Common Criteria (EAL4) support

Common Criteria (EAL4) support

+
Search Tips | Advanced Search

The National Institute of Standards and Technology (NIST) has developed Common Criteria to ensure you have a safe option for downloading software to use on your systems.
Individuals have a reasonable expectation that their personal information contained in IT products or systems...

Remain private
Be available to them as needed
Not be subject to unauthorized modification

IT products or systems should perform their functions while exercising proper control of the information to ensure it is protected against hazards such as unwanted or unwarranted dissemination, alteration, or loss. The term IT security is used to cover prevention and mitigation of these and similar hazards.
Many consumers of IT lack the knowledge, expertise or resources necessary to judge whether their confidence in the security of their IT products or systems is appropriate, and they may not wish to rely solely on the assertions of the developers. Consumers may therefore choose to increase their confidence in the security measures of an IT product or system by ordering an analysis of its security (in other words, a security evaluation). To use WAS in the Common Criteria EAL4 evaluated configuration, obtain the EAL4 Guidance document.
The document describes how to install and configure WAS in the evaluated configuration and how to manage and deploy applications into the evaluated configuration. The J2EE specification overview describes how to confirm the supported J2EE specifications and their corresponding APIs. The following J2EE specifications, as implemented by WAS, require further explanation here, regarding their methods that are relevant to security.

Interoperable Naming Service (INS)

See Naming roles for the list of interface methods that are supported and are relevant to security.

JMS

The default messaging provider implements the JMS 1.1 specification (part of J2EE 1.4) and some extensions described in the product documentation. Its security model effects the JMS API developer. The following addendums apply to the JMS 1.1 specification when using the default messaging provider. Methods not listed in the table have no security relevance.

Class Method Messaging role required Behavior on security exception Notes
javax.jms.Session createProducer sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session createConsumer receiver Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session createDurableSubscriber receiver Throws JMSSecurityException wrapping SINotAuthorizedException 1,3,4
javax.jms.Session createBrowser browser Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session createTemporaryQueue creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session createTemporaryTopic creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.Session unsubscribe Throws JMSSecurityException wrapping SINotAuthorizedException 2,3,4
javax.jms.MessageProducer send sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.MessageConsumer receive receiver Throws JMSException wrapping SINotAuthorizedException 3,4
javax.jms.MessageConsumer receiveNoWait receiver Throws JMSException wrapping SINotAuthorizedException 3,4
javax.jms.QueueBrowser getEnumeration browser Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.ConnectionFactory createConnection connector Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException 3,4
javax.jms.QueueSession createReceiver receiver Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueSession createSender sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueSession createBrowser browser Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueSession createTemporaryQueue creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueSender send sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueConnectionFactory createQueueConnection connector Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException 3,4
javax.jms.QueueRequestor constructor sender, receiver, creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.QueueRequestor request sender, receiver Throws JMSSecurityException or JMSException, both wrapping SINotAuthorizedException 3,4
javax.jms.TopicSession createSubscriber receiver Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicSession createDurableSubscriber receiver Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicSession createPublisher sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicSession createTemporaryTopic creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicPublisher publish sender Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicConnectionFactory createTopicConnection connector Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException 3,4
javax.jms.TopicRequestor constructor sender, receiver, creator Throws JMSSecurityException wrapping SINotAuthorizedException 3,4
javax.jms.TopicRequestor request sender, receiver Throws JMSSecurityException or JMSException, both wrapping SINotAuthorizedException 3,4

When reconnecting to an existing subscription, must use same user ID as used when subscription was created.

Must use the same user ID as used when subscription was created.

Wrapped exceptions can be retrieved via JMSException.getLinkedException().

The user ID that will be used for access control depends upon the environment from which the method is invoked, according to the following table.

Environment User ID used

Stand-alone client User ID specified on createConnection, otherwise null.
Application server

For container managed authentication: User ID in container managed authentication alias specified in application resource reference.

