Certified Product: CA Technologies CA API Gateway v9.2

CA Technologies CA API Gateway v9.2 (hereafter referred to as the Target of Evaluation, or TOE), from CA Technologies, was the subject of a Common Criteria evaluation performed by the Common Criteria Evaluation Facility at EWA-Canada. The evaluation was completed in October 2017.

The TOE is an enterprise API Management and security solution that provides centralized API management and access control over SOAP web service APIs. The TOE controls how APIs are exposed to and accessed by external client applications.

The TOE comprises two main components:

  • Policy Manager. A GUI application that provides the user with the primary administrative interface to the Gateway. The Policy Manager is used to construct policies and administer the TOE; and
  • Gateway. One or more hardware or virtual appliances that enforce policy assertions to control web services. Basic configuration is performed using the Gateway Configuration Utility – a menu-based Command Line Interface. The Gateway consumes policies defined by the Policy Manager, which also provides the primary administrative interface.

The scope of this evaluation is defined in the Security Target, which identifies assumptions made during the evaluation, the intended environment for the TOE, the security requirements to be met, and the level of confidence to which it is asserted that the TOE satisfies its IT security requirements.

The evaluation of the TOE determined that this Information Technology (IT) product implements the security functional requirements specified in the Security Target, and satisfies the requirements of Exact conformance to the following two protection profiles:

  • Standard Protection Profile for Enterprise Security Management Policy Management, v2.1, 24 October 2013 (ESM Policy Manager PP); and
  • Standard Protection Profile for Enterprise Security Management Access Control, v2.1, 24 October 2013 (ESM Access Control PP) – Architectural Variation: Web Based Access Control.

Consumers are advised to carefully review the Certification Report to gain an understanding of the security functionality, the evaluated configuration, and the intended operating environment for the TOE.