CA Layer 7 Security Target
Contents
1. 48 6 1 Access Control Policy Definition 48 6 2 Access Control Policy 50 6 3 Policy 51 6 4 System 52 6 5 Robust Administrative 5 53 6 6 Continuity of 54 6 7 TLSaAnd SSH D tails icies eaka 54 7 Serera a aE EDENE I TAEA EE E 56 7 1 Conformance Claim Rationale 56 7 2 Security Objectives Rationale cccccceecceceeeeeeeeeceeeeeseeeeeeaeeeeaeeseeeeeseaeeeeaeeeeneeseenees 59 7 3 Security Requirements 59 7 4 TOE Summary Specification 59 Annex A Assurance ACTIVITIES 62 Annex A 1 ESM Policy Manager PP Assurance 62 Annex A 2 ESM Access Control PP Assurance Activities 70 List of Tables Table 1 Evaluation identifiers2. detailed to satisfy the Data Protection requirements for one or more technology types in the Standard Protection Profile for Enterprise Security Management Access Control Page 26 of 74 CA Layer 7 Security Target Identifier Description O ROBUST The TOE will provide mechanisms to reduce the ability for an attacker to impersonate a legitimate user during authentication O SELFID The TOE will be able to confirm its identity to the ESM deployment upon sending data to other processes within the ESM deployment 58 Table 13 identifies the security objectives for the TOE drawn from the ESM Policy Manager PP Table 13 Security objectives ESM Access Control PP Identifier Description O MONITOR The TOE will monitor the behavior of itself for anomalous activity e g provide measures for generating security relevant events that will detect access attempts to TOE protected resources by users O DATAPROT The TOE will protect data from unauthorized modification by enforcing an access control policy produced by a Policy Management product O INTEGRITY The TOE will contain the ability to verify the integrity of transferred data from Operational Environment components using secure hash algorithms in hashing and keyed message authentication modes O RESILIENT If the TOE mediates actions performed by a user against resources on an operating system the system administrator or user shall not be
3. hs 2 Minimum password length shall settable by an administrator and support passwords of 16 characters or greater and 3 Password composition rules specifying the types and numbers of required characters that comprise the password shall be settable by an administrator and 4 Passwords shall have a maximum lifetime configurable by an administrator and 5 New passwords must contain a minimum of an administrator specified number of character changes from the previous password and Page 37 of 74 CA Layer 7 Dependencies FIA_UAU 2 Hierarchical to FIA_UAU 2 1 Dependencies FIA_UID 2 Hierarchical to FIA_UID 2 1 Dependencies FIA_USB 1 Hierarchical to FIA_USB 1 1 FIA_USB 1 2 FIA_USB 1 3 Dependencies Application note Security Target 6 Passwords must not be reused within the last administrator settable number of passwords used by that user b For non password based authentication the following rules apply 1 The probability that a secret can be obtained by an attacker during the lifetime of the secret is less than 2 20 No dependencies User authentication before any action FIA_UAU 1 Timing of authentication The TSF shall require each user to be successfully authenticated before allowing any other TSF mediated actions on behalf of that user FIA_UID 1 Timing of identification User identification before any action FIA_UID 1 Timing of identification The TSF shal
4. ATE_IND 29 FMT_SMR 1 The evaluator shall review the ST and operational guidance to determine the roles that are defined for the TOE The evaluator shall use the TOE to associate different users with different roles This may be tested concurrently with other requirements if being assigned to a role impacts how the user interacts with the TSF For example the TSF s internal access control mechanisms may grant different levels of authority to users who have different roles only the super user can create new users an auditor can only view policies and not change them etc and so the effects of changing the user s role attribute would already have been tested by FMT_MSA 1 1 AGD_OPE ATE_IND 30 FPT_STM 1 The evaluation team must determine through the evaluation of operational guidance how the TOE initializes and initiates the clock The evaluation team must then follow those instructions to set the clock to a Known value and observe that the clock monotomically increments in a reliable fashion comparison to a reference timepiece is sufficient Through its exercise of other TOE functions the evaluation team must confirm that the value of the timestamp is used appropriately AGD_OPE ATE_IND 31 FTA_TAB 1 The evaluator shall review the operational guidance to determine how the TOE banner is displayed and configured If the banner is not displayed by default the evaluator shall configure the TOE in accordan
5. No other components The TSF shall be able to select the set of events to be audited from the set of all auditable events based on the following attributes a event type and b no additional attributes FAU_GEN 1 Audit data generation FMT_MTD 1 Management of TSF data The selective audit capability is exercised by the Policy Manager not by a user directly accessing the Gateway Page 34 of 74 CA Layer 7 FAU_SEL 1 Hierarchical to FAU_SEL_EXT 1 1 Dependencies Application Note FAU_STG 1 Hierarchical to FAU_STG 1 1 FAU_STG 1 2 Dependencies FAU_STG_EXT 1 Hierarchical to FAU_STG_EXT 1 1 FAU_STG_EXT 1 2 FAU_STG_EXT 1 3 Dependencies 5 3 3 FCO_NRR 2 Security Target External selective audit No other components The TSF shall be able to select the set of events to be audited by an ESM Access Control product from the set of all auditable events based on the following attributes a event type and no additional attributes FAU_GEN 1 Audit data generation FMT_MTD 1 Management of TSF data The external selective audit capability is exercised by the Policy Manager not by a user directly accessing the Gateway Protected Audit Trail Storage Local Storage No other components The TSF shall protect 200 mb locally stored audit records in the audit trail from unauthorized deletion The TSF shall be able to prevent unauthorized modifications to the stored audit
6. OE Table2 aaae aE Page 3 of 74 CA Layer 7 Security Target Table 3 Scope of evaluated policy assertions 17 Table 4 Threats ESM Policy Manager 22 Table 5 Threats ESM Access Control 22 Table 6 OSPs ESM Policy Manager 2 23 Table 7 OSPs ESM Access Control 23 Table 8 Assumptions ESM Policy Manager PP 23 Table 9 Assumptions ESM Access Control 24 Table 10 Operational environment objectives ESM Policy Manager 25 Table 11 Operational environment objectives ESM Access Control 25 Table 12 Security objectives ESM Policy Manager 26 Table 13 Security objectives ESM Access Control 27 Table 14 Extended 28 155 50 bande cg anges yaay ca E aE heartened 29 Table 16 Auditable encra n a E E E A E AA
7. ESM Policy Manager PP FAU_STG_EXT 1 External Audit Trail Storage ESM Policy Manager PP ESM Access Control PP FCO_NRR 2 Enforced Proof of Receipt ESM Access Control PP FDP_ACC 1 Access Control Policy ESM Access Control PP FDP_ACF 1 Access Control Functions ESM Access Control PP FIA_AFL 1 Authentication Failure Handling ESM Policy Manager PP FIA_SOS 1 Verification of Secrets ESM Policy Manager PP FIA_UAU 2 User Authentication Before Any Action ESM Policy Manager PP FIA_UID 2 User Identification Before Any Action ESM Policy Manager PP FIA_USB 1 User Subject Binding ESM Policy Manager PP FMT_MOF 1 1 Management of Functions Behavior ESM Access Control PP FMT_MOF 1 2 Management of Functions Behavior ESM Access Control PP FMT_MOF_EXT 1 External Management of Functions Behavior ESM Policy Manager PP FMT_MSA 1 1 Management of Security Attributes internal attributes ESM Policy Manager PP Page 29 of 74 CA Layer 7 Security Target Requirement Title Source FMT_MSA 1 2 Management of Security Attributes external attributes ESM Policy Manager PP ESM Access Control PP FMT_MSA 3 Static Attribute Initialization ESM Policy Manager PP ESM Access Control PP FMT_MSA_EXT 5 Consistent Security Attributes ESM Policy Manager PP FMT_SMF 1 Specification of Management Functions ESM Policy Manager PP ESM Access Control
8. The evaluator shall test this capability by running a packet sniffer application such as Wireshark on the local network with the TOE sending a valid policy to it and observing the packets that comprise this policy The evaluator can then take these packets and re transmit them to the TOE Once this has been done the evaluator shall execute an appropriate subset of User Data Protection testing with the expectation that the policy enforced will be the first policy transmitted If the expected results are met the TOE is sufficiently resilient to rudimentary policy forgery ATE_IND 24 FRU_FLTS 1 The evaluator shall test this capability by severing the network connection between the TOE and the Policy Management product defining an updated policy and re establishing the connection will determine if the TOE appropriately receives the new policy data within the time interval specified in FCO_NRR 2 3 The evaluator shall devise a scenario such that the old policy allows a specific action and that the new policy denies that same action The evaluator shall then perform that action observe that it is allowed sever connection with the Policy Management product define the new policy during that outage re establish the connection wait for the interval defined by FCO_NRR 2 3 perform the same action again and observe that it is no longer allowed ATE_IND Page 74 of 74
9. allowed to perform an operation in the Operational Environment that would disable or otherwise modify the behavior of the TOE O MAINTAIN The TOE will be capable of maintaining policy enforcement if disconnected from the Policy Management product O OFLOWS The TOE will be able to recognize and discard invalid or malicious input provided by users O SELFID The TOE will be able to confirm its identity to the Policy Management product while sending receipt of a new policy arrival O MNGRID The TOE will be able to identify and authorize a Policy Management product prior to accepting policy data from it Page 27 of 74 CA Layer 7 Security Target 5 Security Requirements 5 1 Conventions 59 This document uses the following font conventions to identify the operations defined by the CC a Assignment Indicated with italicized text b Refinement Indicated with bold text and strikethroughs Selection Indicated with underlined text d Assignment within a Selection Indicated with italicized and underlined text Iteration Indicated by appending the iteration number in parenthesis e g 1 2 3 5 2 Extended Components Definition 60 Table 14 identifies the extended components which are incorporated into this ST All extended components are reproduced directly from the Protection Profiles to which this ST claims conformance and therefore no further definition is provided in this document Table
10. re establish communications between the TOE and the Policy Management product change the SFP behavior that the TOE should implement in the event of a communications outage sever the connection between the TOE and the Policy Management product perform the same action that was originally performed and observe that the modified way of handling the action is correctly applied Once this has been done the evaluator shall reconfigure the TOE and Policy Management product such that the Policy Management product is no longer authorized to configure the TOE The evaluator shall then attempt to use the Policy Management product to configure the TOE and observe that it is either disallowed or that the option is not even present ATE_IND 12 FMT_MOF 1 2 The evaluator shall test this capability by deploying the TOE in an environment where there is a Policy Management product that is able to communicate with it The evaluator must configure this environment such that the Policy Management product is authorized to issue commands to the TOE Once this has been done the evaluator must use the Policy Management product to ATE_IND Page 72 of 74 CA Layer 7 Security Target Source Requirement Assurance Family query the policy being implemented by the TOE Once this has been done the evaluator shall reconfigure the TOE and Policy Management product such that the Policy Management product is no longer au
11. 2 The evaluator shall test this capability by performing for each defined attribute and operation an operation on the TSF that manipulates the attribute They should also verify that the mechanism of session establishment is defined so that it s understood how permissions to operate the TSF come to be assigned to users who provide a collection of external identification and authentication information to it ATE_IND 23 FMT_MSA 3 The evaluator shall review the operational guidance in order to determine that it defines what the default values are for managed attributes AGD_OPE 24 FMT_MSA 3 The evaluator shall test this capability by performing activities against the TSF that involve the instantiation of new security attributes and verifying that the default values are consistent with the description in the guidance and that they can collectively be described in the manner defined by the ST ATE_IND 25 FMT_MSA_ EXT 5 The evaluator shall review the operational guidance in order to determine that it explains what potential contradictions in policy data may exist For example a policy could potentially contain two rules that permit and forbid the same subject from accessing the same object Alternatively the TOE may define an unambiguous hierarchy that makes it impossible for contradictions to occur AGD_OPE 26 FMT_MSA_ EXT 5 The evaluator shall test this capability by defining policies
12. ESM Policy Manager PP Identifier Description T ADMIN_ERROR An administrator may unintentionally install or configure the TOE incorrectly resulting in ineffective security mechanisms T CONDTRADICT A careless administrator may create a policy that contains contradictory rules for access control enforcement T EAVES A malicious user could eavesdrop on network traffic to gain unauthorized access to TOE data T FORGE A malicious user may exploit a weak or nonexistent ability for the TOE to provide proof of its own identity in order to send forged policies to an Access Control product T UNAUTH A malicious user could bypass the TOE s identification authentication or authorization mechanisms in order to illicitly utilize the TOE s management functions T WEAKPOL A Policy Administrator may be incapable of using the TOE to define policies in sufficient detail to facilitate robust access control causing an Access Control product to behave in a manner that allows illegitimate activity or prohibits legitimate activity T WEAKIA A malicious user could be illicitly authenticated by the TSF through brute force guessing of authentication credentials 47 Table 5 identifies the threats drawn from the ESM Access Control PP Table 5 Threats ESM Access Control PP Identifier Description T DISABLE A malicious user or careless user may suspend or terminate the TOE s operation thus making it unable to enforce its access controls upon the environmen
13. For example the policy may define a rule that allows one user to visit a certain URL and another that forbids a different user from visiting the same URL Once this policy is implemented the evaluator will access a system as each of these users and observe that the ability to visit the specified URL is appropriately allowed or denied Additionally for each conditional attribute such as a time of day restriction that is supported the evaluator will devise a positive and negative test that proves that the conditional attribute affects whether or not the requested operation is allowed This activity is then repeated for each other ATE_IND Page 71 of 74 CA Layer 7 Security Target Source Requirement Assurance Family subject object operation attribute tuple 11 FMT_MOF 1 1 The evaluator shall test this capability by deploying the TOE in an environment where there is a Policy Management product that is able to communicate with it The evaluator must configure this environment such that the Policy Management product is authorized to issue commands to the TOE Once this has been done the evaluator must use the Policy Management product to modify the behavior of the functions specified in the requirement above For each function the evaluator must verify that the modification applied appropriately by using the Policy Management product to query the behavior for and after the modification The evaluator m
14. Gateway immediately after creation A trusted channel TLS is established between the Policy Manager and the Gateway to protect the transmission of policy data TLS provides replay detection and will reject the replayed packets and generate an audit event when detection occurs TLS also provides certificate based mutual authentication between the Policy Manager and the Gateway Page 51 of 74 CA Layer 7 81 82 83 84 6 4 Security Target Access to the Policy Manager and the Gateway requires user identification and authentication username amp password as described in section 6 5 The Policy Manager is a thick client Java application executed on a general purpose operating system Remote access to the Policy Manager application is not supported The Gateway Configuration Utility may be accessed locally or remotely Remote access is secured using SSH refer to section 6 7 for detail The TOE relies on FIPS validated third party cryptographic modules for both TLS and SSH as identified in section 2 3 2 Refer to section 6 7 for TLS and SSH details The Gateway generates an audit record when a policy is received from the Policy Manager providing proof of receipt Refer to Gateway Confirmation of Policy Versions section of the Security Installation Guide for the contents and formatting of the receipt audit record The Policy Manager is used to view generated audit records As documented above the Policy Manager and Gateway ar
