QuickFIX/J CA Certificate Validation

Question

I have an application written using QuickFIX/J to connect with Bloomberg Server. Recently Bloomberg added CA certificate validation to their servers and they provide additional CA certificate file for handshaking.

My application connected using SSL and when disable CA certificate validation from Bloomberg side, application successfully connect to server and get the messages. Handshaking failed when enable CA validation.

Below are the steps I tried.

1. Previously i'm using ImportKey Java class to add certificate and key. I changed it to add multiple certificates. If need I can post the Java class.
2. When I connect to the server using openssl s_client it successfully connects to the server.

Is there anything that needs to be changed on Application level? Configuration? Or is there anything to do in the Java keystore level?

Error message comes when connecting is added below:

20160823-06:04:15, FIX.4.4:XXXX->XXXX, error> (Disconnecting: Socket exception (/XXXX.XXXX.XXX.XX:20237): javax.net.ssl.SSLHandshakeException: SSL handshake failed.) Successfully logged out for sessionId : FIX.4.4:XXXX->XXXX

Any help is appreciated!

---

The configuration:

[default]
# Settings which apply to all the Sessions.

ConnectionType=initiator
LogonTimeout=86400
ResetOnLogon=Y
UseDataDictionary=Y
MaxLatency=240

#StartTime=00:00:00
#EndTime=00:00:00

#StartTime=02:30:00
#EndTime=12:30:00

StartTime=02:21:00
EndTime=12:21:00

HeartBtInt=30
ReconnectInterval=5

[session]
# Settings specifically for one session
BeginString=FIX.4.4
SocketConnectHost=xxx.xxx.xxx.xxx
SocketUseSSL=Y
SocketKeyStorePassword=importkey
CheckLatency=N

#SendResetSeqNumFlag=Y

# new setups

FileLogHeartbeats=Y
##----- CAPS Configuration ---------##

FileStorePath=/etc/bloomburg-live/msgs
FileLogPath=/etc/bloomburg-live/logs
DataDictionary=/etc/bloomburg-live/conf/FIX44.xml
SocketKeyStore=/root/.keystore
TargetCompID=BLPSTP
SocketConnectPort=xxxxx
SenderCompID=CAPSTP

# log configuration

FileIncludeMilliseconds=Y
FileIncludeTimeStampForMessages=Y
ScreenLogShowHeartBeats=Y       
#Filter heartbeats from output (both incoming and outgoing)

PS - Application work without CA certificate validation. Error comes when enabling CA certificate validation.

Answer 1

Yes, If the application previously worked with ssl. You dont need to do any changes in the application side. Normally Quickfix/j is processing ssl validation just like java. That means openssl and the java keytool will do the trick for you. So steps are listed below.

1. Create pkcs12 keystore using trust certificate, private key and ca certificate.

$ openssl pkcs12 -export -chain -in certificate.pem -inkey encodedKey.pem -out keystore.p12 -name importkey -CAfile CAcertificate.pem

Enter Export Password: importkey Verifying - Enter Export Password: importkey

2. Using keytool, import the PKCS12 keystore into the resulting keystore using by the quickfix/j called /root/.keystore. Again, you may select different passwords.

keytool -importkeystore -destkeystore /root/.keystore -srckeystore keystore.p12 -alias importkey
Enter destination keystore password: importkey
Re-enter new password: importkey
Enter source keystore password: importkey

3. Change the configuration file and copy the keystore to the class path.

SocketKeyStore=keystore.ImportKey
cp /root/.keystore keystore.ImportKey /your/classpath

Thats it. Please note, Adding ssl key and certificates to the java keystore is not working for quickfix/j due to quickfix/j is maintaining its own keystore. So make sure you add the keystore to the class path after the key adding process.

Reference - https://blogs.oracle.com/jtc/entry/installing_trusted_certificates_into_a