
Common Criteria Evaluated Configuration Guide — Chapter 2

Target of Evaluation (TOE)

This chapter describes the target of evaluation (TOE) configuration for MarkLogic Server.

Overview of the TOE

The target of evaluation (TOE) is the configuration of MarkLogic Server that is certified by the Common Criteria evaluation process as the proper setup of the environment in which an evaluated configuration of MarkLogic Server can run. All of the setup requirements set forth in this guide must be met for a configuration to be considered an evaluated configuration. This section briefly describes the TOE and consists of the parts that follow.

Common Criteria Evaluation Process

MarkLogic Server has gone through a rigorous process for the Common Criteria evaluation. The process includes detailed specifications and testing of the security architecture and implementation of MarkLogic Server. It also includes processes for development, support, and maintenance of the product through all phases of product development. These tests and processes are conducted by MarkLogic Corporation and by the Common Criteria evaluation labs. They follow the process outlined in the Common Criteria Evaluation Methodology (CEM). The documents describing this process are available at http://www.commoncriteriaportal.org.

Security Features of MarkLogic Server

MarkLogic Server is designed as a multi-user system, where each user can only see content or execute code according to the security policy implemented in the configuration. MarkLogic Server has many security features, including:

  • auditing
  • last-login database
  • role-based security model to protect documents and code evaluation
  • session-level limits
  • encryption at rest
  • element level security

For details on the MarkLogic Server role-based security model, see the Security Guide. For details on administrative procedures in MarkLogic Server, including security administrative procedures, see the Administrator's Guide.

Not Allowed in the TOE

The MarkLogic Server TOE was tested in a secure configuration that specifically excludes certain product capabilities and functionality that might make the system more vulnerable to attack. The following features of the TOE should not be enabled or used in an evaluated configuration to ensure a secure configuration. Note that all system administration tasks must be performed by an Authorized Administrator, as described in Authorized Administrator, according to the guidance described in this guide and in the rest of the MarkLogic Server documentation. Excluded functionality is as follows:

  • WebDAV Servers are not part of the TOE; do not create any WebDAV servers in an evaluated configuration. The rationale for excluding WebDAV servers is not any inherent problem with MarkLogic Server, but rather with the clients that access a WebDAV Server. WebDAV servers require access by WebDAV clients, and WebDAV clients are not nearly as mature as web browsers and often do not have very secure implementations. The warning not to create a WebDAV Server in an evaluated configuration is specifically to ensure there is no possibility of WebDAV client access to the TOE. While these clients are not provided as part of the TOE, they are freely available, and therefore the Administrator must take action to ensure there is no possibility of WebDAV client use with the TOE.
  • Basic authentication and application-level authentication are not part of the TOE; all App Servers (HTTP Servers, XDBC Servers, and ODBC Servers) in an evaluated configuration must use digest authentication. Digest authentication (what the TOE requires) is the default. For details on configuring HTTP, XDBC, or ODBC Server authentication, see the Administrator's Guide.
  • UDFs (user-defined functions) are not part of the TOE. MarkLogic includes an interface to create UDFs to perform custom aggregate tasks, written in C++, but that interface is not allowed in the TOE.

Admin Interface, Admin API, and Security API Must Run With HTTPS

Any administration activities on the MarkLogic Server TOE must be performed on an App Server that is configured to use Transport Layer Security (TLS), which allows communication over HTTPS. For information about configuring the Admin Interface to use TLS (HTTPS), see Configure the Admin App Server to Use HTTPS.

Additionally, if you are using the Admin API, Security API, PKI API, or the Admin Built-in functions to perform TOE Security Functions, the HTTP or XDBC servers on which the Admin API, Security API, PKI API, or Admin Built-In API code runs must be configured to use HTTPS. For details on configuring App Servers, see the Administrator's Guide.
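The following XQuery script is an added example and is not part of this guide or of MarkLogic's own documentation. Run from Query Console as a user with the admin role, it uses the MarkLogic Admin API to list App Servers that fall outside the exclusions in the previous section (WebDAV servers, non-digest authentication) and the HTTPS requirement above. It assumes the Admin API functions it calls behave as documented for MarkLogic 9 and that an SSL certificate template id of 0 means TLS is not configured on that server. Its TLS check is broader than the guide's requirement: it flags every HTTP or XDBC server without TLS, not only those that serve the Admin Interface or run Admin, Security, or PKI API code, so treat those rows as items to review rather than as definite violations.

```xquery
xquery version "1.0-ml";
(: Added example (not from the guide): report App Servers whose settings fall
   outside the evaluated configuration described in this chapter.
   Run from Query Console as a user with the admin role. :)
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";

(: Current server configuration, read once. :)
declare variable $config := admin:get-configuration();

(: Findings for one App Server; an empty sequence means nothing to report. :)
declare function local:findings($id as xs:unsignedLong) as xs:string*
{
  let $name := admin:appserver-get-name($config, $id)
  let $type := admin:appserver-get-type($config, $id)   (: http, xdbc, odbc, webdav :)
  let $auth := admin:appserver-get-authentication($config, $id)
  (: Assumption: template id 0 means no SSL certificate template, i.e. TLS is off. :)
  let $tls  := admin:appserver-get-ssl-certificate-template($config, $id) ne 0
  return (
    (: Rule 1: WebDAV servers are excluded from the TOE. :)
    if ($type eq "webdav")
    then concat($name, ": WebDAV server present; not allowed in the TOE")
    else (),

    (: Rule 2: basic and application-level authentication are excluded;
       every HTTP, XDBC, and ODBC server must use digest. :)
    if ($type ne "webdav" and $auth ne "digest")
    then concat($name, ": authentication is '", $auth, "'; must be digest")
    else (),

    (: Rule 3: administrative activity must run over HTTPS. This check is
       broader than the guide's requirement and flags every HTTP or XDBC
       server without TLS so the administrator can review each one. :)
    if ($type = ("http", "xdbc") and not($tls))
    then concat($name, ": no SSL certificate template; TLS not configured")
    else ()
  )
};

let $findings :=
  for $id in admin:get-appserver-ids($config)
  return local:findings($id)
return
  if (empty($findings))
  then "All App Servers pass the evaluated-configuration checks"
  else $findings
```

The script only reads configuration; it does not change anything. A WebDAV finding means the server must be deleted, and a non-digest finding means the server's authentication must be changed, both of which remain manual Authorized Administrator tasks performed over HTTPS as this section requires.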

TOE Version

The evaluated configuration of MarkLogic Server must run on the following version:

9.0, Essential Enterprise 9

Additionally, the TOE must be installed on the platform supported in the evaluated configuration, as specified in MarkLogic Server TOE Platform.

Any software updates, patches, fixes, or changes from this configuration will render the TOE out of its evaluated configuration.

TOE Assumptions

The following assumptions (from section 3.1 of the Security Target) are made about the TOE:

A.NO_EVIL

TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.

A.OS_TIME

The OS in the environment shall be able to provide reliable time stamps for use by the TOE.

A.TRUSTED_OS

The underlying OS is trusted to provide protection of the DBMS processes and stored data from other processes running on the underlying OS.

A.NO_GENERAL_PURPOSE

It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the DBMS, other than those services necessary for the operation, administration and support of the DBMS.

A.PHYSICAL

Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment.

A.AUTH

Passwords are encrypted during the authentication process.

A.CLIENT

The web browsers used to access the Admin Interface perform correctly such that when the browser is closed, the active Admin session is terminated. Client applications used to access the Admin API, Security API, and PKI API will perform correctly and when the application is closed, the active Admin session will be terminated.
