Overview
This article describes how to configure SSL for a FIX session.
Configuration is available for FIXEdge installations on both Windows and Linux starting from FIX Antenna C++/.NET version 2.13.0 and FIXEdge version 5.9.0.
Prepare a certificate and private key for FIXEdge
The following instructions show how to use a self-signed certificate in FIXEdge. If a certificate is already available, the generation step can be skipped.
Create a self-signed SSL certificate with OpenSSL using the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -days XXX
Copy the created certificate and key to the FIXEdge/FixEdge1/conf folder (or any other one).
Configure SSL Initiator in FIXEdge
Add the following properties to your FIX session in the FIXEdge.properties file, pointing to the certificate location chosen in the previous step:
FIXEdge supports pem, pfx (since version 6.8), and der (since version 6.8) certificates for Initiator sessions.
Minimal configuration
FixLayer.FixEngine.Sessions = FIXInitiator
FixLayer.FixEngine.Session.FIXInitiator.Version = FIX44
FixLayer.FixEngine.Session.FIXInitiator.Role = Initiator
FixLayer.FixEngine.Session.FIXInitiator.SenderCompID = FIXEdge
FixLayer.FixEngine.Session.FIXInitiator.TargetCompID = Target
FixLayer.FixEngine.Session.FIXInitiator.Host = *** remote host requiring SSL ****
FixLayer.FixEngine.Session.FIXInitiator.Port = *** remote port ****
FixLayer.FixEngine.Session.FIXInitiator.HBI = 10
# **** SSL specific configuration *****
FixLayer.FixEngine.Session.FIXInitiator.SSL = true
# SSL protocol(s) to be used (comma separated list). Supported valid values: SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2.
FixLayer.FixEngine.Session.FIXInitiator.SSLProtocols = TLSv1_1, TLSv1_2
Full configuration with a certificate and private key
Configure SSL Acceptors in FIXEdge
All FIXEdge acceptors listen for connections on the ListenSSLPort defined in engine.properties and use a mutual configuration.
FIXEdge supports pem, pfx (since version 6.7), and der (since version 6.7) certificates for Acceptor sessions.
ListenSSLPort = 8905
SSLCertificate = FIXEdge1/conf/cert.pem
SSLPrivateKey = FIXEdge1/conf/key.pem
SSLProtocols = TLSv1_2
Optionally, non-secure connections can be restricted for a specific session: set the SSL session property to true in FIXEdge.properties.
A full list of supported parameters can be found here: Using SSL in acceptor.
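An added example, not part of FIXEdge or the original page: a small Python check that reads properties text using the keys shown above and reports sessions without SSL = true or with protocols older than TLSv1_2 enabled. The sample input, the session name Legacy, the comma-separated Sessions list and the policy of treating SSLv2, SSLv3, TLSv1 and TLSv1_1 as weak (TLS 1.0 and 1.1 were deprecated by RFC 8996) are assumptions of this example.

```python
# Added example: audit FIXEdge-style properties text for weak SSL settings.
# Property names are the ones shown on this page; sample text is constructed.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1"}  # policy assumed here
SESSION_PREFIX = "FixLayer.FixEngine.Session."

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_sessions(text):
    """Findings for each session named in FixLayer.FixEngine.Sessions."""
    props = parse_properties(text)
    findings = []
    for name in split_list(props.get("FixLayer.FixEngine.Sessions", "")):
        base = SESSION_PREFIX + name
        if props.get(base + ".SSL", "").lower() != "true":
            findings.append((name, "SSL is not set to true"))
            continue
        for proto in split_list(props.get(base + ".SSLProtocols", "")):
            if proto in WEAK_PROTOCOLS:
                findings.append((name, "weak protocol enabled: " + proto))
    return findings

def audit_engine(text):
    """Findings for the acceptor-wide SSLProtocols in engine.properties."""
    protocols = split_list(parse_properties(text).get("SSLProtocols", ""))
    return ["weak acceptor protocol enabled: " + p
            for p in protocols if p in WEAK_PROTOCOLS]

# Constructed sample input; "Legacy" is a hypothetical session name.
SAMPLE_FIXEDGE = """
FixLayer.FixEngine.Sessions = FIXInitiator, Legacy
FixLayer.FixEngine.Session.FIXInitiator.SSL = true
FixLayer.FixEngine.Session.FIXInitiator.SSLProtocols = TLSv1_1, TLSv1_2
FixLayer.FixEngine.Session.Legacy.Role = Acceptor
"""
SAMPLE_ENGINE = "ListenSSLPort = 8905\nSSLProtocols = TLSv1_2\n"

if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_FIXEDGE) + audit_engine(SAMPLE_ENGINE):
        print(finding)
```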
Configure Ciphers for SSL Acceptors in FIXEdge
The cipher list can be defined in engine.properties; see Ciphers configuration in FIX Antenna C++ based applications for details.
SSLCiphersList = AES+aRSA:AES+aECDH:AES+aECDSA:@STRENGTH