CRP-C0567-01
Certification Report
Tatsuo Tomita, Chairman
Information-technology Promotion Agency, Japan
Target of Evaluation (TOE)
Application Date/ID 2016-04-25 (ITC-6602)
Certification No. C0567
Sponsor Hewlett Packard Enterprise Company
TOE Name HP XP7 Device Manager Software, HP XP7 Tiered
Storage Manager Software
TOE Version 8.0.1-02
PP Conformance None
Assurance Package EAL2 Augmented with ALC_FLR.1
Developer Hewlett Packard Enterprise Company
Evaluation Facility Mizuho Information & Research Institute, Inc.
Information Security Evaluation Office
This is to report that the evaluation result for the above TOE is certified as
follows.
2017-07-31
Takumi Yamasato, Technical Manager
Information Security Certification Office
IT Security Center
Technology Headquarters
Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following
standards prescribed in the “IT Security Evaluation and
Certification Scheme Document.”
- Common Criteria for Information Technology Security Evaluation
Version 3.1 Release 4
- Common Methodology for Information Technology Security Evaluation
Version 3.1 Release 4
Evaluation Result: Pass
“HP XP7 Device Manager Software, HP XP7 Tiered Storage Manager Software”
has been evaluated based on the standards required, in accordance with the
provisions of the “Requirements for IT Security Certification” by
Information-technology Promotion Agency, Japan, and has met the specified
assurance requirements.
CRP-C0567-01
Notice:
This document is the English translation version of the Certification Report
published by the Certification Body of Japan Information Technology Security
Evaluation and Certification Scheme.
CRP-C0567-01
Table of Contents
1. Executive Summary ............................................................................... 1
1.1 Product Overview ............................................................................ 1
1.1.1 Assurance Package ........................................................................ 1
1.1.2 TOE and Security Functionality ...................................................... 1
1.1.2.1 Threats and Security Objectives ................................................... 2
1.1.2.2 Configuration and Assumptions .................................................... 2
1.1.3 Disclaimers .................................................................................. 3
1.2 Conduct of Evaluation ...................................................................... 3
1.3 Certification ................................................................................... 3
2. Identification ....................................................................................... 4
3. Security Policy...................................................................................... 5
3.1 Security Function Policies ................................................................. 6
3.1.1 Threats and Security Function Policies ............................................ 6
3.1.1.1 Threats ..................................................................................... 6
3.1.1.2 Security Function Policies against Threats ..................................... 6
3.1.2 Organisational Security Policies and Security Function Policies .......... 7
3.1.2.1 Organisational Security Policies ................................................... 7
3.1.2.2 Security Function Policies to Organisational Security Policies .......... 7
4. Assumptions and Clarification of Scope .................................................... 8
4.1 Usage Assumptions .......................................................................... 8
4.2 Environmental Assumptions ............................................................ 10
4.3 Clarification of Scope ..................................................................... 11
5. Architectural Information .................................................................... 12
5.1 TOE Boundary and Components ....................................................... 12
5.2 IT Environment ............................................................................. 13
6. Documentation ................................................................................... 14
7. Evaluation conducted by Evaluation Facility and Results .......................... 15
7.1 Evaluation Facility ........................................................................ 15
7.2 Evaluation Approach ...................................................................... 15
7.3 Overview of Evaluation Activity ....................................................... 15
7.4 IT Product Testing ......................................................................... 16
7.4.1 Developer Testing ....................................................................... 16
7.4.2 Evaluator Independent Testing ..................................................... 18
7.4.3 Evaluator Penetration Testing ...................................................... 22
7.5 Evaluated Configuration ................................................................. 25
7.6 Evaluation Results......................................................................... 25
7.7 Evaluator Comments/Recommendations ............................................ 25
8. Certification ....................................................................................... 26
CRP-C0567-01
8.1 Certification Result........................................................................ 26
8.2 Recommendations .......................................................................... 26
9. Annexes ............................................................................................. 27
10. Security Target ................................................................................ 27
11. Glossary.......................................................................................... 28
12. Bibliography .................................................................................... 29
CRP-C0567-01
1
1. Executive Summary
This Certification Report describes the content of the certification result in relation to IT
Security Evaluation of “HP XP7 Device Manager Software, HP XP7 Tiered Storage
Manager Software Version 8.0.1-02” (hereinafter referred to as the “TOE”) developed by
Hewlett Packard Enterprise Company, and the evaluation of the TOE was finished on
2017-07 by Mizuho Information & Research Institute, Inc., Information Security
Evaluation Office (hereinafter referred to as the “Evaluation Facility”). It is intended to
report to the sponsor, Hewlett Packard Enterprise Company, and provide security
information to procurement entities and consumers who are interested in this TOE.
Readers of the Certification Report are advised to read the Security Target (hereinafter
referred to as the “ST”) described in Chapter 10. Especially, details of security functional
requirements, assurance requirements and rationale for sufficiency of these requirements
of the TOE are described in the ST.
This Certification Report assumes “TOE users (Storage administrators, Account
administrators and System integrators)” to be readers. Note that the Certification Report
presents the certification result based on assurance requirements to which the TOE
conforms, and does not guarantee an individual IT product itself.
1.1 Product Overview
An overview of the TOE functions and operational conditions is described as follows. Refer
to Chapter 2 and subsequent chapters for details.
1.1.1 Assurance Package
Assurance Package of the TOE is EAL2 augmented with ALC_FLR.1.
1.1.2 TOE and Security Functionality
The TOE consists of HP XP7 Device Manager Software and HP XP7 Tiered Storage
Manager Software.
The TOE has a management function to input or modify the information that represents
the configuration of the storage system resources (hereinafter referred to as the “storage
resource information”).
