NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - CA ACF2 r15

Certificate Date:  2016.05.10

Validation Report Number:  CCEVS-VR-VID10736-2016

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management-Access Control Version 2.1
  Protection Profile for Enterprise Security Management - Policy Management Version 2.1

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

CA ACF2 is an Enterprise Security Management product that provides host-based access control to z/OS systems that reside in its Operational Environment. ACF2 enforces administrator-configurable rules that control access to mainframe systems and their data, ensuring that resources are protected from unauthorized access. ACF2 also includes a policy management function that is used to configure a uniform set of access control policies against multiple distinct physical or logical mainframe instances deployed in the enterprise. This is done through the use of the command propagation facility (CPF) method of administration.

Evaluated Configuration

The TOE is a software product. The physical boundary of the TOE includes the CA ACF2 software that is installed on z/OS. It also does not include the third-party software which is required for the TOE to run. The following table lists the software components that are required for the TOE’s use in the evaluated configuration. These Operational Environment components are expected to be patched to include the latest security fixes for each component.




IBM System z mainframe (zEC12, z114, z196, z9 series, z10 series)

System Components

·         INIT/JOB

·         JES2

·         TSO

·         TCP/IP

·         VTAM

·         CA Common Services for z/OS r11 SP6 or above

·         CA LDAP Server for z/OS r15

·         IBM Integrated Cryptographic Module Facility (ICSF)

·         IBM System SSL

·         IBM Ported Tools for z/OS – OpenSSH

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CA ACF2 r15 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the CA ACF2 r15 Security Target version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in February 2016. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10736-2016 prepared by CCEVS.

Environmental Strengths

Enterprise Security Management

CA ACF2 provides enterprise security management through its ability to define and enforce access control policies. The TOE provides the ability to define these policies through ISPF panels and the command line. Policies can be defined to control access to processes, files, system configuration, and use of the authentication function for mainframe systems. The TOE also defines subject attributes for mainframe users that can affect how access control policies are audited for specific users. Since the TOE can enforce access control against the mainframe’s authentication function, it ensures that all users and administrators are identified and authenticated prior to accessing any objects that reside on the system, including the TSF itself.

Security Audit

The TOE generates audit records of its behavior and administrator activities. Audit data includes date, time, event type, subject identity, and other data as required. Audit data is written to the mainframe’s SYSLOG and SMF audit storage repositories in the Operational Environment. The administrator has some degree of control over the types of events that are audited for access control functionality in order to minimize the volume of audit data.


The TOE can communicate policy rules to remote instances of ACF2 that are located on distributed systems or LPARs using the Command Propagation Facility (CPF). CPF provides transaction receipts to administrators so that the implementation status of transmitted policy rules can be determined. If a remote node is unavailable to receive CPF commands, they will be queued and transmission will be periodically retried until the node is available.

User Data Protection

The TOE has the ability to enforce access control against files, processes, system configuration objects, and the authentication function of a mainframe system. Access control policy rules can be written against arbitrarily-defined subjects and objects so that anything that resides on the system can be protected as needed. The TSF implements a rule sorting algorithm in order to give better matched rules higher priority which prevents rules from coming into conflict with one another. The TSF also defines several exceptions to the rule enforcement engine so that specific overrides can be granted if necessary. By default, the TOE considers the system objects that comprise itself to be protected so that an untrusted user is unable to bypass, terminate, or control the behavior of the access control enforcement mechanism.

Identification and Authentication

The TOE provides mechanisms to minimize the likelihood of a successful brute force attack against the mainframe’s authentication function. Specifically, the TSF can suspend a user account after it has exceeded a certain number of failed authentication attempts in a given day. Subject attributes are associated with users based on the user’s definition in the mainframe’s internal user database regardless of whether that user is defined by manual administrative commands or by the environmental LDAP server translating LDAP queries into actions that configure the mainframe user database.

Security Management

The TOE is managed by authorized administrators using Interactive System Productivity Facility (ISPF) menu selections or through CLI commands. CLI commands can be issued in batch jobs or interactively using TSO. The TSF provides the ability to manage the TOE’s functionality as well as the access control policies that are enforced by the TSF, both on the local system and on remote nodes using CPF. There are several distinct administrative roles with differing levels of privilege to interact with the TSF.

Protection of the TSF

The TOE does not provide a mechanism to view administrator credential data and does not store any key data. The TOE is able to use the Common Services and ICSF environmental components to encrypt CPF commands sent to remote nodes, preventing replay attacks against transmitted policy data. In a CPF environment, the loss of communications between distributed nodes does not affect the TOE’s ability to enforce the access control policy rules that it has consumed.

Resource Utilization

In a CPF environment, the TOE will queue CPF commands that fail to reach a remote node during a period of communications outage and will periodically attempt to transmit them so that up-to-date configuration of the TSF can be performed automatically once communications are restored.

TOE Access

The TOE’s access control enforcement mechanism can deny session establishment to users and administrators based on policy rules such as day, time, and the method used to access the mainframe system.

Trusted Path/Channels

The TOE does not provide its own cryptography. In the evaluated configuration, CA Common Services is used to provide TCP/IP configurations between the TOE and remote entities and the following components are used to establish trusted communications:

·         ICSF and System SSL to secure TLS  communications

·         IBM Ported Tools for z/OS – OpenSSH and ICSF to secure SSH communications

The TSF is able to rely on the Operational Environment to secure remote CPF commands using TLS and remote administrative sessions using SSH.

Vendor Information

CA Technologies
James Peters
Site Map              Contact Us              Home