National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
EMC Documentum Content ServerTM
V5.3 and
EMC Documentum AdministratorTM
V5.3
Report Number: CCEVS-VR-05-0135
Dated: 21 December 2005
Version: 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6740
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740
®
TM
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
ii
TABLE OF CONTENTS
1 EXECUTIVE SUMMARY ..................................................................................... 1
2 IDENTIFICATION................................................................................................. 3
3 SECURITY POLICY.............................................................................................. 4
4 ASSUMPTIONS AND CLARIFICATION OF SCOPE........................................ 6
4.1 USAGE ASSUMPTIONS.......................................................................................... 6
4.2 ENVIRONMENTAL ASSUMPTIONS ......................................................................... 6
4.3 CLARIFICATION OF SCOPE.................................................................................... 6
5 ARCHITECTURAL INFORMATION.................................................................. 7
6 DOCUMENTATION .............................................................................................. 8
7 IT PRODUCT TESTING ....................................................................................... 9
7.1 DEVELOPER TESTING .......................................................................................... 9
7.2 EVALUATOR INDEPENDENT TESTING.................................................................... 9
7.3 STRENGTH OF FUNCTION ................................................................................... 10
7.4 VULNERABILITY ANALYSIS ............................................................................... 10
8 EVALUATED CONFIGURATION..................................................................... 10
9 RESULTS OF THE EVALUATION.................................................................... 10
10 VALIDATOR COMMENTS/RECOMMENDATIONS.................................... 11
11 SECURITY TARGET......................................................................................... 12
12 GLOSSARY ........................................................................................................ 13
13 BIBLIOGRAPHY ............................................................................................... 14
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
1
1 Executive Summary
This report documents the NIAP validator’s assessment of the evaluation of the EMC
Documentum Content ServerTM
V5.3 and EMC Documentum AdministratorTM
V5.3, a product
of EMC, Documentum Division, Pleasanton, CA. It presents the evaluation results, their
justifications, and the conformance results. This validation report is not an endorsement of the IT
product by any agency of the U.S. Government and no warranty of the IT product is either
expressed or implied.
The evaluation was performed by the CygnaCom Solutions Security Evaluation Laboratory
(CCTL), and was completed during October 2005. The information in this report is largely
derived from the Evaluation Technical Report (ETR) and associated test reports, all written by
CygnaCom Solutions. The evaluation determined that the product is both Common Criteria
Part 2 extended and Part 3 conformant, and meets the assurance requirements of EAL 2. The
product is not conformant with any published Protection Profiles, but rather is targeted to
satisfying specific organizational security policies while countering specific threats.
EMC Documentum Content ServerTM
V5.3 and EMC Documentum AdministratorTM
V5.3
(hereafter Documentum Content Management System) is a data management and control
application. The Target of Evaluation (TOE) was evaluated using the Common Criteria for
Information Technology Security Evaluation, Version 2.2, January 2004 [CCV2.2], and the
Common Methodology for Information Technology Security Evaluation, Version 2.2, Evaluation
Methodology, January 2004 [CEMV2.2]. The evaluation and validation were consistent with
National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation
Scheme (CCEVS) best practices as described within CCEVS Publication #3 [CCEVS3] and
Publication #4 [CCEVS4]. The Security Target (ST) for Documentum Content Management
System is contained within the document EMC Documentum Content ServerTM
V5.3 and EMC
Documentum AdministratorTM
V5.3 Security Target, dated 18 October 2005 [ST]. The ST has
been shown to be compliant with the Specification of Security Targets requirements found within
Annex A of Part 1 of [CCV2.2].
The Documentum Content Management System is an all-software TOE. It consists of three
components that comprise the TOE:
• Content Server provides a single repository for content and metadata. Content Server
uses an extensible object-oriented model to store content and metadata in the repository.
Everything in a repository is stored as objects. The metadata for each object is stored in
tables in the underlying RDBMS. The content files are stored in the underlying Operating
System file system.
• Connection Broker is a name server for the Content Server.
• Administrator allows an authorized administrator to monitor, administer, configure, and
maintain the Content Server and repositories via a Web browser.
Aspects of the following security functions are controlled / provided by the TOE in conjunction
with the IT environment:
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
2
• Object access control
• Role-based user privileges
• Audit
The following are explicitly excluded from the TOE configuration, but are included in its
environment:
• Client interface
• Hardware platforms and Operating Systems
• Database servers
• Cryptographic services of the operating system (SSL); and
• Network hardware and software (e.g., firewalls and routers)
The environment is assumed to counter the threats of unauthorized access to the physical
components of the TOE. The operating system is assumed to properly authenticate users and
protect files.