The TOE provides the following as security functions: display of warning banner against
illegal use; identification and authentication for users; access control function for the
storage resource information and the warning banner message information (hereinafter
referred to as the “banner information”).
For these security functions, the validity of the design policy and the accuracy of the
implementation were evaluated within the scope of the assurance package. The following
section describes the threats and assumptions that the TOE assumes.
CRP-C0567-01
2
1.1.2.1 Threats and Security Objectives
This TOE counters the various threats by using the security functions as follows.
It is assumed to be a threat that an illegal user or an authorized storage administrator or
account administrator might delete, modify, or disclose the storage resource information,
which are assets to be protected, or might delete, modify the banner information, by
performing unauthorized operation from a storage management client.
To counter the threat, the TOE identifies and authenticates users when the users access
the TOE from storage management clients. The TOE controls access to the storage resource
information or banner information so that only authorized users who have the appropriate
permissions can use the permitted operations.
1.1.2.2 Configuration and Assumptions
The evaluated product is assumed to be operated under the following configuration and
assumptions.
The TOE is installed on the management server, and it must be located with peripheral
devices in a physically isolated business server area. Only the trusted administrators of the
hardware and software, who will not perform malicious acts, are permitted to enter this
area.
The TOE is used from the storage management client, which is located outside the business
server area. The communication to the internal network from the external networks
outside the business server area connected to the TOE is assumed to be the managed
network environment, which is restricted only to the TOE communications from the
storage management client.
If the external authentication server and authorization server are used in place of the TOE
identification and authentication function, the servers shall be installed in the same
business server area as the storage management software server. If the servers are
installed in a different business server area, it is assumed that confidentiality and integrity
are maintained between the servers. Note that if confidentiality and integrity cannot be
maintained in the communication paths between the servers.
CRP-C0567-01
3
1.1.3 Disclaimers
- This evaluation does not assure the TOE behavior outside the specified operational
environment. For details on the operational environment, see “4.2 Environmental
Assumptions.”
- In the information publicly disclosed by the developer, the TOE is presented as a product
for managing resources of an actual storage system. However, this evaluation does not
assure the configuration in which the resources of the actual storage system are
managed.
In this evaluation, the configuration in which the TOE manages the “storage resource
information” (which is data in the management server, and is not data in the actual
storage system) is assured.
- This TOE assumes to counter attacks only from a storage management client to the TOE.
It is not assured for the TOE to counter other attack measures in this evaluation, and the
assumption is that the operational environment will prevent other attacks.
- This evaluation is not intended to evaluate the identification and authentication function
of an external authentication server or external authorization server, if the external
authentication function or external authentication group linkage function is used. It is
assumed that the operational environment will prevent spoofing attacks on the external
authentication and authorization server.
1.2 Conduct of Evaluation
Under the IT Security Evaluation and Certification Scheme that the Certification Body
operates, the Evaluation Facility conducted IT security evaluation and completed on
2017-07, based on functional requirements and assurance requirements of the TOE
according to the publicised documents “IT Security Evaluation and Certification Scheme
Document”[1], “Requirements for IT Security Certification”[2], and “Requirements for
Approval of IT Security Evaluation Facility”[3] provided by the Certification Body.
1.3 Certification
The Certification Body verified the Evaluation Technical Report [13] prepared by the
Evaluation Facility as well as evaluation documentation, and confirmed that the TOE
evaluation was conducted in accordance with the prescribed procedure. The certification
oversight reviews were also prepared for those concerns found in the certification process.
Those concerns pointed out by the Certification Body were fully resolved, and the
Certification Body confirmed that the TOE evaluation had been appropriately conducted in
accordance with the CC ([4][5][6] or [7][8][9]) and the CEM (either of [10][11]). The
Certification Body prepared this Certification Report based on the Evaluation Technical
Report submitted by the Evaluation Facility and fully concluded certification activities.
CRP-C0567-01
4
2. Identification
The TOE is identified as follows:
TOE Name: HP XP7 Device Manager Software, HP XP7 Tiered Storage
Manager Software
TOE Version: 8.0.1-02
Developer: Hewlett Packard Enterprise Company
Users can verify that a product is the evaluated and certified TOE by the following means.
By performing the version confirmation procedure described in the guidance
documentation, users can confirm the right version of each product, HP XP7 Device
Manager Software and HP XP7 Tiered Storage Manager Software.
CRP-C0567-01
5
3. Security Policy
This chapter describes security function policies that the TOE adopts to counter threats,
and organisational security policies.
The purpose of using the TOE is to manage the input or modification of the storage
resource information.
To handle market requests, the TOE has a function to display a warning banner regarding
illegal use.
To prevent illegal operations to the storage resource information or banner information, the
TOE has the identification and authentication function and access control function.
By controlling access to the storage resource information, the TOE can control the scope of
the storage resource information (components of the storage resource information, such as
host groups and logical storage) that each user can access, and can control the type of
operation (viewing, modifying, creating, etc.) that a user is permitted to perform on that
information.
The TOE assumes that TOE users have the following roles.
System integrator
- A system integrator determines and sets parameters required for building and
operating the system for the TOE to run. It is assumed that this work includes not
only operations from a storage management client but also works in the business
server area.
Account administrator
- An account administrator manages TOE accounts (registers or deletes accounts, and
edits permissions). It is assumed that the account administrator performs operations
from a storage management client.
Storage administrator
- A storage administrator inputs and modifies the storage resource information. It is
assumed that the storage administrator performs operations from a storage
management client.
The following role is assumed as a role related to the operational environment, while the
use of the TOE is not assumed.
External authentication server administrator
- An external authentication server administrator operates and manages the external
authentication server and authorization server, and sets up the authorization and
authentication information. It is assumed that this work is performed in the business
server area.