15. Resource Against SiteMinder Assertion X Exchange Credentials using WS Trust Assertion X Extract Attributes from Certificate Assertion X Extract Attributes for Authenticated User Assertion X Page 17 of 74 CA Layer 7 Security Target Assertion S g 2 8518 Perform JDBC Query Assertion X Query LDAP Assertion X Require Encrypted Username Token Profile Credentials Assertion X Require FTP Credentials Assertion X Require HTTP Cookie Assertion X Require Remote Domain Identity Assertion X Require NTLM Authentication Credentials Assertion X Require SSH Credentials Assertion X Require Windows Integrated Authentication Credentials Assertion X Require WS Secure Conversation Assertion X Require WS Security Kerberos Token Profile Credentials Assertion X Require WS Security Password Digest Credentials Assertion X Require WS Security Signature Credentials Assertion X Require WS Security UsernameToken Profile Credentials Assertion X Require XPath Credentials Assertion X Retrieve Credentials from Context Variable Assertion X Retrieve Kerberos Authentication Credentials Assertion X Retrieve SAML Browser Artifact Assertion X Use WS Federation Credential Assertion X Transport Layer Security Assertions Require SSL or TLS Transport same as Access Control assertion x Require SSL or TLS Transport Assertion with Client Authentication XML Security Assertions X Message Val
16. for web services To achieve this the SecureSpan SOA Gateway utilizes a policy assertion language All available policy assertions are defined in the Policy Authoring User Manual Not all policies are related to access control or security order to clarify the relationship between policy assertions and the scope of evaluation the following table classifies each policy assertion as one of the following a Enforcing Assertions that enforce the TOE security policy and are the focus of this evaluation b Unevaluated Functional Assertions that facilitate product functionality and may be present in the evaluated configuration but that do not interfere with the security functions of the TOE Such assertions have not been evaluated Unevaluated Security Assertions that are security related but have not been evaluated Table 3 Scope of evaluated policy assertions 93 i os 165 Assertion a ofc 3 SR Access Control Assertions Authenticate User or Group Assertion X Authenticate Against Identity Provider Assertion X Require HTTP Basic Credentials Assertion X Require SAML Token Profile Assertion X Require SSL or TLS Transport Assertion with Client Authentication same as Transport Layer Security assertion Require SSL or TLS X Transport Assertion Authenticate Against SiteMinder Assertion X Authorize via SiteMinder Assertion X Check Protected
17. includes logging to the internal database and or an external Syslog server The internal database is part of the TOE Hardware Security Module HSM Optional hardware module for cryptographic operations See section 2 3 2 below HSMs are not part of the TOE but may be used in the evaluated configuration Database Layer The MySQL database may reside a Processing Node Database node The database is part of the TOE d System Layer In the evaluated configuration the Gateway component of the TOE may be deployed on a hardware or virtual appliance however the hardware and virtualization layers are not part of the TOE Page 11 of 74 CA Layer 7 2 3 2 20 21 2 3 3 22 23 2 4 24 2 4 1 25 Security Target Keystore amp Cryptographic Operations The TOE requires a keystore which may be implemented in a number of ways The TOE does not provide its own internal cryptographic functionality but relies on third party software libraries or hardware modules to perform cryptographic operations for the TOE Software cryptographic libraries are shipped with the TOE All of the options below are included in the evaluated configuration the cryptographic functions are provided by FIPS 140 validated modules i Software internal DB This is a software keystore that is built into every Gateway database Cryptographic operations provided by RSA BSAFE Crypto J Toolkit CMVP Certificate No 1786 ii PCI HSM O
18. load balancer Each layer in Figure 2 below is described in the following sections Figure 2 uses the abbreviation SSG to refer to the SecureSpan SOA Gateway Figure 2 is not intended to illustrate TOE scope refer to sections 2 5 and 2 6 The Policy Manager is not shown LALA Swatch Routing Sprayer Processing aver HSM Database RHEL SLES System Solaris Figure 2 Gateway architecture Page 9 of 74 CA Layer 7 2 2 1 2 2 3 Security Target Routing Layer External to the TOE the Routing Layer represents an industry standard load balancer configured to provide TCP level load balancing and failover It is not required for a standalone Gateway Processing Layer The Processing Layer represents the Gateway s core runtime component When a request message is received the Gateway executes a service resolution process that attempts to identify the targeted destination service When a published service is resolved the Gateway executes the Policy Manager configured policy for the service If the policy assertions succeed then the request is routed if one or more policy assertions fail then the request is either denied with a SOAP fault or the connection is dropped In a Gateway cluster systems that are installed with this runtime component are referred to as Processing Nodes The Processing Layer may also involve the following components a Identity providers The Gate
19. operates with the following components in the environment Federated Identity components When using a Federated Identity Provider the following components must be present in the environment i Certificate Authority CA capable of signing X 509 certificates for use by service clients b Audit server The TOE can utilize Syslog servers to store audit records Time server The can utilize Network Time Protocol NTP server to synchronize its system clock with a central time source d PKI server The TOE can make use of Public Key Infrastructure related servers for X 509 certificate import verification and revocation checking Page 15 of 74 CA Layer 7 2 6 2 6 1 42 43 2 6 2 44 Security Target Email server The TOE can periodically poll a POP or IMAP email server for SOAP messages to process Hardware Security Module The TOE can utilize third party HSMs for the keystore see section 2 3 2 for supported HSMs SecureSpan XML VPN Client A Layer 7 software product optionally deployed on the client side to enable secure and optimized communication between the Gateway and service clients Note This client has not been evaluated Service clients entities that access web services via the Gateway Service clients do not log into the TOE Service endpoints entities that provide SOAP web services via the Gateway Logical Scope Evaluated Features The l
20. records in the audit trail FAU_GEN 1 Audit data generation External audit trail storage No other components The TSF shall be able to transmit the generated audit data to a Syslog server and or TOE internal storage The TSF shall ensure that transmission of generated audit data to any external IT entity uses a trusted channel defined in FTP_ITC 1 The TSF shall ensure that any TOE internal storage of generated audit data a protects the stored audit records in the TOE internal audit trail from unauthorised deletion and b prevent unauthorised modifications to the stored audit records in the TOE internal audit trail FAU_GEN 1 Audit data generation FTP_ITC 1 Inter TSF Trusted Channel Class FCO Communication Enforced proof of receipt Page 35 of 74 CA Layer 7 Hierarchical to FCO_NRR 2 1 FCO_NRR 2 2 FCO_NRR 2 3 Dependencies Security Target FCO_NRR 1 Selective proof of receipt The TSF shall enforce the generation of evidence of receipt for received policies at all times The TSF shall be able to relate the software name version node time policy update message user source of the originator of the information and the stored internal data identifying allowable Policy Management products of the information to which the evidence applies The TSF shall provide a capability to verify the evidence of receipt of information to the Policy Management product given 30 seconds FIA_UID 1 Timing
21. restricting service access based on the IP address of the requesting service client Refer to Restrict Access to IP Address Range Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior Policy Logic Assertions The following subset of policy logic assertions are evaluated in support of the above assertions a All Assertions Must Evaluate to True The All assertions must evaluate to true assertion is a folder that organizes and defines the processing conditions for the assertions that it contains and for the overall policy When assertions are grouped into one of these folders each successive child assertion is processed until all assertions succeed yielding a success outcome for the folder Processing in this assertion folder will stop when the first child assertion fails yielding a fail outcome for the folder Refer to Assertions Must Evaluate to True Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior At Least One Assertion Must Evaluate to True The At least one assertion must evaluate to true assertion is a folder that organizes and defines the processing conditions for the assertions that it contains and for the overall policy When assertions are grouped into one of these folders in the policy window each successive child assertion is processed until a single assertion succeeds yielding a success outcome for the folder If all chil
22. shall be able to associate users with roles FIA_UID 1 Timing of Authentication 5 3 8 Class FPT Protection of the TSF FPT_FLS_EXT 1 Hierarchical to FPT_FLS_EXT 1 1 Dependencies FPT_RPL 1 Hierarchical to FPT_RPL 1 1 FPT_RPL 1 2 Dependencies FPT_STM 1 Hierarchical to FPT_STM 1 1 Dependencies Application note Failure of Communications No other components The TSF shall maintain policy enforcement in the following manner when the communication between the TSF and the Policy Management product encounters a failure state enforce the last policy received No dependencies Replay Detection No other components The TSF shall detect replay for the following entities TLS protected data The TSF shall perform reject the data when replay is detected No dependencies Reliable Time Stamps No other components The TSF shall be able to provide reliable time stamps for its own use No dependencies The TOE can use NTP to synchronize its internal clock with a time server 5 3 9 Class FRU Resource Utilization FRU_FLT 1 Degraded fault tolerance Page 44 of 74 CA Layer 7 Hierarchical to FRU_FLT 1 1 Dependencies 5 3 10 FTA_TAB 1 Hierarchical to FTA_TAB 1 1 Dependencies Application note FTA_SSL_EXT 1 Hierarchical to FTA_SSL_EXT 1 1 Dependencies Application note FTA_SSL 4 Hierarchical to FTA_SSL 4 1 Dependencies 5 3 11 1
23. that contain the contradictions indicated in the operational guidance and observing if the TSF responds by detecting the contradictions and reacting in the manner prescribed in the ST If the TSF behaves in a manner that prevents contradictions from occurring the evaluator shall review the operational guidance in order to determine if the mechanism for preventing contradictions is described and if this feature is communicated to administrators This feature should be tested in ATE_IND Page 67 of 74 CA Layer 7 Security Target Source Requirement Assurance Family conjunction with a compatible Access Control product in other words if the TOE has a mechanism that prevents contradictions for example if a deny rule always supersedes an allow rule then correct enforcement of such a policy by a compatible Access Control product is both a sufficient and a necessary condition for demonstrating the effectiveness of this mechanism 27 FMT_SMF 1 The evaluator shall check the operational guidance in order to determine that it defines all of the management functions that can be performed against the TSF how to perform them and what they accomplish AGD_OPE 28 FMT_SMF 1 The evaluator shall test this capability by accessing the TOE and verifying that all of the defined management functions exist that they can be performed in the prescribed manner and that they and accomplish the documented capability
24. the Policy Manager Gateway logging is performed during runtime and those logs can also be viewed through the Policy Manager The Manager also features a Dashboard that allows administrators to monitor activity through the Gateway in real time e Hardware Security Module HSM Optional hardware module for cryptographic operations See section 2 3 2 below Database Layer The Gateway stores policies processing audits Internal Identity Provider keystore configuration details and other information in a MySQL database In a typical configuration this database will reside on the same physical system as a Processing Node although in rare circumstances it may reside on a separate system In a Gateway cluster systems that are installed with the database component are referred to as Database Nodes There will typically be two replicated Database Nodes in a cluster Primary and Secondary The Processing Nodes are configured to Page 10 of 74 CA Layer 7 2 3 1 Security Target communicate with one of the Database Nodes normally the Primary and then fail over to the Secondary Database Node should the Primary become unavailable System Layer The System Layer represents the Operating System Red Hat Enterprise Linux Java Virtual Machine Sun JDK and hardware virtual platform Evaluated Configuration The following sections describe the high level configuration of the TOE Assurance gained from evaluation is only applicable
25. to the configurations and components that are identified within Detailed guidance for establishing the evaluated configuration is provided in the CA Layer 7 SecureSpan SOA Gateway v8 0 Secure Installation Guide Architecture The evaluated configuration of the TOE reflects the following architectural decisions a Routing Layer The presence of a load balancer is determined by whether the TOE is deployed in a standalone or cluster configuration Both standalone and cluster Gateway deployments are included in the evaluated configuration The load balancer is not part of the TOE b Processing Layer i Identity providers The evaluated configuration supports the Internal Identity Provider and Federated Identity Providers with an 509 credential source LDAP based identity providers Federated Identity Providers with SAML credential source and custom identity assertions are excluded from the evaluated configuration The Internal Identity Provider is part of the TOE Federated Identity Providers require an identity server to be present in the environment In the evaluated configuration TOE administrative users may only authenticate against the Internal Identity Provider ii Trust store The Gateway is configured to perform revocation checking for certificates using either CRL or OCSP The trust store is part of the TOE ili UDDI UDDI functionality is not within the scope of the TOE iv Logging and auditing The evaluated configuration
26. until the periodic period has passed and then confirm that the new policy is present in the Access Control component or c if the section is completed to transmit upon the request of a compatible Secure Configuration Management component the evaluator shall create the policy use the Secure Configuration Management component to request transmission and the confirm that the Access Control component has received and installed the policy If the ST author has specified other circumstances then a similar test shall be executed to confirm transmission under those circumstances The evaluator shall then make a change to the previously created policy and Page 62 of 74 CA Layer 7 Security Target Source Requirement Assurance Family then repeat the previous procedure to ensure that the updated policy is transmitted to the Access Control component in accordance with the SFR specified circumstances Lastly as updating a policy encompasses deletion of a policy the evaluator shall repeat the process a third time this time deleting the policy to ensure it is removed as an active policy from the Access Control component Note This testing will likely be performed in conjunction with the testing of ESM_ACD 1 FAU_GEN 1 The evaluator shall check the operational guidance and ensure that it lists all of AGD_OPE the auditable events and provides description of the content of each type of ADV FSP audit record Each audi
27. 1 The evaluator shall check the operational guidance to verify that a discussion on authentication failure handling is present and consistent with the representation in the Security Target AGD_OPE 11 FIA_AFL 1 The evaluator shall test this capability by using the authentication function of the TSF to deliberately enter incorrect credentials The evaluator should observe that the proper action occurs after a sufficient number of incorrect authentication attempts The evaluator should also use the TSF to reconfigure the threshold value in a manner consistent with operational guidance to verify that it can be changed ATE_IND 12 FIA_SOS 1 The evaluator shall examine the ST and operational guidance in order to identify whether password or non password based authentication is used a For password based authentication the evaluator shall identify that all password composition configuration and aging requirements specified in the ST are discussed in the TSS and AGD and test these capabilities one at a time for example set minimum password length to 6 observe that a 7 character password and a 16 character password are both accepted then change the minimum length to 8 observe that a 7 character password is rejected but that a 16 character password is accepted b For non password based authentication the evaluator shall perform a basic strength of function analysis to determine the solution space of the
