The Target of Evaluation (TOE) is TIBCO ActiveMatrix BusinessWorks Release 5.8 (also known as ActiveMatrix BusinessWorks™). ActiveMatrix BusinessWorks consists of a development application, an administration application, and a runtime integration engine. These applications utilize common libraries. The following are the software applications that make up the TOE.
\r\nFigure 1-1 TIBCO Components depicts a very general view of the components that make up the TIBCO product. The TIBCO DesignerTM application creates and deploys a definition of a business process and then plays no part in the operation of the deployed business process. The TIBCO Administrator application and TIBCO ActiveMatrix BusinessWorks engine each include an instance of TIBCO Runtime Agent.
\r\nThe TIBCO Designer application creates an Enterprise Archive (EAR) file to describe a business process and associated resource information; in conjunction with the TIBCO Designer application, certain properties may be included in an XML file called ‘bwengine.xml’. Certain aspects of the design elements and all of the aspects of the bwengine.xml file are exposed to the TIBCO administrator application and may be changed prior to deployment.
\r\nTIBCO Runtime Agent is installed on all machines in the network that are participating in the business process.
\r\nThese EAR files are moved[1] from the TIBCO Designer application to the TIBCO Administrator Application. The TIBCO Administrator application is then used to deploy applicable parts of the EAR file to applicable instances of the ActiveMatrix BusinessWorks Application. The TIBCO Administrator application starts the ActiveMatrix BusinessWorks engine to perform activities in the business process.
\r\nTIBCO Runtime Agent is an installation package that provides common functionality in libraries used by other ActiveMatrix BusinessWorks applications, including functions used to communicate between TOE components. Two significant pieces of TIBCO Runtime Agent are subsets of other TIBCO products: TIBCO Hawk® Agent and TIBCO Rendezvous® Daemon. Hawk® Agent is configured for a business process (created by the Domain Utility) to use either Rendezvous® or TIBCO Enterprise Message Service™ as a message carrying protocol to pass messages between subsystems. Hawk Agent is used by each subsystem to facilitate communication between subsystems while enforcing constraints defined for the business process. Rendezvous Daemon-based communication provides message passing similar to message passing using the TCP/IP-based socket programming construct. Rendezvous is a connectionless, transport layer protocol carried by UDP/IP packets. The TIBCO Designer application, the TIBCO Administrator application, and the ActiveMatrix BusinessWorks engine all rely upon software installed by TIBCO Runtime Agent.
\r\nThe TOE supports creation of the Business Process, however, the security requirement described in the ST define the protections that are available once the business process has been deployed.
\r\n\r\n
[1] The method of moving an EAR file depends upon administrative and physical concerns and is outside the scope of this security target.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which TIBCO ActiveMatrix BusinessWorks Release 5.8 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2, September 2007. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 2, September 2007. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL2 augmented with ALC_FLR.2 family of assurance requirements. The product, when configured as specified in the TIBCO ActiveMatrix BusinessWorks Installation, TIBCO ActiveMatrix BusinessWorks Getting Started, TIBCO ActiveMatrix BusinessWorks Administration, and TIBCO ActiveMatrix BusinessWorks (5.8), TIBCO Administrator (5.6), and TIBCO Runtime Agent (5.6) Security Features User’s Guide satisfies all of the security functional requirements stated in the TIBCO ActiveMatrix BusinessWorks Release 5.8 Security Target, Version 2.0, August 19, 2010. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in June 2010. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10230-2010, dated 30 July 2010.
","environmental_strengths":"EAL2 was selected as the assurance level because the TOE is a commercial product whose users require a low to moderate degree of independently assured security. The TOE is targeted at a relatively benign environment with good physical access security and competent administrators. Within such environments it is assumed that attackers will have little attack potential. TIBCO ActiveMatrix BusinessWorks Release 5.8 supports the following five security functions:
\r\nSecurity Audit: The TOE generates audit records for start-up and shutdown of the audit functions, as well as an unspecified level of audit[1]. The TIBCO Administrator application and ActiveMatrix BusinessWorks engine both generate audit records when security-relevant events occur. Log files are stored in administrator-configured locations in the environment. The TIBCO Administrator application provides the ability to specify a log file name, to specify search conditions (based on date and time of the event, and on type of event), and to view record details. The environment is relied on to provide a reliable time stamp, to protect the audit trail.
