Drop Copy 4.0 Session Layer - Logon
This topic describes the secure CME Globex logon process and scenarios for Drop Copy.
Contents
- 1 CME Globex API Secure Logon
- 1.1 Drop Copy Security Credentials
- 1.2 Logon Procedure
- 1.2.1 Step 1 - Create Canonical FIX Message
- 1.2.2 Example of creating canonical FIX message
- 1.2.3 Step 2 - Create Signature using Secret Key and Canonical FIX Message
- 1.2.4 Step 3 - Populate Algorithm ID plus Access Key ID plus HMAC Signature in the new credentials fields of the logon message
- 1.2.5 Secure Logon from Client System to CME Globex
- 1.2.6 Secure Logon from CME Globex to Client System
- 1.3 Tag 52-SendingTime Validation
- 2 Drop Copy 4.0 Logon Scenarios
CME Globex API Secure Logon
CME Globex requires secure authentication for Drop Copy sessions on Convenience Gateway (CGW) and Market Segment Gateway (MSGW).
The logon procedure secures the client system logon with:
Customer identity verification - a client system logon request will be signed with security credentials issued and validated by CME Group.
Message confidentiality and integrity - to credential the logon message, the client system sends a keyed-hash message authentication code (HMAC) generated from a combination of the logon FIX tag values. When CME Globex receives the logon message, it uses the identical inputs to calculate the HMAC value to validate against the logon request. If the values do not match, CME Globex rejects the logon.
Drop Copy customers must use the logon procedure for all CME Group markets, including Partner Exchange markets hosted on the CME Globex platform.
Customers must create secure key pairs for Drop Copy Sessions in the CME Customer Center.
For more information on HMAC, please refer to:
Drop Copy Security Credentials
When the client system submits a secure Logon message to Drop Copy, the message will contain the security credentials required for identity and permissions verification.
Security credentials are secure key pairs available only to the customer and the CME Globex platform.
Access Key ID – used to sign Logon request to Drop Copy.
Secret Key – used to create HMAC signature.
Secure Key Pair Creation and Management in the CME Customer Center
When a customer creates a secure key pair, the credentials can be viewed and downloaded in the CME Customer Center.
The Request Center is closed on weekends, from 4:30 pm Friday to 10:00 am Sunday CT.
For security reasons, CME Group requires customers to change their security credentials every 12 months. Notification regarding pending security credential expiration will be sent to registered administrators.
In a Disaster Recovery (DR) scenario, if a customer has created or managed the secure key pair (Access Key ID + Secret Key) in production within 15 minutes prior to the disaster event, that security credential change may not be reflected in the DR environment; in such an unlikely event, customers should generate a new secure key pair upon CME Globex transition to the DR environment.
Logon Procedure
This section describes the steps to sign a logon request to Drop Copy. These steps are:
Create Canonical FIX Message.
Create Signature using Secret Key provided by CME and Canonical FIX Message.
Populate Algorithm ID plus Access Key ID plus HMAC Signature in the credentials fields of the logon message.
Step 1 - Create Canonical FIX Message
To sign a logon request to Drop Copy, create a string that includes the following information from the logon FIX tag values. All values used to create the signature must match exactly to the tag values in the Logon message.
FIX tag values must be assembled in this order and values concatenated into a single string delimited by the new line character (i.e. ‘\n’).
Only the tag value—not the tag number—must be used for the calculation of HMAC signature.
Example: where tag 34=<999>, use only '999'.
- tag 34-MsgSeqNum – sequence number sent by client system
- tag 49-SenderCompID – sender comp ID including the Fault Tolerance Indicator (right-most character)
- tag 50-SenderSubID – Operator ID
- tag 52-SendingTime – timestamp in milliseconds, UTC time format. UTC Timestamps are sent in number of nanoseconds since Unix epoch synced to a master clock to microsecond accuracy.
- tag 57-TargetSubID – recipient of message. For Drop Copy sessions:
  - CGW session – ‘G’
  - MSGW session - two digit market segment ID
- tag 108-HeartBeatInterval – heartbeat interval specified in the logon message as number of seconds
- tag 142-SenderLocationID – assigned value used to identify specific message originator's location (i.e. geographic location)
- tag 369-LastMsgSeqNumProcessed – last message sequence number processed by the client system
  - This is an optional tag.
- tag 1603-ApplicationSystemName – identifies system generating the message
- tag 1604-ApplicationSystemVersion – identifies the version of the system generating the message
- tag 1605-ApplicationSystemVendor – identifies the vendor of the application system
Example of creating canonical FIX message
Step 2 - Create Signature using Secret Key and Canonical FIX Message
The signature is the Base64 URL encoding of the HMAC calculated over the Canonical Message created in Step 1, keyed with the Secret Key provided by CME.
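The following is an added example, not CME Group code, of Steps 1 and 2 together with the receiver-side recomputation described under CME Globex API Secure Logon. The SHA-256 digest, the use of raw key bytes, the retained Base64 padding, the skipping of an absent tag 369 and every sample value are assumptions; this page does not specify them.

```python
import base64
import hashlib
import hmac

# Step 1 tag order; per the page, tag 369 is the only optional one.
CANONICAL_TAGS = (34, 49, 50, 52, 57, 108, 142, 369, 1603, 1604, 1605)
OPTIONAL_TAGS = {369}

def canonical_message(logon):
    """Join tag values (never tag numbers) with '\\n' in Step 1 order."""
    values = []
    for tag in CANONICAL_TAGS:
        if tag not in logon:
            if tag in OPTIONAL_TAGS:
                continue  # assumption: an absent optional tag adds no line
            raise ValueError(f"logon is missing required tag {tag}")
        value = str(logon[tag])
        if "\n" in value:
            # A delimiter inside a value would let two different logons
            # canonicalize to the same string.
            raise ValueError(f"tag {tag} value contains the delimiter")
        values.append(value)
    return "\n".join(values)

def sign(secret_key, logon, digest=hashlib.sha256):
    """Step 2: HMAC over the canonical message, Base64 URL encoded.
    Assumptions: SHA-256 digest, raw key bytes, '=' padding kept."""
    mac = hmac.new(secret_key, canonical_message(logon).encode("utf-8"), digest)
    return base64.urlsafe_b64encode(mac.digest()).decode("ascii")

def verify(secret_key, logon, signature, digest=hashlib.sha256):
    """Receiver side: recompute from the received tags, compare in constant time."""
    return hmac.compare_digest(sign(secret_key, logon, digest), signature)

# Constructed sample values, not real credentials or session identifiers.
SAMPLE_KEY = b"constructed-demo-secret"
SAMPLE_LOGON = {
    34: "999", 49: "ABC123N", 50: "OPERATOR1", 52: "20240102-13:30:00.123",
    57: "G", 108: "30", 142: "US,IL", 1603: "DemoSystem", 1604: "1.0",
    1605: "DemoVendor",
}

if __name__ == "__main__":
    sig = sign(SAMPLE_KEY, SAMPLE_LOGON)
    print(canonical_message(SAMPLE_LOGON).split("\n"))
    print("valid:", verify(SAMPLE_KEY, SAMPLE_LOGON, sig))
    # Any tag value that differs from what was signed fails verification.
    changed = {**SAMPLE_LOGON, 52: "20240102-13:30:00.124"}
    print("after changing tag 52:", verify(SAMPLE_KEY, changed, sig))
```

Because the receiver recomputes the HMAC from the tag values it actually receives, the signed values and the values placed in the Logon message must come from the same variables rather than being formatted twice.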
Copyright © 2024 CME Group Inc. All rights reserved.