122-B
June 2009 Issue 1.0 Page 1 of 18
CERTIFICATION REPORT No. CRP250
Oracle Business Intelligence Enterprise Edition (OBIEE)
Version 10.1.3.3.2 with Quick Fix 090406
running on Oracle Enterprise Linux 4 update 5 x86_64
Issue 1.0
June 2009
© Crown Copyright 2009 – All Rights Reserved
Reproduction is authorised, provided
that this report is copied in its entirety.
CESG Certification Body
IACS Delivery Office, CESG
Hubble Road, Cheltenham
Gloucestershire, GL51 0EX
United Kingdom
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 2 of 18 Issue 1.0 June 2009
CERTIFICATION STATEMENT
The product detailed below has been evaluated under the terms of the UK IT Security Evaluation and Certification
Scheme and has met the specified Common Criteria requirements. The scope of the evaluation and the assumed
usage environment are specified in the body of this report.
Sponsor: Oracle Corporation
Developer: Oracle Corporation
Product and Version: Oracle Business Intelligence Enterprise Edition (OBIEE)
Version 10.1.3.3.2 with Quick Fix 090406
Platform: Oracle Enterprise Linux (OEL) version 4 update 5 x86_64
Description: Oracle Business Intelligence Enterprise Edition (OBIEE) is a suite of products that
allow enterprises to securely manage, report on and present access to their resources and
assets via a single common business model. It provides users with secure, fine-grained
access to enterprise resources and assets.
CC Part 2: Extended
CC Part 3: Conformant
EAL: EAL3
SoF: N/A
PP Conformance: N/A
CLEF: Logica UK Limited
CC Certificate: CRP250
Date Certified: 19 June 2009
The evaluation was performed in accordance with the requirements of the UK IT Security Evaluation and Certification Scheme as described in
UK Scheme Publication 01 [UKSP01] and 02 [UKSP02P1], [UKSP02P2]. The Scheme has established a Certification Body, which is
managed by CESG on behalf of Her Majesty’s Government.
The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target [ST], which
prospective consumers are advised to read. To ensure that the Security Target gave an appropriate baseline for a CC evaluation, it was first
itself evaluated. The TOE was then evaluated against this baseline. Both parts of the evaluation were performed in accordance with CC Part 1
[CC1] and 3 [CC3], the Common Evaluation Methodology [CEM] and relevant Interpretations.
The issue of a Certification Report is a confirmation that the evaluation process has been performed properly and that no exploitable
vulnerabilities have been found in the evaluated configuration of the TOE. It is not an endorsement of the product.
ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES
IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY
The Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of the above Arrangement [CCRA] and, as
such, this confirms that the Common Criteria certificate has been issued by or under the authority of a Party to this Arrangement and is the
Party’s claim that the certificate has been issued in accordance with the terms of this Arrangement.
The judgements1
contained in the certificate and in this report are those of the Qualified Certification Body which issued them and of the
Evaluation Facility which performed the evaluation. There is no implication of acceptance by other Members of the Arrangement Group of
liability in respect of those judgements or for loss sustained as a result of reliance placed by a third party upon those judgements.
MUTUAL RECOGNITION AGREEMENT OF INFORMATION TECHNOLOGY SECURITY EVALUATION CERTIFICATES
The SOG-IS MRA logo which appears below:
• confirms that the certificate has been issued under the authority of a party to an international Mutual Recognition Agreement (MRA)
[MRA] designed to ensure that security evaluations are performed to high and consistent standards;
• indicates that it is the claim of the evaluating party that its evaluation and certification processes meet all the conditions of the MRA.
The judgements1
contained in the certificate and in this report are those of the Qualified Certification Body which issued them and of the
Evaluation Facility which performed the evaluation. Use of the logo of this Agreement does not imply acceptance by other Members of
liability in respect of those judgements or for loss sustained as a result of reliance placed by a third party upon those judgements.
CCRA logo CC logo SOG-IS MRA logo
1
All judgements contained in this Certification Report are covered by the CCRA [CCRA] and the MRA [MRA].
