EPAM-B2BITS products for Capital Markets
Page tree
Skip to end of metadata
Go to start of metadata

Overview

This article describes how to configure SSL for FIX session.

Configuration is available for FIXEdge installations on both Windows and Linux starting from FIX Antenna C++/.NET version 2.13.0 and FIXEdge version 5.9.0.

Prepare a certificate and private key for FIXEdge

The following instruction shows how to use a self-signed certificate in FIXEdge. If a certificate is ready the generation step can be skipped.

  1. Create self-signed SSL certificate via open SSL using the following instructions:

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -days XXX -keyout key.pem

  2. Copy the created certificate and key to FIXEdge/FixEdge1/conf folder (or any other one).

Configure SSL Initiator in FIXEdge

Add the following properties to your FIX session in FIXEdge.properties file pointing to certificate storage determined on the previous step:

FIXEdge supports pem, pfx (since version 6.8), and der (since version 6.8) certificates for Iniciator sessions.

minimal configuration

FixLayer.FixEngine.Sessions = FIXInitiator

FixLayer.FixEngine.Session.FIXInitiator.Version = FIX44
FixLayer.FixEngine.Session.FIXInitiator.Role = Initiator
FixLayer.FixEngine.Session.FIXInitiator.SenderCompID = FIXEdge
FixLayer.FixEngine.Session.FIXInitiator.TargetCompID = Target
FixLayer.FixEngine.Session.FIXInitiator.Host = *** remote host requiring SSL ****
FixLayer.FixEngine.Session.FIXInitiator.Port = *** remote port ****
FixLayer.FixEngine.Session.FIXInitiator.HBI = 10

# **** SSL specific configuration *****
FixLayer.FixEngine.Session.FIXInitiator.SSL = true 
# SSL protocol(s) to be used (comma separated list). Supported valid values: SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2.
FixLayer.FixEngine.Session.FIXInitiator.SSLProtocols = TLSv1_1, TLSv1_2 
FixLayer.FixEngine.Session.FIXInitiator.SSL = true


full configuration with a certificate and private key

FixLayer.FixEngine.Sessions = FIXSession
FixLayer.FixEngine.Session.FIXSession.Version = FIX44
FixLayer.FixEngine.Session.FIXSession.Role = Initiator
FixLayer.FixEngine.Session.FIXSession.SenderCompID = SID
FixLayer.FixEngine.Session.FIXSession.TargetCompID = TID
FixLayer.FixEngine.Session.FIXSession.SenderSubID = SSUB
FixLayer.FixEngine.Session.FIXSession.TargetSubID = TSUB
FixLayer.FixEngine.Session.FIXSession.Host = *** remote host requiring SSL ****
FixLayer.FixEngine.Session.FIXSession.Port = *** remote port ****
FixLayer.FixEngine.Session.FIXSession.HBI = 10
# Other session parameters are intentionally omited
# **** SSL specific configuration *****
FixLayer.FixEngine.Session.FIXSession.SSL = true 
FixLayer.FixEngine.Session.FIXSession.SSLCheckPrivateKey = true
# Path to SSL certificate 
FixLayer.FixEngine.Session.FIXSession.SSLCertificate = C:/B2BITS/FIXEdge/FixEdge2/conf/cert.pem
# Path to SSL private key. Parameter is optional. 
# If it is omitted Engine tries to load private key from the same file as SSLCertificate parameter states. 
FixLayer.FixEngine.Session.FIXSession.SSLPrivateKey = C:/B2BITS/FIXEdge/FixEdge2/conf/key.pem
# SSL protocol(s) to be used (comma separated list). Supported valid values: SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2.
FixLayer.FixEngine.Session.FIXSession.SSLProtocols = SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2 

See also:

Configure SSL Acceptors in FIXEdge

All FIXEdge acceptors are listening to the connections on ListenSSLPort defined in the engine.properties and use mutual configuration.

FIXEdge supports  pem, pfx (since version 6.7), and der  (since version 6.7) certificates for Acceptor sessions.

engine.properties
ListenSSLPort = 8905
SSLCertificate = FIXEdge1/conf/cert.pem
SSLPrivateKey = FIXEdge1/conf/key.pem
SSLProtocols = TLSv1_2

Optionally non-secure connections can be restricted for a specific session set SSL session property to true in FIXEdge.properties

FIXEdge.properties 
FixLayer.FixEngine.Sessions = SSLAcceptor

FixLayer.FixEngine.Session.SSLAcceptor.Version = FIX44
FixLayer.FixEngine.Session.SSLAcceptor.Role = Acceptor
FixLayer.FixEngine.Session.SSLAcceptor.SenderCompID = FIXEDGE
FixLayer.FixEngine.Session.SSLAcceptor.TargetCompID = CLIENT
FixLayer.FixEngine.Session.SSLAcceptor.SSL = true

A full list of supported parameters can be found here: Using SSL in acceptor.

Configure Ciphers for SSL Acceptors in FIXEdge

The cipher list can be defined in the engine.properties see Ciphers configuration in FIX Antenna C++ based applications for details

engine.properties
SSLCiphersList = AES+aRSA:AES+aECDH:AES+aECDSA:@STRENGTH
  • No labels