0
s
Hewlett Packard Enterprise Development LP
HPE Operations Bridge Premium v2016.05 including HPE
Operations Manager i v10.11, HPE Operations Agent
v12.01, and HPE Operations Bridge Reporter v10.01
Security
Target
Evaluation Assurance Level (EAL): EAL2+
Document Version: 1.2
Prepared for: Prepared by:
Hewlett Packard Enterprise
Development LP
Corsec Security, Inc.
3000 Hanover Street 13921 Park Center Road, Suite 460
Palo Alto, CA 94304 Herndon, VA 20171
United States of America United States of America
Email: info@hpe.com Email: info@corsec.com
www.hpe.com www.corsec.com
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 2 of 71
Table of Contents
1. Introduction.......................................................................................................................................................5
1.1 Purpose .....................................................................................................................................................5
1.2 Security Target and TOE References.........................................................................................................6
1.3 Product Overview......................................................................................................................................6
1.3.1 HPE Operations Bridge Premium Overview .....................................................................................6
1.4 TOE Overview............................................................................................................................................7
1.4.1 HPE OMi 10.11..................................................................................................................................7
1.4.2 HPE OA 12.01....................................................................................................................................8
1.4.3 HPE OBR v10.01................................................................................................................................9
1.4.4 Brief Description of the Components of the TOE.......................................................................... 10
1.4.5 TOE Environment........................................................................................................................... 10
1.4.6 Product Physical/Logical Features and Functionality not included in the TOE............................. 15
1.5 TOE Description...................................................................................................................................... 15
1.5.1 Physical Scope ............................................................................................................................... 16
1.5.2 Logical Scope ................................................................................................................................. 17
2. Conformance Claims....................................................................................................................................... 20
3. Security Problem............................................................................................................................................. 21
3.1 Threats to Security................................................................................................................................. 21
3.2 Organizational Security Policies............................................................................................................. 22
3.3 Assumptions........................................................................................................................................... 22
4. Security Objectives ......................................................................................................................................... 23
4.1 Security Objectives for the TOE ............................................................................................................. 23
4.2 Security Objectives for the Operational Environment........................................................................... 23
4.2.1 IT Security Objectives.................................................................................................................... 23
4.2.2 Non-IT Security Objectives............................................................................................................ 24
5. Extended Components ................................................................................................................................... 25
5.1 Extended TOE Security Functional Components ................................................................................... 25
5.1.1 Class FDC: Data Collection and Analysis........................................................................................ 25
5.2 Extended TOE Security Assurance Components.................................................................................... 29
6. Security Requirements.................................................................................................................................... 30
6.1 Conventions ........................................................................................................................................... 30
6.2 Security Functional Requirements......................................................................................................... 30
6.2.1 Class FAU: Security Audit............................................................................................................... 32
6.2.2 Class FCO: Communication............................................................................................................ 33
6.2.3 Class FCS: Cryptographic Support.................................................................................................. 34
6.2.4 Class FDP: User Data Protection.................................................................................................... 36
6.2.5 Class FIA: Identification and Authentication................................................................................. 39
6.2.6 Class FMT: Security Management................................................................................................. 40
6.2.7 Class FPT: Protection of the TSF.................................................................................................... 42
6.2.8 Class FRU: Resource Utilization..................................................................................................... 43
6.2.9 Class FTA: TOE Access.................................................................................................................... 44
6.2.10 Class FTP: Trusted Path/Channels................................................................................................. 45
6.2.11 Class FDC: Data Collection and Analysis........................................................................................ 46
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 3 of 71
6.3 Security Assurance Requirements ......................................................................................................... 48
7. TOE Summary Specification............................................................................................................................ 49
7.1 TOE Security Functionality ..................................................................................................................... 49
7.1.1 Security Audit ................................................................................................................................ 50
7.1.2 Communication............................................................................................................................. 53
7.1.3 Cryptographic Support .................................................................................................................. 53
7.1.4 User Data Protection..................................................................................................................... 54
7.1.5 Identification and Authentication ................................................................................................. 54
7.1.6 Security Management ................................................................................................................... 54
7.1.7 Protection of the TSF..................................................................................................................... 55
7.1.8 Resource Utilization ...................................................................................................................... 56
7.1.9 TOE Access..................................................................................................................................... 56
7.1.10 Trusted Path/Channels.................................................................................................................. 56
7.1.11 Data Collection and Analysis ......................................................................................................... 56
8. Rationale......................................................................................................................................................... 58
8.1 Conformance Claims Rationale.............................................................................................................. 58
8.2 Security Objectives Rationale ................................................................................................................ 58
8.2.1 Security Objectives Rationale Relating to Threats ........................................................................ 58
8.2.2 Security Objectives Rationale Relating to Policies ........................................................................ 59
8.2.3 Security Objectives Rationale Relating to Assumptions................................................................ 59
8.3 Rationale for Extended Security Functional Requirements................................................................... 61
8.4 Security Requirements Rationale........................................................................................................... 61
8.4.1 Rationale for Security Functional Requirements of the TOE Objectives....................................... 61
8.4.2 Security Assurance Requirements Rationale ................................................................................ 64
8.4.3 Dependency Rationale .................................................................................................................. 64
9. Acronyms........................................................................................................................................................ 67
List of Figures
Figure 1 – Deployment Configuration of the TOE ................................................................................................... 11
Figure 2 – FDC: Data Collection and Analysis Class Decomposition........................................................................ 26
Figure 3 – System analysis family decomposition................................................................................................... 26
Figure 4 – System scan family decomposition ........................................................................................................ 27
Figure 5 – Scanned data storage family decomposition ......................................................................................... 28
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 4 of 71
List of Tables
Table 1 – ST and TOE References ...............................................................................................................................6
Table 2 – Minimum System Requirements ............................................................................................................. 13
Table 3 – TOE Guidance Documents ....................................................................................................................... 16
Table 4 – CC and PP Conformance .......................................................................................................................... 20
Table 5 – Threats ..................................................................................................................................................... 21
Table 6 – Assumptions............................................................................................................................................. 22
Table 7 – Security Objectives for the TOE............................................................................................................... 23
Table 8 – IT Security Objectives............................................................................................................................... 24
Table 9 – Non-IT Security Objectives....................................................................................................................... 24
Table 10 – Extended TOE Security Functional Requirements ................................................................................. 25
Table 11 – TOE Security Functional Requirements ................................................................................................. 30
Table 12 – RSA BSAFE® Crypto-J JSAFE and JCE Software Module 6.2.1 Cryptographic Operations...................... 34
Table 13 – OpenSSL FIPS Object Module 2.0.12 Cryptographic Operations........................................................... 35
Table 14 – Resource Permissions ............................................................................................................................ 36
Table 15 – Assurance Requirements....................................................................................................................... 48
Table 16 – Mapping of TOE Security Functionality to Security Functional Requirements...................................... 49
Table 17 – Audit Log Contexts................................................................................................................................. 50
Table 18 – User/Group Management Configuration Changes................................................................................ 51
Table 19 – Operations Management Event Changes.............................................................................................. 51
Table 20 – Operations Management Configuration Changes................................................................................. 52
Table 21 – Threats: Objectives Mapping................................................................................................................. 58
Table 22 – Assumptions: Objectives Mapping ........................................................................................................ 59
Table 23 – Objectives: SFRs Mapping...................................................................................................................... 61
Table 24 – Functional Requirements Dependencies............................................................................................... 65
Table 25 – Acronyms ............................................................................................................................................... 67
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 5 of 71
1. Introduction
This section identifies the Security Target (ST), Target of Evaluation (TOE), and the ST organization. The TOE is HPE
Operations Bridge Premium v2016.05 including HPE Operations Manager i v10.11 Build 016.001.63210 Hotfix
QCCR8D53202_1011, HPE Operations Agent v12.01 Build 020, and HPE Operations Bridge Reporter v10.01 Build
953.00001 and will hereafter be referred to as the TOE throughout this document. The TOE is software-only and
provides event monitoring, correlation, analysis, reporting, and automation services across an Information
Technology (IT) environment.
1.1 Purpose
This ST is divided into nine sections, as follows:
• Introduction (Section 1) – Provides a brief summary of the ST contents and describes the organization of
other sections within this document. It also provides an overview of the TOE security functionality and
describes the physical and logical scope for the TOE, as well as the ST and TOE references.
• Conformance Claims (Section 2) – Provides the identification of any Common Criteria (CC), Protection
Profile (PP), and Evaluation Assurance Level (EAL) package claims. It also identifies whether the ST contains
extended security requirements.
• Security Problem (Section 3) – Describes the threats, organizational security policies, and assumptions
that pertain to the TOE and its environment.
• Security Objectives (Section 4) – Identifies the security objectives that are satisfied by the TOE and its
environment.
• Extended Components (Section 5) – Identifies new components (extended Security Functional
Requirements (SFRs) and extended Security Assurance Requirements (SARs)) that are not included in CC
Part 2 or CC Part 3.
• Security Requirements (Section 6) – Presents the SFRs and SARs met by the TOE.
• TOE Summary Specification (Section 7) – Describes the security functions provided by the TOE that satisfy
the security functional requirements and objectives.
• Rationale (Section 8) – Presents the rationale for the security objectives, requirements, and SFR
dependencies as to their consistency, completeness, and suitability.
• Acronyms (Section 9) – Defines the acronyms and terminology used within this ST.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 6 of 71
1.2 Security Target and TOE References
Table 1 below shows the ST and TOE references.
Table 1 – ST and TOE References
ST Title
Hewlett Packard Enterprise Development LP HPE Operations Bridge Premium v2016.05 including
HPE Operations Manager i v10.11, HPE Operations Agent v12.01, and HPE Operations Bridge
Reporter v10.01 Security Target
ST Version Version 1.2
ST Author Corsec Security, Inc.
ST Publication Date 11/15/2017
TOE Reference
HPE Operations Bridge Premium v2016.05 including:
• HPE Operations Manager i v10.11 Build 016.001.63210 Hotfix: QCCR8D53202_1011
• HPE Operations Agent (OA) v12.01 Build 020
• HPE Operations Bridge Reporter v10.01 Build 953.00001
FIPS1 140-2 Status
• Level 1, RSA BSAFE® Crypto-J JSAFE and JCE2 Software Module, Software Version 6.2.1,
Certificate No. 2469
• Level 1, OpenSSL FIPS Object Module, Software Version 2.0.12, Certificate No. 1747
1.3 Product Overview
The Product Overview provides a high-level description of the product that is the subject of the evaluation. The
following section, TOE Overview, will provide the introduction to the parts of the overall product that are
specifically being evaluated.
1.3.1 HPE Operations Bridge Premium Overview
HPE Operations Bridge Premium, also referred to as “HPE OpsBridge”, is an IT event correlation and management
software product. The HPE OpsBridge software includes the following components:
• HPE Operations Manager i (OMi)
• HPE Operations Agent (OA)
• HPE Operations Bridge Reporter (OBR)
The HPE OA is responsible for collecting event data from monitored systems. HPE OMi is responsible for receiving
the event data and performing event data processing, automation and correlation. HPE OBR is a cross domain
performance reporting tool.
All infrastructure events from various IT management systems are funneled into HPE OpsBridge via the HPE OA,
where they are correlated via HPE OMi based on the relationships between Configuration Items (CIs) and analyzed
to determine the root cause of a service condition. The HPE OpsBridge software allows events from monitored
systems to be automatically prioritized via HPE OMi based on business rules associated with Key Performance
1
FIPS – Federal Information Processing Standards
2
JCE – Java Cryptography Extension
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 7 of 71
Indicators (KPIs) and Health Indicators (HIs) assigned to CIs within the IT topology. HPE OpsBridge also allows
automatic workflows and actions to be triggered upon the detection of a service condition.
HPE OpsBridge provides the capability to forward events from monitored systems to other HPE products including
Service Manager (SM), Service Anywhere (SAW), or corresponding third party trouble ticket systems where tickets
are created from the forwarded events. Events from monitored systems can also be received from various
applications including Business Service Management (BSM), AppPulse, Operations Manager (OM)3
, Network Node
Manager i (NNMi), SiteScope (SiS), Nagios, and Microsoft System Center Operations Manager (SCOM). HPE
OpsBridge can integrate with Operations Orchestration (OO) to trigger the launch of a work-flow in the context of
an event. Additionally, HPE OpsBridge can integrate with HPE CMS4
/UCMDB5
to synchronize the topological data
between HPE OpsBridge and CMS.
HPE OpsBridge utilizes FIPS 140-2 cryptographic modules and the SP6
800-90A HMAC7
DRBG8
to generate keys for
all cryptographic operations.
1.4 TOE Overview
The TOE Overview summarizes the usage and major security features of the TOE. The TOE Overview provides a
context for the TOE evaluation by identifying the TOE type and describing the TOE.
The TOE is an IT event correlation and management software suite that includes the following HPE OpsBridge
components:
• HPE OMi Software
• HPE OA Software
• HPE OBR Software
1.4.1 HPE OMi 10.11
HPE OMi is the central component of the HPE OpsBridge product. HPE OMi receives events and topology
information from HPE OA and processes, correlates, and analyzes events to identify service conditions. HPE OMi
provides the following security features:
• Generates audit records for security relevant events (which can only be reviewed by authorized users)
• Provides automatic failover services to ensure the secure state and continued operations of the TOE
• Distributes certificates to HP OAs for the secure transmission of configuration and event data
• Enforces TOE user access control and provides a login banner warning against unauthorised use of the
TOE
• Provides cryptographic support to protect event data from disclosure or modification when transferred
internally between TOE components
3
Operations Manager is a legacy systems monitoring product, not to be confused with OMi.
