The Target of Evaluation is the Actional Security Gateway (ASG) version 3.1.2.5, the product formally known as: “Westbridge XML Message Server (XMS) version 3.1.2.5”. The ASG is infrastructure software that provides security and management for XML Web Services and Service-Oriented Architecture (SOA) networks. The ASG processes XML-based messages, secures each message, provides interoperability with existing and future standards and leverages existing infrastructure to provide security and management support for XML networks.
\r\nThe architecture includes an ASG Manager which is the administrative console for managing policies and viewing reports. Actional Security Gateways are the policy enforcement points which intercept and process the messages. Using the centralized ASG Manager User Interface (UI), an authorized administrator is able to monitor, secure and manage the environment of Actional Security Gateway(s). Additionally, an authorized administrator can configure the TOE through the ASG Manager UI console via a web browser using Secure Sockets Layer (SSL).
\r\nThe ASG Manager can control one or many Actional Security Gateway(s). Multiple ASG Managers may exist in an organization; they control their own policy and rule-sets. Each ASG Manager has its own configuration which may be transmitted or pushed to any number of Actional Security Gateways. The ASG ServiceGate is a deployment option for the Actional Security Gateway where the Actional Security Gateway is installed at the Web Service endpoint.
\r\nFor this evaluation, it was appropriate for the Security Target to claim compliance with the following cryptographic algorithms: Data Encryption Standard (DES), Triple DES; Advanced Encryption Standard (AES); RSA; Digital Signature Algorithm (DSA); Secure Hash Algorithm (SHA-1); and Keyed-Hash Message Authentication Code (HMAC SHA‑1). There are many ways of determining compliance with a standard. Actional Security Gateway has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Actional Security Gateway TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1 and International Interpretations effective on 08, December 2003. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0 and Common Methodology for Information Technology Security Evaluation, Supplement: ALC_FLR - Flaw Remediation, Version 1.1. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 family of assurance requirements augmented with ADV_SPM.1, ALC_FLR.2, and AVA_MSU.1. The product, when configured as specified in the configuration guide and release notes, satisfies all of the security functional requirements stated in the Actional Security Gateway Security Target. Two validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in December 2004. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for Actional Security Gateway Version 3.1.2.5, prepared by CCEVS.
","environmental_strengths":"Actional Security Gateway is a communications infrastructure that provides enterprises with centralized security, monitoring, brokering, reliability, and management for XML Web Services networks.
","features":[]}