All copyrights and trademarks are acknowledged.
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
3
2 Identification
TOE: EMC Documentum Content ServerTM
V5.3,
Connection Broker, and
EMC Documentum AdministratorTM
V5.3
Evaluated Software: EMC Documentum Content ServerTM
V5.3 (build # 5.3.0.115), and
EMC Documentum AdministratorTM
V5.3 (build # 5.3.0.041 with CC Update
#103292)
Developer: EMC Documentum
Pleasanton, CA
CCTL: Cygnacom Solutions’ Security Evaluation Laboratory
Suite 5200
4925 Jones Branch Drive
McLean, VA 22102-3305
Validation Team: Edward A. Schneider (Institute for Defense Analyses)
CC Identification: Common Criteria for Information Technology Security Evaluation,
Version 2.2, January 2004 [CCV2.2].
CEM Identification: Common Methodology for Information Technology Security Evaluation,
Version 2.2, Evaluation Methodology, January 2004 [CEMV2.2].
Interpretations: All NIAP and CCIMB interpretations as of the date of the Kick-off
meeting held on 14 July 2004 were considered during the evaluation (all
CCIMB interpretations issued prior to January 2004 had been incorporated
into the version of the CC that was used). The interpretations listed below
had a direct impact on the work performed.
Interpretations
Interpretation Description Affected
Requirements
International Interpretations
INTERP-137 Rules governing binding should be specifiable FIA_USB
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
4
3 Security Policy
The EMC Documentum security policy is reflected in the security functional requirements for
the TOE described in section 5.2 and 6.1 of the ST and for the IT environment described in
sections 5.3 of the ST. A description of the principle security policies is as follows:
• Identification and authentication: The TOE requires users to be identified and
authenticated before being allowed access to the system. However, this is done by the
underlying operating system, which is part of the IT environment.
• Object access control: The EMC Documentum Content Server controls access to objects
based on a subject’s user name or group. An Access Control List associates user names
and groups with an access level. An entry allows a user or group access up through a
level or prohibits it above a level. There are also several extended permissions that may
be explicitly allowed or prohibited. The access levels and extended permissions are
specified in section 6.1.3 of the ST. Note: these controls are only in effect when
repository security is on, which is the configuration that was evaluated.
• Role-based user privileges: The EMC Documentum Content Server supports three
roles: SuperUser, Sysadmin, and User. A User may additionally have privileges Create
Type, Create Cabinet, and Create Group. In addition, there are extended privileges
Config audit, Purge audit, and View Audit. Tables 5-2 and 5-3 and Section 6.1.3 of the
ST describes what these roles and privileges allow a user to do.
• Audit: The TOE provides an auditing capability, although the audit records are stored in
a database external to the TOE. Significant auditable events are:
• user login failure,
• all operations performed on objects,
• all operations performed in repository,
• administrative actions performed.
The security functional requirements for the TOE and the IT environment are documented in
section 5 of the ST. A combination of requirements drawn from part 2 of the CC [CCV2.2] and
explicitly stated security requirements were necessary due to the reliance of the TOE on the IT
environment to protect audit records and to prevent activities outside the control of the TOE
from the TSF. A summary of the SFRs for the TOE and IT environment are included in the
tables below.