4
CMS – Configuration Management System
5
UCMDB – Universal Configuration Management Database System
6
SP – Special Publication
7
HMAC – Hash Message Authentication Code
8
DRBG – Deterministic Random Bit Generator
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 8 of 71
• Provides cryptographic support to secure trusted paths and channels between itself and user workstations
and external servers
The two primary components of HPE OMi include the HPE OMi Gateway (GW) Server and the HPE OMi Data
Processing (DP) Server.
1.4.1.1 Gateway Server
The HPE OMi GW server is the front end component that provides the HPE OMi Web UI9
, OMi CLI10
, JMX11
Console,
and various CLI tools used to perform the HPE OMi GW server’s security management services. The HPE OMi Web
UI security management services include:
• Audit configuration
• User management and access control
• Authentication setup
• Event collection and analysis
• Run-Time Service Model (RTSM)12
administration.
• Automatic failover configuration
Additionally, the HPE OMi GW server provides web services APIs13
for integrations with external systems. The
web services APIs and HPE OMi Web UI are served by the Hewlett Packard Application Server (HPAS) and the
included web server is Apache 2.4.
1.4.1.2 Data Processing Server
The HPE OMi DP server is the back-end component that interacts with an external Oracle or Microsoft SQL14
database server for event storage. The HPE OMi DP server includes the event pipeline which relates incoming
events with CIs, correlates events, automates actions, and stores events in the database. The HPE OMi DP server
provides the OMi DP CLI for security management tasks. The OMi DP CLI includes the following tools:
• ovcm tool (to manage certificates)
• opr-archive-events tool (to delete closed events from the database)
• opr-agt tool (to manage and configure HP OA)
• opr-node tool (to manage nodes in the RTSM)
The HPE OMi DP server uses the HPAS and maintains a certificate server that issues certificates used for
authentication and signing event/configuration payloads. Additionally, the DP server provides automatic failover
services via a High-Availability Controller (HAC) and backup DP server.
1.4.2 HPE OA 12.01
HPE OA is responsible for collecting event data from monitored systems and consists of the Operations Monitoring
Component and the Performance Collection Component. The Operations Monitoring Component builds up the
9
UI – User Interface
10
CLI – Command Line Interface
11
JMX – Java Management Extensions
12
RTSM is a self-contained instance of the HP Universal Configuration Management Database (UCMDB) product.
13
API – Application Programming Interface
14
SQL – Structured Query Language
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 9 of 71
monitoring and messaging capabilities of HPE OA and the Performance Collection Component provides the data
collection and storage functionality. These components provide security management CLI tools that aid in the
enforcement of the data collection and analysis functionality of the TOE. The HPE OA also utilizes cryptographic
support to ensure that event data is protected when transmitted between TOE components.
The Operations Monitoring Component includes the following sub-components:
• Monitor Agent
• Action Agent
• Message Agent
• Trap Interceptor
• WMI15
Interceptor
• Message Interceptor
• Logfile Encapsulator
• Event Correlation Agent
• Embedded Performance Component
The Performance Collection Component includes the following sub-components:
• Scope Collector
• Measurement Interface Daemon
• Transaction Tracking Daemon
• Embedded Performance Component
1.4.3 HPE OBR v10.01
HPE OBR processes event and topology information from HPE OMi and the HPE OA and displays them in reports.
HPE OBR is a historical infrastructure reporting tool that displays high level cross-domain reports and detailed
domain level reports. Domains include the server, network and application environments from which HPE OBR
collects data. Cross-domain reports display data from related domains to give a broad picture of the health and
performance of an IT infrastructure. HPE OBR reports can be used to analyze patterns in the IT environment,
forecast IT resource performance based on historical data, and perform a custom analysis of the data using report
filters.
HPE OBR reports are available in content packs. Content packs contain the rules that define how the performance
metrics will be collected, transformed, and aggregated in the reports. A typical content pack defines the metrics
for a specific domain along with the necessary rules for analysis required in that domain.
HPE OBR provides cryptographic support to ensure that event data is protected from disclosure or modification
when transmitted between TOE components and to secure trusted path and channels between itself and user
workstations and external servers.
HPE OBR provides the web-based HPE OBR Admin console and OBR CLI for configuration and management of the
platform and installed content packs. The HPE OBR Admin console provides security management tasks, enforces
authentication mechanisms, and presents a login banner warning against unauthorised use of the TOE.
15
WMI – Windows Management Instrumentation
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 10 of 71
The OBR CLI utilizes the following tools and services for security management tasks:
• Create Vertica Database Tool
• Configure Poller Tool
• OBR Full Restore Tool
• OBR Backup Tool
• License Manager Tool
• Dimension Manager Tool
• Downtime Utility Tool
• Admin Server Client Auth Tool
1.4.4 Brief Description of the Components of the TOE
The HPE Operations Bridge Premium v2016.05 media kit includes the following components:
• HPE OMi v10.11 Build 016.001.63210 Hotfix: QCCR8D53202_1011
• HPE OBR v10.01 Build 953.00001
• HPE OA v12.01 Build 020
The software media kits differ depending on the operating system on which the TOE components are installed.
Also, the same media kit is available in the following languages:
• Russian
• Simplified Chinese
• Korean
• Japanese
• French
• Spanish
• German
• English
1.4.5 TOE Environment
The evaluated configuration includes the HPE Operations Bridge Premium v2016.05 media kit (English) with both
the Windows and Linux versions of the HPE OMi and HPE OA media kit zip files and the Linux version of the HPE
OBR media kit. The TOE includes two instances of the HPE OMi GW server, four instances of the HPE OMi DP
servers, and two instances of the HPE OAs. The TOE also includes one HPE OBR Server and one HPE OBR Remote
Collector (installed from the HPE OBR software binary).
Figure 1 depicts the detailed deployment diagram for the TOE components in the evaluated configuration. The
following are previously undefined acronyms that appear within the diagram:
• AD – Active Directory
• HTTPS – Hypertext Transfer Protocol Secure
• JDBC – Java Database Connectivity
• JMS – Java Message Service
• LDAP – Lightweight Directory Access Protocol
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 11 of 71
• LDAP/S – Lightweight Directory Access Protocol over Secure Sockets Layer (SSL)
• NTP – Network Time Protocol
• OS – Operating System
• RHEL – Red Hat Enterprise Linux
Figure 1 – Deployment Configuration of the TOE
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 12 of 71
1.4.5.1 Non-TOE Hardware/Software/Firmware Requirements
The TOE requires the following non-TOE hardware and software to be properly configured and available in the
operational environment for its essential operation:
• LDAP or AD server
• NTP server
• Certificate authority (used to issue user certificates)
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 13 of 71
Though this hardware and software is necessary for the TOE’s operation, it is not part of the TOE. Table 2
specifies the minimum system requirements for the proper operation of the TOE.
Table 2 – Minimum System Requirements
TOE
Component
Hardware Requirements OS Requirements DB16
Requirements
Browser
Requirements
Other
Requirements
HPE OMi • 4 CPU17 (64 bit)
• Minimum Memory:
o Small (up to 2,000
nodes) – 8GB18 for
DP server, 4GB for
GW server
o Medium (up to 5,000
nodes) – 12GB for DP
server, 6GB for GW
server
o Large (more than
5,000 nodes) – 26GB
for DP server, 10GB
for GW server
• RHEL 6.7
• Microsoft
Windows
Server 2012 R2
• Microsoft SQL
Server 2014 or
Oracle DB 12c
(Enterprise or
Developer
editions)
• Small
Deployment:
2 CPU cores, 2
GB RAM19
• Medium
Deployment:
2 CPU cores, 2
GB RAM
• Large
Deployment:
4 CPU cores, 4
GB RAM
• Mozilla
Firefox 38
ESR (for
RHEL)
• Internet
Explorer 11
(for
Windows)
• Browser
requires
JRE20
1.7.0_67 or
greater, or
1.8.0_25 or
greater.
• Adobe Flash
Player 14 or
later for
Windows
• Flash Player
11.2 or later
for RHEL
HPE OA • Minimum Memory: 2 GB
or more
• Processor: 1-2 CPU
• Disk Space: 4 GB of free
disk space; 500 MB21 free
disk space for temporary
files
• Microsoft
Windows
Server 2012 R2
• N/A • N/A • N/A
16
DB – Database
17
CPU – Central Processing Unit
18
GB – Gigabyte
19
RAM – Random-Access Memory
20
JRE – Java Runtime Environment
21
MB – Megabytes
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 14 of 71
TOE
Component
Hardware Requirements OS Requirements DB16
Requirements
Browser
Requirements
Other
Requirements
HPE OBR
Server
Small Deployment:
• 8 CPU (64 bit) cores
• 16 GBRAM
• Diskspace: 400 GB for DB
and 100 GB for software
Medium Deployment (1):
• 12 CPU (64 bit) cores
• 24 GB RAM
• Diskspace: 800 GB for DB
and 200 GB for software
Medium Deployment (2):
• 16 CPU (64 bit) cores
• 48 GB RAM
• Diskspace: 1.6 TB22 for DB
and 400 GB for software
Large Deployment:
• 24 CPU (64 bit) cores
• 64 GB RAM
• Diskspace: 4.5 TB for DB
and 0.5 TB for software
• RHEL 6.7 • External
Vertica
Database: 8
CPU; 16 GB
RAM;
Diskspace:
350 GB, RHEL
6.7
• Mozilla
Firefox 38
ESR or
Internet
Explorer 11
browser
• ActiveX &
JavaScript
controls
must be
enabled on
browser
• Browser
requires
JRE 1.7 or
JRE 1.8
• N/A
HPE OBR
Remote
Collector
• 4 CPU (64 bit) cores
• 8 GB RAM
• Diskspace: 300 GB
• RHEL 6.7 • N/A • N/A • N/A
22
TB – Terabyte
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 15 of 71
1.4.6 Product Physical/Logical Features and Functionality not
included in the TOE
The HPE Operations Bridge Premium v2016.05 provides other security features that are out of the scope of the
TOE. These features are not included in the TOE and will not be evaluated, and therefore there is no assurance
level associated with them. The features not included in the TOE are the following:
• HPE Service Health Analyzer
• Local authentication
• SAP BO23
Server
o Including SAP BO BI Launchpad and SAP BO Central Management Console (except for initial
configuration tasks)
• Content Development Environment (CLI and UI)
• The following HPE OMi API calls:
o SendEvent
o SubmitEvent
• The following HPE OMi CLI tools:
o ConfigExchangeSiS Tool
o BBC Trust Server Tool
o opr-sis-file-manager Tool
o opr-close-events Tool
o opr-import-events Tool
o Content Pack Auto Upload Tool
o Content Pack Manager Tool
• The OA Java API
• The OMi JMX Console except for the hac-backup MBean service (required for HA configuration)
• The following HPE OBR CLI tools/services:
o Enable NNMi Integration Tool
o NNMi Remote Mount Tool
o setenv, CreateCPFolders, createManifest Template Tool
• Lightweight Single Sign-On (LW-SSO)
• User Engagement
• OpenSSL 1.0.2j – The product contains a FIPS-capable OpenSSL 1.0.2j library which is linked with the
OpenSSL FIPS Object Module 2.0.12. The non-FIPS functionality provided by OpenSSL 1.0.2j is not the
cryptographic functionality evaluated in Class FCS: Cryptographic Support and there is no such assurance
provided for the non-FIPS cryptographic functionality.
1.5 TOE Description
This section primarily addresses the physical and logical components of the TOE that are included in the evaluation.
23
BO – BusinessObjects
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 16 of 71
1.5.1 Physical Scope
The software-only TOE is a distributed system composed of the HPE OMi, OA, and OBR software. The HPE OMi
software includes the GW and DP server components and the Management packs. The HPE OBR software includes
the OBR Server, OBR Remote Collector, and Content packs.
The TOE is packaged along with the electronic documentation as an ISO24
-9660 image for HPE OBR, and as
multiple .zip files for HPE OMi. The HPE OA software binary is available as part of the HPE OMi package and as a
separate ISO image.
The TOE guidance documents are also available on the HPE Software Support website
(https://softwaresupport.HPE.com/) for registered customers to download.
