’s New Trading System F7 Eurex Repo Release 1.0

Transcription

Eurex Repo’s New Trading System F7
Release 1.0
F7 Connectivity Guide
Version
V 1.0.8
Date
18 November 2014
Eurex Repo
V 1.0.8
1. Introduction
4
2. Network
5
2.1 Repo Connectivity
5
2.1.1 Leased Line
6
2.1.2 Internet
7
2.2 Eurex Repo connectivity security features
7
2.3 URLs and IP ranges
8
2.3.1 F7 GUI
8
2.3.2 F7 API
8
3. Member Section
9
4. Leased line connectivity ordering
10
4.1 New connection
10
4.2 Location details
11
4.3 Connection type
12
4.4 Data center details
13
4.5 Request summary
14
5. Eurex Repo F7 x.509 certificates
16
5.1 x.509 Certificate creation with OpenSSL
16
5.1.1 Step 1: Download OpenSSL
17
5.1.2 Step 2: Create Private Key
17
5.1.3 Step 3: Create self-signed certificate
17
5.1.4 Step 4 create PKCS#12 file
20
5.1.5 Step 5: Upload certificate
20
5.2 x.509 Certificate creation with Java keytool
20
5.2.1 Create keystore
21
5.2.2 Create truststore
22
5.2.3 Export certificate for upload
22
5.2.4 Import AMQP server certificate (F7 API only)
23
5.2.5 Client PKCS#12 certificate for installation into the F7 GUI user’s browser
23
5.3 Certificate validity period
24
5.4 Eurex Repo certificate upload
24
5.5 User ID Configuration
25
5.6 Environment
26
2
Eurex Repo
V 1.0.8
5.7 Account Name Field
26
5.8 ‘Description’ field
27
5.9 Certificate upload verification
27
5.10 Username and password authentication
28
5.11 Additional IP Address check (Internet access)
28
6. Further information and contacts
29
7. Change Log
30
3
Eurex Repo
V 1.0.8
1.
Introduction
Eurex Repo is continuously extending its product scope, functionality and markets to
improve its services and to attract additional customer groups. In 2014 Eurex Repo
will go a considerable step further by introducing a new web based trading system to
embrace the requirements of a state-of-the-art trading environment. This new trading
system called F7 will serve as a solid foundation for future growth and has been
designed to meet the highest demands.
Today’s global markets demand new standards of flexibility and performance. The 7
Market Technology series from Deutsche Börse Group offers a range of innovations
in trading, clearing, risk management and connectivity – advanced infrastructure that
lets you adapt to whatever the future brings.
This document describes the connectivity options and the ordering and setup
process for Eurex Repo’s new trading system F7. It considers Eurex Repo
participants who are new to the order process at Deutsche Börse but is also valid for
Eurex Repo participants which already have Deutsche Börse infrastructure (for
example existing Eurex participants which want to order additional Eurex Repo
connectivity).
4
Eurex Repo
V 1.0.8
2.
Network
In order to support the respective Eurex Repo’s F7 services, Deutsche Börse Group
has established an efficient infrastructure representing a dedicated global IP network.
Access from a participant location to Eurex Repo’s F7 must always be established
via the Deutsche Börse Group's IP network or alternatively via the Internet.
Any participant connection to the back end systems must be established via Access
Points (AP). APs, to which leased lines connect, are located throughout the world in
major financial centers where Eurex Repo’s participants are concentrated.
This concept allows Eurex Repo to extend its private network up to the demarcation
point of the carrier at the participant’s site. Each AP is connected to the respective
hosts via redundant leased lines. Participants are connected to an AP via dedicated
leased lines and/or via the Internet.
2.1 Repo Connectivity
Eurex Repo’s F7 system minimizes the footprint on the participant’s infrastructure. F7
removes the local Service Connector from the client and implements a browser
based GUI solution which requires zero maintenance by the Eurex Repo participant.
Eurex Repo’s F7 new connectivity concept
Both, the browser based GUI and the F7 API can connect to Eurex Repo’s F7
system either via leased line or via Internet.
5
Eurex Repo
V 1.0.8
In either case a client authentication will be done by using x.509 certificates. The
certificate will be used to encrypt all data transmitted between the browser based
GUI or any third party application.
F7 GUI or
3rd party POA
Internet
Eurex Repo’s F7
Back End
Eurex Repo’s F7
connect server
Authenticate with
x509 certificate
F7 GUI or
3rd party POA
Leased Line
Connectivity options
2.1.1
Leased Line
All leased line connections must be ordered from Deutsche Börse – directly or via a
technical service provider. The Deutsche Börse network is a highly efficient network
focused on highest availability by simultaneously providing lowest latency.
Eurex Repo’s F7 Trading participants who already have existing Deutsche Börse
network connectivity in place will be able to order a dedicated channel, providing that
sufficient bandwidth is available.
As the new system connects each individual user of Eurex Repo’s F7 system directly
to the trading platform, bandwidth requirements are directly proportional to the
number of active users. Bandwidth consumption per active trader is expected to be
around 0.420 Mbit/s. Bandwidth options will be offered in the following sizes:
Number of active users
Bandwidth Option
1
0.5 Mbit/s
Up to 2
1.0 Mbit/s
Up to 6
3.0 Mbit/s
Up to 12
5.0 Mbit/s
Up to 25
10.0 Mbit/s
Eurex Repo’s F7 bandwidth options for leased lines
6
Eurex Repo
V 1.0.8
The previously used software VPN encryption will no longer be required as all traffic
will be secured by use of x.509 certificates for authentication and encryption.
2.1.2
Internet
It will be possible to use the new F7 trading GUI as well as the F7 API via the
Internet. The previously used software VPN encryption will no longer be required as
all traffic will be secured by use of x.509 certificates for basic authentication and
connection encryption.
As the new system connects each individual user of Eurex Repo’s F7 system directly
to the trading platform, bandwidth requirements are directly proportional to the
number of active users. Users connecting via Internet should expect
0.420 Mbit/s
bandwidth consumption per active trader
2.2 Eurex Repo connectivity security features
For the connection via Internet, the Repo participant can choose one of the following
options:



Allow Internet access without restrictions (per default)
Completely disable Internet access and restricting to leased line (x.509 upload
page)
Allow Internet access for registered IP addresses
For the connection via leased line, the incoming IP address is checked against the
known network information for the corresponding Eurex Repo participant. In case a
participant has a Service Provider, the IP address is also checked against the known
networks of the Service Provider.
On login via leased line it is checked if the IP-address of the user is part of the
corresponding network.
7
Eurex Repo
V 1.0.8
2.3 URLs and IP ranges
2.3.1 F7 GUI
The Eurex Repo’s F7 GUI can be accessed via links or URLs. These URLs differ
based on the type of connection (Leased line vs. Internet) and based on the
environment (Production vs. Simulation).
Any of these four URLs can be placed in the bookmarks of the user’s browser, or
placed as links on the desktop.
Environment
Type
URL
Leased Line
https://simulation.vpn.eurexrepo.com:9443/TRADING_GUI
IP: 193.29.95.215:9443/TRADING_GUI
https://simulation.eurexrepo.com:9443/TRADING_GUI
IP: 193.29.90.164:9443/TRADING_GUI
https://production.vpn.eurexrepo.com:8443/TRADING_GUI
IP: 193.29.95.216:8443/TRADING_GUI
https://production.eurexrepo.com:8443/TRADING_GUI
IP: 193.29.90.165:8443/TRADING_GUI
Simulation
Internet
Leased Line
Production
Internet
2.3.2 F7 API
The F7 API connection gateways are accessed via direct IP addresses. These IP
addresses differ based on the type of connection (Leased line vs. Internet) and
based on the environment (Production vs. Simulation).
Environment
Simulation
Production
Port
Type
IP Address
Leased Line
193.29.95.217 / 255.255.255.240
11575
Internet
193.29.90.166 / 255.255.255.240
11575
Leased Line
193.29.95.218 / 255.255.255.240
11475
Internet
193.29.90.167 / 255.255.255.240
11475
8
Eurex Repo
V 1.0.8
3.
Member Section
The Eurex Repo member section can be entered via this web address:
https://member.eurexrepo.com
It is also accessible from the Eurex Trading, Eurex Clearing and Xetra member
section by using the switch portal link at the top of the page.
This will lead you to the welcome page of the Eurex Repo member section.
9
Eurex Repo
V 1.0.8
4.
Leased line connectivity ordering
In order to start the order process press “Technical Connection” and select
“Requests & Configuration” on the left hand side of the page.
An overview of your installations and their respective configuration will be displayed.
4.1 New connection
Select the tab “New Request” and then press “New Connection”
You have now entered the line order frame. Use the “Dedicated Leased Line
Connections” tick mark for Eurex Repo leased line orders.
10
Eurex Repo
V 1.0.8
This is also true if you already have a dedicated line where additional space for
Eurex Repo is available.
The next step is the location selection and the selection of the person who is the
“Line Responsible”.
4.2 Location details
For the location you can select an existing location or create a new location. The new
location creation is self-explanatory.
11
Eurex Repo
V 1.0.8
In order to select the “Line Responsible” you have to press “Select”. A new pop up
window will show the persons who are already registered for your company and
allows to edit them or to create a new contact.
Please note that the “Line Responsible” should be a person who always has
immediate access to the location where the line will be delivered. This is the person
who will be contacted by the carrier.
Here you can also use the tick box at the bottom of the frame in order to choose a
second location with another “Line Responsible”.
4.3 Connection type
The next step is to select the connection (type). For Eurex Repo you can choose one
channel on a leased line or two channels on two leased lines (for highest reliability).
Please tick the appropriate box in order to achieve this.
12
Eurex Repo
V 1.0.8
In the lower half of the screen, under “Market/Channels” you have to choose “Eurex
Repo” by scrolling down and selecting the tick box, then choose the participant ID
(“Member ID”) used for this Eurex Repo connection, the bandwidth and finally the
Base Installation in which this line should be placed. For a new installation select
“New Base”.
4.4 Data center details
The next step is important when a new physical line has to be delivered. In order to
achieve a smooth handling by all involved parties, room and line details have to be
specified.
13
Eurex Repo
V 1.0.8
Room description, floor, room number, media, interface are mandatory fields. It has
to be specified if a line installation can be done within business hours or not, whether
the router and end facility are located in the same room or not and if it is Rackmountable or a Desktop (stand-alone) device.
If this is a new location, a new room can be created; else an existing room can be
used.
In the case that you have ordered two lines into two different locations (split location)
also the room in the second location has to be selected or created and specified in
an additional step.
4.5 Request summary
In the next step an overview of the request is shown. By pressing “Add to the request
basket” your request is then placed in the request basket. Please review this page
thoroughly and add the overall “Technical Contact” for this request (typically the
person who also will perform the connection test).
14
Eurex Repo
V 1.0.8
It is advisable to use the “Check Request” in order to perform a consistency check of
your request. Tick the box in order to agree to the conditions and finally press
“Approve” in order to finalize this order.
15
Eurex Repo
V 1.0.8
5.
Eurex Repo F7 x.509 certificates
To ensure the highest possible level of security and privacy against eavesdropping, a
two-factor authentication is required for every participant. Both parts of the
authentication process need to be completed successfully before access to the Eurex
Repo GUI is granted or an F7 API application can connect.
The two-factor authentication process involves on the one hand the creation and
usage of self-signed SSL certificates to establish and ensure an encrypted
connection between the Eurex Repo participant and Eurex Repo.
Certificate authentication is required for both Internet and Leased Line access.
On the other hand every single GUI user has to be authenticated by means of the
individual username and password to be able to log into the GUI.
Please note:
Certificates can have user or participant scope or some other participant specific
scope (e.g. location, unit, market etc.). Every participant needs at least one certificate
in order to access Eurex Repo but may use an unlimited number for various reasons.
In any case the uploaded certificate must match the PKCS#12 file installed in the
browser.
For a successful upload to the portal, a self-signed SSL certificate (crt.-file) is
required which needs to comply with the following parameters:

RSA and DSA key algorithms and SHA-2 signature algorithms (e.g. SHA224,
SHA256, SHA384, SHA512) are supported

Compliant with X.509v3 standard

Key length needs to be between 1976 and 4096 bits
o Common Name (CN) has to contain complete account name (5-digit
participant ID followed by 3 digits “GUI” or “API” depending on the
application the certificate will be used for, thereafter a free user defined
string from 1 to 13 characters must be used for your internal
description.
5.1 x.509 Certificate creation with OpenSSL
The following chapter outlines the procedure for creating a self signed x.509
certificate and a PKCS#12 file for installation into a F7 GUI user’s browser using the
tool “OpenSSL”.
This chapter describes the recommended procedure for F7 GUI users. See next
chapter for F7 API users.
Please note, in the following examples the following is assumed:

You have the OpenSSL binary in your PATH.
16
Eurex Repo
V 1.0.8

You are in a directory where you have write permissions to create files.
The following examples use a participant ID “INTER” – replace this with you own
participant ID.
Three files will be created:

A private key (INTER.key)

A self signed certificate for upload to the Eurex Repo Member section
(INTER.crt)

A private PKCS#12 certificate for installation into the browser of a F7 GUI
User (INTER.p12)
The following examples show “<passphrase>” where an individual passphrase needs
to be entered. ”. Change this to a passphrase of your own choice.
5.1.1 Step 1: Download OpenSSL
The Eurex Repo participant has to download and install “OpenSSL” (recommended
freeware tool) to create keys, self-signed certificates and PKCS#12 certificate files
(recommended source: www.openssl.org, version1.0.0o or 1.0.1j).
Avoid 1.0.1 versions up to and including 1.0.1f due to heartbleed blug
5.1.2 Step 2: Create Private Key
The participant has to create a private key by using OpenSSL (e.g. RSA private key,
2048 bit).
Example command line for the participant ID INTER:
openssl genrsa -des3 -out INTER.key 2048
This results in:
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.......................................................+++
e is 65537 (0x10001)
Enter pass phrase for INTER.key:<passphrase>
Verifying - Enter pass phrase for INTER.key: <passphrase>
After entering the necessary information the private key will be saved automatically in
the current working directory.
5.1.3 Step 3: Create self-signed certificate
The participant has to create a “self-signed certificate”.
17
Eurex Repo
V 1.0.8

A “self-signed certificate” can be created by using OpenSSL (.crt-file compliant
with X.509v3 standard and a validity of 365 days). For creation the
passphrase for the private key created above is required.
openssl req -new -x509 -sha256 -days 365 -key INTER.key -out INTER.crt
This results in:
Enter pass phrase for INTER.key: <passphrase>
The user is asked to enter the information that will be incorporated into his certificate
request (the so-called Distinguished Name or a DN.)
There are quite a few fields to be filled in. Some of the fields can be left blank. For
some fields there will be a default value. If a user enters '.', the field will be left blank.
----Country Name (2 letter code) [GB]:DE
State or Province Name (full name) [Berkshire]:Hessen
Locality Name (eg, city) [Newbury]:Frankfurt
Organization Name (eg, company) [My Company Ltd]:Int Test GmbH
Organizational Unit Name (eg, section) []:Repo
Common Name (eg, your name or your server's hostname) []:INTERGUIFRTRD123
E-Mail Address []:
It is important that the entered Common Name always consists of the own participant
ID, in this example “INTER” followed by “GUI” or “API” depending on the application
the certificate will be used for and a free identifying string.
o The first 5 digits are your participant ID (“INTER” in this example)
o The next 3 digits identify the purpose of the certificate. If the certificate
will be used for GUI access “GUI” has to be entered. If the certificate is
used to connect to the API “API” has to be entered.
o Thereafter a free user defined string from 1 to 13 characters must be
used for your internal description.
The Common Name must be identical to the free text field of the account name
provided during the upload of the self-signed certificate into the member section.
After entering the necessary information, the self-signed certificate will be saved
automatically in the current working directory.

Participant may check the generated “self-signed certificate” by using
OpenSSL.
openssl x509 -text -in INTER.crt -noout
18
Eurex Repo
V 1.0.8
This results in:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8e:e3:e3:0b:97:63:7c:3c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Hessen, L=Frankfurt, O=XYT Test GmbH, OU=Repo,
CN=INTERGUIFRTRD123
Validity
Not Before: Nov 28 16:53:26 2011 GMT
Not After : Nov 27 16:53:26 2012 GMT
Subject: C=DE, ST=Hessen, L=Frankfurt, O=XYT Test GmbH, OU=Repo,
CN=INTERGUIFRTRD123
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d1:79:44:42:eb:60:26:55:4a:d0:9d:49:25:c3:
44:6f:ea:50:83:1c:91:f1:68:b3:65:01:bc:df:fc:
ab:ba:59:a9:ab:4e:82:46:e1:ce:d8:c4:c7:bb:13:
8f:bf:ec:10:16:13:77:96:2f:74:0a:74:83:77:d6:
b3:2e:67:e0:5b:9c:1c:69:4c:bf:c2:91:48:34:62:
60:ae:7c:67:63:bb:c8:45:0f:35:42:da:9e:90:a4:
fd:7c:5f:76:9d:e7:47:8b:2e:2d:4a:f2:12:f3:92:
04:17:eb:db:10:dd:bb:7c:b8:3b:8c:5c:f5:72:f6:
e2:37:ec:0f:9b:bd:45:25:31:1b:be:fa:1c:f0:80:
f0:b7:a2:11:f1:e0:20:81:62:d7:da:b5:9b:ab:ad:
61:9e:11:cd:7f:b2:8c:13:64:44:9f:60:dc:b4:0c:
a3:de:6a:21:25:7e:7a:b1:7b:4f:fa:e9:42:9c:af:
8a:2d:6e:c7:88:0a:bd:a3:ce:b0:c6:70:e8:7d:2d:
69:3b:93:84:96:26:70:5d:3d:04:50:e9:e2:27:ad:
3a:a3:32:d3:58:09:47:92:32:f2:32:8e:2f:f7:e4:
00:30:61:8c:59:de:a7:81:28:7f:83:17:19:61:2f:
14:d2:94:7c:00:4a:8c:1f:a6:29:52:01:c3:28:d0:
5e:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
01:51:CD:A2:29:3B:44:58:C4:51:92:F9:A7:52:52:C5:F2:ED:38:62
X509v3 Authority Key Identifier:
keyid:01:51:CD:A2:29:3B:44:58:C4:51:92:F9:A7:52:52:C5:F2:ED:38:62
DirName:/C=DE/ST=Hessen/L=Frankfurt/O=XYT Test GmbH/OU=Repo/CN= INTERGUIFRTRD123
serial:8E:E3:E3:0B:97:63:7C:3C
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
36:5c:31:89:75:f1:22:be:02:18:80:9b:4a:56:b4:da:15:a1:
9e:cc:f8:55:b6:4b:39:cf:82:78:b0:c2:75:e5:75:31:21:02:
04:b5:7d:bf:93:ce:13:ef:09:3f:0e:a4:15:d9:dc:99:81:98:
02:53:55:2c:7c:2d:a4:1f:da:cb:00:6f:9e:65:2f:53:a8:a5:
c4:b7:66:c2:38:47:e3:e6:45:e7:d9:4b:14:7e:c5:52:14:22:
63:60:4b:73:63:68:60:80:bf:85:c2:aa:21:8e:63:ea:c5:e2:
a2:42:a8:67:42:c6:b8:a8:30:01:2e:b0:e6:72:03:e7:c8:a4:
13:81:8f:dc:d1:f3:26:34:41:61:33:3f:db:6b:66:47:bd:27:
19
Eurex Repo
V 1.0.8
07:c3:f2:b2:16:10:7a:76:06:73:9d:c0:62:c5:35:17:b7:d7:
bf:e5:8d:7d:45:4c:7f:50:fe:06:dd:c8:ed:97:2a:51:2d:b8:
51:2e:e9:b0:98:c9:c1:08:e9:92:8b:86:54:17:48:5d:b3:d2:
3c:9e:2e:2c:e5:f2:a0:1d:39:a6:8d:cb:88:e0:6f:bf:7e:df:
e8:da:cd:27:c6:b7:60:54:7a:0c:37:5e:73:7f:b9:7d:6c:57:
dc:6b:fe:be:a8:07:ab:78:d8:ed:22:cc:e6:eb:56:4c:42:fb:
1d:bf:7d:04
5.1.4 Step 4 create PKCS#12 file
The participant creates PKCS#12 file by using the stored private key and the selfsigned certificate (.crt-file) in OpenSSL.
Example command line for the participant ID “INTER”:
openssl pkcs12 -export -clcerts -in INTER.crt -inkey INTER.key -out INTER.p12
The PKCS#12 file will be saved automatically in the current working directory.
Afterwards install the PKCS#12 file in every user’s web browser.
Please refer to your individual browser documentation on how to manage browser
certificates. For example, for Firefox this information can be found following this link:
http://www.mozilla.org/projects/security/pki/psm/help_21/using_certs_help.html#using_certs_my
5.1.5 Step 5: Upload certificate
Upload the .cer-file (X.509v3 compliant) into the member section via Internet. See
chapter 5.4 for details.
5.2 x.509 Certificate creation with Java keytool
The following chapter outlines the procedure for creating a self signed x.509
certificate, the creation of a keystore and a truststore, and finally the import of the F7
API broker certificate into the truststore, using the Java tool “keytool”.
Java keytool is part of the standard Java distribution. It is a key and certificate
management utility, organizing certificates in keystores and truststores which can
then be accessed by Java applications.
This chapter describes the recommended procedure for F7 API users using Java
applications. Additionally chapter 5.2.5 describes how to extract a browser
compatible certificate for GUI usage.
Please note, in the following examples the following is assumed:

You have the keytool in your PATH.

You are in a directory where you have write permissions to create files.
The following examples use a participant ID “INTER” – replace this with your own
participant ID.
20
Eurex Repo
V 1.0.8
Four files will be created:

A keystore, containing your private key(s)

A truststore, containing the public key(s) from other parties (i.e. Eurex Repo)

A public certificate for upload to the Eurex Repo Member section

A private certificate for installation into the browser of a F7 GUI User
The following examples use a participant ID “INTER” – replace this with your own
participant ID.
The following examples use always a password “mypass”. Change this to a
password of your own choice.
5.2.1 Create keystore
The first step is to create a F7 certificate and a keystore to store the new certificate
in. The command line example below determines the parameters of the certificate
(RSA algorithm, key size 2048, one year validity, SHA256 signature and a keystore
file name “INTER.ks” and a store password “mypass”):
keytool -genkey -keyalg RSA -keysize 2048 -validity 365 -sigalg SHA256withRSA
-alias inter -keystore INTER.ks -storepass mypass
A number of parameters have to be entered manually
What is your first and last name?
[Unknown]: INTERAPIFRTRD123
What is the name of your organizational unit?
[Unknown]: Repo
What is the name of your organization?
[Unknown]: Int Test GmbH
What is the name of your City or Locality?
[Unknown]: Frankfurt
What is the name of your State or Province?
[Unknown]: Hessen
What is the two-letter country code for this unit?
[Unknown]: DE
Is CN= INTERAPIFRTRD123, OU=Repo, O=Int Test GmbH, L=Frankfurt, ST=Hessen, C=DE
correct?
[no]: yes
It is important that the entered Common Name always consists of the own participant
ID, in this example “INTER” followed by “GUI” or “API” depending on the application
the certificate will be used for and a free identifying string.
o The first 5 digits are your participant ID (“INTER” in this example)
21
Eurex Repo
V 1.0.8
o The next 3 digits identify the purpose of the certificate. If the certificate
The Common Name must be identical to the free text field of the account name
provided during the upload of the self-signed certificate into the member section.
At this point a keystore file “INTER.ks” has been created, containing one certificate
with an alias name “inter” for reference
5.2.2 Create truststore
In a second step, the same procedure is repeated to create a truststore file
“INTER.ts”:
keytool -genkey -keyalg RSA -keysize 2048 -validity 365 -sigalg SHA256withRSA
-alias inter -keystore INTER.ts -storepass mypass
Again a number of parameters have to be entered manually
What is your first and last name?
[Unknown]: INTERAPITRDFR123
What is the name of your organizational unit?
[Unknown]: Repo
What is the name of your organization?
[Unknown]: Int Test GmbH
What is the name of your City or Locality?
[Unknown]: Frankfurt
What is the name of your State or Province?
[Unknown]: Hessen
What is the two-letter country code for this unit?
[Unknown]: DE
Is CN= INTERAPITRDFR123, OU=Repo, O=Int Test GmbH, L=Frankfurt, ST=Hessen, C=DE
correct?
[no]: yes
5.2.3 Export certificate for upload
Now the certificate for INTER will be extracted from the keystore previously created.
Note the option “-rfc” to ensure the output format will be accepted by the member
section when uploading the certificate to the Eurex Repo webpage.
keytool -export -rfc -alias inter -file INTER.cer -keystore INTER.ks
The name of the exported file for upload to the member section is “INTER.cer”. It
should look similar to the example output below:
22
Eurex Repo
V 1.0.8
cat INTER.cer
-----BEGIN CERTIFICATE----MIIDaDCCAlCgAwIBAgIEU7ErtzANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJERTEPMA0GA1UE
CBMGSGVzc2VuMRIwEAYDVQQHEwlGcmFua2Z1cnQxGDAWBgNVBAoTD0RldXRzY2hlIEJvZXJzZTEN
MAsGA1UECxMEUmVwbzEZMBcGA1UEAxMQUEFLRVJUUkRGUkdVSTEyMzAeFw0xNDA2MzAwOTE5NTFa
Fw0xNTA2MzAwOTE5NTFaMHYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xEjAQBgNVBAcT
CUZyYW5rZnVydDEYMBYGA1UEChMPRGV1dHNjaGUgQm9lcnNlMQ0wCwYDVQQLEwRSZXBvMRkwFwYD
VQQDExBQQUtFUlRSREZSR1VJMTIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvtd2
1RMolLWVmK4H1M/7JKh2R9xP0avqTvKDqlspyNggTFd2JeVV8i0mckkHhR7kddasR0LJ5W5E17en
EJ8/dGJFVy/NMZZJLcSIyaaB+7vfW7oaeF3Um502RnoIUFX+wni6qODN4Zz7WmdYGbXVu9HsFkYG
tceW5c6pdC3vpGnqsiTt1LrrulibDOEsGx4+YczEpwTrvX0uK7nLmyaudmL18RJfGqondJSsnDCB
arqhu7Wa9BAYzjTQjTpfej8Lar4lOW+C8XWxvNlAQOKL4EwYklQcNb4Q6kwr6m+EadkTLucsjnkm
mfm5NLaJpR1bXp5wDPY6pdzCtb2yYsBY4QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA9O2CoEzOZ
Zsih1sR21U54ne/xwqgBgY89nGdiv9J+H3iIO2+UDTXS+9X1pyK0QYRJ8LnrxzkgfexrzGlIwMCy
7PQNPJWWutglnE9+TiGzWgZOmR5FMwBHulMp9hMn7GBegsOpDL5Hd645S9hjj/P1X6CVZiLPuo03
cv2l+/KRhG7s9gfHR2L5Gas4i9a/2UWa4osOLJM5////vDR77b/p5Rxu0p2c8897wUgVFM4AP0wS
q5vXWv5Cfj375RzTDB3VjEEAsiC74GvITYJTJo1aS+WIHWLcHHV+E6PQsYUD7NAWd6GnIw/slau+
KwPrxm+1jyuPp2pdrKIqcqcM+Z
Upload the .cer-file (X.509v3 compliant) into the member section via Internet. See
chapter 5.4 for details.
5.2.4 Import AMQP server certificate (F7 API only)
In case the keystore / truststore is used for the F7 API the AMQP server/broker
certificate by Eurex Repo needs to be imported into the truststore.
The server/broker certificate of Eurex Repo F7 API can be downloaded in the Eurex
Repo Member Section > Repo Resources > Trading System T7 > System
Documentation > Relase 1.0 > Eurex Repo Trading Interfaces.
Assuming the AMQP server/broker certificate by Eurex Repo is stored in a file
“Broker.crt” it can be imported in the previously created truststore (INTER.ts) by the
following command:
keytool -import -file Broker.crt -keystore INTER.ts -storepass mypass -alias
f7apiserver
5.2.5 Client PKCS#12 certificate for installation into the F7 GUI user’s browser
The following command exports the certificate in a format which can be
imported into the browser of a F7 GUI user:
keytool -importkeystore -srckeystore N:\INTER.ks -destkeystore N:\INTER.p12
-deststoretype PKCS12
Enter destination keystore password: mypass
Re-enter new password: mypass
23
Eurex Repo
V 1.0.8
Enter source keystore password: mypass
Entry for alias inter successfully imported.
Import command completed:
failed or cancelled
1 entries successfully imported, 0 entries
Please refer to your individual browser documentation on how to manage browser
certificates.
By following the steps in the chapters 5.2.1 to 5.2.5 four files have been created:
INTER.ks
INTER.ts
INTER.cer
INTER.p12
#
#
#
#
Keystore
Truststore
Cert for Upload
Cert for Browser
5.3 Certificate validity period
To ensure security we recommend a validity period of 365 days for certificates. The
upload of a new certificate in good time prior to the end of the validity period will be
required.
Please note: the Eurex Repo system is not actively informing users about
approaching certificate expiry dates.
5.4 Eurex Repo certificate upload
For a secure connection to the Eurex Repo F7 GUI or API the participant has to
upload a self-signed certificate file to the member section, while additionally installing
the complementary browser certificate file (in the format ‘PKCS#12’) in his webbrowser.
For uploading a certificate navigate to the Eurex Repo member section, select
“Technical Connection” and then “Eurex Repo Certificates” under the menu
“Technical User Administration”:
24
Eurex Repo
V 1.0.8
5.5 User ID Configuration
The setup of an account (by clicking on ‘Create user’) is required to assign a
participant ID (given in the ‘Account Name’, e.g. INTER) and an environment (e.g.
Simulation or Production) to a certificate to be uploaded.
By using participant-based certificates every participant has to create only one single
account associated with one single certificate in the member section. With this
account and the additional installation of the certificate in the web-browser of each
individual user, all the Eurex Repo F7 GUI or API users of a participant can access
and use the Eurex Repo F7 GUI or third party application after entering their
individual username and password.
Please note that the member section is only used for the certificate handling for a
participant. All individual Eurex Repo F7 GUI users not yet set-up in the current
system of a participant need to be setup separately by submitting a ‘User Setup
Form’ (“Händler Antrag” / “Info User Antrag”) to Eurex Repo and will be provided via
email with their individual username and password, which is needed to login to the
Eurex Repo F7 GUI or a third party application.
Please note that for the setup and usage of the Eurex Repo F7 GUI or third party
software in a new environment (e.g. Simulation or Production) a new certificate has
25
Eurex Repo
V 1.0.8
to be created and uploaded. A separate certificate should be used for the Eurex
Repo API connection.
5.6 Environment
Select the environment the new certificate will be used in: production or simulation.
5.7 Account Name Field
The Account Name consists of a drop-down list and a free text field.

In a first step the participant ID needs to be selected from the drop-down list.
All participant IDs, for which an account can be setup, are selectable here
(e.g. INTER).

In the free text field a 1 to 16 digit uppercase alphanumeric value has to be
provided.
o The first 3 digits identify the purpose of the certificate. If the certificate
Please note: The information “Account Name” has to match the Common Name of
the certificate.
The complete Account Name should look like this:
26
Eurex Repo
V 1.0.8
The Common Name (CN) of the certificate must match the account name. For our
example participant ID the name of certificate would look like this
‘INTERGUIEUREXREPOUSER’ or “INTERGUITRDFRI123” or
“INTERAPITRDFR123” from the examples used earlier in this document.
Please note: If the Account Name and the Common Name of the certificate differ it
will not be possible to upload the certificate. The Account Name of the certificate
must contain the string “GUI” or “API” after the 5 digit participant ID, else the
certificate will be rejected by the Eurex Repo application.
5.8 ‘Description’ field
As the field ‘Description’ is a free text field any information can be provided.
However, for a better overview it is recommended to provide some information
regarding the certificate (e.g. technical information), the participant (e.g. participant
ID) and the environment in which the certificate is being used.
Example for participant ‘INTER’:
5.9 Certificate upload verification
If a problem occurs during the upload process or if a mandatory field is empty, an
error message will appear in the member section (see two examples below).
27
Eurex Repo
V 1.0.8
If no error message appears after clicking on ‘save’ the certificate has been uploaded
successfully to the member section and the new account should be displayed in the
overview screen, including ‘User ID’ and ‘Description’.
5.10
Username and password authentication
In order to login and use the Eurex Repo GUI or a third party application the
participant must complete the second part of the two-factor authentication process username and password authentication.
5.11
Additional IP Address check (Internet access)
Default any user of the given participant is permitted to access the application from
any IP address. If the participant wants to restrict the default access, a list of IP
addresses can be entered in the member section. As a result it will only be possible
to access the application from these IP addresses. Here is an example where access
is limited from one IP address only:
Internet access for the given participant can be completely blocked by setting the
corresponding radio-button.
28
Eurex Repo
V 1.0.8
6.
Further information and contacts
Eurex Repo‘s web page http://eurexrepo.com is the central source for all relevant
information needed to migrate to Eurex Repo’s new trading system F7. General
information and FAQs can be found at: Technical Support > New Trading System F7.
Additional items are also available:


Access the Member Section “Requests & Configuration”
www.eurexrepo.com > Member Section > Technical Connection > Requests &
Configuration
Documents for the new repo architecture, including F7 API documentation,
are available at:
www.eurexrepo.com > Member Section > Repo Resources > New Trading
System F7 > System Documentation > Release 1.0
With the start of simulation an additional source of information will be made available

For most up-to-date information, please check our Implementation News at:
www.eurexrepo.com > Technical Support > New Trading System F7 >
Implementation News
Please do not hesitate to contact us in case of any questions.
Technical Support
Functional Support
Customer Technical Support
Eurex Repo Administration & Operation
+49 (0) 69 2 11-1 08 77
+41 (0) 43 430 72 20
cts@deutsche-boerse.com
funchelp@eurexrepo.com
Eurex Repo Sales
Member Section Team
Eurex Repo Sales
+49-(0) 69-2 11-1 78 88
+49 (0) 69 2 11-1 40 40
member.section@deutsche-boerse.com
sales@eurexrepo.com
29
Eurex Repo
V 1.0.8
7.
Change Log
Version
Chapter, page
1.0.1
Date
Change
31.07.2014
Added “API” / “GUI” differentiation for x.509 certificates
1.0.3
5.1, 5.2
28.08.2014
Improved description of certificate creation with openssl
and keytool
1.0.4
5.1, 5.2
15.09.2014
Corrected two misspelled CN names
1.0.5
5.7
24.09.2014
Corrected screenshot with username specification (not
showing the participant ID anymore)
1.0.6
2.3.2
01.10.2014
Adjusted netmasks
5.7
08.10.2014
Corrected screenshot with Account Name
08.10.2014
Adjusted wording for Account Name/ Common Name user
defined string
1.0.7
5.1.1
28.10.2014
Added remark about OpenSSL versions affected by
heartbleed bug
1.0.8
5.2.5
18.11.2014
Deleted outdated link
30
© Eurex 2014
Deutsche Börse AG (DBAG), Clearstream Banking AG (Clearstream), Eurex Frankfurt AG, Eurex Clearing AG (Eurex Clearing) as well as Eurex Bonds GmbH (Eurex
Bonds) and Eurex Repo GmbH (Eurex Repo) are corporate entities and are registered under German law. Eurex Zürich AG is a corporate entity and is registered under
Swiss law. Clearstream Banking S.A. is a corporate entity and is registered under Luxembourg law. U.S. Exchange Holdings, Inc. and International Securities Exchange
Holdings, Inc. (ISE) are corporate entities and are registered under U.S. American law. Eurex Frankfurt AG (Eurex) is the administrating and operating institution of Eurex
Deutschland. Eurex Deutschland and Eurex Zürich AG are in the following referred to as the “Eurex Exchanges”.
All intellectual property, proprietary and other rights and interests in this publication and the subject matter hereof (other than certain trademarks and service marks listed
below) are owned by DBAG and its affiliates and subsidiaries including, without limitation, all patent, registered design, copyright, trademark and service mark rights. While
reasonable care has been taken in the preparation of this publication to provide details that are accurate and not misleading at the time of publication DBAG, Clearstream,
Eurex, Eurex Clearing, Eurex Bonds, Eurex Repo as well as the Eurex Exchanges and their respective servants and agents (a) do not make any representations or
warranties regarding the information contained herein, whether express or implied, including without limitation any implied warranty of merchantability or fitness for a
particular purpose or any warranty with respect to the accuracy, correctness, quality, completeness or timeliness of such information, and (b) shall not be responsible or
liable for any third party’s use of any information contained herein under any circumstances, including, without limitation, in connection with actual trading or otherwise or
for any errors or omissions contained in this publication.
This publication is published for information purposes only and shall not constitute investment advice respectively does not constitute an offer, solicitation or
recommendation to acquire or dispose of any investment or to engage in any other transaction. This publication is not intended for solicitation purposes but only for use as
general information. All descriptions, examples and calculations contained in this publication are for illustrative purposes only.
Eurex and Eurex Clearing offer services directly to members of the Eurex exchanges respectively to clearing members of Eurex Clearing. Those who desire to trade any
products available on the Eurex market or who desire to offer and sell any such products to others or who desire to possess a clearing license of Eurex Clearing in order to
participate in the clearing process provided by Eurex Clearing, should consider legal and regulatory requirements of those jurisdictions relevant to them, as well as the
risks associated with such products, before doing so.
Eurex derivatives are currently not available for offer, sale or trading in the United States or by United States persons (other than EURO STOXX 50® Index Futures, EURO
STOXX 50® ex Financials Index Futures, EURO STOXX® Select Dividend 30 Index Futures, EURO STOXX® Index Futures, EURO STOXX® Large/Mid/Small Index
Futures, STOXX® Europe 50 Index Futures, STOXX® Europe 600 Index Futures, STOXX® Europe 600 Banks/Industrial Goods & Services/Insurance/Media/Travel &
Leisure/Utilities Futures, STOXX® Europe Large/Mid/Small 200 Index Futures, Dow Jones Global Titans 50 IndexSM Futures (EUR & USD), DAX®/MDAX®/TecDAX®
Futures, SMIM® Futures, SLI Swiss Leader Index® Futures, MSCI World/Europe/Japan/AC Asia Pacific ex Japan Index Futures and VSTOXX® Futures as well as Eurex
inflation/commodity/weather/property and interest rate derivatives).
Trademarks and Service Marks
Buxl®, DAX®, DivDAX®, eb.rexx®, Eurex®, Eurex Bonds®, Eurex Repo®, Eurex Strategy WizardSM, Euro GC Pooling®, FDAX®, FWB®, GC Pooling®,,GCPI®, MDAX®,
ODAX®, SDAX®, TecDAX®, USD GC Pooling®, VDAX®, VDAX-NEW ® and Xetra® are registered trademarks of DBAG.
Phelix Base® and Phelix Peak® are registered trademarks of European Energy Exchange AG (EEX).
All MSCI indexes are service marks and the exclusive property of MSCI Barra.
RDX® is a registered trademark of Vienna Stock Exchange AG.
IPD® UK Annual All Property Index is a registered trademark of Investment Property Databank Ltd. IPD and has been licensed for the use by Eurex for derivatives.
®
®
®
SLI , SMI and SMIM are registered trademarks of SIX Swiss Exchange AG.
The STOXX® indexes, the data included therein and the trademarks used in the index names are the intellectual property of STOXX Limited and/or its licensors Eurex
derivatives based on the STOXX® indexes are in no way sponsored, endorsed, sold or promoted by STOXX and its licensors and neither STOXX nor its licensors shall
have any liability with respect thereto.
Dow Jones, Dow Jones Global Titans 50 IndexSM and Dow Jones Sector Titans IndexesSM are service marks of Dow Jones & Company, Inc. Dow Jones-UBS Commodity
IndexSM and any related sub-indexes are service marks of Dow Jones & Company, Inc. and UBS AG. All derivatives based on these indexes are not sponsored, endorsed,
sold or promoted by Dow Jones & Company, Inc. or UBS AG, and neither party makes any representation regarding the advisability of trading or of investing in such
products.
All references to London Gold and Silver Fixing prices are used with the permission of The London Gold Market Fixing Limited as well as The London Silver Market Fixing
Limited, which for the avoidance of doubt has no involvement with and accepts no responsibility whatsoever for the underlying product to which the Fixing prices may be
referenced.
PCS® and Property Claim Services® are registered trademarks of ISO Services, Inc.
Korea Exchange, KRX, KOSPI and KOSPI 200 are registered trademarks of Korea Exchange Inc.
BSE and SENSEX are trademarks/service marks of Bombay Stock Exchange (BSE) and all rights accruing from the same, statutory or otherwise, wholly vest with BSE.
Any violation of the above would constitute an offence under the laws of India and international treaties governing the same.
The names of other companies and third party products may be trademarks or service marks of their respective owners.

’s New Trading System F7 Eurex Repo Release 1.0

Transcription

Similar documents

Euribor renaissance at Eurex?

Michael Pachelo

Math Tier 2

Certificate of Registration Evans Chemetics LP

Calbag Portland

ISO 9001

Certificate of Registration Lintech International LLC

Certificate of Registration - Best Global Source

Certificate of Registration Glasseal Products Inc.

ISO 14001 - Renosol Corporation