28. 1 Hierarchical to FTP_ITC 1 1 1 Security Target No other components The TSF shall ensure the operation of enforcing the most recent policy when the following failures occur failure of communications with the Policy Management product after an outage FPT_FLS 1 Failure with preservation of secure state Class FTA TOE Access TOE access banner No other components Before establishing a user session the TSF shall display an advisory warning message regarding unauthorized use of the TOE No dependencies This is only relevant to the Policy Manager interface TSF initiated session locking No other components The TSF shall for local interactive sessions e terminate the session after an Authorized Administrator specified time period of inactivity No dependencies This requirement is only applicable to the Policy Manager User initiated termination No other components The TSF shall allow Administrator initiated termination of the Administrator s own interactive session No dependencies Class FTP Trusted Paths Channels Inter TSF trusted channel Prevention of Disclosure No other components The TSF shall use TLS in conjunction with the ciphersuites specified at section 6 7 to provide a trusted communication channel between Page 45 of 74 CA Layer 7 FTP_ITC 1 2 1 FTP_ITC 1 3 1 Dependencies 1 2 Hierarchical to FTP_ITC 1 1 2 FTP_ITC 1 2 2 FTP_ITC 1 3 2 Depen
29. 14 Extended Components Component Title Source ESM_ACD 1 Access Control Policy Definition ESM Policy Manager PP ESM_ACT 1 Access Control Policy Transmission ESM Policy Manager PP ESM_ATD 1 Object Attribute Definition ESM Policy Manager PP ESM_ATD 2 Subject Attribute Definition ESM Policy Manager PP FAU_SEL_EXT 1 External Selective Audit ESM Policy Manager PP FAU_STG_EXT 1 External Audit Trail Storage ESM Policy Manager PP ESM Access Control PP FMT_MOF_EXT 1 External Management of Functions Behavior ESM Policy Manager PP FMT_MSA_EXT 5 Consistent Security Attributes ESM Policy Manager PP FTA_SSL_EXT 1 TSF initiated session locking ESM Policy Manager PP FPT_FLS_EXT 1 Failure of Communications ESM Access Control PP Page 28 of 74 CA Layer 7 5 3 Functional Requirements Table 15 Summary of SFRs Security Target Requirement Title Source ESM_ACD 1 Access Control Policy Definition ESM Policy Manager PP ESM_ACT 1 Access Control Policy Transmission ESM Policy Manager PP ESM_ATD 1 Object attribute definition ESM Policy Manager PP ESM_ATD 2 Subject attribute definition ESM Policy Manager PP FAU_GEN 1 Audit Data Generation ESM Policy Manager PP ESM Access Control PP FAU_SEL 1 Selective Audit ESM Access Control PP FAU_STG 1 Protected Audit Trail Storage Local Storage ESM Access Control PP FAU_SEL_EXT 1 External Selective Audit
30. 2 2 akg ap ade 8 2 2 Architectures 2 vines ened 9 2 3 Evaluated 11 2 4 Security FUNCHONS vs iii wees deed ue edt 12 2 5 Physical SGope dace hho even ae eee at 14 2 6 Logical Scope isnin wait eet a en het i hee 16 3 Problem Definition ccccssccseseeeeeeeeeeeeseseeeeeeeeeeeeeeeseaeseseeeeneeeeseeesesnaeenseeeeeeeeeas 22 3 1 22 3 2 Organizational Security 23 3 3 ASSUIMPTIOMS icc sat RRA FARRA AEEA E EEE KAO sites 23 4 Security Objectives cisco ede ah T 25 4 1 Objectives for the Operational 25 4 2 Obj ctives for the biel 26 5 Security 28 5 1 eats 28 5 2 Extended Components 28 5 3 Functional Requirement sereis riisto iaaa T a EE RTEA 29 5 4 Assurance REQUIFEIMENTS ssori mess riana rE aA TEETER 47 6 Summary
31. 2 3 Identification Table 1 Evaluation identifiers Target of Evaluation CA Layer 7 SecureSpan SOA Gateway v8 0 Security Target CA Layer 7 SecureSpan SOA Gateway v8 0 Security Target v1 7 1 3 Conformance Claims 4 This ST supports the following conformance claims a CC version 3 1 Release 3 July 2009 b CC Part 2 extended CC Part conformant d Standard Protection Profile for Enterprise Security Management Policy Management v1 4 23 May 2012 ESM Policy Manager PP Standard Protection Profile for Enterprise Security Management Access Control v2 0 22 February 2012 ESM Access Control PP 1 4 Terminology Table 2 Terminology Term Definition CA Certificate Authority CC Common Criteria DMZ Demilitarized Zone EAL Evaluation Assurance Level ESM Enterprise Security Management Page 5 of 74 CA Layer 7 Security Target Term Definition FTP File Transfer Protocol HSM Hardware Security Module HTTP Hypertext Transfer Protocol ICAP Internet Content Adaptation Protocol Identity Provider A user database internal or external within the context of the TOE JDBC Java Database Connectivity JMS Java Message Service LDAP Lightweight Directory Access Protocol MQ Native Refers to MQ Native Queues that can be used by the Layer 7 Gateway to natively communicate with IBM WebSphere MQ message oriented middlew
32. 32 Table 17 Roles PermMiSSiOns aseran a T 40 Table 18 Management Functions within the TOE 43 Table 19 Assurance Requirements 47 Table 20 Duplicate SERS bee egattenenstt s oeesy canes ex ang nagar a AE Segui anu ee ens 56 Fable 212 Optional SERS 2 E 57 Table 22 Map of SFRs to TSS Security 59 List of Figures Figure 1 TOE deployment 8 Figure 2 Gateway architecture 9 Page 4 of 74 CA Layer 7 1 1 1 2 Security Target Introduction Overview The SecureSpan SOA Gateway is an enterprise security management solution that provides centralized management and access control over web services and related resources The Gateway is designed to protect web services and mediate communications between Service Oriented Architecture SOA clients and endpoints residing in different identity security or middleware domains This Security Target ST defines the SecureSpan SOA Gateway v8 0 Target of Evaluation TOE for the purposes of Common Criteria CC evaluation For a precise statement of the scope of incorporated security features refer to section
33. 6_CBC_SHA ii TLS_RSA_WITH_AES_128_CBC_SHA 6 7 2 SSH 104 The TOE makes use of SSH to secure remote administrator access to the Gateway 105 The SSH implementation has the following characteristics when configured in accordance with the Secure Installation Guide a The TOE implements SSHv2 b Password authentication is supported The TOE supports the following SSH encryption algorithms i AES CBC 256 Page 54 of 74 CA Layer 7 Security Target ii AES CBC 192 iii AES CBC 128 iv 3DES CBC d In FIPS mode the TOE supports the following SSH data integrity algorithms i HMAC SHA1 96 ii HMAC SHA1 The TOE is configured to negotiate the above algorithms in order of preference If a connecting client does not support the listed algorithms the connection will be refused Page 55 of 74 CA Layer 7 7 Security Target Rationale 7 1 Conformance Claim Rationale 106 The following rationale is presented with regard to the PP conformance claims a TOE type As identified in section 2 1 the TOE is an enterprise security management solution that provides centralized management and access control over web services The Policy Manager is consistent with the TOE type identified by the ESM Policy Manager PP and the Gateway is consistent with the TOE type identified in the ESM Access Control PP b Security problem definition As shown in section 3 the threats OSPs and assumptions are identical to those of the E
34. ASE_TSS AGD_OPE ATE_IND Page 64 of 74 CA Layer 7 Security Target Source Requirement Assurance Family authentication mechanism and the frequency with which password attempts can be made For example if the authentication is a 4 digit PIN that can be attempted once an hour this requirement would not pass If the strength of the authentication mechanism can t be determined by strength of function metrics at face value for example if a biometric authentication mechanism is being used the vendor should provide some evidence of the strength of function 13 FIA_UAU 2 The evaluator shall check the operational guidance in order to determine how the TOE determines whether a interactive user requesting access to it has been authenticated and how the TOE validates authentication credentials or identity assertions that it receives The evaluator shall test this capability by accessing the TOE without having provided valid authentication information and observe that access to the TSF is subsequently denied This SFR also applies to authorized IT entities exchanging information with the TOE such as authorized access control components To address this the evaluator shall review operational guidance and the TSS to determine the mechanism used to authorize communication with IT entities and shall configure that mechanism to permit at least one IT entity to communicate with the TOE The evaluator shall then attempt co
35. CA Layer 7 SecureSpan SOA Gateway v8 0 Security Target May 2014 os a PP LAYER 7 TECHNOLOGIES a CA Technologies company Document prepared by BUSINESS SOLUTIONS TECHNOLOGY OUTSOURCING CA Layer 7 Security Target Document History Version Date Author Description 1 0 29 January 2013 L Turner Initial release for evaluation 1 1 12 April 2013 L Turner Update to address EDRO01 1 2 11 December 2013 L Turner Update to address validator comments and re branding 1 3 13 December 2013 L Turner Update FAU_SEL and add build numbers 1 4 5 March 2014 L Turner Update to address validator sync session comments 1 5 14 April 2014 L Turner Update to address validator comments scope revised 1 6 15 May 2014 L Turner Update to address lab observations 1 7 28 May 2014 L Turner Release for publication Page 2 of 74 CA Layer 7 Security Target Table of Contents 1 as 5 1 1 OV 5 1 2 dentitiCations e 5 1 3 Conformance Claims ie dal eh aia 5 14 Terminology wats aida el adda ea et dn a 5 27 CPOE DOSCription prea a Ea a pae aa 8 2 1 Type and Usage
36. Capture Identity of Requestor Assertion X Customize Error Response Assertion X Customize SOAP Fault Response Assertion X Send Email Alert Assertion X Send SNMP Trap Assertion X Policy Logic Assertions Add Comment to Policy Assertion X All Assertions Must Evaluate to True Assertion X At Least One Assertion Must Evaluate to True Assertion X Compare Expression Assertion X Continue Processing Assertion X Create Routing Strategy Assertion X Execute Routing Strategy Assertion X Export Variables from Fragment Assertion X Generate UUID Assertion Include Policy Fragment Assertion X Join Variable Assertion X Look Up Context Variable X Page 20 of 74 CA Layer 7 Security Target Assertion S g 8518 Look Up Item by Value Assertion X Look Up Item by Index Position Assertion X Manipulate Multivalued Variable Assertion X Map Value Assertion X Process Routing Strategy Result Assertion X Run All Assertions Concurrently Assertion X Run Assertions for Each Item Assertion X Set Context Variable Assertion Split Variable Assertion X Stop Processing Assertion X Threat Protection Assertions X Internal Assertions X Custom Assertions X Page 21 of 74 CA Layer 7 Security Target 3 Security Problem Definition 3 1 Threats 46 Table 4 identifies the threats drawn from the ESM Policy Manager PP Table 4 Threats
37. E deployment scenario Page 8 of 74 CA Layer 7 2 2 Security Target Figure 1 shows the following non TOE components a Service client An external IT entity that accesses web services via the Gateway Service clients do not log into the TOE b SecureSpan XML VPN Client A Layer 7 software product optionally deployed on the client side to enable secure and optimized communication between the Gateway and service clients Firewalls Corporate firewalls providing traditional perimeter security d Service endpoints An internal IT entity that provides SOAP web services via the Gateway Corporate identity server An internal IT entity that provides identity services such as an LDAP directory Architecture Endpoints and clients that communicate via the Gateway are Hypertext Transfer Protocol HTTP Java Message Service JMS File Transfer Protocol FTP or raw Transmission Control Protocol TCP socket accessible applications Clients access the Gateway via a Universal Resource Locator URL queue or socket that is compatible with one of the above protocols The Gateway functions as a reverse proxy for service requests and should be the single web service traffic enforcement point in a network Figure 2 below illustrates the architectural layers and deployment options of the Gateway component of the Standalone Gateway dark blue Basic Cluster Gateway yellow Extended Gateway Cluster green excluding the
38. OE 54 Note OE PROTECT is included for PP conformance however it is addressed by the requirements of the ESM Access Control PP The Gateway performs the ESM Access Control functions 55 Table 11 identifies the objectives for the operational environment drawn from the ESM Access Control PP Table 11 Operational environment objectives ESM Access Control PP Identifier Description OE AUDIT The Operational Environment will provide a remote location for storage of audit data OE INSTAL Those responsible for the TOE must ensure that the TOE is delivered installed managed and operated in a manner that is consistent with IT security OE POLICY The Operational Environment will provide a policy that the TOE will enforce OE PROTECT The Operational Environment will protect the TOE from unauthorized modifications and access to its functions and data Page 25 of 74 CA Layer 7 Security Target Identifier Description OE USERID The Operational Environment must be able to identify the user and convey validation of this to the TOE OE TIME The Operational Environment must provide a reliable timestamp to the TOE 56 Note The environmental objective OE POLICY is included for PP conformance however it is addressed by the requirements of the ESM Policy Manager PP see security objective O POLICY The Policy Manager provides policy data 4 2 Objectives for the TOE 57 Table 12 ide
39. PP FMT_SMR 1 Security Management Roles ESM Policy Manager PP ESM Access Control PP FPT_FLS_EXT 1 Failure of Communications ESM Access Control PP FPT_RPL 1 Replay Detection ESM Access Control PP FPT_STM 1 Reliable Time Stamps ESM Policy Manager PP FRU_FLT 1 Degraded Fault Tolerance ESM Access Control PP FTA_SSL_EXT 1 TSF initiated Session Locking and Termination ESM Policy Manager PP FTA_SSL 4 User initiated termination ESM Policy Manager PP ESM Access Control PP FTA_TAB 1 TOE Access Banner ESM Policy Manager PP FTP_ITC 1 1 Inter TSF Trusted Channel prevention of ESM Policy Manager PP ESM Access Control FTP_ITC 1 2 Inter TSF Trusted Channel detection of ESM Policy Manager PP modification ESM Access Control PP FTP_TRP 1 Trusted Path ESM Policy Manager PP 5 3 1 Enterprise Security Management ESM ESM_ACD 1 Hierarchical to ESM_ACD 1 1 Access Control Policy Definition No other components The TSF shall provide the ability to define access control policies for consumption by one or more compatible Access Control products Page 30 of 74 CA Layer 7 ESM_ACD 1 2 ESM_ACD 1 3 Dependencies Application Note ESM_ACT 1 Hierarchical to ESM_ACT 1 1 Dependencies ESM_ATD 1 Hierarchical to ESM_ATD 1 1 ESM_ATD 1 2 Security Target Access control policies defined by the TSF must be capable of containing the following a Su
40. SM Policy Manager PP and the ESM Access Control PP Security objectives As shown in section 4 the security objectives are identical to those of the ESM Policy Manager PP and the ESM Access Control PP d Security requirements Section 5 of this ST defines the claimed security requirements SARs have been reproduced directly from the claimed PPs There were a number of duplicate SFRs included in both the ESM Policy Manager PP and the ESM Access Control PP Table 20 below describes how this duplication has been addressed In addition the claimed PPs included a number of optional SFRs Table 21 below describes how these have been addressed No additional requirements have been specified 107 The conformance of this ST to both the ESM Policy Manager PP and the ESM Access Control PP is consistent with the PP application notes presented in section 6 1 1 of each document which states The ESM PPs represent a family of related Protection Profiles written to encompass the variable capabilities of ESM products For an ST that claims conformance to multiple PPs within the ESM PP family it is recommended that the ST author clarify how the ESM components relate to one another through usage of application notes This will assist the reader in determining how the parts of the product that are to be evaluated correspond with the CC s notion of different ESM capabilities Table 20 Duplicate SFRs Requirement How the duplication of SFRs is handle
41. STAL There will be a competent and trusted administrator who will follow the guidance provided in order to install the TOE 52 Note The assumption A POLICY is included for PP conformance however it is addressed by the requirements of the ESM Policy Manager PP see security objective O POLICY The Policy Manager provides policy data Page 24 of 74 CA Layer 7 Security Target 4 Security Objectives 4 1 Objectives for the Operational Environment 53 Table 10 identifies the objectives for the operational environment drawn from the ESM Policy Manager PP Table 10 Operational environment objectives ESM Policy Manager PP Identifier Description OE ADMIN There will be one or more administrators of the Operational Environment that will be responsible for providing subject identity to attribute mappings within the TOE OE AUDIT The Operational Environment will provide a remote location for storage of audit data OE INSTAL Those responsible for the TOE must ensure that the TOE is delivered installed managed and operated in a secure manner OE PERSON Personnel working as TOE administrators shall be carefully selected and trained for proper operation of the TOE OE PROTECT One or more ESM Access Control products will be deployed in the Operational Environment to protect organizational assets OE USERID The Operational Environment must be able to identify a user requesting access to the T