The following guides in Table 3 are available in PDF25
format and are required reading and part of the TOE:
Table 3 – TOE Guidance Documents
HPE Operations Manager i; Software Version: 10.11; OMi Administration Guide;
Document Release Date: 25 May 2016; Software Release Date: May 2016
HPE Operations Manager i; Software Version: 10.11; OMi User Guide;
Document Release Date: 25 May 2016; Software Release Date: May 2016
HPE Operations Manager i; Software Version: 10.11; OMi Extensibility Guide;
Document Release Date: 25 May 2016; Software Release Date: May 2016
HPE Operations Manager i; Software Version: 10.11; OMi FIPS Configuration Guide;
Document Release Date: 25 May 2016; Software Release Date: May 2016
HPE Operations Manager i; Software Version: 10.11; OMi Database Guide;
Document Release Date: 25 May 2016; Software Release Date: May 2016
HPE Operations Manager i; Software Version: 10.11; RTSM Administration Guide;
Document Release Date: May 2016; Software Release Date: May 2016
HPE Operations Agent; Software Version: 12.01; Reference Guide;
Document Release Date: May 2016; Software Release Date: May 2016
HPE Operations Agent and Infrastructure SPIs; Software Version: 12.01; Installation Guide;
Document Release Date: May 2016; Software Release Date: May 2016
HPE Operations Agent; Software Version: 12.01; User Guide;
Document Release Date: May 2016; Software Release Date: May 2016
HPE Operations Bridge Reporter; Software Version: 10.01; Administration Guide;
Document Release Date: June 2016; Software Release Date: June 2016
HPE Operations Bridge Reporter; Software Version: 10.01; Configuration Guide;
Document Release Date: June 2016; Software Release Date: June 2016
HPE Operations Bridge Reporter; Software Version: 10.01; Release Notes; Document Release
Date: May 2017; Software Release Date: June 2016
24
ISO – International Organization for Standardization
25
PDF – Portable Document Format
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 17 of 71
Hewlett Packard Enterprise Development LP; HPE Operations Bridge Premium v2016.05
including HPE Operations Manager i v10.11, HPE Operations Agent v12.01, and HPE
Operations Bridge Reporter v10.01; Security Target; Evaluation Assurance Level (EAL):
EAL2+ v1.2 (This document)
Hewlett Packard Enterprise Development LP; HPE Operations Bridge Premium v2016.05
including HPE Operations Manager i v10.11, HPE Operations Agent v12.01, and HPE
Operations Bridge Reporter v10.01; Guidance Documentation Supplement Document;
Evaluation Assurance Level (EAL): EAL2+ v1.1
1.5.2 Logical Scope
The logical boundary of the TOE will be broken down into the following security classes which are further described
in sections 6 and 7 of this ST. The logical scope also provides the description of the security features of the TOE.
The security functional requirements implemented by the TOE are usefully grouped under the following Security
Function Classes:
• Security Audit
• Communication
• Cryptographic Support
• User Data Protection
• Identification and Authentication
• Security Management
• Protection of the TSF26
• Resource Utilization
• TOE Access
• Trusted Path/Channels
• Data Collection and Analysis
1.5.2.1 Security Audit
The Security Audit functionality provides the capability to generate audit data for HPE OMi security relevant
events and records the identity of the subject responsible for initiating the event. TOE users27
or administrators28
with sufficient audit log permissions have access to view the audit logs. The TOE prevents any unauthorised
deletion and modification of the audit logs.
1.5.2.2 Communication
The Communication functionality ensures that HPE OMi servers distribute certificates to HPE OAs for the secure
transmission of configuration and event data. Signatures are applied to configuration payloads sent between the
HPE OMi GW server and HPE OAs.
1.5.2.3 Cryptographic Support
The Cryptographic Support functionality utilizes the FIPS-validated RSA BSAFE® Crypto-J Module (software version
6.2.1, cert #2469) for Java based components of HPE OMi and the OpenSSL FIPS Object Module (software version
26
TSF – TOE Security Functions
27
“TOE users” refers to users with no administrative privileges.
28
“Administrators” refers to users with administrative privileges.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 18 of 71
2.0.12, cert #1747) for C++ based components of HPE OMi. These FIPS-validated modules are used by the HPE
OMi TOE component to perform all cryptographic functions.
HPE OBR also utilizes the FIPS-validated RSA BSAFE® Crypto-J Module (software version 6.2.1, cert #2469) and the
OpenSSL FIPS Object Module (software version 2.0.12, cert #1747). The TOE destroys all keys according to the FIPS
140-2 standard (by overwriting with zeroes).
1.5.2.4 User Data Protection
The User Data Protection functionality enforces the Resource Access Control SFP29
for controlling the access of
HPE OMi users to resources. The Resource Access Control SFP is also enforced when exporting event data from
HPE OMi servers to targeted systems.
1.5.2.5 Identification and Authentication
The Identification and Authentication functionality requires TOE users and administrators to be identified and
authenticated before gaining access to any TOE functionality. The TOE utilizes LDAP and X.509 certificate-based
remote authentication.
1.5.2.6 Security Management
The Security Management functionality provides the capability for administrators with authorized roles to manage
the security functionality, TSF data, and attributes provided by the TOE. HPE OMi provides the Super-Admin role
and custom roles.
1.5.2.7 Protection of the TSF
The Protection of the TSF functionality ensures that the TOE maintains a secure state in the event of an HPE OMi
DP server failure. The TOE also ensures that event data is protected from disclosure or modification when
transferred internally between TOE components.
1.5.2.8 Resource Utilization
The Resource Utilization functionality provides the capability for the TOE to perform automatic failover
procedures to ensure that all capabilities of the TOE are still operational in the event of an HPE OMi DP server
failure.
1.5.2.9 TOE Access
The TOE Access functionality ensures that an advisory TOE access banner is displayed on the HPE OMi Web UI and
HPE and OBR Admin console warning the TOE user or administrator against unauthorised access.
1.5.2.10 Trusted Path/Channels
The Trusted Path/Channels functionality provides Inter-TSF trusted channels for LDAP authentication via LDAP/S
connections, HPE OMi external database communications via JDBC over TLS, and HPE OBR external database
communications via JDBC over TLS. This functionality also provides a trusted path for HTTPS connections from TOE
user or administrator workstations to the HPE OMi Web UI and HPE OBR Admin console interface.
1.5.2.11 Data Collection and Analysis
The Data Collection and Analysis functionality provides the capability for the TOE to monitor systems and gather
event data. After the event data is gathered, the TOE performs an analysis of the event data to discover potential
29
SFP – Security Function Policy
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 19 of 71
security violations. Event data is stored in an embedded or external database and the TOE does not allow deletion
or modification of event data by unauthorised TOE users.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 20 of 71
2. Conformance Claims
This section and Table 4 provide the identification for any CC, PP, and EAL package conformance claims. Rationale
is provided for any extensions or augmentations to the conformance claims. Rationale for CC and PP conformance
claims can be found in Section 8.
Table 4 – CC and PP Conformance
Common Criteria (CC)
Identification and
Conformance
Common Criteria for Information Technology Security Evaluation, Version 3.1, Release 4,
September 2012; CC Part 2 extended; CC Part 3 conformant; PP claim (none); Parts 2 and 3
Interpretations of the CEM as of 11/15/2017 were reviewed, and no interpretations apply to the
claims made in this ST.
PP Identification None
Evaluation Assurance Level EAL2+ Augmented with Flaw Reporting Procedures (ALC_FLR.2)
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 21 of 71
3. Security Problem
This section describes the security aspects of the environment in which the TOE will be used and the manner in
which the TOE is expected to be employed. It provides the statement of the TOE security environment, which
identifies and explains all:
• Known and presumed threats countered by either the TOE or by the security environment
• Organizational security policies with which the TOE must comply
• Assumptions about the secure usage of the TOE, including physical, personnel and connectivity aspects
3.1 Threats to Security
This section identifies the threats to the IT assets against which protection is required by the TOE or by the security
environment. The threat agents are divided into two categories:
• TOE users: Authorized users who may misuse the TOE.
• Attacker who is not a TOE user: entities that have public knowledge of how the TOE operates and are
assumed to possess a low skill level, limited resources for attempting to tamper with the TOE, and have
no physical access to the TOE.
• Operational conditions that cause the operation of the TOE to be interrupted as a result of hardware
failures (e.g. power supplies, storage media, etc.) or software failures, where the source of the threat is
non-human.
Both are assumed to have a low level of motivation. The IT assets requiring protection are the TSF and user data
saved on or transitioning through the TOE and the hosts on the protected network. Removal, diminution and
mitigation of the threats are through the objectives identified in Section 4.1. Table 5 below lists the applicable
threats.
Table 5 – Threats
Name Description
T.DATA_AVAILABILITY TOE data or capabilities may become unavailable due to DP server failures caused by an attacker who is
not a TOE user (e.g. performing a denial of service attack), or an operational condition (power failures,
etc.).
T.ADMIN_ERROR A TOE user may incorrectly install or configure the TOE resulting in ineffective security mechanisms.
T.AUDIT_COMPROMISE An attacker who is not a TOE user may view audit records cause audit records to be lost or modified, or
prevent future records from being recorded, thus masking an attacker who is not a TOE user’s actions.
T.BAD_STATE An attacker who is not a TOE user may exploit vulnerabilities in monitored IT entities that reach an insecure
state without the network administrators becoming aware.
T.DATA_COMPROMISE An attacker who is not a TOE user may read, modify, delay, or destroy security critical TOE configuration
data stored on the TOE or being transmitted between physically separated parts of the TOE.
T.UNAUTHORISED_ACCESS A TOE user may gain unauthorised access (view, modify, delete) to user data through possible misuse.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 22 of 71
3.2 Organizational Security Policies
There are no Organizational Security Policies defined for this Security Target.
3.3 Assumptions
This section describes the security aspects of the intended environment for the evaluated TOE. The operational
environment must be managed in accordance with assurance requirement documentation for delivery, operation,
and user guidance. Table 6 lists the specific conditions that are required to ensure the security of the TOE and are
assumed to exist in an environment where this TOE is employed.
Table 6 – Assumptions
Name Description
A. AUTH The TOE environment will provide the identification and authentication repository of users attempting to manage
and use the TOE.
A.MANAGE There are one or more competent individuals assigned to manage the TOE and the security of the information it
contains. Administrators of the TOE are assumed to be appropriately trained to undertake the installation,
configuration and management of the TOE in a secure and trusted manner.
A.LOCATE The TOE, and all components of the TOE environment, including the authentication servers and database servers
are located within a controlled access facility and appropriately located within the network to perform their
functions. The devices with which the TOE communicates for exporting events are also located within a controlled
access facility. Administrative and user workstations are located within a separate controlled access facility.
A.OS_ACCESS The TOE environment is in a secure state and provides a sufficient level of protection to itself and the TOE
components.
A.PROTECT The TOE software will be protected from unauthorised modification.
A.NOEVIL The administrators and users of the TOE are non-hostile, appropriately trained, and follow all guidance.
A.SECURE_COM The TOE environment provides the necessary network infrastructure required for its operation and ensures the
TOE is secured and protected from interference or tampering by using a firewall to prevent access from non-
trusted entities. Additionally, the TOE environment provides a sufficient level of protection to secure
communications between the TOE and network-attached devices within the secure access facility.
A.TIMESTAMP The TOE environment provides the TOE with the necessary reliable timestamps.
A.ADMIN_PROTECT The workstations in the TOE environment used to access the TOE are free of malicious software.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 23 of 71
4. Security Objectives
Security objectives are concise, abstract statements of the intended solution to the problem defined by the
security problem definition (see Section 3). The set of security objectives for a TOE form a high-level solution to
the security problem. This high-level solution is divided into two part-wise solutions: the security objectives for
the TOE, and the security objectives for the TOE’s operational environment. This section identifies the security
objectives for the TOE and its supporting environment.
4.1 Security Objectives for the TOE
The specific security objectives for the TOE are listed in Table 7 below.
Table 7 – Security Objectives for the TOE
Name Description
O.BANNER The TOE will provide a mechanism that warns against unauthorised use of the TOE.
O.FAIL_SECURE The TOE will preserve a secure state and ensure that all capabilities of the TOE are still operational in the event of
a DP server failure.
O.MONITOR The TOE must be able to monitor machines on the network to ensure that they exist in a secure state and alert
administrators if a system enters an insecure state. The TOE will also analyze and securely store the scanned and
collected data.
O.PROTECT The TOE will provide confidentiality and integrity services using FIPS 140-2 algorithms to protect TOE
communication channels and user data. The TOE will also provide confidentiality of stored keys and keys used for
cryptographic services performed by the TOE.
O.ACCESS The TOE will ensure that TOE users and administrators gain only authorized access to it and to resources that it
controls.
O.AUDIT The TOE will provide the capability to detect security relevant events and create records of those events in the audit
trail. The TOE will also ensure that the audit records remain available in the event of a failure and are protected
from unauthorised modification and deletion.
O.AUDIT_REVIEW The TOE will provide the capability for only authorized TOE users to view audit information.
O.USER_AUTHEN The TOE will uniquely identify and authenticate TOE users and administrators prior to allowing access to TOE
functions and data.
O.TOE_ADMIN The TOE will provide mechanisms to ensure that only administrators are able to log in and configure the TOE. The
TOE will also provide the functions necessary to support the administrators operating the TOE and protections for
logged-in administrators.
4.2 Security Objectives for the Operational Environment
This section describes the environmental objectives.
4.2.1 IT Security Objectives
Table 8 below lists the IT security objectives that are to be satisfied by the environment.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 24 of 71
Table 8 – IT Security Objectives
Name Description
OE.TIMESTAMP The TOE environment must provide reliable timestamps to the TOE.
OE.NET_CON The TOE environment must be implemented such that the TOE is appropriately located within and connected to
the network to perform its intended function.
OE.AUTH The TOE environment must provide the authentication and identification repository of users attempting to use
the TOE.
OE.OS_ACCESS The operating system upon which the TOE is installed provides a sufficient level of protection for itself and the
TOE software it contains.
OE.PROTECT The TOE environment must protect itself and the TOE from external interference and tampering.
OE.SECURE_COM The TOE environment must provide mechanisms to secure communications between TOE components and other
devices to which the TOE is attached (including routers, switches, cabling, connectors, and firewalls) and must
be properly implemented such that the TOE is secured and protected from interference or tampering. Firewalls
must be configured to restrict all external access from outside the internal network where the TOE is accessible.