CRP-C0567-01
6
3.1 Security Function Policies
The TOE possesses the security functions to counter the threats shown in Section 3.1.1 and
to satisfy the organisational security policies shown in Section 3.1.2.
3.1.1 Threats and Security Function Policies
3.1.1.1 Threats
The TOE assumes the threats shown in Table 3-1 and provides the security functions to
counter them.
Table 3-1 Assumed Threats
Identifier Threat
T.ILLEGAL_ACCESS
(illegal connection)
If an illegal user who does not have an account in the
TOE accesses the TOE from a storage management
client, this user might delete, modify, or reveal storage
resource information, or delete or modify banner
information.
In addition, a user who has an account in the TOE
might be misrecognized as having permissions that the
user does not really have, and might delete or modify
the storage resource information or banner information,
which the TOE manages, from a storage management
client.
(Supplementary information)
This threat indicates non-permitted operations carried
out by spoofing attacks.
T.UNAUTHORISED_ACCESS
(unauthorized access)
An authenticated storage administrator or account
administrator might delete or modify the storage
resource information or banner information, which the
TOE manages, by performing an unauthorized
operation from a storage management client.
3.1.1.2 Security Function Policies against Threats
The TOE counters the threats shown in Table 3-1 by the following security function
policies.
(1) Countermeasure against threat “T.ILLEGAL_ACCESS”
When the user of a storage management client terminal accesses the TOE and storage
management software, the TOE identifies and authenticates those users for whom
internal authentication is specified, and the external authentication server identifies
and authenticates those users for whom external authentication is specified, in order to
confirm whether the users are authorized users.
The TOE and the external authentication server limit the patterns of passwords that
can be registered so that difficult-to-guess passwords must be set. The users set
CRP-C0567-01
7
passwords that are difficult to guess from the combination of the password length and
types of characters used, and change these passwords at appropriate intervals, so that
they do not reveal their passwords. This process ensures secure password management.
In addition, the TOE automatically locks the account of a user for whom an
authentication attempt fails the defined number of times, to counter brute-force
password attacks.
(2) Countermeasure against threat “T.UNAUTHORISED_ACCESS”
The TOE controls access to the storage resource information and banner information in
accordance with the permissions granted to each TOE user.
3.1.2 Organisational Security Policies and Security Function Policies
3.1.2.1 Organisational Security Policies
Organisational security policies required in use of the TOE are shown in Table 3-2.
Table 3-2 Organisational Security Policies
Identifier Organisational Security Policy
P.BANNER
(warning banners)
The TOE must have a function that displays advisory
warning messages related to illegal use of the TOE.
3.1.2.2 Security Function Policies to Organisational Security Policies
The TOE provides the security functions to satisfy the organisational security policies
shown in Table 3-2.
(1) Countermeasure against Organizational Security Policy “P.BANNER”
The TOE has a function to display advisory warning messages related to illegal use of
the software.
CRP-C0567-01
8
4. Assumptions and Clarification of Scope
This chapter describes the assumptions and the operational environment to operate the
TOE as useful information for the assumed readers to determine the use of the TOE.
4.1 Usage Assumptions
Table 4-1 shows assumptions to operate the TOE. The effective performances of the TOE
security functions are not assured unless these assumptions are satisfied.
Table 4-1 Assumptions in Use of the TOE
Identifier Assumptions
A.PHYSICAL
(hardware
management)
The management server on which the TOE runs,
peripheral devices, the external authentication server
and external authorization server that the TOE uses,
the internal network, and the firewall at the boundary
of the internal network, must be installed in a
physically isolated business server area.
Only the administrators of the hardware and software
in that area are permitted to enter this area. The
administrators must be trusted persons who will not
perform malicious acts in that area.
A.NETWORKS
(networks)
The internal network, located in the business server
area that houses the management network connected to
the management server, must be restricted only to
communication from storage management client
terminals by means of a firewall.
(Supplementary information)
To ensure this assumption is satisfied, it is necessary to
prevent fake storage management client terminals.
A.ADMINISTRATORS
(administrators)
The system integrator must be a trusted person.
Account administrators, storage administrators, and
external authentication server administrators must not,
in the course of the work associated with their own
permissions, perform malicious acts related to the
management of accounts and permissions of TOE users,
and the management of storage systems.
Other server administrators must not perform malicious
acts with regard to their own work.
(Supplementary information)
The above-mentioned “management of storage systems”
means operations of the storage resource information in
the management server, and does not mean the
management of the actual storage system.
CRP-C0567-01
9
Identifier Assumptions
A.SECURE_CHANNEL
(communication
security)
The network between the management server, on which
the TOE runs, and storage management clients, must be
secured with regard to the confidentiality and integrity
of communications.
When the TOE and the external authentication server
and external authorization server that the TOE uses are
located in different business server areas, the network
between them must be secured with regard to the
confidentiality and integrity of communications.
A.PASSWORD
(setting and updating
passwords)
Account administrators, system integrators, and
external authentication server administrators must
determine an appropriate level of password complexity,
as well as the number of login attempts to be permitted
before an account is to be locked, and they must specify
password settings accordingly.
Each storage administrator, account administrators,
system integrators, and external authentication server
administrators must update their passwords
appropriately so that passwords are not stolen or
revealed via physical actions (for example, writing a
password on a sticky note and sticking it on a PC
monitor, or allowing over-the-shoulder snooping), or via
human causes (for example, failing to update
passwords, updating a password by using the same
password again, using a password consisting of personal
information, using a password that is used in other
applications, or leaving password information in the
cache).
A.CLIENTS
(management of storage
management client
terminals)
Malicious software must not exist on the storage
management client terminals.
