Summary: Use MINA's SSL filters to add integrated SSL support to initiators/acceptors.
Many FIX providers use SSL to secure FIX communications. At the moment the only way I know of to use quickfixj with SSL is via a tunnelling tool such as stunnel. However, this has some disadvantages, such as requiring a permanently open port on the local machine, which then needs firewall-level protection. MINA, the Apache network framework that quickfixj is built on, has built-in SSL support. It would be great if quickfixj could use this code so that SSL connections could be set up purely in the config file.
Information for development
I haven't got SSL with MINA working yet, but here is a rough plan:
Some sample code for using SSLFilter can be found at http://svn.apache.org/viewvc/directory/trunks/mina/examples/src/main/java/org/apache/mina/examples/echoserver/Main.java?revision=400068&view=markup
I think it only works with Java 1.5, but quickfixj is working fine with Java 1.5 for me.
- Adapt the config file and SessionSettings.java so they carry some SSL settings, for example SocketUseSSL=Y and SocketUseSSLCertificate=mycertificate.pem
- Add the MINA-Filter SSL jar to the optional and test jars directory
- Add acceptance tests to check that these settings are used
- Modify AbstractSocketAcceptor.getIOAcceptor to use the MINA SSL filter if necessary
- Modify AbstractSocketInitiator appropriately
I've added an example SSL filter to MINA Filters, but it also relies on Spring -
Brad Harvey
Configuring stunnel
I managed to set up stunnel fairly easily, so this is just a quick summary of the steps I used to get it working.
- Get stunnel. You can either do this as part of your Unix distribution, using Cygwin for Windows, or download it from stunnel.org. I downloaded the Windows version from stunnel.org.
- To test it, configure stunnel on two different machines, or, if you already have a provider, link straight to their machine. On my machine stunnel added a start menu item saying "Edit stunnel.conf". The counterparty should tell you the machine or IP to connect to (brokermachine below) and the port to connect to (442 below). 9876 was an arbitrary spare port I chose on my machine. Remember whatever number you use, because you will need it again later. I edited mine to look like:
; stunnel.conf
client = yes
; was stunnel.pem
cert = mycertificate.pem
[executor]
accept = 9876
connect = brokermachine:442
- If you are just testing, you can use the default stunnel.pem certificate at both ends. If not, you'll need to create a certificate and place it in your stunnel directory. My broker gave me instructions on doing this, which involved converting a Windows .pfx file to a .pem file using openssl. openssl was available under Cygwin. The command line I used was:
openssl pkcs12 -in "mycertificate.pfx" -out mycertificate.pem -nodes
- You'll then need to configure quickfixj to connect to the port on the machine running stunnel, not to the remote machine. This is where you need your ID, the ID of the counterparty, and the port you chose earlier. My config file looks like:
[default]
FileStorePath=output/trader
BeginString=FIX.4.2
ConnectionType=initiator
[session]
SenderCompID=MY_ID_SUPPLIED_BY_BROKER
TargetCompID=BROKER_ID_SUPPLIED_BY_BROKER
SocketConnectHost=localhost
SocketConnectPort=9876
StartTime=00:00:00
EndTime=00:00:00
HeartBtInt=30
ReconnectInterval=5
- And after all this, you should be running fine!
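The two files above have to agree with each other: quickfixj must point at the local stunnel port, and the tunnel must run in client mode with a real certificate. The following consistency check is an added example, not part of the original page or of quickfixj; it parses constructed copies of the stunnel.conf and quickfixj config shown above and reports any mismatch.

```python
import configparser

# Constructed samples mirroring the stunnel.conf and quickfixj config shown above.
STUNNEL_CONF = """\
; stunnel.conf
client = yes
; was stunnel.pem
cert = mycertificate.pem
[executor]
accept = 9876
connect = brokermachine:442
"""
QFJ_CONF = """\
[default]
ConnectionType=initiator
[session]
SocketConnectHost=localhost
SocketConnectPort=9876
"""

def parse(text):
    # Both files are INI-like. stunnel keeps global keys (client, cert) above
    # the first [service] header, so prepend a synthetic section to hold them.
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.optionxform = str  # keep key case, e.g. SocketConnectPort
    cp.read_string("[global]\n" + text)
    return cp

def qfj_setting(cp, key):
    # quickfixj resolves a session key from [session] first, then [default].
    return cp.get("session", key, fallback=cp.get("default", key, fallback=None))

def check_tunnel(stunnel_text, qfj_text, service="executor"):
    """Return the list of mismatches; an empty list means the two configs agree."""
    st, qf = parse(stunnel_text), parse(qfj_text)
    problems = []
    if st.get("global", "client", fallback="no").lower() != "yes":
        problems.append("stunnel is not in client mode (client = yes)")
    if st.get("global", "cert", fallback="") == "stunnel.pem":
        problems.append("stunnel still uses the default stunnel.pem test certificate")
    accept = st.get(service, "accept", fallback=None)
    host, port = qfj_setting(qf, "SocketConnectHost"), qfj_setting(qf, "SocketConnectPort")
    if host not in ("localhost", "127.0.0.1"):
        problems.append("SocketConnectHost=%s: quickfixj must connect to the local tunnel" % host)
    if accept != port:
        problems.append("SocketConnectPort=%s does not match stunnel accept=%s" % (port, accept))
    return problems

if __name__ == "__main__":
    print(check_tunnel(STUNNEL_CONF, QFJ_CONF) or "configs agree")
```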