OE.ADMIN_PROTECT The administrative and user workstations must be protected from any external interference and tampering by
having all security updates and anti-malware software installed.
4.2.2 Non-IT Security Objectives
Table 9 below lists the non-IT environment security objectives that are to be satisfied without imposing technical
requirements on the TOE. That is, they will not require the implementation of functions in the TOE hardware
and/or software. Thus, they will be satisfied largely through application of procedural or administrative measures.
Table 9 – Non-IT Security Objectives
Name Description
OE.MANAGE The TOE environment will provide competent, non-hostile administrators and users of the TOE who are appropriately
trained and follow all administrator and user guidance. Administrators of the TOE will ensure the system is used securely.
OE.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 25 of 71
5. Extended Components
This section defines the extended SFRs and extended SARs met by the TOE. These requirements are presented
following the conventions identified in Section 6.1.
5.1 Extended TOE Security Functional Components
This section specifies the extended SFRs for the TOE. The extended SFRs are organized by class. Table 10 identifies
all extended SFRs implemented by the TOE.
Table 10 – Extended TOE Security Functional Requirements
Name Description
FDC_SCN.1 System scan
FDC_ANA.1 System analysis
FDC_STG.1 Scanned data storage
5.1.1 Class FDC: Data Collection and Analysis
Data Collection and Analysis functions involve:
• Monitoring systems to obtain data,
• Storing the collected data,
• Performing analysis on collected data and presenting analytical results and reports to administrators in a
format that allows them to take appropriate actions.
The FDC: Data Collection and Analysis class was modeled after the CC FAU: Security Audit class. The extended
family and related components for FDC_ANA: System Analysis were modeled after the CC family and related
components for FAU_SAA: Security Audit Analysis. The extended family FDC_SCN: System Scan was modeled after
the CC family FAU_GEN: Security Audit Data Generation. The extended family FDC_STG: Scanned Data Storage
was modeled after the CC family FAU_STG: Security Audit Event Storage.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 26 of 71
Figure 2 – FDC: Data Collection and Analysis Class Decomposition
5.1.1.1 FDC_ANA: System analysis
Family Behavior
This family defines the requirements for the use of analysis procedures that allow administrators to react to
potential security violations found during collected data analysis.
Component Leveling
Figure 3 – System analysis family decomposition
FDC_ANA.1: System Analysis provides the capability to analyze collected data and present the results to
administrators in a way that easily allows the administrators to respond to potential security violations found
during the analysis.
Management: FDC_ANA.1
The following actions could be considered for the management functions in FMT:
• Maintenance (deletion, modification, addition) of the analysis rules or the set of systems the rules are
applied to.
Audit: FDC_ANA.1 System Analysis
• There are no auditable events foreseen.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 27 of 71
FDC_ANA.1 System analysis
Hierarchical to: No other components.
Dependencies: FDC_SCN.1 System scan
FDC_ANA.1.1
The TSF shall be able to apply a set of rules in analyzing collected event data and based upon these rules
indicate potential security violations:
a) Calculate a status for correlated and processed event data
FDC_ANA.1.2
The TSF shall enforce the following set of rules for monitoring scanned event data: Accumulation or
combination of [assignment: subset of defined collected data] known to indicate a potential security
violation; [assignment: any other rules].
FDC_ANA.1.3
The TSF shall be able to indicate a possible security violation to [assignment: list of TOE users or
administrators with permission to review analytical results] and allow [assignment: list of TOE users or
administrators with permission to modify user and security configurations] to address security violations
that are discovered.
5.1.1.2 FDC_SCN: System scan
Family Behavior
This family defines the requirements for monitoring systems to collect event data.
Component Leveling
Figure 4 – System scan family decomposition
FDC_SCN.1 System Scan defines the monitoring function and specifies which machines will be monitored.
Management: FDC_SCN.1
• There are no management activities foreseen.
Audit: FDC_SCN.1
• There are no auditable events foreseen.
FDC_SCN.1 System scan
Hierarchical to: No other components.
Dependencies: No dependencies
FDC_SCN.1.1
The system shall be able to monitor and collect the following information from the targeted IT system
resource(s):
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 28 of 71
• Event data from monitored processes, files, metrics, and systems
• System health information from monitored systems
• Event topology information from monitored systems
FDC_SCN.1.2
The TSF shall record within the event database at least the following information:
• Date and time of event occurrence
• Host system where the event occurred
• Application that caused the event
• Event severity
• Administrator responsible for solving the problem that caused the event (if assigned)
5.1.1.3 FDC_STG: Scanned data storage
Family Behavior
This family defines the requirements for protecting stored event data.
Component Leveling
Figure 5 – Scanned data storage family decomposition
FDC_STG.1 Scanned Data Storage defines how the TSF protects stored monitor data from unauthorised
modification or deletion.
Management: FDC_STG.1
• There are no management activities foreseen.
Audit: FDC_STG.1
• There are no auditable events foreseen.
FDC_STG.1 Scanned data storage
Hierarchical to: No other components.
Dependencies: FDC_SCN.1 System scan
FDC_STG.1.1
The TSF shall protect the stored collected data from unauthorised deletion.
FDC_STG.1.2
The TSF shall be able to prevent unauthorised modifications to the stored collected data.
FDC_STG.1.3
The TSF shall ensure the storage of scanned data in the event of a [assignment: storage failure] by
performing the following actions: [assignment: list of actions used to ensure data is not lost in the event
of a storage failure].
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 29 of 71
FDC_STG.1.4
The TSF shall indicate a failure to store collected data by performing the following actions: [assignment:
list of actions that are used to notify administrators of a storage failure].
5.2 Extended TOE Security Assurance Components
There are no extended SARs defined for this ST.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 30 of 71
6. Security Requirements
This section defines the SFRs and SARs met by the TOE. These requirements are presented following the
conventions identified in Section 6.1.
6.1 Conventions
There are several font variations used within this ST. Selected presentation choices are discussed here to aid the
Security Target reader.
The CC allows for assignment, refinement, selection and iteration operations to be performed on security
functional requirements. All of these operations are used within this ST. These operations are performed as
described in Part 2 of the CC, and are shown as follows:
• Completed assignment statements are identified using [italicized text within brackets].
• Completed selection statements are identified using [underlined text within brackets].
• Refinements are identified using bold text. Any text removed is stricken (Example: TSF Data) and should
be considered as a refinement.
• Iterations are identified by appending a letter in parentheses following the component title. For example,
FAU_GEN.1(a) Audit Data Generation would be the first iteration and FAU_GEN.1(b) Audit Data
Generation would be the second iteration.
6.2 Security Functional Requirements
This section specifies the SFRs for the TOE. This section organizes the SFRs by CC class. Table 11 identifies all SFRs
implemented by the TOE and indicates the ST operations performed on each requirement.
Table 11 – TOE Security Functional Requirements
Name Description S A R I
FAU_GEN.1 Audit data generation ✓✓
FAU_SAR.1 Audit review  ✓
FAU_STG.2 Guarantees of audit data availability ✓✓✓
FCO_NRO.1 Selective proof of origin ✓✓
FCS_CKM.1 Cryptographic key generation  ✓
FCS_CKM.4 Cryptographic key destruction  ✓
FCS_COP.1 Cryptographic operation  ✓
FDP_ACC.1 Subset access control  ✓
FDP_ACF.1 Security attribute based access control  ✓
FDP_ETC.1 Export of user data without security attributes  ✓
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 31 of 71
Name Description S A R I
FIA_UAU.2 User authentication before any action   
FIA_UAU.5 Multiple authentication mechanisms  ✓
FIA_UID.2 User identification before any action   
FMT_MOF.1 Management of security functions behaviour ✓✓
FMT_MSA.1 Management of security attributes ✓✓
FMT_MSA.3 Static attribute initialisation ✓✓
FMT_SMF.1 Specification of management functions  ✓
FMT_SMR.1 Security roles  ✓
FPT_FLS.1 Failure with preservation of secure state  ✓
FPT_ITT.1 Basic internal TSF data transfer protection ✓ 
FRU_FLT.1 Degraded fault tolerance  ✓
FTA_TAB.1 Default TOE access banners   
FTP_ITC.1 Trusted channel ✓✓
FTP_TRP.1 Trusted path ✓✓
FDC_ANA.1 System analysis  ✓
FDC_SCN.1 System scan   
FDC_STG.1 Scanned data storage  ✓
Note: S=Selection; A=Assignment; R=Refinement; I=Iteration
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 32 of 71
6.2.1 Class FAU: Security Audit
FAU_GEN.1 Audit Data Generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1
The TSF shall be able to generate an audit record of the following auditable events:
a. Start-up and shutdown of the audit functions;
b. All auditable events, for the [not specified] level of audit; and
c. [
o HPE OMi user and administrator logins
o HPE OMi user and group management actions
o HPE OMi configuration changes
o HPE OMi changes to events (configurable)
o HPE OMi failed authentication attempts
].
FAU_GEN.1.2
The TSF shall record within each audit record at least the following information:
a. Date and time of the event, type of event, subject identity (if applicable), and the outcome
(success or failure) of the event; and
b. For each audit event type, based on the auditable event definitions of the functional components
included in the PP/ST, [no other information].
Application Note: The outcome (success or failure) of HPE OMi user and group management actions and HPE OMi
changes to events (configurable) is implied and not explicitly stated in the audit records
FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1
The TSF shall provide [TOE users and administrators with sufficient Setup and Maintenance (Audit Log)
permissions] with the capability to read [all information] from the audit records.
FAU_SAR.1.2
The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
FAU_STG.2 Guarantees of audit data availability
Hierarchical to: FAU_STG.1 Protected audit trail storage
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.2.1
The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.2.2
The TSF shall be able to [prevent] unauthorised modifications to the stored audit records in the audit trail.
FAU_STG.2.3
The TSF shall ensure that [HPE OMi] stored audit records will be maintained when the following conditions
occur: [Server failure].
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 33 of 71
6.2.2 Class FCO: Communication
FCO_NRO.1 Selective proof of origin
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FCO_NRO.1.1
The TSF shall be able to generate evidence of origin for transmitted [HPE OA policies] at the request of the
[recipient].
FCO_NRO.1.2
The TSF shall be able to relate the [public key, certificate] of the originator of the information, and the
[SHA30
-2 digest] of the information to which the evidence applies.
FCO_NRO.1.3
The TSF shall provide a capability to verify the evidence of origin of information to [recipient] given
[validity of the certificate].
30
SHA – Secure Hash Algorithm
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 34 of 71
6.2.3 Class FCS: Cryptographic Support
FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1
The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation
algorithm [key generation using a deterministic random number generator] and specified cryptographic
key sizes [128- and 256-bit; 112-bit; 2048-bit] that meet the following: [none].
FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4.1
The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction
method [zeroization] that meets the following: [FIPS 140-2 standard zeroization requirements].
FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1a
The TSF shall perform [list of cryptographic operations in Table 12 and Table 13] in accordance with a
specified cryptographic algorithm [the cryptographic algorithms listed in Table 12 and Table 13] and
cryptographic key sizes [key sizes listed in Table 12 and Table 13] that meet the following: [none].
Table 12 – RSA BSAFE® Crypto-J JSAFE and JCE Software Module 6.2.1 Cryptographic Operations
Algorithm Cert #
Symmetric Key Algorithms
AES CBC, GCM modes for 128- and 256-bit key sizes #3263
Triple-DES CBC, for keying option one (three different keys) #1852
Digital Signature Algorithms
RSA X9.31, PKCS#1 V.1.5, RSASSA-PSS Signature generation; Signature verification –2048-bit #1663
ECDSA Signature generation for all NSA Suite B P, K, and B Curves, Signature Verification for all P, K, and B
curves.
#619
Key Generation Algorithms
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 35 of 71
Algorithm Cert #
HMAC DRBG (HMAC-SHA-256) #722
Hashing Functions
SHA-1, SHA-256, SHA-384 #2701
MAC Functions
HMAC with SHA-1, SHA-256, SHA-384 #2062
Table 13 – OpenSSL FIPS Object Module 2.0.12 Cryptographic Operations
Algorithm Cert #
Symmetric Key Algorithms
AES CBC, GCM modes for 256-bit key sizes #2484
Digital Signature Algorithms
RSA X9.31, PKCS#1 V.1.5, RSASSA-PSS Signature generation; Signature verification –2048-bit #1273
ECDSA Signature generation for all NSA Suite B P, and K Curves, Signature Verification for all B, P, and K Curves. #413
Key Generation Algorithms
CTR DRBG (AES-256) #342
Hashing Functions
SHA-1, SHA-256, SHA-384 #2102
MAC Functions
HMAC with SHA-1, SHA-256, SHA-384 #1526
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 36 of 71
6.2.4 Class FDP: User Data Protection
FDP_ACC.1 Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1
The TSF shall enforce the [Resource Access Control SFP] on [
Subjects:
• HPE OMi TOE users
Objects:
• HPE OMi Web UI resource – Workspaces
• HPE OMi Web UI resource – Event Processing
• HPE OMi Web UI resource – Monitoring
• HPE OMi Web UI resource – Operations Console
• HPE OMi Web UI resource – Service Health
Permissions by category displayed in Table 14 below:
Table 14 – Resource Permissions
TOE
Component
Resource Subset Permissions
HPE OMi Web UI (Workspaces) Predefined Pages All, None
User Components Change, Delete, View, Add, All, None
User Pages Locked, Change, Delete, View, All,
None
HPE OMi Web UI (Event Processing) Automation All, Add, None31
Correlation All, None
HPE OMi Web UI (Monitoring) Assignments & Tuning
Automatic Assignment Rules
Deployment Jobs
Management Templates & Aspects
Policy Templates
All, None
HPE OMi Web UI (Operations Console) Custom Actions (Execution)
Run Book Execution
Tools (Execution)
Execute, All, None
Custom Actions (Administration)
Monitoring Dashboards
Monitoring Dashboards
(Administration)
External Instructions
Performance Graph Mappings
ROI Dashboard
All, None
31
The “Event Submission” sub-category of the Event Processing/Automation Web UI resource can only be assigned the
“Add” or “None” permissions. The remaining sub-categories can be assigned “All” or “None” permissions.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 37 of 71
TOE
Component
Resource Subset Permissions
Tools (Administration)
View Mappings
Design Graphs
Events Change Properties 32 , Life Cycle
Operations33, Launch Actions34, View,
All, None
Event Browser Clear View Filter, Share Filters, None
Run Book Mappings Change, Delete, View, Add, All, None
HPE OMi Web UI (Service Health) Alerts Change, None
Downtime Management View, All, None
Repositories Reset, None
].