42. T 1 xX FMT_MSA 1 1 FMT_MSA 1 2 xX X FMT_MSA 3 xX FMT_MSA_EXT 5 xX FMT_SMF 1 xX FMT_SMR 1 xX FPT_FLS_EXT 1 X Page 60 of 74 Security Target CA Layer 7 Continuity of Enforcement Robust Administrative Access System Monitoring Policy Security Access Control Policy Enforcement Access Control Policy Definition SFR FPT_RPL 1 FPT_STM 1 FRU_FLT 1 FTA_SSL_EXT 1 FTA_SSL 4 FTA_TAB 1 1 FTP_ITC 1 2 FTP_TRP 1 FTP_ITC 1 Page 61 of 74 CA Layer 7 Security Target Annex A Assurance Activities Annex A 1 ESM Policy Manager PP Assurance Activities Source Requirement Assurance Family ESM_ACD 1 The evaluator must do the following ASE e Verify that the ST identifies compatible Access Control products e Verify that the ST describes the scope and granularity of the entities that define policies subjects objects operations attributes e Review STs for the compatible Access Control products and verify that there is correspondence between the policies the TOE is capable of creating and the policies the Access Control products are capable of consuming ESM_ACD 1 Verify that the design documentation indicates how policies are identified ADV_FSP ESM_ACD 1 The evaluator will test this capability by using the TOE to create a policy that ATE_IND utilizes the full range o
43. T_FLS_E 1 The evaluator shall check the operational guidance developmental evidence if available in order to determine that it discusses how the TOE is AGD_OPE Page 73 of 74 CA Layer 7 Security Target Source Requirement Assurance Family deployed in relation to other ESM products This is done so that the evaluator can determine the expected behavior if the TOE is unable to interact with its accompanying Policy Management product 21 FPT_FLS_E 1 The evaluator shall test this capability by terminating the product that distributes policy to the TOE and also by severing the network connection between the TOE and this product if applicable The evaluator will then interact with the TOE while these communications are suspended in order to determine that the behavior it exhibits in this state is consistent with the expected behavior ATE_IND 22 FPT_RPL 1 1 The evaluator shall check the administrative guidance and TSS developmental evidence if available in order to determine that it describes the method by which the TSF detects replayed data For example it may provide a certificate or other value that can be validated by the TSF to verify that the policy is consistent with some anticipated schema Alternatively the TOE may utilize a protocol such as SSL for transmitting data that immunizes it from replay threats ASE_TSS AGS_OPE 23 FPT_RPL 1 1
44. and delete Manage UDDI Create read update and UDDI registries Registries delete Note UDDI not within scope of the TOE This role is listed for completeness Manage Web Services Publish edit delete Web Service Read Existing Users Edit Global Policy Assertions for web service policies Page 41 of 74 CA Layer 7 Security Target Role Operations Attributes Publish External Create External Identity Provider Identity Providers Publish Web Services Publish Web Service Search Users and Read Users and Groups Groups View name Folder Read Policies within a defined folder View name Log Sink Read Audit events View Audit Records Read Audit events Note For additional detail related to roles and terms above refer to the Predefined Roles and Permissions section of the Policy Manager User Manual FMT_MSA 3 Hierarchical to FMT_MSA 3 1 FMT_MSA 3 2 Dependencies FMT_MSA_EXT 5 Hierarchical to FMT_MSA_EXT 5 1 FMT_MSA_EXT 5 2 Dependencies FMT_SMF 1 Hierarchical to FMT_SMF 1 1 Static attribute initialization No other components The TSF shall enforce the access control SFP to provide restrictive default values for security attributes that are used to enforce the SFP The TSF shall allow the Administrator to specify alternative initial values to override the default values when an object or information is created FMT_MSA 1 Management
45. are NTP Network Time Protocol PKI Public Key Infrastructure PP Protection Profile SOA Service Oriented Architecture SOAP Simple Object Access Protocol SOAP defines the message format used in web services requests SSH Secure Shell ST Security Target TCP Transmission Control Protocol TLS Transport Layer Security TSF TOE Security Functions TOE Target of Evaluation UDDI Universal Description Discovery and Integration URL Universal Resource Locator WSDL Web Services Description Language WS Security WS Security Web Services Security is an extension to SOAP Page 6 of 74 CA Layer 7 Security Target Term Definition to apply security to web services The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats such as SAML Kerberos and X 509 Its main focus is the use of XML Signature and XML Encryption to provide end to end security XML Extensible Markup Language XSL Extensible Stylesheet Language Page 7 of 74 CA Layer 7 2 2 1 Security Target TOE Description Type and Usage The TOE is an enterprise security management solution that provides centralized management and access control over SOAP web services The TOE controls how SOAP web services are exposed to and accessed by external client applications The TOE is comprised of two main components for policy definition and policy con
46. based on the following additional rules if a requested object is not explicitly allowed by policy then the access to the requested object is denied by default FDP_ACC 1 Subset access control FMT_MSA 3 Static attribute initialization 5 3 6 Class FIA Identification and Authentication FIA_AFL 1 Hierarchical to FIA_AFL 1 1 FIA_AFL 1 2 Dependencies Application note FIA_SOS 1 Hierarchical to FIA_SOS 1 1 Authentication failure handling No other components The TSF shall detect when an administrator configurable positive integer within a range of 1 and 20 unsuccessful authentication attempts occur related to login at the Policy Manager When the defined number of unsuccessful authentication attempts has been met the TSF shall lock the account for an administrator defined period of time FIA_UAU 1 Timing of authentication This requirement relates only to the Policy Manager component of the TOE as the SFR is drawn from the ESM Policy Manager PP Verification of secrets No other components The TSF shall provide a mechanism to verify that secrets meet the following a For password based authentication the following rules apply 1 Passwords shall be able to be composed of a subset of the following character sets all printable ASCII characters that include the following values 26 uppercase letters 26 lowercase letters 10 numbers and 10 special characters RAT amp a i
47. bjects e Service Clients Source Identity Provider and b Objects e SOAP Web Services Source TOE Published Services and c Operations e Service Request Source Service Client d Attributes e Access Control assertion attributes Authentication Credentials Source Service Client via Service Request o User Group Source Identity Provider e Service Availability assertion attributes Context attributes time or day Source the Gateway Source IP address Source Service Client via Service Request The TSF shall associate unique identifying information with each policy No dependencies The Policy Manager defines access control policies for consumption by the Gateway Access Control Policy Transmission No other components The TSF shall transmit policies to compatible and authorized Access Control products under the following circumstances immediately following creation of a new or updated policy no other circumstances ESM_ACD 1 Access control policy definition Object attribute definition No other components The TSF shall maintain the following list of security attributes belonging to individual objects e Object SOAP Web Services Attributes Associated policy assertions The TSF shall be able to associate security attributes with individual objects Page 31 of 74 CA Layer 7 Dependencies ESM_ATD 2 Hierarchical to ESM_ATD 2 1 ESM_ATD 2 2 Dependencies Security Tar
48. ce with the operational guidance in order to enable its display The evaluator shall then attempt to access the TOE and verify that a TOE banner exists If applicable the evaluator will also attempt to utilize the functionality to modify the TOE access banner as per the standards defined in FMT_SMF 1 and verify that the TOE access banner is appropriately updated AGD_OPE ATE_IND 32 FTA_SSL_E XT 1 1 The evaluator follows the operational guidance to configure several different values for the inactivity time period referenced in the component For each period configured the evaluator establishes a local interactive session with the TOE The evaluator then observes that the session is either locked or terminated after the configured time period If locking was selected from the component the evaluator then ensures that re authentication is needed when trying to unlock the session AGD_OPE ATE_IND 33 FTA_SSL 3 The evaluator follows the operational guidance to configure several different values for the inactivity time period referenced in the component these shall consist at least of the minimum and maximum allowed values as specified in AGD_OPE ATE_IND Page 68 of 74 CA Layer 7 Security Target Source Requirement Assurance Family the operational guidance as well as one other value For each period configured the evaluator establishes a remote interactive session wi
49. context of an audit message Refer to the Add Audit Detail Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior Customize SOAP Fault Response Allows customization of the SOAP fault response on a policy by policy basis Refer to the Customize SOAP Fault Response Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior Robust Administrative Access Related SFRs FIA_AFL 1 FIA_SOS 1 FTA_SSL_EXT 1 FTA_SSL 4 FIA_UAU 2 FIA_UID 2 FIA_USB 1 FMT_MSA 1 1 FMT_SMR 1 FTP_TRP 1 FTA_TAB 1 93 94 95 96 97 98 99 Access to the TOE can be achieved via the Policy Manager application or the Gateway Configuration Utility Users must authenticate prior to being granted access Users may authenticate via username and password The TOE administrative user database may be a Internal User details are maintained on an internal TOE database refer to the Internal Identity Provider Users and Groups section of the Policy Manager User Manual The TOE determines the username from the credentials presented at authentication and associates the defined role with the corresponding username The TOE maintains the roles and associated access permissions defined in Table 17 For configuration details refer to the Managing Roles section of the Policy Manager User Manual The TOE detects when an administrator defined threshold of unsuccessf
50. d assertions in the folder fail then the overall folder fails Refer to At Least One Assertion Must Evaluate to True Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior Access Control Policy Enforcement Related SFRs FDP_ACC 1 FDP_ACF 1 FMT_MOF 1 1 FMT_MOF 1 2 FMT_MOF_EXT 1 FMT_MSA 1 2 FMT_MSA 3 FMT_SMF 1 FMT_SMR 1 FTA_SSL 4 Page 50 of 74 CA Layer 7 73 74 75 76 77 78 79 6 3 Security Target The Gateway enforces polices defined by the Policy Manager see section 6 1 for policy types In the evaluated configuration the Gateway may only consume policies from the Layer 7 SecureSpan Policy Manager although it is compatible with other means as described in section 2 3 3 The Gateway authenticates the Policy Manager using TLS endpoint authentication refer to section 6 7 for TLS details The Gateway performs the following message processing for a typical policy a Service request arrives b Request is run through the WS Security processor i Encrypted sections are decrypted and WS Security Signatures are verified The sign and or encrypt order is chosen by the sender in the evaluated configuration only signature verification is applicable when SAML envelope signatures are in use ii Default security header can be optionally removed before routing Request is run through the policy assertions linear order d Response is run thro
51. d in the ST FAU_GEN 1 Same base requirement in both PPs SFR specified once in the ST and events combined in Table 16 FAU_STG_EXT 1 SFR from the ESM Policy Manager PP included the ST as itis a superset of the SFR defined by the ESM Access Control PP FCS_CKM 1 Same requirement in both PPs Not claimed optional optional FCS_CKM_EXT 4 Same requirement in both PPs Not claimed optional optional FCS_COP 1 1 Same requirement in both PPs Not claimed optional optional Page 56 of 74 CA Layer 7 Security Target Requirement How the duplication of SFRs is handled in the ST FCS 1 2 optional Same requirement in both PPs Not claimed optional FCS_COP 1 3 optional Same requirement in both PPs Not claimed optional FCS 1 4 optional Same requirement in both PPs Not claimed optional FCS_RBG_EXT 1 Same requirement in both PPs Not claimed optional optional FMT_MSA 1 FMT_MSA 1 2 from the ESM Policy Manager PP covers the required functionality that is defined by FMT_MSA 1 of the ESM Access Control PP FMT_MSA 3 FMT_MSA 3 from the ESM Policy Manager PP covers the required functionality that is defined by FMT_MSA 1 of the ESM Access Control PP FMT_MSA 3 Same requirement in both PPs SFR specified once in the ST FMT_SMF 1 Same base requirement in both PPs SFR specified once in the ST and managem
52. dencies Application note FTP_TRP 1 Hierarchical to FTP_TRP 1 1 FTP_TRP 1 2 Security Target itself and authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure The TSF shall permit the TSF or the authorized IT entities to initiate communication via the trusted channel The TSF shall initiate communication via the trusted channel for transfer of policy data and for the following functions when configured by the administrator e service client connections e Syslog server communication No dependencies Inter TSF trusted channel Detection of Modification No other components The TSF shall use TLS in conjunction with the ciphersuites specified at section 6 7 providing trusted communication channel between itself and authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and detection of the modification of data The TSF shall permit the TSF or the authorized IT entities to initiate communication via the trusted channel The TSF shall initiate communication via the trusted channel for transfer of policy data and for the following functions when configured by the administrator e service client connections e Syslog server communication No dependencies Use of TLS for se
53. determine that the audit records were written to the repository and contain the attributes as defined by the ST This testing may be done in conjunction with the exercise of other functionality For example if the ST specifies that an audit record will be generated when an incorrect authentication secret is entered then audit records will be expected to be generated as a result of testing identification and authentication The evaluator shall also check to ensure that the content of the logs are consistent with the activity performed on the TOE For example if a test is performed such that a policy is defined the corresponding audit record should correctly indicate the definition of policy FAU_SEL The evaluator shall check the operational guidance in order to determine the AGD_OPE XT 1 selections that are capable of being made to the set of auditable events and shall confirm that it contains all of the selections identified in the Security Target FAU_SEL The evaluator shall test this capability by configuring a compatible Access ATE_IND XT 1 Control product to have Page 63 of 74 CA Layer 7 Security Target Source Requirement Assurance Family e All selectable auditable events enabled e All selectable auditable events disabled e Some selectable auditable events enabled For each of these configurations the evaluator shall perform all selectable auditable events and determine by revie
54. e Policy Manager can detect inconsistencies in the application of policies so that policies are unambiguously defined The Policy Manager uniquely identifies the policies it creates so that it can be used to determine what policies are being implemented by remote products Page 13 of 74 CA Layer 7 2 4 2 28 2 4 3 29 30 31 2 4 4 32 33 2 4 5 34 2 4 6 35 2 5 36 Security Target Access Control Policy Enforcement The Gateway enforces the policies defined by the Policy Manager The Gateway inspects messages sent between service clients request messages and service endpoints response messages to evaluate and enforce compliance with the defined policies Policy Security Communication between the Policy Manager and the Gateway is protected from disclosure and modification A trusted channel is established to identify and authenticate each end point using TLS client server authentication The Gateway validates the integrity of the policy data it receives and rejects any invalid or replayed data The Gateway generates evidence of receipt of policies The TOE protects the integrity of policy identity credential attribute and other security information obtained from other trusted IT entities System Monitoring The TOE provides the ability to keep an audit log trail to provide administrative insight into system management and operation including identifying what policies are being defined and enf
