
Signed and unsigned objects

I have an iSeries server on which I noticed a SYSVAL, QVFYOBJRST. What's the use of this value? Could you brief us about the signed and unsigned objects that are affected by this value?

V5R1 includes new support for "object signing" through digital signatures. The QVFYOBJRST system value is used to control how your system should react to signed and/or unsigned objects depending on the presence or absence of a digital signature and the validity of a signature.

OS/400 has had superior security features built in to it from the beginning. However, as internetworking increases and "open" protocols and servers become the norm even for OS/400, additional protection is needed. Programs and certain other objects can be associated with digital signatures so that you can feel confident that the objects came from where they were supposed to come from and that they were not modified while in transit.

The QVFYOBJRST system value specifies the action to take when restoring an object whose signature doesn't match what it should. In V5R1, the values you can specify are:

1 = Do not verify object signatures on restore.

2 = Verify object signatures on restore; allow restore of objects without signatures and with signatures that are not valid.

3 = Verify object signatures on restore; allow restore of objects without signatures.

4 = Verify object signatures on restore; allow restore of objects with signatures that are not valid.

5 = Verify object signatures on restore; do not allow restore of objects without signatures or with signatures that are not valid.

All OS/400 software, as well as the software for options and iSeries licensed programs, has been signed by IBM. Existing signatures can be checked through an expanded ability of the CHKOBJITG (Check Object Integrity) command as well as through panels of the Digital Certificate Manager.

If needed, you can use digital signatures to protect your own software or you might require 3rd-party vendors to supply only signed software.

However, since most iSeries software is not currently signed, these requirements are likely too restrictive. The QVFYOBJRST system value defaults to "3 = Verify object signatures on restore; allow restore of objects without signatures." This is probably the best setting for most sites.

The iSeries Information Center contains pretty good sections about QVFYOBJRST and related items. Try searching on "qvfyobjrst tips for object signing" (without the quotes). The sections from 'Tips and Tools for Securing Your iSeries' seemed most useful to me for good background.
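To see what tightening the setting would mean before changing it, the five values listed above can be modeled and run against an inventory of objects. This is an added example, not IBM code or part of the original answer; it encodes only the V5R1 list as given here, and the object names and signature states in the inventory are constructed.

```python
from enum import Enum

class Sig(Enum):
    UNSIGNED = "unsigned"   # object carries no digital signature
    VALID = "valid"         # signature present and verifies
    INVALID = "invalid"     # signature present but does not verify

# QVFYOBJRST value -> (verify on restore?, signature states that block a restore),
# transcribed from the V5R1 list above.
POLICY = {
    "1": (False, set()),
    "2": (True, set()),
    "3": (True, {Sig.INVALID}),
    "4": (True, {Sig.UNSIGNED}),
    "5": (True, {Sig.UNSIGNED, Sig.INVALID}),
}

def restore_allowed(setting, sig):
    verify, blocked = POLICY[setting]
    # With "1" the signature is never examined, so nothing can be rejected.
    return (not verify) or sig not in blocked

def blocked_objects(setting, inventory):
    """Names of objects the given setting would refuse to restore."""
    return [name for name, sig in inventory if not restore_allowed(setting, sig)]

def newly_blocked(current, proposed, inventory):
    """Objects that restore under `current` but would be refused under `proposed`."""
    before = set(blocked_objects(current, inventory))
    return [n for n in blocked_objects(proposed, inventory) if n not in before]

# Constructed inventory (hypothetical object names).
INVENTORY = [
    ("IBMPGM", Sig.VALID),
    ("VENDORPGM", Sig.UNSIGNED),
    ("INHOUSEPGM", Sig.UNSIGNED),
    ("TAMPERED", Sig.INVALID),
]

if __name__ == "__main__":
    for setting in sorted(POLICY):
        print(setting, blocked_objects(setting, INVENTORY))
    print("3 -> 5 newly blocked:", newly_blocked("3", "5", INVENTORY))
```

With this inventory, moving from 3 to 5 newly blocks both unsigned programs, which is the "too restrictive" effect described above for sites whose software is mostly unsigned.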

