Installation Guide
Version 6.0f, 12 March 2001

Table of Contents

1.  Background
1.1 Common Criteria Overview
1.2 CC Toolbox Overview
1.3 New Toolbox Features
1.4 Limitations
1.5 Security and Privacy
2. Installing the CC Toolbox
2.1 Minimum System Configuration
2.2 Uninstalling Previous Versions
2.3 Installing the CC Toolbox
3. Toolbox Configuration
4. Support via Observation Reports
5. Relevant License Agreements

1.  Background

1.1 Common Criteria Overview

The Common Criteria (CC) provides an approach to describing Information Technology (IT) system security from two interrelated perspectives:

1.2  CC Toolbox Overview

Version 6.0 of the CC Toolbox has been developed as an integrated set of tools to aid consumers, customers and system developers in writing PPs and STs. The CC Toolbox is intended to simplify and streamline use of the CC for IT system practitioners and thus facilitate widespread acceptance and use of the CC. The purpose of the CC Toolbox is twofold:

The CC Toolbox consists of two tools with a common user interface.  The user may select between these tools by choosing the appropriate radio button on the CC Toolbox toolbar:

Since the paradigms of creating a PP or ST are similar, the user interface of the CC Toolbox is designed to accommodate both sets of tasks and can produce either report.  Users of the CC Toolbox can maneuver through the tool, specifying functional or assurance requirements, selecting an Evaluation Assurance Level (EAL), Security Objectives, Threats, Policies, etc., and defer the decision of which type of report they wish to produce until a later time in the process.  The output of the CC Toolbox is a skeleton PP or ST report based on information supplied by the user. The reports produced by the CC Toolbox are not to be considered final products and will need to be completed by the user.

1.3  New Toolbox Features

The CC Toolbox is now public domain software, and is being developed by interested contributors under public license. The new version 6.0f provides easier installation, more convenient access to user documentation, and a new HTML rendering of the CC.

Version 6 of the CC Toolbox provides the capability to:

Version 6 is accompanied by a CC Profiling Knowledge Base, a database of Protection Profile development information that may be helpful in developing new pre-defined environment files for the CC Toolbox. The CC Profiling Knowledge Base comes with its own User Guide.  Please visit NIAP's website at: to download a copy of the CC Profiling Knowledge Base.

1.4  Limitations

Interview sessions created using Version 1.0 can NOT be imported into Version 6.0 of the CC Toolbox. Sessions created in Version 2.  0, 3.0 , 4.0, and 5.0x can be imported into Version 6.0.  User-defined policies, threats, assumptions or security objectives created in Version 2.0 and Version 3.0 that have a name conflict with the domain knowledge in Version 6.0 will be appended with "_UD".  The Report Data Set (*.rds) files created in Version 4.0 cannot use the new domain knowledge data (Pre-Defined Environment, *.pde files) available in Versions 5.0.

Version 6.0 of the CC Toolbox contains a domain knowledge base that includes pre-defined Assumptions, Threats, Policies, Security Objectives, and associated implementation strategies.  The Assumptions, Threats, Policies and Objectives suggested by the tool are provided for the convenience of the tool users.  Users may copy portions of the information into a PP or ST, browse the information for ideas on writing their own assumptions, threats, policies and objectives, or reword the information for use in a PP or ST.  The security engineering guidance provided by the tool also includes suggestions for selecting threats, objectives, and CC components, for completing operations on CC components, and for providing PP rationale.  The information and suggestions provided by the tool represent the combined technical experience of the security engineers who compiled the information.  The US Government does not mandate use of the information provided by the tool.  Specifically, the provision of this information does not abrogate the Toolbox user's responsibilities to perform the appropriate security analysis and to determine fitness for use.

1.5  Security and Privacy

The reports generated by the CC Toolbox may be classified or proprietary depending upon the information supplied by the user.  Additionally, the security classification of the system upon which the CC Toolbox is installed determines the classification level of the application.  Therefore, it is the user's responsibility to adequately protect the CC Toolbox and the data, including the ST and PP reports. 

2.  Installing the CC Toolbox

Briefly, installation consists of the following steps:

  1. Ensure that your system has the necessary resources (see below):
  2. If desired, uninstall any previous releases of the CC Toolbox.
  3. Obtain a copy of the CC Toolbox, double click on the downloaded v60f_cctoolbox.exe, and follow the online instructions.

2.1 Minimum System Configuration

2.1.1 Hardware.  The CC Toolbox requires the following minimum hardware configuration:

2.1.2. Operating System.  The CC Toolbox has been developed to run on Microsoft Windows operating systems.  Its Java-based implementation makes it relatively platform independent.