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
June 2009 Issue 1.0 Page 3 of 18
TABLE OF CONTENTS
CERTIFICATION STATEMENT..............................................................................................2
TABLE OF CONTENTS..............................................................................................................3
I. EXECUTIVE SUMMARY .................................................................................................4
Introduction........................................................................................................................................ 4
Evaluated Product and TOE Scope.................................................................................................... 4
Protection Profile Conformance......................................................................................................... 4
Security Claims.................................................................................................................................. 4
Evaluation Conduct............................................................................................................................ 5
Conclusions and Recommendations .................................................................................................. 5
Disclaimers ........................................................................................................................................ 5
II. TOE SECURITY GUIDANCE...........................................................................................7
Introduction........................................................................................................................................ 7
Delivery.............................................................................................................................................. 7
Installation and Guidance Documentation......................................................................................... 7
III. EVALUATED CONFIGURATION ..................................................................................8
TOE Identification ............................................................................................................................. 8
TOE Documentation .......................................................................................................................... 8
TOE Scope......................................................................................................................................... 8
TOE Configuration ............................................................................................................................ 8
Environmental Requirements............................................................................................................. 8
Test Configuration ............................................................................................................................. 9
IV. PRODUCT ARCHITECTURE........................................................................................11
Introduction...................................................................................................................................... 11
Product Description and Architecture.............................................................................................. 11
TOE Design Subsystems.................................................................................................................. 12
TOE Dependencies .......................................................................................................................... 13
TOE Interfaces................................................................................................................................. 13
V. TOE TESTING ..................................................................................................................14
TOE Testing..................................................................................................................................... 14
Vulnerability Analysis ..................................................................................................................... 14
Platform Issues................................................................................................................................. 14
VI. REFERENCES...................................................................................................................15
VII. ABBREVIATIONS............................................................................................................17
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 4 of 18 Issue 1.0 June 2009
I. EXECUTIVE SUMMARY
Introduction
1. This Certification Report states the outcome of the Common Criteria (CC) security
evaluation of Oracle Business Intelligence Enterprise Edition (OBIEE) Version 10.1.3.3.2
with Quick Fix 090406 to the Sponsor, Oracle Corporation, as summarised on page 2
‘Certification Statement’ of this report, and is intended to assist prospective consumers
when judging the suitability of the IT security of the product for their particular
requirements.
2. Prospective consumers are advised to read this report in conjunction with the Security
Target [ST], which specifies the functional, environmental and assurance requirements.
Evaluated Product and TOE Scope
3. The following product completed evaluation to CC EAL3 on 19 June 2009:
• Oracle Business Intelligence Enterprise Edition Version 10.1.3.3.2 with Quick Fix
090406 running on Oracle Enterprise Linux version 4 update 5 x86_64.
4. The Developer was Oracle Corporation.
5. The evaluated configuration of this product is described in this report as the Target of
Evaluation (TOE). Details of the TOE Scope, its assumed environment and the evaluated
configuration are given in Chapter III ‘Evaluated Configuration’ of this report.
6. An overview of the TOE and its product architecture can be found in Chapter IV ‘Product
Architecture’ of this report. Configuration requirements are specified in Section 2 of [ST].
Protection Profile Conformance
7. The Security Target [ST] does not claim conformance to any protection profile.
Security Claims
8. The Security Target [ST] fully specifies the TOE’s Security Objectives, the Threats which
these Objectives counter and the Security Functional Requirements (SFRs) that refine the
Objectives. All of the SFRs are taken from CC Part 2 [CC2]; use of this standard facilitates
comparison with other evaluated products.
9. The TOE security policies are detailed in ST [ST]. There are no Organisational Security
Policies (OSPs) specified in ST [ST].
10. The environmental assumptions related to the operating environment are detailed in
Chapter III (in ‘Environmental Requirements’) of this report.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
June 2009 Issue 1.0 Page 5 of 18
Evaluation Conduct
11. The Certification Body monitored the evaluation which was performed by the Logica
Commercial Evaluation Facility (CLEF). The evaluation addressed the requirements
specified in the Security Target [ST]. The results of this work, completed in May 2009,
were reported in the Evaluation Technical Reports [ETR1], [ETR2] and [ETR3].
