We are pleased to announce that Red Hat’s Data Services Platform, specifically MetaMatrix 5.5.3, has achieved Common Criteria certification at Evaluation Assurance Level (EAL) 2. This is a significant milestone for Red Hat’s data services solutions and adds another Common Criteria certification to the Red Hat portfolio, in line with the goals we set in November 2007.

Recognized in 25 countries, Common Criteria is a set of internationally approved guidelines for evaluating and certifying the information security of IT products and information systems. The certification gives private and public sector organizations the confidence that the evaluated IT solution complies with widely accepted security standards.

Data services platforms have become more important as the business world continues to face ever-increasing scrutiny and regulation. The Common Criteria certification for our Data Services Platform, MetaMatrix 5.5.3 shows that the solution complies with these worldwide security standards, making it an attractive option for a security-conscious company or government agency.

Red Hat’s Data Services Platform can help bridge the gap between the data you have and the data you need, reducing the time and cost of software development and integration. This solution facilitates the development of systems that provide consistent, integrated data in real time with enterprise performance, security and management capabilities allowing customers to make better use of existing information assets and work already done.

Red Hat’s Data Services Platform, MetaMatrix, is the latest Red Hat solution to meet the stringent requirements for Common Criteria – the JBoss Enterprise Application Platform received its certification in July 2009. To see the full listing of security-certified Red Hat solutions, please visit our Certifications and Accreditations page.

Today we are celebrating a momentous occasion. Ten years ago today, Red Hat and IBM began our global collaborative partnership to expand the use of enterprise solutions on Linux. It was a small but important start to announce that IBM would run Red Hat Linux on its industry-standard systems. Back in 1999, Red Hat was on the eve of its IPO, and IBM was testing the waters of Linux. Only 10 million users ran the Linux operating system at the time, according to IDC Research quoted in our original partnership announcement.

The global partnership has broadly expanded over the years, and today delivers combined solutions driven by rich joint technology innovations. Together, Red Hat and IBM are deeply penetrating the mission-critical infrastructures of many of the world’s Fortune 500 companies, delivering value to our joint customers through the combination of open source solutions, comprehensive services, solid platforms and technology leadership. Red Hat stands as a Strategic Alliance partner for IBM — the top ranking partnership category — and IBM is a Premier OEM partner for Red Hat.

Our alliance helped spur broad-based industry Linux adoption, driving the one of the fastest growth rates for mainstream operating systems in the past decade. As of 3Q08, IDC’s Server Tracker indicated that Linux accounts for 14% of the overall server market. (rolling 4Q average). Red Hat is the top commercial contributor to the Linux kernel, and IBM is one of the world’s top Linux evangelists—the third largest contributor to the Linux kernel — and runs Red Hat Enterprise Linux across all of our servers and 500 middleware programs.

Of the milestones we’ve achieved over the length of our partnership, here are some of the highlights, including joint innovation and penetration of the enterprise:

• Advancing open source solutions and open standards
  Red Hat and IBM were founding members of the Open Invention Network (OIN), which promotes Linux by using patents to create a collaborative ecosystem, and were instrumental in supporting the Open Document Format (ODF), to ensure that state documents will be accessible to the public.
• Delivering record-setting price/performance solutions
  We’ve produced world-record performance with the combination of Red Hat Enterprise Linux on IBM System x and POWER servers, such as Red Hat Enterprise Linux 5.2 on an IBM System x 3950 M2 with the new Intel X7460 Xeon processor achieving a record-setting TPC-C benchmark offering record-breaking price/performance results – half as fast as the next x86 system on tpc.org.
• Expanding Linux-on-Mainframe
  Formally announced in May 2007, Red Hat’s Linux-on-Mainframe Program has grown the use of Red Hat Enterprise Linux on IBM System z mainframes.
• Rethinking desktop management
  IBM and Red Hat have teamed to simplify desktop management and lower costs with the Red Hat Enterprise Linux-based IBM Open Collaboration Client Solution (OCCS).
• Enhancing security
  Red Hat Enterprise Linux 5 provides security in a mainstream, open-source operating system, and IBM mainframes have long been known for secure computing. Together, IBM and Red Hat have created a top-of-the-line compelling solution for security – Red Hat Enterprise Linux 5 on IBM System z. Red Hat has achieved the highest Linux-on-System z certification available on the market today.
• Developing the realtime Linux kernel
  Red Hat and IBM worked closely throughout the development of the Linux kernel’s realtime capabilities to set the mark for predictable, low-latency computing. Red Hat announced Red Hat Enterprise MRG 1.0 availability at the Red Hat Summit in June 2008, with backing from IBM. IBM WebSphere Real Time on MRG Realtime extends the business benefits of Java to time-critical applications and provides realtime Linux extensions in Red Hat Enterprise MRG.