A.SRV_MGMT
(server management)
For the management servers, the settings for services
that run on the server, server settings, and accounts
registered on the server must be managed to prevent
the storage management clients from bypassing the
TOE and directly accessing the internal network.
(Supplementary information)
It is assumed that remote access by SSH or telnet is
prohibited because such access is considered to be an
access to the internal network.
CRP-C0567-01
10
4.2 Environmental Assumptions
According to the assumption A.PHYSICAL, the following must be installed in a physically
secure business server area: the management server on which the TOE runs, peripheral
devices, the external authentication server and external authorization server that the TOE
uses, the internal network, and the firewall located at the boundary of the internal network.
Figure 4-1 shows the operational environment of the TOE to be assured.
Figure 4-1 Operational Environment of the TOE to be Assured
The operational environment of the TOE to be assured is as follows:
Management server
Server machine with the following software:
- Windows Server 2012 R2 (64bit)
- Java™ SE Development Kit 8, Update 92
Storage management client terminal
PC with the following software:
- Windows 7 SP1
- Internet Explorer 9 (32bit)
- Flash Player 14.0
External authentication server and external authorization server
Server machine with the following software:
(It is necessary when the external authentication server and authorization server is
used in place of the TOE identification and authentication function.)
- Windows Server 2012 R2 (64bit)
Firewall
A firewall must be installed so that communications to the internal network from
external networks are restricted to communications from storage management client
terminals.
However, if another method accomplishes this purpose, that method can also be used
(for example, if the storage management client terminal is also connected to the
internal network).
Storage management
client terminal
Web browser
Management server
Web server
TOE
External authentication server
External authorization server
Firewall
Business server area
Internal LAN
External LAN
CRP-C0567-01
11
It should be noted that the reliability of the hardware and the cooperating software shown
in this configuration is out of the scope in the evaluation. Those are assumed to be
trustworthy.
4.3 Clarification of Scope
The external authentication server and authorization server is installed in the business
server area, and the “external authentication function” and “external authentication group
linkage function” can also be used in place of the TOE identification and authentication
function. However, the scope of the TOE does not include the identification and
authentication function of the external authentication server and authorization server, so
it is the responsibility of the operator to operate the system securely in accordance with the
security objectives.
The TOE is a server program that runs on a general OS, and therefore depends on OS
functions (for example, for managing processes and for separating processes). With this
assumption, accesses to the TOE are restricted only to communications from storage
management clients. Furthermore, it is assumed that no malicious software is installed on
the storage management clients, and that the OS commands are not used for malicious
purposes.
CRP-C0567-01
12
5. Architectural Information
This chapter explains the scope and the main components (subsystems) of the TOE.
5.1 TOE Boundary and Components
Figure 5-1 shows the configuration of the TOE. The TOE is software that runs on the
management server and does not include the OS.
HBase
Browser
Storage management client terminal
OS (Applicable Platform)
Web service module
Management server
TOE
Storage
Management
Identification and
authentication module
Repository
GUI framework
Common utilities
Security information
fundamental management
module
Warning banner module
Access control
to storage
resources
module
Figure 5.1 TOE boundary
- The identification and authentication module is a module that implements the
identification and authentication function of the TOE.
- The security information fundamental management module is a module that implements
the security information fundamental management function of the TOE.
- The warning banner module is a module that implements the warning banner function of
the TOE.
- The common utilities are a module that implements the common utilities of the TOE.
- The web service module is a module that implements the TOE web services.
- The GUI framework is a module that implements the TOE’s graphical user interface
(GUI).
CRP-C0567-01
13
- The repository is the database that stores data for the TOE.
- The access control to storage resources module controls access to resources by associating
information on the storage resource information with the security information
fundamental management module.
5.2 IT Environment
The TOE is installed on a management server whose operating platform is Windows Server
2012 R2 (64bit) (with JavaTM SE Development Kit 8, Update 92).
The TOE user operates the TOE via Internet Explorer 9 (32bit) from a storage
management client terminal.
Microsoft Active Directory (Windows Server 2012 R2 (64bit) attached) is used on an
external authentication server.
For external authentication, the authentication function of an LDAP directory server, a
RADIUS server, or a Kerberos server is used.
CRP-C0567-01
14
6. Documentation
The identification of documents attached to the TOE is listed below. TOE users are
required to fully understand and comply with the following documents in order to satisfy
the assumptions.
- HP XP7 Device Manager Software, HP XP7 Tiered Storage Manager Software Security
Guide
(Part number: 870545-001)
- HP XP7 Command View Advanced Edition User Guide
(Part number: TK981-96023)
- HP XP7 Command View Advanced Edition Installation and Configuration Guide
(Part number: TK981-96017)
- HP XP7 Command View Advanced Edition Administrator Guide
(Part number: TK981-96019)
- HP XP7 Command View Advanced Edition 8.0.1-02 Release Notes
(Part number: TK981-96024)
CRP-C0567-01
15
7. Evaluation conducted by Evaluation Facility and Results
7.1 Evaluation Facility
Mizuho Information & Research Institute, Inc., Information Security Evaluation Office
that conducted the evaluation as the Evaluation Facility is approved under JISEC and is
accredited by NITE (National Institute of Technology and Evaluation), the Accreditation
Body, which joins Mutual Recognition Arrangement of ILAC (International Laboratory
Accreditation Cooperation). It is periodically confirmed that the above Evaluation Facility
meets the requirements on the appropriateness of the management and evaluators for
maintaining the quality of evaluation.
7.2 Evaluation Approach
Evaluation was conducted by using the evaluation methods prescribed in the CEM in
accordance with the assurance components in the CC Part 3. Details for evaluation
activities were reported in the Evaluation Technical Report. The Evaluation Technical
Report explains the summary of the TOE as well as the content of the evaluation and the
verdict of each work unit in the CEM.
