How to set up a connection to CME STP for the CME STP Trade Capture solution based on FIXEdge versions prior to 5.9

RHEL

Preface 

According to the CME announcement, CME Group services will support Transport Layer Security (TLS) version 1.2 only, and TLS 1.0 and 1.1 will be disabled.

New - Information Security Update

CME Group is committed to our customers’ information security. To deliver the best security and customer experience, effective Sunday, December 18 (trade date Monday, December 19), the listed CME Group services will support Transport Layer Security (TLS) version 1.2 only, and TLS 1.0 and 1.1 will be disabled. Customers are encouraged to upgrade to TLS 1.2 immediately; please contact your system administrator or network provider today to ensure seamless access.

This change will be effective in New Release on Tuesday, August 29.


The CME STP Trade Capture solution based on FIXEdge versions prior to 5.9 doesn't support TLS 1.2.

There are two ways to establish the connection between the CME STP Trade Capture solution based on FIXEdge versions prior to 5.9 and CME STP via HTTPS with TLS 1.2:

  1. Upgrade FIXEdge to the newest version (5.9 and higher).
  2. Set up a proxy that converts HTTPS from TLS 1.0 to TLS 1.2.

If you are considering an upgrade, please contact SupportFIXAntenna@epam.com.

The rest of this article covers setting up a proxy, based on the nginx web server, that converts HTTPS from TLS 1.0 to TLS 1.2.

Setup a proxy server based on nginx

  1. Download and install nginx server: Setup nginx server on Linux, Setup nginx server on Windows
  2. Add the following settings to the http{} section of the nginx.conf file (this assumes that the certificate file is located at C:\B2BITS\cert.pem):

    upstream cmeforward {
        keepalive 50;
        server servicesnr.cmegroup.com:443;
    }
    server {
        listen 443 ssl;
        server_name CMEForwarding;
        keepalive_timeout 5;
        # The same PEM file is used for the certificate and its private key
        ssl_certificate C:\B2BITS\cert.pem;
        ssl_certificate_key C:\B2BITS\cert.pem;
        ssl_session_timeout 5m;
        # TLS version offered to FIXEdge on the listener side of the proxy
        ssl_protocols TLSv1;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            rewrite ^/(.*)$ /$1 break;
            # Requests are forwarded over HTTPS to the CME upstream defined above
            proxy_pass https://cmeforward;
            proxy_ssl_session_reuse on;
            add_header Keep-Alive 'timeout=5, max=100';
        }
    }


    Example configuration files: nginx_linux_example.conf, nginx_windows_example.conf.

  3. Make sure that the port nginx listens on (the "listen 443 ssl" parameter) is open and isn't used by other applications.

  4. Set the TransportLayer.CMESTP.ServerName property in the FIXEdge.properties file to the address of the nginx box. Assuming that nginx is installed on the same box, replace this line:

    TransportLayer.CMESTP.ServerName = https://servicesnr.cmegroup.com

    with

    TransportLayer.CMESTP.ServerName = https://localhost

  5. Start the nginx server.

  6. Start the configured instance of FIXEdge.
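
A hardened variant of the proxy configuration from step 2, added here as an example (it is not part of the original article or of the FIXEdge or nginx distributions). It keeps TLS 1.0 only on a loopback listener, pins the CME-facing leg to TLS 1.2 and verifies the upstream certificate. Assumptions: nginx runs on the same box as FIXEdge (as in step 4), the certificate lives at the illustrative path /etc/nginx/ssl/cert.pem, and the trust store is the RHEL system CA bundle.

```nginx
# Added example: replaces the upstream{} and server{} blocks in the http{} section.
upstream cmeforward {
    keepalive 50;
    server servicesnr.cmegroup.com:443;
}

server {
    # Loopback only: the TLS 1.0 listener is reachable solely from the local
    # FIXEdge instance (assumption: nginx and FIXEdge share a host).
    listen 127.0.0.1:443 ssl;
    server_name CMEForwarding;
    keepalive_timeout 5;

    # Listener leg (FIXEdge -> nginx): TLS 1.0 for the legacy client.
    ssl_certificate     /etc/nginx/ssl/cert.pem;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/cert.pem;   # assumed path
    ssl_session_timeout 5m;
    ssl_protocols TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        rewrite ^/(.*)$ /$1 break;
        proxy_pass https://cmeforward;
        proxy_ssl_session_reuse on;

        # Upstream leg (nginx -> CME): refuse anything below TLS 1.2.
        proxy_ssl_protocols TLSv1.2;

        # nginx does not verify upstream certificates unless told to.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;   # room for intermediate CA certificates
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;  # RHEL CA bundle (assumed)

        # proxy_ssl_name defaults to the upstream name ("cmeforward"), which
        # would never match the certificate; use the real host name for both
        # verification and SNI.
        proxy_ssl_name servicesnr.cmegroup.com;
        proxy_ssl_server_name on;

        add_header Keep-Alive 'timeout=5, max=100';
    }
}
```

Run nginx -t after editing to validate the file before starting the server.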

Setup nginx server on Linux

  1. To set up the yum repository for RHEL 7, create the file named /etc/yum.repos.d/nginx.repo with the following contents:

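    [nginx]
    name=nginx repo
    baseurl=http://nginx.org/packages/rhel/7/$basearch/
    # gpgcheck=0 turns off RPM signature verification for this repository;
    # nginx.org's packaging instructions use gpgcheck=1 with
    # gpgkey=https://nginx.org/keys/nginx_signing.key
    gpgcheck=0
    enabled=1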

  2. Install nginx server:

    # yum install nginx

  3. Start the nginx server with the following command:

    # service nginx start

Note that nginx on Linux can also be managed using the following commands:

    # service nginx stop
    # service nginx status

For more details regarding nginx server installation on Linux, please refer to https://nginx.org/en/linux_packages.html.

Setup nginx server on Windows

  1. Unpack the distribution.
  2. Run the nginx server from the command line in the nginx directory:

    start nginx

As a standard Windows console application, nginx can be managed using the following commands:

    nginx -s stop    (fast shutdown)
    nginx -s quit    (graceful shutdown)

For more details regarding nginx server installation on Windows, please refer to http://nginx.org/en/docs/windows.html.