Tivoli Identity Manager

Transcription

1 Tivoli Identity Manager Version 4.6 Common Criteria Guide SC

2

3 Tivoli Identity Manager Version 4.6 Common Criteria Guide SC

4 Note: Before using this information and the product it supports, read the information in Appendix B, Notices, on page 33. First Edition (August 2005) This edition applies to version 4.6 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions. This product includes Adaptx, a free XSLT Processor. (C) Keith Visco and Contributors. Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Preface v Who should read this book v Publications and related information......v Tivoli Identity Manager library v Prerequisite product publications vii Related publications viii Accessing publications online viii Accessibility viii Support information ix Conventions used in this book ix Typeface conventions ix Operating system differences ix Definitions for HOME and other directory variables x Special terms x Chapter 1. Introduction and roadmap for Common Criteria implementation What is Common Criteria? What this guide describes Implementation roadmap Chapter 2. Specifications and references for a CC-evaluated system About the evaluated version of Tivoli Identity Manager How to obtain the CC-evaluated product Component specifications for the CC-evaluated system Technical documentation guidance and reference Tivoli Identity Manager technical documentation library Accessing the Tivoli Identity Manager technical documentation used for CC evaluation Obtaining the official certification documents Evaluated and non-evaluated security functionality Evaluated security functionality Security functionality not evaluated...11 Chapter 3. Security policy assumptions and conditions Security policy assumptions Physical policy assumptions Personnel policy assumptions System policy assumptions Connectivity policy assumptions Installation and configuration conditions General server conditions General adapter conditions Documentation issues Assumed security threats Chapter 4. Configuring evaluated security functionality Auditing system activity Viewing audit records Identification and authentication Password challenge/response feature must be disabled No passwords allowed in notifications Shared secret for password notification not allowed Required password policies Client-to-Web server SSL communication required Server-to-adapter SSL communication required HTTPS communication on WebSphere Application Server must be enabled Java 2 security required for WebSphere Application Server Maximum number of invalid logon attempts Password expiration period Enable password editing Provisioning Disable remote password synchronization Event notification Event notification must be disabled...27 Appendix A. Support information Searching knowledge bases Search the information center on your local system or network Search the Internet Obtaining fixes Contacting IBM Software Support Determine the business impact of your problem 31 Describe your problem and gather background information Submit your problem to IBM Software Support 32 Appendix B. Notices Trademarks Index Copyright IBM Corp iii

6 iv IBM Tivoli Identity Manager: Common Criteria Guide

7 Preface Who should read this book The IBM Tivoli Identity Manager Common Criteria Guide provides information about how to use the IBM Tivoli Identity Manager product in accordance with Common Criteria guidelines. This book is intended for system and security administrators who install, maintain, or administer software on their site s computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader should understand administration concepts for the following: v Directory server v Database server v WebSphere embedded messaging support v WebSphere Application Server v IBM HTTP Server Publications and related information Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite product publications on page vii and the Related publications on page viii. After you determine the publications you need, refer to the instructions in Accessing publications online on page viii. Tivoli Identity Manager library The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories: v Release information v Planning for installation, configuration, and customization v Online user assistance v Server installation and configuration v Problem determination v Technical supplements v Adapter installation and configuration Release Information: v IBM Tivoli Identity Manager Release Notes Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information. v IBM Tivoli Identity Manager Documentation Read This First Card Lists the Tivoli Identity Manager publications. Planning for installation, configuration, and customization: IBM Tivoli Identity Manager Planning for Deployment Guide describes the components, functions, and capabilities of the product, explains how the product Copyright IBM Corp v

8 can impact the infrastructure of an organization, recommends guidelines for managing the implementation of the product, and recommends strategies for integrating these capabilities into a production environment. Online user assistance: Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide. Server installation and configuration: IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager. Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center. Problem determination: IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product. Technical supplements: The following technical supplements are provided by developers or by other groups who are interested in this product: v IBM Tivoli Identity Manager Performance Tuning Guide Provides information needed to tune Tivoli Identity Manager Server for a production environment. It is available on the Web at: Click the I character in the A-Z product list, and then, click the IBM Tivoli Identity Manager link. Browse the information center for the Technical Supplements section. v Redbooks and white papers are available on the Web at: IBMTivoliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link. v Technotes are available on the Web at: v Field guides are available on the Web at: v For an extended list of other Tivoli Identity Manager resources, search the following IBM developerworks Web site: Adapter installation and configuration: vi IBM Tivoli Identity Manager: Common Criteria Guide

