IBM WebSphere Portal (WP) is a Java 2 Enterprise Edition (J2EE) application executed in the run-time environment provided by WebSphere Application Server (WAS) version 6.0.2.29 that provides users a consistent view of portal applications and allows users to define specific sets of applications which are presented in a single context.
\r\nWP relies on WAS for the identification and authentication of authorized users. WP also relies on WebSphere Member Manager (WMM) to provide user profile information and group membership information to the TOE. Note that WAS establishes user sessions and maintains those session in order to keep user sessions separate as well as to protect WP when instantiated within WAS.
\r\nWP allows authorized users to establish protected portal resources like pages and portlets. As an example, authorized users (a team) can develop, share, and store information for projects. This allows for fast access to and transfer of information between members of the team working on the same project.
\r\nThe Access Control administration can be performed using corresponding portlets within the running portal, the XmlAccess interface, or via portal scripting.
\r\nWP contains the following components:
\r\nThe following types of resources are protected within the portal:
\r\nUsers (database records) are implicitly protected resources, which means that access to specific user profile data can only be obtained via corresponding privileges on a user group that contains the given user as a member i.e. implicitly protected resources are those resources that are not linked into the protected resource hierarchy. Implicitly protected resources behave in the same way as normal protected resources.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the IBM WebSphere Portal 6.0.0.0 (with APAR PK67104 and APAR PK79436) TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2 family of assurance requirements. The product, when configured as specified in the WebSphere® Portal Installation and Configuration Version 6.0 and IBM WebSphere Portal 6.0 Administration., satisfies all of the security functional requirements stated in the IBM WebSphere Portal 6.0 Security Target, Version 1.0. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in August 2009. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10205-2009, dated 25 September 2009) prepared by CCEVS.
","environmental_strengths":"The TOE is a commercial product whose users require a low to moderate level of independently assured security. IBM WebSphere Portal 6.0.0.0 (with APAR PK67104 and APAR PK79436) is targeted at a relatively benign environment with good physical access security and competent administrators. Within such environments, it is assumed that attackers will have little attack potential. The security environment also assumes that the TOE components are physically protected.
\r\nIBM WebSphere Portal 6.0.0.0 (with APAR PK67104 and APAR PK79436) supports the following three security functions. Note, the TOE does not include the CC defined FAU_GEN SFR, however an explicitly stated requirement, Logging of security management functions (FMT_LOG_EX.1) was included to support auditing of security management functions.
\r\nUser Data Protection
\r\nThe TOE offers a Portal Access Control (PAC) mechanism that is invoked by the other TOE components and makes access decisions that are enforced by the WP components, for the following resources offered by WP: Web Modules, Portlets (Portlet Definitions), Portlet Application Definitions. Content Nodes (Pages), Application Templates, Template Categories, User Groups, URL Mapping contexts, Policies, and WSRP Producers. Access is controlled based on permissions contained in roles assigned to individual users or user groups.
\r\nSecurity Management
\r\nThe TOE supports roles defined as sets of resource specific permissions. Roles can be assigned to users, groups, and can also be aggregated into other (application) roles. Roles can be used to enable security management functions, such as managing roles and assigning those roles to users and user groups. In general, access to resources is restrictive insofar as a given user must have permission before they can access a resource. While it is possible to authorize anonymous access to a resource, such permission must be explicitly established prior to so doing.
\r\nThe TOE also supports the ability to log the use of the security management functions. While generated by the TOE, the log is stored in ASCII format in a file in the IT environment.
\r\nProtection of the TSF
\r\nThe TOE ensures that its own security policies cannot be bypassed by ensuring that appropriate access checks are made and enforced at all interfaces made available by the TOE.
","features":[]}