This topic describes the secure CME Globex logon process and scenarios for iLink and Drop Copy.
CME Globex API Secure Logon
CME Globex requires secure authentication for iLink and Drop Copy sessions on Convenience Gateway (CGW) and Market Segment Gateway (MSGW).
...
- Message confidentiality and integrity - to authenticate the logon message, the client system sends a keyed-hash message authentication code (HMAC) generated from a combination of the logon FIX tag values. When CME Globex receives the logon message, it recalculates the HMAC from the identical inputs and compares the result with the value carried in the logon request. If the values do not match, CME Globex rejects the logon.
Note: iLink and Drop Copy customers must use the logon procedure for all CME Group markets, including Partner Exchange markets hosted on the CME Globex platform.
Note: Customers must create secure key pairs for iLink and Drop Copy Sessions in the CME Customer Center.
Info: For more information on HMAC, please refer to:
Testing and Certification
Certification via AutoCert+ is required for the CME Globex API secure logon. An iLink and Drop Copy certification suite is currently available in AutoCert+.
Note: Customers must create secure key pairs for New Release and CERT iLink and Drop Copy Sessions in the Request Center NR/CERT.
Click here to access the help file to learn about the Request Center NR/CERT.
...
iLink and Drop Copy Security Credentials
When the client system submits a secure Logon message to iLink or Drop Copy, the message will contain the security credentials required for identity and permissions verification.
...
When a customer creates a secure key pair, the credentials can be viewed and downloaded in the CME Customer Center.
For security reasons, CME Group requires customers to change their security credentials every 12 months. Notification regarding pending security credential expiration will be sent to registered administrators.
Logon Procedure
This section describes the steps to sign a logon request to iLink and Drop Copy. These steps are:
- Create the Canonical FIX Message.
- Create the Signature using the Secret Key provided by CME and the Canonical FIX Message.
- Populate the Algorithm ID, Access Key ID and HMAC Signature in the credentials fields of the logon message.
Step 1 - Create Canonical FIX Message
To sign a logon request to iLink and Drop Copy, create a string from the following logon FIX tag values. All values used to create the signature must exactly match the tag values in the Logon message.
FIX tag values must be assembled in this order and concatenated into a single string delimited by the new line character (i.e. '\n').
Note: Only the tag value (not the tag number) is used when calculating the HMAC signature. Example: where tag 34=<999>, use only '999'.
- tag 34-MsgSeqNum – sequence number sent by the client system
- tag 49-SenderCompID – sender comp ID including the Fault Tolerance Indicator (right-most character)
- tag 50-SenderSubID – Operator ID
- tag 52-SendingTime – timestamp in milliseconds, UTC time format. UTC timestamps are sent as the number of nanoseconds since the Unix epoch, synced to a master clock to microsecond accuracy.
- tag 57-TargetSubID – recipient of the message. For iLink and Drop Copy sessions:
  - CGW session – 'G'
  - MSGW session – two-digit market segment ID
- tag 108-HeartBeatInterval – heartbeat interval specified in the logon message, as a number of seconds
- tag 142-SenderLocationID – assigned value used to identify the specific message originator's location (i.e. geographic location)
- tag 369-LastMsgSeqNumProcessed – last message sequence number processed by the client system (optional tag)
- tag 1603-ApplicationSystemName – identifies the system generating the message
- tag 1604-ApplicationSystemVersion – identifies the version of the system generating the message
- tag 1605-ApplicationSystemVendor – identifies the vendor of the application system
Example of creating canonical FIX message
Step 2 - Create Signature using Secret Key and Canonical FIX Message
The signature is the HMAC-SHA256 of the Canonical Message created in Step 1, keyed with the Secret Key provided by CME, encoded with Base64 URL Encoding and with the '=' padding stripped.
...
Example Signature: oHZ2Dx1ihFAp7kHOFcJPkijm27xfApJFp-ZhsSCxr3s
Example of creating Base 64 URL Encoding using HMAC SHA256
Signature calculation in Java:
...
Signature calculation in C++ using Crypto++ 5.6.5:

```cpp
// This example is using Crypto++ library version 5.6.5 from https://www.cryptopp.com/
// g++ -I/usr/include/cryptopp hmacexample.cpp -o hmac.exe -lcryptopp -lpthread
#include <iostream>
using std::cout;
using std::cerr;
using std::endl;

#include <string>
using std::string;

#include <cstdlib>
using std::exit;

#include "cryptopp/cryptlib.h"
using CryptoPP::Exception;

#include "cryptopp/hmac.h"
using CryptoPP::HMAC;

#include "cryptopp/sha.h"
using CryptoPP::SHA256;

#include "cryptopp/base64.h"
using CryptoPP::Base64URLEncoder;
using CryptoPP::Base64URLDecoder;

#include "cryptopp/filters.h"
using CryptoPP::StringSink;
using CryptoPP::StringSource;
using CryptoPP::HashFilter;

// key: the Secret Key as distributed by CME (base64url encoded)
// canonicalRequest: the canonical FIX message built in Step 1
// returns: the base64url encoded HMAC-SHA256 signature without padding
string calculateHMAC(string &key, string &canonicalRequest)
{
    string decoded_key, calculatedHmac, encodedHmac;

    try
    {
        // Decode the key since it is base64url encoded
        StringSource(key, true,
            new Base64URLDecoder(
                new StringSink(decoded_key)
            ) // Base64URLDecoder
        ); // StringSource

        // Calculate HMAC-SHA256 over the canonical request with the decoded key
        HMAC<SHA256> hmac((const byte*)decoded_key.c_str(), decoded_key.size());
        StringSource(canonicalRequest, true,
            new HashFilter(hmac,
                new StringSink(calculatedHmac)
            ) // HashFilter
        ); // StringSource
    }
    catch (const CryptoPP::Exception& e)
    {
        cerr << e.what() << endl;
        exit(1);
    }

    // base64url encode the HMAC and strip padding
    // (Base64URLEncoder emits no '=' padding by default)
    StringSource(calculatedHmac, true,
        new Base64URLEncoder(
            new StringSink(encodedHmac)
        ) // Base64URLEncoder
    ); // StringSource

    return encodedHmac;
}
```
Step 3 - Populate Algorithm ID plus Access Key ID plus HMAC Signature in the new credentials fields of the logon message
- tag 354-EncodedTextLen - contains the length of AccessKeyID
- tag 355-EncodedText - contains the AccessKeyID
- tag 1400-EncryptedPasswordMethod - contains the AlgorithmID defined as CME-1-SHA-256
- tag 1401-EncryptedPasswordLen - contains the length of the HMAC signature
- tag 1402-EncryptedPassword - contains the HMAC signature. HMAC signature must be encoded in Base 64 Encoding with URL and Filename Safe Alphabet.
If any of these tags are missing, the client systems will receive a Logout message in response. The Logout message will not include detailed rationale for the failure to help protect the security of client sessions.
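Steps 1 to 3 above, together with the gateway-side recalculation described under CME Globex API Secure Logon, carried through as an added Python example. This is not CME's code and not the Java or C++ samples referenced on this page. The tag values, the Access Key ID and the Secret Key are constructed placeholders, and the function names (build_canonical_message, sign_canonical_message, populate_logon_credentials, verify_logon_signature) are this example's own. It assumes the Secret Key is distributed base64url-encoded, as the Crypto++ sample decodes it, and that the signature carries no '=' padding, matching the 43-character example signature in Step 2.

```python
import base64
import hashlib
import hmac

# Tag order for the canonical message, exactly as listed in Step 1.
# Tag 369-LastMsgSeqNumProcessed is optional and is skipped when absent.
CANONICAL_TAG_ORDER = (34, 49, 50, 52, 57, 108, 142, 369, 1603, 1604, 1605)
OPTIONAL_TAGS = {369}
ALGORITHM_ID = "CME-1-SHA-256"   # value carried in tag 1400-EncryptedPasswordMethod


def build_canonical_message(tags):
    """Step 1: join the logon tag values (never the tag numbers) with a newline, in order."""
    parts = []
    for tag in CANONICAL_TAG_ORDER:
        if tag not in tags:
            if tag in OPTIONAL_TAGS:
                continue
            raise KeyError(f"tag {tag} is required for the canonical message")
        parts.append(str(tags[tag]))
    return "\n".join(parts)


def b64url_decode(text):
    # The Secret Key is handed out base64url-encoded; restore '=' padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode_unpadded(raw):
    # Base64 with the URL and filename safe alphabet, '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_canonical_message(secret_key_b64url, canonical):
    """Step 2: HMAC-SHA256 over the canonical message, keyed with the decoded Secret Key."""
    key = b64url_decode(secret_key_b64url)
    digest = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).digest()
    return b64url_encode_unpadded(digest)


def populate_logon_credentials(tags, access_key_id, secret_key_b64url):
    """Step 3: return a copy of the logon tags with 354/355/1400/1401/1402 filled in."""
    signature = sign_canonical_message(secret_key_b64url, build_canonical_message(tags))
    logon = dict(tags)
    logon[354] = len(access_key_id)   # EncodedTextLen
    logon[355] = access_key_id        # EncodedText
    logon[1400] = ALGORITHM_ID        # EncryptedPasswordMethod
    logon[1401] = len(signature)      # EncryptedPasswordLen
    logon[1402] = signature           # EncryptedPassword
    return logon


def verify_logon_signature(logon, secret_key_b64url):
    """Gateway-side check: recompute the HMAC from the received tag values and compare it
    in constant time with tag 1402. A missing input simply fails verification, matching
    the Logout-without-rationale behaviour described in Step 3."""
    if logon.get(1400) != ALGORITHM_ID:
        return False
    try:
        expected = sign_canonical_message(secret_key_b64url, build_canonical_message(logon))
    except KeyError:
        return False
    return hmac.compare_digest(expected, str(logon.get(1402, "")))


# Constructed sample input (placeholders, not real CME credentials or session values).
SAMPLE_LOGON_TAGS = {
    34: 1,                          # MsgSeqNum
    49: "ABC123N",                  # SenderCompID; right-most character is the FTI
    50: "TRADER01",                 # SenderSubID (Operator ID)
    52: "20240102-13:45:00.123",    # SendingTime
    57: "G",                        # TargetSubID for a CGW session
    108: 30,                        # HeartBeatInterval in seconds
    142: "US,IL",                   # SenderLocationID
    1603: "ExampleOMS",             # ApplicationSystemName
    1604: "1.0.0",                  # ApplicationSystemVersion
    1605: "ExampleVendor",          # ApplicationSystemVendor
}
SAMPLE_ACCESS_KEY_ID = "EXAMPLE-ACCESS-KEY-ID"                   # placeholder
SAMPLE_SECRET_KEY = b64url_encode_unpadded(bytes(range(1, 33)))   # placeholder 32-byte key


if __name__ == "__main__":
    signed = populate_logon_credentials(SAMPLE_LOGON_TAGS, SAMPLE_ACCESS_KEY_ID, SAMPLE_SECRET_KEY)
    print(build_canonical_message(signed))
    print("1402=" + signed[1402], "valid:", verify_logon_signature(signed, SAMPLE_SECRET_KEY))
```

Because a SHA-256 digest is 32 bytes, the unpadded base64url signature is always 43 characters, which is the value tag 1401 carries. The verification side compares with hmac.compare_digest so that a mismatch takes the same time regardless of which byte differs, and it recomputes from the tag values actually received, which is why every input must match the Logon message exactly.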
Secure Logon from Client System to CME Globex
This diagram illustrates the data processing required for the client system to submit a secure Logon message to CME Globex.
...
- HMAC authentication response contains an incorrect SenderCompID
  - 58=Invalid Logon. Logout Forced
- HMAC authentication response fails because the HMAC Signature does not match
  - 58=Invalid Logon. Logout Forced
- HMAC authentication response fails because the Access Key ID does not match
  - 58=Invalid Logon. Logout Forced
Note: Invalid Logon (tag 35=A) due to HMAC authentication will be counted towards Automated iLink Port Closure.
Secure Logon from CME Globex to Client System
This diagram illustrates how CME Globex validates the secure client Logon using the same inputs used by the client system to generate the HMAC signature.
Tag 52-SendingTime Validation
iLink and Drop Copy logon requests must reach CME Globex within 5 seconds to prevent a stale logon. Timestamps (tag 52-SendingTime) submitted by the client system in a Logon (tag 35-MsgType=A) message that are older than 5 seconds will be rejected, and CME Globex will send a Logout (tag 35-MsgType=5) message to the client system.
Info: To ensure the timestamp value submitted in tag 52 is current, CME Group strongly recommends the following Network Time Protocol guidelines.
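The 5-second freshness rule for tag 52-SendingTime, as an added Python example that is not CME's code. It parses the FIX UTCTimestamp carried in tag 52 (accepting 3, 6 or 9 fractional digits, to cover the millisecond and nanosecond precisions mentioned under Step 1) and returns the gateway decision. The function names, the sample clock reading and the sample timestamps are constructed. Treating a malformed timestamp like a stale one, and accepting a timestamp that is slightly in the future, are this example's assumptions, since the page only fixes the staleness bound.

```python
from datetime import datetime, timedelta, timezone

MAX_LOGON_AGE = timedelta(seconds=5)   # staleness bound for tag 52 on iLink / Drop Copy logons
MSGTYPE_LOGOUT = "5"                   # tag 35-MsgType=5


def parse_sending_time(value):
    """Parse a FIX UTCTimestamp 'YYYYMMDD-HH:MM:SS' with an optional '.fff', '.ffffff' or
    '.fffffffff' fraction into a timezone-aware UTC datetime. Nanosecond digits beyond
    microseconds are truncated because datetime resolves only to microseconds."""
    if len(value) < 17 or value[8] != "-":
        raise ValueError(f"malformed tag 52 value: {value!r}")
    base = datetime.strptime(value[:17], "%Y%m%d-%H:%M:%S").replace(tzinfo=timezone.utc)
    fraction = value[17:]
    if not fraction:
        return base
    digits = fraction[1:]
    if fraction[0] != "." or len(digits) not in (3, 6, 9) or not digits.isdigit():
        raise ValueError(f"malformed fractional seconds in tag 52: {value!r}")
    return base + timedelta(microseconds=int(digits[:6].ljust(6, "0")))


def logon_age(sending_time, now):
    """Age of the Logon as seen by the gateway; negative when the client clock runs ahead."""
    return now - parse_sending_time(sending_time)


def check_logon_sending_time(sending_time, now):
    """Gateway-side decision for tag 52, returned as (accepted, response_msgtype).
    A stale timestamp yields a Logout (35=5). Treating an unparseable value the same way
    is an assumption of this example, not a rule stated on the page."""
    try:
        age = logon_age(sending_time, now)
    except ValueError:
        return (False, MSGTYPE_LOGOUT)
    if age > MAX_LOGON_AGE:
        return (False, MSGTYPE_LOGOUT)
    # A timestamp slightly in the future (client clock ahead) is accepted here; the page
    # specifies only the staleness bound.
    return (True, None)


# Constructed sample: the gateway clock at the moment the Logon arrives, plus two timestamps
# that sit on either side of the 5-second limit.
SAMPLE_NOW = datetime(2024, 1, 2, 13, 45, 5, 123000, tzinfo=timezone.utc)
SAMPLE_FRESH = "20240102-13:45:00.123"   # exactly 5.000 s old: accepted
SAMPLE_STALE = "20240102-13:45:00.122"   # 5.001 s old: rejected

if __name__ == "__main__":
    for ts in (SAMPLE_FRESH, SAMPLE_STALE):
        print(ts, logon_age(ts, SAMPLE_NOW), check_logon_sending_time(ts, SAMPLE_NOW))
```

The outcome depends entirely on how well the client clock agrees with the gateway clock, which is why the Info note above ties this check to Network Time Protocol guidelines: a client a few seconds behind real time will have every Logon rejected even though the signature is correct.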
Logon Scenarios
Client systems use the Logon (tag 35-MsgType=A) message for authentication with CME Globex. There are three Logon scenarios:
...
Info: If there is a logon failure, the client system must reset the inbound and outbound sequence numbers to '1' until the client system establishes a successful Beginning of Week Logon.
Note: The client system must submit the Logon message within 60 seconds of establishing a TCP/IP connection. If the client system does not submit the Logon message within 60 seconds, the TCP/IP socket connection is assumed to be stale and the socket is closed.
See also: Session Layer - Fault Tolerance for a discussion of setting the Fault Tolerance Indicator (FTI) at logon and failover scenarios.
Beginning of Week Logon
The Beginning of Week Logon message must be populated with:
...
Sequence Numbers - If the client system outbound* sequence number is not reset to '1' prior to the Beginning of Week Logon and the client system sends a Logon (tag 35-MsgType=A) message, the client is logged out. The Logout message will carry tag 58-Text="Failed to reset sequence numbers at beginning of the week. Logout forced." The client must then reset sequence numbers and reattempt the logon.
Mid-Week Logon
Mid-Week Logon is used for any subsequent logon after a successful Beginning of Week Logon. The Mid-Week Logon uses a sequence number series that continues from the next sequence number where the client logged off or was disconnected.
...
Mid-Week Logon and Undelivered Messages
Mid-Week Logon provides handling for undelivered messages which were sent while the client system was logged out:
...
In-Session Logon
Warning: In-Session Logon should only be used to recover from catastrophic failure, since all messages sent prior to the reset will not be recoverable.
Info: The client system must send a Test Request (tag 35-MsgType=1) message before sending an In-Session Logon (tag 35-MsgType=A) message. If the messages are not sent in that order, the client system may lose messages that cannot be requested again, because the sequence number may be reset to '1' for both parties, client and CME Globex.
...
Info: Do not use tag 141-ResetSeqNumFlag to recover from network disconnects during the week.
In-Session Logon Used to Reset Sequence Number
The following diagram illustrates a successful In-Session Logon scenario where the client system uses an iLink 2 Test Request message and resets sequence numbers to '1' due to a catastrophic failure.
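The scenario rules stated across the Logon Scenarios sections (the 60-second logon deadline, the sequence-number reset required before a Beginning of Week Logon and after any logon failure, continuation of the series at Mid-Week, and a Test Request before an In-Session reset) collected into a small client-side state model, as an added Python example that is not CME's code. The class and function names, the scenario labels and the "SOCKET_CLOSED" marker are this example's own. Two points are assumptions rather than page content: a Mid-Week Logon attempted before any successful Beginning of Week Logon is modelled as a Logout with no tag 58 text, and the gateway's successful reply is modelled as a Logon (35=A) acknowledgement as in standard FIX.

```python
from dataclasses import dataclass

MSGTYPE_LOGON = "A"           # tag 35-MsgType=A
MSGTYPE_LOGOUT = "5"          # tag 35-MsgType=5
MSGTYPE_TEST_REQUEST = "1"    # tag 35-MsgType=1
LOGON_DEADLINE_SECONDS = 60   # Logon must follow the TCP/IP connection within this window
BOW_RESET_FAILURE_TEXT = (
    "Failed to reset sequence numbers at beginning of the week. Logout forced."
)


@dataclass
class ClientSessionState:
    """Sequence-number bookkeeping kept by the client system (simplified model)."""
    outbound_seq: int = 1
    inbound_seq: int = 1
    bow_logon_succeeded: bool = False
    test_request_sent: bool = False   # a 35=1 has gone out since the last logon

    def reset_sequence_numbers(self):
        self.outbound_seq = 1
        self.inbound_seq = 1

    def send_test_request(self):
        self.test_request_sent = True
        self.outbound_seq += 1        # the Test Request consumes an outbound sequence number


def choose_logon_type(state, reconnect_reason):
    """Pick the scenario the page prescribes for the current situation."""
    if not state.bow_logon_succeeded:
        return "BEGINNING_OF_WEEK"
    if reconnect_reason == "catastrophic_failure":
        return "IN_SESSION"
    # A network disconnect during the week continues the series (no tag 141 reset).
    return "MID_WEEK"


def attempt_logon(state, logon_type, seconds_since_tcp_connect):
    """Apply the scenario rules and return (response_msgtype, tag58_text) as the gateway
    would answer, updating the client state the way the page says the client must."""
    if seconds_since_tcp_connect > LOGON_DEADLINE_SECONDS:
        return ("SOCKET_CLOSED", None)      # connection treated as stale; no FIX reply

    if logon_type == "BEGINNING_OF_WEEK":
        if state.outbound_seq != 1:
            state.reset_sequence_numbers()  # reset both until a BoW logon succeeds
            return (MSGTYPE_LOGOUT, BOW_RESET_FAILURE_TEXT)
        state.bow_logon_succeeded = True
        state.outbound_seq += 1             # the Logon itself used sequence number 1
        return (MSGTYPE_LOGON, None)

    if logon_type == "MID_WEEK":
        if not state.bow_logon_succeeded:
            state.reset_sequence_numbers()
            return (MSGTYPE_LOGOUT, None)   # rationale text not specified on this page
        state.outbound_seq += 1             # series continues from where it left off
        return (MSGTYPE_LOGON, None)

    if logon_type == "IN_SESSION":
        if not state.test_request_sent:
            raise RuntimeError("send a Test Request (35=1) before an In-Session Logon")
        state.reset_sequence_numbers()      # both sides restart at 1; earlier messages are lost
        state.test_request_sent = False
        state.outbound_seq += 1
        return (MSGTYPE_LOGON, None)

    raise ValueError(f"unknown logon type {logon_type!r}")


if __name__ == "__main__":
    session = ClientSessionState(outbound_seq=57, inbound_seq=40)   # left over from last week
    print(attempt_logon(session, choose_logon_type(session, "scheduled"), 2))   # Logout, tag 58
    print(attempt_logon(session, choose_logon_type(session, "scheduled"), 2))   # Logon accepted
    print(attempt_logon(session, choose_logon_type(session, "network_disconnect"), 2))
```

choose_logon_type encodes the guidance that a network disconnect during the week is recovered with a Mid-Week Logon that continues the sequence series, while the In-Session reset is reserved for catastrophic failure and is refused by the model until a Test Request has been sent.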
...