7.3 Overview of Evaluation Activity
The history of the evaluation conducted is described in the Evaluation Technical Report as
follows.
The evaluation has started on 2016-04 and concluded upon completion of the Evaluation
Technical Report dated 2017-07. The Evaluation Facility received a full set of evaluation
deliverables necessary for evaluation provided by the developer, and examined the evidence
in relation to a series of evaluation conducted. In addition, the evaluator examined the
procedural status conducted in relation to the work unit for delivery by observing other
products that were actually delivered by following the same procedure as the TOE on
2017-04. Furthermore, the evaluator conducted the sampling check of the developer testing
and the evaluator testing by using the developer testing environment at the developer site
on 2016-08 and 2016-09.
Concerns that the Certification Body found in the evaluation process were described as the
certification oversight reviews, and those were sent to the Evaluation Facility. After the
Evaluation Facility and the developer examined them, those concerns were reflected in the
Evaluation Technical Report.
CRP-C0567-01
16
7.4 IT Product Testing
The evaluator confirmed the validity of the testing that the developer had performed. As a
result of the evidence shown in the process of the evaluation and those confirmed validity,
the evaluator performed the reproducibility testing, additional testing and penetration
testing based on vulnerability assessments judged to be necessary.
7.4.1 Developer Testing
The evaluator evaluated the integrity of the developer testing that the developer performed
and the documentation of actual testing results. The content of the developer testing
evaluated by the evaluator is explained as follows.
1) Developer Testing Environment
Figure 7-1 shows the testing configuration performed by the developer.
Figure 7-1 Configuration of the Developer Testing
The TOE to be tested by the developer is described as follows, and it is the same as what is
written in the ST.
- HP XP7 Device Manager Software, HP XP7 Tiered Storage Manager Software
Version: 8.0.1-02
The components in the environment for testing performed by the developer are described
as follows. This configuration is the same as what is identified in the ST. The evaluators
checked that there was no problem with the confirmation of the TOE functions.
Management server
Server machine with the following software:
- Windows Server 2012 R2 Datacenter x64 (64bit)
- Java™ SE Development Kit 8, Update 92
External authentication server and external authorization server
Server machine with the following software:
- Windows Server 2012 R2 Datacenter x64 (64bit)
Storage management client terminal
Storage management
client terminal
Web browser
Management server
TOE
Web server
External authentication server
and authorization server
CRP-C0567-01
17
PC with the following software:
- Windows 7 Professional SP1 (64bit)
- Internet Explorer 9 (32bit)
- Flash Player 14.0
2) Summary of the Developer Testing
A summary of the developer testing is as follows.
a. Developer Testing Outline
An outline of the developer testing is as follows.
<Developer Testing Approach>
The TOE's external interface were stimulated by normal usage of the TOE (by operation
from the web browser of a storage management client terminal, by operation from the
console of the management server, and by changing the configuration file of the TOE in the
management server), and the TOE responses were confirmed. To efficiently input the
storage resource information, a storage simulator was used for some tests.
For those TOE behavior which was difficult to confirm by normal usage of the TOE, Fiddler
was used to change input to the web server and to confirm the TOE responses.
The TOE responses were observed from the management server console and from the web
browser of the storage management client terminal.
<Developer Testing Tools>
Table 7-1 shows tools used in the developer testing.
Table 7-1 Developer Testing Tools
Tool Name Outline and Purpose of Use
Fiddler Fiddler version 2.4.2.6
It mediates communications between a web browser and
web server, and changes or refers to the communication
data between them.
Storage simulator It provides the storage resource information.
<Content of the Performed Developer Testing>
By normal usage of the TOE, the developer tested the following cases: cases permitted by
and prohibited by the security functional requirements, cases for which inappropriate
input is given, and cases for which there was a concern that inconsistencies might occur if
multiple operations were performed on the same data.
The developer used Fiddler to test the input of parameter values that could not be input by
normal usage of a web browser.
CRP-C0567-01
18
b. Scope of the Performed Developer Testing
The developer testing was performed on 63 items by the developer. By the coverage
analysis, the coverage of the testing for the external interfaces and security functions
described in the functional specifications was confirmed. The coverage of some external
interfaces was determined to be insufficient, so the evaluators performed the independent
testing to cover this insufficiency.
c. Result
The evaluator confirmed the approach of the performed developer testing and the
legitimacy of tested items, and confirmed consistencies between the testing approach
described in the testing plan and the actual testing approach. The evaluator confirmed
consistencies between the testing results expected by the developer and the actual testing
results performed by the developer.
7.4.2 Evaluator Independent Testing
The evaluator performed the sample testing to reconfirm the execution of security
functions by the test items extracted from the developer testing. In addition, the evaluator
performed the evaluator independent testing (hereinafter referred to as the “independent
testing”) to gain further assurance that security functions are certainly implemented,
based on the evidence shown in the process of the evaluation. The independent testing
performed by the evaluator is explained as follows.
1) Independent Testing Environment
The environment for the independent testing performed by the evaluators was the same as
the environment for the developer testing.
Although the evaluators prepared the components and testing programs used for the
developer testing, the evaluators confirmed their specifications and performed their
behavior testing as well as calibration.
2) Summary of the Independent Testing
A summary of the independent testing is as follows.
a. Viewpoints of the Independent Testing
Viewpoints of the independent testing that the evaluator designed from the developer
testing and the provided evaluation documentation are shown below.
Focusing on the following points of view, the evaluators extracted test items from the
developer testing specifications.
I. Points of view of the security functions
To test security functions in an unbiased way, samples for each security function
(identification and authentication, access control, and warning banner function) were
taken.
