The TOE, BEA WebLogic Platform V8.1 SP6 with BEA07-169.00 security advisory patch, is an application server platform for building, extending, integrating, deploying, and managing software applications. It comprises the following components that are used in combination to support end-user developed applications:
\r\nWebLogic Server delivers an application infrastructure for building and integrating distributed multi-tier applications. It is based on standards such as J2EE, Web services, and XML. WebLogic Server includes the WebLogic Workshop® IDE for application development, and also provides enterprise-level security and administration facilities.
\r\nWebLogic Portal is built on WebLogic Server and provides the functionality for developing and running portals. A portal is a Web site that gives users a single point of access to applications and information in a unified interface. A portal lets users view each application or Web page in its own window, called a portlet, and a single browser window can contain multiple portlets. WebLogic Portal provides a portal framework, lifecycle management tools, and business services that allow users to create and manage portals that provide users with audience-specific views of applications and information, while enforcing user business policies and security requirements.
\r\nWebLogic Integration is a product built on WebLogic Server that provides the functionality for integrating business systems within an enterprise. It provides a development and run-time framework that unifies the components of business integration—business process management, data transformation, trading partner integration, connectivity, message brokering, application monitoring, and user interaction—into a single environment.
\r\nThe TOE consists of a single WebLogic Server (WLS) subsystem, a single WebLogic Portal (WLP) subsystem, a single WebLogic Integration (WLI) subsystem, and the following configured WebLogic security providers: Auditing Provider; Authorization Provider; Adjudication Provider; Role Mapping Provider; Authentication Provider; RDBMS Authentication Provider; Identity Assertion Provider; WSRP Identity Assertion Provider; and Credential Mapping Provider.
\r\nThe TOE is supported on the following Java 2 environments: BEA JRockit 1.4.2_10 SDK; and Sun Java 2 SDK 1.4.2_11 with Java HotSpot™ Client VM. The TOE is dependent on the correct operation of the Java 2 environment and on its underlying operating system, neither of which are included within the scope of the evaluation. It should also be noted that the access control policy implemented by the TOE is enforced only on access attempts made through the TOE’s interfaces. The TOE does not and cannot control attempts to access data directly (e.g., via the underlying operating system).
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the BEA WebLogic Platform V8.1 SP6 with BEA07-169.00 security advisory patch TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2 and International Interpretations effective on 3 September 2004. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 family of assurance requirements, augmented with ALC_FLR.1 (Basic flaw remediation). The product satisfies all of the security functional requirements stated in the BEA WebLogic Platform Security Target, when configured as specified in the following guidance documents, available from BEA’s edocs website as indicated:
\r\nOne validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in September 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10029-2007) prepared by CCEVS.
","environmental_strengths":"BEA WebLogic Platform V8.1 SP6 with BEA07-169.00 security advisory patch provides a low to moderate level of independently assured security in a conventional TOE and is suitable for a cooperative non-hostile environment with good physical access security and competent administrators.
\r\nThe primary security functionality of the TOE is to provide access control to resources instantiated within each of the component subsystems. Generally, user requests come in from the network and are handled by the WLS security framework. If the user is attempting to access an application associated with either the WLP or WLI subsystem, those subsystems will be invoked in addition to the WLS security framework. As such, they serve to extend the WLS security framework to control access to resources within their control.
\r\nBEA WebLogic Platform V8.1 SP6 supports the following five security functions:
\r\n