{"id":1196,"date":"2009-08-12T23:57:21","date_gmt":"2009-08-13T04:57:21","guid":{"rendered":"http:\/\/www.coresecuritypatterns.com\/blogs\/?p=1196"},"modified":"2009-08-12T23:57:21","modified_gmt":"2009-08-13T04:57:21","slug":"enabling-java-with-fips-140-compliant-ssltls-solution","status":"publish","type":"post","link":"https:\/\/websecuritypatterns.com\/blogs\/2009\/08\/12\/enabling-java-with-fips-140-compliant-ssltls-solution\/","title":{"rendered":"Enabling FIPS-140 compliance for Java based SSL\/TLS applications"},"content":{"rendered":"

\"\"<\/a>FIPS-140* compliance\u00a0has gained overwhelming attention these days and it has\u00a0become a mandatory requirement for several security sensitive applications (mostly in Government and Security solutions and recently with select finance\u00a0industry solutions and particularly for achieving compliance with regulatory mandates such as PCI DSS, FISMA, HIPPA, etc\u00a0). FIPS-140 also helps defining security requirements for supporting integration with cryptographic hardware and software\u00a0tokens.\u00a0 Ensuring FIPS compliance\u00a0to Java based application security has been one of demanding needs of security enthusiasts but unfortunately neither Sun JCE or JSSE\u00a0is not yet\u00a0FIPS-140 certified – hopefully soon !\u00a0 Sun JDK 6 (and\u00a0above)\u00a0has also\u00a0introduced several enhancements including support for enabling FIPS-140 compliance for Sun JSSE using FIPS-140 certified cryptographic providers for supporting SSL\/TLS communication and associated cryptographic operations. To accomplish this, Java 6\u00a0uses the PKCS#11 support\u00a0for JSSE to integrate with PKCS#11 based FIPS-140 cryptographic token.<\/p>\n

\u00a0<\/p>\n

Lately I worked on a security solution using SunJSSE with NSS as a software cryptographic token… and here is my tipsheet for those keen on playing FIPS conformance with SunJSSE.<\/p>\n

\u00a0<\/p>\n