FDP_ACF.1 Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization
FDP_ACF.1.1
The TSF shall enforce the [Resource Access Control SFP] to objects based on the following: [
Subject Attributes:
• HPE OMi user role/permissions
Object Attributes:
• Resource permissions for the following:
o HPE OMi Web UI – Workspaces
o HPE OMi Web UI – Event Processing
o HPE OMi Web UI – Monitoring
o HPE OMi Web UI – Operations Console
o HPE OMi Web UI – Service Health
].
FDP_ACF.1.2
The TSF shall enforce the following rules to determine if an operation among controlled subjects and
controlled objects is allowed: [The TOE user or administrator is granted access to perform an operation on
a resource based on the associated role/permissions within the TOE. Otherwise, access is denied and the
operation is unavailable to the user].
FDP_ACF.1.3
32
“Change Properties” includes “Priority”, “Solution”, “Title”, “Custom Attributes”, “Description”, “Severity”, “Event
Relations”, and “Annotations”.
33
“Life Cycle Operations” includes “Assign To”, “Close” “Close Transferred”, “Transfer Control”, “Work On/Resolve”, and
“Reopen” permissions.
34
“Launch Actions” includes “Operation Action” and “Automatic Action” permissions.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 38 of 71
The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [no
other rules].
FDP_ACF.1.4
The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [no other
rules].
FDP_ETC.1 Export of user data without security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FDP_ETC.1.1
The TSF shall enforce the [Resource Access Control SFP] when exporting user data, controlled under the
SFP(s), outside of the TOE.
FDP_ETC.1.2
The TSF shall export the user data without the user data’s associated security attributes.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 39 of 71
6.2.5 Class FIA: Identification and Authentication
FIA_UAU.2 User authentication before any action
Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.2.1
The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated
actions on behalf of that user.
Application Note: This SFR applies to the HPE OMi Web UI and HPE OBR Admin console.
FIA_UAU.5 Multiple authentication mechanisms
Hierarchical to: No other components.
Dependencies: No dependencies
FIA_UAU.5.1
The TSF shall provide [LDAP and X.509 certificate-based authentication] to support user authentication.
FIA_UAU.5.2
The TSF shall authenticate any user’s claimed identity according to the [
• verification of stored credential information for LDAP authentication
• verification of stored X.509 certificates for certificate-based authentication
].
Application Note: This SFR applies to the HPE OMi Web UI and HPE OBR Admin console.
FIA_UID.2 User identification before any action
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies
FIA_UID.2.1
The TSF shall require each user to be successfully identified before allowing any other TSF-mediated
actions on behalf of that user.
Application Note: This SFR applies to the HPE OMi Web UI and HPE OBR Admin console.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 40 of 71
6.2.6 Class FMT: Security Management
FMT_MOF.1 Management of security functions behavior
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FMT_MOF.1.1
The TSF shall restrict the ability to [modify the behavior of] the functions [
• Audit configuration
• Authentication management
• Event lifecycle management
• User management
• Automatic Failover configuration
• Reports and content pack configuration
to [authorized users with sufficient permissions or the Super-Admin role].
FMT_MSA.1 Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control or
FDP_IFC.1 Subset information flow control]
FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FMT_MSA.1.1
The TSF shall enforce the [Resource Access Control SFP] to restrict the ability to [modify, delete, [add]] the
security attributes [role, permissions] to [authorized users with sufficient permissions or Super-Admins].
FMT_MSA.3 Static attribute initialization
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1
The TSF shall enforce the [Resource Access Control SFP] to provide [restrictive] default values for security
attributes that are used to enforce the SFP.
FMT_MSA.3.2
The TSF shall allow the [authorized users with sufficient permissions or Super-Admins] to specify
alternative initial values to override the default values when an object or information is created.
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No Dependencies
FMT_SMF.1.1
The TSF shall be capable of performing the following management functions: [
• Manage the Resource Access Control SFP
• Configure event monitoring settings
• Manage audit configuration data
• Manage users and roles
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 41 of 71
• Manage authentication data
• Configure automatic failover settings
• Configure event automation and correlation settings
• OBR Management and configuration tasks
• Node/OA Management and configuration tasks
• Configure reports, content packs, packages, and management packs
]
FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1
The TSF shall maintain the roles [
HPE OMi
â–ª Super-Admin role
â–ª Custom roles
].
FMT_SMR.1.2
The TSF shall be able to associate users with roles.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 42 of 71
6.2.7 Class FPT: Protection of the TSF
FPT_FLS.1 Failure with preservation of secure state
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_FLS.1.1
The TSF shall preserve a secure state when the following types of failures occur: [DP server failure].
FPT_ITT.1 Basic internal TSF data transfer protection
Hierarchical to: No other components.
Dependencies: No dependencies
FPT_ITT.1.1
The TSF shall protect TSF data from [disclosure, modification] when it is transmitted between separate
parts of the TOE.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 43 of 71
6.2.8 Class FRU: Resource Utilization
FRU_FLT.1 Degraded fault tolerance
Hierarchical to: No other components.
Dependencies: FPT_FLS.1 Failure with preservation of secure state
FRU_FLT.1.1
The TSF shall ensure the operation of [all TOE capabilities] when the following failures occur: [DP server
failure].
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 44 of 71
6.2.9 Class FTA: TOE Access
FTA_TAB.1 Default TOE access banners
Hierarchical to: No other components.
Dependencies: No dependencies
FTA_TAB.1.1
Before establishing a user session, the TSF shall display an advisory warning message regarding
unauthorised use of the TOE.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 45 of 71
6.2.10 Class FTP: Trusted Path/Channels
FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies
FTP_ITC.1.1
The TSF shall provide a communication channel between itself and another trusted IT product that is
logically distinct from other communication channels and provides assured identification of its end points
and protection of the channel data from modification or disclosure.
FTP_ITC.1.2
The TSF shall permit [the TSF] to initiate communication via the trusted channel.
FTP_ITC.1.3
The TSF shall initiate communication via the trusted channel for [
• LDAP authentication (LDAP/S)
• HPE OMi connections to the external databases (JDBC over TLS35
)
• HPE OBR connections to the external databases (JDBC over TLS)
].
Application Note: Functions listed in FTP_ITC.1.3 are all initiated by the TOE.
FTP_TRP.1 Trusted path
Hierarchical to: No other components.
Dependencies: No dependencies
FTP_TRP.1.1
The TSF shall provide a communication path between itself and [remote] users that is logically distinct
from other communication paths and provides assured identification of its end points and protection of
the communicated data from [modification, disclosure].
FTP_TRP.1.2
The TSF shall permit [remote users] to initiate communication via the trusted path.
FTP_TRP.1.3
The TSF shall require the use of the trusted path for [[HTTPS connections to the HPE OMi Web UI, HPE OBR
Admin console]].
35
TLS – Transport Layer Security
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 46 of 71
6.2.11 Class FDC: Data Collection and Analysis
FDC_ANA.1 System analysis
Hierarchical to: No other components.
Dependencies: FDC_SCN.1 System scan
FDC_ANA.1.1
The TSF shall be able to apply a set of rules in analyzing collected event data and based upon these rules
indicate potential security violations:
b) Calculate a status for correlated and processed event data
FDC_ANA.1.2
The TSF shall enforce the following set of rules for monitoring scanned event data: Accumulation or
combination of [event data] known to indicate a potential security violation; [Suppress duplicated events;
correlate events by analyzing relationships between CIs; trigger notifications; forward events; execute
automated administrator-defined actions].
FDC_ANA.1.3
The TSF shall be able to indicate a possible security violation to [authorized TOE users with sufficient
“Service Health” and “Operations Console” permissions] and allow [authorized administrators] to address
security violations that are discovered.
FDC_SCN.1 System scan
Hierarchical to: No other components.
Dependencies: No dependencies
FDC_SCN.1.1
The system shall be able to monitor and collect the following information from the targeted IT system
resource(s):
• Event data from monitored processes, files, metrics, and systems
• System health information from monitored systems
• Event topology information from monitored systems
FDC_SCN.1.2
The TSF shall record within the event database at least the following information:
• Date and time of event occurrence
• Host system where the event occurred
• Application that caused the event
• Event severity
• Administrator responsible for solving the problem that caused the event (if assigned)
FDC_STG.1 Scanned data storage
Hierarchical to: No other components.
Dependencies: FDC_SCN.1 System scan
FDC_STG.1.1
The TSF shall protect the stored collected data from unauthorised deletion.
FDC_STG.1.2
The TSF shall be able to prevent unauthorised modifications to the stored collected data.
FDC_STG.1.3
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 47 of 71
The TSF shall ensure the storage of scanned data in the event of a [database outage] by performing the
following actions: [
• Buffer events until server is reachable again
• When server is reachable, send events in correct order
• When events are received on server, store events in a persistent queue
• Remove events from queue only after events are stored in database
].
FDC_STG.1.4
The TSF shall indicate a failure to store collected data by performing the following actions: [Create event
that notifies an authorized TOE user or administrator that there is a problem if no keep alive messages are
received by the HPE OMi server from the HPE OA. If the HPE OMi server does not allow the creation of an
event for notification, an authorized TOE user or administrator will be notified by email].
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 48 of 71
6.3 Security Assurance Requirements
This section defines the assurance requirements for the TOE. Assurance requirements are taken from the CC Part
3 and are EAL2+ augmented with ALC_FLR.2. Table 15 summarizes these requirements.
Table 15 – Assurance Requirements
Assurance Requirements
Class ASE: Security Target evaluation ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
Class ALC: Life Cycle Support ALC_CMC.2 Use of a CM system
ALC_CMS.2 Parts of the TOE CM Coverage
ALC_DEL.1 Delivery Procedures
ALC_FLR.2 Flaw reporting procedures
Class ADV: Development ADV_ARC.1 Security Architecture Description
ADV_FSP.2 Security-enforcing functional specification
ADV_TDS.1 Basic design
Class AGD: Guidance documents AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
Class ATE: Tests ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing – sample
Class AVA: Vulnerability assessment AVA_VAN.2 Vulnerability analysis
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 49 of 71
7. TOE Summary Specification
This section presents information to detail how the TOE meets the functional requirements described in previous
sections of this ST.
7.1 TOE Security Functionality
Each of the security requirements and the associated descriptions correspond to a security functionality. Hence,
each security functionality is described by how it specifically satisfies each of its related requirements. This serves
to both describe the security functionality and rationalize that the security functionality satisfies the necessary
requirements. Table 16 lists the security functionality and their associated SFRs.
Table 16 – Mapping of TOE Security Functionality to Security Functional Requirements
TOE Security Functionality SFR ID Description
Security Audit FAU_GEN.1 Audit data generation
FAU_SAR.1 Audit review
FAU_STG.2 Guarantees of audit data availability
Communication FCO_NRO.1 Selective proof of origin
Cryptographic Support FCS_CKM.1 Cryptographic key generation
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1 Cryptographic operation
User Data Protection FDP_ACC.1 Subset access control
FDP_ACF.1 Security attribute based access control
FDP_ETC.1 Export of user data without security attributes
Identification and Authentication FIA_UAU.2 User authentication before any action
FIA_UAU.5 Multiple authentication mechanisms
FIA_UID.2 User identification before any action
Security Management FMT_MOF.1 Management of security functions behaviour
FMT_MSA.1 Management of security attributes
FMT_MSA.3 Static attribute initialisation
FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
Protection of the TSF FPT_FLS.1 Failure with preservation of secure state
FPT_ITT.1 Basic internal TSF data transfer protection
Resource Utilization FRU_FLT.1 Degraded fault tolerance
TOE Access FTA_TAB.1 Default TOE access banners
Trusted path/channels FTP_ITC.1 Trusted channel
FTP_TRP.1 Trusted path
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 50 of 71
TOE Security Functionality SFR ID Description
Data Collection and Analysis FDC_ANA.1 System analysis
FDC_SCN.1 System scan
FDC_STG.1 Scanned data storage
7.1.1 Security Audit
The following sections describe the HPE OMi audit functionality.