55. e mutually authenticated using TLS certificates The node field of the receipt identifies the name of the Gateway to which the policy was applied System Monitoring Related SFRs FAU_GEN 1 FAU_SEL 1 FAU_SEL_EXT 1 FAU_STG 1 FAU_STG_EXT 1 FPT_STM 1 85 86 87 88 89 90 91 The TOE generates the audit events identified in Table 16 a full list of TOE audit message codes is provided in Appendix F of the Policy Manager User Manual The TOE may store logs in an internal database or an external Syslog server Communication with the Syslog server may be secured using TLS refer to section 6 7 for detail Authorized users may view audit events via the Policy Manager The set of events to be audited may be filtered based on event type Event type is based on Severity Level INFO WARNING SEVERE with allowable selections being as follows Selectable is INFO and WARNING Non Selectable is SEVERE i e SEVERE is always logged Additional details are provided in the Overriding the Audit Level section of the Policy Manager User Manual Audit logs cannot be modified via the Policy Manager The Administrator may delete audit events that are more than 7 days old Audit events are recorded until a predefined percentage of the database hard disk space is consumed Once the threshold is reached all message processing ceases until the log size drops below the threshold The threshold is defined in the audit archiverShutdo
56. e that the modified way of handling the action is correctly applied Once this has been done the evaluator shall reconfigure the TOE and Policy Management product such that the Policy Management product is no longer authorized to configure the TOE The evaluator shall then attempt to use the Policy Management product to configure the TOE and observe that it is either disallowed or that the option is not even present 18 FMT_MSA 1 1 The evaluator shall review the ST and operational guidance to determine that it describes how the TSF maintains its own access control internally if I m administrator on the PM TOE how do say who my users are what AC products they can control and to what extent can they control those AC products ASE_TSS AGD_OPE 19 FMT_MSA 1 1 The evaluator shall perform testing to confirm that described behaviors exhibit the documented semantics i e set up a new user give them privileges log in and see that those privileges were granted change some attributes that will affect their privileges log back in and see that those privileges have been changed The evaluator shall also review the ST and operational guidance to determine how the TOE is associated with ESM Access Control products The evaluator ATE_IND Page 66 of 74 CA Layer 7 Security Target Source Requirement Assurance Family shall verify how the TOE discovers AC product
57. ent functions combined in Table 18 FMT_SMR 1 Same requirement in both PPs SFR specified once in the ST FTA_SSL_EXT 1 Same requirement in both PPs SFR specified once in the ST FTA_SSL 3 Same requirement in both PPs SFR specified once in the ST FTA_SSL 4 Same requirement in both PPs SFR specified once in the ST FTA_TSE 1 Not claimed optional FTP_ITC 1 1 Same requirement in both PPs SFR specified once in the ST FTP_ITC 1 2 Same requirement in both PPs SFR specified once in the ST Table 21 Optional SFRs Requirement Source Rationale ESM_ATD 1 ESM Policy Manager Included ESM_ATD 2 ESM Policy Manager PP Included Page 57 of 74 CA Layer 7 Security Target Requirement Source Rationale ESM_DSC 1 ESM Access Control PP Not included Per ESM Access Control PP section C 1 5 this SFR is relevant to Data Loss Prevention or similar TOEs that require automated discovery and inventory of objects In the TOE objects Web Services are manually added by the administrator FCS_CKM 1 ESM Policy Manager PP FCS_CKM 1 ESM Access Control PP FCS_CKM_EXT 4 ESM Policy Manager PP FCS_CKM_EXT 4 ESM Access Control PP FCS_COP 1 1 ESM Policy Manager PP FCS_COP 1 1 ESM Access Control PP FCS_COP 1 2 ESM Policy Manager PP FCS_COP 1 2 ESM Access Control PP FCS_COP 1 3 ESM Policy Manage
58. erve that the audit repository now logs or doesn t log this event based on the modified behavior Repository for remote audit storage observe that audited events are written to a particular repository modify the repository to which the TOE should write audited events perform auditable events and observe that they are no longer written to the original repository Access Control SFP perform an action that is allowed or disallowed by the current Access Control SFP modify the implemented SFP such that that action is now disallowed or allowed perform the same action and observe that the authorization differs from the original iteration of the SFP Policy being implemented by the TSF perform an action that is allowed or disallowed by a specific access control policy provide a TSF policy that now disallows or allows that action perform the same action and observe that the authorization differs from the original iteration of the FSP Access Control SFP behavior to implement in the event of communications outage perform an action that is handled in a certain manner in the event of a communications outage if applicable re establish communications between the TOE and the Policy Management product change the SFP behavior that the TOE should implement in the event of a communications outage sever the connection between the TOE and the Policy Management product perform the same action that was originally performed and observ
59. eshold action FIA_SOS 1 Management of the metric used to verify secrets FIA_UAU 2 Management of authentication data for both interactive users and authorized IT entities FIA_UID 2 Management of user identities for both interactive users and authorized IT entities FIA_USB 1 Definition of default subject security attributes modification of subject security attributes FMT_MOF_EXT 1 Configuration of the behavior of other ESM products FMT_MSA 1 Management of sets of subjects that can interact with security attributes Management of rules by which security attributes inherit specified values FMT_MSA 3 Managing the subjects that can specify initial values Managing the permissive or restrictive setting of default values for a given access control SFP Management of rules by which security attributes inherit specified values FMT_SMR 1 Management of the users that belong to a particular role FTA_TAB 1 Maintenance of the banner FTP_ITC 1 1 Configuration of actions that require trusted channel FTP_ITC 1 2 Configuration of actions that require trusted channel Page 43 of 74 CA Layer 7 Security Target Requirement Management Activities FTP_TRP 1 Configuration of actions that require trusted path FMT_SMR 1 Hierarchical to FMT_SMR 1 1 FMT_SMR 1 2 Dependencies Security Management Roles No other components The TSF shall maintain the roles defined in Table 17 The TSF
60. ette this assertion is labeled Require SSL or TLS Transport and does not have the Require Client Certificate Authentication check box selected by default Require WS Security Signature Credentials Requires that the web service target message includes an X 509 client certificate and has at least one element signed by that client certificate s private key as a proof of possession Note The evaluated configuration defined in the Secure Installation Guide specifies a limited set of attributes that may be used with this assertion multiple signatures are not supported Service availability assertions The following subset of service availability assertions are evaluated i ii Limit Availability to Time Days Enables restricting service access by a time and or day interval When the Gateway receives a request for the service it will check the time and or day restrictions before allowing the message to proceed Restrict Access to IP Address Range Enables restricting service access based on the IP address of the requesting service client Policy logic assertions The following subset of policy logic assertions are evaluated in support of access control i ii All Assertions Must Evaluate to True All associated assertions must evaluate to true to achieve a success outcome At Least One Assertion Must Evaluate to True At least one associated assertion must evaluate to true to achieve a success outcome Th
61. evaluator shall check the development evidence in order to determine how the TOE confirms evidence of received policy data back to the Policy Management product that originally sent it that policy data This should include the contents and formatting of the receipt such that the data that it contains is verifiable ASE_TSS FCO_NRR 2 The evaluator shall test this capability by configuring an environment such that the TOE is allowed to accept a policy from a certain source sending it a policy from that source observing that the policy is subsequently consumed and that an accurate receipt is transmitted back to the Policy Management product within the time interval specified in the ST The evaluator confirms accuracy by using the Policy Management product to view the receipt and ensure that its contents are consistent with known data ATE_IND FDP_ACC 1 FDP_ACF 1 The evaluator shall check the ST and operational guidance in order to verify that the TOE is capable of mediating the activities that are defined ASE_TSS AGD_OPE 10 FDP_ACC 1 FDP_ACF 1 The evaluator shall then use an authorized and compatible Policy Management product to define policies that contain rules for mediating these activities For each subject object operation attribute combination the evaluator shall execute at least one positive and one negative test in order to show that the TSF is capable of appropriately mediating these activities
62. f subjects objects operations and attributes and sending it to a compatible Access Control product for consumption The evaluator will then perform actions that are mediated by the Access Control product in order to confirm that the policy was applied appropriately The evaluator will also verify that a policy identifier is associated with a transmitted policy by querying the policy that is being implemented by the Access Control product ESM_ACT 1 The evaluator shall review the operational guidance to determine how to create AGD_OPE and update policies and the circumstances under which new or updated ATE IND policies are transmitted to consuming ESM products and how those circumstances are managed if applicable The evaluator shall obtain a compatible Access Control product and following the procedures in the operational guidance for both the Policy Manager and the Access Control product create a new policy and ensure that the new policy defined in the Policy Manager is transmitted and installed successfully in the Access Control product in accordance with the circumstances defined in the SFR In other words a if the selection is completed to transmit after creation of a new policy then the evaluator shall create the new policy and ensure that after a reasonable window for transmission the new policy is installed b if the selection is completed to transmit periodically the evaluator shall create the new policy wait
63. get No dependencies Subject attribute definition No other components The TSF shall maintain the following list of security attributes belonging to individual subjects e Subject Service Clients Attributes Authentication Credentials User Group The TSF shall be able to associate security attributes with individual subjects No dependencies 5 3 2 Security Audit FAU FAU_GEN 1 Hierarchical to Audit Data Generation No other components FAU_GEN 1 1 The TSF shall be able to generate an audit record of the following auditable events a Start up and shutdown of the audit functions and b All auditable events identified in Table 16 for the not specified level of audit and c No additional events FAU_GEN 1 2 The TSF shall record within each audit record at least the following information a Date and time of the event type of event subject identity if applicable and the outcome success or failure of the event and b For each audit event type based on the auditable event definitions of the functional components included in the PP ST information specified in column three of Table 16 Dependencies FPT_STM 1 Reliable time stamps Table 16 Auditable events Component Event Additional Information ESM_ACD 1 Creation or modification of Unique policy identifier policy ESM_ACT 1 Transmission of policy to Destination of policy Access Control products ESM_ATD 1 Definition of object attributes Identificatio
64. guration only the enabled events are recorded ATE_IND Page 70 of 74 CA Layer 7 Security Target Source Requirement Assurance Family FAU_STG 1 The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally what happens when the local audit data store is full and how these records are protected against unauthorized access The evaluator shall also examine the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server For example when an audit event is generated is it simultaneously sent to the external server and the local store or is the local store used as a buffer and cleared periodically by sending the data to the audit server ASE_TSS FAU_STG_ EXT 1 The evaluator shall examine the administrative guidance to ensure it instructs the administrator how to establish communication with the audit server The guidance must instruct how this channel is established in a secure manner e g IPsec TLS AGD_OPE FAU_STG_ EXT 1 The evaluator shall test the administrative guidance by establishing a link to the audit server and confirming that the audit records generated have been transmitted to that server Note that this will need to be done in order to perform the assurance activities prescribed under FAU_GEN 1 ATE_IND FCO_NRR 2 The
65. ict the ability to query the behavior of modify the behaviour of the functions audited events repository for remote audit storage Access Control SFP policy being implemented by the TSF Access Control SFP behavior to enforce in the event of communications outage no other functions to an authorized and compatible Policy Management product FMT_SMF 1 Specification of management functions FMT_SMR 1 Security roles Management of Functions Behavior No other components The TSF shall restrict the ability to query the behaviour of the functions policy being implemented by the TSF no other functions to an authorized and compatible Enterprise Security Management product FMT_SMF 1 Specification of management functions FMT_SMR 1 Security roles External management of functions behavior No other components The TSF shall restrict the ability to query the behavior of modify the functions of Access Control products audited events repository for remote audit storage Access Control SFP policy version being implemented Access Control SFP behavior to enforce in the event of communications outage Gateway configuration to the roles Administrator query and modify Operator query only FMT_SMF 1 Specification of management functions FMT_SMR 1 Security roles The TOE supports numerous roles refer to Table 17 of which the Administrator and Operator are the superset Management of security attributes internal attributes No other com
66. idation Transformation Assertions X Page 18 of 74 CA Layer 7 Security Target Assertion S 2 g 2 8518 Message Routing Assertions Add Header Assertion X Configure Message Streaming Assertion X Copy Request Message to Response Assertion X Execute Salesforce Operation X Return Template Response to Requestor Assertion X Route via FTP S Assertion Configured with FTP X Route via FTP S Assertion Configured with FTPS X Route via HTTP S Assertion Configured with HTTP X Route via HTTP S Assertion Configured with HTTPS X Route via JMS Assertion X Route via MQ Native Assertion X Route via Raw TCP Assertion X Route via SecureSpan Bridge Assertion X Route via SSH2 Assertion Service Availability Assertions Limit Availability to Time Days Assertion X Restrict Access to IP Address Range Assertion X Apply Rate Limit Assertion X Apply Throughput Quota Assertion X Look Up in Cache Assertion X Query Rate Limit Assertion X Query Throughput Quota Assertion X Page 19 of 74 CA Layer 7 Security Target Assertion S 2 g 2 8518 Resolve Service Assertion X Store to Cache Assertion X Logging Auditing and Alerts Assertions Add Audit Detail Assertion X Audit Messages in Policy Assertion X
67. ification 6 1 Access Control Policy Definition Related SFRs ESM_ACD 1 ESM_ATD 1 ESM_ATD 2 FMT_MSA 1 2 FMT_MSA 3 FMT_MSA_EXT 5 FMT_SMF 1 63 This security function refers to the access control policy definition capabilities of the Policy Manager The Policy Manager is used to configure and define access control policies for the Layer 7 SecureSpan SOA Gateway i e the Gateway is the compatible access control product A summary of the policy definition capability is provided below however an entire manual the Policy Authoring User Manual is dedicated to this topic and should be referenced for detailed information 64 A policy defines restrictions for the consumption of a published Gateway protected service At the highest layer of abstraction the attributes used in policy definition are as defined in ESM_ACD 1 Details for included policy assertions are provided in sections 6 1 1 6 1 2 and 6 1 3 below 65 In the Policy Manager a service policy includes assertions that determine the authentication method identity credentials transport method and routing method for the web service The specific types of assertions their relative location and the other assertions determine the properties and validity of a policy During processing the Gateway scans each policy assertion from top to bottom assigning or fail outcome to each 66 Policies are constructed in a policy development window by mov
68. ing assertions and policy fragments template groups of assertions into a meaningful tree structure resulting 1 level and child assertions There are two special assertions used to refine policy logic a At least one assertion must evaluate to true folder Each child assertion placed in this folder is processed until an assertion succeeds At this point processing of the folder stops and the At least one folder is assigned a successful outcome However if all assertions in the folder fail then the At least one assertion is assigned a failure outcome b All assertions must evaluate to true folder Each child assertion placed in this folder is processed until an assertion fails At this point processing of the folder stops and the All assertions folder is assigned a failure outcome However if all assertions in the folder succeed then the All assertions folder is assigned a successful outcome 67 The TOE restricts the ability to manage security attributes in accordance with Table 17 and provides the management capabilities defined in the Policy Authoring User Manual and the Installation and Maintenance Manual Appliance Edition 68 Policy values are restrictive by default access to objects is denied unless the administrator defines a policy to enable access 69 Policy consistency checking is performed by the Policy Validator within the Policy Manager The Policy Validator detects syntax error unfulfilled depe
