
TTM Network Administration

TTM Anonymous

Overview

Remote Client and Remote Host Daemons support anonymous authentication, which uses a simplified version of the STS (Station-to-Station) protocol. This authentication scheme assumes that public keys are automatically installed with the X_TRADER software, and that the certificates and private keys are installed and managed by a CA administrator.

How Anonymous Authentication and Encryption Works

Before encryption is enabled, the client upgrades to a version of X_TRADER that includes TTM version 3.2.1 or later. This version includes the TT Root Public Key. Additionally, the CA administrator copies the shared keys and certificates to the Remote Host Daemons (described in Copying the Keys and Certificates to the Remote Host Daemon).

Next, the Remote Host Daemon is configured for encryption. This includes setting the preferred algorithm, the key exchange type, and the key length (described in Configuring the Encryption Parameters) and enabling encryption (described in Enabling Encryption on The Remote Host Daemon).

Finally, encryption is enabled on the Remote Clients (described in Enabling Encryption on Remote Clients).

After encryption is configured and enabled, the Remote Clients and Remote Host Daemons exchange handshakes before transmitting data. These handshakes include the encryption messages, which contain the calculated shared keys and encrypted private keys that can only be decrypted by a receiver that holds the shared key.

Additionally, the system verifies that the encryption parameters in the ttmd.cfg file match on both sides. If the encryption algorithm or key size does not match between a Remote Client and a Remote Host Daemon, the Remote Host Daemon’s settings are used.

If the exchange of certificates and keys was successful, data on the configured services is now encrypted between the Remote Client and Remote Host Daemons. The figure called Successful X_TRADER to X_TRADER Remote Host Encryption Setup shows a successful encryption setup.

Successful X_TRADER to X_TRADER Remote Host Encryption Setup

  1. The Remote Client Daemon system sends a Diffie-Hellman authentication file to the receiving Remote Host Daemon.
  2. The receiving side returns a Diffie-Hellman authentication file, the stored broker certificate, and the encrypted key.
  3. The initiating side returns its encrypted key.
  4. Data between the Remote Client and Remote Host Daemons is now compressed, encrypted, sent over the network, decrypted, and then decompressed.
Note

If TTM must support Remote Clients running TTM 3.2.0 or earlier, add the allow_insecure_connections parameter to the <General> section of the ttmd.cfg file of the Remote Host and set it to true. For more information, refer to the section called Allowing Older Remote Clients to Connect (Dual Mode).

Copying the Keys and Certificates to the Remote Host Daemon

Encryption requires that the following files exist in the ~tt/config directory on each Remote Host Daemon:

  • The root certificate
  • The private key (also known as the client or personal key)
  • The local certificate (also known as the signed client certificate)

These files are created by the Certificate Authority (CA) and then distributed to the Remote Host Daemons and Remote Clients. The root certificate is the same for all members of a group, but the private key and local certificate files are unique to each server.

Note

You do not need to copy any files to the X_TRADER workstations. X_TRADER workstations running TTM 3.2.1 or later already include the required TT Root Public Certificate.

Configuring the Encryption Parameters

Configure the encryption parameters in the ttmd.cfg file on the Remote Client and Remote Host Daemons. If the default values are acceptable, the parameters do not need to be added.

Encryption Parameters

Parameter               Description
encryption_algorithm    The algorithm to use (3DES or AES). The default is AES.
key_exchange_method     The type of authentication used. X_TRADER Remote Hosts typically use anonymous authentication (sts_half), but can be configured for peer-to-peer authentication as well (sts_full). The default is sts_half.
encryption_key_length   The length of the key, in bits (128 or 256). The default is 128 bits.

Note: If the encryption_algorithm is 3des, the encryption_key_length must be 256.

Example ttmd.cfg - Encryption Parameters

    <TTMConfiguration>
    <General>
    . . .
    encryption_algorithm=aes
    key_exchange_method=sts_half
    encryption_key_length=128
    </General>
    . . .
    </TTMConfiguration>

Enabling Encryption on The Remote Host Daemon

You can enable the Remote Host Daemon to encrypt data as follows:

  • For all services: To configure this type of encryption, add encryption_enabled=true to the <General> section of the ttmd.cfg file. To disable encryption, omit the encryption_enabled parameter (the default value is false), or set encryption_enabled=false.

    Example ttmd.cfg - Encryption

      <TTMConfiguration>
      <General>
      . . .
      encryption_algorithm=aes
      key_exchange_method=sts_half
      encryption_key_length=128
      encryption_enabled = true
      </General>
      <MulticastGroups> ... </MulticastGroups>
      </TTMConfiguration>

  • By individual service, so that it encrypts data for one service, and leaves data on another service unencrypted. To configure this type of encryption, add encryption_enabled=true to the <Service> section, under <LocalServices> in the ttmd.cfg file. To disable encryption, omit the encryption_enabled parameter (the default value is false), or set encryption_enabled=false.

    Example ttmd.cfg - Encryption

      <TTMConfiguration>
      <General>
      . . .
      encryption_algorithm=aes
      key_exchange_method=sts_half
      encryption_key_length=128
      </General>
      <MulticastGroups> ... </MulticastGroups>
      <LocalServices>
      <Service1>
      Service = 8900
      encryption_enabled = true
      compression_level = true
      TcpNoDelay = true
      </Service1>
      <Service2>
      Service = 8901
      encryption_enabled = false
      compression_level = true
      TcpNoDelay = true
      </Service2>
      </LocalServices>
      </TTMConfiguration>

Note

All connections to the service on port 10200 are authenticated, but only the ones with this flag set are encrypted.

Enabling Encryption on Remote Clients

To enable encryption on Remote Clients, add encryption_enabled=true to the <General> section of the ttmd.cfg file. To disable encryption, omit the encryption_enabled parameter (the default value is false), or set encryption_enabled=false.

Note

If encryption is enabled on the Remote Host Daemon, the data will be encrypted, even if encryption_enabled=false on the Remote Client. If encryption is disabled on the Remote Host Daemon and enabled on the Remote Client Daemon, the system will log errors to the ttmd.log file and the connection will not be established.
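A small configuration checker, added here as an example and not part of TT's own software: it parses the section/key=value layout shown under Configuring the Encryption Parameters (the parser is an assumption drawn from the page's examples), applies the page's defaults and the 3des/256-bit rule, and predicts the host/client outcome described in the note above. The sample ttmd.cfg content is constructed.

```python
import re

# Constructed sample in the page's ttmd.cfg layout (not a real file); it breaks the 3des/256-bit rule.
SAMPLE_CFG = """<TTMConfiguration>
<General>
encryption_algorithm=3des
encryption_key_length=128
encryption_enabled = true
</General>
</TTMConfiguration>"""

RULES = {"encryption_algorithm": ("aes", ("aes", "3des")),          # (default, allowed)
         "key_exchange_method": ("sts_half", ("sts_half", "sts_full")),
         "encryption_key_length": ("128", ("128", "256"))}

def parse_ttmd_cfg(text):
    """Parse <Section>...</Section> blocks with key=value lines into nested dicts (assumed format)."""
    stack, cur = [], {}                               # stack: (open tag, parent dict)
    for line in (raw.strip() for raw in text.splitlines()):
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag and tag.group(1):                      # closing tag must match the open one
            if not stack or stack[-1][0] != tag.group(2):
                raise ValueError(f"unexpected </{tag.group(2)}>")
            _, cur = stack.pop()
        elif tag:                                     # opening tag: descend into a child
            stack.append((tag.group(2), cur))
            cur = cur.setdefault(tag.group(2), {})
        elif "=" in line:                             # key=value; spaces around '=' allowed
            key, _, value = line.partition("=")
            cur[key.strip().lower()] = value.strip().lower()
    if stack:
        raise ValueError(f"unclosed section <{stack[-1][0]}>")
    return cur                                        # back at the root once all closed

def check_general(general):
    """Return the page's rule violations for a <General> section (defaults applied)."""
    eff = {k: general.get(k, d) for k, (d, _) in RULES.items()}
    problems = [f"{k}={v}" for k, v in eff.items() if v not in RULES[k][1]]
    if eff["encryption_algorithm"] == "3des" and eff["encryption_key_length"] != "256":
        problems.append("3des requires encryption_key_length=256")
    return problems

def negotiate(host_general, client_general):
    """Outcome per the page: host on -> encrypted (host params win); client-only on -> error."""
    h_on = host_general.get("encryption_enabled", "false") == "true"
    c_on = client_general.get("encryption_enabled", "false") == "true"
    if not h_on:
        return {"result": "error" if c_on else "plaintext"}  # error is logged to ttmd.log
    return {"result": "encrypted", "algorithm": host_general.get("encryption_algorithm", "aes"),
            "key_length": host_general.get("encryption_key_length", "128")}
```

Run check_general on each daemon's <General> section before enabling encryption; a non-empty list means the handshake would fall back to the host's settings or fail.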

Allowing Older Remote Clients to Connect (Dual Mode)

By default, if encryption is enabled on the Remote Host to which a Remote Client attempts to connect, that client must have the appropriate root certificate in the Remote Client’s tt/config directory. Because TTM 3.2.0 does not include the root certificate, connections from 3.2.0 and earlier clients will fail unless you manually add this file.

However, if your environment must also support Remote Clients running TTM 3.2.0 or earlier, you can allow the older clients to connect by adding the allow_insecure_connections=true parameter to the <General> section of the ttmd.cfg file. If this parameter is omitted, it defaults to false.

Note

TTM 4.2.2 does not allow older Remote Clients to connect to Remote Hosts that only have encryption enabled per service (in the <LocalServices> section).

Note

If the Remote Client supports encryption (TTM 3.1.x or 3.2.0), do not enable encryption on the Remote Client. If the encryption_enabled parameter has been added to the Remote Client’s ttmd.cfg file and set to true, older clients will fail to connect to the Remote Host.

To allow older Remote Clients to connect to the Remote Host:

  1. Using Notepad, open the Remote Host’s ttmd.cfg file (typically located in <root drive>:\tt\config).
  2. In the <General> section, add the following line:

    allow_insecure_connections=true

  3. If the Remote Client supports encryption (TTM 3.1.x or 3.2.0), make sure that the encryption_enabled parameter is either omitted or set to false (in the <General> section of Remote Client’s ttmd.cfg file).

    A Remote Host will now accept unencrypted connections from Remote Clients that do not have the appropriate root certificate (i.e. a Remote Client running version 3.2.0 or earlier).

Using Peer-to-Peer Authentication on X_TRADER Remote Hosts

If the X_TRADER Remote Host is configured to use peer-to-peer authentication, set the key_exchange_method to sts_full (refer to Configuring the Encryption Parameters) and then copy the certificates, keys, and CRLs to the X_TRADER client and X_TRADER Remote Host as described in Copying the Keys and Certificates to the Remote Host Daemon.