How to use TLS certificates from JKS with password protection in FIXEdge C++ and FIX Antenna C++ products.

JKS is a key store format used by Java applications. FIX Antenna C++ based applications (like FIXEdge) support the PKCS 12 format.

Convert the JKS file to a PKCS 12 file with the *.pfx extension using the keytool application. Keytool is included in the JDK package.

keytool -importkeystore -srckeystore initiator.jks -srcstoretype JKS -destkeystore initiator.pfx -deststoretype PKCS12 -destkeypass <password> -deststorepass <password>

Where:

  • initiator.jks - filename of JKS key store
  • initiator.pfx - resulting filename of PKCS12 key store file
  • <password> - a new password for the PKCS12 key store. We recommend keeping the same password that was used for the JKS in order to avoid issues related to a wrong password.
    The PKCS12 file password and the key password should be the same.

Add the newly created pfx to the session configuration in FIXEdge.properties.
The example below demonstrates properties for 2-way TLS.

FIXEdge.properties
# ... other FIX session properties 
# TLS Configuration part
FixLayer.FixEngine.Session.TLSSession.Role = Initiator
FixLayer.FixEngine.Session.TLSSession.Host = <Target IP>
FixLayer.FixEngine.Session.TLSSession.Port = <Target port>
FixLayer.FixEngine.Session.TLSSession.SSL = true
FixLayer.FixEngine.Session.TLSSession.SSLProtocols = TLSv1_2
FixLayer.FixEngine.Session.TLSSession.SSLCertificate = FIXEdge1/conf/initiator.pfx 
FixLayer.FixEngine.Session.TLSSession.SSLCertificatePassword = <password>
FixLayer.FixEngine.Session.TLSSession.SSLValidatePeerCertificate = true
FixLayer.FixEngine.Session.TLSSession.SSLCACertificate = FIXEdge1/conf/initiatorCA.pem
  • Certificates in the example are placed in FIXEdge1/conf/.
  • initiatorCA.pem - the CA certificate for the counterparty, exported to PEM format.
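
A pre-start check for the properties above, as an added example that is not part of the original page or of FIXEdge itself: it reads the TLSSession properties shown on this page and reports disabled peer validation, unset or unreadable certificate files, and world-readable secrets. The function names, the base directory argument and the choice of checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint the TLS part of a FIXEdge.properties session block.
# Property names come from the page; the checks themselves are assumptions.
P='FixLayer.FixEngine.Session.TLSSession'   # session prefix used on the page

# get_prop FILE KEY: print the trimmed value of the last "KEY = value" line.
get_prop() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) out = val }
        END { print out }' "$1"
}

finding() { echo "FINDING: $1"; findings=$((findings + 1)); }

# world_readable FILE: succeed if "other" users have read permission.
world_readable() { [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]; }

# check_tls_props FILE [BASEDIR]: print findings, return how many there were.
# BASEDIR is the directory that relative certificate paths are resolved against.
check_tls_props() {
    file=$1; base=${2:-.}; findings=0
    [ "$(get_prop "$file" "$P.SSL")" = "true" ] || finding "SSL is not true"
    [ "$(get_prop "$file" "$P.SSLValidatePeerCertificate")" = "true" ] ||
        finding "SSLValidatePeerCertificate is not true (peer not verified)"
    [ -n "$(get_prop "$file" "$P.SSLCertificatePassword")" ] ||
        finding "SSLCertificatePassword is empty"
    for key in SSLCertificate SSLCACertificate; do
        path=$(get_prop "$file" "$P.$key")
        if [ -z "$path" ]; then finding "$key is not set"
        elif [ ! -r "$base/$path" ]; then finding "$key not readable: $path"
        fi
    done
    # The properties file holds the PFX password; the PFX holds the private key.
    pfx=$(get_prop "$file" "$P.SSLCertificate")
    for f in "$file" ${pfx:+"$base/$pfx"}; do
        if world_readable "$f"; then finding "world-readable: $f"; fi
    done
    return "$findings"
}

if [ "$#" -gt 0 ]; then check_tls_props "$@"; fi
```

Run it as `sh check_tls.sh FIXEdge.properties <base dir>`; the exit status is the number of findings, so 0 means every check passed.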