9 The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of a Tivoli Identity Manager Server implementation. Locate adapters on the Web at: IBMTivoliIdentityManager.html Browse to the Other resources, and click the link for the current inventory of adapters. Skills and training: The following additional skills and technical training information were available at the time that this manual was published: v Virtual Skills Center for Tivoli Software on the Web at: v Tivoli Education Software Training Roadmaps on the Web at: v Tivoli Technical Exchange on the Web at: supp_tech_exch.html Prerequisite product publications To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager Server. Publications are available from the following locations: v Operating systems Microsoft Windows Server v Database servers IBM DB2 Universal Database - Support: - Information center: - Documentation: winos2unix/support/v8pubs.d2w/en_main - DB2 product family: - Fix packs: - System requirements: Oracle Microsoft SQL Server Preface vii

10 Related v Directory server applications IBM Tivoli Directory Server Version 5.2: en_us/html/ldapinst.htm Version 6.0: toc=/com.ibm.ibmds.doc/toc.xml v WebSphere Application Server Additional information is available in the product directory or Web sites. v WebSphere embedded messaging v IBM HTTP Server publications Information that is related to Tivoli Identity Manager Server is available in the following publications: v The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: v The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: Accessing publications online IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library. Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your local paper. Accessibility The product documentation includes the following features to aid accessibility: v Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software. v All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images. viii IBM Tivoli Identity Manager: Common Criteria Guide

11 Support information If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need: v Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information. v Obtaining fixes: You can locate the latest fixes that are already available for your product. v Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support. For more information about these ways to resolve problems, see Appendix A, Support information, on page 29. Conventions used in this book Typeface This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths. conventions This guide uses the following typeface conventions: Bold Italic v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text v Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:) v Keywords and parameters in text v Words defined in text v Emphasis of words (words as words) v New terms in text (except in a definition list) v Variables and values you must provide Monospace v Examples and code examples v File names, programming keywords, and other elements that are difficult to distinguish from surrounding text v Message text and prompts addressed to the user v Text that the user must type v Values for arguments or command options Operating system differences This guide uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Preface ix

12 Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system. Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions. Definitions for HOME and other directory variables The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table. The value of path varies for these operating systems: v Windows: drive:\program Files v AIX: /usr v Other UNIX: /opt Path Variable Default Definition Description ITIM_HOME WAS_HOME Windows: path\ibm\itim UNIX: path/ibm/itim Windows: path\websphere\appserver UNIX: path/websphere/appserver The base directory that contains the Tivoli Identity Manager code, configuration, and documentation. The WebSphere Application Server home directory Special terms The following special term is used in this information: UNIX and Linux The term UNIX means both UNIX and Linux systems. A Linux-specific label is used only when required for clarity. x IBM Tivoli Identity Manager: Common Criteria Guide

13 Chapter 1. Introduction and roadmap for Common Criteria implementation This IBM Tivoli Identity Manager Common Criteria Guide describes how to set up a Tivoli Identity Manager environment to meet the same security conditions used by the Common Criteria evaluation. This guide is a supplement to the standard Tivoli Identity Manager technical documentation library and provides the additional installation, configuration, and security information required to reproduce the security level of an evaluated system. Section topics: v 1.1 What is Common Criteria? on page 1 v 1.2 What this guide describes on page 2 v 1.3 Implementation roadmap on page What is Common Criteria? In order to ensure the security of their computer environments, many governments and other organizations rely on the development of and adherence to strict standards for software and other products. One of the most important of these standards is the Common Criteria for Information Technology Security Evaluation, an internationally recognized ISO standard (ISO 15408) that defines general concepts and principles of information technology (IT) security evaluation and presents a general model of evaluation. Common Criteria presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems. Common Criteria is used by the United States federal government, international governments, and other organizations to assess the security and assurance of technology products. The Common Criteria provides a standardized method of expressing security requirements and defines rigorous criteria by which products are evaluated. A product that passes a Common Criteria evaluation receives officially recognized certification. Common Criteria certification is widely recognized among IT professionals, government agencies, and customers as a seal-of-approval for mission-critical software. Common Criteria evaluation can take place in any certificate issuing member country. The Common Criteria Mutual Recognition Arrangement (CCMRA) ensures that certified products are accepted globally. New members are regularly and frequently added to the list of countries. You can find the information about Common Criteria at the following Web site: Copyright IBM Corp

14 1.2 What this guide describes 1.3 Implementation roadmap This guide makes a distinction between two types of Tivoli Identity Manager implementations: v An implementation that serves a specific production environment v An implementation that meets the conditions established for the Common Criteria evaluation of this product The system configuration that meets these conditions is referred to as a CC-evaluated system in this guide. A CC-evaluated implementation of Tivoli Identity Manager makes specific assumptions about installation, configuration, and security that distinguishes it from most production versions of the product. A CC-evaluated version of the product includes certain restrictions on the way product components are employed and draws specific boundaries around functionality and performance. The purpose of this guide is to describe the assumptions, conditions, and boundaries required to reproduce the implementation of Tivoli Identity Manager used for the Common Criteria evaluation. This Common Criteria evaluation is based on the English version of Tivoli Identity Manager and its documentation. You must use only the English-version Tivoli Identity Manager GUI and refer only to the English-version technical documentation when implementing the CC-evaluated version of Tivoli Identity Manager. To install and configure a CC-evaluated implementation of Tivoli Identity Manager, you must use the standard version 4.6 technical documentation for Tivoli Identity Manager, then refer to the IBM Tivoli Identity Manager Common Criteria Guide (this document) for supplemental information specific to the Common Criteria requirements. If configuration recommendations in the technical documentation are not consistent with the instructions in the IBM Tivoli Identity Manager Common Criteria Guide, the information in the IBM Tivoli Identity Manager Common Criteria Guide takes precedence and applies. For example, if a procedure is described as optional in the IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments but is required in the IBM Tivoli Identity Manager Common Criteria Guide, that procedure is required to meet the specifications for Common Criteria compliance. Use the following checklist as a roadmap to implementing a CC-evaluated version of Tivoli Identity Manager: 1. Understand the definition and purpose of the Common Criteria standard: IBM Tivoli Identity Manager Common Criteria Guide, chapter Review the CC-evaluated product component specifications, documentation references, and summary of evaluated security functionality: IBM Tivoli Identity Manager Common Criteria Guide, chapter Review and apply the installation and policy conditions required for a CC-evaluated system: IBM Tivoli Identity Manager Common Criteria Guide, chapter 3. 2 IBM Tivoli Identity Manager: Common Criteria Guide

15 4. Install and configure the single-server version of Tivoli Identity Manager according to the standard installation documentation: IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments 5. Review and apply the security functionality required for a CC-evaluated system: IBM Tivoli Identity Manager Common Criteria Guide, chapter 4. Chapter 1. Introduction and roadmap for Common Criteria implementation 3

16 4 IBM Tivoli Identity Manager: Common Criteria Guide

17 Chapter 2. Specifications and references for a CC-evaluated system Note: Before proceeding with this chapter, make sure you read 1.3 Implementation roadmap on page 2. This chapter provides specifications and references for implementing a Common Criteria evaluated (CC-evaluated) Tivoli Identity Manager system. Section topics: v 2.1 About the evaluated version of Tivoli Identity Manager on page 5 v 2.2 How to obtain the CC-evaluated product on page 5 v 2.3 Component specifications for the CC-evaluated system on page 6 v 2.4 Technical documentation guidance and reference on page 7 v 2.5 Evaluated and non-evaluated security functionality on page About the evaluated version of Tivoli Identity Manager IBM Tivoli Identity Manager 4.6 contains the technology to meet the requirements of the Common Criteria Evaluation Assurance Level (EAL) 3+. The system configuration that meets these requirements is referred to as a CC-evaluated system in this guide. The Common Criteria evaluation for Tivoli Identity Manager was performed on the specific configuration described in this guide. Any deviation from this configuration may result in a non-evaluated system, but does not necessarily mean that the security of the system is reduced. 2.2 How to obtain the CC-evaluated product Tivoli Identity Manager is a distributed system comprising the Tivoli Identity Manager Server, the application server, database, directory server, and adapters. Only the Tivoli Identity Manager Server and certain adapters have been assessed as the part of the evaluation, while other components are considered to provide supplementary functions in the IT environment. Tivoli Identity Manager is delivered as an installation image through IBM s Passport Advantage distribution channel. The evaluated configuration assumes that the customer uses online access to Passport Advantage to download an installation image. You must use the Restartable Transfer Java applet offered on the Passport Advantage download site for retrieving the images (and not the HTTP download). Only this applet provides for sufficient integrity of the downloaded files. Additionally, users should verify that IBM can be identified as the originator of the Java applet by checking the digital signature issued for it (open the applet in a browser to reveal an information box about the signature). Copyright IBM Corp

18 2.3 Component specifications for the CC-evaluated system The CC-evaluated implementation of Tivoli Identity Manager is a single-node deployment only. From the list of components below, only the Tivoli Identity Manager Server, the Microsoft Windows AD adapter, and the Oracle adapter were subject to evaluation under the Common Criteria. The remaining components are required to support the server and the adapters and are included in the definition of a CC-evaluated system configuration, but their individual security functionality has not been evaluated. Note: Refer to the IBM Tivoli Identity Manager Release Notes for the applicable fix packs and APARs that are associated with each product listed below. Supported platform components: v Java 2 Platform Enterprise Edition Specification (J2EE), Version 1.4 Tivoli Identity Manager Server processes run within the J2EE environment used by WebSphere Application Server. Consequently, all supported operating system versions listed in the IBM Tivoli Identity Manager Release Notes can be used for CC evaluation. The evaluated configuration is restricted to Windows Server 2003 Enterprise Edition. Supported server components: v WebSphere Application Server 5.1 for a single-server installation on all operating system platforms supported for Tivoli Identity Manager Version 4.6 Web application server Java Message Service (JMS) IBM WebSphere embedded messaging support v Tivoli Identity Manager Server 4.6 (this component included in the evaluation) Tivoli Identity Manager application binaries Tivoli Identity Manager configuration files Tivoli Identity Manager API (overview documentation, detailed documentation, examples) v IBM Directory Server Version 5.2, Fix Pack 2 v Supported Relational Database Management System (RDMS): IBM DB2 Universal Database Enterprise Edition server and IBM DB2 runtime client, Version 8.2 Oracle Version 9i Release 2 ( ) Microsoft SQL Server 2000 v Access to user and administration interfaces: Mozilla 1.7 (using the Java Runtime Environment provided with this browser) Microsoft Internet Explorer 6.0 (using the Java Runtime Environment provided with this browser) Supported adapter components: v Adapter for Windows AD Version (this component included in the evaluation) This adapter runs on 32-bit x86-based machines with Windows 2000 Advanced Server running Active Directory, Windows Server 2003 Enterprise Edition, or Windows XP Workstation. 6 IBM Tivoli Identity Manager: Common Criteria Guide

19 The evaluated configuration is restricted to Windows Server 2003 Enterprise Edition. v Oracle Database Adapter for Windows Version (this component included in the evaluation) This adapter runs on 32-bit x86-based machines with Windows Server 2003 Enterprise Edition, Windows 2000 Advanced Server, or Windows NT running Oracle Client software Version 8i or Version 9i. The adapter supports Oracle Database versions 8i and 9i for all platforms. The evaluated configuration is restricted to systems using Windows Server 2003 Enterprise Edition running the Oracle Client software Version 9i. 2.4 Technical documentation guidance and reference This Common Criteria evaluation is based on the English version of Tivoli Identity Manager and its documentation. When implementing the CC-evaluated version of Tivoli Identity Manager, you must use only the English-version Tivoli Identity Manager GUI and refer only to the following English-version technical documentation: v Tivoli Identity Manager version 4.6 publications described in Tivoli Identity Manager technical documentation library. v IBM Tivoli Identity Manager Common Criteria Guide (this document), which must be obtained using a secure download procedure described in Accessing the Tivoli Identity Manager technical documentation used for CC evaluation Tivoli Identity Manager technical documentation library The following technical documents provide standard information and procedures for installing and configuring the CC-evaluated implementation of Tivoli Identity Manager. These documents were updated and revised for version 4.6 and verified for security compliance with the Common Criteria evaluation: v IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments v IBM Tivoli Identity Manager Oracle Adapter for Windows Installation and Configuration Guide v IBM Tivoli Identity Manager Adapter for Windows Installation and Configuration Guide v IBM Tivoli Identity Manager Information Center Additionally, always review the latest version of the IBM Tivoli Identity Manager Release Notes for late-arriving Common Criteria information affecting this product. To implement a CC-evaluated system, you must follow all configuration and security guidelines specified in the IBM Tivoli Identity Manager Common Criteria Guide (this document), which must be obtained using one of the secure access procedures described in Tivoli Identity Manager technical documentation library Accessing the Tivoli Identity Manager technical documentation used for CC evaluation The standard library information for installing and configuring the CC-evaluated implementation of Tivoli Identity Manager, described in Tivoli Identity Chapter 2. Specifications and references for a CC-evaluated system 7

20 Manager technical documentation library on page 7, can be obtained online (in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format or both) in the Tivoli Information Center: Use the publications listed in the Tivoli Information Center to install and configure a CC-evaluated implementation of Tivoli Identity Manager. However, to ensure compliance with CC guidelines, access the IBM Tivoli Identity Manager Common Criteria Guide using a secure procedure described in this section. Do not use the copy of IBM Tivoli Identity Manager Common Criteria Guide that is posted in the Tivoli Information Center. Updates to all technical documents are also posted in the Tivoli Information Center. You must securely obtain the IBM Tivoli Identity Manager Common Criteria Guide using either of the following procedures: Passport Advantage The IBM Tivoli Identity Manager Common Criteria Guide is available as a separately selectable item for customers with Passport Advantage access to the IBM Tivoli Identity Manager Version 4.6 product. Download Director The IBM Tivoli Identity Manager Common Criteria Guide can also be obtained securely through the IBM Publications Center using the Download Director option. To use Download Director, you must have installed Java 2 Runtime Environment version on your local system, and your Web browser must be set to use Java To access the IBM Publications Center, use the following procedure: 1. Start a supported version of a Web browser and go to the IBM home page at: 2. Under Get support click Product publications. 3. In the Product publications window, in the Information centers and libraries section, click Browse by product. 4. In the Product information window, in the Product information column, click Search for publications. 5. In Welcome to the IBM Publications Center, in the search field, select United States of America and click Go. 6. In the Quick Publications Center Search window, in the Publication number field, enter SC , and click Go. 7. In the Publication information window the IBM Tivoli Identity Manager Common Criteria Guide is listed. Click the option under Download Director. 8. The security applet prompts you to select whether you trust the content of the information you are about to receive from the IBM Web site. Click Yes to start the download. To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File Print). 8 IBM Tivoli Identity Manager: Common Criteria Guide

21 2.4.3 Obtaining the official certification documents The official technical reference describing the details of the Common Criteria evaluation for Tivoli Identity Manager Version 4.6 is contained in a document known as the IBM Tivoli Identity Manager 4.6 Security Target. Additionally, a certification report is produced that describes the successful completion of the evaluation process. When these documents are made available, you can obtain them from the Web site of the German certification body, Bundesamt für Sicherheit in der Informationstechnik (BSI): Chapter 2. Specifications and references for a CC-evaluated system 9

22 2.5 Evaluated and non-evaluated security functionality This section describes: v Security functionality evaluated for Tivoli Identity Manager 4.6. For specific details describing the configuration of these security items, refer to Chapter 4, Configuring evaluated security functionality, on page 19. v Security functionality not evaluated for Tivoli Identity Manager Evaluated security functionality This section describes the security functionality that was evaluated for the 4.6 version of Tivoli Identity Manager. For specific details describing the configuration of these security items, refer to Chapter 4, Configuring evaluated security functionality, on page 19. Audit of activities A CC-evaluated implementation of Tivoli Identity Manager is capable of auditing internal events (such as the modification of provisioning policies or the creation of new users) by generating audit information for all transactions and storing this information in a transactional database provided by the IT environment. You can view these audit records using the Tivoli Identity Manager GUI (Home Pending or Completed Requests). Identification and authentication A CC-evaluated implementation of Tivoli Identity Manager identifies users (including administrators) by user name and authenticates them by password. ITIM users are persons having an account on the Tivoli Identity Manager system. ITIM users can be organized by membership in ITIM groups. User identities are stored in a directory server provided by the IT environment. Only hashes of the passwords are stored in the Tivoli Identity Manager system. Password policies can be applied to enforce requirements on the quality of the password that a user chooses. Lockout mechanisms prevent password guessing attacks. Authorization (access control) A CC-evaluated implementation of Tivoli Identity Manager performs authorization for user actions, commonly referred to as requests, based on access control items (ACIs). ACIs can be assigned to ITIM groups and ACI principals (such as administrators). One predefined account (ITIM manager) exists for Tivoli Identity Manager administrators. Other ITIM groups can be defined by the customer. The following ACIs have been considered in the Common Criteria evaluation: v v v Organizational Provides access control to functions related to entities within an organization or the organization itself. Provisioning Provides access control to functions related to provisioning and other policies. Reporting Provides access control to functions related to the generation of reports. ACIs can be created, modified, or deleted by either a system administrator or explicitly entitled users. Members of the predefined administrator group are not subject to any access control. 10 IBM Tivoli Identity Manager: Common Criteria Guide

23 Provisioning Provisioning policies for a CC-evaluated implementation of Tivoli Identity Manager define the services to which persons belonging to an organizational role can have access. If a person belongs to an organizational role defined within a Tivoli Identity Manager environment, and a provisioning policy specifies the entitlement of this organizational role to a certain service, the person is entitled to have an account on this service. Such an account may be created in the following ways: v Upon request of the user, if the person belongs to an ITIM group v Manually created by an administrator request v Automatically created for the person during periodic policy enforcement Service reconciliation and identity feeds The CC-evaluated implementation of Tivoli Identity Manager provides the capability of gathering account information from managed resources. The process of reconciliation retrieves and compares user information stored on a managed resource with the corresponding data stored in the Tivoli Identity Manager database. Additionally, data can be imported by identity feeds. For example, user data (such as person, or identity, information) can be imported into an organization managed by Tivoli Identity Manager. This functionality eliminates the manual adding of a potentially large number of persons to the Tivoli Identity Manager database by the administrator. Identity feeds also allow automated reconciliation with systems used for human resource management within an organization. An identity feed from a DSML file and a reconciliation using the IBM Tivoli Directory Integrator were both evaluated for Common Criteria Security functionality not evaluated This section lists the security functionality that was determined to be out of scope and therefore not evaluated for the 4.6 version of Tivoli Identity Manager. You can use the functionality listed in this section; however, the current Common Criteria evaluation for Tivoli Identity Manager Version 4.6 does not provide any level of assurance for the use of these items. v SSL/TLS-based encryption of network connections was not evaluated for Common Criteria. Tivoli Identity Manager makes use of several third party products to implement this functionality. The assumption is made that these products provide a correct implementation of SSL/TLS. v Generation of log files that can be viewed by directly accessing the files was not evaluated for Common Criteria. v Identity feed through a JNDI interface was not evaluated for Common Criteria. v The use of IBM Tivoli Directory Integrator for provisioning accounts was not evaluated for Common Criteria. v The Enterprise Java Beans (EJB), Web, and applet containers in the IT environment (described in J2EE, J2SE, and related specifications) were not evaluated for Common Criteria. Chapter 2. Specifications and references for a CC-evaluated system 11

24 12 IBM Tivoli Identity Manager: Common Criteria Guide

25 Chapter 3. Security policy assumptions and conditions Note: Before proceeding with this chapter, make sure you read 1.3 Implementation roadmap on page 2. A Common Criteria evaluated (CC-evaluated) implementation of Tivoli Identity Manager makes specific assumptions about required security policy and installation restrictions. Assumptions are items and issues that cannot be formally evaluated but are required to ensure the security level of a CC-evaluated system. To reproduce a CC-evaluated implementation of Tivoli Identity Manager, you must review and apply the items in this chapter. Section topics: v 3.1 Security policy assumptions on page 13 v 3.2 Installation and configuration conditions on page Security policy assumptions A CC-evaluated implementation of Tivoli Identity Manager is based on security policy assumptions that must be respected to achieve and maintain a secure operation Physical policy assumptions The machines running the Tivoli Identity Manager server and adapters that are part of the CC-evaluated configuration must be protected against unauthorized physical access and modification Personnel policy assumptions v The system administration personnel for Tivoli Identity Manager and the IT environment are not careless, willfully negligent, or hostile, and follow and abide by the instructions provided by the administrator documentation. They are well trained to securely administer all aspects of Tivoli Identity Manager operation in accordance with the conditions outlined in the product technical documentation and this guide. v Passwords generated for users of the system by administrators must be transmitted in a secure fashion to the users. v Users and administrators have to protect any passwords used for authentication to Tivoli Identity Manager, and must not disclose their passwords to others. v Users of the Tivoli Identity Manager environment are from a well-managed user community in a non-hostile working environment System policy assumptions v All services on the Tivoli Identity Manager Server must be switched off, especially networked services that are nonessential for running, managing, and administering Tivoli Identity Manager. Tivoli Identity Manager components must be the only components running on the underlying operating systems. v The runtime environment must provide an exact time to the Tivoli Identity Manager components. Exact time is critical for audit record generation. v Tivoli Identity Manager properties files, configuration files, and log/audit files must be protected using operating system access control mechanisms. Copyright IBM Corp

26 v The directory server must protect stored data from unauthorized modification and deletion by requiring user identification and authentication, and performing access control on the data entries. v The database server must protect stored audit records and other data from unauthorized modification and deletion by requiring user identification and authentication, and performing access control on the data entries. v If you use the product APIs to create a custom application to access the Tivoli Identity Manager Server, you must use the ITIM_CLIENT role to establish the working context in the WebSphere Application Server. The ITIM_CLIENT role is described in the IBM Tivoli Identity Manager Planning for Deployment Guide. Additional management and administration issues and mechanisms of the underlying operating systems are beyond the scope of these guidelines Connectivity policy assumptions v An administrator using a remote terminal or remote workstation for administration must ensure that the remote terminal or workstation is in a secured environment and use secure connections to the Tivoli Identity Manager Server. Adequate procedures and security policies must be in place to protect remote terminal-to-server communication against eavesdropping and unauthorized access. v An administrator using the Web GUI supplied with the product to access the Tivoli Identity Manager Server from a remote workstation must log in with a user ID that is mapped to the ITIM_CLIENT role. The ITIM_CLIENT role, described in the IBM Tivoli Identity Manager Planning for Deployment Guide, is an unprivileged role that prevents access to core product functions. The procedure for mapping credentials to the ITIM_CLIENT role is described in Java 2 security required for WebSphere Application Server on page 24. v Person information stored in any external enterprise identity data store must be managed in a way that allows proper association with the entity information managed by Tivoli Identity Manager. 3.2 Installation and configuration conditions General server conditions v This Common Criteria evaluation is based on the English version of Tivoli Identity Manager and its documentation. You must use only the English-version Tivoli Identity Manager GUI. v Ensure that you are using clean systems that do not have previous versions of Tivoli Identity Manager installed. You are not allowed to upgrade from an older release to the current release and then use this upgraded system as a basis for a CC-evaluated configuration. v The system must be configured in such a way that no unauthorized access to functions provided by the Web application server and operating system software (including network services) is possible either locally or through any network connection. Additionally, all product system components are protected against interference by unauthorized users. v The Tivoli Identity Manager Server component must be installed and operated on a dedicated Web application server that communicates through network connections with clients, adapters, and the resources in the IT environment (for example, LDAP registry, relational database management system (RDBMS)). 14 IBM Tivoli Identity Manager: Common Criteria Guide

