Digital Signatures

This page discusses two aspects of digital signatures relevant to our products: digital signatures generated by our products and digital signatures that insure the integrity of our products. It provides background and i5/OS information that is important to these two aspects.

There are two definitions that are important to the discussion:

Digital Signature

A digital signature is a string of bytes that can be used by a recipient to verify the identity of the person sending an email, signing a document, or signing an object. The signature can also be used by the recipient to verify that the email, document, or object has not been changed since it was signed.

Digital Certificate

A digital certificate is a string of bytes containing information about the owner and used by the owner to create digital signatures and by a recipient to verify digital signatures.

Several of our products have the ability to digitally sign the email or PDF documents they create. Our products never handle digital certificates directly. In order to generate a digital signature we make calls to i5/OS APIs which securely handle the certificates and signature generation, without exposing sensitive information to your user or our software.

The i5/OS facility that allows you to create, store and manage digital certificates is "Digital Certificate Manager" (DCM). This is a free optional part of i5/OS (5722SS1 option 34). In order to use the digital signing capabilities of our products you must install and understand how to use DCM to create or store digital certificates, and make them available for use by our products. To find complete details on Digital Certificate Manager, go to IBM's^® Information Center and search on "DCM".

With DCM you make digital certificates available to our products by adding them to the "object signing certificate store". When you add them you associate an "Application ID" with the digital certificate. To generate digital signatures with our products, you specify this "Application ID" on the product's "signing key" command parameter. The product, in turn, passes the "Application ID" to i5/OS's APIs for processing.

You control the users that have access to a particular "Application ID" with i5/OS's"Change Function Usage" (CHGFCNUSG) command.

All (applicable) objects in our products are digitally signed, allowing you to verify their integrity. Modifications that could jeopardize the security of your system are easily detected with i5/OS's Check Object Integrity (CHKOBJITG) command. In addition, save files contained in product downloads and cumulative PTF packages are digitally signed allowing you to verify that what we shipped is what you received.

The i5/OS facility that allows you to create, store and manage digital certificates is "Digital Certificate Manager" (DCM). This is a free optional part of i5/OS (5722SS1 option 34). In order to use i5/OS's object integrity checking (signature verification) on our products you must install and understand how to use DCM to import our digital certificates. To find complete details on Digital Certificate Manager, go to IBM's^® Information Center and search on "DCM".

With DCM you import our object signing and root CA certificates into i5/OS's"signature verification certificate store". Our certificates can be found in each product and PTF download, on every CD-ROM and in each product's /doc directory.

American Bar Association's Digital Signature Guidelines Tutorial