To configure an SSL connection between server and client, you need an SSL certificate and a private key. Once you have them, you can configure FIXEdge so that the SSL connection between the server and client(s) can be established.
Types of SSL protocols
There are several SSL protocol versions. FIXEdge supports SSL v2.0, SSL v3.0, TLS v1.0, TLS v1.1 and TLS v1.2. By default, only the TLS v1.0, TLS v1.1 and TLS v1.2 protocols are enabled in FIXEdge.
The recommended TLS 1.1 and TLS 1.2 protocols are supported only by OpenSSL version 1.0.1 and higher (see: https://www.openssl.org/news/changelog.html).
How to get SSL certificate and private key
There are two ways to get the SSL certificate and the private key:
- Create a self-signed SSL certificate and private key via OpenSSL.
  Instructions for creating such a certificate and key can be found here: SSL with self-signed certificates
  This type of certificate is suitable only for testing, because most clients don't trust self-signed certificates.
- Prepare a Certificate Signing Request (CSR) for a Certificate Authority (CA), for example, "DigiCert".
  To do this, create the private key file and then generate the CSR.
  You can find the instructions here: https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/
  During this process you have to provide the following information for the CA:
  - commonName (for example, “CN=B2BITS”)
  - organizationalUnitName (for example, “OU=Dev”)
  - organizationName (for example, “O=EPAM Systems”)
  - localityName (for example, “L=Newtown”)
  - stateOrProvinceName - should not be abbreviated (for example, “S=Pennsylvania”)
  - countryName - two-letter ISO code for the country where your organization is located (for example, “C=US”)
  - emailAddress - an email address to contact the organization, usually the email address of the certificate administrator or IT department
Do not forget to back up your private key and certificate in a secure place. Share the private key only with entitled personnel.
SSL with self-signed certificates
Self-signed certificates can be used in some cases (for testing purposes). Before creating certificates, make sure that the OpenSSL Toolkit is installed.
The OpenSSL project does not distribute any code in binary form, and does not officially recommend any specific binary distributions. An informal list of third-party products can be found on the wiki.
First, create a Certificate Authority (CA) certificate along with its private key. Use the following command file to generate the private key (line 1) and the CA root certificate (line 2) files that can be used to generate further certificates:
%1 - file name for certificate (.crt) and private key (.key);
%2 - common name (CN), can match the organization name for the CA certificate.
The CA certificate is used to create and sign other certificates.
Use the following command file to generate:
- Certificate (.crt),
- Private key (.key),
- Encrypted Private key (-enc.key),
- Certificate and Private key in .pfx format.
%1 - file name for certificate (.crt), private key (.key) and password used for encryption where required;
%2 - file name of CA certificate (.crt) and its private key (.key);
%3 - common name (CN), which defines the server name that will be used for the secure SSL connection. Your SSL certificate is valid only if the hostname matches the CN.
Server verification by the client and client verification by the server are both possible. Two CA certificates, and two certificates signed by those CA certificates respectively, are required to use verification on both sides at the same time. Both types of verification are supported by FIXEdge.
How to validate the SSL certificate
After you have obtained the certificate, you can check all the information about it from a command line opened in the folder where the certificate is placed:
where cert.pem is the certificate file name.
You will see the following information:
How to validate the private key
To check the private key, you can use the following command:
where privateKey.key is the private key file name.
You will see the following information:
The certificate and the private key can be merged into one file (for example, cert.pem).
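The procedure described above (test CA, server certificate signed by it, then validation) as an added shell example; it is not the command files from the original page or FIXEdge's own code. The function names, file names and CN values are assumptions made for illustration, and the checks go slightly beyond the page by confirming that the private key actually belongs to the certificate and that the certificate chains to the CA.

```shell
#!/bin/sh
# Added example, not FIXEdge's own command files. Paths, CNs and function
# names are constructed for illustration. Test use only: 30-day validity.

# make_test_pki DIR CA_CN SERVER_CN
# Writes ca.key/ca.crt (test CA) and server.key/server.crt (signed by it).
make_test_pki() {
    dir=$1; ca_cn=$2; srv_cn=$3
    mkdir -p "$dir" || return 1
    # CA private key, then self-signed CA root certificate
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 30 \
        -subj "/CN=$ca_cn" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server private key and CSR; the CN carries the server name clients check
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" -sha256 \
        -subj "/CN=$srv_cn" -out "$dir/server.csr" 2>/dev/null || return 1
    # Sign the CSR with the CA key
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 30 \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # Private keys readable by the owner only
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# chain_ok CA_CERT CERT: succeeds if CERT verifies against CA_CERT
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert KEY CERT: succeeds if both hold the same public key.
# Each extraction is checked separately so two failures never compare equal.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CERT: prints the subject common name of CERT
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}
```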
How to configure FIXEdge
The article that describes how to configure FIXEdge for an SSL connection can be found here: How to configure built-in SSL support for FIX session in FIXEdge