What’s next for the future of our alliance? Together, we will continue the rapid innovation that has come to define our relationship. Red Hat and IBM believe that in 2009, more clients that ever will adopt Linux. We think that Linux adoption is on the rise as companies are forced to find efficiencies, carve out costs, adopt a different cost structure and integrate infrastructures when companies merge. We’re seeing Linux and consolidation projects reducing energy consumption.

In 2009, you’ll see us focusing on key growth initiatives such as:

• Big Green Linux
  Just this month, we announced that Bank of New Zealand reduced its carbon footprint with Red Hat Enterprise Linux on IBM System z mainframes.
• Emerging technologies
  The combination o f Red Hat Enterprise Linux on IBM systems is behind some of the world’s most innovative solutions, such as the world’s fastest computer Roadrunner and a cloud computer center in Wuxi China.
• Virtualization
  Our teams are working closely together today on virtualization that will enable our customers to continue leveraging our deep joint value.
• Business-critical Linux
  IBM and Raytheon were voted a Red Hat Innovation Award winner at the Red Hat Summit for their realtime development for the US Navy, and we continue our work to deliver true business-critical value to customers.

We’ve enjoyed 10 years of great success as partners, but the true proof points of our strong partnership lie on our joint customer successes – see some of them here.

We asked Linux Foundation’s Jim Zemlin what he thought, and here’s what he told us:

IBM and Red Hat together have been instrumental in the global adoption of Linux and in the development of the operating system. As leading participants in the massive collaboration that drives Linux to give birth to new technologies, IBM and Red Hat should be applauded. Today is an important day as we look 10 years back and 10 years into the future. Linux is fueling a new software economy, and IBM and Red Hat will surely be as instrumental in its future as they have been in its history.

To learn more about the Red Hat-IBM alliance, visit here.

Following the release of Fedora 9 last May, we’ve been hard at work in anticipation for Fedora 10. OK, so maybe we took one day off to celebrate the success of Fedora 9, but we didn’t wait too long before diving in to implement cool, new features in the next release. Fedora 10 (Cambridge) is due out in November 2008, and the Alpha release provides a chance for the whole community to weigh in. Tell us what you think and get involved in testing the new features – check out the Fedora 10 Alpha release notes, and then download the Alpha.

Red Hat engineers working in Fedora and upstream communities have been developing several new features slated for Fedora 10. Here are just a few of the features that we’re very excited to deliver:

• Glitch free audio. The revolutionary PulseAudio stack has been enhanced to use timer-based scheduling. This means that it uses less power, is more hardware independent, and adjusts dynamically to keep audio data flowing without interruption — minimizing drop outs.

• Sectool. Fedora 10 will feature a brand new security auditing and intrusion detection system. It has both text and graphical front ends, features highly configurable groups for adjusting test runs, and is completely modular and extensible. Administrators and the community at large can write their own tests to extend its functionality even further.

• Connection Sharing. Fedora 10 delivers on the promise of NetworkManager’s “Create new wireless network” tool, with easy setup of an ad-hoc wifi network on any machine with a network connection and a spare wireless card. If the machine has primary network connection (wired, 3G, second wireless card), routing is set up so that devices connected to the ad-hoc wifi network can share the connection to the outside network.

There are more great features on the way. As always, everything that goes into and comes out of the Fedora Project is completely open and free for anyone to use, modify, and redistribute. Keep an eye on our wiki’s feature list to see how things are progressing throughout the Fedora 10 development cycle.

