{"product_id":10735,"v_id":10735,"product_name":"CA Top Secret r15","certification_status":"Certified","certification_date":"2016-06-02T00:00:00Z","tech_type":"Enterprise Security Management","vendor_id":{"name":"CA Technologies","website":"www.ca.com"},"vendor_poc":"James Peters","vendor_phone":"(630)050-5065","vendor_email":"james.peters@ca.com","assigned_lab":{"cctl_name":"Booz Allen Hamilton Common Criteria Testing Laboratory"},"product_description":"<p><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">CA Top Secret is an Enterprise Security Management product that provides host-based access control to z/OS systems that reside in its Operational Environment. Top Secret enforces administrator-configurable rules that control access to mainframe systems and their data, ensuring that resources are protected from unauthorized access. Top Secret also includes a policy management function that is used to configure a uniform set of access control policies against multiple distinct physical or logical mainframe instances deployed in the enterprise. This is done through the use of the command propagation facility (CPF) method of administration.</span></p>\r\n<p>&nbsp;</p>","evaluation_configuration":"<p>&nbsp;</p>\r\n<div style=\"border-width: medium medium 1pt; border-style: none none dotted; border-color: currentColor currentColor #666666; padding: 0in; mso-element: para-border-div; mso-border-bottom-alt: dotted #666666 .75pt;\">\r\n<p style=\"margin: 0in 0in 0pt; padding: 0in; border: currentColor; line-height: 12pt; mso-border-bottom-alt: dotted #666666 .75pt; mso-margin-top-alt: auto; mso-outline-level: 3; mso-padding-alt: 0in 0in 0in 0in;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The TOE is a software product. The physical boundary of the TOE includes the CA Top Secret software that is installed on z/OS. 
It does not include the third-party software that is required for the TOE to run. The following table lists the software components that are required for the TOE&rsquo;s use in the evaluated configuration. These Operational Environment components are expected to be patched to include the latest security fixes for each component.</span></p>\r\n</div>\r\n<p>&nbsp;</p>\r\n<table style=\"border: currentColor; border-collapse: collapse; mso-padding-alt: 0in 5.75pt 0in 5.75pt; mso-border-alt: solid #7BA0CD 1.0pt; mso-yfti-tbllook: 1184; mso-border-insideh: 1.0pt solid #7BA0CD; mso-border-insidev: 1.0pt solid #7BA0CD;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\r\n<tbody>\r\n<tr style=\"mso-yfti-irow: 0; mso-yfti-firstrow: yes;\">\r\n<td style=\"background: black; padding: 0in 5.75pt; border: 1pt solid windowtext; width: 150.75pt; mso-border-alt: solid windowtext .5pt;\" width=\"251\">\r\n<p style=\"margin: 6pt 0in; line-height: 115%; mso-add-space: auto;\"><strong><span style=\"color: white; line-height: 115%; font-family: 'Times New Roman','serif'; font-size: 10pt; mso-fareast-font-family: Calibri; mso-bidi-font-size: 11.0pt;\">Component</span></strong></p>\r\n</td>\r\n<td style=\"background: black; border-width: 1pt 1pt 1pt 0px; border-style: solid solid solid none; border-color: windowtext windowtext windowtext #000000; padding: 0in 5.75pt; width: 292.75pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt;\" width=\"488\">\r\n<p style=\"margin: 6pt 0in; text-align: center; line-height: 115%; mso-add-space: auto;\" align=\"center\"><strong><span style=\"color: white; line-height: 115%; font-family: 'Times New Roman','serif'; font-size: 10pt; mso-fareast-font-family: Calibri; mso-bidi-font-size: 11.0pt;\">Requirement</span></strong></p>\r\n</td>\r\n</tr>\r\n<tr style=\"mso-yfti-irow: 1;\">\r\n<td style=\"background: #d9d9d9; border-width: 0px 1pt 1pt; border-style: none solid solid; border-color: #000000 windowtext 
windowtext; padding: 0in 5.75pt; width: 150.75pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt;\" width=\"251\">\r\n<p style=\"margin: 6pt 0in; line-height: 115%; mso-add-space: auto;\"><strong><span style=\"line-height: 115%; font-family: 'Times New Roman','serif'; font-size: 10pt; mso-fareast-font-family: Calibri; mso-bidi-font-size: 11.0pt;\">Platform</span></strong></p>\r\n</td>\r\n<td style=\"background: #d9d9d9; border-width: 0px 1pt 1pt 0px; border-style: none solid solid none; border-color: #000000 windowtext windowtext #000000; padding: 0in 5.75pt; width: 292.75pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt;\" width=\"488\">\r\n<p style=\"margin: 6pt 0in; text-align: center; line-height: 115%; mso-add-space: auto;\" align=\"center\"><span style=\"line-height: 115%; font-family: 'Times New Roman','serif'; font-size: 10pt; mso-fareast-font-family: Calibri; mso-bidi-font-size: 11.0pt;\">IBM System z mainframe (zEC12, z114, z196, z9 series, z10 series)</span></p>\r\n</td>\r\n</tr>\r\n<tr style=\"mso-yfti-irow: 2; mso-yfti-lastrow: yes;\">\r\n<td style=\"border-width: 0px 1pt 1pt; border-style: none solid solid; border-color: #000000 windowtext windowtext; padding: 0in 5.75pt; width: 150.75pt; background-color: transparent; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt;\" width=\"251\">\r\n<p style=\"margin: 6pt 0in; line-height: 115%; mso-add-space: auto;\"><strong><span style=\"line-height: 115%; font-family: 'Times New Roman','serif'; font-size: 10pt; mso-fareast-font-family: Calibri; mso-bidi-font-size: 11.0pt;\">System Components</span></strong></p>\r\n</td>\r\n<td style=\"border-width: 0px 1pt 1pt 0px; border-style: none solid solid none; border-color: #000000 windowtext windowtext #000000; padding: 0in 5.75pt; width: 292.75pt; background-color: transparent; mso-border-alt: solid windowtext .5pt; 
mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt;\" width=\"488\">\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">INIT/JOB</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">JES2</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">TSO</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 
lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">TCP/IP</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">VTAM</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">CA Common Services for z/OS r11 SP6 or above</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: 
Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">CA LDAP Server for z/OS r15</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">IBM Integrated Cryptographic Module Facility (ICSF)</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">IBM System SSL</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt 20.25pt; text-indent: -2.25pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"font-family: Symbol; font-size: 10pt; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-bidi-font-size: 11.0pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"font: 7pt/normal 'Times New Roman'; font-size-adjust: none; font-stretch: 
normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span style=\"font-size: 10pt; mso-bidi-font-size: 11.0pt;\"><span style=\"font-family: Times New Roman;\">IBM Ported Tools for z/OS &ndash; OpenSSH </span></span></p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p>&nbsp;</p>\r\n<div style=\"border-width: medium medium 1pt; border-style: none none dotted; border-color: currentColor currentColor #666666; padding: 0in; mso-element: para-border-div; mso-border-bottom-alt: dotted #666666 .75pt;\">\r\n<p style=\"margin: 0in 0in 0pt; padding: 0in; border: currentColor; line-height: 12pt; mso-border-bottom-alt: dotted #666666 .75pt; mso-margin-top-alt: auto; mso-outline-level: 3; mso-padding-alt: 0in 0in 0in 0in;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">In addition to the mainframe requirements, a TN3270e terminal emulator is required for any system used to administer the TOE via TSO or JES2. In the evaluated configuration, the TOE was tested using QWS3270 over an SSH tunnel that was established using CA Common Services and ICSF.</span></p>\r\n</div>","security_evaluation_summary":"<p>&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CA Top Secret r15 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. 
The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the <em style=\"mso-bidi-font-style: normal;\">CA Top Secret r15 Security Target version 1.0</em>. The evaluation underwent CCEVS Validator review. The evaluation was completed in May 2016. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10735-2016, prepared by CCEVS.</span></p>","environmental_strengths":"<p><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">Enterprise Security Management</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">CA Top Secret provides enterprise security management through its ability to define and enforce access control policies. The TOE provides the ability to define these policies through the command line. Policies can be defined to control access to processes, files, system configuration, and use of the authentication function for mainframe systems. The TOE also defines subject attributes for mainframe users that can affect how access control policies are audited for specific users. 
Since the TOE can enforce access control against the mainframe&rsquo;s authentication function, it ensures that all users and administrators are identified and authenticated prior to accessing any objects that reside on the system, including the TSF itself.</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">Security Audit</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The TOE generates audit records of its behavior and administrator activities. Audit data includes date, time, event type, subject identity, and other data as required. Audit data is written to the mainframe&rsquo;s SYSLOG and SMF audit storage repositories in the Operational Environment. 
The administrator has some degree of control over the types of events that are audited for access control functionality in order to minimize the volume of audit data.</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">Communications</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The TOE can communicate policy rules to remote instances of Top Secret that are located on distributed systems or LPARs using the Command Propagation Facility (CPF). CPF provides transaction receipts to administrators so that the implementation status of transmitted policy rules can be determined. 
