Security Evaluations for IBM Products


Middleware
IBM Directory Server Version 5.1 with FixPak510-01 was evaluated under the Common Criteria at Evaluated Assurance Level 2 for IBM AIX 5.2, SuSE Linux Enterprise Server 8, Red Hat Advanced Server 2.1, Microsoft Windows 2000 and Sun Solaris 8. The certification report was published on 19 August 2003.
IBM Tivoli Directory Server Version 5.2 was evaluated under the Common Criteria at Evaluated Assurance Level 3, for IBM AIX 5.2, SuSE Linux Enterprise Server 8, Red Hat Advanced Server 3.0, Microsoft Windows 2000, Sun Solaris 8 and HP-UX 11i. The certification report was published on 02 March 2004.
IBM Tivoli Directory Server Version 6.0, Fix Pack 1, Interim Fix 5, was evaluated under the Common Criteria at Evaluated Assurance Level 4, augmented by ALC_FLR.1. The certification report was published on 02 March 2006.
IBM Tivoli Access Manager for e-business Version 4.1 with Fixpack 5 was evaluated under the Common Criteria at Evaluated Assurance Level 3 (Augmented) for IBM AIX 5.2, SuSE Linux Enterprise Server 8, Microsoft Windows 2000 Advanced Server SP3 and Sun Solaris 8. The certification report was published on 16 October 2003.
IBM Tivoli Access Manager for e-business Version 5.1 with Fixpack 6 was evaluated under the Common Criteria with a conformance claim of EAL3 augmented by ALC_FLR.1. The certification report was published on 27 July 2005.
IBM Tivoli Access Manager for e-business Version 6.0 with Fixpack 3 was evaluated under the Common Criteria with a conformance claim of EAL3 augmented by ALC_FLR.1. The certification report was published on 12 March 2007.
IBM Tivoli Access Manager for Operating Systems Version 5.1 with Fixpack 17 was evaluated under the Common Criteria with a conformance claim of EAL3 augmented by ALC_FLR.1. The certification report was published on 24 March 2006.
IBM Tivoli Identity Manager Version 4.6 was evaluated under the Common Criteria with a conformance claim of EAL3 augmented by ALC_FLR.1. The certification report was published on 16 February 2006.
IBM DB2 Version 8.2 (DB2 Universal Database V8.2 Workgroup Server Edition for Windows, Linux, AIX, and Solaris; DB2 Universal Database V8.2 Enterprise Server Edition for Windows, Linux, AIX, and Solaris; DB2 Universal Database V8.2 Personal Edition for Windows and Linux; DB2 Universal Database V8.2 Express Edition for Windows and Linux) was evaluated under the Common Criteria at EAL4, augmented with ALC_FLR.1. The certification is dated 17 September 2004. Specific details are available at the National Information Assurance Partnership (NIAP) web site.
IBM DB2 Enterprise Server Edition Version 9.1.1 for Linux, Unix, and Windows was evaluated under the Common Criteria at EAL 4, augmented with ALC_FLR.1. The certificate was issued on 26 January 2007. Details are available at the NIAP web site. The guidance on installation and usage of DB2 in a Common Criteria environment is available (in PDF format) at the DB2 manuals web site.
IBM DB2 UDB for z/OS Version 8 is in-evaluation under the Common Criteria with a conformance claim of EAL3.
IBM DB2 Content Manager for Multiplatforms V8.2 was evaluated under the Common Criteria with a conformance claim of EAL3 augmented with ALC_FLR.1. The Common Criteria certificate was issued 22 December 2004; additional details are available at NIAP's CCEVS site.
WebSphere Application Server V5.0.2.8 was evaluated under the Common Criteria with a conformance claim of EAL2, augmented with ALC_FLR.1. The Common Criteria certificate was issued 02 December 2004; additional details are available at NIAP's CCEVS site.
