Validated Product - CA SiteMinder Federation Security Services r12 sp1 CR3Certificate Date: 28 June 2010 Validation Report Number: CCEVS-VR-VID10365-2010 Product Type: Network Access Control, System Access Control Conformance Claim: EAL3 Augmented with ALC_FLR.1,ASE_TSS.2,CAP-B PP Identifiers: None CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
PRODUCT DESCRIPTIONThis Security Target (ST) defines the Information Technology (IT) security requirements for the CA SiteMinder Federation Security Services r12 SP1 CR3 (CA FSS). The product is an identity and access management application consisting of CA’s Federation Security Services built on top of CA SiteMinder Web Access Manager r12 SP1 CR3. The product allows partnerships to be established between two organizations in order to share user identification information and facilitate single sign-on (SSO) and single logout (SLO) across multiple domains, where each domain has its own Policy Server/Web Agent. CA SiteMinder provides users the ability to easily and securely access the data and applications of these federated entities once they have been authenticated based on the identification supplied in the federation assertion. Note: For more information on CA SiteMinder Web Access Manager r12 SP1 CR3, see the CA SiteMinder Web Access Manager r12 SP1 CR3 Security Target v0.8. EVALUATED CONFIGURATIONThe TOE was evaluated on the following platforms: SiteMinder Federation Security Services running on Linux Red Hat Advanced Server 4.0
SiteMinder Federation Security Services running on Solaris 10
SiteMinder Federation Security Services running on Windows Server 2003 R2 SP2
Attack Machine
SECURITY EVALUATION SUMMARYThe evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CA SiteMinder® Federation Security Services r12 SP1 CR3 software was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3. It has been determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL3 augmented with ALC_FLR.1 and ASE_TSS.2. ). In addition, the evaluation was performed against CAP-B for integration with validated product CA SiteMinder Web Access Manager r12 SP1 CR3.Validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in May 2010. ENVIRONMENTAL STRENGTHS Identification and Authentication The TOE relies on the CA SiteMinder product to determine how a user must authenticate to access a protected resource. CA Federation provides for the standards–based portability of identity information across otherwise autonomous security domains to allow CA SiteMinder to authenticate users and enforce access policies across domains. Security Audit The TOE generates audit records for selected security events. Events are tracked based on occurrence and who triggered them. Audit data is written to local files on the machine to which CA SiteMinder Federation Security Services has been installed. Anyone who wishes to review the audit data must have Administrator (or root) privileges on that machine. Security Management Security Management is handled by a remote administrator using the Web-based CA FSS Applet UI. The local machine onto which CA SiteMinder Federation Security Services is installed contains a Policy Server Management Console, but this is only used for the initial configuration of the TOE. Protected Data Transmission The TOE uses an encryption scheme known as the TLI handshake protocol. This protocol uses vendor-asserted AES and RSA algorithms to protect data transmitted between the networked components of the TOE. TOE Access The TOE enacts the process of single logout (SLO) (also known as cross-domain single log out) which results in the simultaneous end of all sessions for a particular user within the federation to which the user authenticated. ENVIRONMENTAL STRENGTHSIdentification and Authentication The TOE relies on the CA SiteMinder product to determine how a user must authenticate to access a protected resource. CA Federation provides for the standards–based portability of identity information across otherwise autonomous security domains to allow CA SiteMinder to authenticate users and enforce access policies across domains. Security Audit The TOE generates audit records for selected security events. Events are tracked based on occurrence and who triggered them. Audit data is written to local files on the machine to which CA SiteMinder Federation Security Services has been installed. Anyone who wishes to review the audit data must have Administrator (or root) privileges on that machine. Security Management Security Management is handled by a remote administrator using the Web-based CA FSS Applet UI. The local machine onto which CA SiteMinder Federation Security Services is installed contains a Policy Server Management Console, but this is only used for the initial configuration of the TOE. Protected Data Transmission The TOE uses an encryption scheme known as the TLI handshake protocol. This protocol uses vendor-asserted AES and RSA algorithms to protect data transmitted between the networked components of the TOE. TOE Access The TOE enacts the process of single logout (SLO) (also known as cross-domain single log out) which results in the simultaneous end of all sessions for a particular user within the federation to which the user authenticated |
![[X]](/assets/images/button_close.gif){kind=small}
![[PDF]](http://www.niap-ccevs.org:80/assets/images/icon_pdf.gif){kind=icon}