If a remote node is unavailable to receive CPF commands, they will be queued and transmission will be periodically retried until the node is available.</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">User Data Protection</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The TOE has the ability to enforce access control against files, processes, system configuration objects, and the authentication function of a mainframe system. Access control policy rules can be written against arbitrarily-defined subjects and objects so that anything that resides on the system can be protected as needed. The TSF implements a rule sorting algorithm in order to give better matched rules higher priority which prevents rules from coming into conflict with one another. The TSF also defines several exceptions to the rule enforcement engine so that specific overrides can be granted if necessary. 
By default, the TOE considers the system objects that comprise itself to be protected so that an untrusted user is unable to bypass, terminate, or control the behavior of the access control enforcement mechanism.</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">Identification and Authentication</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The TOE provides mechanisms to minimize the likelihood of a successful brute force attack against the mainframe&rsquo;s authentication function. </span><span style=\"font-family: 'Arial','sans-serif'; font-size: 10pt;\">Specifically, the TSF can suspend a user account after it has exceeded a configurable number of failed authentication attempts; the account remains locked out until it is unlocked by an administrator<span style=\"color: #333333;\">. 
Subject attributes are associated with users based on the user&rsquo;s definition in the mainframe&rsquo;s internal user database regardless of whether that user is defined by manual administrative commands or by the environmental LDAP server translating LDAP queries into actions that configure the mainframe user database.</span></span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">Security Management</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The TOE is managed by authorized administrators using CLI commands. CLI commands can be issued in batch jobs or interactively using TSO. The TSF provides the ability to manage the TOE&rsquo;s functionality as well as the access control policies that are enforced by the TSF, both on the local system and on remote nodes using CPF. 
There are several distinct administrative roles with differing levels of privilege to interact with the TSF.</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">Protection of the TSF</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The TOE does not provide a mechanism to view administrator credential data and does not store any key data. The TOE is able to use the Common Services and ICSF environmental components to encrypt CPF commands sent to remote nodes, preventing replay attacks against transmitted policy data. 
In a CPF environment, the loss of communications between distributed nodes does not affect the TOE&rsquo;s ability to enforce the access control policy rules that it has consumed.</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">Resource Utilization</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">In a CPF environment, the TOE will queue CPF commands that fail to reach a remote node during a period of communications outage and will periodically attempt to transmit them so that up-to-date configuration of the TSF can be performed automatically once communications are restored.</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">TOE Access</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 
10pt;\">The TOE&rsquo;s access control enforcement mechanism can deny session establishment to users and administrators based on policy rules such as day, time, and the method used to access the mainframe system.</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">Trusted Path/Channels</span></p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\">&nbsp;</p>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">The TOE relies on the Operational Environment to protect authentication and administration data transferred to the mainframe in the course of remote management and between distributed systems via CPF. 
The Operational Environment includes several cryptographic components that are used to facilitate trusted communications as follows:</span></p>\r\n<ul style=\"list-style-type: disc; direction: ltr;\">\r\n<li style=\"color: #333333; font-style: normal; font-weight: normal;\">\r\n<p style=\"color: #000000; line-height: 14.4pt; font-style: normal; font-weight: normal; margin-top: 6pt; margin-bottom: 6pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt; mso-fareast-font-family: 'Times New Roman';\">IBM Integrated Cryptographic Services Facility (ICSF): provides PKCS#11 services for cryptographic primitives that have been approved by the Cryptographic Algorithm Validation Program (CAVP).</span></p>\r\n</li>\r\n<li style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt; font-style: normal; font-weight: normal;\">\r\n<p style=\"color: #000000; line-height: 14.4pt; font-family: 'Times New Roman','serif'; font-size: 12pt; font-style: normal; font-weight: normal; margin-top: 6pt; margin-bottom: 6pt; mso-add-space: auto; mso-list: l0 level1 lfo1;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt; mso-fareast-font-family: 'Times New Roman';\">IBM System SSL: provides cryptographic services that are used to secure TCP/IP communications using TLS as well as implement the TLS protocol. These services, with the exception of random number generation, have been approved by the CAVP. 
In the evaluated configuration, System SSL is configured to invoke ICSF&rsquo;s deterministic random bit generator (DRBG) so that it is only using CAVP-approved services to perform key generation and key exchange.</span></p>\r\n</li>\r\n</ul>\r\n<p style=\"margin: 0in 0in 0pt; line-height: 14.4pt; mso-margin-top-alt: auto; mso-outline-level: 2; mso-margin-bottom-alt: auto;\"><span style=\"color: #333333; font-family: 'Arial','sans-serif'; font-size: 10pt;\">IBM Ported Tools for z/OS &ndash; OpenSSH: provides functionality to implement the SSH protocol. In the evaluated configuration, this component is configured to invoke ICSF to perform all cryptographic services related to the establishment and use of SSH.</span></p>","features":[]}