NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Axway Validation Authority Suite 5.0

Certificate Date:  2019.08.02

Validation Report Number:  CCEVS-VR-VID10959-2019

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.2

CC Testing Lab:  Gossamer Security Solutions

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The Axway Validation Authority (VA) Suite provides a comprehensive, scalable, and reliable framework for real-time validation of digital certifications for the Public Key Infrastructure (PKI). The Axway VA Suite provides a variety of PKI and certificate management functionality to prevent revoked credentials from being used for secure email, smart card login, network access (including wireless), or other sensitive electronic transactions. The Axway VA Suite provides the following functionality:

·         Maintains and processes a store of digital certificate revocation data by obtaining the digital Certificate Revocation List (CRL) from multiple CA or VA sources and performing end-to-end certificate validation if one or more intermediate CAs are used and the validation policy requires a complete certificate chain validation.

·         Generates and signs OCSP/SCVP responses.[1] Maintains a cache loaded with OCSP responses that are pre-computed or dynamically built up by proxy client requests to a responder.

·         Allows caching of CRLs and delta CRLs to support non-OCSP clients or clients that want to maintain their own revocation data caches for backup and in low-bandwidth and non real-time environments.

·         Supports SSL-based communications with clients, digitally signed client requests/responses, and digitally signed XML logs and CRL archives, as well as SSL-based server administration.

·         Supports software PKCS #11 or CAPI token based hardware signing and encryption products, including hardware security modules from leading vendors that comply with FIPS 140-2 Level 2 or above.[2]

For purposes of this evaluation, the Axway VA Suite is a software application that offers CAVP certified cryptographic functions (key generation, hashing, signing, random bit generation), secure remote administration, secure storage of credentials, X.509 certificate validation and authentication, trusted update, anti-exploitation capabilities and restricted network communications.

[1] The generation and signing of OCSP/SCVP has not been tested in the evaluated configuration.

[2] The use of a Hardware Security Module (HSM) is not included in the evaluated configuration.


Evaluated Configuration

The TOE is composed of three software-only applications which execute on a Microsoft Windows or RHEL operating system platform.  The underlying platform is considered part of the operating environment but provides some of the security functionality required by the ASPP12. 

Specifically, the evaluated configuration includes the following:

·         Axway Validation Authority Server v5.0 - a software server application running on the following two platforms:

o    Microsoft Windows 2012 (64 bit) on a 64 bit Intel Xeon processor

o    RHEL 7 (64 bit) on a 64 bit Intel Xeon processor

  • Axway Desktop Validator (Standard & Enterprise Editions) v5.0 – a software client application running on the following platform:

o    Microsoft Windows 2012 (64 bit) on a 64 bit Intel Xeon processor

  • Axway Server Validator v5.0 – a software client application running on the following two platforms:

o    Microsoft Windows 2012 (64 bit) on a 64 bit Intel Xeon processor

o    RHEL 7 (64 bit) on a 64 bit Intel Xeon processor

Server Validator provides revocation checking for the following web servers in the operational environment:  Apache 2.4 and Oracle HTTP Server (OHS) 12c.  

Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Axway Axway Validatio Authority Version 5.0 Common Criteria Guide, 19 July 2019 document, satisfies all of the security functional requirements stated in the Axway Validation Authority Suite (ASPP12) Security Target, Version 0.10, 07/16/2019.  The project underwent CCEVS Validator review.  The evaluation was completed in August 2019.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.

Cryptographic support:

The TOE uses CAVP-validated cryptographic algorithm implementations, provided by the Axway Security Kernel, a cryptographic module built upon a custom version of OpenSSL 1.0.2k, to support asymmetric key generation, encryption/decryption, signature generation and verification and establishment of trusted channels to protect data in transit. The TOE provides a web server for TLS/HTTPS to facilitate trusted remote communications and implements functionality to securely store key data related to secure communications. The TOE also relies on the underlying platform to generate entropy that is used as input data for the TOE’s deterministic random bit generator (DRBG).

User data protection:

The TOE does not access any hardware resources or sensitive information repositories and no sensitive data is stored in non-volatile memory.  Inbound and outbound network communications are restricted to those that are user-initiated.

Identification and authentication:

The TOE implements X509 certificate validation to validate the revocation status of certificates using CRL. The TOE uses X509 certificates to support HTTPS/TLS authentication.

Security management:

The TOE provides a Web-based Graphical User Interface (Web GUI) to access and manage the TOE security functions. When configured with default credentials or no credentials, the TOE restricts its functionality and only allows the ability to set new credentials.  By default, the TOE is configured with file permissions to protect itself and its data from unauthorized access.


The TOE does not transmit personally identifiable information (PII) over any network interfaces.

Protection of the TSF:

The TOE protects itself against exploitation by implementing address space layout randomization (ASLR) and by not allocating any memory region for both write and execute permission. The TOE is compiled for both Windows and Linux with stack-based buffer overflow protection and does not allow user-modifiable files to be written to directories that contain executable files. The TOE uses standard platform APIs and includes a number of third party libraries used to perform its functions.

The TOE includes mechanisms to check for updates and to query the current version of the application software. TOE software is digitally signed and distributed using the platform-supported package manager (Windows or Linux).  The TOE does not update its own binary code in any way and when removed, all traces of the TOE application software are deleted.

Trusted path/channels:

The TOE protects communications between itself and remote administrators using HTTPS/TLS.

Vendor Information

Axway, Inc
Jeff Allen
Site Map              Contact Us              Home