How to connect to CME Globex using Secure Logon
CME secure logon provides an ability to logon using the SHA256 digital signature technique. This logon feature has been introduced by CME recently and provides the highest security.
It's needed to obtain a security keys file from CME in order to use it . Once it is available, FIX Antenna can be configured to use secure logon for connecting to CME.
It can be done both ways using API or with a configuration file (FIXEdge.properties).
The first approach - using API:
3 members of SessionExtraParametes structure have to be set before passing it to createSession() API call.
- cmeSecureKeysFile_ that contains a path to CME keys files. E.g.: CMEKeys.txt.
- customSessionType_ has to be set to Engine::CME_SECURE_LOGON. It tells the engine to use CME secure logon scheme.
- sendLastMsgSeqNumProcessed_ has to be set to true.
The second approach - using FIXEdge.properties file:
3 additional session configuration parameters have to be set.
- FixLayer.FixEngine.Session.Session_Name.CMESecureKeysFile that contains a path to CME keys files.
- FixLayer.FixEngine.Session.Session_Name.CustomSessionType has to be set to CME_SECURE_LOGON. It tells the engine to use CME secure logon scheme.
- FixLayer.FixEngine.Session.Session_Name.sendLastMsgSeqNumProcessed has to be set to true.
Troubleshooting notes
CME Secure Logon procedure fails due to HMAC timestamp check
CME drops the connection just after receiving logon with a Logout (5) message for iLink and drop copy sessions.
Root cause
CME Globex requires secure authentication and logon should have keyed-hash message authentication code (HMAC). If the code is invalid the connection is not established.
For HMAC calculation FIX Engine uses SendingTime and if local time is not synchronized it may lead to generate a wrong HMAC.
Solution
- Make sure that time is synchronized
- Ask CME about the details of Secure Logon failure