Conclusions and Recommendations
12. The conclusions of the Certification Body are summarised on page 2 ‘Certification
Statement’ of this report.
13. Prospective consumers of Oracle Business Intelligence Enterprise Edition Version
10.1.3.3.2 with Quick Fix 090406 should understand the specific scope of the certification
by reading this report in conjunction with the Security Target [ST]. The TOE should be
used in accordance with the environmental assumptions specified in the Security Target.
Prospective consumers are advised to check that the SFRs and the evaluated configuration
match their identified requirements, and to give due consideration to the recommendations
and caveats of this report.
14. The TOE should be used in accordance with the supporting guidance documentation
included in the evaluated configuration. Chapter II ‘TOE Security Guidance’ of this report
includes a number of recommendations regarding the secure receipt, installation,
configuration and operation of the TOE.
15. In addition, the Evaluators’ comments and recommendations are as follows:
• There are no specific comments or recommendations for the TOE consumer. Note that
six Level 4 Observation Reports remain outstanding, for resolution by the Developer in
future versions of this product. However, most of the associated risks are adequately
mitigated by following the Evaluated Configuration Guide [ECG].
Disclaimers
16. This report is only valid for the evaluated TOE. This is specified in Chapter III ‘Evaluated
Configuration’ of this report.
17. Certification is not a guarantee of freedom from security vulnerabilities. There remains a
small probability (smaller with higher Evaluation Assurance Levels) that exploitable
vulnerabilities may be discovered after an evaluation has been completed. This report
reflects the Certification Body’s view at the time of certification.
18. Existing and prospective consumers should check regularly for themselves whether any
security vulnerabilities have been discovered since the final ETR was issued and, if
appropriate, should check with the Vendor to see if any patches exist for the product and
whether those patches have further assurance.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 6 of 18 Issue 1.0 June 2009
19. The installation of patches for security vulnerabilities, whether or not those patches have
further assurance, should improve the security of the TOE. However, note that
unevaluated patching will invalidate the certification of the TOE, unless the TOE has
undergone a formal re-certification or is covered under an approved Assurance Continuity
process by a CCRA certificate-authorising Scheme.
20. All product or company names used in this report are for identification purposes only and
may be trademarks of their respective owners.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
June 2009 Issue 1.0 Page 7 of 18
II. TOE SECURITY GUIDANCE
Introduction
21. The following sections provide guidance that is of particular relevance to purchasers of the
TOE.
Delivery
22. On receipt of the TOE, the consumer is recommended to check that the evaluated version
has been supplied from an authentic source and the security of the TOE has not been
compromised (e.g. by tampering) during delivery.
23. Section 2 of the [ECG] lists all components that constitute the TOE, including specific CD
part numbers.
Installation and Guidance Documentation
24. The Installation and Secure Configuration documentation is as follows:
• [ECG] Evaluated Configuration Document – Provides guidance to
administrators for the security of the TOE and its environment.
25. The Evaluated Configuration Document [ECG] is released by Oracle to consumers on
request. It is anticipated that Oracle may also make the document available for download
from one of its websites, for example via:
http://www.oracle.com/technology/deploy/security/seceval/oracle-common-criteria-evaluated.html
26. The User Guide and Administration Guide documentation is as follows:
• [ECG] Evaluated Configuration Document
• [AG_BIPS] OBI Presentation Services Administration Guide
• [AG_WS] OBI Web Services Guide
• [AG_BIS] OBI Server Administration Guide
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 8 of 18 Issue 1.0 June 2009
III. EVALUATED CONFIGURATION
TOE Identification
27. The TOE is Oracle Business Intelligence Enterprise Edition Version 10.1.3.3.2 with Quick
Fix 090406, which consists of:
• Oracle Web Services (10.1.3.3.2),
• Oracle BI Java Host (10.1.3.3.2),
• Oracle BI Answers (10.1.3.3.2),
• Oracle BI Server (10.1.3.3.2) with Quick Fix 090406, and
• Oracle BI Presentation Services (10.1.3.3.2) with Quick Fix 090406.