We’re excited to announce two major bits of security news from the Red Hat Summit today:

• The launch of the Red Hat Enterprise IPA product
• The acquisition of open source identity integration provider, Identyx

After the completion of a successful beta test program that was launched at the RSA security conference in April, version 1.0 of Red Hat Enterprise IPA is now generally available. If you’re not familiar with the freeIPA project upon which Red Hat Enterprise IPA is based, it was started about a year ago as an open source, standards-based identity and access management solution for the Unix/Linux environment.

Red Hat used the source from the upstream freeIPA project to build packages that were put through a rigorous quality assurance test cycle. Testing included full alpha and beta programs with a targeted group of customers. A number of different Linux and Unix clients including Red Hat Enterprise Linux, AIX Solaris and HP-UX were used in an effort to ensure support for heterogeneous clients. Customers now have a Red Hat-supported, centralized identity management solution to ease administration of their Linux and Unix users.

The other big news is the technology purchase of the Identyx code base. Identyx is an open source identity management platform company and a leading provider of virtual directory software. Its Penrose virtual directory product complements the Enterprise IPA product very well and greatly simplifies the task of integrating IPA into complex indentity infrastructures that may have many existing directories or identity repositories. You can find out more about Identyx and its product offerings here.

Today we’re excited to announce another community initiative — the Open Source Software Security community (oss-security). This project is an ongoing effort to manage security information in open source software by building on the collaborative foundation of the open source model.

The purpose of oss-security is to encourage public discussion of security flaws, concepts and practices in the open source community. We don’t want to simply be an information clearinghouse, or to replace any of the current security lists and groups. The goal is to fill an existing vacuum by encouraging active participation of those interested in the ideas and unique challenges in securing open source software. This includes activities such as flaw discovery, understanding, reporting and overall best practices.

The oss-security community was initially founded by individuals from Foresight Linux, Mandriva, Openwall and Red Hat, and has since grown to include contributions from many other projects and individuals. The computing resources are currently graciously donated by the Openwall Project.

If you have an interest in the open source security space, we encourage you to participate in the oss-security community by adding content to the wiki, contributing to mailing-list discussions or joining us on IRC.

More information can be found on the group’s wiki page here.

Today, with atsec information security, we announced that JBoss Enterprise Application Platform, v4.3 is currently ‘In Evaluation’ for Common Criteria certification at Evaluation Assurance Level (EAL)2+ (augmented for flaw remediation).

This is an important announcement on many levels. It represents the first major milestone since we announced our intent to pursue additional Common Criteria certifications in Nov. 2007. Beyond this, many U.S. federal government agencies and private-sector companies use Common Criteria evaluations as a benchmark to make informed security decisions when evaluating solutions. Why? Products are evaluated by independent labs under Common Criteria’s stringent and lengthy testing requirements, giving customers an impartial assessment of the product’s ability to meet specific security requirements. Outside of the U.S., dozens of nations now recognize Common Criteria certifications, agreeing that the evaluations “contribute significantly to confidence in the security of those products.” Because Common Criteria is a recognized international standard, it gives private-sector customers with worldwide operations confidence that the products they purchase will meet local security standards.

The announcement also reinforces our commitment to IT security. We’ve long been known for our pursuit of additional security certifications. Red Hat Enterprise Linux is one of the most certified operating systems available. Outside of the JBoss Enterprise Application Platform, we’re not aware of any other open source application server that’s been able to reach this status.

If you want to learn more about our extensive history with Common Criteria certifications, check out our Certifications and Accreditations page.

In the last few weeks, there have been three significant events in the adoption of SELinux and Type Enforcement. They’re all exciting, and each is a testament to the long-term success and viability of the TE approach. Even more exciting, though, is the fact that none of these announcements came from Red Hat. After carrying the flag for so long, it’s gratifying to see other communities join the effort to make serious security a standard feature in general-purpose operating systems.

First, Sun has announced that they will be porting Flask to OpenSolaris in cooperation with the NSA, calling it Flexible Mandatory Access Control, or FMAC. If this sounds familiar, it should — it’s very similar to the deal NSA and Red Hat struck in 2004, when SELinux was just gaining interest from a broad audience.

