Assurance Continuity - Venafi Trust Protection Platform, V20.1
Date of Maintenance Completion: 2020.10.12
CC Certificate | Validation Report | Assurance Activity
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.3
Extended Package for Secure Shell (SSH) Version 1.0
Original Evaluated TOE: 2020.02.21 - Venafi Trust Protection Platform v19.2
Please note: The above files are for the Original Evaluated TOE. Consequently, they do not refer to this maintained version, although they apply to the maintained version.
Security Target* | Assurance Continuity Maintenance Report | Administrative Guide
Please note: This serves as an addendum to the VR for the Original Evaluated TOE.
* This is the Security Target (ST) associated with this latest Maintenance Release. Previous STs for this TOE are also available.
Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.
Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original Validation Report and Security Target. Readers are therefore reminded to read the Security Target, the Validation Report, and the Assurance Maintenance Report to fully understand what a maintained certificate represents.
For this Assurance Continuity, the version number of the TOE changed from 19.2.6 to 20.1. The following paragraphs list the minor software updates and fixes made to the TOE during the maintenance cycle.
MS SQL Server 2017 database can now be used. Rationale: The feature interacts with a 3rd party device which is not part of the TOE or the claimed security functionality
A master administrator can now view the owner of custom reports and can reassign a custom report to a new owner. Rationale: Operations with reports do not affect any of the security claims within the evaluation
An Enhancement was made to help Customer Support more effectively assist customers needing help troubleshooting homegrown Adaptable scripts. Rationale: This is a troubleshooting usability feature that does not affect any of the security claims within the evaluation
The Trust Protection Platform can now be configured to authenticate to an SCIM server when setting up the CyberArk connector in the Venafi Configuration Console (VCC). Rationale: The feature concerns interaction with a 3rd party device which is not part of the TOE or the claimed security functionality
The rationale for the following software changes is that they are usability features that do not affect any of the security claims within the evaluation
The following bug fixes were judged to have a minor impact. They either do not impact functionality claims or are below the visibility of the SFR testing.
1. Previously, when there were many applications on a device (common with load balancers), both onboard and network validation could delay certificate provisioning (installation).
2. Locking ECC policy value correctly greys out the corresponding choices on policy subfolders.
3. Notification emails are not sent when the target user email contains a comma.
4. Aperture now displays both credentials when editing a certificate installation for Adaptable Applications.
5. You can now successfully provision when using OpenSSL 1.1.1 and with or without remote key generation (which had previously worked only without remote key generation).
6. Provisioning ACM-issued certificates to ALB/ELB/CF when CA templates are assigned by policy now works as expected.
7. When the target bundle does not exist, provisioning a trust store to an F5 device now functions as expected.
8. The Custom Report CSV format now contains the expected Device and Host Address.
9. When you validate a CA template using an invalid credential for Symantec MPKI, the "Object Reference Not Set" error no longer occurs.
10. Effective Revocation Date for Microsoft CA certificate now correctly matches Revocation Date. CAPI no longer fails onboard validation if hostname set and SNI are not enabled for binding.
11. F5 onboard discovery now finds certificates with no extension.
12. AppCAPI.lsc now references the correct parameter for error message.
13. Disabled attributes are no longer manipulated when saving a project.
14. Correct number of certificates now shown on all widgets on the User and Client Device dashboard.
15. User Agent no longer ignores the "Archived" flag when checking if the certificate is already present in CAPI before provisioning.
16. Different Windows versions are no longer reporting different User Agent headers, thereby allowing the VEDSCEP logic to detect Windows NDES clients.
17. Certificate Grid Revocation filter in WebAdmin now functions correctly with "!=" (NOT operator).
18. Discovery Zones is no longer stuck in Pending Execution state with multiple Management Servers.
19. Active Directory (AD) wizard can’t complete if domains unreachable.
20. Incorrect password caused Active Directory (AD) wizard to finish. Wizard had to be restarted.
21. Enumeration of installed policy in Aperture is slow when adding a new installation to a certificate.
22. Unable to adjust frequency of recovery to improve performance.
23. CertificateRepair.lsc is not included in the 19.3 MSI.
24. Global Catalog is removed from summary in Identity wizard if it is not a selected Domain Controller.
25. Custom Report Wizard in Aperture now saves edited columns.
26. Report Started and Completed events are now logged, and marked as Deprecated.
27. SSH Discovery delivery of sshd_config no longer incorrectly logs debug message "No response" when no response is the correct behavior.
28. Users can no longer see keysets if they have either Read OR View (not View AND Read) permissions.
29. Keyset is no longer "In Policy" after removing the keyset object from WebAdmin.
30. Changing passphrase for encrypted PK with .pub part now works properly.
31. Device placement from Network Discovery now adds devices that were previously placed and removed.
32. "SSH Authorized Users Report" export now inputs values into the correct columns.
33. Long URLs no longer break custom reports.
34. Adaptable workflow no longer forces workflows to be evaluated and executed one at a time, resulting in faster performance.
35. There is now a dedicated Aperture event for retiring a certificate.
36. Private Key Vault ID is now restored to Cert Object when you have to reset in WebAdmin or Cancel in Aperture during cert renewal.
37. Approval is completed while approval workflow is at Stage 100 in Aperture.
38. Environment certificate status shows “Out of Sync.”
39. Results are able to be exported from Applications View Tab with 1000 or more apps.
40. Locked adaptable application credential not enforced by policy.
41. certbot no longer throws "Invalid key authorization" error when communicating with an ACME server.
42. Certificate Status for Revocation is not updating when revocation has taken place.
43. A renewed certificate name (CN) differed between the API call and the name from the CA.
44. GET Certificates and HEAD Certificates can now return multiple Management Types in the same API call.