TOE Documentation
28. The relevant guidance documentation for the evaluated configuration is identified in
Chapter II (in ‘Installation and Guidance Documentation’) of this report.
TOE Scope
29. The TOE Scope is defined in the Security Target [ST] Section 2. Functionality that is
outside the TOE Scope is also defined in [ST] Section 2.
TOE Configuration
30. The evaluated configuration of the TOE is defined in [ECG] Section 2.
Environmental Requirements
31. The environmental assumptions for the TOE are stated in [ST] Section 3.
32. The TOE was evaluated running on Oracle Enterprise Linux 4 Update 5 x86_64.
33. The TOE has software dependencies, in that it relies on the host operating system, database
server, web server, internet directory to:
a. Protect the TOE’s security features that are within the scope of its evaluation and
certification, including its:
i. user identification and authentication;
ii. resource access control;
iii. security attribute maintenance;
iv. audit and accountability.
b. Protect the TOE from being bypassed, tampered with, misused or directly attacked.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
June 2009 Issue 1.0 Page 9 of 18
34. Hence the security of the TOE depends not only on secure administration of the TOE, but
also on secure administration of the host operating system, database server, internet
directory and web server in secure configurations using the TOE.
Test Configuration
35. The Developers used the following configuration for their testing:
Machine No 1 2 3 4 5 6 7
Machine name Dell Optiplex
745 MT
Dell Optiplex
745 MT
Dell Optiplex
745 MT
Dell Optiplex
745 MT
Dell Optiplex
745 MT
Dell Optiplex
745 MT
Dell Optiplex
745 MT
Processor Core 2 Duo
E6400
Core 2 Duo
E6400
Core 2 Duo
E6400
Core 2 Duo
E6400
Core 2 Duo
E6400
Core 2 Duo
E6400
Core 2 Duo
E6400
CPU speed 2.13 GHz 2.13 GHz 2.13 GHz 2.13 GHz 2.13 GHz 2.13 GHz 2.13 GHz
Memory 1 GB 1 GB 1 GB 1 GB 1 GB 1 GB 1 GB
Operating System Oracle
Enterprise
Linux 4
Update 5
x86_64
Oracle
Enterprise
Linux 4
Update 5
x86_64
Oracle
Enterprise
Linux 4
Update 5
x86_64
Oracle
Enterprise
Linux 4
Update 5
x86_64
Oracle
Enterprise
Linux 4
Update 5
x86_64
Windows XP Oracle
Enterprise
Linux 4
Update 5
x86_64
Drives 160 GB 160 GB 160 GB 160 GB 160 GB 160 GB 160 GB
Products Installed
Used
as
Primary
OBI
EE
server
-
Oracle
Application
Server
10g
Release
3
(10.1.3.1.0)
-
Oracle
Client
10g
Release
2
(10.2.0.3.0)
-
Oracle
Business
Intelligence
Enterprise
Edition
(10.1.3.3.2)
Used
as
Secondary
OBIEE
Server
-
Oracle
Application
Server
10g
Release
3
(10.1.3.1.0)
-
Oracle
Client
10g
Release
2
(10.2.0.3.0)
-
Oracle
Business
Intelligence
Enterprise
Edition
(10.1.3.3.2)
Database
server
-
Oracle
Database
10g
Release
2
(10.2.0.3.0)
LDAP
server
-
Oracle
Internet
Directory
10g
(10.1.4.0.1)
Web
server
-
Oracle
Application
Server
10g
Release
3
(10.1.3.1.0)
-
Oracle
HTTP
Server
10g
(10.1.2.0.2)
-
Oracle
Business
Intelligence
Enterprise
Edition
Services
Plug-
In
(10.1.3.3.2)
OBIEE
