Posted to users@cxf.apache.org by "Hart, Andrew B." <AH...@Akimeka.com> on 2013/08/19 16:29:17 UTC
MSCAPI for FIPS 140-2 validated web services?
I have been looking into FIPS 140-2 compliance for our web services for some time and running into dead-ends.
The dead-ends I arrive at are because I am constrained to use Windows as the operating system and 64-bit Java. There is no 64-bit binary version of NSS available; the last binary downloads for NSS were 3.12.4 and those Windows binaries are 32-bit. I could try to download the NSS source and build it in 64-bit mode, but that is still labeled "experimental", and wouldn't be a FIPS 140-2 *validated* solution anyway. If we were running Solaris or Linux, this wouldn't be an issue.
And, apparently, purchasing a FIPS 140-2 module like RSA's BSAFE is not an option for the company either.
Another option that has been floated is using MSCAPI, which would use the native crypto libs for Windows. I see a few examples on how to programmatically get certs or sign or encrypt, but don't have the foggiest notion of how I would go about integrating this with CXF and WSS4J. Additionally, I have read that there are issues with obtaining private keys in MSCAPI: e.g., the native Windows layer will pop up its own GUI prompting for private key passwords.
So, my questions are these:
Has anyone used MSCAPI or CNG to do the signing and encryption in CXF or WSS4J?
Can anyone relate how they went about addressing FIPS 140-2 requirements for web services? (I actually need to address it across the entire web application, not just the web services.)
Regards, and TIA for any replies...