FIX Migration

Learn how to migrate your existing FIX connection to the new infrastructure.

The FIX infrastructure upgrade improves performance, reliability and security for FIX connections. This change enables multiple FIX connections for a single account and improves TLS certificate management, among other changes.

note

All existing FIX users are required to migrate to the new infrastructure no later than May 4, 2024. Contact your Paxos Representative for details.

Upgrade your FIX connection in both the Sandbox and Production environments. Migrate to the Sandbox environment first for testing purposes. Once the connection is working in Sandbox, follow a similar procedure for the Production connection(s).

tip

Learn more about FIX Best Practices, including how to use multiple connections and managing sequence number resets.

1. Generate a Certificate Signing Request (CSR)

Generate the certificate signing request (CSR) following your internal key management best practices. Make sure to use the RSA key algorithm. Paxos recommends a key length of 4096 bits.

As a secondary security measure, a Paxos Support will contact you to verify its content. Please include the following technical contact information:

• Name
• Email
• Phone

Send the CSR and technical contact information to connectivity@paxos.com.

Paxos will follow up with next steps.

2. Set Up SSL

Paxos will configure the connection and reply back with the client certificate used for session connection. Bundle exchange_{comp_id}_certificate.crt (the certificate Paxos sent to you) with the key on your side:

Sandbox

cat private.key exchange_{comp_id}_certificate.crt > sandbox.itbitprod.pem  

Production

cat private.key exchange_{comp_id}_certificate.crt > production.itbitprod.pem 

Most FIX users can use stunnel to add encryption functionality to the client. stunnel is suitable for large deployments and does not require client code changes.

Sandbox

Sandbox stunnel.conf

client = yes
foreground = yes
pid = /home/src/itbit.stunnel.pid
socket =l:TCP_NODELAY=1
socket =r:TCP_NODELAY=1

[itbit-sandbox]
client = yes
accept = 127.0.0.1:1234
cert = /{PATH-TO-CERT}/sandbox.itbitprod.pem
connect = {comp_id}.exchange.gfix.sandbox.itbitprod.com:4198
CAfile = /{PATH-TO-CERT}/ca.crt
verifyChain = yes
checkHost = gfix-service.gfix-exchange.sandbox.itbitprod.com

Production

Production stunnel.conf

client = yes
foreground = yes
pid = /home/src/itbit.stunnel.pid
socket =l:TCP_NODELAY=1
socket =r:TCP_NODELAY=1

[itbit-production]
client = yes
accept = 127.0.0.1:1234
cert = /{PATH-TO-CERT}/production.itbitprod.pem
connect = {comp_id}.exchange.gfix.prod.itbitprod.com:4198
CAfile = /{PATH-TO-CERT}/ca.crt
verifyChain = yes
checkHost = gfix-service.gfix-exchange.prod.itbitprod.com

Once complete, test your connection to our servers. Contact connectivity@paxos.com with test results of for help with an alternative to stunnel.

---

✉️ Question? Contact us:
Crypto Brokerage Support | Commodities Settlement Support | Help Desk

📃 Check out our Changelog.