Admin
tools
-
Oracle
Application
Server
10g
Release
3
(10.1.3.1.0)
-
Oracle
Business
Intelligence
Enterprise
Edition
Client
Tools
(10.1.3.3.2)
N/A
used
as
Network
File
System
(NFS)
Table 1 – Environmental Configuration (Developer’s tests)
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 10 of 18 Issue 1.0 June 2009
36. The Evaluators used the following configuration for their testing:
Machine No Host Machine 1 Host Machine 2
Machine name Dell Optiplex 745 MT Dell Optiplex 745 MT
Processor Core 2 Duo E6400 Core 2 Duo E6400
CPU speed 2.13 GHz 2.13 GHz
Memory 1 GB 1 GB
Host Machine OS Oracle Enterprise Linux 4 Update 5 x86_64 Oracle Enterprise Linux 4 Update 5 x86_64
Virtual Machine ID VM1 VM2 VM3 VM4 VM5 VM6 VM7
Operating System Oracle
Enterprise
Linux 4
Update 5
x86_64
Oracle
Enterprise
Linux 4
Update 5
x86_64
Oracle
Enterprise
Linux 4
Update 5
x86_64
Oracle
Enterprise
Linux 4
Update 5
x86_64
Oracle
Enterprise
Linux 4
Update 5
x86_64
Windows XP Oracle
Enterprise
Linux 4
Update 5
x86_64
Drives 160 GB 160 GB 160 GB 160 GB 160 GB 160 GB 160 GB
Products Installed
Used
as
Primary
OBI
EE
server
-
Oracle
Application
Server
10g
Release
3
(10.1.3.1.0)
-
Oracle
Client
10g
Release
2
(10.2.0.3.0)
-
Oracle
Business
Intelligence
Enterprise
Edition
(10.1.3.3.2)
Used
as
Secondary
OBIEE
Server
-
Oracle
Application
Server
10g
Release
3
(10.1.3.1.0)
-
Oracle
Client
10g
Release
2
(10.2.0.3.0)
-
Oracle
Business
Intelligence
Enterprise
Edition
(10.1.3.3.2)
Database
server
-
Oracle
Database
10g
Release
2
(10.2.0.3.0)
LDAP
server
-
Oracle
Internet
Directory
10g
(10.1.4.0.1)
Web
server
-
Oracle
Application
Server
10g
Release
3
(10.1.3.1.0)
-
Oracle
HTTP
Server
10g
(10.1.2.0.2)
-
Oracle
Business
Intelligence
Enterprise
Edition
Services
Plug-
In
(10.1.3.3.2)
OBIEE
Admin
tools
-
Oracle
Application
Server
10g
Release
3
(10.1.3.1.0)
-
Oracle
Business
Intelligence
Enterprise
Edition
Client
Tools
(10.1.3.3.2)
N/A
used
as
Network
File
System
(NFS)
Table 2 – Environmental Configuration (Evaluators’ tests)
37. Further details of the Developer’s testing and Evaluators’ testing are given in Chapter V.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
June 2009 Issue 1.0 Page 11 of 18
IV. PRODUCT ARCHITECTURE
Introduction
38. This Chapter gives an overview of the main TOE architectural features. Other details of the
scope of evaluation are given in Chapter III ‘Evaluated Configuration’ of this report.
Product Description and Architecture
39. Oracle Business Intelligence Enterprise Edition is a suite of products that allow enterprises
to manage, report on and present access to their data via a single common business model.
40. For this evaluation of Oracle Business Intelligence Enterprise Edition, the products that are
in the Target of Evaluation are Oracle Web Services (10.1.3.3.2), Oracle BI Presentation
Services (10.1.3.3.2) with Quick Fix 090406, Oracle BI Java Host (10.1.3.3.2), Oracle BI
Answers (10.1.3.3.2) and Oracle BI Server (10.1.3.3.2) with Quick Fix 090406.