While Sun obviously isn’t working on SELinux, they’ll be taking Type Enforcement, the theory behind SELinux, and bringing it to the OpenSolaris project. This is gratifying to Red Hat, of course, as this is significant endorsement of the TE approach. The work will be in OpenSolaris and not Solaris proper, and it’s not clear how the Flask work will be ported from OpenSolaris to Solaris, but nevertheless I’m sure I speak for everyone on the SELinux team at Red Hat in welcoming Sun to the fold.

Second, SELinux is now available on the new Ubuntu release, Hardy Heron. In the past, SELinux has been stigmatized by being a “Red Hat” thing, or a “Fedora” thing, even though Gentoo and Debian have incorporated it in the past. With the addition of another high-profile distribution, that seems to be changing.

Third, the good people at Tresys and the rest of the SELinux team have released a new Reference Policy for SELinux. This new policy adds a very exciting new feature: support for XACE/XSELinux. In other words, the framework is now in place to label an OpenOffice document window as “Company Confidential” or “Secret,” and enforce rules around how data in that window can be used. At the same time, Red Hat has contributed support for a number of new features, including confined users, so you can say “let this person log in, but don’t let them run X Windows or use the network,” or “let this staff member log in, but only let him manage the web server.” Imagine how useful it would be to have these features and that kind of protection in every Linux distribution. Even private sector customers can appreciate how useful it could be for HIPPA or SOX compliance.

Viewed from a distance, I think there are a few reasons for this sudden surge in interest:

First, SELinux is now much easier to use that it’s been in the past. Customers I talk to have moved from “It’s a pain, I always turn it off” to “I know I should use it, I’ll get to it eventually.” That’s a non-trivial improvement, due in no small part to the outstanding work done by Dan Walsh and the rest of the Red Hat team on tools like setroubleshoot.

Second, SELinux is slowly moving out of the narrow government market and into more general-use applications. As more security risks emerge, and the tools become more flexible and useful, folks see the utility of securing and compartmentalizing their systems. Vendors and distributions are responding with a tested and proven security solution like SELinux, and Type Enforcement generally.

Third, in the government space, it’s becoming clear that TE is the only way to accurately and securely model the complex interactions between agencies and coalition partners. Trusted Solaris 8, the 800 pound gorilla in this market, is near the end of its useful life. The upgrade path to Solaris 10 Trusted Extensions is less than simple. For many use cases, especially those involving a large number of security enclaves, Solaris 10 and its Zones-based approach simply can’t do the job. Customers are hungry for more straightforward alternative that can support even complex use cases, and they’re all taking a long hard look at SELinux.

So, I’m proud that Red Hat has taken a leadership role in this field. We have been a visible cheerleader for TE and SELinux for years, and it’s gratifying to see the community grow. With luck, the Fedora, OpenSolaris, and Debian communities can all work together, each learning from the other’s mistakes, and ultimately deliver the best and most flexible security available. That way, everyone wins.

For the last few years, Red Hat has been a regular fixture at the RSA Conference, and this year will be no different. We will be showing the recently open sourced Certificate System Dogtag project and we’ll be launching the beta program for Red Hat Enterprise IPA. Red Hat Enterprise IPA is a new product, scheduled for release mid-year, that is based on the open source freeIPA, centralized Identity, Policy and Audit project. At the Red Hat booth at RSA, we will have a demo showing the high-level features of Red Hat Enterprise IPA, so if you are interested in participating in the beta program please visit us at the show, or sign up for more information about the beta.

Identity and access management is important for reasons of efficiency, risk reduction and compliance. Existing solutions are either no longer compliant (NIS), expensive or not that easy to use (do-it-yourself LDAP and perhaps Kerberos). Red Hat’s acquisition of Netscape’s Directory Server and Certificate System was just the start of our identity and access management strategy.

