NIAP: Compliant Product
Compliant Product - Axway API Gateway version 7.4.1 with SP2

Certificate Date:  2017.01.13

Validation Report Number:  CCEVS-VR-VID10778-2017

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management-Access Control Version 2.1
  Protection Profile for Enterprise Security Management - Policy Management Version 2.1

CC Testing Lab:

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is a comprehensive platform for managing, delivering, and securing APIs allowing for centralized enterprise security management solutions. The TOE controls how APIs and web services are exposed to and accessed by external client applications.  The TOE comprises the Axway API Gateway v7.4.1 software.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. The criteria against which the Axway API Gateway version 7.4.1 was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 4. Computer Sciences Corporation determined that the product is conformant to the requirements for Standard Protection Profile for Enterprise Security Management Policy Management v2.1, dated October 24, 2013 and Standard Protection Profile for Enterprise Security Management Access Control v2.1, dated October 24, 2013. The product satisfies all of the security functional requirements stated in the Security Target. Three validators, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by Computer Sciences Corporation. The evaluation was completed on January 13, 2017. Results of the evaluation can be found in the Assurance Activity Report for Axway API Gateway version 7.4.1 prepared by Computer Sciences Corporation.

Environmental Strengths

The Axway API Gateway version 7.4.1 TOE implements the following security functions:

Access Control Policy Definition – The TOE includes the Policy Studio tool which is used to define and configure security policies that are enforced by the API Gateway server. The TOE only consumes policies that are defined by its policy definition component.  Policies are transmitted from Policy Studio to the API Gateway server using a TLS trusted channel to protect the TSF data.

Access Control Policy Enforcement - The core functionality of the TOE is its ability to define and enforce policies to protect APIs and web services. The TOE enforces policies comprising message filters, where each filter processes a message request in a certain way. The ST identifies the message filters included in the evaluated configuration. In the evaluated configuration, the Gateway may only consume policies created and deployed from the Axway Policy Studio.

Security Audit - The TOE generates audit events associated with use of the administrative functions, for enforcement of its access control policy and for use of its management functions. The TOE may store logs locally on the file system or remotely on an external audit server. Communication with the external audit server is secured using TLS.

Robust Administrative Access – Administrator access to the TOE can be achieved via the Policy Studio application and the web-based API Gateway Manager interface. Users must authenticate prior to being granted access. Users access TOE protected functions and data based on their user roles. Users may authenticate via username and password.

Continuity of Enforcement - The Gateway continues policy enforcement in the event of a loss of connectivity with Policy Studio by enforcing the last policy received. Continuous connectivity with the Policy Studio is not expected or required.

Protected Communication - The TOE uses TLS to provide trusted channels for communication between its separate components; between itself and an external LDAP server and between itself and an external HTTP-based audit server.  It provides a trusted path via HTTPS for remote administrators to access the TOE external interfaces.

Vendor Information

Jeremy Westerman