National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report webMethods Fabric 6.5 Report Number: CCEVS-VR-05-0136 Dated: 2005-12-23 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 Validation Report webMethods Fabric 6.5 Table of Contents 1. Executive Summary................................................................................................................1 1.1 webMethods Fabric 6.5 Functionality..............................................................................1 1.2 Evaluation Details ............................................................................................................1 1.3 Interpretations...................................................................................................................2 2. Identification of the TOE........................................................................................................3 2.1 Software............................................................................................................................3 2.2 Documentation .................................................................................................................4 3. Security Policy........................................................................................................................5 3.1 Access Control Policy ......................................................................................................5 3.2 Identification and Authentication.....................................................................................5 3.3 Security Management.......................................................................................................5 3.4 Self Protection ..................................................................................................................5 3.5 Security Audit...................................................................................................................6 4. Assumptions and Clarification of Scope ................................................................................7 4.1 Usage Assumptions ..........................................................................................................7 4.2 Environmental Threats .....................................................................................................7 5. Evaluated Configuration.........................................................................................................9 5.1 Architectural Information...............................................................................................10 6. Evaluation and Validation Process and Conclusions ...........................................................10 6.1 Evaluation of the Security Target (ASE)........................................................................11 6.2 Evaluation of the Configuration Management Capabilities (ACM) ..............................11 6.3 Evaluation of Delivery and Operations Documents (ADO)...........................................12 6.4 Evaluation of the Development (ADV)..........................................................................12 6.5 Evaluation of the Guidance Documents (AGD).............................................................12 6.6 Evaluation of the Test Documentation and Testing Activity (ATE)..............................12 6.7 Vulnerability Assessment Activity (AVA) ....................................................................13 6.8 Summary of the Evaluation Results ...............................................................................13 7. IT Product Testing................................................................................................................13 8. Validator Comments/Recommendations..............................................................................13 9. Security Target .....................................................................................................................15 10. List of Acronyms................................................................................................................15 11. Bibliography.......................................................................................................................15 ii Validation Report webMethods Fabric 6.5 1. Executive Summary This document is intended to assist the end-user of this product with determining the suitability of the product in their environment. End-users should review both the Security Target (ST) which is where specific security claims are made, and this Validation Report (VR) which describes how those security claims were evaluated. The evaluation of the webMethods Fabric 6.5 application integration software product was performed by CygnaCom Solutions, Inc. (an Entrust Company) in the United States and was completed on 5 December, 2005. The evaluation was conducted in accordance with the requirements of the Common Criteria for Information Technology Security Evaluation, version 2.2, Evaluation Assurance Level 2 (EAL2), and the Common Evaluation Methodology for IT Security Evaluation (CEM), Version 2.2. CygnaCom Solutions, Inc. is an approved NIAP Common Criteria Testing Laboratory (CCTL). The CCTL concluded that the Common Criteria assurance requirements for Evaluation Assurance Level 2 (EAL2) have been met and that the conclusions in its Evaluation Technical Report are consistent with the evidence produced. This Validation Report is not an endorsement of webMethods Fabric 6.5 by any agency of the US Government and no warranty of the product is either expressed or implied. 