Compliant Product - BMC Remedy Action Request System 7.5.00
Certificate Date: 18 November 2011
Validation Report Number: CCEVS-VR-VID10383-2011
Product Type: Miscellaneous
Conformance Claim: EAL4
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The AR System provides a consolidated Service Process Management platform for automating and managing Service Management business processes. With its request-centric, workflow-based architecture, AR System is optimized for efficiencies in Service Management business process delivery, and includes pre-built functionality for notifications, escalations, and approvals. AR System is compatible with existing IT infrastructures, and includes various integration capabilities, including support for Web Services.
It also gives customers with or without programming experience the ability to design and customize workflow-based applications to automate business processes. Using AR System, nonprogrammers can build powerful business workflow applications and deploy them simultaneously in web, Windows, UNIX®, and Linux® environments. One of the most common uses of AR System is to automate internal service desks.
Note that this evaluation did not cover the service process management functions but focused on the IA-enabled capabilities related to the definition and use of that function.
The TOE consists of BMC Remedy Action Request System 7.5.00 (AR System), with BMC Remedy Premium Encryption Security 7.5.00 or with BMC Remedy Performance Encryption Security 7.5.00, and consists of both server and client components. Certain components of AR System are required for all AR System installations, while other components are optional according to the customer’s intended use of AR System. The optional components of AR System do not provide any security. The evaluated configuration must include either BMC Remedy Encryption Premium Security or BMC Remedy Encryption Performance Security. The Security Target should be consulted for more information about the combinations of components included in the TOE.
The TOE does not include the hardware, database, operating systems, email servers, or directory service protocols with which or on which the TOE components run, and also does not include third-party components of the mid tier, such as a web server, JSP servlet engine, or browser. However, these components are described in the Security Target as TOE dependencies on its operational environment.
BMC Remedy Action Request System 7.5.00 Patch 007 with BMC Remedy Premium Encryption Security 7.5.00 or with BMC Remedy Performance Encryption Security 7.5.00 (English version)
- BMC Remedy Action Request System server 7.5.00 (Patch 007)
- BMC Remedy Approval Server 7.5.00 (Patch 007)
- BMC Remedy Email Engine 7.5.00 (Patch 007)
- BMC Remedy Flashboards Server 7.5.00 (Patch 007)
- Action Request System External Authentication LDAP plug-in 7.5.00 (Patch 007)
- Action Request System Database Connectivity plug-in (Patch 007)
- BMC Remedy Mid Tier 7.5.00 (Patch 007)
- BMC Remedy Developer Studio 7.5.00 (Patch 007)
- BMC Remedy User 7.5.00 (Patch 007)
- BMC Remedy Data Import 7.5.00 (Patch 007)
- BMC Remedy Alert 7.5.00 (Patch 007)
- BMC Remedy Mid Tier Configuration Tool 7.5.00 (Patch 007)
- BMC Remedy Encryption Security 7.5.00 products (no patch)
- BMC Remedy Distributed Server Option 7.5.00 (Patch 007)
- BMC Remedy Assignment Engine 7.5.00 (Patch 007)
The following components serve as execution hosts and other supporting components used by the TOE:
- Microsoft Windows Server 2003 (32- or 64-bit) or higher
- Sun™ Solaris™ 9 or higher
- Oracle 10G (R2) or higher
- Microsoft SQL Server 2005 and higher
- Tomcat 5.5.28 or higher
- Java SDK/JRE 1.5.0 and 1.6.0_06 or higher
- Any mail server using SMTP or MAPI standard protocols such as Microsoft Exchange (Windows Server 2003)
- Any directory service using the LDAP standard protocol such as Microsoft Active Directory (Windows Server 2003)
- Microsoft Internet Explorer 6 and 7
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, revision 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, version 3.1, revision 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the TOE is EAL 4. The TOE, configured as specified in the evaluated configuration guide, satisfies all of the security functional requirements stated in the Security Target. Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in September 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for BMC Remedy Action Request System 7.5.00 (VID 10383) prepared by the CCEVS.
The TOE is a series of software components with the AR System server component implementing the core, centralized security functions. The AR System server requires that every request is subject to identification and authentication as well as access control policies in order to ensure that only appropriate resource access is granted. While not FIPS certified itself, the AR System employs FIPS-certified libraries to perform cryptographic operations, including ensuring that all communication between its distributed components is protected from disclosure and modification. Note that as a series of software components, the TOE is dependent upon its environment for support.