69. ivities Source Requirement Assurance Family FAU_GEN 1 As per ESM Policy Manager PP assurance activity in addition This testing may be done in conjunction with the exercise of other functionality For example if the ST specifies that an audit record will be generated when an access request is denied by a policy specified in FDP_ACF 1 then audit records will be expected to be generated as a result of testing the policy s effectiveness The evaluator shall also check to ensure that the content of the logs are consistent with the activity performed on the TOE For example if a test is performed such that an access request is denied by policy the corresponding audit record should correctly indicate the failure ATE_IND FAU_SEL 1 The evaluator shall check the operational guidance in order to determine the selections that are capable of being made to the set of auditable events and shall confirm that it contains all of the selections identified in the Security Target AGD_OPE FAU_SEL 1 The evaluator shall test this capability by using a compatible Policy Management product to configure the TOE in the following manners All selectable auditable events enabled All selectable auditable events disabled Some selectable auditable events enabled For each of these configurations the evaluator shall perform all selectable auditable events and determine by review of the audit data that in each confi
70. l require each user to be successfully identified before allowing any other TSF mediated actions on behalf of that user No dependencies User subject binding No other components The TSF shall associate the following user security attributes with subjects acting on the behalf of that user username role The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users e The TSF determines the username from the credentials presented for authentication e The TSF associates the role with the corresponding username The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users Once a user s session is established the security attributes associated with a subject acting on behalf of a user cannot be changed for the duration of that user s session FIA_ATD 1 User attribute definition This requirement refers to TOE administrative users Page 38 of 74 CA Layer 7 5 3 7 FMT_MOF 1 1 Hierarchical to FMT_MOF 1 1 1 Dependencies FMT_MOF 1 2 Hierarchical to FMT_MOF 1 1 2 Dependencies FMT_MOF_EXT 1 Hierarchical to FMT_MOF_EXT 1 1 Dependencies Application note FMT_MSA 1 1 Hierarchical to FMT_MSA 1 1 1 Security Target Class FMT Security Management Management of Functions Behavior No other components The TSF shall restr
71. lity to the defined quality metrics metric FIA_UAU 2 All use of the authentication None mechanism FIA_UID 2 All use of the identification Provided user identity mechanism Page 33 of 74 CA Layer 7 Security Target Component Event Additional Information FIA_USB 1 Successful and unsuccessful None binding of user attributes to a subject FMT_MOF 1 All modifications to TSF None behavior FMT_MSA 1 All modifications of security None attributes FMT_MSA 3 All modifications of the initial Attribute modified modified value values of security attributes FMT_SMF 1 Use of the management Management function performed functions FMT_SMR 1 Modifications to the members None of the management roles FPT_FLS_EXT 1 Failure of communication between the TOE and Policy Management product Identity of the Policy Management product Reason for the failure trusted path functions FPT_RPL 1 Detection of replay Action to be taken based on the specific actions FTP_ITC 1 1 All use of trusted channel Identity of the initiator and target of functions the trusted channel FTP_ITC 1 2 All use of trusted channel Identity of the initiator and target of functions the trusted channel FTP_TRP 1 All attempted uses of the Identification of user associated with all trusted path functions if available FAU_SEL 1 Selective Audit Hierarchical to FAU_SEL 1 1 Dependencies Application Note
72. m the ESM Policy Manager PP and the ESM Access Control PP A conformance rationale is presented at section 7 1 7 3 Security Requirements Rationale 109 Security requirements are drawn directly from the ESM Policy Manager PP and the ESM Access Control PP A conformance rationale is presented at section 7 1 An unfulfilled dependencies rationale is presented in section 6 1 9 of the ESM Policy Manager PP 7 4 TOE Summary Specification Rationale 110 Table 22 provides a coverage mapping showing that all SFRs are mapped to the security functions described in the TSS Table 22 Map of SFRs to TSS Security Functions 0 amp 5 i mo 2 5 me lt 5 lt 252 5 2 o 5 ere as z S eS os 53 oD lt 2 3 ag SFR ESM_ACD 1 X ESM_ACT 1 X ESM_ATD 1 X ESM_ATD 2 X FAU_GEN 1 X Page 59 of 74 CA Layer 7 Security Target 0 gt m 8 o 5 8 9 5 So 3 5 oe 83 lt 52 5580 2 9 Ona o 0 97s 5 9 328 8 SS 055 55 55 553 OE lt za Ie s lt 22 SFR 5 By FAU_SEL 1 FAU_STG 1 xX FAU_SEL_EXT 1 FAU_STG_EXT 1 X FCO_NRR 2 FDP_ACC 1 X FDP_ACF 1 FIA_AFL 1 X FIA_SOS 1 FIA_UAU 2 xX FIA_UID 2 xX FIA_USB 1 xX FMT_MOF 1 1 FMT_MOF 1 2 xX FMT_MOF_EX
73. mmunication with that IT entity to ensure it successfully is authenticated and identified The evaluator shall also attempt communications with unidentified or unauthenticated entities to ensure that such connections are not successful AGD_OPE ATE_IND 14 FIA_UID 2 This functionality for both interactive users and authorized IT entities is verified concurrently with FIA_UAU 2 ATE_IND 15 FIA_USB 1 The evaluator shall check the operational guidance in order to verify that it describes the mechanism by which external data sources are invoked and mapped to user data that is controlled by the TSF AGD_OPE 16 FIA_USB 1 The evaluator shall test this capability by configuring the TSF to accept user information from external sources as defined by the ST The evaluator shall then perform authentication activities using these methods and validate that authentication is successful in each instance Based on the defined privileges assigned to each of the subjects the evaluator shall then perform various management tests in order to determine that the user authorizations are consistent with their externally defined attributes and the configuration of the TSF s access control policy For example if a user who is defined in an LDAP repository belongs to a certain group and the TSF is configured such that members of that group only have read only access to policy information the evaluator shall authenticate to the TSF a
74. n of the attribute defined Page 32 of 74 CA Layer 7 Security Target Component Event Additional Information ESM_ATD 1 Association of attributes with Identification of the object and the objects attribute ESM_ATD 2 Definition of subject attributes Identification of the attribute defined ESM_ATD 2 Association of attributes with Identification of the subject and the subjects attribute FAU_SEL 1 All modifications to audit None configuration FAU_SEL EXT 1 All modifications to audit None configuration FAU_STG_EXT 1 Establishment and disestablishment of communications with audit server Identification of audit server FCO_NRR 2 The invocation of the non Identification of the information the repudiation service destination and a copy of the evidence provided FDP_ACC 1 Any changes to the enforced Identification of Policy Management policy or policies product making the change FDP_ACF 1 All requests to perform an Subject identity object identity operation on an object covered requested operation by the SFP FIA_AFL 1 The reaching of an Action taken when threshold is unsuccessful authentication reached attempt threshold the actions taken when the threshold is reached and any actions taken to restore the normal state FIA_SOS 1 Rejection or acceptance by the None TSF of any tested secret FIA_SOS 1 Identification of any changes The change made to the qua
75. name Manage name Policy Read update and delete Named Policy Manage name Service Delete view update Web Service Assertions for web service policies Manage Administrative Accounts Configuration Create read and update Cluster properties applicable to administrative account configuration logon maxAllowableAttempts logon lockoutTime logon sessionExpiry logon inactivityPeriod Page 40 of 74 CA Layer 7 Security Target Role Operations Attributes Manage Certificates Create read update and delete Trusted certificates Policies for revocation checking Manage Cluster Properties Create read update and delete Cluster status information Manage Internal Users and Groups Create read update and delete Users Groups used to organize users as a time saving tool Manage Listen Ports Create read update and delete Gateway listen ports both HTTP S and FTP S Manage Log Sinks Create read update and delete Log sinks manage where audit records should be sent Read Folders Identity Providers Listen ports Log files Policies Services Users Manage Password Policies Read and update Password policy Manage Private Keys Create read update and delete Private keys Default SSL key Default CA key Manage Secure Read create update Stored passwords Passwords
76. ndencies and incorrect ordering of assertions The administrator is notified when an error is detected The Policy Validator is not configurable 6 1 1 Access Control Assertions 70 The following subset of assertions are evaluated Page 48 of 74 CA Layer 7 Security Target Authenticate User or Group Require specified users and or groups to be authenticated against a selected identity provider Applies the credentials collected by a require assertion listed below to authenticate a user or group specified in this authenticate assertion Refer to Authenticate User or Group Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior Authenticate against Identity Provider Requires provided client credentials to be successfully authenticated against a selected identity provider Applies the credentials collected by the require assertions to be authenticated Refer to Authenticate against Identity Provider Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior In the evaluated configuration specified by the Secure Installation Guide the following Identity Providers are supported i Internal ii Federated with X 509 credentials Require HTTP Basic Note should be used in conjunction with Require SSL or TLS Require that incoming requests to contain HTTP basic authentication credentials Refer to Require HTTP Basic Credentials Asser
77. ntifies the security objectives for the TOE drawn from the ESM Policy Manager PP Table 12 Security objectives ESM Policy Manager PP Identifier Description O ACCESSID The TOE will contain the ability to validate the identity of other ESM products prior to distributing data to them O AUDIT The TOE will provide measures for generating security relevant events that will detect access attempts to TOE protected resources by users O AUTH The TOE will provide a mechanism to examine human and IT entity user identity data received from the Operational Environment and determine the extent to which the claimed identity should be able to perform TSF management functions O BANNER The TOE will display an advisory warning regarding use of the TOE O CONSISTENT The TSF will provide a mechanism to identify and rectify contradictory policy data O DISTRIB The TOE will provide the ability to distribute policies to trusted IT products using secure channels O MANAGE The TOE will provide the ability to manage the behavior of trusted IT products using secure channels O EAVES The TOE will either leverage a third party cryptographic suite or contain the ability to utilize cryptographic algorithms to secure the communication channels to and from itself O INTEGRITY The TOE will contain the ability to assert the integrity of policy data O POLICY The TOE will provide the ability to generate policies that are sufficiently
78. of identification 5 3 4 FCS Cryptographic Support 61 The TOE utilizes third party cryptographic suites and therefore does not claim any of the optional cryptographic SFRs per guidance at Annex C 4 of the ESM Policy Manager PP and Annex C 3 of the Access Control PP 5 3 5 Class FDP User Data Protection FDP_ACC 1 Access Control Policy Hierarchical to FDP_ACC 1 1 Dependencies Application note FDP_ACF 1 Hierarchical to FDP_ACF 1 1 FDP_ACF 1 2 FDP_ACF 1 3 No other components The TSF shall enforce the access control Security Function Policy SFP on e Subjects Service Clients on behalf of users e Objects SOAP Web Services and e Operations Service Request FDP_ACF 1 Security attribute based access control The Gateway enforces the access control SFP Access Control Functions No other components The TSF shall enforce the access contro SFP to objects based on the following all operations between users and objects based upon the attributes defined in ESM_ACD 1 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed rules received from the Policy Manager The TSF shall explicitly authorize access of subjects to objects based on the following additional rules no additional rules Page 36 of 74 CA Layer 7 FDP_ACF 1 4 Dependencies Security Target The TSF shall explicitly deny access of subjects to objects
79. of security attributes FMT_SMR 1 Security roles Consistent security attributes No other components The TSF shall identify the following internal inconsistencies within a policy prior to distribution incorrect assertion order syntax errors and unfulfilled dependencies The TSF shall take the following action when an inconsistency is detected issue a prompt for an administrator to manually resolve the inconsistency FMT_MOF_EXT 1 External Management of Functions Behavior Specification of Management Functions No other components The TSF shall be capable of performing the following management functions activities listed in Table 18 and Gateway configuration Page 42 of 74 CA Layer 7 Dependencies Security Target No dependencies Table 18 Management Functions within the TOE Requirement Management Activities ESM_ACD 1 Creation of policies ESM_ACT 1 Transmission of policies ESM_ATD 1 Definition of object attributes Association of attributes with objects ESM_ATD 2 Definition of subject attributes Association of attributes with subjects FAU_SEL_EXT 1 Configuration of auditable events for defined external entities FAU_STG_EXT 1 Configuration of external audit storage location FIA_AFL 1 Configuration of authentication failure threshold value configuration of actions to take when threshold is reached execution of restoration to normal state following thr
80. ogical scope of the TOE comprises the security functions defined in section 2 4 based on the evaluated configuration specified in section 2 3 Administrators should configure the TOE according to the CA Layer 7 SecureSpan SOA Gateway v8 0 Secure Installation Guide to establish the Common Criteria evaluated configuration Unevaluated Features The following security related features have not been evaluated a gt 0 Gateway Appliance Firewall IP Tables UDDI Registries Policy Manager Audit Alerts Security Zones SFTP Polling Listeners Working with SiteMinder Use the Gateway as an HTTP Proxy Salesforce Integration Windows Domain Login Gateway Backup and Restore Gateway Patch Management Mediation of access to non SOAP web services Authentication performed by Identity Providers the evaluation ensures that the result of the authentication is enforced but does not evaluate the authentication itself as this can be performed by a variety of third party providers In addition the evaluated configuration does not include use of the following Identity Providers i LDAP Identity Providers ii Federated Identity Provider using SAML credential source Page 16 of 74 CA Layer 7 Security Target n Global Policy Fragments 2 6 3 Scope of Evaluated Policy Assertions 45 The core functionality of the SecureSpan SOA Gateway is its ability to define and enforce policies
81. orced The TOE is capable of sending audit log information to an external trusted entity The following policy assertions are used in support of system monitoring a Audit Message in Policy Enables auditing of messages within a policy It records events pertaining to the processing of a policy e g assertion violations b Add Audit Detail Allows the definition of a custom message that can enhance the context of an audit message Customize SOAP Fault Response Allows customization of the SOAP fault response on a policy by policy basis Robust Administrative Access Administrative access to the TOE requires authentication and is governed by role based access control The TOE protects against attacker attempts to illicitly authenticate using repeated guesses and enforces an administrator define password policy The TOE displays a banner a login Continuity of Enforcement The Gateway will continue policy enforcement in the event of a loss of connectivity with the Policy Manager Physical Scope The TOE consists of the following components a Policy Manager v8 0 Build 4582 The application software running on supported non TOE operating systems b Gateway v8 0 Build 4582 The software including operating system Java Virtual Machine JDK 7u40 and database executing on supported non TOE Page 14 of 74 CA Layer 7 37 2 5 1 38 2 5 2 39 40 41 Security Target hardware and virtual appliances Firm