1.1 webMethods Fabric 6.5 Functionality webMethods Fabric is a client/server application that provides access control of services implemented on the webMethods Integration Server. The product facilitates the secure exchange of data and logic among resources and supports the development and management of complex business processes through browser or web enabled interfaces. webMethods Fabric performs the following security functions, which are described in Section 3 of this report: • Access Control Policy • Identification & Authentication • Security Management • Self Protection • Security Audit 1.2 Evaluation Details Table 1-1 provides the required evaluation identification details. 1 Validation Report webMethods Fabric 6.5 Table 1-1. Evaluation Details Item Identification Evaluation Scheme US Common Criteria Evaluation and Validation Scheme (CCEVS) Target of Evaluation webMethods Fabric 6.5 EAL EAL2 Protection Profile None Security Target webMethods Fabric 6.5 Security Target, Version 1.0, 12 December, 2005 Developer webMethods, Inc. 3877 Fairfax Ridge Road Fairfax, VA 20030 Evaluators Swapna Katikaneni CygnaCom Solutions, Inc. 7925 Jones Branch Drive, McLean, VA 22102-3321 Validator Ralph Broom Mitretek Systems, Inc., 3150 Fairview Park Drive South Falls Church, VA 22042 Dates of Evaluation 3 March, 2005 to 5 December, 2005 Conformance Result Part 2 extended, Part 3 conformant, and EAL2 conformant Common Criteria (CC) Version CC, version 2.2, January 2004 Common Evaluation Methodology (CEM) Version CEM version 2.2, January 2004 Evaluation Technical Report webMethods Fabric 6.5 Evaluation Technical Report: - Volume 1, Evaluation Technical Report for a Target of Evaluation, ETR v1.0 dated 28 November, 2005. - Volume 2, Evaluation Technical Report for a Target of Evaluation, ETR v1.0 dated 18 November, 2005. Key words Business Software Integration 1.3 Interpretations The Evaluation Team performed an analysis of the international interpretations of the CC and the CEM and determined that none of the international interpretations issued by the Common Criteria Interpretations Management Board (CCIMB) identified below were applicable to this evaluation. The Validator reviewed the relevant international interpretations and determined that the Evaluation Team correctly performed this analysis. The following international interpretations were reviewed by the Validator: 86, 137, 146, 175, 180, 192, 220, 227, 228, 232, 243 and 254. 2 Validation Report webMethods Fabric 6.5 2. Identification of the TOE 2.1 Software webMethods Fabric 6.5 is a client/server application that provides access control of services implemented on the webMethods Integration Server (IS). The TOE facilitates the secure exchange of data and logic among resources and supports the development and management of complex business processes through web-enabled or browser interfaces. The TOE consists of two primary components: • Integration Server (IS) – Enables access control over the integration logic through the integrated applications • Broker – A high-speed message router which enables access control over asynchronous messaging The TOE also contains several secondary components: • Host Adapters – Zero or more special modules that link back-end resources with the Integration Server. In this relationship the IS plays the role of the client to the external resource. The TOE includes two adapters; Java Database Connectivity (JDBC) for Oracle, Microsoft SQL Server, IBM DB2, and other databases, and Java Message Service (JMS) to permit high-speed asynchronous message delivery. Note that adapters rely on 3rd party drivers which are not part of the TOE. • Developer – A graphical Integrated Development Environment (IDE) tool used by administrators to build, edit and test integration logic. The following components are supplied with the TOE, but are not part of the TOE and were not evaluated: • Entrust Authority Security Toolkit for Java 7.0 – provides cryptographic services for externals users and the Developer component connecting to the IS. • Spyrus SSL Toolkit – provides cryptographic services (encryption) for connections between TOE components where one of them is a Broker or for the remote connection of an authorized administrator to the TOE. The TOE consumer will need to provide the following: • Appropriate hardware to run the operating system. • A supported operating system to host the TOE. • Appropriate network environment. • Trained administrators; and • Physical security of the TOE. 3 Validation Report webMethods Fabric 6.5 2.2 Documentation The following documents were used to validate the evaluation: • Security Target v1.0 for webMethods Fabric 