . :   YES
    Multiple signatures . . . . . . :   NO
Note that the object shows as digitally signed and that the signature is from a system-trusted source, that is, it verifies against the certificate IBM ships with the operating system.
Similarly, if you do the same for some of your own programs, you will most likely find that no signature is in effect. In fact, most non-IBM software running on the System i family today carries no signature at all.
So, what's the big deal and how can this help you?
For now, probably not much. The current implementation is clearly designed to help IBM protect its operating system, but IBM has also provided tools in the operating system that give users some control. The system value QVFYOBJRST determines whether signatures are verified when objects are restored, and whether unsigned objects and objects with bad signatures are allowed to restore at all. Its values run from 1 (no verification) to 5 (restore only objects whose signatures verify), and the check is applied differently to system state and user state objects. The recommended setting, level 3 (which is also the shipped default), lets unsigned user state programs and commands restore but rejects signed objects whose signatures do not verify, and it prevents any unsigned system state program from being loaded onto your system, thereby adding a level of protection to the operating system's integrity.
There is also the ability to scan your system for object integrity with the Check Object Integrity (CHKOBJITG) command. An option on this command verifies the signatures of signed objects, so you can make sure that operating system components have not been tampered with since they were loaded. Scanning the operating system on your server writes a database file listing every object on the system whose signature does not verify. Any entries in that file could indicate that the operating system has been tampered with, and each one should be explained before the system is trusted.
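The whole sequence described above (inspecting the signature fields on an IBM program, checking and setting QVFYOBJRST, and running CHKOBJITG against the operating system) as one set of IBM i CL commands. This is an added example and not part of the original column: QCMD is simply one IBM-supplied program chosen for illustration, QGPL/OBJITG is an arbitrary output file name, and the command is written with "+" continuation as it would appear in a CL source member. The CHKOBJITG parameter names are from my recollection of the command, which gained options over several releases, so check them against the CL reference for your release before relying on them.

```cl
/* Added example, not code from the article. IBM i CL, as typed on a  */
/* command line or placed in a CL source member. QCMD is just one     */
/* IBM-supplied program to look at; QGPL/OBJITG is an arbitrary       */
/* output file name chosen for this example.                          */

/* 1. Show the signature fields on an IBM program. Option 8 on the    */
/*    WRKOBJ list reaches the same description panel as DSPOBJD.       */
WRKOBJ OBJ(QSYS/*ALL) OBJTYPE(*PGM)
DSPOBJD OBJ(QSYS/QCMD) OBJTYPE(*PGM) DETAIL(*FULL)

/* 2. See how restores are currently handled, then set the             */
/*    recommended level: verify signatures on restore and reject       */
/*    signed objects whose signatures do not verify.                   */
DSPSYSVAL SYSVAL(QVFYOBJRST)
CHGSYSVAL SYSVAL(QVFYOBJRST) VALUE('3')

/* 3. Scan every object in QSYS, verifying digital signatures (and,    */
/*    while at it, checking for domain and program-modification        */
/*    violations), and write the findings to a database file.          */
/*    CHKOBJITG requires *AUDIT special authority.                      */
CHKOBJITG USRPRF(*NONE) OBJ(QSYS/*ALL)            +
          CHKDGTSIG(*YES) CHKDMN(*YES) CHKPGMMOD(*YES) +
          OUTFILE(QGPL/OBJITG)

/* 4. Review the findings. An empty file is the result you want; any   */
/*    row names an object whose integrity check failed and should be   */
/*    explained before the system is trusted.                          */
RUNQRY QRY(*NONE) QRYFILE((QGPL/OBJITG))
```

Keep the output file from each scan and compare it with the previous run; a new row appearing between scans is more useful evidence of tampering than the absolute contents of any single scan.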
To add an additional layer of security to your own applications, this technology is available for user state programs as well. But since the software developer community has not embraced it to date, you may just be asking for a headache by doing your own implementation while the other third-party software on your system does not comply.
If you have specific questions about this topic, e-mail me at firstname.lastname@example.org. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
This was first published in May 2006