How to configure stunnel to enable SSL for FIX session
Since FIX Antenna C++/.NET version 2.13.0 and FIXEdge version 5.9.0, built-in SSL support has been available. Refer to "How to configure built-in SSL support for FIX sessions in FIXEdge" for details. However, you can continue to use stunnel as described in this article if you wish.
- 1 Stunnel installation
- 2 Configuration example #1. FIXEdge's initiator connects to SSL acceptor over Stunnel
- 3 Configuration example #2. FIXEdge is a proxy between 2 counterparties.
- 3.1 Configuration on FIXEdge side
- 3.1.1 FIXEdge.properties
- 3.1.2 BL_Config.xml
- 3.1.3 stunnel.conf
- 3.2 Configuration on the Client side
- 3.2.1 stunnel.conf
- 3.2.2 Client's properties
- 4 FIXEdge uses Windows certificate store for connection to an Exchange.
Stunnel installation
Download the latest version of the installer from https://www.stunnel.org/downloads.html
Run the installer and answer the questions to generate a certificate.
Configuration example #1. FIXEdge's initiator connects to SSL acceptor over Stunnel
Configure stunnel
Initiator FIX session
Run stunnel GUI Start from the Start menu.
Edit stunnel.conf from the stunnel system tray icon context menu and add a new SSL service:
stunnel.conf
[fix_initiator_session1_tunnel]
client = yes
accept = 127.0.0.1:443
connect = <counterparty_ip>:443
<counterparty_ip> - IP address of the counterparty
Reload stunnel.conf from the stunnel system tray icon context menu.
Configure the FIX session in FIXEdge
Open FIXEdge.properties to specify Initiator FIX session parameters:
Initiator FIX session
FIXEdge.properties
FixLayer.FixEngine.Session.SSLInitiator.Role = Initiator
FixLayer.FixEngine.Session.SSLInitiator.Host = 127.0.0.1
FixLayer.FixEngine.Session.SSLInitiator.Port = 443
Connect to VPN (if necessary; if not, just skip this step);
Start FIXEdge.
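stunnel does not verify the peer certificate unless a service sets verifyChain or verifyPeer, so a client tunnel configured as above encrypts the link without authenticating the counterparty. The following added example (not part of the original article, stunnel or FIXEdge) audits stunnel.conf text for that gap and for a plaintext listener bound outside loopback; the address 192.0.2.10, the CAfile name and the checkHost value are assumed placeholders.

```python
def parse_services(text):
    """Parse stunnel.conf into {service: {option: value}}; global options act as defaults."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], dict(defaults))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (defaults if current is None else current)[key.lower()] = value
    return services

def audit_client_tunnels(text):
    """Return {service: [findings]} for every service with client = yes."""
    findings = {}
    for name, opts in parse_services(text).items():
        if opts.get("client", "no").lower() != "yes":
            continue
        yes = lambda key: opts.get(key, "no").lower() == "yes"
        legacy = opts.get("verify", "0")         # legacy numeric "verify = LEVEL" option
        pinned = yes("verifypeer") or legacy in {"3", "4"}
        chain = yes("verifychain") or legacy == "2"
        issues = []
        if not (pinned or chain):
            issues.append("server certificate is not verified")
        elif not pinned and not {"checkhost", "checkip"} & opts.keys():
            issues.append("no checkHost/checkIP: any certificate from the CA is accepted")
        if not opts.get("accept", "").startswith(("127.0.0.1:", "localhost:")):
            issues.append("plaintext listener is not bound to loopback")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample: example #1 from this page, 192.0.2.10 standing in for <counterparty_ip>.
PAGE_CONF = """
[fix_initiator_session1_tunnel]
client = yes
accept = 127.0.0.1:443
connect = 192.0.2.10:443
"""
# Same service with verification enabled; the CAfile path and host name are assumed values.
HARDENED_CONF = PAGE_CONF + """verifyChain = yes
CAfile = counterparty-ca.pem
checkHost = fix.counterparty.example
"""
if __name__ == "__main__":
    print(audit_client_tunnels(PAGE_CONF), audit_client_tunnels(HARDENED_CONF))
```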
Configuration example #2. FIXEdge is a proxy between 2 counterparties.
The current configuration describes the following scenario.
FIXEdge establishes SSL connection to Exchange. The client connects to FIXEdge over SSL. All messages from Exchange are routed to the Client and vice versa.
Stunnel is configured for incoming and outgoing connections on FIXEdge's side and on the Client side.
The following configuration parameters are used in the configuration examples:
<exchange_ip> - Exchange's IP
<FIXEdge_ip> - FIXEdge IP
TCP port for SSL Connections on FIXEdge site: 443
TCP port for SSL Connections on Exchange site: 443
FIXEdge ListenPort from engine.properties: 8901
Configuration on FIXEdge side
FIXEdge.properties
FIXEdge has two configured sessions: EXCHANGE and CLIENT
FIXEdge.properties
FixLayer.FixEngine.Sessions = EXCHANGE, CLIENT
# -----------------[ FIXEdge connects to EXCHANGE as Initiator ] ------------------
FixLayer.FixEngine.Session.EXCHANGE.Role = Initiator
FixLayer.FixEngine.Session.EXCHANGE.HBI = 30
FixLayer.FixEngine.Session.EXCHANGE.Host = 127.0.0.1
FixLayer.FixEngine.Session.EXCHANGE.Port = 444
FixLayer.FixEngine.Session.EXCHANGE.Version = FIX44
FixLayer.FixEngine.Session.EXCHANGE.SenderCompID = FIXEDGE
FixLayer.FixEngine.Session.EXCHANGE.TargetCompID = EXCHANGE
# ... the remaining parameters for EXCHANGE
# ----------------- [ FIXEdge accepts connection from the CLIENT] ----------
FixLayer.FixEngine.Session.CLIENT.Role = Acceptor
FixLayer.FixEngine.Session.CLIENT.Version = FIX44
FixLayer.FixEngine.Session.CLIENT.SenderCompID = FIXEDGE
FixLayer.FixEngine.Session.CLIENT.TargetCompID = CLIENT
# ... the remaining parameters for CLIENT
BL_Config.xml
Simple routing configuration
<Rule>
  <Source Name="CLIENT"/>
  <Action>
    <Send Name="EXCHANGE" />
  </Action>
</Rule>
<Rule>
  <Source Name="EXCHANGE"/>
  <Action>
    <Send Name="CLIENT" />
  </Action>
</Rule>
stunnel.conf
[Tunnel_for_EXCHANGE]
protocol = proxy
client = yes
accept = 127.0.0.1:444
connect = <exchange_ip>:443
[Tunnel_for_CLIENT]
protocol = proxy
accept = <FIXEdge_ip>:443
connect = 127.0.0.1:8901
Configuration on the Client side
stunnel.conf
[Tunnel_for_FIXEdge]
protocol = proxy
client = yes
accept = 127.0.0.1:444
connect = <FIXEdge_ip>:443
Client's properties
SenderCompID = Client
TargetCompID = FIXEDGE
Remote host = 127.0.0.1
Remote port = 444
FIXEdge uses Windows certificate store for connection to an Exchange.
Import the certificate into the Windows certificate store with the certutil tool
certutil -addstore -user -f "My" <filename>.crt
Configure Windows Certificate store in Stunnel
stunnel.conf
engine = capi
and configure a tunnel for the session requiring an SSL connection
stunnel.conf
[Exchange SSL connection]
client = yes
engineId = capi
accept = 127.0.0.1:8443
connect = <exchange ip>:<exchange port>
<exchange ip> - Exchange connection IP
<exchange port> - Exchange connection port
Configure Initiator session in FIXEdge.properties
FIXEdge.properties
FixLayer.FixEngine.Session.EXCHANGE.Version = FIX44
FixLayer.FixEngine.Session.EXCHANGE.Role = Initiator
FixLayer.FixEngine.Session.EXCHANGE.SenderCompID = FIXEDGE
FixLayer.FixEngine.Session.EXCHANGE.TargetCompID = EXCHANGE
FixLayer.FixEngine.Session.EXCHANGE.Host = 127.0.0.1
FixLayer.FixEngine.Session.EXCHANGE.Port = 8443
FixLayer.FixEngine.Session.EXCHANGE.HBI = 30
FixLayer.FixEngine.Session.EXCHANGE.RecreateOnLogout = true