82. ponents The TSF shall restrict the ability to perform the operations in Table 17 on the security attributes listed in Table 17 to the roles in Table 17 Page 39 of 74 CA Layer 7 Dependencies FMT_MSA 1 2 FMT_MSA 1 1 2 Security Target FDP_ACC 1 Subset access control or FDP_IFC 1 Subset information flow control FMT_SMR 1 Security roles FMT_SMF 1 Specification of Management Functions Management of security attributes external attributes The TSF shall restrict the ability to perform the operations in Table 17 on the security attributes listed in Table 17 to the roles in Table 17 Dependencies FDP_ACC 1 Subset access control FDP_IFC 1 Subset information flow control FMT_SMR 1 Security roles FMT_SMF 1 Specification of Management Functions Table 17 Roles and permissions Role Operations Attributes Administrator Any Policy Manager All Operator Read Policy Manager All ssgconfig Any Gateway Configuration Utility All root Any Gateway Configuration Utility All Privileged Shell CLI All Gateway Maintenance Create read and update FTP Audit Archiver used to back up the audit logs on the Gateway via FTP to a specified host Invoke Audit Viewer Policy Read Audit events Manage name Folder Read update and delete Policies within a defined folder Manage name Identity Provider Read update and delete Identity Provider with a defined
83. ptional Thales nCipher nShield PCI HSM CMVP Certificate No 1742 iii Network HSM Optional network attached HSMs SafeNet Luna SA FIPS Certificate No 1856 1857 or nCipher nShield CMVP Certificate No 1742 iv Policy manager software cryptographic module Policy manager cryptographic operations are provided by RSA BSAFE Crypto J Toolkit CMVP Certificate No 1786 The evaluated configuration assumes that the TOE is configured to be in FIPS mode security fips enabled refer to the Miscellaneous Cluster Properties section of the Policy Manager User Manual Management The SOA Gateway can be managed in by a number of different interfaces applications Only the Policy Manager application and Gateway Configuration Utility are included in the evaluated configuration The Policy Manager web interface and Enterprise Security Manager application are excluded from the evaluated configuration Security Functions The following sections describe the security functions provided by the TOE refer to section 6 for additional detail on each security function Access Control Policy Definition The Policy Manager allows the TOE administrator to define detailed policies to enforce robust access control over web services The following policy assertions are covered by the evaluation a Access control assertions The following subset of access control assertions are evaluated i Authenticate User or Group Require specified use
84. r PP FCS_COP 1 3 ESM Access Control PP FCS_COP 1 4 ESM Policy Manager PP FCS_COP 1 4 ESM Access Control PP FCS_RBG_EXT 1 ESM Policy Manager PP Not included The TOE utilizes third party cryptographic suites and therefore does not claim any of the optional cryptographic SFRs per guidance at Annex C 4 of the ESM Policy Manager PP and Annex C 3 of the Access Control PP FPT_FLS 1 ESM Access Control PP Not included Per ESM Access Control PP sections 4 4 and C 2 2 this SFR is relevant to systems that require continued enforcement mechanisms to counter the threat of disablement by users such as host based access control systems The TOE is not a host based system FPT_STM 1 ESM Policy Manager PP Included FTA_SSL_EXT 1 ESM Policy Manager PP Included FTA_SSL_EXT 1 ESM Access Control PP Not included Timeout not enforced for local Gateway CLI sessions Page 58 of 74 CA Layer 7 Security Target Requirement Source Rationale FTA_SSL 3 ESM Policy Manager Not included No remote access to the Policy Manager Timeout period not configurable for ESM Access Control PP the Gateway FTA_SSL 4 ESM Policy Manager Included ESM Access Control PP FTA_TSE 1 ESM Policy Manager Not included Not required ESM Access Control PP 7 2 Security Objectives Rationale 108 All security objectives are drawn directly fro
85. r required 6 7 TLS and SSH Details 101 This section provides additional detail regarding the TOE s implementation of TLS and SSH All Gateway cryptographic operations for TLS and SSH are performed by the RSA BSAFE Crypto J Toolkit unless a HSM is installed in which case the HSM will provide Gateway cryptographic functions see section 2 3 2 for supported HSMs All Policy Manager cryptographic operations for TLS are performed by the RSA BSAFE Crypto J Toolkit 6 7 1 TLS 102 The TOE makes use of TLS in the following ways a Between service clients and the Gateway in this case the TOE is a TLS server b Between the Policy Manager and the Gateway in this case the TOE is both a TLS client Policy Manager and TLS server Gateway Between the Gateway a Syslog server this case the TOE is TLS client 103 The TLS implementation has the following characteristics when configured in accordance with the Secure Installation Guide a TLS 1 0 RFC 2246 TLS 1 1 RFC 4346 and TLS 1 2 RFC 5246 are supported without extensions b Client authentication is supported i e if configured the client must submit a trusted certificate to the server When acting as either client or server the TOE is configure to negotiate the following ciphersuites in the following order of preference if a listed ciphersuite is not supported by the other party then the connection will be refused i TLS_RSA_WITH_AES_25
86. rs and or groups to be authenticated against a selected identity provider Applies the credentials collected by a require assertion listed below to authenticate a user or group specified in this authenticate assertion ii Authenticate against Identity Provider Requires provided client credentials to be successfully authenticated against a selected identity provider Applies the credentials collected by the require assertions to be authenticated Page 12 of 74 CA Layer 7 26 27 ii vi Security Target Require HTTP Basic Note should be used in conjunction with Require SSL or TLS Require that incoming requests to contain HTTP basic authentication credentials Require SAML Token Profile Requires incoming requests to contain a SAML Security Assertions Markup Language token Note The evaluated configuration defined in the Secure Installation Guide specifies a limited set of SAML attributes that may be used Require SSL or TLS Transport with Client Authentication Requires clients to connect via SSL or TLS and optionally to provide a valid trusted X 509 certificate Note This assertion appears in two different assertion palettes When accessed from the Access Control palette this assertion is labeled Require SSL or TLS Transport with Client Authentication and has the Require Client Certificate Authentication check box selected by default e When accessed from the Transport Layer Security pal
87. rvice client connections is optional based on the configuration specified by the administrator This is achieved via use of the Require SSL or TLS Transport Assertion Trusted path No other components The TSF shall leverage third party cryptographic suites to provide a communication path between itself and remote users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification and disclosure The TSF shall permit remote users to initiate communication via the trusted path Page 46 of 74 CA Layer 7 Security Target FTP_TRP 1 3 The TSF shall require the use of the trusted path for initial user authentication execution of management functions Dependencies No dependencies 5 4 Assurance Requirements 62 The TOE security assurance requirements summarized in Table 19 are drawn from the claimed Protection Profiles Table 19 Assurance Requirements Assurance Class Components Description Development ADV_FSP 1 Basic Functional Specification Guidance Documents AGD_OPE 1 Operational User Guidance AGD_PRE 1 Preparative User Guidance Tests ATE_IND 1 Independent Testing conformance Vulnerability Assessment AVA_VAN 1 Vulnerability Analysis Life Cycle Support ALC_CMC 1 Labelling of the TOE ALC_CMS 1 TOE CM Coverage Page 47 of 74 CA Layer 7 Security Target 6 TOE Summary Spec
88. s in the operational environment and how it is recognized as the valid controller of those products The evaluator shall confirm this behavior with testing One approach to doing this is to place the TOE and two compatible AC products on the same network The evaluator shall follow the documented configuration steps such that one of the AC products is associated with the TOE The evaluator shall then confirm that they now have the ability to manage only that AC product The evaluator shall capture traffic and replaying it against the other AC product and confirm that it has no effect The evaluator shall review the ST and operational guidance to determine if there are any other defined internal security attributes If there are the evaluator shall verify that they can be configured in the manner specified by the evidence and that their configuration has the effect defined in the evidence 20 FMT_MSA 1 2 The evaluator shall review the ST in order to determine that it specifies the operations that can be managed by the TSF For example the TSF must have the ability to create policies The data that can comprise these policies should be defined in the ST ASE_TSS 21 FMT_MSA 1 2 The evaluator shall then check the operational guidance in order to determine that it defines a set of managed attributes consistent with the ST and the TSF mechanisms by which these attributes can be manipulated AGD_OPE 22 FMT_MSA 1
89. s that user and verify that as a subject under the control of the TSF that they do not have write access to policy information This verifies that the aspects of the user s identity data that are pertinent to how the TSF treats the user are appropriately taken from external sources and utilized in order to determine what the user is able to do ATE_IND 17 FMT_MOF_ EXT 1 1 The evaluator shall test this capability by deploying the TOE in an environment where there is an Access Control component that is able to communicate with it The evaluator must configure this environment such that the Policy Management product is authorized to issue commands to the TOE Once this has been done the evaluator must use the Policy Management product to modify the behavior of the functions specified in the requirement above For ATE_IND Page 65 of 74 CA Layer 7 Security Target Source Requirement Assurance Family each function the evaluator must verify that the modification applied appropriately by using the Policy Management product to query the behavior for and after the modification The evaluator must also perform activities that cause the TOE to react ina manner that the modification prescribes These actions include for each function the following activities Audited events perform an event that was previously audited or not audited prior to the modification of the function s behavior and obs
90. sumption as follows a Policy Manager A GUI application that provides the user with the primary administrative interface to the Gateway The Policy Manager is used to construct policies and administer the TOE b Gateway One or more hardware or virtual appliances that enforce policy assertions to control web services Basic configuration is performed using the Gateway Configuration Utility a menu based Command Line Interface CLI The Gateway consumes policies defined by the Policy Manager which also provides the primary administrative interface The Gateway interfaces with client side applications that require communication with web services Client systems send message requests intended for the web service to the Gateway The Gateway then functions as a client side proxy enforcing access control decisions and applying necessary requirements such as identities protocols headers and or transformations to the message as required by the policy in use Policies modified through the Policy Manager are automatically applied in real time by the Gateway to ensure that all subsequent messages conform to the updated policy In a typical network the Gateway resides in the demilitarized zone DMZ shielding downstream services as it enforces policy assertions on incoming and outgoing messages A typical TOE deployment is depicted in Figure 1 gt TA sS S lt a XML VPN Client Gateway Cluster Figure 1 TO
91. t or TOE protected data T EAVES A malicious user could eavesdrop on network traffic to gain unauthorized access to TOE data T FALSIFY A malicious user can falsify the TOE s identity giving the Policy Management product false assurance that the TOE is enforcing a policy T FORGE A malicious user may create a false policy and send it to the TOE to Page 22 of 74 CA Layer 7 Security Target Identifier Description consume adversely altering its behavior T MASK A malicious user may attempt to mask their actions causing audit data to be incorrectly recorded or never recorded T NOROUTE A malicious or careless user may cause the TOE to lose connection to the source of its enforcement policies adversely affecting access control behaviors T OFLOWS A malicious user may attempt to provide incorrect Policy Management data to the TOE in order to alter its access control policy enforcement behavior T UNAUTH A malicious or careless user may access an object in the Operational Environment that causes disclosure of sensitive data or adversely affects the behavior of a system 3 2 Organizational Security Policies 48 Table 6 identifies the Organizational Security Policies OSPs drawn from the ESM Policy Manager PP Table 6 OSPs ESM Policy Manager PP Identifier Description P BANNER The TOE shall display an initial banner describing restrictions of use legal agreements or an
92. t record format type must be covered and must include a brief description of each field The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN 1 2 and the additional information specified in Table 16 The evaluator shall review the operational guidance and any available interface documentation in order to determine the administrative interfaces including subcommands scripts and configuration files that permit configuration including enabling or disabling of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP The evaluator shall document the methodology or approach taken to do this The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements Using this list the evaluation shall confirm that each security relevant administrative interface has a corresponding audit event that records the information appropriate for the event FAU_GEN 1 The evaluator shall test the TOE s audit function by having the TOE generate ATE_IND audit records for all events that are defined in the ST and or have been identified in the previous two activities The evaluator should then check the audit repository defined by the ST operational guidance or developmental evidence if available in order to
93. th the TOE The evaluator then observes that the session is terminated after the configured time period 34 FTA_SSL 4 The evaluator shall perform the following tests ATE_IND e Test 1 The evaluator initiates an interactive local session with the TOE The evaluator then follows the operational guidance to exit or log off the session and observes that the session has been terminated e Test 2 The evaluator initiates an interactive remote session with the TOE The evaluator then follows the operational guidance to exit or log off the session and observes that the session has been terminated 35 FTP_ITC 1 The evaluator shall check the operational guidance in order to determine the AGD_OPE 1 mechanism by which secure communications are enabled The evaluator shall ASE TSS also check the TSS operational guidance and other provided evidence to determine the means by which secure communications are facilitated Based on this the following analysis will be required e f cryptography is internal to the TOE the evaluator shall verify that the product has been validated by FIPS 140 2 if evaluating in the United States or Canada or an equivalent national standard for the nation in which the evaluation is being conducted e f cryptography is provided by the Operational Environment the evaluator shall review the operational guidance ST and any available design documentation to see how cryptography is utilized and to verify that the functions
94. thorized to configure the TOE The evaluator shall then attempt to use the Policy Management product to configure the TOE and observe that it is either disallowed or that the option is not even present 13 FMT_MSA 1 The evaluator shall review the TSS and the guidance documentation to confirm that the indicated attributes are maintained by the TOE The evaluation shall also confirm that the documentation indicates that the ability to perform the indicated operations are restricted to the identified roles which is anticipated a function provided by components compliant with the ESM Policy Definition PP ASE_TSS AGD_OPE 14 FMT_MSA 1 The evaluator shall use the associated Policy Definition product to confirm each identified operation against the indicated attributes may be performed and that the TOE interfaces do not provide the ability for any other roles to perform operations against the indicated attributes ATE_IND 15 FMT_MSA 3 The evaluator shall review the TSS and the guidance documentation to confirm that they describe how restrictive default values are put into place for example access control policies should operate in deny by default mode so that the absence of an access control rule doesn t fail to restrict an operation by the TOE ASE_TSS AGD_OPE 16 FMT_MSA 3 The evaluator shall use the associated Policy Definition product to confirm that for each identified security attribute and res
