{"product_id":3020,"v_id":3020,"product_name":"BEA WebLogic Server 7.0 SP6 with BEA05-107.00 Advisory Patch","certification_status":"Not Certified","certification_date":"2006-01-27T00:01:00Z","tech_type":"Web Server","vendor_id":{"name":"BEA Systems, Inc.","website":"http://www.bea.com"},"vendor_poc":"Danny Yip, Paul Ferwerda","vendor_phone":"781.993.7341","vendor_email":"dyip@bea.com, ferwerda@bea.com","assigned_lab":{"cctl_name":"CygnaCom Solutions, Inc"},"product_description":"<p>BEA WebLogic Server is an application server that provides a foundation for an enterprise to build and integrate applications and databases.&nbsp; BEA WebLogic Server is designed around a J2EE-compliant tiered architecture, and its tool-set support facilitates the separation of presentation, business logic, and data, providing the underlying core functionality necessary for the development and deployment of business-driven applications.&nbsp; BEA WebLogic Server centralizes application services such as Web server functionality, business components, and access to backend enterprise systems.&nbsp; BEA WebLogic Server also provides enterprise-level security and administration facilities.</p>\r\n<p>Security functionality is provided by the WebLogic Security Subsystem, known hereafter as the WebLogic Security Framework (WSF), which supplies security services for BEA WebLogic Server V7.0 SP6 with BEA05-107.00 advisory patch and for hosted application programs. The WSF is an integral subset of the BEA WebLogic Server product.&nbsp; </p>\r\n<p>WebLogic Server is made up of various components that may be accessed by clients using various protocols. When a client connects to WebLogic Server to access a WebLogic entity (e.g., an application or an Enterprise JavaBean), the WebLogic Server component involved first checks the security policy with the WSF. This ensures that only authorized callers are granted access to the WebLogic entity. 
WSF allows WebLogic Server components to check access for the following types of entities: Administrative, Application, Component Object Model, Enterprise Information System, Enterprise JavaBeans, Java Database Connectivity, Java Message Service, Java Naming and Directory Interface, Server, Web (URL), Web Services.</p>\r\n<p>If an entity attempts to access other entities within WebLogic Server, the WSF mediates access based on the access controls configured by a WebLogic Server administrator. The enforcement of WSF security policy decisions by the WebLogic Server components (the containers) is outside the scope of this evaluation.</p>\r\n<p>The TOE specifically includes: the WebLogic Security Framework from WebLogic Server V7.0 SP6 with BEA05-107.00 advisory patch installed, the Administration Console GUI, the WebLogic Server embedded LDAP server, and the WebLogic Security Providers (Authentication, Identity Assertion, Credential Mapping, Authorization, Adjudication, Role Mapping, Auditing).</p>\r\n<p>The TOE does not include: command line interfaces used after installation, the WebLogic Server containers that enforce access control decisions made via the WSF, or any of the entities listed above.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The WebLogic Server V7.0 SP6 with BEA05-107.00 advisory patch TOE was evaluated against the <em>Common Criteria for Information Technology Security Evaluation</em>, Version 2.2, by the CygnaCom Solutions Common Criteria Testing Laboratory (CCTL).&nbsp; The evaluation methodology used was the <em>Common Methodology for Information Technology Security Evaluation, </em>Version 2.2.&nbsp; The CCTL concluded that the TOE is <em>Common Criteria</em> Part 2 extended and Part 3 conformant at EAL2 augmented with ALC_FLR.1, and recommended that a certificate be issued.&nbsp; The validation was conducted by NIAP&rsquo;s Common Criteria Evaluation and Validation Scheme (CCEVS). 
The evaluation was completed on January 27, 2006.</p>","environmental_strengths":"<p>The TOE provides the following security features:</p>\r\n<p><strong>Security Audit</strong> &ndash; The TOE provides its own auditing capabilities, separate from those of the operating system.&nbsp; Audit records are written as text files to the file system provided by the IT environment.</p>\r\n<p><strong>User data protection</strong> &ndash; The TOE implements the access control decision functionality that WebLogic Server containers use to restrict access to protected WebLogic entities; the containers themselves were outside the TOE definition in this evaluation. The access control decision services are supplied by the Authorization, Role Mapping, and Adjudication security providers.</p>\r\n<p><strong>Identification and authentication</strong> &ndash; Both administrative users and users associated with applications are identified and authenticated by the TOE.&nbsp; The TOE may also be configured to allow anonymous users (but not anonymous administrative users). The TOE implements identification and authentication using the services supplied by the Authentication and Identity Assertion security providers.</p>\r\n<p><strong>Security Management</strong> &ndash; The Administration Console is the interface for performing TOE security management functions. The TOE supports four global roles: administrator, deployer, operator, and monitor. These roles provide the capabilities needed to manage the TOE security functions. An anonymous user cannot be assigned a role and hence cannot perform any security management functions.</p>\r\n<p>The TOE includes a security provider database to store data used by the security providers. In the evaluated configuration, an embedded LDAP server is used for the security provider database. WebLogic Server, including the TOE, is designed to ensure that only a user acting in an appropriate role can modify or review TOE configuration data. 
The Role Mapping security provider specifically supports this service.</p>\r\n<p><strong>Protection of the TSF</strong> &ndash; WebLogic Server encapsulates the applications it protects within the WebLogic Server security framework so that the security mechanisms are always invoked when resources are requested. WebLogic Server runs as a collection of Java applications in their own domains, distinct from one another and from other, potentially untrusted entities; because that domain separation comes from the underlying platform rather than from the TOE, the TOE relies on the IT environment for the majority of the services that protect the TSF. The TSF itself ensures that, when invoked, it performs its security policy enforcement functions successfully.</p>","features":[]}
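The access-decision pipeline the record above sketches (a container outside the TOE asks the WSF; Role Mapping, then the Authorization providers, then Adjudication decide; Auditing records the outcome; an anonymous user never holds a role) is modelled below as an added illustration. It is not part of the NIAP record and is not BEA or WebLogic code: the `type=<adm>` and `type=<url>` resource strings, the group names, the two providers, the `require_unanimous_permit` switch and the sample subjects are all constructed for this example and describe a generic adjudication trade-off, not WebLogic's actual configuration attributes.

```python
"""Model of a WSF-style access decision: Role Mapping -> Authorization
providers -> Adjudication, with an audit trail. Added illustration for this
page; every policy, name and resource string below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Result(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"  # provider has no policy covering this resource


@dataclass(frozen=True)
class Subject:
    user: str | None  # None models the anonymous user
    groups: frozenset[str] = frozenset()


ANONYMOUS = Subject(user=None)

RolePolicy = dict[str, Callable[[Subject], bool]]
AuthzProvider = Callable[[str, frozenset[str]], Result]


def map_roles(subject: Subject, policy: RolePolicy) -> frozenset[str]:
    """Role Mapping. An anonymous subject never receives a role, so it can
    never reach a resource that requires one (including management)."""
    if subject.user is None:
        return frozenset()
    return frozenset(role for role, holds in policy.items() if holds(subject))


def role_based_provider(rules: dict[str, set[str]]) -> AuthzProvider:
    """Authorization provider: PERMIT if the caller holds a listed role, DENY
    if the resource is covered but no role matches, ABSTAIN if this provider
    has no rule for the resource at all. Rule keys are resource prefixes."""
    def decide(resource: str, roles: frozenset[str]) -> Result:
        for prefix, allowed in rules.items():
            if resource.startswith(prefix):
                return Result.PERMIT if roles & allowed else Result.DENY
        return Result.ABSTAIN
    return decide


def adjudicate(results: list[Result], require_unanimous_permit: bool) -> bool:
    """Adjudication: any DENY is final. In unanimous mode every provider must
    PERMIT, so an ABSTAIN fails closed; otherwise ABSTAINs are ignored and one
    PERMIT suffices. No providers at all means no access."""
    if not results or Result.DENY in results:
        return False
    if require_unanimous_permit:
        return all(r is Result.PERMIT for r in results)
    return Result.PERMIT in results


@dataclass
class SecurityFramework:
    role_policy: RolePolicy
    providers: list[AuthzProvider]
    require_unanimous_permit: bool = False
    audit: list[str] = field(default_factory=list)  # stand-in for Auditing

    def is_access_allowed(self, subject: Subject, resource: str) -> bool:
        """What a container (the enforcement point) would ask the framework."""
        roles = map_roles(subject, self.role_policy)
        votes = [p(resource, roles) for p in self.providers]
        allowed = adjudicate(votes, self.require_unanimous_permit)
        self.audit.append(
            f"user={subject.user or '<anonymous>'} roles={sorted(roles)} "
            f"resource={resource!r} votes={[v.value for v in votes]} "
            f"decision={'PERMIT' if allowed else 'DENY'}")
        return allowed


# Constructed sample policy: the four global roles the record names, derived
# from group membership, and two providers with disjoint scopes.
GLOBAL_ROLES: RolePolicy = {
    "Admin": lambda s: "Administrators" in s.groups,
    "Deployer": lambda s: "Deployers" in s.groups,
    "Operator": lambda s: "Operators" in s.groups,
    "Monitor": lambda s: "Monitors" in s.groups,
}

ADMIN_PROVIDER = role_based_provider({
    "type=<adm>, action=write": {"Admin", "Deployer"},
    "type=<adm>, action=read": {"Admin", "Deployer", "Operator", "Monitor"},
})


def url_provider(resource: str, roles: frozenset[str]) -> Result:
    """Web (URL) resources: a public path needs no role, anything else needs
    some role; administrative resources are not this provider's concern."""
    if not resource.startswith("type=<url>"):
        return Result.ABSTAIN
    if ", path=/public/" in resource:
        return Result.PERMIT
    return Result.PERMIT if roles else Result.DENY


def demo() -> dict[str, bool]:
    lenient = SecurityFramework(GLOBAL_ROLES, [ADMIN_PROVIDER, url_provider])
    strict = SecurityFramework(GLOBAL_ROLES, [ADMIN_PROVIDER, url_provider],
                               require_unanimous_permit=True)
    admin = Subject("alice", frozenset({"Administrators"}))
    monitor = Subject("bob", frozenset({"Monitors"}))
    return {
        "admin_writes_config": lenient.is_access_allowed(admin, "type=<adm>, action=write"),
        "monitor_writes_config": lenient.is_access_allowed(monitor, "type=<adm>, action=write"),
        "monitor_reads_config": lenient.is_access_allowed(monitor, "type=<adm>, action=read"),
        "anonymous_reads_config": lenient.is_access_allowed(ANONYMOUS, "type=<adm>, action=read"),
        "anonymous_public_url": lenient.is_access_allowed(ANONYMOUS, "type=<url>, path=/public/index.html"),
        "anonymous_app_url": lenient.is_access_allowed(ANONYMOUS, "type=<url>, path=/app/orders"),
        # unanimous mode: the abstaining URL provider blocks even the admin
        "admin_writes_config_unanimous": strict.is_access_allowed(admin, "type=<adm>, action=write"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32} {'PERMIT' if allowed else 'DENY'}")
```

The last case is the one to watch when several Authorization providers with different scopes are configured: a fail-closed adjudicator turns every ABSTAIN into a denial, so either each provider must cover every resource type or the adjudicator must be allowed to ignore abstentions. The audit list shows, per decision, which provider voted what, which is the record an investigator needs when a denial is disputed.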