Validated Product - BEA Weblogic Integration V8.1 SP6 with BEA07-169.00 security advisory patch

PRODUCT DESCRIPTION

The TOE, BEA WebLogic Integration V8.1 SP6 with BEA07-169.00 security advisory patch, is an application server that provides a foundation for an enterprise to build and integrate applications and databases. It comprises a WebLogic Integration (WLI) subsystem and also a single supporting BEA WebLogic ServeR® (WLS) subsystem.

WebLogic Server delivers an application infrastructure for building and integrating distributed multi-tier applications. It is based on standards such as J2EE, Web services, and XML. WebLogic Server includes the WebLogic Workshop® IDE for application development, and also provides enterprise-level security and administration facilities.

WebLogic Integration is a product built on WebLogic Server that provides the functionality for integrating business systems within an enterprise. It provides a development and run-time framework that unifies the components of business integration—business process management, data transformation, trading partner integration, connectivity, message brokering, application monitoring, and user interaction—into a single environment.

The TOE consists of a single WebLogic Server subsystem, a single WebLogic Integration subsystem, and the following configured WebLogic security providers: Auditing Provider; Authorization Provider; Adjudication Provider; Role Mapping Provider; Authentication Provider; Identity Assertion Provider; and Credential Mapping Provider.

The TOE is supported on the following Java 2 environments: BEA JRockit 1.4.2_10 SDK; and Sun Java 2 SDK 1.4.2_11 with Java HotSpot™ Client VM. The TOE is dependent on the correct operation of the Java 2 environment and on its underlying operating system, neither of which are included within the scope of the evaluation. It should also be noted that the access control policy implemented by the TOE is enforced only on access attempts made through the TOE’s interfaces. The TOE does not and cannot control attempts to access data directly (e.g., via the underlying operating system).

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the BEA WebLogic Integration V8.1 SP6 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2 and International Interpretations effective on 3 September 2004. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 family of assurance requirements, augmented with ALC_FLR.1 (Basic flaw remediation). The product satisfies all of the security functional requirements stated in the BEA WebLogic Integration Security Target, when configured as specified in the following guidance documents (available for download as indicated):

• Managing WebLogic Security (http://edocs.bea.com/wls/docs81/index.html)
• Managing WebLogic Integration Solutions (http://edocs.bea.com/wli/docs81/index.html)
• Deploying WebLogic Integration Solutions (http://edocs.bea.com/wli/docs81/index.html).

One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in September 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10029-2007) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

BEA WebLogic Integration V8.1 SP6 with BEA07-169.00 security advisory patch provides a low to moderate level of independently assured security in a conventional TOE and is suitable for a cooperative non-hostile environment with good physical access security and competent administrators.

The primary security functionality of the TOE is to provide access control to WLI and WLS resources. Generally, user requests come in from the network and are handled by the WLS security framework. If the user is attempting to access an application associated with the WLI subsystem, the WLI subsystem will be invoked in addition to the WLS security framework. As such, the WLI subsystem serves to extend the WLS security framework to control access to the following WLI objects: Message Broker Channels; Business Processes; Application Views; Trading Partner Profiles; Trading Partner Services; Service Profiles; and Worklists.

BEA WebLogic Integration V8.1 SP6 supports the following five security functions:

• Security Audit
  The TOE generates audit records of security relevant events as they occur within the security framework. The audit records are stored in the environment in which the TOE operates (i.e., the underlying operating system) and can be viewed by any text editor provided by the underlying operating system. The WebLogic Auditing Provider furnishes the TOE’s audit record generation capability.
   
• User Data Protection
  The TOE controls access to WLI and WLS resources based on user identity, group membership, dynamically assigned roles, and resource security policy. The TOE assigns a default security policy to each of the resource types it controls. A TOE administrator can override the default security policy to make it more or less restrictive according to the needs of the installation. When a resource is created, it inherits the policy of the resource type, but this too can be overridden by an administrator specifying a new policy specific to the resource. Security policies can be specified to restrict access to the resource based on combinations of user identity, user group memberships, dynamically assigned roles, and hours of access. The WebLogic Authorization Provider determines whether or not access to a resource should be granted.
  
  The WebLogic Role Mapping Provider computes the set of roles granted to a user for a given resource. The TOE defines eight global roles by default: Admin; Deployer; Operator; Monitor; IntegrationAdmin; IntegrationOperator; IntegrationMonitor; and Anonymous. The first seven roles represent various levels of administrative access, while all users are granted the Anonymous role. In addition to these default roles, a TOE administrator can define new roles, based on logical combinations of the following role conditions: user name of the caller; group membership of the caller; hours of access. Roles can be scoped to the entire security realm or to specific deployed resources (such as Web Applications and Enterprise Java Beans).
  
  It is possible (though not supported in the evaluated configuration) to configure multiple Authorization Providers. The WebLogic Adjudication Provider determines if a user request for access to a protected resource will be granted in the case when multiple Authorization Providers are configured and return different responses to the request for access.
   
• Identification and Authentication
  The TOE supports multiple identification and authentication mechanisms: username and password; token-based (using X.509 certificates or CORBA Common Secure Interoperability version 2 (CSIv2) identity assertion); and credential mapping. The WebLogic Authentication Provider supports password-based authentication. The WebLogic Identity Assertion Provider supports identity assertion using X.509 certificates and CSIv2. The WebLogic Credential Mapping Provider supports the process whereby the authentication and authorization mechanisms of a remote system (for example, a legacy system or application) are used to obtain an appropriate set of credentials to authenticate users to a target WLS resource.
   
• Security Management
  The TOE provides security management capability via the browser-based Administrator Console GUI and the weblogic.Admin command-line tool (although all security management capability provided by the command-line tool is also available through the GUI). In addition, the TOE provides the WebLogic Integration Administrator Console, a web application used by administrators to manage Integration resources. In order to successfully invoke and login to the TSF via the Administrator Console or command-line tool, the user must be assigned one of the following global default management roles: Administrator; Deployer; Operator; or Monitor. A user can login to the WebLogic Integration Administration Console if the user is assigned any of the global default management roles (i.e., Administrator, Deployer, Operator, Monitor, IntegrationAdmin, IntegrationOperator, or IntegrationMonitor).
  
  The TOE provides a security provider database to store data used by the various security providers. In the evaluated configuration, an embedded LDAP server is used for the security provider database, and the TOE is designed to ensure that only a user acting in an appropriate role can modify or review TOE configuration data.
   
• Protection of the TSF
  The TOE encapsulates the applications it protects within the WebLogic Server security framework (and using Integration extensions) to ensure that the security mechanisms are always invoked when resources are requested through WebLogic supported applications. The TOE operates as a collection of Java applications that operate in their own domains distinct from one another and also from other potentially untrusted entities. This arrangement necessarily depends upon good configuration and administration for protection from such untrusted entities.