Table of Contents

Overview

...

  1. FIXEdge side. Establish SSL connection to LDAP service (out of scope)
  2. LDAP Service side. Accept connection from FIXEdge (out of scope)
  3. LDAP Service side. Accept connection from FIXICC-agent (out of scope)
  4. FIXICC-agent side. Establish SSL connection to LDAP service
  5. FIXEdge side. Accept SSL connection from FIXICC-agent
  6. FIXICC-agent side. Establish SSL connection to FIXEdge
  7. FIXICC-agent side. Accept SSL connections.
  8. FIXICC GUI side. Establish SSL connections.
  9. Enable SSL connections between FIXEdge and FIX-clients

FIXEdge uses OpenSSL for secure connections.

The FIXICC and FIXICC-agent packages include and run on JRE 1.8.x. The Java Virtual Machine determines which secure layer to use; in Java 8 it is TLS 1.2 by default.

Info
This article doesn't describe how to configure SSL connections on the LDAP and FIX session sides.

Enabling SSL/TLS connection in java applications (FIXICC GUI, FIXICC-agent)

In order to establish an SSL/TLS connection between two Java applications, one can use KeyStores and TrustStores:

  • A KeyStore is used for storing private keys and certificates. It's commonly used on the server side.
  • A TrustStore is used for storing trusted certificates and the public keys of trusted certificate authorities (CAs) and self-signed certificates. It's commonly used on the client side.

keytool is the official Java tool for key and certificate management. Here is an example of how to create these stores using keytool, which is part of the J2SE SDK (http://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html).

Manage KeyStores and TrustStores

...

Code Block
keytool -keystore fixiccKeystore.key -genkey -alias fixicc
Note:

sslKeystoreKeyAlias is case-sensitive, but keytool saves upper-case letters in the alias only when the parameter -storetype CaseExactJKS is given while creating the KeyStore.

The program will ask for certificate owner information and request a password for the KeyStore.
fixiccKeystore.key is the resulting KeyStore file.

...

The program will request the password <keystore_password> for fixiccKeystore.key, which was entered during the "Create KeyStore with the certificate" step.

Import certificate to TrustStore

...

FIXICC-agent side. Accept SSL connections.

Enable SSL connections in agent.properties:

Code Block (agent.properties)
AgentServerEnableSSL=true

...

FIXICC GUI side. Establish SSL connections.

Enable SSL connections in fixengine.properties:

Code Block (fixengine.properties)
enableSSL=true

...

FIXICC-agent side. Establish SSL connection to FIXEdge

Enable SSL initiator connections in fixengine.properties:

Code Block (fixengine.properties)
enableSSL=true

Set the remote port parameter in fixicc-agent to the SSL port configured in FIXEdge that should be used for the SSL connection (i.e. ListenSSLPort from engine.properties):

Code Block (agent.properties)
EngineProperty.AdminSessionPort = ListenSSLPort

Import the FIXEdge public certificate (see the SSLCertificate parameter value in engine.properties) into the TrustStore:

Code Block
keytool -import -file fixedge.crt -alias fixedgeSrv -keystore fixiccTrustStore.key

...

FIXEdge side. Accept SSL connection from FIXICC-agent

Enable SSL connections in engine.properties:

Code Block (engine.properties)
ListenSSLPort = 8905
SSLCertificate = FIXEdge1/conf/cert.pem
SSLPrivateKey = FIXEdge1/conf/key.pem
SSLProtocols = TLSv1_2

...

Info

For the key and cert files, please set the required privileges: FIXEdge installation with the principle of least privilege on Linux

For details please refer to:

...

FIXICC-agent side. Establish SSL connection to FIXEdge

Enable SSL initiator connections in fixengine.properties:

Code Block (fixengine.properties)
enableSSL=true

Import the FIXEdge public certificate (see the SSLCertificate parameter value in engine.properties) into the TrustStore:

Code Block
keytool -import -file fixedge.crt -alias fixedgeSrv -keystore fixiccTrustStore.key

...

FIXEdge side. Accept SSL connection from FIXICC-agent

Enable SSL connections in engine.properties:

Code Block (engine.properties)
ListenSSLPort = 8905
SSLCertificate = FIXEdge1/conf/cert.pem
SSLPrivateKey = FIXEdge1/conf/key.pem
SSLProtocols = TLSv1_2
Monitoring.ListenPort = 8905

...

Info

For the key and cert files, please set the required privileges: FIXEdge installation with the principle of least privilege on Linux

For details please refer to:

...

FIXICC-agent side. Establish SSL connection to LDAP service

Enable SSL initiator connections in fixengine.properties:

Code Block (fixengine.properties)
enableSSL=true

...

LDAP Service side. Accept connection from FIXICC-agent

Out of the scope of this article.

Enable SSL connections between FIXEdge and FIX-clients

...

If the FIX client application doesn't have SSL support, a proxy application such as stunnel can be used for it.

See an example of the configuration here: How to configure stunnel to enable SSL for FIX session#InitiatorFIXsession

Enable SSL connections between FIXEdge and LDAP service

Out of the scope of this article.

Troubleshooting

FIXICC-agent. SSL debugging

...

FIXEdge rejects SSL connection from FIXICC-agent

The administrative session from FIXICC-agent is rejected when it tries to connect over SSL to the SSL port, with the reason:

Code Block (FixEdge.log)
Administrative client is rejected: connect port of the client (8905) is different from expected (8900).

where:

It can be solved by removing or commenting out the property Monitoring.ListenPort in engine.properties, or by setting it equal to ListenSSLPort (see Enable SSL connections between FIXICC-agent and FIXEdge (Version2)).

Info

If Monitoring.ListenPort is removed (commented out), accepting administrative session connections on this port stops working. Non-SSL administrative sessions can connect to the ports given by the ListenPort parameter in engine.properties.
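A check for the port mismatch described above, added here as an example that is not part of the original article or of the FIXEdge product: it reads an engine.properties fragment (constructed for this example), flags a Monitoring.ListenPort that differs from ListenSSLPort, and extracts both ports from the FixEdge.log rejection line. The property names and the log line are the ones quoted on this page; the parser and the finding texts are assumptions of this example.

```python
import re
# Constructed engine.properties fragment reproducing the failing setup: FIXICC-agent
# connects to ListenSSLPort (8905) while Monitoring.ListenPort still points at 8900.
BAD_ENGINE_PROPERTIES = """\
ListenPort = 8900
ListenSSLPort = 8905
SSLCertificate = FIXEdge1/conf/cert.pem
SSLPrivateKey = FIXEdge1/conf/key.pem
SSLProtocols = TLSv1_2
Monitoring.ListenPort = 8900
"""

# Matches the FixEdge.log line quoted in the troubleshooting section.
REJECT_RE = re.compile(r"Administrative client is rejected: connect port of the client "
                       r"\((\d+)\) is different from expected \((\d+)\)")

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value'; lines starting '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def admin_port_findings(props):
    """Return findings about the admin-session port settings (empty list means consistent)."""
    findings = []
    ssl_port, mon_port = props.get("ListenSSLPort"), props.get("Monitoring.ListenPort")
    if ssl_port is None:
        findings.append("ListenSSLPort unset: FIXEdge has no SSL listener for FIXICC-agent")
    elif mon_port is not None and mon_port != ssl_port:
        findings.append(f"Monitoring.ListenPort={mon_port} differs from ListenSSLPort={ssl_port}: "
                        "SSL admin sessions from FIXICC-agent will be rejected")
    if mon_port is None:
        findings.append("Monitoring.ListenPort unset: non-SSL admin sessions only via ListenPort")
    return findings

def parse_rejection(log_line):
    """Return (client_port, expected_port) from the FIXEdge rejection line, else None."""
    m = REJECT_RE.search(log_line)
    return (int(m.group(1)), int(m.group(2))) if m else None

if __name__ == "__main__":
    for finding in admin_port_findings(parse_properties(BAD_ENGINE_PROPERTIES)):
        print("WARNING:", finding)
```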

An example of error output in FIXEdge or FIX Antenna logs:

...