Compliant Product - IBM WebSphere Portal 18.104.22.168 (with APAR PK67104 and APAR PK79436)
Certificate Date: 25 September 2009
Validation Report Number: CCEVS-VR-VID10205-2009
Product Type: Sensitive Data Protection
Conformance Claim: EAL4 augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory
IBM WebSphere Portal (WP) is a Java 2 Enterprise Edition (J2EE) application executed in the run-time environment provided by WebSphere Application Server (WAS) version 22.214.171.124 that provides users a consistent view of portal applications and allows users to define specific sets of applications which are presented in a single context.
WP relies on WAS for the identification and authentication of authorized users, and on WebSphere Member Manager (WMM) to supply user profile and group membership information to the TOE. Note that WAS establishes and maintains user sessions in order to keep them separate from one another and to protect WP when it is instantiated within WAS.
WP allows authorized users to establish protected portal resources like pages and portlets. As an example, authorized users (a team) can develop, share, and store information for projects. This allows for fast access to and transfer of information between members of the team working on the same project.
The Access Control administration can be performed using corresponding portlets within the running portal, the XmlAccess interface, or via portal scripting.
WP contains the following components:
- Page Aggregation: This generates the content returned to the client, e.g., the objects to be displayed in the browser;
- Deployment: This is used for installing new portlets on a running portal and for including remote portlets from remote portals via Web Services for Remote Portals (WSRP);
- WSRP: Implements the WSRP protocol to allow access to remote portlets from a WSRP Producer Portal or to offer local portlets to be included into other remote portals;
- Portal Access Control (PAC): This controls access to all protected portal resources;
- Application Infrastructure consisting of the Collaborative Application Infrastructure (CAI) and a corresponding templating infrastructure (TAI);
- Policy: A concept to manage sets of configuration settings for the portal;
- Administration UIs: These user interfaces provide all of the administration functionality of the portal. The available user interfaces consist of text-based scripting interfaces as well as a set of administration portlets including:
  - Manage Users and Groups;
  - Resource Permission;
  - User and Group Permission;
  - Membership Portlet;
  - Roles Portlet;
  - Manage Applications;
  - Manage Portlets;
  - Manage Pages;
  - URL Mapping Portlet;
  - Global Settings Portlet.
The following types of resources are protected within the portal:
- Web Modules: Web modules are portlet archives that are installed on WAS. Web modules can contain multiple portlet applications. If a new Web module is installed, it is automatically a child of the Web Modules virtual resource.
- Portlets (Portlet Definitions): A portlet is an installed portlet having its own portlet configuration. For example, a Mail portlet can be configured to a specific mail server.
- Portlet Application Definitions: Portlet applications provide a logical grouping of individual portlets. If a new Web module is installed, the portlet applications contained within that Web module are automatically child resources of the Portlet Applications virtual resource. Portlets contained within a portlet application appear as child nodes of that portlet application. A two-layer hierarchy consisting of portlet applications and the corresponding portlets exists beneath the Portlet Applications virtual resource.
- Content Nodes (Pages): Pages (also known as content nodes) contain the content that determines the portal navigation hierarchy. A portal page is basically the frame that contains a specific set of individual portlets arranged in a specific layout. If a new top-level page is created, it is automatically a child resource of the Content Nodes virtual resource. If a new page is created beneath an existing page, the new page is automatically child of the existing page.
- Application Template: An application template is the formal description of a portal application represented by an XML document. A template can be instantiated multiple times to create corresponding portal applications.
- Template Category: Individual application templates can be organized into individual categories similar to a folder structure for document organization.
- User Groups: Users can be grouped into user groups (database records). User groups can be nested. Access privileges are propagated with user groups membership. If a new user group is created, it will appear as a corresponding child resource underneath the virtual resource User Groups.
- URL Mapping Contexts: URL mapping contexts are user-defined definitions of URL spaces that map to portal content. If a new top-level URL mapping context is created, it is automatically a child resource of the URL Mapping Contexts virtual resource. If a new URL mapping context is created beneath an existing context, the new context is automatically a child of the existing context. URL mapping contexts inherit access control configuration from their parent context unless role blocks are used.
- Policy: A policy contains a set of related configuration settings that can be attached to individual users or other portal artifacts in a flexible fashion.
- WSRP Producer: A WSRP Producer identifies a remote portal server that provides individual portlets via the WSRP protocol.
Users (database records) are implicitly protected resources: they are not linked into the protected resource hierarchy, so access to a specific user's profile data can only be obtained through corresponding privileges on a user group that contains that user as a member. Apart from this, implicitly protected resources behave in the same way as normal protected resources.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the IBM WebSphere Portal 126.96.36.199 (with APAR PK67104 and APAR PK79436) TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with the ALC_FLR.2 family of assurance requirements. The product, when configured as specified in WebSphere® Portal Installation and Configuration Version 6.0 and IBM WebSphere Portal 6.0 Administration, satisfies all of the security functional requirements stated in the IBM WebSphere Portal 6.0 Security Target, Version 1.0. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in August 2009. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10205-2009, dated 25 September 2009) prepared by CCEVS.
The TOE is a commercial product whose users require a low to moderate level of independently assured security. IBM WebSphere Portal 188.8.131.52 (with APAR PK67104 and APAR PK79436) is targeted at a relatively benign environment with good physical access security and competent administrators. Within such environments, it is assumed that attackers will have little attack potential. The security environment also assumes that the TOE components are physically protected.
IBM WebSphere Portal 184.108.40.206 (with APAR PK67104 and APAR PK79436) supports the following security functions. Note that the TOE does not claim the CC-defined FAU_GEN SFR; instead, an explicitly stated requirement, Logging of security management functions (FMT_LOG_EX.1), was included to cover auditing of security management functions.
User Data Protection
The TOE offers a Portal Access Control (PAC) mechanism that is invoked by the other TOE components and makes the access decisions that those components enforce, for the following resources offered by WP: Web Modules, Portlets (Portlet Definitions), Portlet Application Definitions, Content Nodes (Pages), Application Templates, Template Categories, User Groups, URL Mapping Contexts, Policies, and WSRP Producers. Access is controlled based on the permissions contained in roles assigned to individual users or user groups.
The TOE supports roles defined as sets of resource-specific permissions. Roles can be assigned to users and groups, and can also be aggregated into other (application) roles. Roles can be used to enable security management functions, such as managing roles and assigning those roles to users and user groups. Access is default-deny: a user must hold a role granting the required permission on a resource before they can access it. Anonymous access to a resource can be authorized, but only by establishing that permission explicitly beforehand.
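To make the hierarchy from the resource list above and the PAC rules just described concrete, here is an added illustrative model in Python. It is not IBM's code and does not reproduce WebSphere Portal's internal data structures; the role types, permission names, sample pages and sample groups are assumptions chosen for the example. It shows assignments inherited down the resource tree, a role block cutting inheritance for one role type only, nested group membership propagating privileges, explicit anonymous grants, default deny, and profile access to an implicitly protected user derived from privileges on a containing group.

```python
"""Illustrative model of hierarchical, role-based access decisions of the
kind the PAC summary describes.  Added example, not IBM's implementation;
role types, permissions and sample resources are assumptions."""
from dataclasses import dataclass, field

# Assumed role types as sets of resource permissions (the page says roles
# are sets of resource-specific permissions but does not enumerate them).
ROLE_PERMISSIONS = {
    "User": {"view"},
    "Editor": {"view", "edit"},
    "Manager": {"view", "edit", "delete", "manage_roles"},
}

ANONYMOUS = "anonymous"   # pseudo-subject; only ever matched by explicit grant


@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    roles: dict = field(default_factory=dict)       # role type -> set of subjects
    role_blocks: set = field(default_factory=set)   # role types NOT inherited from ancestors

    def assign(self, role_type, subject):
        self.roles.setdefault(role_type, set()).add(subject)


class Pac:
    def __init__(self):
        self.resources = {}
        self.group_members = {}   # group id -> set of user ids or nested group ids

    def add_resource(self, name, parent=None, role_blocks=()):
        res = Resource(name, self.resources[parent] if parent else None,
                       role_blocks=set(role_blocks))
        self.resources[name] = res
        return res

    def add_group(self, name, members, parent="User Groups"):
        """Groups are protected resources under the User Groups virtual resource
        and may nest other groups."""
        self.group_members[name] = set(members)
        return self.add_resource(name, parent)

    def effective_subjects(self, user):
        """The user plus every group that contains them, directly or via nesting.
        An unauthenticated caller is only the anonymous pseudo-subject."""
        if user is None:
            return {ANONYMOUS}
        subjects = {user}
        changed = True
        while changed:   # fixpoint over nested membership
            changed = False
            for group, members in self.group_members.items():
                if group not in subjects and members & subjects:
                    subjects.add(group)
                    changed = True
        return subjects

    def is_permitted(self, user, resource_name, permission):
        """Walk from the resource up to its virtual-resource root.  A role block
        at a node stops that role type from being inherited from the node's
        ancestors; other role types keep inheriting.  Nothing found -> deny."""
        subjects = self.effective_subjects(user)
        blocked = set()
        node = self.resources[resource_name]
        while node is not None:
            for role_type, holders in node.roles.items():
                if role_type in blocked:
                    continue
                if holders & subjects and permission in ROLE_PERMISSIONS[role_type]:
                    return True
            blocked |= node.role_blocks
            node = node.parent
        return False

    def profile_permitted(self, user, target_user, permission):
        """Users are implicitly protected: profile access follows from a
        privilege on some group that (transitively) contains the target."""
        for group in self.effective_subjects(target_user) - {target_user}:
            if self.is_permitted(user, group, permission):
                return True
        return False


def build_sample():
    """Constructed sample hierarchy (assumed names, not from the page)."""
    pac = Pac()
    pac.add_resource("Content Nodes")   # virtual resource for pages
    pac.add_resource("User Groups")     # virtual resource for groups
    pac.add_group("team-alpha", {"alice", "contractors"})   # nests a group
    pac.add_group("contractors", {"carol"})
    pac.add_group("leads", {"bob"})
    projects = pac.add_resource("Projects", parent="Content Nodes")
    pac.add_resource("Projects/Alpha", parent="Projects")
    confidential = pac.add_resource("Projects/Confidential", parent="Projects",
                                    role_blocks={"Editor"})
    public = pac.add_resource("Public", parent="Content Nodes")
    projects.assign("Editor", "team-alpha")
    confidential.assign("Manager", "leads")
    public.assign("User", ANONYMOUS)              # explicit anonymous grant
    pac.resources["team-alpha"].assign("Manager", "leads")
    return pac


if __name__ == "__main__":
    pac = build_sample()
    print(pac.is_permitted("carol", "Projects/Alpha", "edit"))          # nested group
    print(pac.is_permitted("alice", "Projects/Confidential", "view"))   # Editor blocked
    print(pac.profile_permitted("bob", "alice", "view"))                # via group
```

Two points worth noticing when running it: the block on Projects/Confidential removes only the Editor role inherited from Projects, so a Manager grant placed there still works, and bob's Manager role on Projects/Confidential gives him nothing on the sibling page Projects/Alpha, because assignments flow down the tree, never sideways or up.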
The TOE also supports logging the use of the security management functions. The log is generated by the TOE but stored as an ASCII file in the IT environment, so protection of the log file relies on the environment's controls rather than on the TOE itself.
Protection of the TSF
The TOE ensures that its own security policies cannot be bypassed by ensuring that appropriate access checks are made and enforced at all interfaces made available by the TOE.