\r\nUser Data Protection: The TIBCO ActiveMatrix BusinessWorks engine enforces security policies that are associated with resources by administrators. When a security policy is attached to a resource, the associated security policy is used for that process’ corresponding incoming and outgoing messages[2]. The security policy may define transport characteristics, authentication characteristics, integrity characteristics, confidentiality characteristics, and timeout characteristics. The TOE is permissive by default with respect to message protection which means that in the evaluated configuration, if a security policy is not attached to a resource, no protection is provided. Therefore, in order to enforce the security functions a security policy must always be attached by an administrator to a resource before message transport, authentication, integrity, confidentiality, and timeout characteristics defined in the attached security policy are applied.
\r\nIdentification and Authentication: The TIBCO Administrator application requires authorized administrators to logon using a username and password before it allows access to its interfaces. Authorized TIBCO administrators are uniquely identified and authenticated and associated with TIBCO administrative roles and TIBCO domains after being successfully authenticated. The ActiveMatrix BusinessWorks engine may, depending on business process activity or resource security policy configuration, require that incoming messages be authenticated to support the protection of messages.
\r\nSecurity Management: The TIBCO Administrator application component provides command-line utilities and a web-based administrator console interfaces. These interfaces are used to manage TOE functions, including configuring security policies, deploying distributed applications, and administering distributed applications. The TOE provides administrative roles that correspond to permissions for items that display in the Security console component of the TIBCO Administrator application and that a command-line utility may access.
\r\nProtection of the TSF: Both the TIBCO Administrator application and ActiveMatrix BusinessWorks engine implement web servers. The web server implemented by the TIBCO Administrator application is used to provide an administrative console interface. The web server implemented by the ActiveMatrix BusinessWorks engine is used to provide a transport to send and receive messages. TOE web server instances are designed to ensure that TOE interfaces cannot be bypassed and to ensure that a security domain is provided for both administrative and calling application sessions. The TOE uses HTTPS[3] (provided by the Environment) to protect communication with its TIBCO Administrator application GUI. The TOE also uses HTTPS to protect communication between the TIBCO Administrator application and Runtime Agent. TOE application components otherwise rely on the Environment for protection.
\r\nThe TOE also utilizes mechanisms that are provided by the cryptomodule, operating system, DBMS and LDAP server to protect various pieces of TOE configuration data.
\r\nCryptographic support provided by the environment: The TOE does not contain a cryptomodule but it is packaged with one. In the evaluated configuration, the TOE is delivered to customers with Entrust Authority Security Toolkit for Java 7.2. Authorized administrators can also configure the TOE to use third party cryptographic libraries that are compatible with the Java Cryptography Extension (JCE) standard. JCE defines a standardized Java language framework for implementing cryptographic algorithms and operations. The TOE uses the configured crypto module to perform cryptographic operations according to individual security policy settings. The TOE can perform the following types of cryptographic operations on SOAP messages:
\r\nOnly TIBCO administrative users with appropriate administrative permissions can modify the configuration of cryptographic operations on SOAP messages.
\r\nWithin the Entrust toolkit, there are non-FIPS algorithms that are not used in the evaluated configuration; guidance documentation instructs administrators that only FIPS certified algorithms can be used by the TOE in an evaluated configuration. There is a global setting that configures the minimum strength of the ciphers. If the administrator configures it to be 256, then FIPS mode AES-256 is always used.
\r\nBecause JDBC and LDAP communications utilize JRE services for cryptography, the JRE must be configured to use the Entrust toolkit[5] for communication between the TOE and a DBMS or an LDAP server.
\r\n\r\n
[1] “Unspecified level of audit” refers to the Common Criteria terminology required for proper selection in the FAU_GEN.1audit requirement (see Section 5.2.1.1). The actual set of audited events can be found in Section 5.2.1.
\r\n[2] The term message is used in a generic sense to refer to any distinct communication unit appropriate for the protocol type being used. A message can be a single email, a single data request, a single remote function invocation, a single packet or a single session depending upon the protocol being considered.
\r\n[3] While the product supports several protocols between the TIBCO Administrator application and the ActiveMatrix BusinessWorks engine, only HTTPS can be used by the TOE in the evaluated configuration.
\r\n[4] Administrators only use FIPS certified mechanisms in the evaluated configuration.
\r\n[5] The Security Features Users Guide provides this instruction.
","features":[]}