I have an application written using QuickFIX/J to connect to a Bloomberg server. Recently Bloomberg added CA certificate validation to their servers, and they provide an additional CA certificate file for the handshake.
My application connects using SSL. When CA certificate validation is disabled on the Bloomberg side, the application successfully connects to the server and gets the messages. The handshake fails when CA validation is enabled.
Below are the steps I tried.
ImportKey: a Java class to add a certificate and key.
I changed it to add multiple certificates. If needed, I can post the Java class. Is there anything that needs to be changed at the application level? Configuration? Or is there anything to do at the Java keystore level?
The error message that comes when connecting is added below:
20160823-06:04:15, FIX.4.4:XXXX->XXXX, error> (Disconnecting: Socket exception (/XXXX.XXXX.XXX.XX:20237): javax.net.ssl.SSLHandshakeException: SSL handshake failed.) Successfully logged out for sessionId : FIX.4.4:XXXX->XXXX
Any help is appreciated!
The configuration:
[default]
# Settings which apply to all the Sessions.
ConnectionType=initiator
LogonTimeout=86400
ResetOnLogon=Y
UseDataDictionary=Y
MaxLatency=240
#StartTime=00:00:00
#EndTime=00:00:00
#StartTime=02:30:00
#EndTime=12:30:00
StartTime=02:21:00
EndTime=12:21:00
HeartBtInt=30
ReconnectInterval=5
[session]
# Settings specifically for one session
BeginString=FIX.4.4
SocketConnectHost=xxx.xxx.xxx.xxx
SocketUseSSL=Y
SocketKeyStorePassword=importkey
CheckLatency=N
#SendResetSeqNumFlag=Y
# new setups
FileLogHeartbeats=Y
##----- CAPS Configuration ---------##
FileStorePath=/etc/bloomburg-live/msgs
FileLogPath=/etc/bloomburg-live/logs
DataDictionary=/etc/bloomburg-live/conf/FIX44.xml
SocketKeyStore=/root/.keystore
TargetCompID=BLPSTP
SocketConnectPort=xxxxx
SenderCompID=CAPSTP
# log configuration
FileIncludeMilliseconds=Y
FileIncludeTimeStampForMessages=Y
ScreenLogShowHeartBeats=Y
#Filter heartbeats from output (both incoming and outgoing)
PS: The application works without CA certificate validation. The error comes when CA certificate validation is enabled.
Yes. If the application previously worked with SSL, you don't need to make any changes on the application side. Normally QuickFIX/J processes SSL validation just like Java does, which means openssl and the Java keytool will do the trick for you. The steps are listed below.
$ openssl pkcs12 -export -chain -in certificate.pem -inkey encodedKey.pem -out keystore.p12 -name importkey -CAfile CAcertificate.pem
Enter Export Password: importkey
Verifying - Enter Export Password: importkey
$ keytool -importkeystore -destkeystore /root/.keystore -srckeystore keystore.p12 -alias importkey
Enter destination keystore password: importkey
Re-enter new password: importkey
Enter source keystore password: importkey
Then point the session at the keystore and copy it onto the classpath under that name:
SocketKeyStore=keystore.ImportKey
$ cp /root/.keystore /your/classpath/keystore.ImportKey
That's it. Please note: adding the SSL key and certificates to the Java keystore does not work for QuickFIX/J, because QuickFIX/J maintains its own keystore. So make sure you add the keystore to the classpath after the key-adding process.
Reference - https://blogs.oracle.com/jtc/entry/installing_trusted_certificates_into_a
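Before changing the QuickFIX/J configuration it is worth confirming that the keystore really contains the key entry plus the full chain the `-chain -CAfile` export was supposed to add. The check below is an added example, not code from the answer above or from QuickFIX/J; it assumes the path, password and alias used in the steps above (`/root/.keystore`, `importkey`, `importkey`).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical diagnostic: load the keystore named by SocketKeyStore and verify
// that the alias is a key entry whose certificate chain is complete and valid.
// A chain that stops at the leaf (no CA from -CAfile) is the usual reason the
// handshake fails once the server starts validating.
public class KeystoreChainCheck {

    // Returns the chain length; throws if any link, date or alias check fails.
    public static int checkChain(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias
                    + "' is not a key entry; re-run the keytool import with -alias " + alias);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            c.checkValidity();                       // throws if expired / not yet valid
            System.out.printf("[%d] subject=%s%n    issuer=%s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
            if (i + 1 < chain.length) {
                // Each certificate must be signed by the next one in the chain.
                c.verify(((X509Certificate) chain[i + 1]).getPublicKey());
            }
        }
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        boolean endsAtRoot = last.getSubjectX500Principal().equals(last.getIssuerX500Principal());
        if (chain.length < 2 || !endsAtRoot) {
            System.out.println("WARNING: chain does not end at a self-signed CA; "
                    + "re-run 'openssl pkcs12 -export -chain ... -CAfile CAcertificate.pem'");
        }
        return chain.length;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "/root/.keystore";   // SocketKeyStore
        int n = checkChain(path, "importkey".toCharArray(), "importkey");
        System.out.println("chain length: " + n);
    }
}
```

Run it with the same JDK the FIX application uses, since the default keystore type and the trust checks come from that runtime.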