6.5, dated 2005-12-12. • Evaluation Technical Report Volume 1 for webMethods Fabric 6.5, ETR version 1.0 dated 2005-11-28. • Evaluation Technical Report Volume 2 for webMethods Fabric 6.5, ETR version 1.0 dated 2005-11-18. • webMethods Fabric 6.5 Proprietary Development Specification v0.6, dated 2005-11-17. • webMethods Integration Server Administrator’s Guide, Version 6.5, Document ID: webM- IS-AG-20040116webM-IS-AG-65-20050429. • webMethods Broker Administrator’s Guide, Version 6.5, Document ID: BR-AG-65- 20050615. • webMethods Fabric 6.5 Security Best Practices, December 2005. • webMethods Fabric Version 6.5 Configuration Management v0.5 dated 2005-11-14. • webMethods Fabric Version 6.5 CC Guidance Documentation v0.3 dated 2005-11-17. • webMethods Fabric Version 6.5 Delivery Procedures v0.3 dated 2005-10-18. • webMethods Fabric Version 6.5 Strength of Function Analysis v0.3 dated 2005-10-18. • webMethods Fabric Version 6.5 Test Coverage Analysis v0.4 dated 2005-11-02. • webMethods Fabric Version 6.5 Vulnerability Analysis v0.3 dated 2005-10-18. • webMethods Fabric JDBC Adapter User’s Guide, Document ID: ADAPTER-JDBC-UG- 603-20040511 • webMethods Fabric JMS Adapter Installation Guide, Document ID: ADAPTER-JMS-IG- 61-20040213 • webMethods Fabric JMS Adapter User’s Guide, Document ID: ADAPTER-JMS-UG-61- 20040213 4 Validation Report webMethods Fabric 6.5 3. Security Policy webMethods Fabric 6.5 performs the following security functions: • Access Control Policy • Identification & Authentication • Security Management • Self Protection • Security Audit 3.1 Access Control Policy webMethods Fabric 6.5 enforces a discretionary information flow control policy to control access to services and documents based on users and groups. Documents are associated with document types, which define the structure of a particular type of document and how it is to be routed between Broker clients and resources. Services are logical methods that operate on documents, and are executed on the Integration Server. Access control mechanisms are implemented on TCP ports and on resources. Port restrictions can be by either source or destination. Access to resources is controlled at the group level. The ability to define access control restrictions is limited to authorized administrators. 3.2 Identification and Authentication webMethods Fabric 6.5 allows only users who have been successfully identified and authenticated (authorized administrators) to access security-relevant functionality, including viewing audit records. For password-based access, the TOE maintains a list of user accounts and data about these accounts: name, credential data, and a list of privileges. The TOE also supports certificate-based authentication of external users via the IT environment. (Certificate-based authentication was not evaluated.) The TOE identifies and authenticates users (based on user name and password) before allowing them to assume the administrative role defined by their privileges. No user may perform any administrative functions unless the identification and authentication are successful. 3.3 Security Management webMethods Fabric 6.5 supports one administrative role to perform security management. An administrator can access the TOE remotely and monitor or manage the interaction between external users. An administrator can also access the Broker Server to manage the interaction between TOE components, or access through the Developer interface to configure or develop services or workflows. 3.4 Self Protection 5 Validation Report webMethods Fabric 6.5 webMethods Fabric 6.5 ensures that all information must flow through policy enforcement mechanisms and protects its programs and data from unauthorized access through its own interfaces. 3.5 Security Audit The TOE generates audit information for security-relevant events and enables authorized administrators to view the audit records. The TOE generates audit records for the following events: • Reading of information from the audit records • Unsuccessful attempts to read information from the audit records • Modification of the audit configuration that occur while the audit collection functions are operating • All requests to perform an operation on a package, folder, service, flow service, specification, schema, document type, or trigger • Rejection by the TSF of any tested secret • Modification of the behaviour of the functions in the TSF • Modification of the values of security attributes • Modification of the default setting of permissive or restrictive rules • Modification of the initial values of security attributes • All modification of the values of TSF data • Use of the management functions • Modification of the group of users that are part of a role • start-up and shutdown of the audit function Each audit record includes the date and time as obtained from the IT environment (OS), user identity (when applicable), type of event, and its outcome (success or failure). The audit records can be viewed by authorized administrators. 6 Validation Report webMethods Fabric 6.5 4. Assumptions and Clarification of Scope This section describes the security aspects of the environment in which the TOE is expected to operate. 