NIAP: Compliant Product
Compliant Product - CA Top Secret r15

Certificate Date:  2016.06.02

Validation Report Number:  CCEVS-VR-VID10735-2016

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management-Access Control Version 2.1
  Protection Profile for Enterprise Security Management - Policy Management Version 2.1

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

CA Top Secret is an Enterprise Security Management product that provides host-based access control to z/OS systems that reside in its Operational Environment. Top Secret enforces administrator-configurable rules that control access to mainframe systems and their data, ensuring that resources are protected from unauthorized access. Top Secret also includes a policy management function that is used to configure a uniform set of access control policies against multiple distinct physical or logical mainframe instances deployed in the enterprise. This is done through the use of the command propagation facility (CPF) method of administration.


Evaluated Configuration


The TOE is a software product. The physical boundary of the TOE includes the CA Top Secret software that is installed on z/OS. It does not include the third-party software that is required for the TOE to run. The following lists the hardware platform and software components that are required for the TOE's use in the evaluated configuration. These Operational Environment components are expected to be patched to include the latest security fixes for each component.

Hardware Platform

·        IBM System z mainframe (zEC12, z114, z196, z9 series, z10 series)

System Components

·        INIT/JOB

·        JES2

·        TSO

·        TCP/IP

·        VTAM

·        CA Common Services for z/OS r11 SP6 or above

·        CA LDAP Server for z/OS r15

·        IBM Integrated Cryptographic Service Facility (ICSF)

·        IBM System SSL

·        IBM Ported Tools for z/OS – OpenSSH


In addition to the mainframe requirements, a TN3270e terminal emulator is required for any system used to administer the TOE via TSO or JES2. In the evaluated configuration, the TOE was tested using QWS3270 over an SSH tunnel that was established using CA Common Services and ICSF.

Security Evaluation Summary


The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CA Top Secret r15 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the CA Top Secret r15 Security Target version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in May 2016. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10735-2016, prepared by CCEVS.

Environmental Strengths

Enterprise Security Management


CA Top Secret provides enterprise security management through its ability to define and enforce access control policies. The TOE provides the ability to define these policies through the command line. Policies can be defined to control access to processes, files, system configuration, and use of the authentication function for mainframe systems. The TOE also defines subject attributes for mainframe users that can affect how access control policies are audited for specific users. Since the TOE can enforce access control against the mainframe’s authentication function, it ensures that all users and administrators are identified and authenticated prior to accessing any objects that reside on the system, including the TSF itself.


Security Audit


The TOE generates audit records of its behavior and administrator activities. Audit data includes date, time, event type, subject identity, and other data as required. Audit data is written to the mainframe’s SYSLOG and SMF audit storage repositories in the Operational Environment. The administrator has some degree of control over the types of events that are audited for access control functionality in order to minimize the volume of audit data.




The TOE can communicate policy rules to remote instances of Top Secret that are located on distributed systems or LPARs using the Command Propagation Facility (CPF). CPF provides transaction receipts to administrators so that the implementation status of transmitted policy rules can be determined. If a remote node is unavailable to receive CPF commands, they will be queued and transmission will be periodically retried until the node is available.


User Data Protection


The TOE has the ability to enforce access control against files, processes, system configuration objects, and the authentication function of a mainframe system. Access control policy rules can be written against arbitrarily-defined subjects and objects so that anything that resides on the system can be protected as needed. The TSF implements a rule sorting algorithm that gives more specifically matched rules higher priority, so that overlapping rules resolve deterministically rather than coming into conflict with one another. The TSF also defines several exceptions to the rule enforcement engine so that specific overrides can be granted if necessary. By default, the TOE considers the system objects that comprise itself to be protected so that an untrusted user is unable to bypass, terminate, or control the behavior of the access control enforcement mechanism.
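The "better matched rule wins" behaviour described above can be made concrete with a small resolver. The following is an added illustration, not code from CA Top Secret, its Security Target or the evaluation: the rule syntax (a trailing "*" makes a resource pattern a prefix match), the access-level ordering, the subject ranking (user over group over everyone) and the sample users and data set names are all invented for the example. It shows how a general rule and a more specific rule that both match one request are ordered so that exactly one decision results, and how a request with no applicable rule falls through to deny.

```python
"""Most-specific-match resolution for host access-control rules.

Illustrative example only; rule syntax, access levels and sample
subjects are hypothetical and not CA Top Secret's actual semantics.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# Hypothetical access-level ordering, weakest to strongest.
ACCESS_LEVELS = ("NONE", "READ", "UPDATE", "ALL")


@dataclass(frozen=True)
class Rule:
    pattern: str   # resource name; a trailing '*' makes it a prefix match
    subject: str   # user id, group name, or '*' for everyone
    access: str    # highest access level granted; NONE is an explicit deny


def matches_resource(pattern: str, resource: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return resource == pattern


def specificity(rule: Rule, user: str, groups: Iterable[str]) -> Optional[Tuple[int, int]]:
    """Sort key for a rule that applies to this subject, or None if it does not.

    Higher is better: a rule naming the user beats one naming one of the
    user's groups, which beats '*'; among equals, the longer literal
    resource prefix wins.
    """
    if rule.subject == user:
        subject_rank = 2
    elif rule.subject in groups:
        subject_rank = 1
    elif rule.subject == "*":
        subject_rank = 0
    else:
        return None
    return (subject_rank, len(rule.pattern.rstrip("*")))


def decide(rules: Sequence[Rule], user: str, groups: Iterable[str],
           resource: str, requested: str) -> Tuple[bool, Optional[Rule]]:
    """Evaluate one access request. Returns (allowed, winning rule or None)."""
    groups = set(groups)
    candidates: List[Tuple[Tuple[int, int], Rule]] = []
    for rule in rules:
        if not matches_resource(rule.pattern, resource):
            continue
        key = specificity(rule, user, groups)
        if key is not None:
            candidates.append((key, rule))
    if not candidates:
        return False, None  # no applicable rule: default deny
    # Best-matched rule first; Python's sort is stable, so equal keys keep
    # definition order and the outcome is deterministic.
    candidates.sort(key=lambda kr: kr[0], reverse=True)
    winner = candidates[0][1]
    if winner.access == "NONE":
        return False, winner
    granted = ACCESS_LEVELS.index(winner.access)
    return granted >= ACCESS_LEVELS.index(requested), winner


# Constructed sample policy: a broad grant, a narrower group deny, and a
# narrower still per-user grant all overlap on PAYROLL.SALARY.* names.
RULES = (
    Rule("PAYROLL.*", "*", "READ"),             # everyone may read payroll data
    Rule("PAYROLL.SALARY.*", "AUDIT", "NONE"),  # except the AUDIT group, for salary files
    Rule("PAYROLL.SALARY.*", "ALICE", "ALL"),   # ALICE administers salary files
)

if __name__ == "__main__":
    requests = [
        ("ALICE", (), "PAYROLL.SALARY.Q1", "UPDATE"),
        ("BOB", ("AUDIT",), "PAYROLL.SALARY.Q1", "READ"),
        ("CAROL", (), "PAYROLL.SALARY.Q1", "READ"),
        ("CAROL", (), "PAYROLL.SALARY.Q1", "UPDATE"),
        ("CAROL", (), "HR.REVIEWS", "READ"),
    ]
    for user, groups, resource, requested in requests:
        allowed, rule = decide(RULES, user, groups, resource, requested)
        print(f"{user:6} {requested:7} {resource:20} -> "
              f"{'ALLOW' if allowed else 'DENY':5} via {rule}")
```

The point of the ordering is that the AUDIT deny and the ALICE grant are both more specific than the site-wide READ, so neither is "in conflict" with it; the engine never has to choose between two equally specific rules with opposite effects unless the administrator writes them that way, and even then the stable sort gives one repeatable answer.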


Identification and Authentication


The TOE provides mechanisms to minimize the likelihood of a successful brute force attack against the mainframe's authentication function. Specifically, the TSF can suspend a user account after it has exceeded a configurable number of failed authentication attempts; the account remains locked out until it is unlocked by an administrator. Subject attributes are associated with users based on the user's definition in the mainframe's internal user database, regardless of whether that user is defined by manual administrative commands or by the environmental LDAP server translating LDAP queries into actions that configure the mainframe user database.


Security Management


The TOE is managed by authorized administrators using CLI commands. CLI commands can be issued in batch jobs or interactively using TSO. The TSF provides the ability to manage the TOE’s functionality as well as the access control policies that are enforced by the TSF, both on the local system and on remote nodes using CPF. There are several distinct administrative roles with differing levels of privilege to interact with the TSF.


Protection of the TSF


The TOE does not provide a mechanism to view administrator credential data and does not store any key data. The TOE is able to use the Common Services and ICSF environmental components to encrypt CPF commands sent to remote nodes, preventing replay attacks against transmitted policy data. In a CPF environment, the loss of communications between distributed nodes does not affect the TOE’s ability to enforce the access control policy rules that it has consumed.


Resource Utilization


In a CPF environment, the TOE will queue CPF commands that fail to reach a remote node during a period of communications outage and will periodically attempt to transmit them so that up-to-date configuration of the TSF can be performed automatically once communications are restored.


TOE Access


The TOE’s access control enforcement mechanism can deny session establishment to users and administrators based on policy rules such as day, time, and the method used to access the mainframe system.


Trusted Path/Channels


The TOE relies on the Operational Environment to protect authentication and administration data transferred to the mainframe in the course of remote management and between distributed systems via CPF. The Operational Environment includes several cryptographic components that are used to facilitate trusted communications as follows:

  • IBM Integrated Cryptographic Service Facility (ICSF): provides PKCS#11 services for cryptographic primitives that have been approved by the Cryptographic Algorithm Validation Program (CAVP).

  • IBM System SSL: provides cryptographic services that are used to secure TCP/IP communications using TLS as well as implement the TLS protocol. These services, with the exception of random number generation, have been approved by the CAVP. In the evaluated configuration, System SSL is configured to invoke ICSF’s deterministic random bit generator (DRBG) so that it is only using CAVP-approved services to perform key generation and key exchange.

  • IBM Ported Tools for z/OS – OpenSSH: provides functionality to implement the SSH protocol. In the evaluated configuration, this component is configured to invoke ICSF to perform all cryptographic services related to the establishment and use of SSH.

Vendor Information

CA Technologies
James Peters