The freeIPA project and Red Hat Enterprise IPA are our next steps. freeIPA was started 10 months ago as an open source, standards-based identity and access management solution for the Unix/Linux environment. As of now, freeIPA is at version 1. Red Hat Enterprise IPA 1.0 will be based on this version and will make it simpler for admins to setup, deploy and manage an LDAP and Kerberos environment and that means users get the benefits of Kerberos-based single-sign-on. IPA will help with compliance by enabling one traceable identity for users, easier audit of user activity, migration from NIS and synchronization with Active Directory. This is all meant to manage a heterogeneous Linux and Unix environment.

While version 1.0 is focused on user identity management for the Unix/Linux world, we anticipate that version 2.0 will add the management of service and machine identity, policy and basic audit. freeIPA is looking to provide and manage secure identity for machines, virtual machines and services, easily manage who accesses what services on what machines, provide for central management of policy such as centrally managed sudoers and SELinux policy and centrally audit admin action. It is being built with a plug-in architecture to make it easier for the community to add in additional solutions. We are always looking for people to join the project and contribute.

You can learn more at www.freeIPA.org.

We hope you’re as excited about freeIPA and Red Hat Enterprise IPA as we are. Look forward to hearing more from the security team over the upcoming months.

Red Hat Certificate System was acquired from AOL three years ago as part of the Netscape technology acquisition. In keeping with our commitment to open source software, today Red Hat has released all of the source code to Red Hat Certificate System. Much of the technology in Red Hat Certificate System was already open source, including the Apache web server, Red Hat Directory Server and the FIPS140-2 level 2 validated NSS cryptographic libraries, but today’s move further demonstrates Red Hat’s belief that the open source development model creates more secure software.

With the Certificate System code now available under an open source license, it will be much easier to integrate these proven technologies with other open source projects. One specific example of this is the Red Hat-sponsored freeIPA project. freeIPA provides central management of (I)dentity, (P)olicy and (A)udit for the Unix and Linux world through the use of open source and open standards. By incorporating technology from Certificate System, the freeIPA project will, over time, be able to centrally manage machine and service digital certificates including provisioning those certificates to the machine when it joins the IPA realm and renewing them upon expiration. This will enhance enterprise security by streamlining the use of certificates within the environment.

For more information on the above-mentioned technologies, or if you would like to take part and join the open source communities working on these projects, please visit:

• http://pki-svn.fedora.redhat.com/wiki/PKI_Main_Page
• http://www.freeipa.org

Shortly after purchasing the technologies from AOL/Netscape, we opened the source for Red Hat Directory Server in the summer of 2005. Since then, the Fedora Directory Server project has attracted attention and contributions from the community and is now also at the heart of a broader community effort around the central management of identity, policy and audit for the Unix and Linux world, called freeIPA.

Today’s 8.0 release of Red Hat Directory Server is built directly from those fully open source Fedora Directory Server bits and contains all of the contributions and community effort that went into that project. Part of the effort was around achieving full RPM compliance for Red Hat Directory Server, enabling organizations to now rely on the standard Red Hat Network update process for updates.

Organizations use Red Hat Directory Server as a vital part of their infrastructure to provide authentication and authorization. A recent example is Basel University, which needed to provide reliable, authorized access for its 15,000 students and employees to university resources. The University turned to Red Hat Directory server with success.

Beyond the major features discussed above, Red Hat Directory Server 8.0 brings organizations new features in platform support, security and protocol support:

• Platform support: Red Hat Enterprise Linux 4 and 5, 32 bit and 64 bit for both, HP-UX 11i (Itanium, 64-bit), and Solaris 9 SPARC 64 bit.
• Security: Enhanced password syntax policies help meet regulatory requirements. FIPS compliance is achieved using a validated NSS security module. Other security enhancements include default SELinux profile, support SHA-256, SHA-384, SHA-512 and MD5 for hashed password storage, and improved support for SASL/Kerberos.
• Protocol support: Accept incoming connections from IPv6 clients and support for IPv6 in the SDK but no support for interpreting IPv6 addresses in access control instructions or using IPv6 connections for operations such as replication and chaining.

We believe that Red Hat Directory Server 8.0 is the only robust, open-source directory server with enterprise-class support. We’re working on more developments in this area, so stay tuned for upcoming news.