
Introduction

To configure an SSL connection between a server and a client, you need an SSL certificate and a private key. Once you have them, you can configure FIXEdge so that the SSL connection between the server and client(s) can be established.

How to get SSL certificate and private key

There are two ways to get the SSL certificate and the private key:

  1. Create a self-signed SSL certificate and private key via OpenSSL.
    Instructions for creating such a certificate and key are here: How to configure built-in SSL support for FIX session in FIXEdge
    This type of certificate is suitable only for a testing period, because most clients don't trust self-signed certificates.
  2. Prepare a Certificate Signing Request (CSR) for a Certificate Authority (CA), for example, "DigiCert".
    To do this, create the private key file and then generate the CSR.
    You can find the instructions here: https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/

    During this process you have to provide the following information for the CA:
    1. commonName (for example, “CN=B2BITS”)

    2. organizationalUnitName (for example, “OU=Dev”)

    3. organizationName (for example, “O=EPAM Systems”)

    4. localityName (for example, “L=Newtown”)

    5. stateOrProvinceName - should not be abbreviated (for example, “S=Pennsylvania”)

    6. countryName - two-letter ISO code for the country where your organization is located (for example, “C=US”)

    7. emailAddress - an email address to contact the organization, usually the email address of the certificate administrator or IT department

    The CA will create the SSL certificate based on the provided information. After that, install this certificate on your server.

Do not forget to back up your private key and certificate in a secure place. Share the private key only with entitled personnel.

How to validate the SSL certificate

After you get the certificate, you can check all of its information by running the following command from the folder where the certificate is located:

openssl x509 -in cert.pem -text

where cert.pem is the certificate file name.

You will see the following information:

openssl x509 -in cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11159143049149737040 (0x9add3d7ac256e850)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=PA, L=Newtown, O=EPAM Systems, OU=Dev
        Validity
            Not Before: Oct 19 14:46:36 2015 GMT
            Not After : Oct 18 14:46:36 2016 GMT
        Subject: C=US, ST=PA, L=Newtown, O=EPAM Systems, OU=Dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                61:6F:72:A0:D0:99:36:0D:E3:89:8B:53:7A:4F:12:75:01:CA:E4:B3
            X509v3 Authority Key Identifier:
                keyid:61:6F:72:A0:D0:99:36:0D:E3:89:8B:53:7A:4F:12:75:01:CA:E4:B3
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

How to validate the private key

To check the private key, use the following command:

openssl rsa -in key.pem -check

where key.pem is the private key file name.

You will see the following information:

openssl rsa -in key.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
<actual key here>
-----END RSA PRIVATE KEY-----

The certificate and the private key can be merged into one file (for example, cert.pem).
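
The checks above inspect the certificate and the key one at a time; before configuring FIXEdge it is also worth confirming that the two belong together and that the certificate is not about to expire. The following shell script is an added example, not part of the original article or of FIXEdge; the function names, the CN value and the throwaway files it generates are constructed for illustration. It compares only public keys, so no private key material is printed.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a certificate/private key pair.

# Succeeds only if the certificate's public key equals the one derived from
# the private key. Returns 2 if either file cannot be read or parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed pair valid for 30 days,
# plus an unrelated key that must NOT match the certificate.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=fixedge.example.test" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.pem" 2>/dev/null

cert_key_match "$demo_dir/cert.pem" "$demo_dir/key.pem" \
    && echo "cert.pem matches key.pem"
cert_key_match "$demo_dir/cert.pem" "$demo_dir/other.pem" \
    || echo "cert.pem does NOT match other.pem"
cert_valid_for_days "$demo_dir/cert.pem" 7 \
    && echo "certificate is valid for at least 7 more days"
cert_valid_for_days "$demo_dir/cert.pem" 60 \
    || echo "certificate expires within 60 days"
```

To check a real pair, call `cert_key_match cert.pem key.pem` and `cert_valid_for_days cert.pem 30` with your own files instead of the generated ones.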

Types of SSL protocols

There are several SSL/TLS protocol versions. FIXEdge supports SSL v2.0, SSL v3.0, TLS v1.0, TLS v1.1 and TLS v1.2. By default, only the TLS v1.0, TLS v1.1 and TLS v1.2 protocols are enabled in FIXEdge.

It's highly recommended to use the TLS v1.1 or TLS v1.2 protocol, because the SSL protocol versions were deprecated (see: Deprecating SSL v3.0).

The recommended TLS 1.1 and TLS 1.2 protocols are supported only by OpenSSL version 1.0.1 and higher (see: https://www.openssl.org/news/changelog.html).

How to configure FIXEdge

The article that describes how to configure FIXEdge for an SSL connection can be found here: How to configure built-in SSL support for FIX session in FIXEdge