4.1 Usage Assumptions The assumptions listed below are not addressed by any IT requirements but instead rely on the procedural or administrative measures applied to the operating environment. Users must consider these assumptions and whether they are valid for the intended use of the product. A.Admin The administrator is trusted to correctly configure and operate the TOE according to the instructions provided by the TOE documentation. A.Manage It is assumed that one or more administrators are assigned who are competent to manage the TOE and the security of the information it contains, and who can be trusted not to deliberately abuse their privileges so as to undermine security. A.NoUntrusted It is assumed that there will be no untrusted software on the webMethods Integration Server and Broker. A.Physical The TOE components critical to the security policy enforcement will be protected from unauthorized physical modification. A.Users It is assumed that users will protect their authentication data. A.IT The TOE relies upon the IT environment to support protected communications, provide audit file protection, support partial domain separation, support non- bypassability, provide reliable time-stamps, and to perform user authentication when configured to do so. 4.2 Environmental Threats T.Abuse An undetected compromise of the TOE may occur as a result of an authorized user of the TOE (intentionally or otherwise) performing actions the individual is authorized to perform. T.Access An authorized user of the TOE may access information or resources without having permission from the person who owns, or is responsible for, the information or resource. T.Bypass An unauthorised user may attempt to bypass the information flow control policy. T.Intercept An unauthorized person on an internal network that connects TOE components may intercept communications between the TOE components and attempt to access and/or modify the data being transmitted. T.Mismanage Authorized Administrators may make errors in the management of security functions and TSF data. Administrative errors may allow attackers to gain unauthorized access to resources protected by the TOE. 7 Validation Report webMethods Fabric 6.5 T.Tamper An attacker may attempt to modify TSF programs and data. T.Transmit TSF data may be disclosed or modified by an attacker while being transmitted between the TOE and its users. T.Undetect Attempts by an attacker to violate the security policy may go undetected. If the attacker is successful, TSF data may be lost or altered. 8 Validation Report webMethods Fabric 6.5 5. Evaluated Configuration The three evaluated configurations consist of three machines running the Java Virtual Machine (JVM) version 1.4.2. Two machines ran the Integration Server (IS), and the third ran the Broker. The first configuration involved users accessing a single IS via protected network ports. Internal The second configuration has the IS and Broker servers procedurally segregated (e.g., through encryption or trust) from the TOE. In this diagram the Broker and both Integration Servers are externally visible. For this configuration, the IT environment has to protect network connections. Internal The third configuration involves the IS and Broker servers running procedurally segregated users from behind a VPN. The Reverse Invoke server shown in this diagram is not part of the TOE. In this configuration, the TOE is accessed through a firewall and may not be directly connected to by external users. 9 Validation Report webMethods Fabric 6.5 5.1 Architectural Information The TOE consists of three subsystems: the Integration Server, the Developer and the Broker. The Integration Server contains the following interfaces: • Graphical User Interface to the IS Administrator Interface • Broker Administrative Interface • External User Interface The external interfaces on the Integration Server provide the following security functions: • Access Control • Identification and Authentication • Security Management Functions • Security Audit The Developer interfaces with the Integration Server and provides the following functions: • Adapter Services – Services that invoke specific processes on a back-end resource (for example, query a customer database, post a journal entry to a general ledger application, or delete an item from an inventory system). • Adapter notifications — Alerts that are issued by back-end systems and which initiate an action on the integration platform. • Adding Groups to ACL — The Developer is responsible for assigning ACL to the appropriate resource or resource folder. All Developer functions are subject to the security functions of the Integration Server The Broker has a single internal interface to the Integration Server and does not itself support any TOE security functionality. Access to the Broker is subject to the security functions of the Integration Server. 