Common Criteria (EAL4) support

The National Institute of Standards and Technology (NIST) has developed Common Criteria to ensure you have a safe option for downloading software to use on your systems. Information held by IT products or systems is a critical resource that enables organizations to succeed in their mission. Additionally, individuals have a reasonable expectation that their personal information contained in IT products or systems remain private, be available to them as needed, and not be subject to unauthorized modification. IT products or systems should perform their functions while exercising proper control of the information to ensure it is protected against hazards such as unwanted or unwarranted dissemination, alteration, or loss. The term IT security is used to cover prevention and mitigation of these and similar hazards.

Many consumers of IT lack the knowledge, expertise or resources necessary to judge whether their confidence in the security of their IT products or systems is appropriate, and they may not wish to rely solely on the assertions of the developers. Consumers may therefore choose to increase their confidence in the security measures of an IT product or system by ordering an analysis of its security (in other words, a security evaluation).

To use WAS in the Common Criteria EAL4 evaluated configuration, obtain the WAS EAL4 Guidance document. The document describes how to install and configure WAS in the evaluated configuration and how to manage and deploy applications into the evaluated configuration.

The Java 2, Enterprise Edition specification overview describes how to confirm the supported J2EE specifications and their corresponding application programming interfaces (APIs). The following J2EE specifications, as implemented by this product, require further explanation here, regarding their methods that are relevant to security.

Interoperable Naming Service (INS)

See Naming roles for the list of interface methods that are supported and are relevant to security.

Java Message Service (JMS)
The default messaging provider implements the JMS 1.1 specification (part of J2EE 1.4) and some extensions described in the product documentation. Its security model effects the JMS API developer. The following addendums apply to the JMS 1.1 specification when using the default messaging provider. Methods not listed in the table have no security relevance.

Class Method Messaging role required Behavior on security exception Notes
javax.jms.Session createProducer sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session createConsumer receiver Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session createDurableSubscriber receiver Throws JMSSecurityException wrapping SINotAuthorizedException 1,3,4
javax.jms.Session createBrowser browser Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session createTemporaryQueue creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session createTemporaryTopic creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session unsubscribe   Throws JMSSecurityException wrapping SINotAuthorizedException 2,3,4
javax.jms.MessageProducer send sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.MessageConsumer receive receiver Throws JMSException wrapping SINotAuthorizedException 3,4
javax.jms.MessageConsumer receiveNoWait receiver Throws JMSException wrapping SINotAuthorizedException 3,4
javax.jms.QueueBrowser getEnumeration browser Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.ConnectionFactory createConnection connector Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException 3,4
javax.jms.QueueSession createReceiver receiver Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueSession createSender sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueSession createBrowser browser Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueSession createTemporaryQueue creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueSender send sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueConnectionFactory createQueueConnection connector Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException 3,4
javax.jms.QueueRequestor constructor sender, receiver, creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueRequestor request sender, receiver Throws JMSSecurityException or JMSException, both wrapping SINotAuthorizedException 3,4
javax.jms.TopicSession createSubscriber receiver Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicSession createDurableSubscriber receiver Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicSession createPublisher sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicSession createTemporaryTopic creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicPublisher publish sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicConnectionFactory createTopicConnection connector Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException 3,4
javax.jms.TopicRequestor constructor sender, receiver, creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicRequestor request sender, receiver Throws JMSSecurityException or JMSException, both wrapping SINotAuthorizedException 3,4
  1. When reconnecting to an existing subscription, must use same user ID as used when subscription was created.
  2. Must use the same user ID as used when subscription was created.
  3. Wrapped exceptions can be retrieved via JMSException.getLinkedException().
  4. The user ID that will be used for access control depends upon the environment from which the method is invoked, according to the following table.
Environment User ID used
Stand-alone client User ID specified on createConnection, otherwise null.
Application server

  • For container managed authentication: User ID in container managed authentication alias specified in application resource reference.
  • For component managed authentication: User ID specified on createConnection, otherwise user ID in component managed authentication alias specified in connection factory.
Application client, using local connection factory

  • For container managed authentication: User ID specified on createConnection, otherwise user ID specified in connection factory.
  • For component managed authentication: User ID specified on createConnection, otherwise null.
Application client, using server connection factory (deprecated) User ID specified on createConnection, otherwise null.
Universal Description Discovery & Integration (UDDI)
The WebSphere UDDI Registry supports the OASIS UDDI standard 3.0.2.

Note that the WebSphere UDDI Registry supports the following UDDI APIs from the v 3.0.2 standard:

  • v3 Inquiry API
  • v3 Publication API
  • v3 Security API
  • v3 intra-node Custody Transfer API
  • v3 HTTP GET services
  • v1 and v2 Inquiry API
  • v1 and v2 Publish API

The supported APIs require permissions, as described in TOPIC_NAME? of the WebSphere UDDI Registry documentation.

The WebSphere UDDI Registry does not support the following programming interfaces.

  • inter-node Custody Transfer API
  • Subscription API
  • Replication API
  • Subscription Listener API
  • Value Set API


Related concepts
J2EE specification
Related information
Common Criteria Validation and Evaluation Scheme web site (by the National Information Assurance Partnership) Recommended fixes for WebSphere Application Server (Support document) Common Criteria - what is it, and how do I benefit? (Support document) UDDI Version 3.0.2 (by OASIS) WebSphere Application Server EAL4 AGD - Guidance

 



 

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.