7.1.1.1 HPE OMi Security Audit
HPE OMi records audits for successful and failed TOE user login attempts, user and group management actions,
configuration changes, and changes to events (configurable). These audit logs include the modification date, TOE
user, actions, and additional information fields. Although the TOE does not audit the startup and shutdown of the
audit function, it does audit the startup and shutdown of the TOE, thereby indicating when the audit function is
started and stopped as well.
The log viewer is available from the HPE OMi Web UI and is restricted to authorized roles based on permission.
HPE OMi prevents unauthorised deletion/modification of the audit trail. The TOE contains the following HPE OMi
audit log contexts in Table 17 below:
Table 17 – Audit Log Contexts
Audit Log Context Description
CI Status Alert
Administration
Displays actions related to creating alert schemes for a CI status alert.
Downtime/Event
Scheduling
Displays actions related to creating and modifying downtime and scheduled events.
Infrastructure Settings Displays actions related to modifying infrastructure settings. The result of each action is denoted as
SUCCESS or FAILURE.
Login Displays actions related to users' logins and logouts. The result of each action is denoted as SUCCESS or
FAILURE.
Notification Template
Administration
Displays actions related to modifying open ticket information, ticket settings, closed tickets, ticket
templates, and subscription information: notification types (locations or general messages), and
recipients.
Operations
Management
Displays actions related to Operations Management, such as the creating and modifying of content
packs, event rules, and notifications. This audit log can be configured to log the following changes:
• Configuration – This is selected by default and ensures that only configuration changes are
written to the audit log.
• All – This setting ensures both event and configuration changes are written to the audit log.
Recipient
Administration
Displays actions related to modifying information and general notifications.
Service Health Displays actions related to the Service Health application.
Service Health
Administration
Displays actions related to configurations made in Service Health Administration.
Startup/Shutdown Displays actions related to startups and shutdowns of OMi host systems.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 51 of 71
Audit Log Context Description
User/Group
Management
Displays actions related to adding, modifying, and deleting TOE users, TOE user groups, and roles.
Additionally, it displays the assignments of permissions to roles and the assignments of roles to TOE
users and TOE user groups.
View Manager Displays actions related to KPIs such as adding a KPI, editing a KPI, and deleting a KPI. Additionally, it
displays actions related to changing the Save KPI data over time for this CI option.
Table 18 below describes the configuration changes and actions written to the User/Group Management audit
log:
Table 18 – User/Group Management Configuration Changes
Configuration Change Action
Assigning Permissions to Roles Create, edit, and delete
Role Create, edit, and delete
TOE user Create, edit, and delete
TOE user Group Create, edit, and delete
The Operations Management audit log contains configuration and event changes. Table 19 below contains the
type of event changes that are written to the Operations Management audit log:
Table 19 – Operations Management Event Changes
Event Change Action
Action Launch
Custom attributes Create, edit, and delete
Annotations Create, edit, and delete
Assign event to TOE user or group Change
Event title Edit
Forwarding actions Launch
Lifecycle state of event Change
opr-archive-events.bat, opr-close-
events.bat
Launch
Priority of event Change
Automatic or operator action Rerun
Severity of event Change
Tool Launch
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 52 of 71
Table 20 below contains the type of configuration changes that are written to the Operations Management audit
log:
Table 20 – Operations Management Configuration Changes
Configuration Change Action
CI Resolver Mapping Create, edit, and delete
Connected Server Create, edit, and delete
Content Packs Create, edit, delete, import, and export
Custom Action Configurations Create, edit, and delete
Downtime Configuration Create, edit, and delete
EPI36 Configuration Create, edit, and delete
Event Assignment Rules Create, edit, and delete
Event Forwarding web service-triggered actions using the console API
Filters Create, edit, and delete
Forwarding Rules Create, edit, and delete
Indicator Mapping Rules Create, edit, and delete
Monitoring Automation:
Aspect Versions
Create and delete
Monitoring Automation:
Assignments
Create, delete, and change.
Changes include disabling and enabling assignments, and changing parameter values.
Monitoring Automation:
Automatic Assignments
Create and delete
Monitoring Automation:
Configuration Folders
Create, delete, and change deployment
Monitoring Automation:
Deployment Packages
Create and delete
Monitoring Automation:
Instrumentations
Create, delete, and change
Monitoring Automation: Jobs Create, delete, and change
Monitoring Automation:
Management Template
Versions
Create and delete
Monitoring Automation: Node
Groups
Create, delete, and change
Changes including adding a node to and removing a node from a node group
Monitoring Automation: Node
Filters
Create, delete, and change
Monitoring Automation:
Nodes
Create, delete, and change
36
EPI – Event Processing Interface
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 53 of 71
Configuration Change Action
Monitoring Automation:
Template Groups
Create, delete, and change
Changes include adding a template to or removing a template from a template group.
In addition, audit configuration changes (change, enable, and disable), are written to the Infrastructure Settings
audit log.
The audit logs use the Apache log4j logging utility. Audit logs are stored in the external database, and the TOE
does not provide delete/modify operations in the UI.
Audit logs are retained for an administrator-defined period between 90 and 350 days. If a value is not set, the logs
are retained indefinitely.
TOE Security Functional Requirements Satisfied: FAU_GEN.1, FAU_SAR.1, FAU_STG.2.
7.1.2 Communication
HPE OMi maintains an internal PKI 37
which distributes certificates to HPE OAs for secure transmission of
configuration and event data. Signatures are applied to configuration payloads sent to HPE OAs from HPE OMi
using the HPE OMi server’s private key.
TOE Security Functional Requirements Satisfied: FCO_NRO.1.
7.1.3 Cryptographic Support
HPE OMi utilizes the FIPS 140-2 validated RSA BSAFE® Crypto-J JSAFE and JCE Software Module (software version
6.2.1) and the OpenSSL FIPS Object Module (software version 2.0.12) libraries for performing all cryptographic
operations. All HPE OMi cryptographic operations (including HTTPS/TLS support, TLS encrypted JDBC, internal
X.509 PKI infrastructure, AES encryption of third-party credentials, agent configuration payload signatures, key
generation/derivation, password hashing, and other cryptography related functions) are used according to the
RSA BSAFE® Crypto-J Module or OpenSSL FIPS Object Module “FIPS-Mode” configuration as dictated by their
respective Security Policies. HPE OMi uses SHA-2 algorithms for cryptographic signatures and supports TLS 1.2
cipher suites.
HPE OBR also uses the FIPS 140-2 validated RSA BSAFE® Crypto-J JSAFE and JCE Software Module (software version
6.2.1) and the OpenSSL FIPS Object Module (software version 2.0.12) for the HPE OBR cryptographic operations.
All of the modules utilized by the TOE destroy all keys by overwriting them with zeros.
TOE Security Functional Requirements Satisfied: FCS_CKM.1, FCS_CKM.4, FCS_COP.1.
37
PKI – Public Key Infrastructure
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 54 of 71
7.1.4 User Data Protection
The TOE enforces the Resource Access Control SFP on subjects (HPE OMi TOE users) accessing objects (HPE OMi
Web UI resources). The HPE OMi Web UI resources include the Workspaces, Event Processing, Monitoring,
Operations Console, and Service Health areas of the HPE OMi Web UI. The Resource Access Control SFP allows
TOE users to gain access to the HPE OMi Web UI resources only if the TOE user has the correct permissions
(determined by their role) for the resource. Access control parameters differ according to the resource area of the
HPE OMi Web UI. These access control parameters are listed in Table 14.
Integrations with 3rd
party products allow the exportation of events to other systems. The exportation of events
to other systems is under the enforcement of the Resource Access Control SFP and is only allowed if the TOE user
has the correct permissions (determined by their role) for the HPE OMi Web UI’s “Operations Console – Events”
resource.
TOE Security Functional Requirements Satisfied: FDP_ACC.1, FDP_ACF.1, FDP_ETC.1
7.1.5 Identification and Authentication
The HPE OMi Web UI and HPE OBR Admin console provide the Identification and Authentication functionality of
the TOE. These user interfaces use certificate-based authentication and LDAP authentication to authenticate
credentials passed by TOE users. Besides being used for authentication, LDAP is also used to synchronize HPE OMi
users and groups with users and groups configured on the external LDAP server.
Prior to authenticating via the HPE OMi Web UI or HPE OBR Admin console, TOE users and administrators are not
given access to any TOE functionality. TOE users and administrators must pass valid credentials to the TOE for
authentication to be successful.
TOE Security Functional Requirements Satisfied: FIA_UAU.2, FIA_UAU.5, FIA_UID.2.
7.1.6 Security Management
HPE OMi provides the Super-Admin role and custom roles. A default administrative account named “admin” with
Super-Admin privileges is provided after initial configuration of the TOE. The Super-Admin role includes full access
permissions for TOE management functions. Custom roles are created by authorized administrators based on a
set of granular permissions and are mapped to a TOE user or group. By default, TOE users have no access to the
TOE until they are assigned to a role with permissions by an authorized role.
HPE OMi allows authorized roles with sufficient management permissions to perform the following administrative
functions:
• Manage the Resource Access Control SFP
• Configure event monitoring settings
• Manage audit configuration data
• Manage users and roles
• Manage authentication data
• Configure automatic failover settings
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 55 of 71
• Configure event automation and correlation settings
• OBR Management and configuration tasks
• Node/OA Management and configuration tasks
• Configure reports, content packs, packages, and management packs
The OBR management and configuration tasks include performing restoration, updates, configuring pollers,
creating databases, adding licenses, managing dimensions, and processing downtime information. The node/OA
management and configuration tasks include managing the monitoring components, policies, notifications, and
related certificates.
Only authorized Super-Admin roles or users with sufficient permissions can modify the behavior of audit
configuration, authentication management, event lifecycle management, user management, reports and content
pack configuration, or automatic failover configuration. Additionally, Super-Admin roles or users with sufficient
permissions can modify, delete, add, or change the default of the security attributes required by the Resource
Access Control SFP.
TOE Security Functional Requirements Satisfied: FMT_MOF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMR.1,
FMT_SMF.1.
7.1.7 Protection of the TSF
The TOE utilizes cryptographic services to secure communications between distributed components of the TOE.
These secure communications prevent unauthorised disclosure and modification of TSF data. The TOE uses:
• HTTPS for communication between HPE OMi GW server and HPE OAs
• JMS for communication between the HPE OMi GW server and HPE OMi DP server
• HTTPS for communication between HPE OBR Remote Collector and the HPE OMi RTSM (of the HPE OMi
GW server)
• HTTPS for communication between HPE OBR Remote Collector and the HPE OAs
• HTTPS for communication between HPE OBR Remote Collector and the HPE OBR server
HPE OAs communicate with the HPE OMi GW server via the GW communication broker. This HTTPS connection is
secured by the FIPS 140-2 validated OpenSSL library (referred to in section 7.1.3). The FIPS 140-2 validated RSA
BSAFE® Crypto-J library (referred to in section 7.1.3) is used to secure communications between the HPE OMi GW
server and HPE OMi DP server.
The TOE also maintains a secure state of operation by continuing to offer all of its functionality in the event of an
HPE OMi DP server failure. The TOE utilizes a backup HPE OMi DP server and automatic failover procedures. The
TOE communicates heartbeat information through the DB to the redundant backup server. The HPE OMi DP server
HAC regularly checks a table in the DB for updates to determine whether a failover is required. In the event of an
HPE OMi DP server failure, the HAC performs automatic failover and moves the services to the backup server. The
server retrieves the current configuration from the management database and continues to provide the services
as the new active HPE OMi DP server.
TOE Security Functional Requirements Satisfied: FPT_FLS.1, FPT_ITT.1.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 56 of 71
7.1.8 Resource Utilization
The TOE ensures that all capabilities of the TOE are still operational in the event of an HPE OMi DP server failure.
Refer to section 7.1.7 for more information on how the HPE OMi DP server HA38
procedures help to ensure a
minimal impact on performance in the event of an HPE OMi DP server failure.
TOE Security Functional Requirements Satisfied: FRU_FLT.1.
7.1.9 TOE Access
The TOE provides a login banner containing an advisory and consent message regarding unauthorised use of the
TOE on the HPE OMi Web UI and HPE OBR Admin console.
TOE Security Functional Requirements Satisfied: FTA_TAB.1.
7.1.10 Trusted Path/Channels
The TOE provides trusted channels between itself and external LDAP or AD servers and external databases that
support secure communications. The TOE uses:
• LDAP/S for communication with LDAP or AD servers
• JDBC over TLS for HPE OMi connections to the HPE OMi external database
• JDBC over TLS for HPE OBR connections to the HPE OBR external database
• JDBC over TLS for HPE OBR connections to the HPE OMi external database
The TOE also provides a trusted path using HTTPS connections between TOE user and administrator workstations
and the HPE OMi Web UI and HPE OBR Admin console. These protocols all rely on the FIPS 140-2 validated
providers referred to in 7.1.3 for their cryptographic algorithms.
TOE Security Functional Requirements Satisfied: FTP_ITC.1, FTP_TRP.1.
