How to use TLS certificates from JKS with password protection in FIXEdge C++ and FIX Antenna C++ products.
JKS is a key store format used by Java applications. FIX Antenna C++ based applications (like FIXEdge) support the PKCS 12 format.
Convert the JKS file to a PKCS 12 file with a *.pfx extension using the keytool application. Keytool is included in the JDK package.
keytool -importkeystore -srckeystore initiator.jks -srcstoretype JKS -destkeystore initiator.pfx -deststoretype PKCS12 -destkeypass <password> -deststorepass <password>
Where:
- initiator.jks - filename of JKS key store
- initiator.pfx - resulting filename of PKCS12 key store file
- <password> - a new password for the PKCS12 key store. We recommend keeping the same password that was used for the JKS in order to avoid issues related to a wrong password.
PKCS12 file password and key password should be the same.
Add the newly created pfx to the session configuration in FIXEdge.properties.
The example below demonstrates properties for 2-way TLS.
FIXEdge.properties
# ... other FIX session properties
# TLS Configuration part
FixLayer.FixEngine.Session.TLSSession.Role = Initiator
FixLayer.FixEngine.Session.TLSSession.Host = <Target IP>
FixLayer.FixEngine.Session.TLSSession.Port = <Target port>
FixLayer.FixEngine.Session.TLSSession.SSL = true
FixLayer.FixEngine.Session.TLSSession.SSLProtocols = TLSv1_2
FixLayer.FixEngine.Session.TLSSession.SSLCertificate = FIXEdge1/conf/initiator.pfx
FixLayer.FixEngine.Session.TLSSession.SSLCertificatePassword = <password>
FixLayer.FixEngine.Session.TLSSession.SSLValidatePeerCertificate = true
FixLayer.FixEngine.Session.TLSSession.SSLCACertificate = FIXEdge1/conf/initiatorCA.pem
- Certificates in the example are placed in FIXEdge1/conf/.
- initiatorCA.pem is the CA certificate for the counterparty, exported to PEM format.
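A pre-flight check for the session properties above, as an added example that is not part of FIXEdge or FIX Antenna: it flags a session whose SSLCertificate still points at the unconverted JKS file (JKS files begin with the bytes FE ED FE ED, while a PKCS 12 file is DER and begins with 0x30), and a session that does not validate the peer certificate as the 2-way TLS example does. The function names, the `base_dir` parameter used to resolve relative paths, and the constructed sample in `demo()` are assumptions made for illustration.

```python
import os
import tempfile

JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of every JKS keystore
PREFIX = "FixLayer.FixEngine.Session."

def parse_properties(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_tls_session(props, session, base_dir="."):
    """Return findings for one session's TLS properties (empty list = clean)."""
    get = lambda name: props.get(PREFIX + session + "." + name, "")
    findings = []
    # Assumption: only the literal "true" shown on the page counts as enabled.
    if get("SSL") != "true":
        findings.append("SSL is not enabled")
    if get("SSLValidatePeerCertificate") != "true":
        findings.append("peer certificate validation is off")
    elif not get("SSLCACertificate"):
        findings.append("SSLCACertificate is missing")
    if not get("SSLCertificatePassword"):
        findings.append("SSLCertificatePassword is empty")
    try:
        with open(os.path.join(base_dir, get("SSLCertificate")), "rb") as f:
            head = f.read(4)
    except OSError:
        return findings + ["SSLCertificate cannot be read"]
    if head == JKS_MAGIC:
        findings.append("SSLCertificate is still JKS")
    elif head[:1] != b"\x30":  # PKCS 12 is DER and opens with a SEQUENCE tag
        findings.append("SSLCertificate is not DER-encoded PKCS 12")
    return findings

def demo():
    """Constructed sample: a session still pointing at the unconverted JKS."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "initiator.jks"), "wb") as f:
            f.write(JKS_MAGIC + b"\x00\x00\x00\x02")  # constructed header only
        text = "\n".join(PREFIX + "TLSSession." + kv for kv in (
            "SSL = true", "SSLCertificate = initiator.jks",
            "SSLCertificatePassword = example"))
        return check_tls_session(parse_properties(text), "TLSSession", d)
```

The header check only confirms the container format; it does not open the key store, so a wrong SSLCertificatePassword is still only detected when the session starts.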