This article describes how to configure SSL for a FIX session.

Configuration is available for FIXEdge installations on both Windows and Linux starting from FIX Antenna C++/.NET version 2.13.0 and FIXEdge version 5.9.0.

Prepare a certificate and private key for FIXEdge

The following instructions show how to use a self-signed certificate in FIXEdge. If a certificate is already available, the generation step can be skipped.

  1. Create a self-signed SSL certificate with OpenSSL using the following command:

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -days XXX
  2. Copy the created certificate and key to the FIXEdge/FixEdge1/conf folder (or any other one).

Configure SSL Initiator in FIXEdge

Add the following properties to your FIX session in the FIXEdge.properties file, pointing to the certificate location chosen in the previous step:

FIXEdge supports pem, pfx (since version 6.8), and der (since version 6.8) certificates for Initiator sessions.

minimal configuration

FixLayer.FixEngine.Sessions = FIXInitiator

FixLayer.FixEngine.Session.FIXInitiator.Version = FIX44
FixLayer.FixEngine.Session.FIXInitiator.Role = Initiator
FixLayer.FixEngine.Session.FIXInitiator.SenderCompID = FIXEdge
FixLayer.FixEngine.Session.FIXInitiator.TargetCompID = Target
FixLayer.FixEngine.Session.FIXInitiator.Host = *** remote host requiring SSL ****
FixLayer.FixEngine.Session.FIXInitiator.Port = *** remote port ****
FixLayer.FixEngine.Session.FIXInitiator.HBI = 10

# **** SSL specific configuration *****
FixLayer.FixEngine.Session.FIXInitiator.SSL = true
# SSL protocol(s) to be used (comma separated list). Supported valid values: SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2.
FixLayer.FixEngine.Session.FIXInitiator.SSLProtocols = TLSv1_1, TLSv1_2

full configuration with a certificate and private key

FixLayer.FixEngine.Sessions = FIXSession
FixLayer.FixEngine.Session.FIXSession.Version = FIX44
FixLayer.FixEngine.Session.FIXSession.Role = Initiator
FixLayer.FixEngine.Session.FIXSession.SenderCompID = SID
FixLayer.FixEngine.Session.FIXSession.TargetCompID = TID
FixLayer.FixEngine.Session.FIXSession.SenderSubID = SSUB
FixLayer.FixEngine.Session.FIXSession.TargetSubID = TSUB
FixLayer.FixEngine.Session.FIXSession.Host = *** remote host requiring SSL ****
FixLayer.FixEngine.Session.FIXSession.Port = *** remote port ****
FixLayer.FixEngine.Session.FIXSession.HBI = 10
# Other session parameters are intentionally omitted
# **** SSL specific configuration *****
FixLayer.FixEngine.Session.FIXSession.SSL = true 
FixLayer.FixEngine.Session.FIXSession.SSLCheckPrivateKey = true
# Path to SSL certificate 
FixLayer.FixEngine.Session.FIXSession.SSLCertificate = C:/B2BITS/FIXEdge/FixEdge2/conf/cert.pem
# Path to SSL private key. Parameter is optional. 
# If it is omitted Engine tries to load private key from the same file as SSLCertificate parameter states. 
FixLayer.FixEngine.Session.FIXSession.SSLPrivateKey = C:/B2BITS/FIXEdge/FixEdge2/conf/key.pem
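# SSL protocol(s) to be used (comma separated list). Supported valid values: SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2.
# This example enables every supported value. SSLv2, SSLv3, TLSv1 and TLSv1_1 are deprecated
# (RFC 6176, RFC 7568, RFC 8996); list only the versions the counterparty requires.
FixLayer.FixEngine.Session.FIXSession.SSLProtocols = SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2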

Configure SSL Acceptors in FIXEdge

All FIXEdge acceptors listen for connections on the ListenSSLPort defined in engine.properties and use mutual configuration.

FIXEdge supports pem, pfx (since version 6.7), and der (since version 6.7) certificates for Acceptor sessions.

ListenSSLPort = 8905
SSLCertificate = FIXEdge1/conf/cert.pem
SSLPrivateKey = FIXEdge1/conf/key.pem
SSLProtocols = TLSv1_2

Optionally, non-secure connections can be restricted for a specific session: set the SSL session property to true in FIXEdge.properties.

FixLayer.FixEngine.Sessions = SSLAcceptor

FixLayer.FixEngine.Session.SSLAcceptor.Version = FIX44
FixLayer.FixEngine.Session.SSLAcceptor.Role = Acceptor
FixLayer.FixEngine.Session.SSLAcceptor.SenderCompID = FIXEDGE
FixLayer.FixEngine.Session.SSLAcceptor.TargetCompID = CLIENT
FixLayer.FixEngine.Session.SSLAcceptor.SSL = true 

A full list of supported parameters can be found here: Using SSL in acceptor.
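
The session properties shown in this article can be checked mechanically before a configuration is deployed. The script below is an added example, not part of the original article or of FIXEdge itself: it reads FIXEdge.properties text, reports sessions whose SSL property is not true, and reports SSLProtocols values that the IETF has deprecated. The function names and the Plain session in the sample input are assumptions made for illustration.

```python
import re
from collections import defaultdict

# SSLProtocols values listed in this article that the IETF has deprecated:
# SSLv2 (RFC 6176), SSLv3 (RFC 7568), TLSv1 and TLSv1_1 (RFC 8996).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1"}
SESSION_KEY = re.compile(r"^FixLayer\.FixEngine\.Session\.([^.]+)\.(\w+)$")

def parse_sessions(text):
    """Return {session_name: {property: value}} from FIXEdge.properties text."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = SESSION_KEY.match(key)
        if m:
            sessions[m.group(1)][m.group(2)] = value
    return dict(sessions)

def audit(text):
    """Return a sorted list of (session, finding) tuples (hypothetical helper)."""
    findings = []
    for name, props in parse_sessions(text).items():
        if props.get("SSL", "").lower() != "true":
            findings.append((name, "SSL is not enabled"))
            continue
        protocols = {p.strip() for p in props.get("SSLProtocols", "").split(",")}
        legacy = sorted(LEGACY & protocols)
        if legacy:
            findings.append((name, "legacy protocols enabled: " + ", ".join(legacy)))
    return sorted(findings)

# Constructed sample input modelled on the session blocks in this article;
# the "Plain" session is invented to show a session without SSL.
SAMPLE = """\
FixLayer.FixEngine.Sessions = FIXSession, SSLAcceptor, Plain
FixLayer.FixEngine.Session.FIXSession.Role = Initiator
FixLayer.FixEngine.Session.FIXSession.SSL = true
FixLayer.FixEngine.Session.FIXSession.SSLProtocols = SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2
FixLayer.FixEngine.Session.SSLAcceptor.Role = Acceptor
FixLayer.FixEngine.Session.SSLAcceptor.SSL = true
FixLayer.FixEngine.Session.Plain.Role = Acceptor
FixLayer.FixEngine.Session.Plain.SenderCompID = FIXEDGE
"""

if __name__ == "__main__":
    for session, finding in audit(SAMPLE):
        print(f"{session}: {finding}")
```

Acceptor sessions take their protocol list from engine.properties, so the script does not treat a missing session-level SSLProtocols as a finding.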

Configure Ciphers for SSL Acceptors in FIXEdge

The cipher list can be defined in engine.properties; see Ciphers configuration in FIX Antenna C++ based applications for details.