II. Points of view of the interfaces
Samples were taken from each type of interfaces in order to confirm the behavior
caused by operations from a web browser, by operations from the console of the
CRP-C0567-01
19
management server, and by changes to the TOE configuration files on the management
server. At the same time, sampling tests were performed so that all the SFRs were
covered.
III. Points of view of other testing characteristics
Samples were taken from those tests which have characteristics in test scenarios and
methods, such as tests in which multiple operations were performed on the same data,
or tests in which the input to a web server is changed using Fiddler.
Based on the following points of view, evaluators devised additional independent testing:
i. Variation of the developer testing: Roles
For a function which can be operated by multiple roles, the evaluators performed tests
with different roles (system integrator, account administrator, and storage
administrator) from those used in the developer testing.
ii. Variation of the developer testing: Input parameters
For a function which receives inputs from a parameter, the evaluators performed tests
with different parameter values from those used in the developer testing.
iii. Variation of the developer testing: Enhanced coverage
For some TOE behavior which the evaluators determined was not confirmed by the
developer testing, the evaluators performed additional tests to supplement
insufficiency.
The evaluators examined each interface type (operations from a web browser, operations
from the console of the management server, and changes to the TOE configuration files on
the management server) to decide whether additional testing was necessary.
b. Independent Testing Outline
The evaluators performed sampling tests of the developer testing on 56 items. The samples
were selected, in consideration of the above-mentioned points of view in I, II, III of “a)
Viewpoints of the Independent Testing.”
The evaluators performed additional independent testing on 11 items. The tests were
devised to supplement the developer testing, in consideration of the above-mentioned
points of view in i, ii, iii of “a) Viewpoints of the Independent Testing.”
An outline of the independent testing that the evaluator performed is as follows.
<Content of the Performed Independent Testing>
Table 7-2 shows the points of view in the independent testing and the contents of the
corresponding testing.
CRP-C0567-01
20
Table 7-2 Content of the Performed Independent Testing
Points of View for the
Independent Testing
Testing Outline
(1) Testing the function for
adding users
Points of view to be considered:
i and iii
The evaluators confirm the behavior when an
account administrator registers a user.
The developer tested the case in which a system
integrator registers a user, but did not test the
cases when other administrators register users.
Therefore, the evaluators confirm the behavior
when other administrators with different roles
register users.
(2) Testing the function for
changing user passwords
Points of view to be considered:
i and iii
The evaluators confirm the behavior when an
account administrator changes his or her own
password.
The developer tested the case in which a system
integrator changes his or her own password, but
did not test the cases when other administrators
change their own passwords.
Therefore, the evaluators confirm the behavior
when other administrators with different roles
register their own passwords.
(3) Testing the function for
changing password
complexity setting
Point of view to be considered:
ii
The evaluators confirm the behavior of the
password complexity setting.
The developer did not confirm the case in which “0”
and negative numbers are included in the password
complexity setting.
Therefore, the evaluators confirm the behavior
related to the rule that includes “0” and negative
numbers in the password complexity setting.
(4) Testing the function for
changing the warning banner
in the web interface
Point of view to be considered:
ii
The evaluators confirm the behavior of the warning
banner setting.
The developer tested the behavior in the case when
an independent HTML tag was used, but did not
confirm the cases when setting tags that consist of
letters or character strings that include attributes.
Therefore, the evaluators confirm the behavior in
the cases when setting tags that consist of letters or
character strings that include attributes.
CRP-C0567-01
21
Points of View for the
Independent Testing
Testing Outline
(5) Testing the function for
changing the warning banner
in the command interface
Point of view to be considered:
iii
The evaluators confirm the behavior of setting the
warning banner in the command interface.
The developer tested the case in which a new
warning banner is set, but did not confirm the
behavior after setting it in the web interface.
Therefore, the evaluators confirm the behavior of
the warning banner when executing a command
after setting it in the web interface.
(6) Testing the function for
unlocking accounts
Point of view to be considered:
ii
The evaluators confirm the behavior of unlocking
accounts.
The developer did not confirm the behavior when
passwords longer than the predetermined length
are entered.
Therefore, the evaluators confirm the behavior
when passwords longer than the predetermined
length are entered.
(7) Testing the external
authentication function
(LDAP)
Points of view to be considered:
i and iii
The evaluators confirm the behavior of the external
authentication function when LDAP is specified as
the external authentication protocol.
The developer tested the external authentication
function with a storage administrator, but did not
confirm the behavior with other administrators.
Therefore, the evaluators confirm the behavior
with other administrators with different roles.
(8) Testing the external
authentication function
(RADIUS)
Points of view to be considered:
i and iii
The evaluators confirm the behavior of the external
authentication function when RADIUS is specified
as the external authentication protocol.
The developer tested the external authentication
function with a storage administrator, but did not
confirm the behavior with other administrators.
Therefore, the evaluators confirm the behavior
with other administrators with different roles.
(9) Testing the external
authentication function
(Kerberos)
Points of view to be considered:
i and iii
The evaluators confirm the behavior of the external
authentication function when Kerberos is specified
as the external authentication protocol.
The developer tested the external authentication
function with a storage administrator, but did not
confirm the behavior with other administrators.
Therefore, the evaluators confirm the behavior
with other administrators with different roles)
CRP-C0567-01
22
Points of View for the
Independent Testing
Testing Outline
(10) Testing invalid values in the
configuration files
Point of view to be considered:
ii
The evaluators confirm the behavior when an
invalid value is set in the TOE configuration files
on the management server.
The developer tested the case in which an expected
invalid value was set in the TOE configuration
files, but did not confirm the case in which nothing
is specified or unexpected values are specified.
Therefore, the evaluators confirm the behavior
when such values are specified.
