
QuickFIX initiator certificates are not required to establish SSL communication with the acceptor

Tags: ssl, quickfix

I've been working on a client API using QuickFIX and I'm planning to use SSL and certificate-based authentication. I generated self-signed certificates for acceptor and initiator the following way:

1) Generate and export server/acceptor certificate:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.jks
keytool -export -alias server -file server.cer -keystore server.jks

2) Generate and export client/initiator certificate:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -keystore client.jks
keytool -export -alias client -file client.cer -keystore client.jks

3) Import server/acceptor certificate to client keystore:

keytool -import -v -trustcacerts -alias server -file server.cer -keystore client.jks

4) Import client/initiator certificate to server/acceptor keystore:

keytool -import -v -trustcacerts -alias client -file client.cer -keystore server.jks

Acceptor config:

SocketUseSSL=Y
SocketKeyStore=server.jks
SocketKeyStorePassword=password

Initiator config:

SocketUseSSL=Y
SocketKeyStore=client.jks
SocketKeyStorePassword=password

Everything seems to work fine and data is getting encrypted. However, if I remove the initiator's client.jks keystore file, I will get a QuickFIX log entry saying "client.jks: keystore not found, using empty keystore". Strange thing, the initiator is still able to connect and establish a valid FIX session. I would have expected the connection to be dropped immediately since no valid certificate is provided. Am I missing something?

Dr Boom asked Oct 02 '15 09:10


1 Answer

The client certificate is not required by default; you must set this: NeedClientAuth=Y

Jiayun Zhou answered Nov 07 '22 22:11
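
An added example, not part of the question or the answer and not QuickFIX code: a small audit script that parses a QuickFIX-style settings file and lists the acceptor sessions that enable SocketUseSSL without NeedClientAuth=Y, the condition the answer describes. The sample configuration is constructed, the function names are hypothetical, and the script assumes the usual [DEFAULT]/[SESSION] layout with ConnectionType selecting acceptor or initiator.

```python
# Constructed sample: CLIENT_A inherits SSL from [DEFAULT] without
# NeedClientAuth, CLIENT_B sets it, UPSTREAM is an initiator session.
SAMPLE_CFG = """\
[DEFAULT]
ConnectionType=acceptor
SocketUseSSL=Y
SocketKeyStore=server.jks
[SESSION]
TargetCompID=CLIENT_A
[SESSION]
TargetCompID=CLIENT_B
NeedClientAuth=Y
[SESSION]
ConnectionType=initiator
TargetCompID=UPSTREAM
"""

def parse_sessions(text):
    """Return one dict per [SESSION], with [DEFAULT] values merged underneath."""
    defaults, sessions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().upper()
            current = defaults if name == "DEFAULT" else {}
            if name == "SESSION":  # section names repeat, so keep a list
                sessions.append(current)
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return [{**defaults, **s} for s in sessions]

def is_yes(cfg, key):
    return cfg.get(key, "N").upper() == "Y"

def sessions_without_client_auth(text):
    """TargetCompIDs of SSL acceptor sessions that do not set NeedClientAuth=Y."""
    return [
        s.get("TargetCompID", "?")
        for s in parse_sessions(text)
        if s.get("ConnectionType", "").lower() == "acceptor"
        and is_yes(s, "SocketUseSSL") and not is_yes(s, "NeedClientAuth")
    ]

if __name__ == "__main__":
    for target in sessions_without_client_auth(SAMPLE_CFG):
        print(f"{target}: SocketUseSSL=Y but NeedClientAuth is not Y")
```

Setting NeedClientAuth=Y under [DEFAULT] in the sample clears the finding for every acceptor session that inherits it.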