For component managed authentication: User ID specified on createConnection, otherwise user ID in component managed authentication alias specified in connection factory.

Application client, using local connection factory

For container managed authentication: User ID specified on createConnection, otherwise user ID specified in connection factory.

For component managed authentication: User ID specified on createConnection, otherwise null.

Application client, using server connection factory (deprecated) User ID specified on createConnection, otherwise null.

Universal Description Discovery & Integration (UDDI)

The WebSphere UDDI Registry supports the OASIS UDDI standard 3.0.2.Note that the WebSphere UDDI Registry supports the following UDDI APIs from the v 3.0.2 standard:

v3 Inquiry API
v3 Publication API
v3 Security API
v3 intra-node Custody Transfer API
v3 HTTP GET services
v1 and v2 Inquiry API
v1 and v2 Publish API

The supported APIs require permissions, as described in TOPIC_NAME? of the WebSphere UDDI Registry documentation. The WebSphere UDDI Registry does not support the following programming interfaces.

inter-node Custody Transfer API
Subscription API
Replication API
Subscription Listener API
Value Set API

Related concepts
J2EE specification

Related information
Recommended fixes for WAS (Support document)
Common Criteria - what is it, and how do I benefit? (Support document)
UDDI V3.0.2 (by OASIS)

Class	Method	Messaging role required	Behavior on security exception	Notes
javax.jms.Session	createProducer	sender	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.Session	createConsumer	receiver	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.Session	createDurableSubscriber	receiver	Throws JMSSecurityException wrapping SINotAuthorizedException	1,3,4
javax.jms.Session	createBrowser	browser	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.Session	createTemporaryQueue	creator	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.Session	createTemporaryTopic	creator	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.Session	unsubscribe		Throws JMSSecurityException wrapping SINotAuthorizedException	2,3,4
javax.jms.MessageProducer	send	sender	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.MessageConsumer	receive	receiver	Throws JMSException wrapping SINotAuthorizedException	3,4
javax.jms.MessageConsumer	receiveNoWait	receiver	Throws JMSException wrapping SINotAuthorizedException	3,4
javax.jms.QueueBrowser	getEnumeration	browser	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.ConnectionFactory	createConnection	connector	Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException	3,4
javax.jms.QueueSession	createReceiver	receiver	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.QueueSession	createSender	sender	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.QueueSession	createBrowser	browser	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.QueueSession	createTemporaryQueue	creator	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.QueueSender	send	sender	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.QueueConnectionFactory	createQueueConnection	connector	Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException	3,4
javax.jms.QueueRequestor	constructor	sender, receiver, creator	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.QueueRequestor	request	sender, receiver	Throws JMSSecurityException or JMSException, both wrapping SINotAuthorizedException	3,4
javax.jms.TopicSession	createSubscriber	receiver	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.TopicSession	createDurableSubscriber	receiver	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.TopicSession	createPublisher	sender	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.TopicSession	createTemporaryTopic	creator	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.TopicPublisher	publish	sender	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.TopicConnectionFactory	createTopicConnection	connector	Throws JMSSecurityException wrapping either SINotAuthorizedException or SIAuthenticationException	3,4
javax.jms.TopicRequestor	constructor	sender, receiver, creator	Throws JMSSecurityException wrapping SINotAuthorizedException	3,4
javax.jms.TopicRequestor	request	sender, receiver	Throws JMSSecurityException or JMSException, both wrapping SINotAuthorizedException	3,4

Environment	User ID used
Stand-alone client	User ID specified on createConnection, otherwise null.
Application server	For container managed authentication: User ID in container managed authentication alias specified in application resource reference. For component managed authentication: User ID specified on createConnection, otherwise user ID in component managed authentication alias specified in connection factory.
Application client, using local connection factory	For container managed authentication: User ID specified on createConnection, otherwise user ID specified in connection factory. For component managed authentication: User ID specified on createConnection, otherwise null.
Application client, using server connection factory (deprecated)	User ID specified on createConnection, otherwise null.