IBM WebSphere Application Server Version 6.0.2.3 (32-bit), WebSphere Application Server Express Version 6.0.2.3, WebSphere Application Server Network Deployment (32-bit) Version 6.0.2.3, and WebSphere Application Server for z/OS Version 6.0.1, service level 6.0.2.3, were evaluated under the Common Criteria with a conformance claim of EAL4 augmented by ALC_FLR.1. The certificate was published on 12 May 2006.
IBM WebSphere Application Server Version 6.1.0.2 was evaluated under the Common Criteria with a conformance claim of EAL4 augmented by ALC_FLR.1. The certificate was issued on 16 March 2007.
IBM WebSphere Application Server for z/OS Version 6.1.0.2 was evaluated under the Common Criteria with a conformance claim of EAL4 augmented by ALC_FLR.1. The certificate was issued on 16 March 2007.
IBM WebSphere Application Server Network Deployment Version 6.1.0.2 was evaluated under the Common Criteria with a conformance claim of EAL4 augmented by ALC_FLR.1. The certificate was issued on 16 March 2007.
WebSphere Portal V5.0.2 was evaluated at EAL2 under the Common Criteria for AIX 5.1 and 5.2, SuSE 7.3 for Intel, SuSE Linux Enterprise Server (SLES) 7 & 8 for Intel, 7 for zSeries, Red Hat Linux 8.0 and Advanced Server 2.1 for Intel, Sun Solaris 8, Microsoft Windows 2000 Server and Advanced Server, and Microsoft Windows 2003 Standard and Enterprise. The validation report was published on 23 August 2004.
IBM WebSphere MQ Version 5.3.0.2 with Corrective Service Diskette (CSD) 6 was evaluated under the Common Criteria at EAL2. The certification is dated 27 April 2004. Specific details are available at the NIAP web site.
IBM WebSphere MQ Version 6 is in-evaluation as of 26 August 2005 under the Common Criteria with a conformance claim of EAL4.
WebSphere Business Integration Message Broker, V5.0, Fix Pack 4 was evaluated under the Common Criteria at Evaluated Assurance Level 3 (Augmented). The Common Criteria certificate (issued 15 December 2005), validation report and security target are all available from the National Information Assurance Partnership (NIAP) web site.
WebSphere Federation Server Version 9.1, Fix Pack 1 was evaluated under the Common Criteria at Evaluated Assurance Level 4 augmented with ALC_FLR.1. The validation report was published on 25 May 2007.
IBM Workplace Collaborative Learning 2.6, IBM Workplace Team Collaboration 2.6, IBM Workplace Messaging 2.6, IBM Workplace Documents 2.6, and IBM Workplace Managed Client 2.6 are in-evaluation under the Common Criteria with a conformance claim of EAL2.
IBM Global Security Kit (GSKit) Version 7c, a security component used by multiple IBM middleware products, was evaluated under the Common Criteria with an Evaluated Assurance Level of 4, with a completion date of March 2005.
IBM Global Security Kit (GSKit) Version 7.0.4.11, a security component used by multiple IBM middleware products, was evaluated under the Common Criteria with an Evaluated Assurance Level of 4. The certificate was published on 2 August 2007.
IBM WebSphere Everyplace Connection Manager (WECM) V6.1 is in-evaluation as of 12 December 2005 under the Common Criteria with a conformance claim of EAL3 augmented with ALC_FLR.1.
IBM Tivoli License Compliance Manager Version 2.2 Fix Pack 1 was evaluated under the Common Criteria with a conformance claim of EAL2 augmented with ALC_FLR.1. The certification report was published on 14 February 2007.
IBM Tivoli Storage Manager is in-evaluation as of 04 April 2006 under the Common Criteria with a conformance claim of EAL3+.

