AxwayValidationAuthority SuiteSecure applications with PKIsafeguardsThe Federal Government relies on public keyinfrastructures (PKIs) to secure everything frommission-critical networks, to military facilities andpublic infrastructure, to multi-million dollar electronictransactions. Within these PKI environments,protecting high-value assets — whether sensitivedefense data, contractor communications, or militaryinstallations — requires both vigilance and diligence.Axway Validation Authority (VA) Suite offers acomprehensive, scalable, and reliable framework forreal-time validation of digital certificates and accesspermissions within PKI environments. VA Suiteis Certificate Authority (CA)-neutral and providessupport for multiple CAs, several different trustmodels, and CA-specific validation policies.axway.comAxway VA Suite is: Vigilant in determining whether people are who they say they are and if their digital certificates are validand current. Diligent in verifying which secure applications, networks, and locations the owner of a valid digital certificateis authorized to access at any given point in time.VA Suite key features and benefitsFor flexible and robustcertificate validation,Axway IdentityValidation Suite isCA-neutral andsupports all widelyadopted internationalsecurity standards andopen technologies:Next-generationcertificate validationIdentifying invalid orrevoked digitalcertificates is just thetip of the PKI iceberg.Beneath the surface, asecure PKI alsoneeds to: Certified to meet Common Criteria (EAL 3), FIPS 201, NIST PDVAL, FIPS140-2, and DoD JITC standards OCSP and SCVP compliant (RFC 2560, RFC 5055) Entrust-ready and IdenTrust-compliant Part of the IdenTrust, SWIFT Trust Act, BACS, and Global Trust Authorityfinancial trust infrastructures Interoperable with leading cryptographic hardware, including smart cardslike the DoD Common Access Card and the Federal Personal IdentityVerification Card or national eID-card, as well as products certified to FIPS140-2 Level 3 Know which applications and/or network locations a user is authorizedto access Enforce the user’s level of access and any agency policies that apply tothe user’s account Federate the user’s physical access rights across multiple buildings and/or geographic locations Provide visibility into the what, where, and when of each and everyinstance of the user’s physical and logical access
Standards supportSecure web and application serversOCSP (RFC 2560)IPv6 and IPv4SCVP (RFC 5055)Microsoft CAPIenabled desktopapplicationsMicrosoft CAPIenabled serverapplicationsSSL 3.0, TLS 1.2Oracle ApplicationServerIBM LotusDominoRedhatStrongholdApacheNetscape/SunBEA WebLogicX509v3 digital certificate formatCRLv2 and delta CRL revocation dataLDAP(S), FTP, HTTP(S) CRL retrievalDesktop validatorstandard editionDesktop validatorenterprise editionServer validatorSNMP and HTTPS administrationCARSA PKCS#1,#7,#10,#11RSA SHA-1, SHA-256. SHA-512 and MD5CRLMicrosoft Cryptographic APIECC prime 256,384ECCDSAValidation authorityrepeaterOCSP(no nonce)Axway Validation AuthoritySuite ComponentsValidation Authority Server. High-performance,multi-platform server that processes clientdigital certificate status queries using a variety ofprotocols, including OCSP, SCVP, CMP, and VACRLServer Validator. Flexible client application forvalidating digital certificates from the mostwidely used secure web servers and webapplication serversDesktop Validator. Flexible client application thatallows Microsoft Windows-based desktop andserver applications to validate digital certificatesvia the Microsoft Cryptographic API (CAPI)Validator Toolkits. Complete set of certificatevalidation functions, source code examples,and reference manuals that enables certificatevalidation integration into COTS or customapplications developed in C/C or Javaaxway.comDirectoryOCSP, SCVP and VACRL over HTTP(s)Validation authorityrepeaterOCSPFirewall orair gapCRLValidation authorityresponderHardware signingmodulePre-computedOCSP cacheAxway VA Suite Server-based Certificate Validation Protocol (SCVP) technologies let applications delegateboth revocation-checking and path validation to a trusted server in a single request.SCVP enables harvesting of an entity’s credentials for the full range of access rights, cross-validated acrossmultiple certificate chains by highly accredited certification issuers.The most widely deployed validator of digital certificatesAxway VA Suite is widely deployed across the DoD and other government agencies. It consists of severalcomponents that provide a flexible and robust certificate validation solution for both standard and customdesktop and server applications. These components can be used together or, leveraging open standards,integrated with existing solutions using OCSP or SCVP (RFC 5055).VA Suite offers cost-effective scalability across a wide range of operational environments, with supportfor caching and replication of revocation data, regardless of format. The Department of HomelandSecurity uses Axway VA for up to 350,000 users across its organization, helping secure and supportcross-agency collaboration.2
