Environment requirements
Hardware
A physical or virtual server with:
- 2 core CPU
- 2Gb RAM
- 40G storage
Software
- FIXICC H2 machine:
  - RHEL 7 / RHEL 8
  - OpenJDK 1.8
  - Consul agent in client mode
- FIXEdge Cpp/Java machine:
  - Consul agent in client mode
- On the network:
  - PostgreSQL Database
    - 1 user with DDL privileges (to run the database migration, can also be used to run normal FIXICC H2 operation)
    - (Optional) 1 user without DDL privileges (to run normal FIXICC H2 operation)
  - Consul cluster (can be deployed on the same machines as FIXEdge Cpp/Java or FIXICC H2)
- Client workstations:
  - Chrome browser
Preconfiguration
Before you start working with the FIXICC H2, install and configure the FIX Engine and Consul application.
Consul configuration
To find the Consul installation instructions, please follow this link.
For non-production use, you can run the Consul in developer mode with the command:
consul agent -dev
For production use - please follow this link.
To configure the encrypted connection from FIXICC H2 to the Consul on the Consul side, please refer to this link.
FIXICC H2 settings
You should choose a directory on your workstation for FIXICC H2 files.
The FIXICC H2 instance is in the app.jar file. To complete the configuration, please create a local.app.properties file.
You can place the app.jar file for the FIXICC H2 application and local.app.properties (FIXICC H2 properties file) in the same directory, or store them separately.
Before you start your work, please set the database type for data storage.
The FIXICC H2 is compatible with PostgreSQL databases.
Please configure the FIXICC H2 according to the instance of the local.app.properties in your FIXICC H2 package, and set the following properties:
Name | Example value | Default Value | Description |
---|---|---|---|
*cuba.dbmsType | postgres | | Type of the RDBMS |
cuba.dataSourceProvider | application | | The value indicates that the data source must be configured using application properties |
*cuba.dataSource.username | C##CUBA | | The username for the database |
*cuba.dataSource.password | cuba | | The password for the database |
*cuba.dataSource.dbName | PTGSDB | | The database name |
*cuba.dataSource.host | 10.68.21.182 | | Host for the database |
*cuba.dataSource.port | 1521 | | Port for the database |
 | true | | This property enables the use of HTTPS |
 | 8501 | | The number of the port configured for the Consul |
 | false | | Allows accepting the Consul's insecure certificate. Setting it to "true" is not recommended in production mode. |
fixicch2.fixServerType | FIXEdge CPP | all | Configures the type of the server to work with. Allowed values: FIXEdge CPP, FIXEdge Java, any other value means two types of supported servers. |
* - marks a mandatory parameter
The following parameters can also be configured through the "Application Properties" page on FIXICC H2:
Name | Example value | Default Value | Description |
---|---|---|---|
fixicch2.fixServerType | FIXEdge CPP | all | Configures the type of server to work with. Allowed values: FIXEdge CPP, FIXEdge Java, any other value means two types of supported servers. |
fixicch2.maxTimeToWaitServerStatusUpdate | 10 | 10 | Configures (in minutes) the max time slot for updating the server status from the Consul. If there were no events during the period, the Consul sends the response. The maximum value is 10 minutes. |
fixicch2.metricsUpdatePeriod | 1 | 1 | Configures (in seconds) the period for requesting metrics from FIXEdge |
fixicch2.mode | production | production | Marks the instance of the FIXICC H2 |
fixicch2.notificationTimeZone | UTC | UTC | Specifies the time zone to display the time of the notification |
fixicch2.pauseToReconnect | 2000 | 2000 | Specifies the pause between reconnection attempts |
Notice: If parameters from the table above are configured in the local.app.properties file, the values from the file are applied regardless of any values changed through the "Application Properties" page.
Logging configuration
To configure the logging level for the FIXICC H2 application, please create a logback.xml file and put it in the same directory that the local.app.properties file is located in.
The logback.xml file is not mandatory.
For further information please refer to this link.
Start application
Start the FIXICC H2 from the command line with the following command:
java -Dapp.home=/opt/fixicch2-home -jar /opt/fixicch2/app.jar
This will start FIXICC H2 on port 8080. You can access it by browsing to http://fixicc-h2-machine:8080/app.
Where:
- "/opt/fixicch2-home" is the directory with the local.app.properties file, you should type the full path for the file;
- "/opt/fixicch2/" is the directory with the app.jar file, you should type the full path for the file.
Changing FIXICC H2 port
To run FIXICC H2 on another HTTP port, you need to specify the fixicch2.http_port Java system property. For example, to run FIXICC H2 on port 9090, start it from the command line with the following command:
java -Dapp.home=/opt/fixicch2-home -Dfixicch2.http_port=9090 -jar /opt/fixicch2/app.jar
HTTPS support
To run FIXICC H2 with HTTPS support, you need to provide it with a key store and a trust store in JKS format. For production installations, you need to create the JKS from the certificate and private key provided by a trusted certificate authority.
For testing purposes, you can generate a self-signed certificate yourself:
keytool -genkey -noprompt -alias jetty -keyalg RSA -dname 'CN=admin, OU=EPM-BFIX, O=EPAM Systems, L=Unknown, S=Unknown, C=Unknown' -keystore keystore.jks -storepass fixicch2 -keypass fixicch2
Note here the name of the file (keystore.jks) and the passwords (fixicch2).
To run FIXICC H2 with HTTPS enabled, you need to provide the following parameters:
Name | Example value | Where | Description |
---|---|---|---|
fixicch2.secure_http_port | 8443 | Java system property | HTTPS port to listen |
fixicch2.key_store_path | keystore.jks | Java system property | Path to key store (jks file) |
fixicch2.trust_store_path | keystore.jks | Java system property | Path to trust store (jks file). This is used if validating client certificates and is typically set to the same path as the keystore |
FIXICC_H2_KEY_STORE_PASSWORD | fixicch2 | Environment variable | Key store password in plain text |
FIXICC_H2_KEY_MANAGER_PASSWORD | fixicch2 | Environment variable | Key Manager password |
FIXICC_H2_TRUST_STORE_PASSWORD | fixicch2 | Environment variable | Trust store password |
For details on these parameters, please refer to the Jetty 9 documentation on the parameters keyStorePath, keyStorePassword, keyManagerPassword, trustStorePath, and trustStorePassword.
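The HTTPS parameters above combined into one launch script, as an added example that is not part of the vendor's package. It assumes the paths used in this page's examples and a keystore stored next to local.app.properties; the three passwords are expected to already be in the environment. It refuses to start if the keystore is readable by group/other or if a password is unset or still the test value fixicch2.

```sh
#!/bin/sh
# Added example (not vendor code): HTTPS launcher for FIXICC H2 with pre-flight checks.
# Paths are assumptions based on the examples on this page; adjust to your install.
APP_HOME=${APP_HOME:-/opt/fixicch2-home}       # directory with local.app.properties
APP_JAR=${APP_JAR:-/opt/fixicch2/app.jar}
KEYSTORE=${KEYSTORE:-$APP_HOME/keystore.jks}   # assumed keystore location
HTTPS_PORT=${HTTPS_PORT:-8443}

# preflight KEYSTORE_PATH: prints one line per problem, returns 1 if any was found.
preflight() {
  pf_rc=0
  if [ ! -r "$1" ]; then
    echo "keystore not readable: $1"; pf_rc=1
  else
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    pf_perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$pf_perms" != "------" ]; then
      echo "keystore is accessible to group/other: chmod 600 $1"; pf_rc=1
    fi
  fi
  for pf_var in FIXICC_H2_KEY_STORE_PASSWORD FIXICC_H2_KEY_MANAGER_PASSWORD \
                FIXICC_H2_TRUST_STORE_PASSWORD; do
    eval "pf_val=\${$pf_var:-}"
    if [ -z "$pf_val" ]; then
      echo "$pf_var is not set"; pf_rc=1
    elif [ "$pf_val" = "fixicch2" ]; then
      echo "$pf_var still uses the documented test password"; pf_rc=1
    fi
  done
  return "$pf_rc"
}

# start: run the checks, then replace this shell with the JVM.
start() {
  preflight "$KEYSTORE" || { echo "refusing to start" >&2; return 1; }
  exec java "-Dapp.home=$APP_HOME" \
    "-Dfixicch2.secure_http_port=$HTTPS_PORT" \
    "-Dfixicch2.key_store_path=$KEYSTORE" \
    "-Dfixicch2.trust_store_path=$KEYSTORE" \
    -jar "$APP_JAR"
}

# Launch only when asked, so the functions can also be sourced and tested.
if [ "${1:-}" = "start" ]; then start; fi
```

Run it as "sh fixicch2-https.sh start" (the file name is arbitrary) from a service account whose environment holds the three password variables.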
LDAP authentication
To configure the FIXICC H2 authentication via LDAP, follow these steps:
- Deploy the LDAP server
- Set the following properties in the local.app.properties file:
Name | Example value | Default value | Description |
---|---|---|---|
ldap.contextSourceUrl | ldap://localhost:389 | ldap://localhost:10389 | Defines a URL for reaching the LDAP server |
ldap.contextSourceUserName | cn=admin,dc=epm-bfix,dc=local | uid=admin,ou=system | Indicates a username (principal) used for authentication. This is normally the distinguished name of the admin user. |
ldap.contextSourceBase | dc=epm-bfix,dc=local | dc=springframework,dc=org | Defines a base DN. If configured, all operations on contexts retrieved from ContextSource will be relative to this DN. By default, an empty name is set (i.e. all operations are related to the directory root). |
ldap.contextSourcePassword | ADMIN_PASSWORD | secret | Defines a password used for authentication. Login with default parameters for the first time. Then you can change the password in env docker-compose. |
ldap.referral | follow | follow | Defines the strategy to handle referrals, as described in this documentation |
ldap.sessionExpiringPeriodSec | 120 | 30 | Indicates a period in seconds after which the system terminates a user session if you deactivate the user or assign a new access group/matching rules to them |
ldap.userSynchronizationBatchSize | 100 | 100 | Defines the number of users that can be synchronized during the execution of the synchronizeUsersFromLdap() scheduled task |
ldap.userSynchronizationOnlyActiveProperty | true | true | If set to true, the synchronizeUsersFromLdap() scheduled task updates only the value of the Active attribute. Otherwise, the system updates all user details. |
ldap.cubaGroupForSynchronization | Company | Company | Defines access groups that are checked when the system executes the synchronizeUsersFromLdap() scheduled task. |
ldap.cubaGroupForSynchronizationInverse | false | false | If set to true, the system checks all groups when executing the synchronizeUsersFromLdap() scheduled task (except for the ones specified in ldap.cubaGroupForSynchronization) |
ldap.synchronizeCommonInfoFromLdap | true | true | If set to true, the synchronizeUsersFromLdap() scheduled task updates the values of the following user attributes in accordance with their state on the LDAP server side: Email, Name, First name, Last name, Middle name, Position, Language |
cuba.web.standardAuthenticationUsers | admin, anonymous | admin, anonymous | Defines users that can log in to the system using standard CUBA credentials |
ldap.expiringSessionNotificationCron | */10 * * * * * | */10 * * * * * | Defines the cron expression for retrieving expired sessions from the middleware layer |
ldap.addonEnabled | true | false | If set to true, the LDAP add-on is enabled |
ldap.expiringSessionsEnable | true | true | If set to true, the system sends notifications to inform the user that their session is about to expire |
- If the group and user weren't set earlier you should create a posix group and a user in LDAP
- Start the FIXICC H2
- Select Administration > LDAP > LDAP Config in the menu on the left-side (items 1→2→3 in the figure below)
- Check the connection by clicking Test Connection (item 4 in the figure below)
Figure. The "Test Connection" button.
- If the connection is successful, the FIXICC H2 will show the following message:
Figure. The successful LDAP connection.
- Go to the LDAP Matching Rules page by clicking LDAP Matching Rules
- Select the default rule in the table and click Edit or press Enter on your keyboard to edit the default rule
Figure. The "LDAP Matching Rules" page.
- Add the Role - system-full-access or your own role (in this case, the role's permissions must provide access to Allow all screens):
  - Click Add (see below):
  Figure. The "Add" button for adding the permissions.
  - Select the Role in the table (item 1 in the figure above)
  - Confirm your choice by clicking Select (item 2 in the figure above)
- Log out by clicking the arrow at the bottom of the left-side menu (see below)
Figure. The "Logout" button.
- Log in with the user's data whose role was added to the LDAP Matching Rules