JavaCard OpenPlatform
The IBM JCOP21id 32K has been evaluated at CMVP FIPS 140-2 Overall Level 3. Certificate No. 363 was published with a validation date of 26 November 2003.
The NXP P541G072V0P (JCOP 41 v2.3.1) smart card with Java Card platform was evaluated under the Common Criteria at Evaluated Assurance Level 4, augmented with ADV_IMP.2, ALC_DVS.2, AVA_MSU.3 and AVA_VLA.4. The evaluation used the Java Card System Protection Profile Collection, Version: 1.0b, August 2003, Minimal Configuration Protection Profile (DCSSI PP/0303). The certification report was published on 10 August 2007.

IBM Software Cryptographic Modules
The IBM Crypto for C (ICC) Version 0.1 has been evaluated at CMVP 140-2 Overall Level 1 for IBM AIX 5.2 (single user mode), Sun Solaris 5.8 and Microsoft Windows 2000 (single user mode). Certificate No. 350 was published with a validation date of 03 October 2003.
The IBM Crypto for C (ICC) Versions 1.1, 1.2 and 1.2.1, when operated in FIPS mode, have been evaluated at CMVP 140-2 Overall Level 1 for IBM AIX 5.2, Sun Solaris 5.8, Microsoft Windows 2000 Professional and Advanced Server, SuSE Linux Enterprise Server 8 (x86 and PowerPC), RedHat Linux Advanced Server 2.1 (x86), and HPUX 11i – all in single user mode. Certificate No. 384 was published with a validation date of 24 February 2004.
The IBM Crypto for C (ICC) Version 1.4.5 has been evaluated at CMVP 140-2 Overall Level 1 for Sun Solaris 9, HPUX 11i, AIX 5.2, RedHat Enterprise Linux v4 (IA-32, AMD64, PowerPC, zSeries), SuSE Linux Enterprise Server 9 (IA-32, AMD64, PowerPC, zSeries), Microsoft Windows Server 2003 (IA-32, AMD64). Certificate No. 775 was published with a validation date of May 18 2007.
The IBM Java JCE 140-2 Cryptographic Module Version 1.1 has been evaluated at CMVP 140-2 Overall Level 1 for Windows 2000 Professional SP3 (JVM 1.3.1_03 and JVM 1.4.1_04), Windows 2000 Advanced Server SP4 (JVM 1.4.1), Sun Solaris 5.8 (JVM 1.3.1 and 1.4.1), AIX 5.2 (JVM 1.3.1 and 1.4.1), SuSE Linux Enterprise Server 8 (JVM 1.4.1_05), RedHat Linux Advanced Server 2.1 (JVM 1.4.1_05), IBM OS/400 V5R2M0 (JVM 1.4.1) – all in single user mode. Certificate No. 376 was published with a validation date of 30 January 2004.
The IBM Java JCE 140-2 Cryptographic Module Version 1.2 has been evaluated at CMVP 140-2 Overall Level 1 for Windows XP Professional using IBM JVM 1.4.2 (single-user mode). Certificate No. 497 was published with a validation date of 11 January 2005.
The IBM CryptoLite in C Version 3.0 has been evaluated at CMVP 140-2 Overall Level 1 for Red Hat Linux 8.0 (single user mode) and Microsoft Windows 2000 Professional SP3. Certificate No. 356 was published with a validation date of 20 November 2003.
The IBM CryptoLite in Java Version 3.0 has been evaluated at CMVP 140-2 Overall Level 1 for IBM AIX 5.2 (single user mode), Sun Solaris 5.8 and Microsoft Windows 2000 Professional SP3. Certificate No. 354 was published with a validation date of 27 October 2003.
The IBM Everyplace Wireless Gateway Cryptographic Module Version 1.6 has been evaluated at CMVP 140-2 Overall Level 2 for IBM AIX 5L Version 5.2 and Trusted Solaris 8. Certificate No. 321 was published with a validation date of 29 May 2003.
The IBM Everyplace Wireless Gateway Cryptographic Module Version 1.6 has been evaluated at CMVP 140-2 Overall Level 1 for Microsoft Windows 2000 SP2 and Microsoft Pocket PC 2002. Certificate No. 320 was published with a validation date of 29 May 2003.
The IBM Java JSSE FIPS 140-2 Cryptographic Module Version 1.1 has been evaluated at CMVP 140-2 Overall Level 1 with Windows 2000 Professional SP3 (JVM 1.3.1_03 and JVM 1.4.1_04), Windows 2000 Advanced Server SP4 (JVM 1.4.1), Sun Solaris 5.8 (JVM 1.3.1 and 1.4.1), AIX 5.2 (JVM 1.3.1 and 1.4.1), SuSE Linux Enterprise Server 8 (JVM 1.4.1_05), Red Hat Linux Advanced Server 2.1(JVM 1.4.1_05), IBM OS/400 V5R2M0 (JVM 1.4.1), and z/OS V1R4 (JVM 1.4.1). Certificate No. 409 was published with a validation date of 05 April 2004.
The IBM SSLite in Java Version 3.15.3232 has been evaluated at CMVP 140-2 Overall Level 1 with Windows 2000 SP3 (JRE 1.3.1_03) and Red Hat Linux 8.0 (JRE 1.3.1_07). Certificate No. 406 was published with a validation date of 18 March 2004.

