Java sample code to connect to WSS (RTDS)

hgardon

Hello,

We are updating our application to be able to support WebSocket secured connection with RTDS.

We have several questions :

First, we udpated our ADS to be compatible with secured connection updating the below property :

*ads*distribution_ws_sink*connectionType : 1

Then we restarted the ads.

Is it all ?

Do we need to update/change other properties ?

What about these ones ?

*ads*distribution_ws_sink*serverCert :

*ads*distribution_ws_sink*serverPrivateKey :

Secondly, how can we test the connection ?

With wsapi_tryitnow, we can see that the connection to non secured WebSocket API is done through :

var WS_URL = 'ws://' + hostName + ':' + portNumber + '/WebSocket';

_websocket = new WebSocket(WS_URL, "tr_json2");

Is it the same with WSS ?

Do we need to change WS_URL from 'ws://' to 'wss://' ?

Do we need to change anything else ?

Thanks for the help.

Regards,

Find more posts tagged with

websockets

#technology

Accepted answers

Jirapongse

@hgardon

That www.test.com is a hostname for testing purposes.

You need to contact your internal team who generates those certificate and private key files to verify what the problem is.

To connect to an encrypted server, you need to install the certificate file on the client's machine and the application needs to use that certificate file to connect to the encrypted server.

For example, on Windows machines, you can use the openssl tool to convert the cert.pem to the cert.crt file.

openssl x509 -outform der -in cert.pem -out cert.crt

Then, install the cert.crt file on Windows machines.

I checked and found that the wsapi_tryitnow doesn't support the wss:// connections. Therefore, you need to use other tools instead, such as Postman or Python.

All comments

Gurpreet

Hello @hgardon,

Most of your question is answered in a similar question here.

Since you are using Java, I would recommend that you use RTSDK - EMA Java which will ease a lot of development troubles like session and subscription management. EMA also has an option to use WebSockets as a transport layer - although I don't see any benefits of using it with local RTDS.

Here are Quickstart and Tutorials for EMA Java.

Jirapongse

@hgardon

Currently, ADS supports WebSocket encrypted connections via the following configurations.

The encrypted WebSocket server requires a server certification file and server private key file. Typically, you need to contact your IT support team to generate this file. Otherwise, you can use the OpenSSL tool to generate these files for testing purpose. Please refer to the Configuring Encrypted Connections on ADS article.

Then, you need to add the certificate file to the Java truststore file (cacerts), as mentioned in that article.

Yes, you need to use the wss for the Websocket Encrypted connections.

 server = String.format("wss://%s:%s/WebSocket", hostname, port);

You can also refer to the Example on GitHub that shows how to establish a secure Websocket connection to Refinitiv Real-Time Optimized server.

wasin.w

Hello @hgardon

Additionally, this Choosing a Real-time Streaming API article might help you too.

hgardon

Hello,

Thank you a lot for your answers.
@Gurpreet Unfortunately, we can not switch to EMA at this moment so we continue with WebSocket API.

@Jirapongse thank you for your input, so we generated the two following certificates :

* trrt.cer
* trrt.pem

and we updated the distribution.cnf with the below :

We restarted all the services at the infra level.
We udpated the websocket.js file to :

Unfortunately, when trying to connect through wsapi_tryitnow, we got the following error :

Is there something we missed ?

Thanks,

Jirapongse

@hgardon

I can't see the pictures.

You can check the ADS log file to make sure that the server ran properly with those configurations.

hgardon

Hi @Jirapongse ,

Indeed, I checked the ads logs and we have the below error :

<trrt.1.ads: Error: Fri Mar 08  18:40:30 2024>
WS Server "distribution_ws_sink" initialization failed: </local/jenkins/workspace/RTDSCore_Release/OS/RH8-64/esdk/source/rtsdk/Cpp-C/Eta/Impl/Transport/ripcsslutils.c:1658> Error: 2001 ripcSSLSetupCTXServer() error loading certificate from file trrt.cerOpenSSL Error string: error:02001002:system library:fopen:No such file or directory:fopen('trrt.cer','r'):crypto/bio/bss_file.c:288:
OpenSSL Error string: error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:290:
OpenSSL Error string: error:140DC002:SSL routines:use_certificate_chain_file:system lib:ssl/ssl_rsa.c:596:

Do you know where we need to put the certificates files ?
Currently they are located into these folders :

./SOFTWARE/globalconfig/trrt.cer

./SOFTWARE/globalconfig/trrt.pem

./SOFTWARE/ads3.6.1.L1.linux.rrg/config/trrt.pem

./SOFTWARE/ads3.6.1.L1.linux.rrg/config/trrt.cer

Thanks,

Jirapongse

@hgardon

You can use absolute paths in the configurations.

*ads*distribution_ws_sink*serverCert : /<path>/cert.pem
*ads*distribution_ws_sink*serverPrivateKey : /<path>/key.pem

hgardon

@Jirapongse
Thanks,
I used absolute paths and I do not have the error anymore, but now I have :

<trrt.1.ads: Error: Mon Mar 11  16:41:24 2024>
WS Server "distribution_ws_sink" initialization failed: </local/jenkins/workspace/RTDSCore_Release/OS/RH8-64/esdk/source/rtsdk/Cpp-C/Eta/Impl/Transport/ripcsslutils.c:1669> Error: 2001 ripcSSLSetupCTXServer() error loading private key from file /opt/refinitiv/SOFTWARE/globalconfig/trrt.pemOpenSSL Error string: error:2807106B:UI routines:UI_process:processing error:while reading strings:crypto/ui/ui_lib.c:545:
OpenSSL Error string: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
OpenSSL Error string: error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad password read:crypto/pem/pem_pkey.c:64:
OpenSSL Error string: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:537:

What does it means ? Our certificates are corrupted ?
We need to create new ones ?

Edit : I created new ones following the doc here : https://developers.lseg.com/en/article-catalog/article/configuring-encrypted-connections-on-ads

I have a question about : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj '/CN=www.test.com'

www.test.com is the machine that is hosting the ADS infra ?

With this change, I have no more error when restarting ads but I still can not connect to the infra using wsapi_tryitnow.

Jirapongse

@hgardon

That www.test.com is a hostname for testing purposes.

You need to contact your internal team who generates those certificate and private key files to verify what the problem is.

To connect to an encrypted server, you need to install the certificate file on the client's machine and the application needs to use that certificate file to connect to the encrypted server.

For example, on Windows machines, you can use the openssl tool to convert the cert.pem to the cert.crt file.

openssl x509 -outform der -in cert.pem -out cert.crt

Then, install the cert.crt file on Windows machines.

I checked and found that the wsapi_tryitnow doesn't support the wss:// connections. Therefore, you need to use other tools instead, such as Postman or Python.

hgardon

Hi @Jirapongse ,

Just to let you know that we finally managed to make it work !

Thanks a lot for the support !

EXPLORE OUR SITES