{"product_id":4023,"v_id":4023,"product_name":"IBM WebSphere Application Server Version 5.0.2.8","certification_status":"Not Certified","certification_date":"2004-12-02T00:12:00Z","tech_type":"Web Server","vendor_id":{"name":"IBM Corporation","website":"https://www.ibm.com"},"vendor_poc":"Margaret M. Grambo, Project Manager","vendor_phone":"512.838.4133","vendor_email":"grambom@us.ibm.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>The WebSphere Application Server TOE is a Java 2 Enterprise Edition (J2EE) 1.3 compliant run-time environment. The primary purpose of the product is to provide an environment for running and managing the components of user-supplied enterprise applications. J2EE is a comprehensive set of specifications for designing, developing and deploying multi-tier, server-based applications. The J2EE specifications are the result of an industry-wide effort that involves a large number of contributors. <br />\r\n<br />\r\nThe WebSphere Application Server TOE supports the following security functions: Identification, Access Control, Security Management. <br />\r\n<br />\r\nThe TOE identifies a client before performing any other TSF mediated action for the client. The client passes its user ID to the TOE. The TOE issues a request to the operating system to validate the user ID and password. If the TOE receives a response that the user ID and password are valid, the TOE issues a request to the operating system for the groups to which the client is a member. If the client does not supply a user ID and password or if the operating system determines that the user ID and password are not valid, the TOE does not process the request. <br />\r\n<br />\r\nThe TOE permits a client to access a protected resource only if a user or group ID of the user is mapped to a role that has permission to access the resource. 
The resources protected by the TOE are: </p>\r\n<ul>\r\n    <li>methods in enterprise beans </li>\r\n    <li>methods and HTML pages in web server applications </li>\r\n    <li>Administration Service </li>\r\n    <li>Naming Service </li>\r\n</ul>\r\nThe authorized role can use the TOE to configure the following security attributes that are used by the TOE:\r\n<ul>\r\n    <li>Mappings of user and group IDs to administration roles; </li>\r\n    <li>Mappings of user and group IDs to naming roles; and </li>\r\n    <li>Mappings of user and group IDs to the roles used by each web server application and enterprise bean. </li>\r\n</ul>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the WebSphere Application Server TOE meets the security requirements contained in the Security Target. The criteria against which the WebSphere Application Server TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1 and National and International Interpretations effective on August, 2003. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Application International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the WebSphere Application Server TOE is EAL 2 augmented with ALC_FLR.1. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. Several validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in November 2004. 
Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for WebSphere Application Server prepared by CCEVS. </p>\r\n<p>The WebSphere Application Server EAL2 Security Target claims that the TOE can be supported on multiple operating system platforms, which are considered to be outside the scope of the TOE. </p>","environmental_strengths":"<p>The WebSphere Application Server TOE is a commercial product that provides identification, access control and the management of access control to protected resources. The WebSphere Application Server TOE provides a level of protection that is appropriate for IT environments where the WebSphere Application Server TOE and the platform upon which it is installed can be appropriately protected from physical attacks. </p>","features":[]}