Validated Product - AquaLogic Interaction 6.1 with AquaLogic Interaction Development Kit

PRODUCT DESCRIPTION

The Target of Evaluation (TOE) is AquaLogic® Interaction 6.1 MP1 with AquaLogic® Interaction Development Kit 6.0, henceforth referred to as ALI and IDK respectively.

AquaLogic Interaction (ALI) is the portal platform for the BEA AquaLogic User Interaction (ALUI) suite of products. A portal is a Web site that gives users a single point of access to applications and information in a single unified interface. ALI includes a portal infrastructure, a user interface (UI), a document content management system, and a search function. ALI integrates applications and ALUI components into a cohesive Web-based environment that can be customized and personalized to meet the internal and customer-oriented portal needs of large enterprise companies.

AquaLogic Interaction Development Kit 6.0 (IDK) offers Java platform and .NET client-side libraries that provide connectivity to Web services-based application programming interfaces (APIs) for ALI.

ALI’s portal framework integrates applications by using portlets and also supports virtual community workspaces. Portlets are one of the mechanisms that end users use for accessing data and applications from portals. Portlets enable the integration of functionality from external systems in the portal page, thus providing a single entry point (or window) for a wide range of content and services. Portlets can be used for everything from displaying useful information to building integrated applications that combine functionality from multiple systems. The ALI portlet architecture conforms to Service-Oriented Architecture (SOA) and leverages the key SOA interfaces and protocols: HTTP and SOAP. SOA is an IT strategy that organizes the discrete functions contained in enterprise applications into interoperable, standards-based services that can be combined and reused quickly to meet business needs.

Most of the ALI portal’s end-user and administrative functionality and tools are packaged and implemented as portlets. ALI organizes this functionality into categories and implements each category in a set of portlets. The categories include the following:

• User Interface
• Web Services
• User Management
• Content management
• Security
• Search
• Scheduled Operations.

The IDK APIs (included with both the Java and .NET versions of the IDK) provide support for portlet development, including manipulating settings, accessing user information, and managing communication with the portal. Security is enforced by the portal in exactly the same way as when the functionality is executed from within the portal. In the ALUI web services architecture, most portlets are hosted remotely and connect to a back-end application for data or functionality. The remote portlets can access an API provided by the IDK called the Programmable Remote Client (PRC). The PRC API provides interfaces to perform object-oriented access into the portal’s SOAP API, which exposes elements of the portal API.

The IDK also enables developers to create remote authentication services. The IDK Authentication API provides an abstraction from the necessary SOAP calls and enables developers to simply implement an object interface for the external authentication service.

The AquaLogic Interaction Development Kit (IDK) enables Java and .NET developers to build and deliver user-centric composite applications through AquaLogic Interaction. The IDK provides interfaces for pagelets, portlets and integration web services – authentication and profile services, crawlers, and search services. The 6.0 release of the IDK includes a proxy Application Programming Interface (API) used to create pagelets for implementation in AquaLogic Interaction.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the BEA AquaLogic Interaction 6.1 MP1 with AquaLogic Interaction Development Kit 6.0 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 family of assurance requirements, augmented with ALC_FLR.2 (Flaw reporting procedures). The product satisfies all of the security functional requirements stated in the BEA AquaLogic Interaction 6.1 MP1 with AquaLogic Interaction Development Kit 6.0 Security Target, when configured as specified in the following guidance documents, available from BEA’s edocs website (http://edocs.bea.com/alui/ali/docs61/index.html) as indicated:

• Release Notes
• Installation and Upgrade Guide
• Installation Worksheet for Windows Installations
• Installation Worksheet for UNIX Installations
• Development Guide for AquaLogic User Interaction.

One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in December 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10103-2007), prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

BEA AquaLogic Interaction 6.1 MP1 with AquaLogic Interaction Development Kit 6.0 provides a low to moderate level of independently assured security in a conventional TOE and is suitable for a cooperative non-hostile environment with good physical access security and competent administrators.

BEA AquaLogic Interaction 6.1 MP1 with AquaLogic Interaction Development Kit 6.0 supports the following five security functions:

• Security Audit: ALI provides the capability to generate audit records, determine which user actions will be audited, and display the audit records. ALI is dependent upon the IT environment to store and protect the audit records from unauthorized modifications and deletions.
• User Data Protection: The primary security functionality of the TOE is to provide access control to ALI resources. ALI enforces an access control policy based on access control lists (ACLs) to control users’ access to ALI objects and administrative interfaces.
• Identification and Authentication: ALI includes the capability to use third-party authentication sources such as Microsoft Active Directory and various LDAP products to get user information and to perform identification and authentication. ALI enforces the identification and authentication decision received from the third-party source. ALI also includes an internal identification and authentication mechanism which is used to log in administrative users and user that are defined within the ALI. ALI includes the capability to monitor the login process and lockout user accounts that exceeded the configured unsuccessful login limit.
• Security Management: ALI includes the Administrative Portal that is used by authorized administrators to manage the security functions of the TOE, including: management of the access control function and ACLs; management of the audit function; management of user accounts, groups and roles; and management of user authentication and authentication failure handling.
• Protection of the TSF: ALI ensures all requests made through its interfaces to access its objects are mediated by the access control security function before any access is granted.