Digital certificates for signing objects

IBM® i provides support for using certificates to digitally "sign" objects. Digitally signing objects provides a way to verify both the integrity of the object's contents and its source of origin.

Object signing support augments the traditional IBM i tools for controlling who can change objects. Traditional controls cannot protect an object from unauthorized tampering while the object is in transit across the Internet or another untrusted network, or while the object is stored on a system other than the IBM i platform. Also, traditional controls cannot always determine whether unauthorized changes to or tampering with an object has occurred. Using digital signatures on objects provides a sure means of detecting changes to the signed objects.

Placing a digital signature on an object consists of using a certificate's private key to add an encrypted mathematical summary of the data in an object. The signature protects the data from unauthorized changes. The object and its contents are not encrypted and made private by the digital signature; however, the summary itself is encrypted to prevent unauthorized changes to it. Anyone who wants to ensure that the object has not been changed in transit and that the object originated from an accepted, legitimate source can use the signing certificate's public key to verify the original digital signature. If the signature no longer matches, the data may have been altered. In such a case, the recipient can avoid using the object and can instead contact the signer to obtain another copy of the signed object.
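The sign, verify, and tamper-detection cycle described above can be reproduced on any workstation. The following is an added example, not IBM i or DCM code: it assumes the OpenSSL command-line tool is installed, uses a bare RSA key pair in place of a signing certificate, and all file names and the sample object are constructed.

```shell
#!/usr/bin/env bash
# Added illustration: OpenSSL stands in for the signing and verification DCM performs.
# Every file name and the sample object below are constructed for this example.
WORK=$(mktemp -d)

# Signer: create a key pair. The private key never leaves the signer;
# the public key is what recipients use to verify.
make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sign.key" 2>/dev/null
  openssl pkey -in "$WORK/sign.key" -pubout -out "$WORK/sign.pub" 2>/dev/null
}

# Signer: compute a SHA-256 summary of the object and sign it with the private key.
# $1 = object file, $2 = detached signature file to write
sign_object() {
  openssl dgst -sha256 -sign "$WORK/sign.key" -out "$2" "$1"
}

# Recipient: recompute the summary and check it against the signature with the
# public key. Returns 0 only when the object is unchanged since signing.
verify_object() {
  [ "$(openssl dgst -sha256 -verify "$WORK/sign.pub" -signature "$2" "$1" 2>/dev/null)" = "Verified OK" ]
}

demo() {
  make_keys
  printf 'PGM VERSION(1) constructed sample object\n' > "$WORK/object.dat"
  sign_object "$WORK/object.dat" "$WORK/object.sig"

  # The object itself is not encrypted: its contents remain readable after signing.
  grep -q 'constructed sample object' "$WORK/object.dat" &&
    echo "object contents are still in the clear"

  verify_object "$WORK/object.dat" "$WORK/object.sig" &&
    echo "unmodified object: signature verifies"

  # Simulate a change made in transit or on another system.
  printf 'PGM VERSION(2) constructed sample object\n' > "$WORK/object.dat"
  verify_object "$WORK/object.dat" "$WORK/object.sig" ||
    echo "modified object: signature no longer matches, do not use it"
}

demo
```
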

If you decide that using digital signatures fits your security needs and policies, you need to evaluate whether to use public certificates or to issue private certificates. If you intend to distribute objects to users in the general public, you might consider using certificates from a well-known public Certificate Authority (CA) to sign objects. Using public certificates ensures that others can easily and inexpensively verify the signatures that you place on objects that you distribute to them. If, however, you intend to distribute objects solely within your organization, you may prefer to use Digital Certificate Manager (DCM) to operate your own local CA to issue certificates for signing objects. Using private certificates from a local CA to sign objects is less expensive than purchasing certificates from a well-known public CA.

The signature on an object represents the system that signed the object, not a specific user on that system (although the user must have the appropriate authority to use the certificate for signing objects). You use DCM to manage the certificates that you use to sign objects and to verify object signatures. You can also use DCM to sign objects and to verify object signatures.