How to configure secure connection for FIX session

FIX Antenna Java supports configuring secure transport separately for each initiator session. The same configuration options can be defined for the SSLFIXServer instance (will be applied to acceptor sessions, initialized by this server instance).

Please check a list of configuration options below:

PropertyDescriptionDefault value 
enableSSLEnables or disables secure transport for an initiator session.false
keyStorePathPath to a Keystore, which contains private keys for secure connection
keyStorePasswordKeystore password
trustStorePathPath to a Truststore. Usually contains a chain of trusted certificates.
trustStorePasswordTruststore password
sslKeystoreTypeThe type of Keystore.
See the Keystore section in the Java Cryptography Architecture Standard Algorithm Name Documentation for information about standard types.
Examples of value: JKS, JCEKS, PKCS12, PKCS11
JKS
sslTruststoreTypeThe type of Truststore.
See the KeyStore section in the Java Cryptography Architecture Standard Algorithm Name Documentation for information about standard types.
Examples of value: JKS, JCEKS, PKCS12, PKCS11
JKS
sslKeystoreKeyAlias

Alias filter for used entities in Keystore. The only keys with defined alias will be used for a secure connection if this property is defined.

Note:

sslKeystoreKeyAlias is case-sensitive, but the Keytool saves upper case letters to the alias only when parameter -storetype CaseExactJKS is given while creating the KeyStore.


sslTruststoreKeyAliasAlias filter for used entities in Truststore. The only certificates with defined alias will be used for a secure connection if this property is defined.
sslProtocolSSL protocol.
See the SSLContext section in the Java Cryptography Architecture Standard Algorithm Name Documentation for information about standard protocol names.
Examples of value: SSL, SSLv2, SSLv3, TLS, TLSv1, TLSv1.1, TLSv1.2.
TLSv1.2
keyManagerAlgorithmKey manager factory algorithm name (see Customizing the Default Key Managers and Trust Managers). Possible values are SunX509, PKIX.SunX509
trustManagerAlgorithmTrust manager factory algorithm name (see Customizing the Default Key Managers and Trust Managers). Possible values are SunX509, PKIX.SunX509
sslServerNeedClientAuthDefine if authentication is required for the server-side socket. This option is working only for the SSLFIXServer instance.false

The sample of creating an initiator FIX session with secure connection:

// Creating connection parameters for initiator
SessionParameters params = new SessionParameters();
params.setHost("localhost");
params.setPort(3000);
params.setSenderCompId("initiator");
params.setTargetCompId("target");
        
// Define options for secure connection
params.getConfiguration().setProperty(Configuration.ENABLE_SSL, "true");
params.getConfiguration().setProperty(Configuration.KEY_STORE_PATH, "etc/keystore.jks");
params.getConfiguration().setProperty(Configuration.KEY_STORE_PASSWORD, "keypass");
params.getConfiguration().setProperty(Configuration.TRUST_STORE_PATH, "etc/truststore.jks");
params.getConfiguration().setProperty(Configuration.TRUST_STORE_PASSWORD, "trustpass");

// Create and establish secure connection
FIXSession fixSession = params.createInitiatorSession();
fixSession.connect();