
Common Criteria Evaluated Configuration Guide — Chapter 1

About the Evaluated Configuration

This chapter introduces the Evaluated Configuration of MarkLogic Server, which is currently under evaluation for the Common Criteria. This chapter includes the following sections:

  • Common Criteria
  • The Evaluated Configuration
  • Authorized Administrator
  • TOE Requirements

Common Criteria

The Common Criteria for Information Technology Security Evaluation (the Common Criteria, or CC) and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for the Common Criteria Recognition Arrangement (CCRA), which ensures:

  • Commercial products are evaluated by independent licensed evaluation laboratories that determine the fulfilment of specified security properties to a specified level of assurance
  • Certificate Authorizing Schemes certify the evaluation results produced by the evaluation labs and issue evaluation certificates accordingly
  • Issued certificates are mutually recognized by the signatories to the CCRA.

MarkLogic Server 9 is currently under evaluation for Common Criteria Evaluation Assurance Level 2 (EAL2+).

For the documentation describing the Common Criteria evaluation process and methodology, see the documents at http://www.commoncriteriaportal.org/.

The Evaluated Configuration

The evaluated configuration of MarkLogic Server is the configuration in which the Common Criteria evaluation was performed. This is a specific version of MarkLogic Server set up in a specific way. That configuration is outlined in this guide. This guide does not explain the various features of MarkLogic Server. For information on the MarkLogic Server features, see the MarkLogic Server documentation.

This guide includes the list of features that cannot be used in an evaluated configuration, along with any needed guidelines for how to exclude these features from your configuration. The evaluated configuration assumes that the configuration is set up according to these guidelines; configurations that do not follow these guidelines are not considered evaluated configurations.

Authorized Administrator

An Authorized Administrator is any user that has the admin role or any user that has the privilege(s) needed to run the Admin API (admin-module-read and admin-module-write), the Security API (any of the privileges in the security role), or the PKI API (pki-read and pki-write). These privileges exist in roles that are installed in the TOE, such as the security role, or can be added to any role by an Authorized Administrator. Any role that provides access to administering security functional requirements, whether the role is predefined at installation time or user-created (by an Authorized Administrator), must be granted by an Authorized Administrator; it is the responsibility of Authorized Administrators to be aware of these privileges when granting privileges or roles to users. Furthermore, any user who has any such privileges is considered an Authorized Administrator.

Additionally, there are other administrative XQuery built-in functions (https://docs.marklogic.com/xdmp/admin) that perform functions such as starting and stopping the server, and these functions each have privileges associated with them. Any user that is granted any of the privileges associated with these functions (for example, xdmp-shutdown) is also considered an Authorized Administrator.

Administrators with the admin role have full privileges to the system. Administrators who have any of the privileges to run functions in the security-related APIs (Admin API, Security API, PKI API, and XQuery Admin built-in functions) only have those privileges that have been granted to them (via roles) by an Authorized Administrator. Those privileges each protect specific functions or sets of functions; the functions are primitives and must be used in a program with the proper logic in order to perform Security Functional Requirements. It is up to the Authorized Administrator who grants these privileges to determine which privileges a user is granted.

If administration is performed using the Admin API, Security API, PKI API, and/or the built-in Admin functions, those APIs must run against an HTTP or XDBC App Server that is set up to use TLS. Actions against the Admin Interface, HTTP interfaces, and XDBC interfaces are auditable, based on the configuration for the App Server. You should audit actions based on your own security policies.

Only Authorized Administrators can manage the target of evaluation (TOE), whether through the Admin Interface or through the XQuery administrative functions included with MarkLogic (the Admin API, the Security API, the PKI API, or the built-in Admin functions). Additionally, all code must be evaluated through an interface that is set up to use TLS. Authorized Administrators are assumed to be non-hostile, appropriately trained, and to follow proper administrative procedures. For more details about the Authorized Administrator and about performing administrative tasks in MarkLogic Server, see the Administrator's Guide and Security Guide. For more details about the TOE, see Target of Evaluation (TOE).
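The definition above is a set of conditions on roles and privileges, so it can be checked mechanically. The following query is an added example, not part of this guide or of MarkLogic's own code; it reads the `sec:user` and `sec:privilege` documents in the Security database and reports every user that meets one of the conditions, with the reason. It assumes it is run against the Security database by a user allowed to read it, and the list of `xdmp:` built-in admin privileges is a starting point that you extend from the admin built-in documentation.

```xquery
xquery version "1.0-ml";
(: Added example, not from the MarkLogic guide. Lists every user that meets
   this chapter's definition of an Authorized Administrator. Run it against
   the Security database, which holds the sec:user and sec:privilege documents. :)
declare namespace sec = "http://marklogic.com/xdmp/security";

(: Privileges named in this chapter. $security-role-privs is read from the
   installed "security" role rather than hard-coded. The xdmp: built-in list
   is a starting point; extend it from https://docs.marklogic.com/xdmp/admin. :)
declare variable $named-privs := (
  "admin-module-read", "admin-module-write",   (: Admin API :)
  "pki-read", "pki-write",                     (: PKI API :)
  "xdmp-shutdown"                              (: built-in admin function :)
);
declare variable $security-role-privs as xs:string* :=
  /sec:privilege[sec:role-ids/sec:role-id = xdmp:role("security")]
    /sec:privilege-name/string();

(: Privilege names a user holds through any role, direct or inherited :)
declare function local:effective-privileges($user as xs:string) as xs:string* {
  let $role-ids := xdmp:user-roles($user)   (: includes inherited roles :)
  return /sec:privilege[sec:role-ids/sec:role-id = $role-ids]
           /sec:privilege-name/string()
};

(: One reason string per condition of the definition that the user satisfies :)
declare function local:admin-reasons($user as xs:string) as xs:string* {
  (
    if (xdmp:user-roles($user) = xdmp:role("admin"))
    then "has the admin role" else (),
    for $p in local:effective-privileges($user)
    where $p = ($named-privs, $security-role-privs)
    return concat("holds privilege ", $p)
  )
};

for $user in /sec:user/sec:user-name/string()
let $reasons := local:admin-reasons($user)
where exists($reasons)
order by $user
return
  <authorized-administrator name="{$user}">{
    for $r in $reasons return <reason>{$r}</reason>
  }</authorized-administrator>
```

Any user in the output must be treated as an Authorized Administrator when you review who may reach the TLS-protected administrative App Servers and whose actions your audit configuration records.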

TOE Requirements

This section lists the requirements for the target of evaluation (TOE). This is a subset of the platforms on which MarkLogic Server runs (see the Installation Guide for those details), and includes the following parts:

  • MarkLogic Server TOE Platform
  • License Key for TOE
  • Admin Interface App Server Configured to Use HTTPS
  • All TOE Access App Servers Configured to Use HTTPS and Digest Authentication
  • Features Not Part of the TOE
  • MarkLogic Server 9.0

MarkLogic Server TOE Platform

In its evaluated configuration, MarkLogic Server is supported on Red Hat Enterprise Linux 7 (x64). This platform provides the following capabilities that fulfil certain security objectives for the operational environment. Its system clock provides a reliable time source, which MarkLogic Server uses to timestamp audit records (OE.TIME). It is a multi-processing platform that gives applications dedicated processes for their exclusive use, isolating applications from one another in the operational environment (OE.PROCESS). For further details about this platform, see the Installation Guide.

License Key for TOE

The TOE requires the 9.0 Essential Enterprise Edition of MarkLogic Server, which is enabled by a license key. For information about obtaining a license key, contact your sales representative or, if you have an active maintenance contract, MarkLogic Technical Support.

Admin Interface App Server Configured to Use HTTPS

The App Server in which the Admin Interface runs must be configured to use HTTPS. To configure HTTPS on the Admin App Server, follow the procedure described in Configure the Admin App Server to Use HTTPS. Additionally, any App Server where Admin API or Security API functions are run must also be set up to use HTTPS.

All TOE Access App Servers Configured to Use HTTPS and Digest Authentication

Any application that runs in the TOE should have its App Server(s) configured to use HTTPS. To configure HTTPS on an App Server, follow the procedure in Configuring SSL on App Servers in the Security Guide. Additionally, all App Servers must be configured to use digest authentication, which is the default.
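The two App Server requirements in this section (HTTPS everywhere, and digest authentication everywhere) are configuration state that the Admin API exposes, so they can be audited rather than assumed. The following query is an added example, not part of this guide or of MarkLogic's own code; it walks every App Server in the cluster configuration and reports those with no SSL certificate template (no HTTPS) or with an authentication scheme other than digest. It assumes it runs as a user holding the admin-module-read privilege.

```xquery
xquery version "1.0-ml";
(: Added example, not from the MarkLogic guide. Reports App Servers that do
   not meet this chapter's requirements: every App Server must use HTTPS
   (an SSL certificate template assigned) and digest authentication. :)
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";

(: One finding string per requirement the App Server fails; empty if compliant :)
declare function local:appserver-findings($config as element(configuration),
                                          $id as xs:unsignedLong) as xs:string* {
  (
    (: A template id of 0 means no certificate template is assigned, so no TLS :)
    if (admin:appserver-get-ssl-certificate-template($config, $id) eq 0)
    then "HTTPS not enabled (no SSL certificate template assigned)" else (),
    let $auth := admin:appserver-get-authentication($config, $id)
    return
      if ($auth ne "digest")
      then concat("authentication is '", $auth, "', expected 'digest'") else ()
  )
};

let $config := admin:get-configuration()
for $id in admin:get-appserver-ids($config)
let $name := admin:appserver-get-name($config, $id)
let $type := admin:appserver-get-type($config, $id)
let $port := admin:appserver-get-port($config, $id)
let $findings := local:appserver-findings($config, $id)
order by $name
return
  <appserver name="{$name}" type="{$type}" port="{$port}"
             compliant="{empty($findings)}">{
    for $f in $findings return <finding>{$f}</finding>
  }</appserver>
```

Any App Server reported with `compliant="false"` takes the configuration outside the evaluated configuration until it is fixed by the procedures referenced above (Configure the Admin App Server to Use HTTPS, and Configuring SSL on App Servers in the Security Guide).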

Features Not Part of the TOE

MarkLogic Server must be configured so it does not use any features that are not part of the TOE. For details, see Not Allowed in the TOE.

MarkLogic Server 9.0

The evaluated configuration requires MarkLogic Server Essential Enterprise 9.0.