95. tion section of the Policy Authoring User Manual for a list of related attributes and behavior Require SAML Token Profile Requires incoming requests to contain a SAML token Refer to Require SAML Token Profile Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior In the evaluated configuration specified by the Secure Installation Guide the allowable attributes are as follows i SAML Version SAML v2 ii SAML Statement Type Authentication iii Authentication Methods Password Password Protected Transport SSL TLS Client Certificate authentication X 509 Public Key XML Digital Signature iv Authorization Statement Not applicable v Attribute Statement Not applicable vi Subject Confirmation Sender Vouches SV or Holder of Key vii Identifier Any viii Conditions Check Assertion Validity Period Require SSL or TLS Transport with Client Authentication Requires clients to connect via SSL or TLS and to provide a valid trusted X 509 certificate Refer to Require SSL or TLS Transport Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior Note This assertion appears in two different assertion palettes i When accessed from the Access Control palette this assertion is labeled Require SSL or TLS Transport with Client Authentication and has the Require Client Certificate Authentication check box selected by defa
96. trictive initial state the TOE implements the correct restrictive value ATE_IND 17 FMT_SMF 1 The evaluator shall check the TOE summary specification in order to determine what Policy Management and Secure Configuration Management product s are compatible with the TOE The evaluator shall deploy the TOE ina configuration with these compatible products and use these products to perform the functions defined in the Security Target and operational guidance For each advertised management function in the ST and operational guidance the evaluator shall use the Policy Management product to execute this management function Then for each management function the evaluator shall attempt this behavior and verify that the behavior observed is consistent with the expectations of the management function executed ATE_IND 18 FMT_SMR 1 The evaluator shall review the TSS and the guidance documentation to confirm that they describe how management authority is delegated via one or more roles and how an authorized Policy Definition product is associated with those roles ASE_TSS AGD_OPE 19 FMT_SMR 1 The evaluator shall use the associated Policy Definition product to connect to the TOE and confirm that it is operating in the assigned role The evaluation shall also confirm that a user or other external entity that has not been authorized for the indicated role cannot assume the indicated role ATE_IND 20 FP
97. ugh the WS Security decorator i Default security header is created ii Signatures specified by the policy are applied only applicable for SAML envelope signatures ili Encryption specified by the policy is performed not applicable in the evaluated configuration Response is sent back to the client All first level assertions in a policy including first level At least and All assertions folders must succeed in order for the overall policy to succeed When the policy succeeds the service requestor receives a response message If the policy fails the service requestor receives an error message Initial Gateway configuration is performed using the Gateway Configuration Utility described in Chapter 3 of the Installation and Maintenance Manual Appliance Edition Subsequent to initial setup configuration in performed by the Policy Manager The Gateway Configuration Utility recognizes only the ssgconfig and root roles The TOE restricts the ability to manage security attributes in accordance with Table 17 Policy values are restrictive by default access to objects is denied unless the administrator defines a policy to enable access A user may terminate their own interactive session at the Gateway Configuration Utility Policy Security Related SFRs ESM_ACT 1 FIA_UID 2 FIA_UAU 2 FTP_ITC 1 1 FTP_ITC 1 2 FTP_TRP 1 FPT_RPL 1 FCO_NRR 2 FIA_SOS 1 80 The Policy Manager transmits policies to the
98. ul authentication attempts has occurred default 5 and locks the associated account for a configurable period of time default 20 minutes For configuration details refer to the Managing Administrative User Account Policy section of the Policy Manager User Manual The TOE allows specification of a password policy in accordance with FIA_SOS 1 and terminates inactive local sessions at the Policy Manager after an administrator defined period of inactivity Users may also terminate their own session For configuration details refer to Managing Password Policy section of the Policy Manager User Manual The Policy Manager is a thick client Java application executed on a general purpose operating system Remote access to the Policy Manager application is not supported The Gateway Configuration Utility may be accessed locally or remotely Remote access is secured using SSH refer to section 6 7 for SSH details The TOE displays an administrator defined banner at logon to the Policy Manager For configuration details refer to the Administrative Account Cluster Properties section of the Policy Manager User Manual Page 53 of 74 CA Layer 7 Security Target 6 6 Continuity of Enforcement Related SFRs FPT_FLS_EXT 1 FRU_FLT 1 100 The Gateway continues policy enforcement in the event of a loss of connectivity with the Policy Manager by enforcing the last policy received Continuous connectivity with the Policy Manager is not expected o
99. ult ii When access from the Transport Layer Security palette this assertion is labeled Require SSL or TLS Transport and does not have the Require Client Certificate Authentication check box selected by default Page 49 of 74 CA Layer 7 6 1 2 71 6 1 3 72 6 2 Security Target Require WS Security Signature Credentials Requires that the web service target message includes an X 509 client certificate and has at least one element signed by that client certificate s private key as a proof of possession Refer to Require WS Security Signature Credentials Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior In the evaluated configuration specified by the Secure Installation Guide the allowable attributes are as follows i Allow multiple signatures Disabled unchecked ii Signature element variable Any ili Signature reference element variable Any Service Availability Assertions The following subset of service availability assertions are evaluated a Limit Availability to Time Days Enables restricting service access by a time and or day interval When the Gateway receives a request for the service it will check the time and or day restrictions before allowing the message to proceed Refer to Limit Availability to Time Days Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior Restrict Access to IP Address Range Enables
100. used have been validated by FIPS 140 2 if evaluating in the United States or Canada or an equivalent national standard for the nation in which the evaluation is being conducted 36 FTP_ITC 1 The evaluator shall test this capability by enabling secure communications on ATE_IND 1 the TOE and placing a packet sniffer on the local network They shall then use the TOE to perform actions that require communications to all trusted IT products with which it communicates and observe the captured packet traffic that is directed to or from the TOE to ensure that their contents are obfuscated 37 FTP_ITC 1 The evaluator shall check the operational guidance in order to determine the AGD_OPE 2 mechanism by which secure communications are enabled The evaluator shall ASE TSS also check the TSS operational guidance and other available evidence to determine the means by which secure communications are facilitated Based on this the following analysis will be required e f cryptography is internal to the TOE the evaluator shall verify that the product has been validated by FIPS 140 2 if evaluating in the United States or Canada or an equivalent national standard for the nation in which the evaluation is being conducted e f cryptography is provided by the Operational Environment the evaluator shall review the operational guidance ST and any available design documentation to see how cryptography is utilized and to verify that the functions used ha
101. ust also perform activities that cause the TOE to react ina manner that the modification prescribes These actions include for each function the following activities Audited events perform an event that was previously audited or not audited prior to the modification of the function s behavior and observe that the audit repository now logs or doesn t log this event based on the modified behavior Repository for remote audit storage observe that audited events are written to a particular repository modify the repository to which the TOE should write audited events perform auditable events and observe that they are no longer written to the original repository Access Control SFP perform an action that is allowed or disallowed by the current Access Control SFP modify the implemented SFP such that that action is now disallowed or allowed perform the same action and observe that the authorization differs from the original iteration of the SFP Policy being implemented by the TSF perform an action that is allowed or disallowed by a specific access control policy provide a TSF policy that now disallows or allows that action perform the same action and observe that the authorization differs from the original iteration of the FSP Access Control SFP behavior to implement in the event of communications outage perform an action that is handled in a certain manner in the event of a communications outage if applicable
102. ve been validated by FIPS 140 2 if evaluating in the United States or Canada or an equivalent national Page 69 of 74 CA Layer 7 Security Target Source Requirement Assurance Family standard for the nation in which the evaluation is being conducted 38 FTP_ITC 1 2 The evaluator shall test this capability by enabling secure communications on the TOE and placing a packet sniffer on the local network They shall then use the TOE to perform actions that require communications to all trusted IT products with which it communicates and observe the captured packet traffic that is directed to or from the TOE to ensure that their contents are obfuscated ATE_IND 39 FTP_TRP 1 The evaluator shall check the operational guidance to verify that it discusses the methods by which users will interact with the TOE such as a web application via HTTPS The evaluator shall check the operational guidance to determine if it discusses the mechanism by which a trusted path to the TOE is established and what environmental components if any the TSF relies on to assist in this establishment AGD_OPE 40 FTP_TRP 1 The evaluator shall test this capability in a similar manner to the assurance activities for FTP_ITC 1 If data transmitted between the user and the TOE is obfuscated the trusted path can be assumed to have been established ATE_IND Annex A 2 ESM Access Control PP Assurance Act
103. w of the audit data that in each configuration only the enabled events are recorded by the Access Control product FAU_STG_ EXT 1 The evaluator shall check the operational and preparatory guidance in order to determine that they describe how to configure and use an external repository for audit storage The evaluator shall also check the operational guidance in order to determine that a discussion on the interface to this repository is provided including how the connection to it is established how data is passed to it and what happens when a connection to the repository is lost and subsequently re established AGD_OPE FAU_STG_ EXT 1 The evaluator shall test this function by configuring this capability performing auditable events and verifying that the local audit storage and external audit storage contain identical data The evaluator shall also make the connection to the external audit storage unavailable perform audited events on the TOE re establish the connection and observe that the external audit trail storage is synchronized with the local storage Similar to the testing for FAU_GEN 1 this testing can be done in conjunction with the exercise of other functionality Finally since the requirement specifically calls for the audit records to be transmitted over the trusted channel established by FTP_ITC 1 verification of that requirement is sufficient to demonstrate this part of this one ATE_IND 10 FIA_AFL
104. ware executing on the appliance hardware is excluded from the physical boundary The various TOE form factors are marketed as Policy Manager software included a CA Layer 7 SecureSpan SOA Gateway Appliance Gateway ships on hardware b CA Layer 7 SecureSpan SOA Gateway Soft Appliance Gateway ships as a virtual appliance ssg appliance 8 0 5 CA Layer 7 SecureSpan SOA Gateway Software Gateway ships as software only for installation on client hardware ssg 8 0 5 Guidance Documents The TOE includes the following guidance documents a CA Layer 7 SecureSpan SOA Gateway v8 0 Installation and Maintenance Manual Appliance Edition b CA Layer 7 SecureSpan SOA Gateway v8 0 Secure Installation Guide Note This is the Common Criteria specific guidance document Layer 7 SecureSpan SOA Gateway v8 0 Policy Manager User Manual d CA Layer 7 SecureSpan SOA Gateway v8 0 Policy Authoring User Manual Non TOE Components The Gateway appliance is available on the following platforms a Hardware appliance Oracle X4170 M3 Server or equivalent b Virtual appliance VMWare Workstation ESXi vSphere The Policy Manager application runs on the following Operating Systems Java Virtual Machine and supporting hardware a Red Hat Enterprise Linux 4 or later Fedora Core 10 later Ubuntu 9 or later SUSE Linux 10 or later Microsoft Windows 7 or Server 2008 f Java Virtual Machine JRE 7u40 The TOE
105. way uses identity providers to authenticate and identify users and groups when authenticating messages and administrative access The Gateway can use its built in identity provider called the Internal Identity Provider or the Federated Identity Provider in an identity bridging scenario or interface directly with any LDAP based identity provider Note LDAP is not supported in the evaluated configuration b Trust store The Gateway maintains a trust store of certificates that do not belong to it but that are trusted and used for one or more vital security functions such as signing client certificates Certificates are imported into the Gateway trust store via the Policy Manager The Gateway can be configured to perform revocation checking for certificates through Certificate Revocation List CRL or Online Certificate Status Protocol OCSP UDDI The Gateway supports publishing of web services by using the Web Services Description Language WSDL located in a Universal Description Discovery and Integration UDDI registry Note UDDI is not supported in the evaluated configuration d Logging and auditing functionality The Gateway provides several logging and auditing features allowing users to monitor the activity and health of the Gateway and the ongoing success or failure of service policy resolution Auditing is provided for all system events and is configurable for individual service policies All audit records can be viewed through
106. wnThreshold cluster property and is 90 by default Additional detail regarding the audit functionality is provided in the Gateway Audit Events section of the Policy Manager User Manual Detail regarding the local system logs on the Gateway appliance is available at the following sections of the Installation and Maintenance Manual Appliance Addition a Viewing Logs on the Gateway Appliance b Configuring the Gateway Logging Functionality By default these local system logs consist of 10 log files of 20 MB each which are used and rolled over as they fill up The TOE uses an internal clock provided by the underlying hardware platform to maintain time If configured the TOE can synchronize the internal clock with an NTP server For configuration details refer to Configuring System Settings of the Installation and Maintenance Manual Appliance Addition Page 52 of 74 CA Layer 7 92 6 5 Security Target When configured in accordance with the Security Installation Guide the following policy assertions are used in support of system monitoring a Audit Message in Policy Enables auditing of messages within a policy It records events pertaining to the processing of a policy e g assertion violations Refer to the Audit Messages in Policy Assertion section of the Policy Authoring User Manual for a list of related attributes and behavior b Add Audit Detail Allows the definition of a custom message that can enhance the
107. y other appropriate information to which users consent by accessing the system 49 Table 7 identifies the OSPs drawn from the ESM Access Control PP Table 7 OSPs ESM Access Control PP Identifier Description P UPDATEPOL The organization will exercise due diligence to ensure that the TOE is updated with relevant policy data 3 3 Assumptions 50 Table 8 identifies the assumptions drawn from the ESM Policy Manager PP Table 8 Assumptions ESM Policy Manager PP Identifier Description A ESM The TOE will be able to establish connectivity to other ESM products in order to share security data A USERID The TOE will receive identity data from the Operational Environment Page 23 of 74 CA Layer 7 Security Target Identifier Description A MANAGE There will be one or more competent individuals assigned to install configure and operate the TOE 51 Table 9 identifies the assumptions drawn from the ESM Access Control PP Table 9 Assumptions ESM Access Control PP Identifier Description A AUDIT A protected repository will exist in the Operational Environment to which audit data can be written A POLICY The TOE will receive policy data from the Operational Environment A USERID The TOE will receive validated identity data from the Operational Environment A TIMESTAMP The TOE will receive a reliable timestamp from the Operational Environment A IN
Download Pdf Manuals
Related Search