Validated Product - AquaLogic Interaction Publisher 6.4

Certificate Date: 20 February 2009

Validation Report Number: CCEVS-VR-VID10107-2009

Product Type: Sensitive Data Protection

Conformance Claim: EAL2 Augmented with ALC_FLR.2

PP Identifiers: None

CC Testing Lab: SAIC Common Criteria Testing Laboratory


PRODUCT DESCRIPTION

The Target of Evaluation (TOE) is AquaLogic® Interaction Publisher 6.4 MP1 Patch 1, henceforth referred to as Publisher.

Publisher is a web-based software application that functions as a remote server of AquaLogic Interaction (ALI) to provide the services required to deploy content-driven applications, such as a customer support knowledge base or sales support center, where users can create and manage Web content without HTML skills. Publisher is not a stand-alone product; rather it integrates directly with ALI and depends on ALI portal pages and security functions. ALI, in turn, is the base portal application and framework for the BEA AquaLogic User Interaction (ALUI) product family. ALI integrates custom-developed applications and ALUI components into a cohesive web-based work environment that is viewed from a user’s web browser.

Publisher supports the definition of structured content types, web browser form-based data entry, and publishing of content by combining data values with a text presentation template and copying the result to a file system or FTP server. Publisher enables users to:

  • Publish content to published content portlets, to the ALI Knowledge Directory, or to an external web site
  • Publish content immediately or schedule it to be published at a later date
  • Preview content before publishing it to confirm layout and appearance according to pre-defined presentation templates
  • Publish content to the ALI Knowledge Directory using a Publisher content crawler
  • Remove published content from the web server by setting it to expire. This removes it from the web server but keeps it in the Publisher directory. Users can set a published content item to expire immediately or schedule a future expiration.

Publisher also provides a workflow function that enables an organization to manage the review, approval, and publishing of content using structured and repeatable processes. Authorized users define workflows, which consist of an ordered list of workflow activities, each of them assigned to a user or group of users. Publisher provides portlets that enable tracking of personal workflow assignments and content items in workflow by folder.

Publisher implements user data protection by applying a role-based access control policy to folders in the folder hierarchy. All objects within a folder are subject to the access controls applied to the containing folder. Additionally, Publisher supports security management by defining security management roles and restricting security management activities to defined roles.

Publisher integration with ALI uses several ALI functions including: user and group management; document storage and management; content search; object security; and user identification and authentication.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the AquaLogic® Interaction Publisher 6.4 MP1 Patch 1 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 family of assurance requirements, augmented with ALC_FLR.2 (Flaw reporting procedures). The product satisfies all of the security functional requirements stated in the AquaLogic® Interaction Publisher 6.4 MP1 Patch 1 Security Target, when configured as specified in the AquaLogic® Interaction Publisher 6.4 Installation and Upgrade Guide.

One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in January 2009. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10107-2009), prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

AquaLogic® Interaction Publisher 6.4 MP1 Patch 1 provides a low to moderate level of independently assured security in a conventional TOE and is suitable for a cooperative non-hostile environment with good physical access security and competent administrators.

AquaLogic® Interaction Publisher 6.4 MP1 Patch 1 supports the following security functions:

  • User Data Protection

    The primary security functionality of the TOE is to provide access control to Publisher resources. Publisher enforces a role-based access control policy based on folder security lists to control users’ access to Publisher objects and capabilities.

  • Security Management

    Publisher provides capabilities for authorized administrators to manage the security functions of the TOE, including: management of the access control function and folder security lists; and management of workflows.

  • Protection of the TSF

    Publisher ensures all requests made through its interfaces to access its objects are mediated by the access control security function before any access is granted.

Vendor Information


Oracle Corporation UK Limited
Shaun Lee
+44 (0) 188 924 3860
+44 (0) 188 924 3171 (Fax)
seceval_us@oracle.com

http://www.oracle.com/index.html