27 v Do not register user-defined Java or JavaScript extensions in the Tivoli Identity Manager configuration files. v The CC-evaluated implementation of Tivoli Identity Manager must not be operated in a multi-tenant setup. v The usage of low-level APIs (as opposed to the provided application API) to extend the functionality of the Tivoli Identity Manager core services is prohibited. v The Web application server and MQSeries are installed on one dedicated machine that is physically and logically protected. Clustering is disabled. v The directory server and RDBMS are installed either together on one system or separately on two systems. They are for dedicated use by Tivoli Identity Manager only and configured accordingly (for example, with restricted network availability). The underlying machine(s) are dedicated to run only these applications. v All network communication is protected, either by cryptographic (SSL/TLS) or organizational (restricted network access) means. Network connections requiring protection include: Client to application server/web server Adapter to Tivoli Identity Manager server Database server to Tivoli Identity Manager server Directory server to Tivoli Identity Manager server v Only identity feed through a DSML file and reconciliation using the IBM Tivoli Directory Integrator are supported as the mechanisms for identity feed and account reconciliation. v IBM Tivoli Directory Integrator is not supported for provisioning accounts. v Single sign-on (SSO) with Tivoli Access Manager is not supported. v Applications that access the Tivoli Identity Manager application API are implemented using the Java Development Kit (JDK) packaged with the WebSphere Application Server. v The procedure entitled "Configuring the referential integrity plug-in on the IBM Tivoli Directory Server" in the IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments is not required for CC evaluation. The plug-in is already integrated into the IBM Tivoli Directory Server General adapter conditions v The CC-evaluated implementation of Tivoli Identity Manager can only use the specified adapters (refer to 2.3 Component specifications for the CC-evaluated system on page 6). Tivoli Identity Manager adapters were called agents in previous versions of Tivoli Identity Manager. No other adapters or agents in the IT environment can be connected to the CC-evaluated configuration, including LDAP or vendor-specific agents. v The adapters supported by the CC-evaluated configuration must use the DAML protocol (and not FTP) for communication with the Tivoli Identity Manager server. v The operating system must operate as specified and provide adequate protection measures against tampering with the adapter and its interfaces. v To prevent password snooping through the network, access to network sockets opened by adapters for configuration with the agentcfg utility is restricted to root users, or administrators, on the local operating system hosting the adapter. High quality passwords must be set for the adapter configuration. Chapter 3. Security policy assumptions and conditions 15

28 3.2.3 Documentation issues 3.3 Assumed security threats v This Common Criteria evaluation is based on the English version of Tivoli Identity Manager and its documentation. You must refer only to the English-version technical documentation when implementing the CC-evaluated version of Tivoli Identity Manager. v The following technical documents provide standard information and procedures for installing and configuring the CC-evaluated implementation of Tivoli Identity Manager. These documents must be obtained using the secure procedure described in Accessing the Tivoli Identity Manager technical documentation used for CC evaluation on page 7. IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments IBM Tivoli Identity Manager Oracle Adapter for Windows Installation and Configuration Guide IBM Tivoli Identity Manager Adapter for Windows Installation and Configuration Guide IBM Tivoli Identity Manager Information Center IBM Tivoli Identity Manager Common Criteria Guide (this document) IBM Tivoli Identity Manager Release Notes The Common Criteria evaluation of Tivoli Identity Manager produces a set of conditions for an accepted level of security for the system implementation. Security conditions exist to counter the general threat of unauthorized access to stored and transmitted information assets. The term access includes the acts of disclosure, modification, and destruction. Assets to be protected include: v Information related to identities, accounts, organizational structures, users, and groups v Provisioning policies, password policies, service definitions, workflows, ACIs, and other policies maintained by Tivoli Identity Manager v Authentication and transaction security credentials Two classifications of threats (threat agents) are considered: v Unauthenticated individuals Individuals not known to Tivoli Identity Manager but who have network-based access to communication interfaces exposed by Tivoli Identity Manager. v Authorized users of Tivoli Identity Manager Individuals who have successfully authenticated themselves to Tivoli Identity Manager and can access resources as defined by the access control information through the user and administration interface. The CC-evaluated implementation of Tivoli Identity Manager is not intended to provide protection against determined attempts by hostile and well-funded attackers attempting to breach system security. Instead, the CC-evaluated implementation of Tivoli Identity Manager assumes that threats are going to originate from a well-managed user community in a non-hostile working environment. Therefore, the product s focus is to protect against inadvertent or casual attempts to breach the system security. 16 IBM Tivoli Identity Manager: Common Criteria Guide