I have been looking into FIPS 140-2 compliance for our web services for some 
time and running into dead-ends.

The dead-ends I arrive at are because I am constrained to use Windows as the
operating system and 64-bit Java. There is no 64-bit binary version of NSS
available; the last binary downloads for NSS were 3.12.4 and those Windows
binaries are 32-bit. I could try to download the NSS source and build it in
64-bit mode, but that is still labeled "experimental", and wouldn't be a FIPS
140-2 *validated* solution anyway. If we were running Solaris or Linux, this
wouldn't be an issue.

And, apparently, purchasing a FIPS 140-2 module like RSA's BSAFE is not an
option for the company either.

Another option that has been floated is using MSCAPI, which would use the
native crypto libs for Windows. I see a few examples on how to
programmatically get certs or sign or encrypt, but don't have the foggiest
notion of how I would go about integrating this with CXF and WSS4J.
Additionally, I have read that there are issues with obtaining private keys in
MSCAPI: e.g., the native Windows layer will pop up its own GUI prompting for
private key passwords.

So, my questions are these:

Has anyone used MSCAPI or CNG to do the signing and encryption in CXF or WSS4J?

Can anyone relate how they went about addressing FIPS 140-2 requirements for
web services? (I actually need to address it across the entire web
application, not just the web services.)

Regards, and TIA for any replies...
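As an added example (not code from the original post, nor from the CXF or WSS4J projects), this is how the SunMSCAPI provider that ships with the Windows JDK exposes a key in the user's personal certificate store to Java, alongside the properties that hand the same store to WSS4J's Merlin Crypto implementation instead of a JKS file. The alias, the availability of SHA256withRSA in the JDK in use, and Merlin accepting a keystore with no file path are assumptions to check against your own versions.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Properties;

public class MscapiSigningDemo {
    // Hypothetical alias: for "Windows-MY" this is the certificate's friendly name in the store.
    static final String ALIAS = "my-service-cert";

    static byte[] signWithMscapi(byte[] data) throws Exception {
        // "Windows-MY" is the current user's personal store; SunMSCAPI backs it with CAPI.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);            // no file and no password: CAPI owns the key material

        // The password argument is ignored. If the key was imported with strong private key
        // protection, CAPI raises its own GUI prompt at this point (the behaviour the post mentions).
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);

        // The key object is a CAPI handle, not raw key bytes, so the Signature must also
        // come from SunMSCAPI; other providers cannot use it.
        Signature signer = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
        signer.initSign(key);
        signer.update(data);
        byte[] signature = signer.sign();

        // Self-check with the default provider to confirm the output is interoperable.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        if (!verifier.verify(signature)) {
            throw new IllegalStateException("MSCAPI signature failed verification");
        }
        return signature;
    }

    // Merlin properties (WSS4J 1.x names) that point WS-Security signing at the same store.
    // Assumption: the Merlin in your WSS4J version tolerates the absent keystore.file entry.
    static Properties merlinProperties() {
        Properties p = new Properties();
        p.setProperty("org.apache.ws.security.crypto.provider",
                      "org.apache.ws.security.components.crypto.Merlin");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "Windows-MY");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.provider", "SunMSCAPI");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.alias", ALIAS);
        return p;
    }
}
```

Whether this meets FIPS 140-2 depends on the Windows CSP the key lives in and its validation status, not on the Java side; the JDK provider is only a bridge to it.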