NIAP: Compliant Product
Compliant Product - Imprivata OneSign Version 7.9

Certificate Date:  2023.10.09

Validation Report Number:  CCEVS-VR-VID11178-2023

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management - Policy Management Version 2.1

CC Testing Lab:  atsec information security corporation




Product Description

The Target of Evaluation (TOE) is Imprivata OneSign Version 7.9 Hot Fix 9 (HF9) (build 7.9.009.58). OneSign is a policy management product developed by Imprivata, Inc. for managing endpoints in an enterprise. It manages access to endpoint features through the use of policies and provides single sign-on (SSO) capabilities for endpoints. The product consists of two main components:

1.     Imprivata Appliance—A virtual appliance (a.k.a. appliance) containing software called OneSign that performs policy management (i.e., the TOE)

2.     Imprivata Agent—Agent software (a.k.a. agent) for enforcing policies on endpoints

The TOE is the Imprivata Appliance. The Imprivata Agents and endpoints reside in the operational environment.

The TOE is a single virtual appliance instance running in a VMware ESXi virtual machine. The TOE contains the SUSE Linux Enterprise Server (SLES) OS as its base OS, an Apache HTTP Server, Apache SSHD using Apache Multipurpose Infrastructure for Network Applications (MINA), Java, OpenJDK, and syslog-ng.

In ESM Protection Profile terms, the TOE is a Policy Manager. The Access Control products are the agents located on each endpoint. The TOE is used to create, manage, and provide policies to the enrolled endpoints. The agents enforce the policies on the endpoints.


Evaluated Configuration

The evaluated configuration consists of Imprivata OneSign Version 7.9 Hot Fix 9 (HF9) (build 7.9.009.58) running as a virtual appliance in a VMware ESXi virtual machine. The following configuration specifics apply to the evaluated configuration of the TOE:

·       The TOE is a single virtual appliance instance

·       Offline Authentication mode is disabled in the Computer Policies and User Policies

·       Only the internal password authentication mechanism is supported (i.e., external authentication servers were not tested)

·       Only users in the Imprivata domain are supported

·       Temporary codes for Windows Access are disallowed

·       Apache HTTP Server TLS 1.3 support is disabled

·       Network Time Protocol (NTP) is disabled

·       File servers for backup functionality are disallowed

·       Computer Policy Settings as specified in the Security Target

·       User Policy settings as specified in the Security Target

 


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the Imprivata OneSign Version 7.9 was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R5. The evaluation methodology used by the evaluation team to conduct the evaluation was the Common Methodology for Information Technology Security Evaluation, Version 3.1, R5 supplemented by that found in the Protection Profile cited above. The product, when delivered and configured as identified in the Imprivata OneSign Version 7.9 Common Criteria Administration Guide, meets the requirements of the Standard Protection Profile for Enterprise Security Management Policy Management, Version 2.1.


The Imprivata OneSign Version 7.9 Common Criteria Administration Guide document satisfies all of the security functional requirements stated in the Imprivata OneSign Version 7.9 Security Target, version 1.3. The evaluation was subject to CCEVS Validator review. The evaluation was completed in October 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report number CCEVS-VR-VID11178-2023, prepared by CCEVS.


Environmental Strengths

The TOE provides the security functions described below.

Enterprise Security Management

The TOE supports policy definition and transmission. It allows administrators to define security policies and distribute the policies over a secure connection to the managed endpoints.

The TOE supports the following policies:

·       Computer Policy – Capabilities and restrictions placed on the endpoint

·       User Policy – Capabilities and restrictions placed on the user

The agent combines and enforces the two policies when a user authenticates to an endpoint.

Computer Policy

In general, Computer Policies apply to every user attempting to use the endpoint. These policies define the set of features accessible to any user on that endpoint.

The TOE supports the creation (including modification and deletion) of multiple Computer Policies and the application of different Computer Policies to different endpoints.

User Policy

User Policies apply to a specific user attempting to use any endpoint. These policies define the set of endpoint features the user is allowed to use on any endpoint.

The TOE supports the creation (including modification and deletion) of multiple User Policies and the application of different User Policies to different users.

Auditing

The TOE generates audit records for the PP-required events.

The TOE supports two separate mechanisms for storing its audit records externally. Some audit records can be transmitted as individual audit records to an external audit server (a.k.a. syslog server) over a protected communications channel. The remaining audit records can be transmitted in log files to external audit log storage over a protected communications channel.

Cryptographic Support

The TOE employs the HTTPS protocol, SSH (a.k.a. SSHv2) protocol, and TLS protocol to protect communication channels.

The HTTPS protocol is implemented by the Apache HTTP Server which uses Apache's Network Security Services (NSS) for both the TLS protocol and cryptographic algorithms.

The SSH protocol is implemented using Apache SSHD which uses the Java Secure Socket Extension (JSSE) application programming interface (API) to perform its cryptographic operations in the SSH protocol.

The syslog-ng client uses OpenSSL which implements both the TLS protocol and cryptographic algorithms.

Identification and Authentication

Admin Console

For the Admin Console, the TOE contains an internal authentication server used to authenticate users. The authentication server uses an internal database to store user data and credentials. The TOE requires the Admin Console users to be identified and authenticated prior to accessing any management functions.

The Admin Console supports multiple administrator roles.

Appliance Console

For the Appliance Console, the TOE uses a separate password file to store and authenticate users. The TOE also enforces authentication failure handling on the Appliance Console.

The Appliance Console supports two administrator accounts: Super Administrator and Administrator. These accounts are used to perform low-level configuration and maintenance.

Security Management

The TOE supports multiple security management functions including user account management and policy management functions.

Protection of the TSF

The TOE obscures authentication data before storing them in non-volatile memory. No interface is provided by the TOE to view the passwords in plaintext. Similarly, the TOE provides no interface to view pre-shared keys, symmetric keys, and private keys.

The TOE also provides its own reliable time stamp capabilities.

TOE Access

The TOE terminates the remote sessions of the Admin Console and Appliance Console after an administrator-configurable time interval of inactivity. It also allows administrators to terminate their own sessions on the Admin Console and Appliance Console (i.e., logout).

The Admin Console and Appliance Console display configurable advisory messages prior to authentication. Depending on the console, administrators can deny session establishment based on day, time, duration, or username.

Trusted Path/Channels

The TOE acts as an HTTPS server supporting TLS 1.2 when communicating with the agents. Administrators externally manage the TOE using a web browser (i.e., Admin Console and Appliance Console) over HTTPS with TLS 1.2.

The TOE uses the secure copy protocol (SCP) (i.e., SSHv2) to protect the communication channel when transferring audit data from the TOE to external audit log storage.

The TOE uses TLS 1.2 to protect the communication channel when transferring audit data from the TOE to the external audit server (syslog).


Vendor Information


Imprivata, Inc
Troy Kuehl
508.277.5923
tkuehl@imprivata.com

www.imprivata.com