SSL / TLS Certificates

Eurex Clearing interfaces use TLS encryption and certificate-based client authentication to secure the connection. Both the public keys of the AMQP broker and the client certificate have to be provided to the client. Without them, the client will be unable to connect or authenticate.

Client certificate

The guide for generating the client certificates is part of the “Volume A: Connectivity” document. Java clients require the client certificate to be provided in the Java Keystore format (JKS), where it is encrypted and protected by a password. When the keytool utility is used to generate the certificate, it is created in the JKS format already. If other tools were used to generate the certificate, it has to be converted first.

The following command can be used to convert a certificate from the PKCS12 format to the JKS format [4] (the angle-bracket values are placeholders for the Member's own file names):

$ keytool -importkeystore -srckeystore <source.p12> -srcstoretype PKCS12 -destkeystore <destination.keystore>

For example:

$ keytool -importkeystore -srckeystore ABCFR_ABCFRALMMACC1.p12 -srcstoretype PKCS12 -destkeystore ABCFR_ABCFRALMMACC1.keystore
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias carex_testcalmmacc1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

During the conversion, a new password for the JKS keystore as well as the password for the existing PKCS12 file have to be entered.

A certificate which is ready to be used by a Java client might look very similar to this:

$ keytool -list -v -keystore ABCFR_ABCFRALMMACC1.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: abcfr_abcfralmmacc1
Creation date: Feb 10, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN= ABCFR_ABCFRALMMACC1
Issuer: CN= ABCFR_ABCFRALMMACC1
Serial number: 54bce281
Valid from: Mon Jan 19 11:54:57 CET 2015 until: Fri Jan 19 11:54:57 CET 2018
Certificate fingerprints:
MD5: AA:22:FD:83:43:26:8B:79:30:CA:74:6D:31:7B:BA:72
SHA1: FE:46:CD:84:86:49:34:15:7F:1D:D8:A5:B0:BE:CA:F6:19:C2:A6:3B
SHA256: 40:8B:A1:1F:68:58:90:0D:B2:1D:4C:F0:77:2D:CD:39:E3:73:62:B9:FA:CF:BF:EA:A5:08:08:F2:86:4F:8A:70
Signature algorithm name: SHA512withRSA
Version: 3
*******************************************
*******************************************

The keystore file needs to be provided to the Java client together with the password.

Broker public keys

When connecting to the broker, the Member application should verify the identity of the AMQP broker in order to protect against man-in-the-middle attacks. The Eurex Clearing AMQP brokers use certificates signed by a trusted certification authority (CA). The public keys of the Eurex Clearing interfaces can be used to verify their identity. Each interface has its own unique keys for the simulation and production environments.

The public key(s) should be stored in a file called “truststore”. The truststore is stored in Java Keystore (JKS) format, where it is encrypted and protected by a password. The truststore file needs to be provided to the Java client together with the password. The truststore can contain multiple public keys.

The public keys of the AMQP broker are available on the website of Eurex Clearing under the following path:

Eurex Clearing FIXML Interface: http://www.eurexclearing.com -> Technology -> Eurex Clearing classic system / Eurex Clearing’s C7 System documentation -> Eurex Clearing Interfaces

Eurex Clearing FpML Interface: https://member.eurexclearing.com -> Clearing Resources -> Releases -> EurexOTC Clear -> Interest Rate Swaps -> IRS Release 3.0 -> Interfaces -> Eurex Clearing FpML Interface

Eurex Clearing Margin Calculator Interface: https://member.eurexclearing.com -> Clearing Resources -> Releases -> EurexOTC Clear -> Interest Rate Swaps -> IRS Release 3.0 -> Interfaces -> Eurex Clearing FpML Interface

They can be loaded into a new truststore using the import functionality of the keytool utility [5] (the angle-bracket values are placeholders):

keytool -importcert -file <certificate file> -alias simulation -keystore <truststore file>
Enter keystore password: <Password>
Owner: CN=ecag-fixml-simu1.deutsche-boerse.com
Issuer: CN=VeriSign Class 3 Secure Server CA - G3
Serial number: ad5500000002b7f9b8f4f31234af
Valid from: Tue Apr 15 18:35:26 CEST 2012 until: Sun Apr 14 18:35:26 CEST 2014
Certificate fingerprints:
MD5: 8F:AE:D7:14:CD:37:3F:3B:E8:E7:F2:42:F3:14:BE:4E
SHA1: 94:52:92:97:7C:0A:D7:23:11:E6:43:69:B0:1F:C5:1B:9F:C2:D3:9B
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

The <certificate file> and <truststore file> as well as the <Password> values have to be replaced according to the Member’s environment. The resulting truststore file should contain the public keys of all brokers as trusted certificate entries:

keytool -list -keystore <truststore file>
Enter keystore password: <Password>
Keystore-Typ: jks
Keystore-Provider: SUN
Your keystore contains 2 entries
simulation, 28.04.2011, trustedCertEntry,
Certificate fingerprint (MD5): 86:58:B9:E1:83:80:E6:68:63:7E:92:EA:30:4A:D5:91
production, 28.04.2011, trustedCertEntry,
Certificate fingerprint (MD5): 86:63:B9:EA:83:80:E6:6F:6C:AE:92:EB:40:A2:31:53
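The following is an added example, not code from this guide or from Eurex Clearing, showing how a Java client consumes the two artefacts described above: the JKS client keystore (including a programmatic equivalent of the PKCS12-to-JKS conversion from the "Client certificate" section) and the truststore holding the broker public keys. It uses plain JSSE rather than the Apache Qpid API, lists the trusted broker certificates with their SHA-256 fingerprints so they can be checked against the published values, and enables hostname verification for the handshake. File names, passwords, the broker host name and the port are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Example only: plain JSSE setup for a mutually authenticated TLS connection to an AMQP broker. */
public class EurexTlsSetup {

    /** Loads a keystore of the given type (JKS or PKCS12) from disk, unlocking it with its password. */
    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Programmatic equivalent of "keytool -importkeystore -srcstoretype PKCS12": re-saves the key entries as JKS. */
    static void convertPkcs12ToJks(String p12Path, char[] p12Password, String jksPath, char[] jksPassword) throws Exception {
        KeyStore src = load("PKCS12", p12Path, p12Password);
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null); // start with an empty JKS keystore
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (src.isKeyEntry(alias)) {
                dst.setKeyEntry(alias, src.getKey(alias, p12Password), jksPassword, src.getCertificateChain(alias));
            }
        }
        try (OutputStream out = new FileOutputStream(jksPath)) {
            dst.store(out, jksPassword);
        }
    }

    /** SHA-256 fingerprint in the colon-separated form printed by "keytool -list -v". */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** The client keystore supplies our certificate; the truststore decides which brokers we trust. */
    static SSLContext buildContext(KeyStore clientKeystore, char[] keyPassword, KeyStore truststore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeystore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore); // only certificates in the truststore (or chains ending in them) are accepted
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder passwords, file names and endpoint; the real values come from the Member's environment.
        char[] keystorePassword = "changeit".toCharArray();
        char[] truststorePassword = "changeit".toCharArray();
        String brokerHost = "broker.example.invalid";
        int brokerPort = 5671;

        KeyStore clientKeystore = load("JKS", "ABCFR_ABCFRALMMACC1.keystore", keystorePassword);
        KeyStore truststore = load("JKS", "truststore", truststorePassword);

        // List the trusted broker certificates with their SHA-256 fingerprints so they can be
        // compared against the values published by Eurex Clearing before the first connection.
        for (Enumeration<String> e = truststore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (truststore.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) truststore.getCertificate(alias);
                c.checkValidity(); // fails loudly on an expired or not-yet-valid entry
                System.out.println(alias + ": " + c.getSubjectX500Principal() + " SHA256=" + sha256Fingerprint(c));
            }
        }

        SSLContext ctx = buildContext(clientKeystore, keystorePassword, truststore);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(brokerHost, brokerPort)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // broker host name must match its certificate
            socket.setSSLParameters(params);
            socket.startHandshake(); // trust chain and client certificate are verified here
            X509Certificate peer = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("Handshake with " + peer.getSubjectX500Principal() + " completed");
        }
    }
}
```

Without setEndpointIdentificationAlgorithm, JSSE checks only that the broker certificate chains to an entry in the truststore, not that it was issued for the host being contacted; setting it closes that gap. The fingerprint listing is the programmatic counterpart of comparing the keytool -list output with the published values.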

SSL / TLS debugging

If there are problems with the SSL / TLS connection, applications using the Apache Qpid Java API have an SSL debugging mode. This mode can be activated using the system property

-Djavax.net.debug=ssl

4. Some of the Java clients are able to use the PKCS12 format directly.
5. See “Volume A: Connectivity” for more details about the keytool utility.