What you need:
- Server-side keystore in JKS or PKCS12 format
- Client-side keystore in JKS or PKCS12 format
- [Optional] Server-side Trust Store in JKS or PKCS12 format
- Client-side Trust Store in JKS or PKCS12 format
Server Side Configuration
Enable SSL
Set configuration properties (UI):
"fix.inbound.default.sslEnabled": "Y",
"fix.inbound.default.sslProtocols": "TLSv1.3",
"fix.inbound.default.sslKeyStore": "/path/to/your/keystore.jks",
"fix.inbound.default.sslKeyStorePassword": "password",
"fix.inbound.default.sslKeyStoreType": "JKS",
NOTE: If you are running on SaaS, the value for the sslKeyStore variable will always be /usr/local/algotrader/keystore/identity.jks
Optionally, edit the fix-acceptor.cfg file. Add to [default] section:
SocketUseSSL=Y
EnabledProtocols=TLSv1.3
SocketKeyStore=/path/to/your/keystore.pfx
SocketKeyStorePassword=password
KeyStoreType=PKCS12
Enable client authentication (mTLS)
In Wyden's implementation of FIX, the initiator always authenticates the acceptor's certificate. If you want to enable mutual authentication, you need to enable it on the server side as well.
NOTE: Enabling client authentication requires Trust Store to be configured. See the following sections.
Set the configuration property (UI):
"fix.inbound.default.sslNeedClientAuth": "Y"
Optionally, edit the fix-acceptor.cfg file. Add to [default] section:
NeedClientAuth=Y
Configure server-side Trust Store (mTLS)
If you have enabled NeedClientAuth=Y, a Trust Store must be configured; the acceptor will then verify the client's certificate as well, which gives mutual certificate authentication.
NOTE: Your Trust Store must contain the certificates of all clients (initiators) that are allowed to connect to your Inbound-FIX. A client that has a proper FIX session and API Key/Secret pair but whose certificate is not in the Trust Store will be rejected during the SSL handshake.
To generate a truststore from the client certificates, use Java Keytool:
keytool -import -file client.crt -alias clientCA -keystore truststore.jks -deststoretype JKS
NOTE: If you are running on SaaS, please upload the truststore to the instance using SFTP (instructions can be found in the article), and provide the path for the sslTrustStore variable following the schema /usr/local/upload/configs/<truststore_filename>
Set configuration properties (UI):
"fix.inbound.default.sslTrustStore": "/path/to/your/truststore.jks",
"fix.inbound.default.sslTrustStorePassword": "password",
"fix.inbound.default.sslTrustStoreType": "JKS",
Optionally, edit the fix-acceptor.cfg file. Add to [default] section:
SocketTrustStore=/path/to/your/truststore.jks
SocketTrustStorePassword=password
TrustStoreType=JKS
Client Side Configuration
NOTE: The client-side Trust Store must contain the server's certificate. If NeedClientAuth=Y is enabled on the server side, the certificate held in the client-side key store must also be present in the server-side trust store.
If you are running on SaaS, generate the truststore as follows:
- Fetch the server certificate
openssl s_client -showcerts -connect <instance_address>:9880 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > server.crt
- Generate truststore using Java Keytool
keytool -import -file server.crt -alias serverCA -keystore truststore.jks -deststoretype JKS
The FIX configuration of the initiator should look as follows:
[default]
SocketUseSSL=Y
EnabledProtocols=TLSv1.3
SocketKeyStore=/path/to/initiator/keystore.jks
SocketKeyStorePassword=password
KeyStoreType=JKS
SocketTrustStore=/path/to/initiator/truststore/truststore.jks
SocketTrustStoreType=JKS
SocketTrustStorePassword=password
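The acceptor and initiator settings above have a few ways to go wrong that only show up as a failed handshake: NeedClientAuth=Y with no trust store, an initiator without a trust store, a store type that does not match the file, or a legacy protocol left in EnabledProtocols. The following linter is an added example, not part of this article or of Wyden's software; it assumes the [default] section keys named above (accepting both TrustStoreType and SocketTrustStoreType, since both spellings appear on this page) and uses a constructed, deliberately broken acceptor cfg as sample input.

```python
import configparser
import io
import os

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
STORE_TYPE_BY_EXT = {".jks": "JKS", ".pfx": "PKCS12", ".p12": "PKCS12"}
# Type keys paired with each store path key; both spellings of the trust store type occur in the article.
TYPE_KEYS = {"SocketKeyStore": ("KeyStoreType",),
             "SocketTrustStore": ("TrustStoreType", "SocketTrustStoreType")}


def lint_fix_ssl(cfg_text: str, role: str) -> list:
    """Lint the [default] section of a QuickFIX-style cfg; role is 'acceptor' or 'initiator'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the CamelCase keys the FIX engine expects
    cp.read_file(io.StringIO(cfg_text))
    d = cp["default"]
    if d.get("SocketUseSSL") != "Y":
        return ["SocketUseSSL is not Y: the session would run in cleartext"]
    protocols = [p.strip() for p in d.get("EnabledProtocols", "").split(",") if p.strip()]
    findings = [f"legacy protocol enabled: {p}" for p in protocols if p in LEGACY_PROTOCOLS]
    if not protocols:
        findings.append("EnabledProtocols not set: the JVM default protocol list applies")
    if role == "acceptor" and d.get("NeedClientAuth") != "Y":
        findings.append("NeedClientAuth is not Y: client certificates are not checked (no mTLS)")
    elif not d.get("SocketTrustStore"):  # acceptor with mTLS on, or any initiator
        findings.append(f"{role} has no SocketTrustStore: the peer certificate cannot be verified")
    for path_key, type_keys in TYPE_KEYS.items():
        path = d.get(path_key)
        if not path:
            continue
        if not d.get(path_key + "Password"):
            findings.append(f"{path_key} is set but {path_key}Password is missing")
        declared = next((d[k] for k in type_keys if k in d), None)
        expected = STORE_TYPE_BY_EXT.get(os.path.splitext(path)[1].lower())
        if declared is None:
            findings.append(f"{path_key} is set but none of {'/'.join(type_keys)} is declared")
        elif expected and declared.upper() != expected:
            findings.append(f"{path_key} ends in {os.path.splitext(path)[1]} but type is {declared}, not {expected}")
    return findings


# Constructed sample (not from a real deployment): mTLS requested, trust store missing, legacy TLS on.
BROKEN_ACCEPTOR_CFG = """[default]
SocketUseSSL=Y
EnabledProtocols=TLSv1.3,TLSv1
SocketKeyStore=/path/to/your/keystore.jks
KeyStoreType=PKCS12
NeedClientAuth=Y
"""
```

Running `lint_fix_ssl(BROKEN_ACCEPTOR_CFG, "acceptor")` reports four findings; the complete acceptor and initiator configurations shown in this article produce none.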