2.1.3 Java Runtime Environment 1.3 (JRE 1.3).  You can check whether your computer has JRE 1.3 as follows:

If your computer doesn't have JRE 1.3, you can obtain a copy from [] and install it by double clicking on the downloaded .exe file. If you have the Toolbox CD, there is a copy of JRE 1.3 on the CD as well.

2.1.4 Windows Scripting Engine. Recent versions of Windows come with the WScript scripting engine. You can check whether you have WScript by going to the start menu, selecting Run, and typing WScript. This will work even if your e-mailer and browser have disabled the use of scripts. If you do not have WScript, you can obtain it from []. Only the last portion of the installation requires WScript, and as a last resort you can do that portion by hand.

2.1 5 Microsoft Access. Users who wish to modify or extend the domain knowledge base will need to have a copy of Microsoft Access 97, as the CC Profiling Knowledge Base is implemented using Access.

2.2 Uninstalling Previous Versions

If you decide to uninstall a version of the CC Toolbox, either of the following techniques should work:

The Uninstall program will proceed with uninstalling the CC Toolbox software.  It will not delete data files. In particular, it will not delete saved reports or your personal configuration information, which is stored in the file resources\CCToolbox.config.

Note. If you choose not to uninstall a previous version, then it is important to install the new version into a different directory. In Version 6.0f this is easy, as the installer suggests a new default installation directory directory.

2.3 Installing the CC Toolbox

You may obtain the CC Toolbox from the NIAP website [], or in some cases, you may receive it on a CD. 

After loading the CC Toolbox onto your computer, double click on the downloaded CC Toolbox installer, v60f_cctoolbox.exe, and proceed as follows:

3.  CC Toolbox Configuration

You can personalize your copy of the CC Toolbox by selecting the Configuration function on the File menu. Configuration options are divided into two groups, Defaults and E-Mail Settings.

The CC Toolbox has a built in Autosave feature that saves an interview session based on a pre-specified time interval (i.e., every 10 minutes).  You can adjust the time by moving the slider with your mouse, by highlighting the slider and pressing the left- or right-arrow keys, or by typing in a number directly.  Setting the time to zero minutes disables the Autosave.
The default report mode can be set to either Protection Profile or Security Target.  Setting the default report mode to PP, for example, will cause the user to always be in PP mode when a new CC Toolbox session is created.  The difference between PP and ST mode is merely which report type will be generated and in the wording of the prompts in the Component Interviews. 
The default directory location is the place where the CC Toolbox will save templates and report data sets.  Additionally, this is the directory where the CC Toolbox will look for templates and report data sets when users request an Open operation.  Users can change this directory by selecting the Browse button or by manually entering a valid directory location.
The CC Toolbox Configuration function allows the user to enable or disable logging mode.  When enabled key user events are logged to the file CCToolboxRecordFile.txt.  This file will be sent as an attachment to an Observation Report e-mail.  The intention of logging is to allow the user easily record the steps they followed to recreate an error that they plan to report via an Observation Report.
E-Mail Settings
This information can be reliably found in the preference settings of your e-mail program. In Netscape, look on the Edit Menu, select Preferences. Expand the Mail & News Groups node on the left of the pane. Click on Mail Servers. The Mail Host is the Outgoing Mail (SMPT) Server. Typical Mail Host values are, e.g.,, If you are behind a firewall, you will need to specify a mail host that on your side of the firewall.
The Name, Company, Telephone, Fax, and Email fields have their obvious meanings.

For more information on configuring and using the CC Toolbox consult the Users Guide and the Reference Manual. Shortcuts to these documents can be found in the CC Toolbox folder on the Start Menu (assuming you choose the option to install them).

4.  Support via Observation Reports

You are encouraged to document any feedback/observations online from within the CC Toolbox (Observation Form), which will be emailed to This approach can provide you with needed support and, at the same time, provides the Toolbox developers with needed feedback.

An observation report may be sent directly from the CC Toolbox by selecting the Observation Report option from the Help menu on the menu bar.  Upon selection, the CC Toolbox Observation Reporting Form will be displayed.  A name, email address, and Mail Host must be provided in the form.  Complete the observation and press the rotating Send Email icon.  This observation report will be sent to the National Information Assurance Partnership (NIAP).  The observation report also sends NIAP information about the:

5.  Relevant License Agreements

Use of the CC Toolbox and related tools is subject to constraints given in the file LICENSE.TXT.

The CC Toolbox includes free, redistributable support software from Sun Microsystems and IBM. Use of this support software, and thus of the CC Toolbox itself, is subject to license agreements available from the respective vendors:

Freeware Product URL for Further Information
JavaTM 2 Runtime Environment
JavaBeansTM Activation Framework
IBM® Logging Toolkit for Java