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
5
TOE Security Functional Requirements
Class FAU: Security Audit
FAU_GEN.1 Audit data generation
FAU_GEN.2 User identity association
FAU_SAR.1 Audit review
FAU_SAR.2 Restricted audit review
FAU_SAR.3 Selectable audit review
FAU_SEL.1 Selective audit
FAU_STG_EXP.1 Protected audit trail storage
Class FDP: User Data Protection
FDP_ACC.2 Complete access control
FDP_ACF.1 Security attribute based access control
Class FIA: Identification and Authentication
FIA_ATD.1 User attribute definition
FIA_USB.1 User subject binding
Class FMT: Security Management
FMT_MOF.1 Management of security functions behavior
FMT_MSA.1 Management of security attributes
FMT_MSA.3 Static attribute initialization
FMT_MTD.1 Management of the TSF data
FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
Class FPT: Protection of the TSF
FPT_RVM_EXP.1-1 Non-bypassability of the TSP
FPT_SEP_EXP.1-1 TSF domain separation
IT Environment Security Functional Requirements
Class FAU: Security Audit
FAU_STG_EXP.1-2 Protected audit trail storage
Class FIA: Identification and Authentication
FIA_UAU.2 User authentication before any action
FIA_UID.2 User identification before any action
Class FPT: TOE Protection
FPT_RVM_EXP.1-2 Non-bypassability of the TSP
FPT_SEP_EXP.1-2 TSF domain separation
FPT_STM.1 Reliable time stamp
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
6
4 Assumptions and Clarification of Scope
4.1 Usage Assumptions
For secure usage, the operational environment must be managed in accordance with the
documentation associated with the following EAL2 assurance requirements:
ADO_DEL.1 Delivery procedures
ADO_IGS.1 Installation, generation, and start-up procedures
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
4.2 Environmental Assumptions
The environmental assumptions listed in the following table are required to ensure the security of
the TOE.
Environmental Assumptions
Assumption Description
A.Admin The authorized administrator is trusted to correctly configure
and operate the TOE according to the instructions provided by
the TOE documentation.
A.Database The IT environment provides a database to store TSF data.
A.NoUntrusted There are no untrusted users and no untrusted software on the
Documentum Content Server host.
A.OS The OS provides file protection and user authentication.
A.Physical The TOE components critical to the security policy enforcement
will be protected from unauthorized physical modification by
being located within controlled access facilities and behind a
Firewall.
A.ProtectComm Those responsible for the TOE will ensure the communications
between the Documentum Administrator and Documentum
Content Server host are secure.
A.Time The underlying operating system provides reliable time stamps.
4.3 Clarification of Scope
The Documentum Content Management System executes on top of third-party operating systems
and uses third-party databases to store audit and other administrative data and managed content.
A process running with root privilege on the operating system can bypass all of the TOE security
controls. Thus, non-bypassability of the TOE Security Policy and Domain Separation are limited
to those instances when the operating system invokes the TOE Security Function. Likewise, the
TOE relies on the underlying operating systems to provide secure and reliable communication
between its components.
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
7
Documentum clients interact with the system through a GUI that is installed on their
workstations and that sends messages through the Connection Broker. This GUI is not part of the
TOE and client interface documentation is not part of the TOE documentation considered in this
evaluation.
There are two ways for a purchaser to obtain the TOE: on a CD or by downloading an install
package from www.intraware.com. Only the downloaded version was evaluated and this method
must be used.
5 Architectural Information
Documentum is a content management system, consisting of a Content Server, a Connection
Broker, and a Documentum Administrator. The Documentum Content Server is the core
functionality that allows users to create, capture, manage, deliver, and archive enterprise content
data. Content data is the actual data managed by the Content Server. Metadata is the attributes of
the data. The functionality and features of Documentum Content Server provide the management
and security of content data and metadata in the repository; it was evaluated on Microsoft
Windows Server 2003 with an Oracle database. The Connection Broker is a name server to a
particular repository. The Documentum Administrator is the administrator interface; it was
evaluated on Microsoft Windows Server 2003 using Internet Explorer.
The Client interface is not part of the TOE. Likewise, the underlying operating systems,
databases, web browsers and the communication protocols linking distributed elements of the
architecture are not in the TOE.
An architectural diagram of the TOE.
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
8
6 Documentation
The following is a list of the end-user documentation that was used to support this evaluation:
• EMC Documentum Content ServerTM
V5.3 and EMC Documentum AdministratorTM
V5.3 Security Target.
• Documentum Administrator User Guide V5.3.
• Content Server Administrator’s Guide V5.3.
• Content Server Fundamentals V5.3
• Content Server API Reference Manual V5.3
• Content Server Installation Guide V5.3
• Content Server and Documentum Administrator v5.3 Configuration Management
Capabilities
• Documentum Content Server V 5.3 and Documentum Administrator V5.3 Common
Criteria Supplement Guide
• Web Development Kit and Applications Installation Guide V 5.3
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
9
7 IT Product Testing
7.1 Developer Testing
The vendor testing covered all of the security functions identified in Section 6.1 of the ST. These
security functions were: Security Audit, Managed User Access, and Security Management. At
EAL2, vendor testing must demonstrate correspondence between the tests and the functional
specification. However complete testing is not required; “coverage analysis need not demonstrate
that all security functions have been tested, or that all external interfaces to the TOE Security
Function (TSF) have been tested.”1
The testing was focused on demonstrating that the SFRs worked as claimed in the ST. The test
procedures consisted mainly of automated scripts, with a few manual tests to test administrator
operations entered through the Administrator component. For the automated scripts, the output
from the script was stored in a file and then compared with the expected results file. For the
manual tests, a screen shot showing the results was saved.
The testing showed that the proper audit records were generated and contained the required
information, that authorized administrators could access the audit records, and that unauthorized
users could not. It also tested both authorized and unauthorized accesses to the stored content.
The evaluator determined that the vendor tested (at a high level) most of the security-relevant
aspects of the product that were claimed in the ST. The evaluator determined that the developer’s
tests were sound in their approach. The test document provided the configuration of the test
hardware and software, the objective for each of the tests, and test procedures. The information
provided was adequate to be able to reproduce the tests. The evaluators determined that the
developer’s approach to testing the TSFs was appropriate for this EAL2 evaluation.
7.2 Evaluator Independent Testing
At EAL 2, the stated purpose of the evaluator’s independent testing activity “is to determine, by
independently testing a subset of the TSF, whether the TOE behaves as specified, and to gain
confidence in the developer’s test results by performing a sample of the developer’s tests.”
(CEM 6.8.4.1). The CEM further instructs the evaluator to consider a number of factors
including: the “Rigour of developer testing of the security functions. Some security functions
identified in the functional specification may have had little or no developer test evidence
attributed to them.” (CEM 6.8.4.3.2) As a result, the testing at EAL 2 may not be systematic and
the end-users should not assume that all claims in the ST have been explicitly verified by either
the developer or the evaluators.
The evaluation team installed the TOE as specified in the secure installation procedures. The
same test equipment that was used for developer testing was used for the independent testing,
except that the Administrator was installed on a separate hardware platform from the rest of the
TOE to verify proper functioning in a distributed environment. Both platforms were Pentium-
based machines and were connected via SSL. The Connection Broker and the Oracle database
1
CEM, V2.2, paragraph 6.8.2.2 (application note for EAL2:ATE_COV.1)
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
10
were installed on the Content Server host. There were two repositories on the Content server: one
for testing the Content Server functionality and another for testing the Administrator
functionality, and one instance of the Oracle database.
The evaluator reran all of the automated scripts and several of the manual tests. All of the results
duplicated those of the developer. The evaluator also devised seven tests, each of which covered
multiple security functionalities. The first test created all types of users, covering all possible
permissions. The subsequent tests used these users to perform many of the allowed and
disallowed functions for the users. Some tests were devised to test boundary conditions. Both
positive and negative tests were devised. Each of these tests produced the expected results.
Test results, which are contained in proprietary reports, were satisfactory to both the Evaluation
Team and the Validation Team.
7.3 Strength of Function
There are no specific SOF claims pertaining to a specific IT Security Function(s) since
Identification and Authentication is done in the environment.
7.4 Vulnerability Analysis
The vendor searched for publicly known vulnerabilities specifically related to the TOE using key
words related to the product type, as well as publicly known vulnerabilities in the third-party
products that are incorporated in the TOE. No publicly-known vulnerabilities specific to the
evaluated version of Documentum were found. The developer examined the known
vulnerabilities in the supporting third party products (MS Windows, Oracle database, Internet
Explorer) using the National Vulnerability Database (nvd.nist.gov), the Common Vulnerability
and Exposure list (www.cve.mitre.org), and SecureFocus (www.securityfocus.com); an
explanation was given why these are not exploitable in the intended environment.
The evaluator devised penetration tests using the developers analysis, including some of the
developer’s tests. NESSUS (www.nessus.org) was used for port analysis. No exploitable obvious
vulnerabilities were found.
8 Evaluated Configuration
The evaluated configuration was EMC Documentum Content ServerTM
V5.3 (build # 5.3.0.115),
and EMC Documentum AdministratorTM
V5.3 (build # 5.3.0.041 with CC Update #103292).
9 Results of the Evaluation
A verdict for an assurance component is determined by the resulting verdicts assigned to the
corresponding evaluator action elements. The evaluation was conducted based upon CC, Version
2.2; CEM, Version 2.2, and all applicable NIAP CCEVS and International Interpretations in
effect on 14 July 2004.
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
11
The Evaluation Team assigned a Pass, Fail, or Inconclusive verdict to each work unit of each
EAL 2 assurance component. For Fail or Inconclusive work unit verdicts, the Evaluation Team
advised the developer of issues requiring resolution or clarification within the evaluation
evidence. In this way, the Evaluation Team assigned an overall Pass verdict to the assurance
component only when all of the work units for that component had been assigned a Pass verdict.
The evaluation determined that the product is both Common Criteria Part 2 extended and
Part 3 conformant, and meets the assurance requirements of EAL 2. The details of the
evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by
CygnaCom Solutions. The security assurance requirements are displayed in the following table.
TOE Security Assurance Requirements
Assurance Component ID Assurance Component Name
ACM_CAP.2 Configuration items
ADO_DEL.1 Delivery procedures
ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.1 Informal functional specification
ADV_HLD.1 Descriptive high-level design
ADV_RCR.1 Informal correspondence demonstration
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing – sample
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.1 Developer vulnerability analysis
10 Validator Comments/Recommendations
The Validator agrees with the conclusion of the CygnaCom Solutions Evaluation Team, and
recommends to CCEVS Management that an EAL2 certificate rating be issued for EMC
Documentum Content ServerTM
V5.3 and EMC Documentum AdministratorTM
V5.3.
The evaluators have looked at the design of the Content Server and Administrator, tested their
functionality, and looked for obvious vulnerabilities; they found that the TOE satisfies the
functional claims made in the ST and the validator concurs. Note that no evaluation verifies that
there are no flaws, only that the evaluator could not find any.
The TOE does not protect the connection between itself and the Client interface; an unauthorized
party could potentially observe this connection. As recommended by EMC Documentum, the
TOE and the Client should be installed such that interactions are protected by SSL. Also, a
firewall should be installed to protect against unauthorized access to the TOE.
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
12
The TOE is a software application that sits on top of a commercial operating system and that
interacts with commercial databases. It depends on these to protect itself and its data from
unauthorized access, such as installing a virus into the Content Server code. Any patches for
these products should be promptly installed.
11 Security Target
The Security Target for EMC Documentum Content ServerTM
V5.3 and EMC Documentum
AdministratorTM
V5.3 is contained within the document EMC Documentum Content ServerTM
V5.3 and EMC Documentum AdministratorTM
V5.3 Security Target, dated 8 December 2005.
[ST]. The ST is compliant with the Specification of Security Targets requirements found within
Annex A of Part 1 of the CC [CCV2.2].
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
13
12 Glossary
The following table is a glossary of terms used within this validation report.
Acronym Expansion
CC Common Criteria for Information Technology Security
Evaluation. [Note: Within this Validation Report, CC
always means Version 2.2, dated January 2004.]
CCEVS Common Criteria Evaluation and Validation Scheme
CCTL Common Criteria Testing Laboratory
CCIMB Common Criteria Interpretations Management Board
EAL Evaluation Assurance Level
ETR Evaluation Technical Report
GUI Graphical User Interface
I&A Identification and Authentication
IT Information Technology
NIAP National Information Assurance Partnership
NIST National Institute of Standards and Technology
NSA National Security Agency
NVLAP National Voluntary Laboratory Accreditation Program
PP Protection Profile
SFR Security Function Requirement
SOF Strength of Function
SSL Secure Socket Layer
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functions
EMC Documentum Content ServerTM
V5.3 and Documentum AdministratorTM
V5.3
CCEVS-VR-05-0135
14
13 Bibliography
URLs
• Common Criteria Evaluation and Validation Scheme (CCEVS):
http://niap.nist.gov/cc-scheme/
• Cygnacom Solutions: http://www.cygnacom.com/
• EMC Documentum: http://www.documentum.com/
CCEVS Documents
[CCV2.2] Common Criteria for Information Technology Security Evaluation, Version 2.2,
January 2004.
[CEMV2.2] Common Methodology for Information Technology Security Evaluation, Version
2.2, Part 2: Evaluation Methodology, January 2004.
[CCEVS3] Guidance to Validators of IT Security Evaluations, Version 1.0, February 2000.
[CCEVS4] Guidance to Common Criteria Testing Laboratories, Draft, Version 1.0, March
2000.
Other Documents
[ST] EMC Documentum Content ServerTM
V5.3 and EMC Documentum
AdministratorTM
V5.3 Security Target, Version 2.0, 8 December 2005.