Overview

This page discusses two aspects of digital signatures relevant to our products: digital signatures generated by our products and digital signatures that ensure the integrity of our products. It provides background and IBM i information that is important to these two aspects.

Definitions

Two definitions that are important to the discussion:

Digital Signature
A digital signature is a string of bytes that can be used by a recipient to verify the identity of the person sending an email, signing a document, or signing an object. The signature can also be used by the recipient to verify that the email, document, or object has not been changed since it was signed.
Digital Certificate
A digital certificate is a string of bytes that contains information about its owner. The owner uses it to create digital signatures, and a recipient uses it to verify them.

Generated Signatures

Several of our products can digitally sign the emails or documents they create. Our products never handle digital certificates directly. To generate a digital signature, we call IBM i APIs, which securely handle the certificates and signature generation without exposing sensitive information to your user or our software.

The IBM i facility that allows you to create, store and manage digital certificates is "Digital Certificate Manager" (DCM). This is a free optional part of IBM i (57xxSS1 option 34). To use the digital signing capabilities of our products, you must install DCM, understand how to use it to create or store digital certificates, and make those certificates available for use by our products. To find complete details on Digital Certificate Manager, go to the IBM® Information Center and search on "DCM".

With DCM, you make digital certificates available to our products by adding them to the "object signing certificate store". When you add them, you associate an "Application ID" with the digital certificate. To generate digital signatures with our products, you specify this "Application ID" on the product's "signing key" command parameter. The product, in turn, passes the "Application ID" to IBM i's APIs for processing.

You control the users that have access to a particular "Application ID" with IBM i's "Change Function Usage" (CHGFCNUSG) command.

Product Integrity

We digitally sign all (applicable) objects in our products. Installing our signing certificates on your system allows you to verify our objects using IBM i's Check Object Integrity (CHKOBJITG) command.

The IBM i facility that allows you to create, store and manage digital certificates is "Digital Certificate Manager" (DCM). This is a free optional part of IBM i (57xxSS1 option 34). To use IBM i's object integrity checking (signature verification) on our products, you must install DCM and understand how to use it to import our digital certificates. To find complete details on Digital Certificate Manager, go to the IBM® Information Center and search on "DCM".

With DCM you import our object signing and root CA certificates into IBM i's "signature verification certificate store". Our certificates can be found in each product and PTF download, on every CD-ROM, in each product's /doc directory and here.

Note: As of May 5th, 2009 we have stopped signing the save files used with product downloads and PTF packages. Since signature verification for save files is not influenced by the QVFYOBJRST system value, installing our certificates was required in order to use the save files. This caused hardship for most of our customers. The objects contained in the downloads and PTFs continue to be signed.
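
The CL commands below are an added example, not part of the original product documentation. They cover the two tasks described on this page: limiting who may use a signing "Application ID" and checking the signatures on a product's objects. PRODLIB, QGPL/SIGCHK, MYCO_SIGN_APP and SIGNUSER are placeholder names, and the example assumes the "Application ID" you defined in DCM is the function ID that CHGFCNUSG expects.

```cl
/* --- Generated signatures: restrict use of the signing Application ID --- */
/* Assumption: the DCM Application ID (placeholder MYCO_SIGN_APP) is the    */
/* function ID. Deny it by default, then allow one named signer.            */
CHGFCNUSG FCNID(MYCO_SIGN_APP) DEFAULT(*DENIED)
CHGFCNUSG FCNID(MYCO_SIGN_APP) USER(SIGNUSER) USAGE(*ALLOWED)

/* Review the resulting usage settings for the function.                    */
DSPFCNUSG FCNID(MYCO_SIGN_APP)

/* --- Product integrity: verify the vendor's signed objects -------------- */
/* Prerequisite: the vendor's object signing and root CA certificates have  */
/* been imported into the signature verification certificate store in DCM.  */

/* Show the system's policy for verifying signatures when objects are       */
/* restored.                                                                 */
DSPSYSVAL SYSVAL(QVFYOBJRST)

/* Check every signable object in the product library (placeholder PRODLIB).*/
/* CHKSIG(*ALL) also reports objects that could be signed but are not.      */
/* Results are written to the output file QGPL/SIGCHK (placeholder name).   */
CHKOBJITG OBJ('/QSYS.LIB/PRODLIB.LIB/*') OUTFILE(QGPL/SIGCHK) CHKSIG(*ALL)

/* Display the output file. Each record is an object that failed a check,   */
/* so an empty file means no violations were logged.                        */
RUNQRY QRY(*NONE) QRYFILE((QGPL/SIGCHK))
```

Run CHKOBJITG after each product install or PTF apply, and treat any record in the output file as something to investigate before the objects are used.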
