NIAP: Compliant Product
Compliant Product - CA Top Secret r16

Certificate Date:  2017.10.04

Validation Report Number:  CCEVS-VR-VID10810-2017

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management-Access Control Version 2.1
  Protection Profile for Enterprise Security Management - Policy Management Version 2.1

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

CA Top Secret (also referred to as the TOE) is an Enterprise Security Management product that provides host-based access control to z/OS systems that reside in its Operational Environment. The TOE enforces administrator-configurable rules that control access to mainframe systems and their data, ensuring that resources are protected from unauthorized access. The TOE includes a policy management function that is used to configure a uniform set of access control policies against multiple distinct physical or logical mainframe instances deployed in the enterprise. This is done using the command propagation facility (CPF) method of administration.

Evaluated Configuration

The TOE is a software product. The physical boundary of the TOE includes the CA Top Secret software that is installed on the mainframe system. The TOE does not include the hardware or operating systems of the systems on which it is installed, nor the third-party software that the TOE requires in order to run. The following lists the minimum hardware and software components required to use the TOE:

Hardware

IBM System z mainframe (zEC12, z114, z196, z9 series, z10 series, z13)

Disk Storage

700 MB or greater

Operating System

IBM z/OS, version 2.1, RSU1506 (Recommended Service Upgrade) or higher

System Components

·         INIT/JOB

·         JES2

·         TSO

·         TCP/IP

·         VTAM

·         CA Common Services for z/OS r14.1 or above

·         CA LDAP Server for z/OS r16

Cryptographic Module

·         IBM ICSF

·         IBM System SSL

·         IBM Ported Tools for z/OS - OpenSSH

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CA Top Secret r16 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team was the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the CA Top Secret r16 Security Target Version 1.0. The evaluation underwent CCEVS Validator review and was completed in October 2017. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10810-2017, dated 10/04/2017) prepared by CCEVS.

Environmental Strengths

Enterprise Security Management

CA Top Secret provides enterprise security management through its ability to define and enforce access control policies. The TOE provides the ability to define these policies through a command line interface. Policies can be defined to control access to processes, files, system configuration, and use of the authentication function for mainframe systems. The TOE also defines subject attributes for mainframe users that can affect how access control policies are audited for specific users. Since the TOE can enforce access control against the mainframe’s authentication function, it ensures that all users and administrators are identified and authenticated prior to accessing any objects that reside on the system, including the TSF itself. Administrators can log on to the TOE through password/passphrase or RSA SecurID token associated with their user ID, known as an ACID. 

Security Audit

The TOE generates audit records of its own behavior and of administrator activities. Audit data includes date, time, event type, subject identity, and other data as required. Audit data is written to the mainframe's SYSLOG and SMF audit storage repositories in the Operational Environment. The administrator has some degree of control over which access control events are audited, in order to limit the volume of audit data.

Communication

The TOE can communicate policy rules to remote instances of Top Secret that are located on distributed systems or LPARs using the Command Propagation Facility (CPF). CPF provides transaction receipts to administrators so that they can determine whether transmitted policy rules were implemented on the remote node. If a remote node is unavailable to receive CPF commands, the commands are queued and transmission is periodically retried until the node is available.

User Data Protection

The TOE has the ability to enforce access control against files, processes, system configuration objects, and the authentication function of a mainframe system. Access control policy rules can be written against arbitrarily-defined subjects and objects, so that anything that resides on the system can be protected as needed. The TSF sorts rules so that the rule that matches a request most specifically takes precedence, which prevents overlapping rules from conflicting with one another. The TSF also defines several exceptions to the rule enforcement engine so that specific overrides can be granted if necessary. By default, the TOE treats the system objects that comprise itself as protected, so that an untrusted user is unable to bypass, terminate, or control the behavior of the access control enforcement mechanism.
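The following is an added illustration of the property described above, and is not CA Top Secret's own code or rule syntax: a small evaluator that sorts rules so the better-matched rule decides first, so a broad PERMIT and a narrow DENY on the same resource never conflict. The glob-style subject and resource patterns, the action names, the tie-break (DENY outranks PERMIT at equal specificity) and the sample policy are all assumptions made for the example.

```python
"""Most-specific-match resolution for access control rules.

Added illustration, not CA Top Secret's own code or rule syntax: it models
the property that rules are sorted so the better-matched rule takes priority,
so a broad PERMIT and a narrow DENY on the same resource never conflict.
Subject/resource patterns, actions and the sample policy are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str    # user id (ACID-style) or a glob such as "PAY*" or "*"
    resource: str   # dataset-style name or a glob such as "PAYROLL.*"
    action: str     # "READ", "UPDATE", ... or "*" for any action
    effect: str     # "PERMIT" or "DENY"

    def matches(self, subject: str, resource: str, action: str) -> bool:
        return (fnmatchcase(subject, self.subject)
                and fnmatchcase(resource, self.resource)
                and self.action in ("*", action))

    def sort_key(self) -> Tuple[int, int, bool, bool]:
        """Higher sorts first. Literal (non-wildcard) characters in the
        resource pattern dominate, then the subject pattern, then a named
        action beats "*". On a full tie DENY outranks PERMIT (an assumed
        tie-break) so two equally specific rules still resolve deterministically."""
        def literal(pattern: str) -> int:
            return sum(1 for c in pattern if c not in "*?")
        return (literal(self.resource), literal(self.subject),
                self.action != "*", self.effect == "DENY")


def sort_rules(rules: Iterable[Rule]) -> List[Rule]:
    """Order rules so the most specific one is evaluated first."""
    return sorted(rules, key=Rule.sort_key, reverse=True)


def decide(rules: Iterable[Rule], subject: str, resource: str,
           action: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule in specificity order wins; no match means DENY.
    Returns (effect, the rule that decided it or None)."""
    for rule in sort_rules(rules):
        if rule.matches(subject, resource, action):
            return rule.effect, rule
    return "DENY", None


# Constructed sample policy; user and dataset names are illustrative only.
POLICY = [
    Rule("*",      "PAYROLL.*",      "READ",   "PERMIT"),  # broad: anyone may read payroll data
    Rule("*",      "PAYROLL.MASTER", "*",      "DENY"),    # narrow: nobody touches the master file ...
    Rule("PAYADM", "PAYROLL.MASTER", "UPDATE", "PERMIT"),  # ... except PAYADM, and only for UPDATE
    Rule("*",      "SYS1.PARMLIB",   "UPDATE", "DENY"),    # protect system configuration
]


if __name__ == "__main__":
    requests = [("CLERK01", "PAYROLL.HISTORY", "READ"),
                ("CLERK01", "PAYROLL.MASTER", "READ"),
                ("PAYADM", "PAYROLL.MASTER", "UPDATE"),
                ("PAYADM", "PAYROLL.MASTER", "READ"),
                ("CLERK01", "SYS1.PARMLIB", "READ")]
    for who, what, how in requests:
        effect, rule = decide(POLICY, who, what, how)
        via = f"{rule.subject} {rule.resource} {rule.action}" if rule else "no matching rule"
        print(f"{who:8} {how:7} {what:16} -> {effect:6} ({via})")
```

The order in which rules were written is irrelevant to the outcome: the narrow DENY on PAYROLL.MASTER beats the broad PERMIT on PAYROLL.* regardless of list position, and a request that matches nothing falls through to the default deny. The point a practitioner should check in any real engine is what happens on an exact tie; here that case is made explicit rather than left to insertion order.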

Identification and Authentication

The TOE provides mechanisms to minimize the likelihood of a successful brute force attack against the mainframe’s authentication function. Specifically, the TSF can suspend a user account after it has exceeded a certain number of failed authentication attempts in a given day. Subject attributes are associated with users based on the user’s definition in the mainframe’s internal user database regardless of whether that user is defined by manual administrative commands or by the environmental LDAP server translating LDAP queries into actions that configure the mainframe user database. 
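As an added example, not CA Top Secret's own code or its actual suspension logic, the following models the behavior described above: an account is suspended once its failed authentication attempts within a calendar day exceed a threshold, and the day boundary is handled explicitly so that failures on one day do not count against the next. The threshold, the user ids and the timestamps are constructed for the example.

```python
"""Per-day failed-logon threshold with account suspension.

Added illustration, not CA Top Secret's own code or its real suspension
logic: an account is suspended once its failed authentication attempts in a
calendar day exceed a limit, and the counter restarts at the day boundary.
The threshold, user ids and timestamps below are constructed.
"""
from datetime import date, datetime
from typing import Dict, Set, Tuple


class FailedLogonTracker:
    def __init__(self, max_failures_per_day: int = 5) -> None:
        self.limit = max_failures_per_day
        self._today: Dict[str, Tuple[date, int]] = {}  # acid -> (day, failures that day)
        self.suspended: Set[str] = set()

    def record_failure(self, acid: str, when: datetime) -> bool:
        """Count one failed attempt; return True if the account is (now) suspended."""
        if acid in self.suspended:
            return True
        day, n = self._today.get(acid, (when.date(), 0))
        if day != when.date():          # new calendar day: the counter starts over
            day, n = when.date(), 0
        n += 1
        self._today[acid] = (day, n)
        if n > self.limit:              # "exceeded": limit + 1 failures trigger suspension
            self.suspended.add(acid)
            return True
        return False

    def record_success(self, acid: str) -> bool:
        """Return False if the logon must be refused because the account is
        suspended; otherwise clear the day's counter and return True."""
        if acid in self.suspended:
            return False
        self._today.pop(acid, None)
        return True

    def reinstate(self, acid: str) -> None:
        """Administrator action: lift the suspension and reset the counter."""
        self.suspended.discard(acid)
        self._today.pop(acid, None)

    def failures_today(self, acid: str, today: date) -> int:
        day, n = self._today.get(acid, (today, 0))
        return n if day == today else 0


def run_sample() -> Dict[str, bool]:
    """Constructed scenario: CLERK01 exceeds the limit in one evening;
    CLERK02 spreads failures across midnight and is not suspended."""
    t = FailedLogonTracker(max_failures_per_day=5)
    for minute in range(6):                             # 6 failures, same day
        t.record_failure("CLERK01", datetime(2017, 10, 4, 22, minute))
    for minute in range(5):                             # 5 failures late on the 4th
        t.record_failure("CLERK02", datetime(2017, 10, 4, 23, 50 + minute))
    for minute in range(3):                             # 3 more just after midnight
        t.record_failure("CLERK02", datetime(2017, 10, 5, 0, minute))
    return {
        "clerk01_suspended": "CLERK01" in t.suspended,
        "clerk01_logon_allowed": t.record_success("CLERK01"),
        "clerk02_suspended": "CLERK02" in t.suspended,
        "clerk02_logon_allowed": t.record_success("CLERK02"),
    }


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value}")
```

Two details matter for a practitioner: a suspended account stays suspended even if the correct credential is later presented, until an administrator reinstates it, and the per-day window means an attacker who paces attempts across midnight gets a fresh budget, which is why the threshold should be set with that window in mind.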

Security Management

The TOE is managed by authorized administrators using Interactive System Productivity Facility (ISPF) menu selections or through CLI commands. CLI commands can be issued in batch jobs or interactively using TSO. The TSF provides the ability to manage the TOE’s functionality as well as the access control policies that are enforced by the TSF, both on the local system and on remote nodes using CPF. There are several distinct administrative roles with differing levels of privilege to interact with the TSF. 

Protection of the TSF

The TOE does not provide a mechanism to view administrator credential data and does not store any key data. The TOE can use the Common Services and ICSF environmental components to protect CPF commands sent to remote nodes, so that transmitted policy data is protected against disclosure and replay. In a CPF environment, the loss of communications between distributed nodes does not affect the TOE's ability to enforce the access control policy rules it has already consumed. 

Resource Utilization

In a CPF environment, the TOE will queue CPF commands that fail to reach a remote node during a period of communications outage and will periodically attempt to transmit them so that up-to-date configuration of the TSF can be performed automatically once communications are restored. 

TOE Access

The TOE’s access control enforcement mechanism can deny session establishment to users and administrators based on policy rules such as day, time, and the method used to access the mainframe system. 

Trusted Path/Channels

The TOE does not provide its own cryptography. In the evaluated configuration, CA Common Services is used to provide TCP/IP configurations between the TOE and remote entities and the following components are used to establish trusted communications:

·         ICSF and System SSL to secure TLS communications

·         IBM Ported Tools for z/OS – OpenSSH and ICSF to secure SSH communications

The TSF relies on the Operational Environment to secure remote CPF commands using TLS and remote administrative sessions using SSH.

Vendor Information

CA Technologies
James Peters