7.1.11 Data Collection and Analysis
HPE OAs are capable of generating event data from monitored processes, log files, performance metrics, system
health information, topology information, and systems. Events have various attributes associated with them
including:
• ID
• Severity
• Lifecycle State
• Business Priority
• Assigned TOE user/Group
• Category
• Related CIs
38
HA – High Availability
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 57 of 71
• Event type
• Duplicate count
• Timestamps
• Source information
The date and time of event occurrence, host system (node) where the event occurred, application that caused the
event, event severity, and the administrator responsible for solving the problem that caused the event (if assigned)
are all recorded in the event database. When event data is collected, it is correlated and processed by HPE OMi
and a status is calculated. Root cause analysis is performed to identify the source of related events, event
duplicates and event storms (multiple events from the same source within a short time frame) are detected, and
selected events are suppressed. Events can be used to trigger notifications (email, SMS39
, etc.) or automated
administrator-defined actions. Event notifications are restricted to assigned TOE users or groups based the TOE
user or group permissions (associated with the TOE user or group’s role). Additionally, HPE OMi supports various
integrations allowing events to be forwarded to other HPE products or third party help-desk ticketing systems.
HPE OMi regularly checks the health of the connected HPE OAs. The HPE OAs regularly send keep alive messages
to HPE OMi. If HPE OMi receives no keep alive messages from an HPE OA for a certain interval, a corresponding
event within the HPE OMi will be created that notifies an authorized administrator that there is a problem with
the HPE OA. If HPE OMi is not reachable, the HPE OA buffers events until the server is reachable again and then
sends them in the correct order. A maximum amount of time/number of events that shall be buffered can be
configured by an administrator. When the events are received on the server they are stored in a persistent queue.
HPE OMi reads the events from the queue and stores them in the database. Events are removed from the queue
only after the events are stored. HPE OMi also includes integrated self-monitoring. If there is a problem detected
on HPE OMi which does not allow the creation of an event for notification, HPE OMi sends an e-mail to notify an
authorized administrator.
TOE Security Functional Requirements Satisfied: FDC_ANA.1, FDC_SCN.1, FDC_STG.1.
39
SMS – Short Message Service
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 58 of 71
8. Rationale
8.1 Conformance Claims Rationale
This Security Target conforms to Part 2 extended and Part 3 of the Common Criteria for Information Technology
Security Evaluation, Version 3.1 Release 4.
8.2 Security Objectives Rationale
This section provides a rationale for the existence of each threat, policy statement, and assumption that compose
the Security Target. Sections 8.2.1, 8.2.2, and 8.2.3 demonstrate the mappings between the threats, policies, and
assumptions to the security objectives are complete. The following discussion provides detailed evidence of
coverage for each threat, policy, and assumption.
8.2.1 Security Objectives Rationale Relating to Threats
Table 21 below provides a mapping of the objectives to the threats they counter.
Table 21 – Threats: Objectives Mapping
Threats Objectives Rationale
T.DATA_AVAILABILITY
TOE data or capabilities may become
unavailable due to DP server failures
caused by an attacker who is not a TOE
user (e.g. performing a denial of service
attack), or an operational condition
(power failures, etc.).
O.FAIL_SECURE
The TOE will preserve a secure state and ensure
that all capabilities of the TOE are still
operational in the event of a DP server failure.
O.FAIL_SECURE counters this threat by
ensuring that the TOE preserves a secure state
and maintains all TOE capabilities in the event
of a DP server failure.
O.MONITOR
The TOE must be able to monitor machines on
the network to ensure that they exist in a
secure state and alert administrators if a
system enters an insecure state. The TOE will
also analyze and securely store the scanned
and collected data.
O.MONITOR counters this threat by ensuring
that scanned events will be stored in the event
of a database outage by buffering the events
and storing them in a queue until the database
is available again.
T.ADMIN_ERROR
A TOE user may incorrectly install or
configure the TOE resulting in
ineffective security mechanisms.
O.TOE_ADMIN
The TOE will provide mechanisms to ensure
that only administrators are able to log in and
configure the TOE. The TOE will also provide
the functions necessary to support the
administrators operating the TOE and
protections for logged-in administrators.
O.TOE_ADMIN counters this threat by ensuring
that only administrators are able to log in and
configure the TOE, and provide protections for
logged-in administrators.
T.AUDIT_COMPROMISE
An attacker who is not a TOE user may
view audit records, cause audit records
to be lost or modified, or prevent future
records from being recorded, thus
masking an attacker who is not a TOE
user’s actions.
O.AUDIT
The TOE will provide the capability to detect
security relevant events and create records of
those events in the audit trail. The TOE will also
ensure that the audit records remain available
in the event of a failure and are protected from
unauthorised modification and deletion.
O.AUDIT counters this threat by ensuring that
unauthorised attempts to access the TOE are
recorded.
O.AUDIT_REVIEW O.AUDIT_REVIEW counters this threat by
ensuring that only authorized TOE users are
allowed to view the audit logs.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 59 of 71
Threats Objectives Rationale
The TOE will provide the capability for only
authorized TOE users to view audit
information.
T.BAD_STATE
An attacker who is not a TOE user may
exploit vulnerabilities in monitored IT
entities that reach an insecure state
without the network administrators
becoming aware.
O.MONITOR
The TOE must be able to monitor machines on
the network to ensure that they exist in a
secure state and alert administrators if a
system enters an insecure state. The TOE will
also analyze and securely store the scanned
and collected data.
O.MONITOR counters this threat by ensuring
that systems on the network are monitored by
the TOE and that the TOE alerts TOE users
when a security violation occurs.
T.DATA_COMPROMISE
An attacker who is not a TOE user may
read, modify, delay, or destroy security
critical TOE configuration data stored
on the TOE or being transmitted
between physically separated parts of
the TOE.
O.PROTECT
The TOE will provide confidentiality and
integrity services using FIPS 140-2 algorithms
to protect TOE communication channels and
user data. The TOE will also provide
confidentiality of stored keys and keys used for
cryptographic services performed by the TOE.
O.PROTECT counters this threat by providing
encryption services available to authorized TOE
users, administrators, and TOE user or
administrator applications.
T.UNAUTHORISED _ACCESS
A TOE user may gain unauthorised
access (view, modify, delete) to user
data through possible misuse.
O.BANNER
The TOE will provide a mechanism that warns
against unauthorised use of the TOE.
O.BANNER counters this threat by ensuring
that the TOE warns against unauthorised use
by using an advisory warning message banner.
O.ACCESS
The TOE will ensure that TOE users and
administrators gain only authorized access to it
and to resources that it controls.
O.ACCESS counters this threat by ensuring that
TOE users and administrators gain only
authorized access to it and to resources that it
controls.
O.USER_AUTHEN
The TOE will uniquely identify and authenticate
TOE users and administrators prior to allowing
access to TOE functions and data.
O.USER_AUTHEN counters this threat by
ensuring that administrators and TOE users are
authenticated and identified before being
allowed access to the TOE.
Every threat is mapped to one or more objectives in the table above. This complete mapping demonstrates that
the defined security objectives counter all defined threats.
8.2.2 Security Objectives Rationale Relating to Policies
There are no Organizational Security Policies defined for this Security Target.
8.2.3 Security Objectives Rationale Relating to Assumptions
Table 22 below gives a mapping of assumptions and the environmental objectives that uphold them.
Table 22 – Assumptions: Objectives Mapping
Assumptions Objectives Rationale
A.ADMIN_PROTECT
The workstations in the TOE
environment used to access the TOE are
free of malicious software.
OE.ADMIN_PROTECT
The administrative and user workstations must
be protected from any external interference
and tampering by having all security updates
and anti-malware software installed.
OE.ADMIN_PROTECT upholds this assumption
by ensuring that the administrative and user
workstations are protected from external
interference and tampering.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 60 of 71
Assumptions Objectives Rationale
A.AUTH
The TOE environment will provide the
identification and authentication
repository of users attempting to
manage and use the TOE.
OE.AUTH
The TOE environment must provide the
authentication and identification repository of
users attempting to use the TOE.
OE.AUTH satisfies this assumption by ensuring
that the TOE environment provides the
authentication and identification repository of
users attempting to use the TOE.
A.MANAGE
There are one or more competent
individuals assigned to manage the TOE
and the security of the information it
contains. Administrators of the TOE are
assumed to be appropriately trained to
undertake the installation,
configuration and management of the
TOE in a secure and trusted manner.
OE.MANAGE
The TOE environment will provide competent,
non-hostile administrators and users of the
TOE who are appropriately trained and follow
all administrator and user guidance.
Administrators of the TOE will ensure the
system is used securely.
OE.MANAGE satisfies this assumption by
ensuring that those
responsible for the TOE will provide competent
individuals to
perform management of the security of the
environment, and
restrict these functions and facilities from
unauthorised use.
A.LOCATE
The TOE, and all components of the TOE
environment, including the
authentication servers and database
servers are located within a controlled
access facility and appropriately located
within the network to perform their
functions. The devices with which the
TOE communicates for exporting
events are also located within a
controlled access facility.
Administrative and user workstations
are located within a separate controlled
access facility.
OE.NET_CON
The TOE environment must be implemented
such that the TOE is appropriately located
within and connected to the network to
perform its intended function.
OE.NET_CON satisfies this assumption by
ensuring that the TOE is appropriately located
within and connected to the network to
perform its intended function.
OE.PHYSICAL
Physical security, commensurate with the
value of the TOE and the data it contains, is
provided by the environment.
OE.PHYSICAL satisfies the assumption that the
TOE environment provides physical security
commensurate with the value of the TOE and
the data it contains.
A.OS_ACCESS
The TOE environment is in a secure
state and provides a sufficient level of
protection to itself and the TOE
components.
OE.OS_ACCESS
The operating system upon which the TOE is
installed provides a sufficient level of
protection for itself and the TOE software it
contains.
OE.OS_ACCESS upholds this assumption by
ensuring that the OS where the TOE is installed
provides enough protection for itself and the
TOE to prevent tampering in a physically secure
environment.
A.PROTECT
The TOE software will be protected
from unauthorised modification.
OE.PROTECT
The TOE environment must protect itself and
the TOE from external interference and
tampering.
OE.PROTECT satisfies the assumption that the
TOE environment provides protection from
unauthorised modification.
A.NOEVIL
The administrators and users of the TOE
are non-hostile, appropriately trained,
and follow all guidance.
OE.MANAGE
The TOE environment will provide competent,
non-hostile administrators and users of the
TOE who are appropriately trained and follow
all administrator and user guidance.
Administrators of the TOE will ensure the
system is used securely.
OE.MANAGE satisfies this assumption by
ensuring that those
responsible for the TOE will provide
competent, non-hostile individuals to perform
management of the security of the
environment.
A.SECURE_COM
The TOE environment provides the
necessary network infrastructure
required for its operation and ensures
the TOE is secured and protected from
interference or tampering by using a
firewall to prevent access from non-
OE.SECURE_COM
The TOE environment must provide
mechanisms to secure communications
between TOE components and other devices to
which the TOE is attached (including routers,
switches, cabling, connectors, and firewalls)
and must be properly implemented such that
OE.SECURE_COM satisfies this assumption by
ensuring that the TOE environment provides
the appropriate connectivity and mechanisms
to secure communications between the TOE
and other devices, and to allow the TOE to
perform its functions in a secure manner.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 61 of 71
Assumptions Objectives Rationale
trusted entities. Additionally, the TOE
environment provides a sufficient level
of protection to secure
communications between the TOE and
network-attached devices within the
secure access facility.
the TOE is secured and protected from
interference or tampering. Firewalls must be
configured to restrict all external access from
outside the internal network where the TOE is
accessible.
A.TIMESTAMP
The TOE environment provides the TOE
with the necessary reliable timestamps.
OE.TIMESTAMP
The TOE environment must provide reliable
timestamps to the TOE.
OE.TIMESTAMP satisfies this assumption by
ensuring that the operating system where the
TOE is installed will provide reliable
timestamps for the TOE.
Every assumption is mapped to one or more objectives in the table above. This complete mapping demonstrates
that the defined security objectives uphold all defined assumptions.
8.3 Rationale for Extended Security Functional Requirements
A class of FDC requirements was created to specifically address the data collected and analyzed by the HPE
OpsBridge devices. The audit class of the CC (FAU) was used as a model for creating these requirements. The
purpose of this class of requirements is to address the unique nature of HPE OpsBridge products and provide
requirements about collecting, analyzing, storing, and reviewing the event and topology data. FDC_SCN.1 has no
dependencies since the stated requirements embody all the necessary security functions. FDC_ANA.1 and
FDC_STG.1 are dependent on FDC_SCN.1 since they apply to scan data that must first be collected by the TOE.
These requirements exhibit functionality that can be easily documented in the ADV assurance evidence and thus
do not require any additional Assurance Documentation.
8.4 Security Requirements Rationale
The following discussion provides detailed evidence of coverage for each security objective.
8.4.1 Rationale for Security Functional Requirements of the TOE
Objectives
Table 23 below shows a mapping of the objectives and the SFRs that support them.
Table 23 – Objectives: SFRs Mapping
Objective Requirements Addressing the Objective Rationale
O.PROTECT
The TOE will provide confidentiality and
integrity services using FIPS 140-2
algorithms to protect TOE
communication channels and user data.
The TOE will also provide confidentiality
of stored keys and keys used for
FCO_NRO.1
Selective proof of origin
The requirement meets the objective by
ensuring that FIPS 140-2 cryptographic
operations are used when generating evidence
of origin to help protect transmitted user data.
FCS_CKM.1
Cryptographic key generation
The requirement meets the objective by
ensuring that the TOE can generate
cryptographic keys for use during
cryptographic operations.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 62 of 71
Objective Requirements Addressing the Objective Rationale
cryptographic services performed by
the TOE.
FCS_CKM.4
Cryptographic key destruction
The requirement meets the objective by
ensuring that the TOE destroys cryptographic
keys when no longer in use.