IBM Cryptographic Security Chip for PC Clients
Evaluated at Common Criteria at Evaluation Assurance Level 3 (EAL3) on September 10, 2001. (See the "Sensitive Data Protection" table, located halfway down the page.)
Also see: NIAP Validated Product: IBM Cryptographic Security Chip for PC Clients.
See IBM Embedded Security Subsystem (select "IBM Embedded Security Subsystem") for more information.

zSeries Logical PARtitioning (LPAR)
eServer zSeries 900 PR/SM evaluated at Common Criteria EAL5 on 27 February 2003.
eServer zSeries 800 and 900 GA3 PR/SM evaluated at Common Criteria EAL5 and EAL4 on 06 June 2003.
eServer zSeries 990 Processor Resource/System Manager (PR/SM) evaluated at Common Criteria EAL5 in Germany, EAL4 world-wide, on 13 May 2004.
PR/SM LPAR for IBM eServer zSeries 890 and 990, evaluated at Common Criteria EAL5 in Germany, EAL4 world-wide, on 13 May 2005.
PR/SM LPAR for the IBM System z9 109 was evaluated under the Common Criteria at evaluated assurance level 5 in Germany, level 4 world-wide. The certificate was published on 24 March 2006.
PR/SM LPAR for the IBM System z9 Enterprise Class and the IBM System z9 Business Class were evaluated under the Common Criteria at Evaluated Assurance Level 5 in Germany, Level 4 world-wide. The BSI issued certificate ID BSI-DSZ-CC-0378-2006 on 04 September 2006.

pSeries Logical PARtitioning
IBM LPAR for POWER4 for the IBM pSeries (Firmware Releases: 3R031021 (p630), 3K031021 (p650) and 3H031021 (p690)) was evaluated under the Common Criteria with an Evaluated Assurance Level 4, augmented by ALC_FLR.1 (Basic Flaw Remediation) on 26 January 2004.
IBM LPAR for POWER6 was evaluated under the Common Criteria with an Evaluated Assurance Level 4 augmented by ALC_FLR.2. The certification report was published on 7 November 2007.

eServer zSeries running z/OS
z/OS V1.6 was evaluated under the Common Criteria at Evaluated Assurance Level 3 (Augmented) using both the Controlled Access Protection Profile (CAPP) and the Labeled Security Protection Profile (LSPP). The certification report was published on 09 March 2005.
z/OS Version 1.7 was evaluated under the Common Criteria, using the CAPP and the LSPP, at Evaluated Assurance Level 4, augmented by ALC_FLR.1. The certificate was published on 02 March 2006.
z/OS Version 1.8 was evaluated under the Common Criteria, using the CAPP and the LSPP, at Evaluated Assurance Level 4, augmented by ALC_FLR.1. The certificate was published in May 2007.

eServer zSeries running z/VM
z/VM Version 5 Release 1 was evaluated under the Common Criteria at Evaluated Assurance Level 3 (Augmented) using both the Controlled Access Protection Profile (CAPP) and the Labeled Security Protection Profile (LSPP). Certification report (BSI-DSZ-CC-0258-2005) was published on 26 October 2005 by the German Federal Office of Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). The security target is also available from the BSI's web site.

S/390 running MVS & OS/390
S/390 CMOS cryptographic co-processor evaluated at NIST FIPS 140-1 Level 4.
S/390 PR/SM evaluated at ITSEC E4
  1. S/390 CMOS G6 Family, March 16, 2000
  2. S/390 CMOS G5 Family, March 1999
  3. 9021 and 9121 Processor Families, October 1995
OS/390 has received International Computer Security Association (ICSA) Certification for the crypto algorithms in S/390 Virtual Private Network (VPN) support.
MVS 3.1.3 along with RACF 1.9.0 and the trusted computing base were evaluated at DoD TCSEC B1 in 1990.
Follow-on versions of OS/390 have not been re-submitted (RAMPed), but are typically "designed to meet" C2 or higher.

IBM 4758 PCI Cryptographic Co-Processor
World's first product to be certified at NIST FIPS 140-1 Level 4.
Approved by German ZKA for operation as a security module in electronic cash networks.
Visit the IBM 4758 PCI Cryptographic Co-Processor website.

IBM eServer Cryptographic Coprocessor Security Module
The IBM eServer Cryptographic Coprocessor Security Module, (Hardware Version: P/N 16R0911, Model 4764-001; Firmware Version: 1.16), has been evaluated at CMVP 140-2 Overall Level 4, when operated in FIPS mode. Certificate No. 524 was published with a validation date of 01 May 2005.

eServer pSeries running AIX
AIX 5L for POWER Version 5.2 was evaluated under the Common Criteria using the CAPP, achieving an EAL4 (Augmented). The certification report was published on 08 September 2003.
AIX 5L for POWER Version 5.2 Maintenance Level 5200-04 was evaluated under the Common Criteria, using the CAPP, with a conformance claim of EAL4 (Augmented).
AIX 5L for POWER Version 5.2, Maintenance Level 5200-05, with Innovative Security Systems Pitbull Foundation Version 5.0, was evaluated under the Common Criteria at Evaluated Assurance Level 4 augmented by ALC_FLR.1 using the Labelled Security Protection Profile (LSPP). The certificate was published on 02 May 2006.
AIX 5L for POWER Version 5.3, Maintenance Level 5300-04, is in-evaluation under the Common Criteria, using the CAPP, with a conformance claim of EAL4+.

