Configuring the Order Server OTC connection
Before You Begin
Before you configure the Order Server OTC connection on the SGX_OTC Gateway, review the exchange document, “Connecting to Titan OTC through TLS (SSL)” and perform the steps listed in “How does 2-way TLS work in Titan OTC”. On the SGX_OTC Gateway, you will need to do the following:
- Download and install the stunnel software on your SGX_OTC Gateway machine. This software needs to be configured on the SGX_OTC Gateway so that the Order Server can connect to the Titan OTC server.
- Download the Titan OTC Certificate Authority’s root certificate (global_root_certificate.pem) and save it in <root drive>:\tt\config on your gateway machine. Download the certificate type based on the "Connection Matrix" in the exchange document.
- Purchase a certificate for the SGX_OTC Gateway from an authorized CA.
Converting the certificate to PEM format
Based on the format of your purchased certificate, you may need to convert the certificate to the PEM file format (*.pem) for use by the stunnel software on the SGX_OTC Gateway machine.
Note: Certificates purchased from different certificate authorities may be delivered in various formats (e.g., PFX). The instructions in this topic cover converting PFX files to PEM for use on the TT SGX_OTC Gateway. For other file formats, you will have to determine how best to convert your certificates to PEM.
- Open a cmd window (Windows Command prompt) on the gateway server machine.
- Store the purchased certificate (e.g., sgx.pfx) in any working directory on the gateway machine (e.g., <root drive>:\tt\config\SGX_Titan_OTC_certs). Note: After the conversion, the *.pem files need to be stored in a directory under \tt\config.
- Install the open-source OpenSSL conversion tools (https://slproweb.com/products/Win32OpenSSL.html) on the gateway (e.g., C:\OpenSSL-Win32).
- Enter: cd <path to purchased certificate> (e.g., cd <root drive>:\tt\config\SGX_Titan_OTC_certs).
- Type and enter the following command to convert the certificate, where:
- -in — is the certificate purchased from the CA that is being converted (e.g., sgx.pfx)
- -out — is the converted output file in PEM format (e.g., sgx.pem)
- Enter the import password provided by the authorized CA (e.g., it may be provided by the CA in a separate .txt file)
- Open the converted sgx.pem file in a text editor. The PEM file contains both the private key and the certificate (public key) portions of the purchased certificate, and you need to open it in a text editor to extract the two. Note: This step is necessary for converting PFX files to PEM, but may not be necessary for other purchased certificate file formats. You will need to research how to convert your file format and discuss the conversion with the exchange.
- Copy-and-paste the public and private keys to separate PEM files:
- Copy the private key content between BEGIN PRIVATE KEY and END PRIVATE KEY (including these two lines) and paste it in a private key PEM file (e.g., sgx.key.pem)
- Copy the public key content between BEGIN CERTIFICATE and END CERTIFICATE (including these two lines) and paste in a public key PEM file (e.g., sgx.crt.pem)
- Save the "sgx.key.pem" private key and "sgx.crt.pem" public key in a directory under \tt\config (e.g., use the "tt\config\SGX_Titan_OTC_certs" directory that you created in Step 2).
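As an added example (not from the TT documentation or its tools), the following Python script performs the copy-and-paste step above programmatically: it pulls the PRIVATE KEY and CERTIFICATE blocks out of the converted sgx.pem, discards the Bag Attributes text that the PFX conversion leaves around them, and refuses a passphrase-protected key, since the procedure above expects an unencrypted BEGIN PRIVATE KEY block. The sample PEM, file names and paths are constructed placeholders.

```python
import re
from pathlib import Path

# Constructed sample of what a PFX-to-PEM conversion typically outputs (placeholder base64, not a real key or cert)
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7PLACEHOLDER
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03
subject=CN=sgx-gateway.example
issuer=CN=Example CA
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
"""

# Matches one PEM block; the backreference ensures BEGIN and END labels agree
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, block_text) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(0)) for m in BLOCK_RE.finditer(text)]

def split_pem(text):
    """Separate the single private key from the certificate(s), without the surrounding Bag Attributes text."""
    blocks = pem_blocks(text)
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if keys[0].startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----"):
        # The conversion wrote a passphrase-protected key; the procedure expects a plain PRIVATE KEY block
        raise ValueError("private key is passphrase-protected; re-run the conversion without a PEM passphrase")
    # Keep every certificate (an intermediate chain may follow the end-entity cert)
    return keys[0] + "\n", "\n".join(certs) + "\n"

def write_key_and_cert(pem_path, key_path, cert_path):
    """Write sgx.key.pem and sgx.crt.pem equivalents from the combined PEM file (hypothetical paths)."""
    key, cert = split_pem(Path(pem_path).read_text())
    Path(key_path).write_text(key)
    Path(cert_path).write_text(cert)
    return key_path, cert_path
```

Restrict read access on the resulting private key file to the account that runs stunnel on the gateway.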
Configuring a Titan OTC connection
Use this procedure to configure the stunnel software that the SGX_OTC Gateway Order Server uses to connect to the Titan OTC server.
Note: Before you begin, ensure that the stunnel software has been installed on the gateway machine.
- Click the stunnel GUI icon on your Windows desktop to start running stunnel.
- In the stunnel GUI, click Configuration > Edit Configuration. Clicking Edit Configuration opens stunnel.conf in a text editor.
- Copy the sample .conf file from TT and paste it in stunnel.conf. Note: The TT .conf file provides parameters for connecting to the Titan OTC Conformance environment via VPN. You will need to determine your type of connectivity in production and configure the corresponding IP addresses provided in the “Connection Matrix” section of the “Connecting to Titan OTC through TLS (SSL)” document.
- Make the necessary configuration changes in stunnel.conf:
- connect = 10.37.253.231:9443 ← Refer to “Connecting to Titan OTC through TLS (SSL)” for the IP address and port of the desired connectivity and environment (e.g., VPN Conformance)
- cert = C:\tt\config\SGX_Titan_OTC_certs\sgx.crt.pem ← The "sgx.crt.pem" public key file on the gateway machine under "tt\config"
- key = C:\tt\config\SGX_Titan_OTC_certs\sgx.key.pem ← The "sgx.key.pem" private key file on the gateway machine under "tt\config"
- checkHost = *.qa.sgx.com ← Refer to “Connecting to Titan OTC through TLS (SSL)” for the CN host name of the desired connectivity and environment (e.g., VPN Conformance)
- Save the changes and close the stunnel.conf file.
- In the stunnel GUI, click Configuration > Reload Configuration.
- Open hostinfo.cfg in a text editor and add the IP and port from the accept parameter in stunnel.conf to the ExchangeIP and ExchangePort parameters in the same [OrderSession] section:
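The following is an added illustration of how the two files fit together; it is not TT's sample .conf file, which remains authoritative. The service name, the loopback accept address, the CAfile path and the hostinfo.cfg key syntax are assumptions; the connect, cert, key and checkHost values are the ones shown above for VPN Conformance.

```ini
; stunnel.conf on the SGX_OTC Gateway (assumed layout)
[titan-otc]
client = yes
; The Order Server connects here in plain TCP; stunnel wraps it in TLS (assumed loopback address and port)
accept = 127.0.0.1:9443
; Titan OTC endpoint for the chosen environment (VPN Conformance value from the procedure above)
connect = 10.37.253.231:9443
; The gateway's own certificate and private key, presented for 2-way TLS
cert = C:\tt\config\SGX_Titan_OTC_certs\sgx.crt.pem
key = C:\tt\config\SGX_Titan_OTC_certs\sgx.key.pem
; Verify the Titan OTC server's chain against the exchange root certificate downloaded in "Before You Begin"
; (assumed location under \tt\config); checkHost then pins the expected CN from the Connection Matrix
CAfile = C:\tt\config\global_root_certificate.pem
verifyChain = yes
checkHost = *.qa.sgx.com

; hostinfo.cfg: the Order Server is pointed at the local stunnel listener, not at the exchange directly,
; so ExchangeIP and ExchangePort repeat the accept address above (key syntax assumed)
[OrderSession]
ExchangeIP=127.0.0.1
ExchangePort=9443
```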