FCS_COP.1
Cryptographic operation
The requirement meets the objective by
ensuring that the TOE provides confidentiality
and integrity services for the TOE by providing
FIPS 140-2 validated algorithms.
O.FAIL_SECURE
The TOE will preserve a secure state
and ensure that all capabilities of the
TOE are still operational in the event of
a DP server failure.
FPT_FLS.1
Failure with preservation of secure state
The requirement meets the objective by
ensuring that the TOE preserves a secure state
in the event of a DP server failure.
O.PROTECT
The TOE will provide confidentiality and
integrity services using FIPS 140-2
algorithms to protect TOE
communication channels and user data.
The TOE will also provide confidentiality
of stored keys and keys used for
cryptographic services performed by
the TOE.
FPT_ITT.1
Basic internal TSF data transfer protection
The requirement meets the objective by
providing FIPS 140-2 cryptographic operations
to ensure that TSF data is protected from
disclosure or modification when transmitted
between separate parts of the TOE or
O.FAIL_SECURE
The TOE will preserve a secure state
and ensure that all capabilities of the
TOE are still operational in the event of
a DP server failure.
FRU_FLT.1
Degraded fault tolerance
The requirement meets the objective by
ensuring that all TOE capabilities are
operational in the event of a DP server failure.
O.BANNER
The TOE will provide a mechanism that
warns against unauthorised use of the
TOE.
FTA_TAB.1
Default TOE access banners
The requirement meets the objective by
ensuring that users are presented with an
advisory warning message regarding
unauthorised use of the TOE.
O.PROTECT
The TOE will provide confidentiality and
integrity services using FIPS 140-2
algorithms to protect TOE
communication channels and user data.
The TOE will also provide confidentiality
of stored keys and keys used for
cryptographic services performed by
the TOE.
FTP_ITC.1
Trusted channel
The requirement meets the objective by
utilizing FIPS 140-2 cryptographic operations
for the trusted channels used by the TOE.
FTP_TRP.1
Trusted path
The requirement meets the objective by
utilizing FIPS 140-2 cryptographic operations
for the trusted paths used by the TOE.
O.MONITOR
The TOE must be able to monitor
machines on the network to ensure
that they exist in a secure state and
alert administrators if a system enters
an insecure state. The TOE will also
analyze and securely store the scanned
and collected data.
FDC_ANA.1
System analysis
The requirement meets the objective by
ensuring the TOE analyzes the collected data.
FDC_SCN.1
System scan
The requirement meets the objective by
providing authorized TOE users and
administrators with the capability to read the
collected system data.
FDC_STG.1
Scanned data storage
The requirement meets the objective by
ensuring that the TOE securely stores
information from the managed machines.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 63 of 71
Objective Requirements Addressing the Objective Rationale
O.ACCESS
The TOE will ensure that TOE users and
administrators gain only authorized
access to it and to resources that it
controls.
FDP_ACC.1
Subset access control
The requirement meets the objective by
enforcing the Resource Access Control SFP on
all subjects and all named objects and all
operations among them. The Resource Access
Control SFP specifies the access rules between
all subjects and all named objects controlled by
the TOE. While authorized TOE users and
administrators are trusted to some extent, this
requirement ensures only authorized access is
allowed to named objects.
FDP_ACF.1
Security attribute based access control
The requirement meets the objective by
specifying the Resource Access Control SFP
rules that will be enforced by the TSF and
determines if an operation among subjects and
named objects is allowed. Furthermore, it
specifies the rules to explicitly authorize or
deny access to a named object based upon
security attributes.
FDP_ETC.1
Export of user data without security attributes
The requirement meets the objective by
ensuring that the Resource Access Control SFP
enforces access control parameters during the
exportation of events and configuration data to
targeted systems.
O.AUDIT
The TOE will provide the capability to
detect security relevant events and
create records of those events in the
audit trail. The TOE will also ensure that
the audit records remain available in
the event of a failure and are protected
from unauthorised modification and
deletion.
FAU_GEN.1
Audit data generation
The requirement meets this objective by
ensuring that the TOE maintains a record of
defined security related events, including
relevant details about the event.
FAU_STG.2
Guarantees of audit data availability
The requirement meets the objective by
ensuring that audit logs remain available are
protected from unauthorised modification and
deletion.
O.AUDIT_REVIEW
The TOE will provide the capability for
only authorized TOE users to view audit
information.
FAU_SAR.1
Audit review
The requirement meets the objective by
ensuring that the TOE provides the ability to
review logs.
O.USER_AUTHEN
The TOE will uniquely identify and
authenticate TOE users and
administrators prior to allowing access
to TOE functions and data.
FIA_UAU.2
User authentication before any action
The requirement meets the objective by
ensuring that every TOE user or administrator
is authenticated before the TOE performs any
TSF-mediated actions on behalf of that TOE
user or administrator.
FIA_UAU.5
Multiple authentication mechanisms
The requirement meets the objective by
providing multiple authentication mechanisms
to support TOE user or administrator
authentication.
FIA_UID.2
User identification before any action
The requirement meets the objective by
ensuring that every TOE user or administrator
is identified before the TOE performs any TSF-
mediated actions on behalf of that TOE user or
administrator.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 64 of 71
Objective Requirements Addressing the Objective Rationale
O.TOE_ADMIN
The TOE will provide mechanisms to
ensure that only administrators are
able to log in and configure the TOE.
The TOE will also provide the functions
necessary to support the
administrators operating the TOE and
protections for logged-in
administrators.
FMT_MOF.1
Management of security functions behaviour
The requirement meets the objective by
ensuring that only authorized roles with
sufficient permissions are able to disable,
enable, or modify the behavior of TOE security
functions.
FMT_MSA.1
Management of security attributes
The requirement meets the objective by
restricting the ability to manage security
attributes for the TOE to authorized roles with
sufficient permissions.
FMT_MSA.3
Static attribute initialisation
The requirement meets the objective by
ensuring that the TOE provides restrictive
default values for security attributes, and
specifies alternative initial values to override
the default values when an object or
information is created.
FMT_SMF.1
Specification of management functions
The requirement meets the objective by
ensuring that the TOE includes administrative
functions to facilitate the management of the
TSF.
FMT_SMR.1
Security roles
The requirement meets the objective by
ensuring that the TOE associates TOE users and
administrators with roles to provide access to
TSF management functions and data.
8.4.2 Security Assurance Requirements Rationale
EAL2 was chosen to provide a low to moderate level of assurance that is consistent with good commercial
practices. As such, minimal additional tasks are placed upon the vendor assuming the vendor follows reasonable
software engineering practices and can provide support to the evaluation for design and testing efforts. The
chosen assurance level is appropriate with the threats defined for the environment. While the System may
monitor a hostile environment, it is expected to be in a non-hostile position and embedded in or protected by
other products designed to address threats that correspond with the intended environment. At EAL2, the System
will have incurred a search for obvious flaws to support its introduction into the non-hostile environment.
The augmentation of ALC_FLR.2 was chosen to give greater assurance of the developer’s on-going flaw
remediation processes.
8.4.3 Dependency Rationale
The SFRs in this ST satisfy all of the required dependencies listed in the Common Criteria, applicable PPs, and SFRs
explicitly stated in this ST. Table 24 lists each requirement to which the TOE claims conformance and indicates
whether the dependent requirements are included. As the table indicates, all dependencies have been met.
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 65 of 71
Table 24 – Functional Requirements Dependencies
SFR ID Dependencies Dependency
Met
Rationale
FAU_GEN.1 FPT_STM.1 ✓ FPT_STM.1 is not included because
time stamps are provided by the
environment. An environmental
objective states that the TOE will
receive reliable timestamps.
FAU_SAR.1 FAU_GEN.1 ✓
FAU_STG.2 FAU_GEN.1 ✓
FCO_NRO.1 FIA_UID.1 ✓
FCS_CKM.1 FCS_CKM.4 ✓
FCS_COP.1 ✓
FCS_CKM.4 FCS_CKM.1 ✓
FCS_COP.1 FCS_CKM.1 ✓
FCS_CKM.4 ✓
FDP_ACC.1 FDP_ACF.1 ✓
FDP_ACF.1 FMT_MSA.3 ✓
FDP_ACC.1 ✓
FDP_ETC.1 FDP_ACC.1 ✓
FIA_UAU.2 FIA_UID.1 ✓ Although FIA_UID.1 is not included,
FIA_UID.2, which is hierarchical to
FIA_UID.1 is included. This satisfies
this dependency.
FIA_UAU.5 No dependencies N/A
FIA_UID.2 No dependencies N/A
FMT_MOF.1 FMT_SMR.1 ✓
FMT_SMF.1 ✓
FMT_MSA.1 FMT_SMR.1 ✓
FDP_ACC.1 ✓
FMT_SMF.1 ✓
FMT_MSA.3 FMT_SMR.1 ✓
FMT_MSA.1 ✓
FMT_SMF.1 No dependencies N/A
FMT_SMR.1 FIA_UID.1 ✓ Although FIA_UID.1 is not included,
FIA_UID.2, which is hierarchical to
FIA_UID.1 is included. This satisfies
this dependency.
FPT_FLS.1 No dependencies N/A
FPT_ITT.1 No dependencies N/A
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 66 of 71
SFR ID Dependencies Dependency
Met
Rationale
FRU_FLT.1 FPT_FLS.1 ✓
FTA_TAB.1 No dependencies N/A
FTP_ITC.1 No dependencies N/A
FTP_TRP.1 No dependencies N/A
FDC_ANA.1 FDC_SCN.1 ✓
FDC_SCN.1 No dependencies N/A
FDC_STG.1 FDC_SCN.1 ✓
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 67 of 71
9. Acronyms
Table 25 defines the acronyms used throughout this document.
Table 25 – Acronyms
Acronym Definition
AD Active Directory
AES Advanced Encryption Standard
ANSI American National Standards Institute
API Application Programming Interface
BI Business Intelligence
BO BusinessObjects
BSM Business Service Management
CBC Cipher Block Chaining
CC Common Criteria
CCM Counter with CBC- MAC
CFB Cipher Feedback
CI Configuration Item
CLI Command Line Interface
CM Configuration Management
CMAC Cipher-Based MAC
CMS Configuration Management System
CPU Central Processing Unit
CTR Counter Mode
DB Database
DES Data Encryption Standard
DP Data Processing
DRBG Deterministic Random Bit Generator
DSA Digital Signature Algorithm
EAL Evaluation Assurance Level
EC Elliptic Curve
ECB Electronic Codebook
ECC Elliptic Curve Cryptography
ECDSA Elliptic Curve Digital Signature Algorithm
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 68 of 71
Acronym Definition
EPI Event Processing Interface
ETL Extraction, Transformation, Loading
FIPS Federal Information Processing Standards
GB Gigabyte
GCM Galois Counter Mode
GW Gateway
HA High Availability
HAC High-Availability Controller
HI Health Indicator
HMAC Hash Message Authentication Code
HPE Hewlett Packard Enterprise Development LP
HPAS Hewlett Packard Application Server
HTML Hypertext Markup Language
HTTPS Hypertext Transfer Protocol Secure
ID Identifier
ISO International Organization for Standardization
IT Information Technology
JCE Java Cryptography Extension
JDBC Java Database Connectivity
JMS Java Message Service
JMX Java Management Extensions
JRE Java Runtime Environment
KPI Key Performance Indicator
LDAP Lightweight Directory Access Protocol
LDAP/S
Lightweight Directory Access Protocol over Secure Sockets
Layer
LW-SSO Lightweight Single Sign-On
MAC Message Authentication Code
MB Megabytes
NIST National Institute of Standards and Technology
NNMi Network Node Manager i
NSA National Security Agency
NTP Network Time Protocol
OBR Operations Bridge Reporter
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 69 of 71
Acronym Definition
OFB Output Feedback
OM Operations Manager
OMi Operations Manager i
OO Operations Orchestration
OS Operating System
PDAPI Pervasive Distribution And Payment Interface
PDF Portable Document Format
PKCS Public-Key Cryptography Standards
PKI Public Key Infrastructure
PP Protection Profile
PRNG Pseudo Random Number Generator
PSS Probabilistic Signature Scheme
QA Quality Assurance
RAM Random-Access Memory
RHEL Red Hat Enterprise Linux
RNG Random Number Generator
RTSM Run-Time Service Model
SAR Security Assurance Requirement
SAW Service Anywhere
SCOM Microsoft System Center Operations Manager
SFP Security Function Policy
SFR Security Functional Requirement
SHA Secure Hash Algorithm
SiS SiteScope
SM Service Manager
SMS Short Message Service
SP Special Publication
SQL Structured Query Language
SSL Secure Sockets Layer
ST Security Target
TB Terabyte
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Functions
Security Target, Version 1.2 November 15, 2017
HPE Operations Bridge Premium v2016.05 including HPE OMi v10.11, HPE OA v12.01, and HPE OBR v10.01
©2017 Hewlett Packard Enterprise Development LP
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Page 70 of 71
Acronym Definition
UCMDB Universal Configuration Management Database System
UI User Interface
WMI Windows Management Instrumentation
XEX XOR-Encrypt-XOR
XOR Exclusive Or
Prepared by:
Corsec Security, Inc.
13921 Park Center Road, Suite 460
Herndon, VA 20171
United States of America
Phone: +1 703 267 6050
Email: info@corsec.com
http://www.corsec.com