6. Evaluation and Validation Process and Conclusions This section describes the evaluation process used by the team and the activities the Validator performed to gain confidence in the evaluation team’s analysis. The evaluation team conducted a review of the Integration Server, Developer and Broker components of the product based on functional requirements as specified in the Security Target and assurance requirements as required for EAL2. The EAL2 assurance requirements include the following: 10 Validation Report webMethods Fabric 6.5 Table 6-1. EAL2 Components EAL2 Component EAL2 Component Title ASE Evaluation of Security Target ACM_CAP.2 Configuration items ADO_DEL.1 Delivery procedures ADO_IGS.1 Installation, generation, and start-up procedures ADV_FSP.1 Informal functional specification ADV_HLD.1 Descriptive high-level design ADV_RCR.1 Informal correspondence demonstration AGD_ADM.1 Administrator guidance AGD_USR.1 User guidance ATE_COV.1 Evidence of coverage ATE_FUN.1 Functional testing ATE_IND.2 Independent testing – sample AVA_SOF.1 Strength of TOE security function evaluation AVA_VLA.1 Developer vulnerability analysis 6.1 Evaluation of the Security Target (ASE) The evaluation team applied each EAL2 ASE CEM work unit. Evaluation team action during the course of the ST evaluation ensured that the ST contained a description of the environment in terms of threats, assumptions and policies. The team also confirmed that the ST contains a statement of security requirements claimed to be met by the webMethods Fabric 6.5 product that are consistent with the Common Criteria, and product security function descriptions that support those requirements. The Validator reviewed the Evaluation team’s work units and compared them with the Security Target to determine that the work units were performed correctly. 6.2 Evaluation of the Configuration Management Capabilities (ACM) Configuration Management (CM) systems are put in place to provide a method of tracking changes to the portions of the TOE that they control. The ACM evaluation ensures that the integrity of the TOE is adequately preserved; that the configuration management provides confidence to the consumer that the TOE and documentation used for evaluation are the ones prepared for distribution. It also ensures that the TOE is accurately and uniquely identified such that the consumer is able to identify the evaluated TOE and discern one version from another. The consumer must request the evaluated version of the product. The evaluation team analyzed the CM process and determined that TOE components and documentation have unique references and that a system is in place to track release configurations of the TOE and changes to its components. 11 Validation Report webMethods Fabric 6.5 The Validator reviewed the Evaluations team’s work units and evidence to determine that the work units were performed correctly. 6.3 Evaluation of Delivery and Operations Documents (ADO) The evaluation team analyzed the documentation of the procedures used to ensure that the TOE is delivered, installed, generated and started in the same way that the developer intended it to be and that it was delivered without modification. The consumer must obtain the appropriate evaluation configuration documentation from the webMethods Advantage website (http://advantage.webMethods.com). The Validator reviewed the Evaluations team’s work units, evidence and TOE documentation to determine that the work units were performed correctly. 6.4 Evaluation of the Development (ADV) The evaluation team inspected the design documentation to determine that the TOE Security Functions (TSF) could be understood, were consistent and that they supported the claims in the ST. The design documentation consists of a functional specification describing the TOE in terms of internal subsystems and a high-level design which describes how those subsystems work together. The Validator reviewed the Evaluations team’s work units, the TOE functional specification and user and administrator guidance to determine that the work units were performed correctly. 6.5 Evaluation of the Guidance Documents (AGD) The evaluation team analyzed the documentation that describes how to operate the TOE in a secure manner and compared it with the actual operation of the TOE. The TOE Broker component includes both a Graphical User Interface (GUI) and a command-line interface; only the GUI was evaluated. The Validator reviewed the Evaluations team’s work units, test results and user and administrator guidance to determine that the work units were performed correctly. 6.6 Evaluation of the Test Documentation and Testing Activity (ATE) The evaluation team examined the developer tests to ensure that those tests would confirm that the TOE behaves as specified in the design documentation and in accordance with the TSF requirements as specified in the ST. In addition, the evaluation team independently performed a subset of the developer tests and compared them to the developer test results. The Validator reviewed the Evaluations team’s work units, test results and developer test results to determine that the work units were performed correctly. 