FIX Migration
The FIX infrastructure upgrade improves performance, reliability and security for FIX connections. This change enables multiple FIX connections for a single account and improves TLS certificate management, among other changes.
All existing FIX users are required to migrate to the new infrastructure no later than May 4, 2024. Contact your Paxos Representative for details.
Upgrade your FIX connection in both the Sandbox and Production environments. Migrate to the Sandbox environment first for testing purposes. Once the connection is working in Sandbox, follow a similar procedure for the Production connection(s).
Learn more about FIX Best Practices, including how to use multiple connections and managing sequence number resets.
1. Generate a Certificate Signing Request (CSR)
Generate the certificate signing request (CSR) following your internal key management best practices. Make sure to use the RSA key algorithm. Paxos recommends a key length of 4096 bits.
As a secondary security measure, a Paxos Support will contact you to verify its content. Please include the following technical contact information:
- Name
- Phone
Send the CSR and technical contact information to connectivity@paxos.com.
Paxos will follow up with next steps.
2. Set Up SSL
Paxos will configure the connection and reply back with the client certificate used for session connection.
Bundle exchange_{comp_id}_certificate.crt
(the certificate Paxos sent to you) with the key on your side:
- Sandbox
- Production
cat private.key exchange_{comp_id}_certificate.crt > sandbox.itbitprod.pem
cat private.key exchange_{comp_id}_certificate.crt > production.itbitprod.pem
Most FIX users can use stunnel to add encryption functionality to the client. stunnel is suitable for large deployments and does not require client code changes.
- Sandbox
- Production
client = yes
foreground = yes
pid = /home/src/itbit.stunnel.pid
socket =l:TCP_NODELAY=1
socket =r:TCP_NODELAY=1
[itbit-sandbox]
client = yes
accept = 127.0.0.1:1234
cert = /{PATH-TO-CERT}/sandbox.itbitprod.pem
connect = {comp_id}.exchange.gfix.sandbox.itbitprod.com:4198
CAfile = /{PATH-TO-CERT}/ca.crt
verifyChain = yes
checkHost = gfix-service.gfix-exchange.sandbox.itbitprod.com
client = yes
foreground = yes
pid = /home/src/itbit.stunnel.pid
socket =l:TCP_NODELAY=1
socket =r:TCP_NODELAY=1
[itbit-production]
client = yes
accept = 127.0.0.1:1234
cert = /{PATH-TO-CERT}/production.itbitprod.pem
connect = {comp_id}.exchange.gfix.prod.itbitprod.com:4198
CAfile = /{PATH-TO-CERT}/ca.crt
verifyChain = yes
checkHost = gfix-service.gfix-exchange.prod.itbitprod.com
Once complete, test your connection to our servers. Contact connectivity@paxos.com with test results of for help with an alternative to stunnel.
✉️ Question? Contact us:
Crypto Brokerage Support | Commodities Settlement Support | Help Desk📃 Check out our Changelog.