cxf-users mailing list archives

From "Hart, Andrew B." <>
Subject MSCAPI for FIPS 140-2 validated web services?
Date Mon, 19 Aug 2013 14:29:17 GMT
I have been looking into FIPS 140-2 compliance for our web services for some time and running
into dead-ends.

The dead-ends I arrive at are because I am constrained to use Windows as the operating system
and 64-bit Java. There is no 64-bit binary version of NSS available; the last binary downloads
for NSS were 3.12.4 and those Windows binaries are 32-bit. I could try to download the NSS
source and build it in 64-bit mode, but that is still labeled "experimental", and wouldn't
be a FIPS 140-2 *validated* solution anyway. If we were running Solaris or Linux, this wouldn't
be an issue.

And, apparently, purchasing a FIPS 140-2 module like RSA's BSAFE is not an option for the
company either.

Another option that has been floated is using MSCAPI, which would use the native crypto libs
for Windows. I see a few examples on how to programmatically get certs or sign or encrypt,
but don't have the foggiest notion of how I would go about integrating this with CXF and WSS4J.
Additionally, I have read that there are issues with obtaining private keys in MSCAPI: e.g.,
the native Windows layer will pop up its own GUI prompting for private key passwords.

So, my questions are these:

Has anyone used MSCAPI or CNG to do the signing and encryption in CXF or WSS4J?

Can anyone relate how they went about addressing FIPS 140-2 requirements for web services?
(I actually need to address it across the entire web application, not just the web services.)

Regards, and TIA for any replies...