VA server key features and benefitsVA-to-VA mirroring(replication) Supports backup, load balancing, and failover by replicating the same certificate revocation data across a cluster ofVA ServersDistributed repeaterresponder caching Maintains a cache loaded with OCSP responses that are precomputed or dynamically built up by proxy client requests toa responder Supports non-OCSP clients or clients that want to maintain their own revocation data caches for backup and in low-bandwidthand non-real-time environments, such as Naval operations or first respondersRobust security andnon-repudiation Supports SSL-based communications with clients, digitally signed client requests/responses, and digitally signed XML logs andCRL archives, as well as SSL-based server administration Supports software, PKCS #11, and CAPI token-based hardware signing and encryption products from all leading vendorsVA ServerPrevent revoked credentials from being used forsecure email, smart card login, network access(including wireless), or other sensitive electronictransactions with VA Server — a sophisticated digitalcertificate status responder and the core of AxwayVA Suite.axway.comTo validate a digital certificate, a client applicationcan simply query the VA Server rather than performthe cumbersome task of obtaining and processingthe entire Certificate Revocation List (CRL) every timeit encounters a digital certificate. That’s becauseVA Server maintains a store of digital certificaterevocation data by obtaining the CRL from theissuing CA.Client applications can query VA Server using variousopen standard protocols (OCSP, SCVP, CMP, VACRL),allowing them to delegate the entire certificatevalidation operation — including path constructionand intermediate CA validation — to the VA Server.For tactical environments, or where bandwidthis limited, VA Server also supports protocols likeCompact CRL and VACRL. The server can convert3
CA-issued CRLs — which can be over 40 MB formature PKIs — into revocation data with a muchsmaller footprint.VA Server ValidatorServer validator and desktop validator key features and benefitsRobust security andnon-repudiationVA Server Validator is a flexible client application thatallows digital certificate validation on themost widely used secure web and application serversavailable on UNIX, Windows, and Apple platforms,including: Performs end-to-end certificate validation if one or more intermediate CAsare used and the validation policy requires a complete certificate chainvalidation Communicates securely with VA Server utilizing SSL/TLS and digitallysigns requests to VA Server for deployments requiring a high degree ofauditability and non-repudiation Apache Oracle Application ServerVA Server Validator uses the native interfaces ofthese web and application servers to add digitalcertificate validation functionality as part of theproduct’s PKI-based client authentication. Workingas a plug-in, VA Server Validator can query aVA Server (or any other standards-based digitalcertificate validation responder) or utilize a CRL todetermine the status of a digital certificate presentedby a client. Clients with revoked orexpired certificates are denied access to theserver or application. Processes CRL data from multiple CA or VA sources to support complextrust models and certificate policy controls for path processing andpolicy enforcement Supports cryptographic hardware via the standard PKCS #11 interface,including FIPS 140-2 Level 3 and 4, which can be used to accelerate digitalsigning and SSL/TLS operationsSeparate, configurablevalidation caches Provides in-memory repository of all certificate validation requests,regardless of the validation mechanism Supplies disk-resident CRL repository Improves performance and increases reliability in environments where theunderlying network is not always available Supports multiple sources of revocation information, including multipleVA Servers, via robust failover mechanismAutomatic configuration Supports automatic configuration using parameters obtained from theVA Server if the web or application server supports auto-configuration Facilitates large-scale application deploymentsaxway.com4
System SpecificationsVA Desktop ValidatorDelivery optionsVA Desktop Validator is a flexible client solutionthat allows digital certificate validation in the mostcommonly used Microsoft Windows-based desktopand server applications. VA Desktop Validatorintegrates seamlessly with any Microsoft CAPIcompliant client or server application.Software applicationPlatforms(64-bit support)Sun Solaris 10Red Hat Linux 5, 6Windows 2003, 2008, 2012, XP, Vistaand Windows 7Cryptographic hardware(FIPS 140-2 Levels 2, 3 &4)ThalesSafeNetAEP NetworksLoad balancersCisco CSS and CSMFoundry BigIronF5 Big IPResonate Dispatch Validates digital certificates encountered by PKIenabled Windows applications via CRL lookups orstandard protocol queries to a VA Server or otherOCSP or SCVP standards-based responder Provides high availability and can be remotelyinstalled, configured, and maintained usingapplications like Microsoft SMS, CA Unicenter,or Microsoft Active Directoryagency PKI-enabled applications like network andhandheld devices, physical security systems,and workflow applications.VA Validator Toolkits encapsulates the complexitiesof PKI digital certificate validation in a three-stepprocess that developers can implement througheasy-to-understand C/C and Java interfaces. VAValidator Toolkit for C/C is certified DOD JITC,IdenTrust, and FIPS 140-2 Level 1 compliant.These credentials save agencies and contractorsthe time and cost of additional testing andcertification. The VA Validator Java Toolkit usesthird-party Java security providers to executecryptographic functions. Supports single sign-on applications based ondigital certificates stored on smart cards like theDoD Common Access Card or Federal PIV card Facilitates secure workflow applications based ondigitally signed documents and secure email(S/MIME) messagesVA Validator ToolkitsVA Validator Toolkits supplies a complete setof certificate validation functions, source codeexamples, and reference manuals. The VA ValidatorToolkits can save development time and money forLearn how real-timePKI validation canbenefit your agencyLEARN uthorityCopyright Axway 2017. All Rights Reserved.axway.comAXWAY DS AXWAY-VA-SUITE EN 101217
VA Desktop Validator VA Desktop Validator is a flexible client solution that allows digital certificate validation in the most commonly used Microsoft Windows-based desktop and server applications. VA Desktop Validator integrates seamlessly with any Microsoft CAPI-compliant client or server application.