(11) Testing user IDs and user
passwords
Point of view to be considered:
ii
The evaluators confirm the behavior of adding a
user or user login, in the cases in which the
character string used for a user ID or password
exceeds the maximum number of characters or
includes invalid (not permitted) characters.
The developer did not test the behavior when a user
ID or password exceeds the maximum number of
characters or includes invalid (not permitted)
characters. The evaluators test the behavior in
such cases.
In addition, the evaluators confirm the behavior
when the values used for the developer testing
were changed to invalid (not permitted) characters.
c. Result
All the independent testing performed by the evaluator was correctly completed, and the
evaluator confirmed the behavior of the TOE. The evaluator confirmed consistencies
between the expected behavior and all the testing results.
7.4.3 Evaluator Penetration Testing
The evaluator devised and performed the necessary evaluator penetration testing
(hereinafter referred to as the “penetration testing”) on the potentially exploitable
vulnerabilities of concern under the assumed environment of use and attack level from the
evidence shown in the process of the evaluation. The penetration testing performed by the
evaluator is explained as follows.
1) Summary of the Penetration Testing
A summary of the penetration testing performed by the evaluator is as follows.
a. Vulnerability of Concern
The evaluator searched into the provided documentation (security architecture
specification, structural design, and functional specification) and the publicly available
information for the potential vulnerabilities, and then identified the following
CRP-C0567-01
23
vulnerabilities which require the penetration testing.
i. In terms of direct attacks, it is possible that the randomness of a token might be
insufficient, and that attacks based on invalid tokens might occur.
ii. In terms of monitoring, there are risks of snooping. For example, while the TOE
receives the password entered from a storage management client, the TOE itself does
not provide a login screen, so SFR of authentication feedback is not selected, and a
password is displayed on a screen during entering a login password and might be
snooped by someone.
iii. Other publicly-known vulnerabilities, including vulnerabilities related to web
applications, databases, and the OS.
b. Penetration Testing Outline
The evaluator performed the following penetration testing to identify potentially
exploitable vulnerabilities.
<Penetration Testing Environment>
The evaluators performed the penetration testing in an environment in which an
inspection PC was added to the independent testing environment.
Table 7-3 shows details of the software used in the inspection PC. The evaluators confirmed
the specifications of the software and performed the behavior testing as well as calibration.
The publicly-known vulnerability was searched even after the penetration testing had
performed, and evaluators determined that it was not necessary to perform additional
testing to update the vulnerability database.
Except for the inspection PC, this environment is the same as the environment used for the
independent testing.
Figure 7-3 Software used for the Penetration Testing
Software name Outline
Operation System Windows 7 SP1
Web browser Internet Explorer 9 (32bit) on Windows 7 SP1 with
Flash Player 14.0
Nessus Nessus 6.7.0
- A security scanner
- The vulnerability database used contains the latest data
(as of 2016-08-31).
Nikto Nikto 2.1.5
- A security scanner targeted web servers
- The vulnerability database used contains the latest data
(as of 2016-08-31).
OWASP ZAP ZAP 2.5.0
- A vulnerability diagnosis tool for web applications
CRP-C0567-01
24
Software name Outline
Tamper IE Tamper IE 1.0.1.13
- Tamper IE captures data transmitted from Internet Explorer,
and enables such data to be tampered with.
<Penetration Testing Approach>
For the management servers installed in the independent testing environment, evaluators
stimulated TOE interfaces from a storage management client and from an inspection PC.
- Evaluators confirm the TOE behavior by stimulating from TSFI.
- Evaluators capture packets transmitted to the TOE from a storage management client
by using tools, and confirm the contents.
- Evaluators execute scans with vulnerability inspection tools.
For the binary inspection, the evaluators confirmed parts that were recognizable as
character strings by using binary analysis tools, created by the Evaluation Facility, in
terms that secret parameters which can be extracted might exist in the binary files.
<Content of the Performed Penetration Testing>
Table 7-4 shows vulnerabilities of concern and the content of the penetration testing
corresponding to them.
Table 7-4 Outline of the Penetration Testing
Vulnerability Outline of Testing
1) Confirming the randomness of
tokens and the possibility of using
invalid tokens
The evaluators acquire tokens and confirm that
there is no regularity. The evaluators confirm
the TOE behavior by inputting invalid tokens
into parameters.
Tamper IE is used to acquire tokens and input
invalid tokens.
2) Testing the protection of input
values when a password is entered
The evaluators confirm there is no risk of a
password being snooped by being displaying on a
screen, etc., when a password is entered.
3) Inspecting with tools The evaluators perform inspections with tools
(Nessus, Nikto, and OWASP ZAP) to inspect for
other publicly-known vulnerabilities, including
vulnerabilities related to web applications,
databases, and operating systems.
CRP-C0567-01
25
c. Result
In the penetration testing performed by the evaluator, the evaluator did not find any
exploitable vulnerabilities that attackers who have the assumed attack potential could
exploit.
7.5 Evaluated Configuration
In this evaluation, the assumed operational environment is specified in the ST, and this
evaluation was performed in an environment that is the same as the operational
environment specified by the ST.
7.6 Evaluation Results
The evaluator had concluded that the TOE satisfies all work units prescribed in the CEM
by submitting the Evaluation Technical Report.
In the evaluation, the following were confirmed.
- Security functional requirements: Common Criteria Part 2 Conformant
- Security assurance requirements: Common Criteria Part 3 Conformant
As a result of the evaluation, the verdict “PASS” was confirmed for the following assurance
components.
- All assurance components of EAL2 package
- Additional assurance component ALC_FLR.1
The result of the evaluation is only applied to those which are composed by the TOE
corresponding to the identification described in Chapter 2.
7.7 Evaluator Comments/Recommendations
There are no special evaluator recommendations addressed to possible procurement
entities.
