{"product_id":10288,"v_id":10288,"product_name":"IBM WebSphere Application Server Network Deployment V6.1.0.2","certification_status":"Not Certified","certification_date":"2007-03-16T00:03:00Z","tech_type":"Miscellaneous","vendor_id":{"name":"IBM Corporation","website":"https://www.ibm.com"},"vendor_poc":"Melvin Bryant","vendor_phone":"512.838.0714","vendor_email":"melbry@us.ibm.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>WebSphere Application Server Network Deployment (32-bit) V6.1.0.2. Requires interim fixes for APARs, PK29847, PK29933, PK30347, PK30831, PK31490, and PK33753. For the Solaris and HP platforms, APAR PK27217 is also required.</p>\r\n<p><strong>TOE Identification:</strong> WebSphere Application Server Network Deployment configured according to WebSphere Application Server EAL4 AGD &ndash; Guidance document (version 16).</p>\r\n<p>The WebSphere Application Server Network Deployment TOE is a subset of the WebSphere Application Server Network Deployment product. The WebSphere Application Server Network Deployment TOE consists of the following WebSphere Application Server Network Deployment product components:</p>\r\n<ul>\r\n    <li>Product Application Server </li>\r\n    <li>Product Client </li>\r\n    <li>Product wsadmin Tool </li>\r\n    <li>Product Deployment Manager Server </li>\r\n    <li>Product Node Agent Server </li>\r\n    <li>Product HTTP Server and Product HTTP Server Plug-in </li>\r\n    <li>Product Proxy Server </li>\r\n</ul>\r\n<p>Other WebSphere Application Server Network Deployment product components that are not part of the TOE do not implement the primary purpose of the product and are not required to facilitate the product management functions. 
</p>\r\n<p><strong>TOE Environment: </strong>WebSphere Application Server Network Deployment relies upon the environment to perform cryptographic key generation, cryptographic key destruction, cryptographic operations (digital signature generation/verification, encryption/decryption), maintenance of security attributes associated with users (user ID, Group ID, Password or Certificate), audit, TOE security protection and authentication. </p>\r\n<p>The following Operating Systems (OS) are supported but outside the scope of this evaluation:</p>\r\n<ul>\r\n    <li>AIX&reg; 5.3 (64-bit); </li>\r\n    <li>HP-UX 11i v2 (64-bit PA-RISC); </li>\r\n    <li>Linux&reg; Redhat 4 on PPC (64-bit) / Intel&trade; / z/OS&reg; </li>\r\n    <li>Linux SuSE Enterprise Edition 9 (SLES 9) on PPC (64-bit) / z/OS; </li>\r\n    <li>Sun Solaris 10 (64-bit); </li>\r\n    <li>Microsoft&reg; Windows&reg; 2003. </li>\r\n</ul>\r\n<p><strong>TOE Description:</strong> The WebSphere Application Server Network Deployment TOE is a Java 2 Enterprise Edition (J2EE) 1.4 compliant run-time environment. The primary purpose of the product is to provide an environment for running and managing user-supplied enterprise applications and their components. J2EE is a comprehensive set of specifications for designing, developing and deploying multi-tier, server-based applications. </p>\r\n<p>The WebSphere Application Server Network Deployment TOE supports the following security functions: Identification, Access Control, Security Management, and Invocation of SSL.</p>\r\n<p>The TOE identifies a client before performing any other TSF mediated action for the client with the exception of access to a method or static web content that is not configured with a security constraint or specifically allows access to &ldquo;Everyone&rdquo;. 
The environment is depended upon to authenticate and maintain security attributes associated with users.</p>\r\n<p>The TOE provides access control functions that allow only authorized remote callers access to the sensitive resources. The TOE permits a client to access a protected resource only if a user or group ID of the user is mapped to a role that has permission to access the resource. The resources protected by the TOE are:</p>\r\n<ul>\r\n    <li>methods in deployed enterprise beans </li>\r\n    <li>methods and HTML pages in deployed web server applications </li>\r\n    <li>Naming Directory </li>\r\n    <li>TOE configuration data and TOE runtime state </li>\r\n    <li>Transactions and activities </li>\r\n    <li>Messaging resources (e.g. local bus, queue destinations) </li>\r\n    <li>UDDI resources </li>\r\n    <li>location service resources </li>\r\n    <li>methods and attributes in user MBeans </li>\r\n</ul>\r\n<p>The authorized role can use the TOE to map user and group IDs to roles which are the attributes used by the access control function.</p>\r\n<p>The TOE provides an invocation of SSL function that requires a remote caller to invoke SSL using the configured algorithms to allow for the session to be encrypted when the remote caller issues a request to the TOE over the remote interface of the IBM HTTP Server component. Note: This function does not perform the actual SSL encryption, yet provides a mechanism for requiring requests from remote callers to be encrypted.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the WebSphere Application Server Network Deployment TOE meets the security requirements contained in the Security Target. 
The criteria against which the WebSphere Application Server Network Deployment TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2. Science Application International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the WebSphere Application Server Network Deployment TOE is EAL 4 augmented with ALC_FLR.1. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. Several validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in January 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report<em> for </em>WebSphere Application Server Network Deployment prepared by CCEVS.</p>\r\n<p>The WebSphere Application Server Network Deployment EAL4+ Security Target makes a claim that the TOE can be supported on multiple operating system platforms, which are considered to be outside the scope of the TOE.</p>","environmental_strengths":"<p>The WebSphere Application Server Network Deployment TOE is a commercial product that provides identification, access control and the management of access control to protected resources. Additionally, the TOE provides a mechanism for requiring requests from remote callers to be encrypted using SSL (note that SSL is outside the scope of the TOE). The WebSphere Application Server Network Deployment TOE provides a level of protection that is appropriate for IT environments where the WebSphere Application Server Network Deployment TOE and the platform upon which it is installed can be appropriately protected from physical attacks.</p>","features":[]}