FIXEdge Java with FIXICC H2: Deployment Guide
PostgreSQL installation and configuration
NOTE!
- if you already have PostgreSQL set up in your network, you can skip this part
- installation should be performed under the root user.
To install PostgreSQL on Centos, install postgresql-server from the yum repository:
yum install postgresql postgresql-server
Then initialize a new PostgreSQL installation:
postgresql-setup initdb
If you need to install PostgreSQL in Ubuntu, you can use the following guide: https://wiki.postgresql.org/wiki/Apt
By default, the PostgreSQL server is accessible only via Unix domain sockets or the loopback IP interface (127.0.0.1), and local users are authenticated by the operating system, i.e. the OS user postgres can connect as PostgreSQL user postgres without any additional authentication on the PostgreSQL server side. To allow PgAdmin4 and FIXICC H2 to work, we need to enable access via a network.
To enable network access to PostgreSQL server edit file /var/lib/pgsql/data/pg_hba.conf (on Centos) or /etc/postgresql/14/main/pg_hba.conf (on Ubuntu) and add the following lines:
host all all 0.0.0.0/0 md5
host all all ::0/0 md5
These rules allow all users to connect to all databases from any IPv4 or IPv6 host over TCP, with or without SSL, authenticating with md5-hashed passwords.
Remove lines that enable ident connection to localhost:
# IPv4 local connections:
host all all 127.0.0.1/32 ident
# IPv6 local connections:
host all all ::1/128 ident
To listen on all network interfaces, edit the file /var/lib/pgsql/data/postgresql.conf (on Centos) or /etc/postgresql/14/main/postgresql.conf (on Ubuntu) and replace the line:
# listen_addresses = 'localhost'
with
listen_addresses = '*'
enable and start postgresql server
systemctl enable --now postgresql
systemctl status postgresql
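A check for the pg_hba.conf change described above, as an added example that is not part of the original guide: it reports every rule that accepts TCP connections from any address, including the older separate-netmask form. The function names, the sample file, the fixicc database and user, and the 10.0.5.0/24 subnet are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report pg_hba.conf rules that
# accept TCP clients from any address, such as the two rules added above.

# Constructed sample; database/user "fixicc" and 10.0.5.0/24 are placeholders.
sample_pg_hba() {
cat <<'EOF'
# TYPE  DATABASE  USER    ADDRESS          METHOD
local   all       all                      peer
host    all       all     0.0.0.0/0        md5
host    all       all     ::0/0            md5
host    fixicc    fixicc  10.0.5.0/24      scram-sha-256
hostssl all       all     0.0.0.0 0.0.0.0  md5
EOF
}

# audit_pg_hba [FILE...]   (reads stdin when no file is given)
# Prints one line per world-open rule; exit status is 1 if any was found.
audit_pg_hba() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        # Only TCP rule types carry an address ("local" does not).
        $1 !~ /^host(ssl|nossl|gssenc|nogssenc)?$/ { next }
        {
            addr = $4; method = $5
            # Two-column form: ADDRESS NETMASK METHOD
            if (NF >= 6 && $5 ~ /[.:]/) { addr = $4 "/" $5; method = $6 }
            open = (addr == "all" || addr == "0.0.0.0/0" ||
                    addr ~ /^::0?\/0$/ || addr == "0.0.0.0/0.0.0.0")
            if (open) {
                printf "line %d: %s db=%s user=%s from=%s auth=%s\n",
                       FNR, $1, $2, $3, addr, method
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$@"
}

# Demo on the constructed sample.
sample_pg_hba | audit_pg_hba || echo "world-open rules found"
```

On the database host, pass the real file instead, for example `audit_pg_hba /var/lib/pgsql/data/pg_hba.conf`.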
Consul installation and configuration
To install Consul on Centos, apply the following actions:
- add HashiCorp repository:
yum install -y yum-utils
yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
- install consul from yum repository
yum -y install consul
In order to install Consul on Ubuntu, follow the steps from https://learn.hashicorp.com/tutorials/consul/deployment-guide?in=consul/production-deploy#configure-consul-agents
generate Consul CA and server certificate and private key
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout consul.key -out consul.crt -subj '/C=RU/L=Saratov/O=EPAM/OU=BFIX/CN=fixicch2.consul'
NOTE!
- replace '/C=RU/L=Saratov/O=EPAM/OU=BFIX/CN=fixicch2.consul' with your company identity
configure consul as follows (/etc/consul.d/consul.json)
Create consul.json file if missing in the directory.
{
  "bind_addr": "{{GetInterfaceIP \"ens5\"}}",
  "bootstrap": true,
  "server": true,
  "addresses": {
    "https": "0.0.0.0"
  },
  "ports": {
    "http": -1,
    "https": 8501
  },
  "auto_encrypt": {
    "allow_tls": true,
    "tls": true
  },
  "client_addr": "0.0.0.0",
  "ui": true,
  "data_dir": "/var/lib/consul",
  "log_level": "INFO",
  "disable_update_check": true,
  "disable_anonymous_signature": true,
  "verify_server_hostname": false,
  "cert_file": "/etc/consul.d/consul.crt",
  "key_file": "/etc/consul.d/consul.key",
  "auto_encrypt": {
    "allow_tls": true
  }
}
NOTE!
- replace ens5 with your server's network interface
remove or backup /etc/consul.d/consul.hcl
remove ConditionFileNotEmpty in /usr/lib/systemd/system/consul.service
ConditionFileNotEmpty=/etc/consul.d/consul.hcl
change ownership and permissions for /var/lib/consul and /etc/consul.d directories
chown -R consul:consul /var/lib/consul
chmod -R 775 /var/lib/consul
chown -R consul:consul /etc/consul.d
enable and start consul server:
systemctl enable --now consul
systemctl start consul
consul UI should be available on https://server_ip:8501/ui/
FIXICC-H2 installation and configuration
- download latest package from https://clientspace.b2bits.com/product-58 (fixicc-h2-21Q4.1-84.el7.x86_64.rpm or fixicc-h2-21Q4.1-84.el7.x86_64.deb)
install rpm package fixicc-h2-21Q4.1-84.el7.x86_64.rpm on Centos
rpm -i fixicc-h2-21Q4.1-84.el7.x86_64.rpm
or install deb package on Ubuntu
sudo dpkg -i fixicc-h2-21Q4.1-84.el7.x86_64.deb
create a user and a database for FIXICC H2 in postgresql
CREATE USER <DBUSER> WITH CREATEDB PASSWORD '<DBPASSWORD>';
CREATE DATABASE <DBNAME>;
GRANT ALL PRIVILEGES ON DATABASE <DBNAME> TO <DBUSER>;
generate keystore for FIXICC-H2
cd /etc/fixicc-h2/
keytool -genkey -noprompt -alias jetty -keyalg RSA -dname 'CN=admin, OU=EPM-BFIX, O=EPAM Systems, L=Unknown, S=Unknown, C=Unknown' -keystore keystore.jks -storepass <STORE_PASSWORD> -keypass <KEY_PASSWORD> -ext 'SAN=IP:127.0.0.1'
Edit /etc/fixicc-h2/local.app.properties and set properties as follows
cuba.rest.anonymousEnabled = true
cuba.anonymousLogin = anonymous
cuba.dbmsType = postgres
cuba.dataSourceProvider = application
cuba.dataSource.username = <DBUSERNAME>
cuba.dataSource.password = <DBPASSWORD>
cuba.dataSource.dbName = <DBNAME>
cuba.dataSource.host = 127.0.0.1
cuba.dataSource.port = 5432
fixicch2.consul.encrypted_connection = true
fixicch2.consul.host = 127.0.0.1
fixicch2.consul.port = 8501
fixicch2.consul.insecure_connection_enabled = true
fixicch2.fixServerType = all
fixicch2.consul.check.tls_skip_verify=true
fixicch2.secure_http_port = 8443
fixicch2.key_store_path = keystore.jks
fixicch2.trust_store_path = keystore.jks
fixicch2.prometheus.host = 127.0.0.1
edit /usr/lib/systemd/system/fixicc-h2.service as follows
[Unit]
Description=FIXICC-H2
After=syslog.target network.target
[Service]
Type=simple
User=<USER>
Group=<GROUP>
SuccessExitStatus=143
Environment=FIXICC_H2_KEY_STORE_PASSWORD=<PASSWORD> FIXICC_H2_KEY_MANAGER_PASSWORD=<PASSWORD> FIXICC_H2_TRUST_STORE_PASSWORD=<PASSWORD>
ExecStart=/bin/bash -c '/usr/bin/java -Dapp.home=/etc/fixicc-h2/ -Dfixicch2.secure_http_port=8443 -Dfixicch2.key_store_path=/etc/fixicc-h2/keystore.jks -Dfixicch2.trust_store_path=/etc/fixicc-h2/keystore.jks -jar /usr/lib64/fixicc-h2/21Q4.1/app.jar'
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
NOTE!
- The path to app.jar on Ubuntu will be a bit different: /usr/lib/fixicc-h2/21Q4.1/app.jar
enable and start fixicc-h2 server:
systemctl enable --now fixicc-h2
systemctl start fixicc-h2
- FIXICC-H2 UI should be available on https://server_ip:8443/app/
FEJ installation (rpm or deb package) and configuration
- download latest package from https://clientspace.b2bits.com/product-42 (fixedge-java-1.9.1-1.el7.x86_64.rpm or fixedge-java_1.9.1_amd64.deb)
install rpm package fixedge-java-1.9.1-1.el7.x86_64.rpm on Centos
rpm -i fixedge-java-1.9.1-1.el7.x86_64.rpm
or install deb package on Ubuntu
sudo dpkg -i fixedge-java_1.9.1_amd64.deb
- copy your fixaj2-license.bin file into your /etc/fixedge-java directory
in /etc/fixedge-java/fixedge.properties replace the line
#rest.service.name=REST-AdminAPI
with
rest.service.name=REST-AdminAPI
and replace the line
metrics.enable=false
with
metrics.enable=true
then replace Discovery Service Configuration section with the following one:
###################################################################
################# DISCOVERY SERVICE CONFIGURATION ###############
###################################################################
# Name of server, if it is not empty, server will be registered in Discovery by this name. Otherwise, it will not be registered.
server.name=ServerA
# Name of protocol, used for server registration in Service Discovery
protocol.name=FIX
service.discovery.enabled=true
# Health check interval (Service Discovery)
service.discovery.healthcheck.interval=10
# Service Discovery attempt period, milliseconds
service.discovery.attempt.period=10000
# To use original sessionConfigManager and scheduleConfigManager beans set 'false' or comment it
# To use fixxicch2 session and schedule config managers set 'true'
server.useFixicch2ConfigManager=true
server.useFixicch2RoutingConfigManager=true
fixicch2.enable=true
# Fixicch2 service name in Service Discovery
fixicch2.service=FIXICC-H2-Secure
# Fixicch2 URL prefix if Service Discovery is used to define IP and port
fixicch2.url.prefix=https
# Timeout for attempts to connect to Service Discovery, mc
fixicch2.service.discovery.connection.timeout=60000
# Max time to wait Service Discovery Fixicc H2 health status update, min
fixicch2.service.discovery.status.update.timeout=10
# Pause to reconnect to FIXICC H2 URL in case of errors, mc
fixicch2.reconnect.pause=2000
fixicch2.reconnect.attempt=3
consul.host = 127.0.0.1
consul.port = 8501
server.checkHost = 127.0.0.1
# True if insecure connection through https to FIXICC H2 is enabled.
fixicch2.insecure.connection.enabled=false
# FIXICC H2 client keystore properties
fixicch2.keystore.path=/etc/fixedge-java/ssl/fixicch2/keystore.jks
fixicch2.keystore.password=<PASSWORD>
service.discovery.encrypted.connection=true
service.discovery.insecure.connection.enabled=true
fixicch2.cache.path=/var/log/fixedge-java/cache
copy fixicc-h2 keystore
cp /etc/fixicc-h2/keystore.jks /etc/fixedge-java/ssl/fixicch2/keystore.jks
chown fixedge-java:fixedge-java /etc/fixedge-java/ssl/fixicch2/keystore.jks
enable and start fej server:
systemctl enable --now fixedge-java
systemctl start fixedge-java
- after startup fej server should appear in fixicc-h2 UI
FEJ installation (zip) and configuration
- download latest package from https://clientspace.b2bits.com/product-42 (fixedge-java-1.9.1.zip)
unzip fixedge-java-1.9.1.zip
unzip fixedge-java-1.9.1.zip -d /etc
mv /etc/fixedgej-1.9.1 /etc/fixedge-java
- copy your fixaj2-license.bin file into your /etc/fixedge-java/conf directory
in /etc/fixedge-java/conf/fixedge.properties replace the line
#rest.service.name=REST-AdminAPI
with
rest.service.name=REST-AdminAPI
and replace the line
metrics.enable=false
with
metrics.enable=true
then replace Discovery Service Configuration section with the following one:
###################################################################
################# DISCOVERY SERVICE CONFIGURATION ###############
###################################################################
# Name of server, if it is not empty, server will be registered in Discovery by this name. Otherwise, it will not be registered.
server.name=ServerA
# Name of protocol, used for server registration in Service Discovery
protocol.name=FIX
service.discovery.enabled=true
# Health check interval (Service Discovery)
service.discovery.healthcheck.interval=10
# Service Discovery attempt period, milliseconds
service.discovery.attempt.period=10000
# To use original sessionConfigManager and scheduleConfigManager beans set 'false' or comment it
# To use fixxicch2 session and schedule config managers set 'true'
server.useFixicch2ConfigManager=true
server.useFixicch2RoutingConfigManager=true
fixicch2.enable=true
# Fixicch2 service name in Service Discovery
fixicch2.service=FIXICC-H2-Secure
# Fixicch2 URL prefix if Service Discovery is used to define IP and port
fixicch2.url.prefix=https
# Timeout for attempts to connect to Service Discovery, mc
fixicch2.service.discovery.connection.timeout=60000
# Max time to wait Service Discovery Fixicc H2 health status update, min
fixicch2.service.discovery.status.update.timeout=10
# Pause to reconnect to FIXICC H2 URL in case of errors, mc
fixicch2.reconnect.pause=2000
fixicch2.reconnect.attempt=3
consul.host = 127.0.0.1
consul.port = 8501
server.checkHost = 127.0.0.1
# True if insecure connection through https to FIXICC H2 is enabled.
fixicch2.insecure.connection.enabled=false
# FIXICC H2 client keystore properties
fixicch2.keystore.path=/etc/fixedge-java/conf/ssl/fixicch2/keystore.jks
fixicch2.keystore.password=<PASSWORD>
service.discovery.encrypted.connection=true
service.discovery.insecure.connection.enabled=true
fixicch2.cache.path=/etc/fixedge-java/logs/cache
- add group and user fixedge-java
sudo groupadd --system fixedge-java
sudo useradd -s /sbin/nologin --system -g fixedge-java fixedge-java
copy fixicc-h2 keystore
cp /etc/fixicc-h2/keystore.jks /etc/fixedge-java/conf/ssl/fixicch2/keystore.jks
chown -R fixedge-java:fixedge-java /etc/fixedge-java/
add new file /etc/systemd/system/fixedge-java.service:
[Unit]
Description=Fixedge-java
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=fixedge-java
Group=fixedge-java
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/etc/fixedge-java/bin/runConsole.sh
SyslogIdentifier=fixedge-java
Restart=always
[Install]
WantedBy=multi-user.target
enable and start fej server:
systemctl enable --now fixedge-java
systemctl start fixedge-java
- after startup fej server should appear in fixicc-h2 UI
Prometheus installation and configuration
To install Prometheus on Ubuntu, use the following guide: https://computingforgeeks.com/install-prometheus-server-on-debian-ubuntu-linux/
add the following to the end of /etc/prometheus/prometheus.yml:
  - job_name: 'serverA'
    metrics_path: /prometheus/metrics
    scheme: https
    tls_config:
      insecure_skip_verify: true
    static_configs:
      - targets: ['127.0.0.1:9010']
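A check for the verification-related settings used in local.app.properties, fixedge.properties, consul.json and prometheus.yml above, as an added example that is not part of the original guide or of the products it describes: it lists every setting, written one per line, whose name indicates skipped certificate verification or anonymous access and that is switched on. The function names and the sample input are constructed; the key names are taken from this guide, and matching on the words insecure and skip_verify is an assumption about their meaning.

```shell
#!/bin/sh
# Added example (not from the original guide): list settings that turn off TLS
# certificate verification or enable anonymous access, one setting per line,
# in .properties, YAML or pretty-printed JSON files.

# Constructed sample built from keys that appear in this guide.
sample_settings() {
cat <<'EOF'
cuba.rest.anonymousEnabled = true
fixicch2.consul.insecure_connection_enabled = true
fixicch2.consul.check.tls_skip_verify=true
# fixicch2.insecure.connection.enabled=true
fixicch2.insecure.connection.enabled=false
service.discovery.insecure.connection.enabled=true
      insecure_skip_verify: true
  "verify_server_hostname": false,
EOF
}

# audit_tls_settings [FILE...]   (reads stdin when no file is given)
# Prints file:line: key=value per finding; exit status is 1 if any was found.
audit_tls_settings() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^[#!]/) next      # blank or comment
            gsub(/"/, "", line)                         # JSON quotes
            sub(/,[ \t]*$/, "", line)                   # JSON trailing comma
            sep = match(line, /[=:]/)                   # first separator
            if (!sep) next
            key = substr(line, 1, sep - 1); val = substr(line, sep + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            # Assumption: key names containing these words mean what they say.
            risky = (key ~ /insecure|skip_verify|anonymousEnabled/ && val == "true") ||
                    (key == "verify_server_hostname" && val == "false")
            if (risky) {
                src = (FILENAME == "" || FILENAME == "-") ? "stdin" : FILENAME
                printf "%s:%d: %s=%s\n", src, FNR, key, val
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$@"
}

sample_settings | audit_tls_settings || echo "review the settings listed above"
```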
FIXEye Agent installation and configuration
The FIXEye Agent installation instructions below are not applicable to RHEL systems.
- download latest package from https://clientspace.b2bits.com/product-36 (fixeye-agent-2.3.0.168-1.el7.x86_64.rpm or fixeye-agent-2.3.0.168-1.el7.x86_64.deb)
install rpm package fixeye-agent-2.3.0.168-1.el7.x86_64.rpm on Centos
rpm -i fixeye-agent-2.3.0.168-1.el7.x86_64.rpm
or install deb package on Ubuntu
sudo dpkg -i fixeye-agent-2.3.0.168-1.el7.x86_64.deb
- copy your fixeye-agent.license file into /etc/fixeye/ directory
generate Fixeye CA and server certificate and private key
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout fixeye.key -out fixeye.crt -subj '/C=RU/L=Saratov/O=EPAM/OU=BFIX/CN=fixicch2.fixeye'
NOTE!
- replace '/C=RU/L=Saratov/O=EPAM/OU=BFIX/CN=fixicch2.fixeye' with your company identity
edit /etc/fixeye/fixeye-agent.config as follows
-rest-port 8882 -rest-pkey "/etc/fixeye/fixeye.key" -rest-cert "/etc/fixeye/fixeye.crt" --propfile "/etc/fixeye/fixeye-agent.properties" -f "/var/lib/fixedge-java/*.in" "/var/lib/fixedge-java/*.out" --pidfile "/var/log/fixeye/fixeye-agent.pid" -licfile "/etc/fixeye/fixeye-agent.license"
add the following to the end of /etc/fixeye/fixeye-agent.properties
Consul.Enabled=true
Consul.Host=localhost
Consul.Port=8501
Consul.ReconnectInterval=1000
Consul.ServerName=ServerA
Consul.Services.Host=localhost
Consul.Services.HealthChecks.Interval=5
Consul.Services.HealthChecks.Timeout=5
Consul.SSL=true
Consul.SSL.CertificateAuthority=/etc/fixeye/consul.crt
copy consul certificate
cp /etc/consul.d/consul.crt /etc/fixeye/consul.crt
chown -R fixeye:fixeye /etc/fixeye/
enable and start fixeye-agent server:
systemctl enable --now fixeye-agent
systemctl start fixeye-agent