QuickFIX/J CA Certificate Validation
I have an application written using QuickFIX/J to connect to the Bloomberg server. Recently Bloomberg added CA certificate validation to their servers, and they provide an additional CA certificate file for the handshake.

My application connects using SSL, and when CA certificate validation is disabled on the Bloomberg side, the application successfully connects to the server and gets the messages. The handshake fails when CA validation is enabled.

Below are the steps I tried.

  1. Previously I was using the ImportKey Java class to add the certificate and key. I changed it to add multiple certificates. If needed, I can post the Java class.
  2. When I connect to the server using openssl s_client, it successfully connects to the server.

Is there anything that needs to be changed at the application level? Configuration? Or is there anything to do at the Java keystore level?

The error message that comes when connecting is below:

20160823-06:04:15, FIX.4.4:XXXX->XXXX, error> (Disconnecting: Socket exception (/XXXX.XXXX.XXX.XX:20237): javax.net.ssl.SSLHandshakeException: SSL handshake failed.) Successfully logged out for sessionId : FIX.4.4:XXXX->XXXX

Any help is appreciated!


The configuration:

[default]
# Settings which apply to all the Sessions.

ConnectionType=initiator
LogonTimeout=86400
ResetOnLogon=Y
UseDataDictionary=Y
MaxLatency=240

#StartTime=00:00:00
#EndTime=00:00:00

#StartTime=02:30:00
#EndTime=12:30:00

StartTime=02:21:00
EndTime=12:21:00

HeartBtInt=30
ReconnectInterval=5

[session]
# Settings specifically for one session
BeginString=FIX.4.4
SocketConnectHost=xxx.xxx.xxx.xxx
SocketUseSSL=Y
SocketKeyStorePassword=importkey
CheckLatency=N

#SendResetSeqNumFlag=Y

# new setups

FileLogHeartbeats=Y
##----- CAPS Configuration ---------##

FileStorePath=/etc/bloomburg-live/msgs
FileLogPath=/etc/bloomburg-live/logs
DataDictionary=/etc/bloomburg-live/conf/FIX44.xml
SocketKeyStore=/root/.keystore
TargetCompID=BLPSTP
SocketConnectPort=xxxxx
SenderCompID=CAPSTP

# log configuration

FileIncludeMilliseconds=Y
FileIncludeTimeStampForMessages=Y
ScreenLogShowHeartBeats=Y
#Filter heartbeats from output (both incoming and outgoing)

PS - The application works without CA certificate validation. The error comes when CA certificate validation is enabled.

Scolex answered 23/8, 2016 at 6:12 Comment(5)
Downvote? Why is that? - Scolex
Perhaps you should show the code fragment handling the certificate. - Lornalorne
There are no code fragments, only configurations, and there is no configuration to handle the CA certificate. - Scolex
Do the Secure Communication Options offer any way to configure this? (SocketUseSSL etc.) - Lornalorne
Yes, I added them and it is working. The problem is that when they enable CA validation the handshake fails. With a general SSL key and certificate it works perfectly; when they enable CA validation the handshake fails. There is no configuration point for CA validation. I will add the conf file to the question. - Scolex

Yes. If the application previously worked with SSL, you don't need to make any changes on the application side. Normally QuickFIX/J processes SSL validation just like Java does. That means openssl and the Java keytool will do the trick for you. The steps are listed below.

  1. Create a PKCS12 keystore using the trust certificate, private key and CA certificate.
$ openssl pkcs12 -export -chain -in certificate.pem -inkey encodedKey.pem -out keystore.p12 -name importkey -CAfile CAcertificate.pem

Enter Export Password: importkey
Verifying - Enter Export Password: importkey

  2. Using keytool, import the PKCS12 keystore into the keystore used by QuickFIX/J, /root/.keystore. Again, you may select different passwords.
keytool -importkeystore -destkeystore /root/.keystore -srckeystore keystore.p12 -alias importkey
Enter destination keystore password: importkey
Re-enter new password: importkey
Enter source keystore password: importkey

  3. Change the configuration file and copy the keystore to the class path.
SocketKeyStore=keystore.ImportKey
cp /root/.keystore /your/classpath/keystore.ImportKey

That's it. Please note: adding the SSL key and certificates to the Java keystore does not work for QuickFIX/J, because QuickFIX/J maintains its own keystore. So make sure you add the keystore to the class path after the key-adding process.

Reference - https://blogs.oracle.com/jtc/entry/installing_trusted_certificates_into_a

Scolex answered 15/9, 2016 at 3:44 Comment(3)
cp /root/.keystore - where exactly is it copying to? - Delmerdelmor
It should copy to your class path. I will edit the answer. Thanks for the mention. - Scolex
I'm confused. I have no idea where this /root/.keystore is located. I'm on a Windows OS, by the way. Also, if I look at where I installed my FIX program for testing, I'm not seeing any root subdirectory. These steps, are they for *nix systems? PS: I am also in the situation where I will connect to Bloomberg. Which version of QuickFIX/J were you using? 1.5.3? 1.6.x? - Lornalorne