CRP-C0567-01
26
8. Certification
The Certification Body conducted the following certification based on the materials
submitted by the Evaluation Facility during the evaluation process.
1. The submitted documentation was sampled, the content was examined, and the related
work units shall be evaluated as presented in the Evaluation Technical Report.
2. Rationale of the evaluation verdict by the evaluator presented in the Evaluation
Technical Report shall be adequate.
3. The evaluator's evaluation methodology presented in the Evaluation Technical Report
shall conform to the CEM.
Concerns found in the certification process were prepared as the certification oversight
reviews, and those were sent to the Evaluation Facility. The Certification Body confirmed
such concerns pointed out in the certification oversight reviews were solved in the ST and
the Evaluation Technical Report and issued this Certification Report.
8.1 Certification Result
As a result of verification of the submitted Evaluation Technical Report, and related
evaluation documentation, the Certification Body determined that the TOE satisfies all
assurance requirements for EAL2 augmented with ALC_FLR.1 in the CC Part 3.
8.2 Recommendations
- Possible procurement entities should decide whether the TOE is acceptable in their
environments based on the TOE behavior in this evaluation for which operational
environment or settings is assured. When making this decision, the possible
procurement entities need to note the following:
> The TOE behavior outside the specified operational environment is not assured in this
evaluation. For details on the operational environment, see “4.2 Environmental
Assumptions.”
> This evaluation is not intended to assure the configuration, in which the resources of
the actual storage system is managed by the TOE functions
In this evaluation, the configuration, in which the “storage resource information”
(which is data in the management server, and is not data in the actual storage system)
is managed by the TOE, is assured.
> To counter attacks on the TOE from sources other than storage management clients is
not assured in this evaluation. Such attacks must be prevented by the operating
environment.
- The online help of the product is not included in the guidance documentation to be
assured. For details on the guidance documentation to be assured, see “6.
Documentation.”
CRP-C0567-01
27
9. Annexes
There is no annex.
10. Security Target
The Security Target [12] of the TOE is provided as a separate document from this
Certification Report.
HP XP7 Device Manager Software, HP XP7 Tiered Storage Manager Software
Security Target Version 1.0.9
(July 7, 2017) Hewlett Packard Enterprise Company
CRP-C0567-01
28
11. Glossary
The abbreviations relating to the CC used in this report are listed below.
CC Common Criteria for Information Technology Security
Evaluation
CEM Common Methodology for Information Technology Security
Evaluation
EAL Evaluation Assurance Level
PP Protection Profile
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functionality
The definitions of terms used in this report are listed below.
Banner
information
Message information displayed as the warning banner
function.
External
authentication
An authentication method that uses the authentication
function of the external authentication server (LDAP directory
server, RADIUS server, or Kerberos server) outside the TOE
from internal TOE.
External
authentication
group linkage
A function of the TOE that acquires information about a group
registered on an external authorization server and the
accounts in that group, and then grants permissions
information to the TOE. Because this function requires the
authentication function external to the TOE, and because the
accounts belong to a group, this function is called “external
authentication group linkage.”
Internal
authentication
An authentication method that uses only the TOE internal
authentication function.
Security
parameter
Parameter information related to TOE security functions. It
includes such information as the number and type of
characters permitted in passwords; the number of consecutive
login failures and the corresponding threshold values; and
whether the threshold values have been exceeded, in which
case the account is locked.
Storage
resource
information
The information that represents the configuration of the
storage system as follows, which is stored on the management
server.
It contains the following; which host group uses which logical
storage; which physical disk group ensures any capacity to each
logical storage; and each physical disk group consists of which
physical disk.
Warning
banner
Warning messages displayed before users start to use the TOE.
Warning banners are mainly used to call attention to the
possibility of illegal use.
CRP-C0567-01
29
12. Bibliography
[1] IT Security Evaluation and Certification Scheme Document, June 2015,
Information-technology Promotion Agency, Japan, CCS-01
[2] Requirements for IT Security Certification, October 2015,
Information-technology Promotion Agency, Japan, CCM-02
[3] Requirements for Approval of IT Security Evaluation Facility, October 2015,
Information-technology Promotion Agency, Japan, CCM-03
[4] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model, Version 3.1 Revision 4, September 2012,
CCMB-2012-09-001
[5] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional components, Version 3.1 Revision 4, September 2012,
CCMB-2012-09-002
[6] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance components, Version 3.1 Revision 4, September 2012,
CCMB-2012-09-003
[7] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model, Version 3.1 Revision 4, September 2012,
CCMB-2012-09-001 (Japanese Version 1.0, November 2012)
[8] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional components, Version 3.1 Revision 4, September 2012,
CCMB-2012-09-002 (Japanese Version 1.0, November 2012)
[9] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance components, Version 3.1 Revision 4, September 2012,
CCMB-2012-09-003 (Japanese Version 1.0, November 2012)
[10] Common Methodology for Information Technology Security Evaluation:
Evaluation methodology, Version 3.1 Revision 4, September 2012, CCMB-2012-09-004
[11] Common Methodology for Information Technology Security Evaluation:
Evaluation methodology, Version 3.1 Revision 4, September 2012, CCMB-2012-09-004
(Japanese Version 1.0, November 2012)
[12] HP XP7 Device Manager Software, HP XP7 Tiered Storage Manager Software
Security Target, Version 1.0.9 (July 7, 2017) Hewlett Packard Enterprise Company
[13] HP XP7 Device Manager Software, HP XP7 Tiered Storage Manager Software
Evaluation Technical Report, Version 4 (142872-01-R003-04), July 10, 2017,
Mizuho Information & Research Institute, Inc., Information Security Evaluation
Office