RS/6000 running AIX
AIX 4.2 was successfully evaluated for security at ITSEC E3 level of assurance and F-C2 function class in May 1997.
AIX 4.3 was the first 64-bit operating system certified at the ITSEC E3/F-C2 level, May 1998.
AIX 4.3 with Bull's EST 2.0.1 received a common criteria B1 rating.
AIX 4.3 was the first UNIX OS to offer International Computer Security Association (ICSA) Virtual Private Network (VPN) Certification.
AIX 4.3.1 was evaluated at the DoD TCSEC C2 level in Jan 1999 (first 64-bit UNIX OS to be awarded C2).

eServer iSeries running i5/OS
IBM i5/OS V5R3M0 running on IBM eServer models 520, 550, and 570 with Software Feature Code 1930 was evaluated under the Common Criteria at Evaluated Assurance Level 4 (Augmented) using the Controlled Access Protection Profile (CAPP). The Common Criteria certificate (issued 10 August 2005), validation report and security target are all available from the National Information Assurance Partnership (NIAP) web site.

AS/400 running OS/400
OS/400 V2R3 received a DoD TCSEC C2 rating in Oct 1995.
V3R2 was RAMPed (evaluate all changes) at the C2 level in Oct 1997.
V4R1 was RAMPed at the C2 level in Oct 1998.

Linux
IBM sponsored the Common Criteria evaluation of SuSE Linux Enterprise Server Version 8, Service Pack 3, RC4, with certifcation-sles-eal3 package. The evaluation was performed using the CAPP (Controlled Access Protection Profile) and achieved an EAL (Evaluated Assurance Level) 3, augmented by ALC_FLR.2 (flaw reporting procedures). The certification report was published on 14 January 2004.
IBM sponsored the Common Criteria evaluation of SuSE Linux Enterprise Server Version 9, with certifcation-sles-ibm-eal4 package. The evaluation was performed using the CAPP, and achieved an EAL4, augmented by ALC_FLR.3. The certification report was published on 09 March 2005.
IBM sponsored the Common Criteria evaluation of SuSE Linux Enterprise Server Version 10 SP1. The evaluation was performed using the CAPP, and achieved an EAL4, augmented by ALC_FLR.3. The certification report was published on 8 October 2007.
Red Hat Enterprise Linux 3, Update 2 on IBM eServers was evaluated under the Common Criteria, using the Controlled Access Protection Profile (CAPP), achieving EAL3, augmented. The evaluation results, announced 03 August 2004, are for Red Hat Enterprise Linux WS on xSeries, and Red Hat Enterprise Linux AS on xSeries, iSeries, pSeries, zSeries as well as Opteron-based systems.
Red Hat Enterprise Linux Version 4, Update 1, AS and WS, was evaluated under the Common Criteria, using the Controlled Access Protection Profile (CAPP), achieving EAL4, augmented with ALC_FLR.3. This evaluation was achieved on the following IBM hardware platforms: IBM xSeries (including Intel Xeon, Intel Xeon EM64T and AMD Opteron based systems), pSeries, iSeries, zSeries, eServer, and IBM Blade center. The certificate was issued on 26 January 2006.
Red Hat Enterprise Linux Version 5 was evaluated under the Common Criteria, using the Controlled Access Protection Profile (CAPP), the Labelled Security Protection Profile (LSPP), and the Role-Based Access Control (RBAC) Protection Profile. The evaluation achieved an Evaluated Assurance Level 4, augmented with ALC_FLR.3. The certificate was issued on 07 June 2007. Additional details may be found at the NIAP web site.

Netfinity running NT 4.0
Netfinity HW was designed to meet C2 level of trust.
Windows NT Server and Workstation 3.51 and 4.0 evaluated at ITSEC E3/F-C2.
Windows NT Server and Workstation 3.5 has been evaluated at TCSEC C2.

Netfinity running WIN95, WIN98
None, although Netfinity HW was designed to meet C2 level of trust.

The IBM Firewalls have also been evaluated by ICSA
IBM Firewall for AIX Version 3.1.1.
IBM Firewall for AS/400 version 5769FW1.
IBM eNetwork Firewall 3.2 for NT.1