41. The following diagram details the product architecture where the numbers are port
numbers.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 12 of 18 Issue 1.0 June 2009
TOE Design Subsystems
42. The TOE subsystems, and their security features/functionality, are as follows:
• The user interface to the TOE is Oracle BI Web Services via Simple Object Access
Protocol (SOAP) and Hypertext Transfer Protocol Secure (HTTPS). Oracle BI Web
Services is an Application Programming Interface (API) that implements SOAP.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
June 2009 Issue 1.0 Page 13 of 18
• Presentation Services provides an authenticated user with access to Requests. These
deliver reports back in HTML format. If a user has sufficient privilege they may also
send logical queries. Requests are subject to access controls. Users will only be able to
execute requests for which they are authorised.
• BI Server is the command centre for Oracle BIEE controlling authentication, user
accountability, access to the business model, and access to the back end Oracle
Database Management System that stores the physical database tables. Administrators
use this to define and partition the organisational business model to give users the
access to the parts of the business model required for their role.
TOE Dependencies
43. The TOE has no hardware or firmware dependencies.
TOE Interfaces
44. The external TOE Security Functions Interface (TSFI) is described as follows:
• All user requests for authentication are received by the Web Services through the
Presentation Services and passed to the BI Server. This in turn passes authentication
through to one of two entities. The BI Server either submits the username and
password pair directly to the database to perform authentication or it hands off the
authentication to OID which then decides whether the user is permitted access or not.
• Oracle BIEE stores the accounting log in the backend database, which can then be
queried by Administrators like any other data object. The level of logging is
configurable.
• HTTPS (implemented using OpenSSL version 0.9.8.j) is used internally to protect user
credentials from unauthorised access; and also externally in communication with user
applications using the Web Services via the Oracle Web server. Oracle Advanced
Security Option is used to encrypt communications with the back end database.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 14 of 18 Issue 1.0 June 2009
V. TOE TESTING
TOE Testing
45. The Developer’s tests covered:
• all SFRs;
• all TOE high-level subsystems, as identified in Chapter IV (in ‘TOE Design
Subsystems’) of this report;
• the TSFI, as identified in Chapter IV (in ‘TOE Interfaces’) of this report.
46. The Developer’s tests also included those TOE interfaces which are internal to the product
and thus had to be exercised indirectly.
47. The Developer installed and tested the TOE on the platforms specified in Table 1.
48. The Evaluators devised and ran a total of 14 independent functional tests, different from
those performed by the Developer. No anomalies were found.
49. The Evaluators also devised and ran a total of 7 penetration tests to address potential
vulnerabilities considered during the evaluation. No exploitable vulnerabilities or errors
were detected.
50. The Evaluators installed the TOE and performed their independent functional tests and
penetrations tests, as well as various platform dependency tests, on the platforms and
configurations specified in Table 2.
51. The Evaluators finished running their penetration tests in May 2009.
Vulnerability Analysis
52. The Evaluators’ vulnerability analysis, which preceded penetration testing and was
reported in [ETR3], was based on public domain sources and the visibility of the TOE
provided by the evaluation deliverables, in particular the developer’s design documents
and the [ECG].
Platform Issues
53. The Developer’s provided a Platform Rationale which provided reasoning why the security
of the TOE is not undermined by the underlying platforms. The evaluators analysed the
Rationale and performed various tests against the underlying OS, database, LDAP
platform, OC4J platform and virtual workstation. The Evaluators confirmed that each
underlying platform does not undermine the security of the TOE.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
June 2009 Issue 1.0 Page 15 of 18
VI. REFERENCES
[AG_BIPS] Oracle Business Intelligence Presentation Services Administration Guide,
Version 10.1.3.2,
Part Number: B31766-01, December 2006.
[AG_WS] Oracle Business Intelligence Web Services Guide,
Version 10.1.3.2,
Part Number: B31769-01, December 2006.
[AG_BIS] Oracle Business Intelligence Server Guide,
Version 10.1.3.2,
Part Number: B31770-01, December 2006.
[CC] Common Criteria for Information Technology Security Evaluation,
(comprising Parts 1, 2, 3: [CC1], [CC2], [CC3]).