12 Validation Report webMethods Fabric 6.5 6.7 Vulnerability Assessment Activity (AVA) The evaluation team examined the TOE for flaws or weaknesses in its intended environment and conducted its own penetration testing. The team reviewed the developer’s claims for the strength of specific security functions, performed searches for obvious vulnerabilities and conducted a sample penetration test. The Validator reviewed the Evaluations team’s work units, test results and penetration test to determine that the work units were performed correctly. 6.8 Summary of the Evaluation Results The evaluation team’s assessment of the evaluation evidence demonstrates that the claims in the ST are met. Additionally, the evaluation team’s performance of the majority of the vendor test suite also demonstrates the veracity of the claims in the ST. 7. IT Product Testing Testing was conducted from 20 October, 2005 to 24 October, 2005 at the webMethods facility in Fairfax, VA. The testing was conducted by Swapna Katikaneni, representing the CCTL CygnaCom. Functional and vulnerability testing was conducted, including a partial execution (~80%) of the developer test suite with a focus on authentication and access control functionality. Delivery and installation procedures were also examined. The Broker and its functions were excluded from the list of TOE Security Functions and testing. The test configuration was as described in section 5. Evaluated Configuration, with the JVM running on Windows XP SP2. The approach used was functional test-case design. 8. Validator Comments/Recommendations This is a software-only TOE. The Validator determined that the evaluation and all of its activities were performed in accordance with the CC, the CEM and CCEVS practices. The Validator has the following observations: • In order to meet requirements for auditing the end-user must install the Integration Server WmCCudit package as described and follow the procedures outlined under Auditing in the Evaluated Configuration in Appendix C of the webMethods Fabric 6.5 Security Best Practices document. • The developer tests fully or partially covered all TOE security functional requirements and the evaluator executed approximately 80% of the developer tests as well as additional independent tests. All TOE security functions and their interfaces were tested. 13 Validation Report webMethods Fabric 6.5 • Configuration of this product is moderately complex; however the administrative guidance is helpful in supplying explanations of configurable options, useful default values and warnings of possible unsafe values or configurations. • The TOE uses cryptography (SSL) in the IT Environment to protect communications between TOE components. Cryptography was not part of the TOE evaluation, so intra-TOE communications should be protected (e.g., isolated from untrusted networks), or the end- user (or product installer) should consider the risks of using a non-evaluated cryptographic implementation to protect the communication path. • Although the installer was not part of the TOE evaluation, testing did determine that it correctly installed the TOE. The Validator agrees that the CCTL presented appropriate rationales to support the Results of Evaluation presented in Section 4 of the ETR, volume 1, and the Conclusions presented in Section 5 of the ETR, volume 2. The Validator therefore concludes that the evaluation and the Pass results for the TOE identified below is complete and correct: webMethods Fabric 6.5 14 Validation Report webMethods Fabric 6.5 9. Security Target The Security Target (ST) reference for this product is “webMethods Fabric 6.5, EAL2 Common Criteria Evaluation, Security Target V1.0, 12 December 2005”. The ST describes what the TOE does, defines the functional claims that the developer is making for the TOE and which standards / specifications the TOE is claimed to conform with. The conformance claims for this product are: • Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Requirements, Version 2.2, January 2004, CCIMB-2004-01-002. • Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Requirements, Version 2.2, January 2004, CCIMB-2004-01-002, at Evaluation Assurance Level (EAL) 2. 10. List of Acronyms Acronym Definition CC Common Criteria CCEVS Common Criteria Evaluation and Validation Scheme CCIMB Common Criteria Interpretations Management Board CCTL Common Criteria Testing Laboratory CEM Common Evaluation Methodology for Information Technology Security Evaluation CLI Command Line Interface EAL2 Evaluation Assurance Level 2 ETR Evaluation Technical Report GUI Graphical User Interface NIAP National Information Assurance Partnership SSL Secure Sockets Layer TOE Target of Evaluation TSF TOE Security Functions 11. Bibliography In addition to the documents specified in section 2.2 Documentation, the following documents were used in compiling this Validation Report: • Common Criteria for Information Technology Security Evaluation, Version 2.2, January 2004: o Part 1: Introduction and General Model o Part 2: Security Functional Requirements 15 Validation Report webMethods Fabric 6.5 16 o Part 2: Annexes o Part 3: Security Assurance Requirements • Common Methodology for Information Technology Security Evaluation, Version 2.2, January 2004: