Posted to users@cxf.apache.org by "Hart, Andrew B." <AH...@Akimeka.com> on 2013/08/19 16:29:17 UTC

MSCAPI for FIPS 140-2 validated web services?

I have been looking into FIPS 140-2 compliance for our web services for some time and running into dead-ends.

The dead-ends I arrive at are because I am constrained to use Windows as the operating system and 64-bit Java. There is no 64-bit binary version of NSS available; the last binary downloads for NSS were 3.12.4 and those Windows binaries are 32-bit. I could try to download the NSS source and build it in 64-bit mode, but that is still labeled "experimental", and wouldn't be a FIPS 140-2 *validated* solution anyway. If we were running Solaris or Linux, this wouldn't be an issue.

And, apparently, purchasing a FIPS 140-2 module like RSA's BSAFE is not an option for the company either.

Another option that has been floated is using MSCAPI, which would use the native crypto libs for Windows. I see a few examples on how to programmatically get certs or sign or encrypt, but don't have the foggiest notion of how I would go about integrating this with CXF and WSS4J. Additionally, I have read that there are issues with obtaining private keys in MSCAPI: e.g., the native Windows layer will pop up its own GUI prompting for private key passwords.

So, my questions are these:

Has anyone used MSCAPI or CNG to do the signing and encryption in CXF or WSS4J?

Can anyone relate how they went about addressing FIPS 140-2 requirements for web services? (I actually need to address it across the entire web application, not just the web services.)

Regards, and TIA for any replies...