[CC1] Common Criteria for Information Technology Security Evaluation,
Part 1, Introduction and General Model,
Common Criteria Maintenance Board,
CCMB-2006-09-001, Version 3.1 R1, September 2006.
[CC2] Common Criteria for Information Technology Security Evaluation,
Part 2, Security Functional Requirements,
Common Criteria Maintenance Board,
CCMB-2007-09-002, Version 3.1 R2, September 2007.
[CC3] Common Criteria for Information Technology Security Evaluation,
Part 3, Security Assurance Requirements,
Common Criteria Maintenance Board,
CCMB-2007-09-003, Version 3.1 R2, September 2007.
[CCRA] Arrangement on the Recognition of Common Criteria Certificates in the Field
of Information Technology Security,
Participants in the Arrangement Group,
May 2000.
[CEM] Common Methodology for Information Technology Security Evaluation,
Evaluation Methodology,
Common Criteria Maintenance Board,
CCMB-2007-09-004, Version 3.1 R2, September 2007.
[ECG] Evaluated Configuration Guide for Oracle Business Intelligence Enterprise
Edition (10.1.3.3.2) with Quick Fix 090406,
Version 1.0, 2 June 2009.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 16 of 18 Issue 1.0 June 2009
[ETR1] LFL/T256 Evaluation Technical Report 1,
Evaluation of Oracle Business Intelligence Enterprise Edition (10.1.3.3.2),
Logica CLEF,
LFL/T256/ETR1, Issue 0.2, 25 July 2008
[ETR2] LFL/T256 Evaluation Technical Report 2,
Evaluation of Oracle Business Intelligence Enterprise Edition (10.1.3.3.2),
Logica CLEF,
LFL/T256/ETR2, Issue 1.0, 17 September 2008
[ETR3] LFL/T256 Evaluation Technical Report 3,
Evaluation of Oracle Business Intelligence Enterprise Edition (10.1.3.3.2) with
Quick Fix 090406,
Logica CLEF,
LFL/T256/ETR3, Issue 1.0, 8 June 2009.
[MRA] Mutual Recognition Agreement of Information Technology Security
Evaluation Certificates,
Management Committee of Agreement Group,
Senior Officials Group – Information Systems Security,
Version 2.0, April 1999.
[ST] Security Target for Oracle Business Intelligence Enterprise Edition (10.1.3.3.2)
with Quick Fix 090406,
Oracle Corporation,
Issue 1.7, 22 June 2009.
[UKSP00] Abbreviations and References,
UK IT Security Evaluation and Certification Scheme,
UKSP 00, Issue 1.5, October 2008.
[UKSP01] Description of the Scheme,
UK IT Security Evaluation and Certification Scheme,
UKSP 01, Issue 6.2, October 2008.
[UKSP02P1] CLEF Requirements - Startup and Operations,
UK IT Security Evaluation and Certification Scheme,
UKSP 02: Part I, Issue 4.1, October 2008.
[UKSP02P2] CLEF Requirements - Conduct of an Evaluation,
UK IT Security Evaluation and Certification Scheme,
UKSP 02: Part II, Issue 2.3, October 2008.
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
June 2009 Issue 1.0 Page 17 of 18
VII. ABBREVIATIONS
This list of abbreviations is specific to the TOE. It therefore excludes: general IT abbreviations
(e.g. GUI, HTML, LAN, PC); standard CC abbreviations (e.g. TOE, TSF) covered in CC Part 1
[CC1]; and UK Scheme abbreviations (e.g. CESG, CLEF) covered in [UKSP00].
BI Business Intelligence
OEL Oracle Enterprise Linux
OBIEE Oracle Business Intelligence Enterprise Edition
OBI Oracle Business Intelligence
OID Oracle Internet Directory
OS Operating System
OC4J Oracle Containers for Java
LDAP Lightweight Directory Access Protocol
CRP250 – OBIEE Version 10.1.3.3.2 with Quick Fix 090406
Page 18 of 18 Issue 1.0 June 2009
This page is intentionally blank.