@hgardon

That www.test.com is a hostname for testing purposes.

You need to contact your internal team who generates those certificate and private key files to verify what the problem is.

To connect to an encrypted server, you need to install the certificate file on the client's machine and the application needs to use that certificate file to connect to the encrypted server.

For example, on Windows machines, you can use the openssl tool to convert the cert.pem to the cert.crt file.

openssl x509 -outform der -in cert.pem -out cert.crt

Then, install the cert.crt file on Windows machines.

I checked and found that the wsapi_tryitnow doesn't support the wss:// connections. Therefore, you need to use other tools instead, such as Postman or Python.

Hello @hgardon,

Most of your question is answered in a similar question here.

Since you are using Java, I would recommend that you use RTSDK - EMA Java which will ease a lot of development troubles like session and subscription management. EMA also has an option to use WebSockets as a transport layer - although I don't see any benefits of using it with local RTDS.

Here are Quickstart and Tutorials for EMA Java.

@hgardon

Currently, ADS supports WebSocket encrypted connections via the following configurations.

The encrypted WebSocket server requires a server certification file and server private key file. Typically, you need to contact your IT support team to generate this file. Otherwise, you can use the OpenSSL tool to generate these files for testing purpose. Please refer to the Configuring Encrypted Connections on ADS article.

Then, you need to add the certificate file to the Java truststore file (cacerts), as mentioned in that article.

Yes, you need to use the wss for the Websocket Encrypted connections.

 server = String.format("wss://%s:%s/WebSocket", hostname, port);

You can also refer to the Example on GitHub that shows how to establish a secure Websocket connection to Refinitiv Real-Time Optimized server.

Hello,

Thank you a lot for your answers.
@Gurpreet Unfortunately, we can not switch to EMA at this moment so we continue with WebSocket API.

@Jirapongse thank you for your input, so we generated the two following certificates :

* trrt.cer
* trrt.pem

and we updated the distribution.cnf with the below :

We restarted all the services at the infra level.
We udpated the websocket.js file to :

Unfortunately, when trying to connect through wsapi_tryitnow, we got the following error :



Is there something we missed ?

Thanks,

Hi @Jirapongse ,

Indeed, I checked the ads logs and we have the below error :

<trrt.1.ads: Error: Fri Mar 08  18:40:30 2024>
WS Server "distribution_ws_sink" initialization failed: </local/jenkins/workspace/RTDSCore_Release/OS/RH8-64/esdk/source/rtsdk/Cpp-C/Eta/Impl/Transport/ripcsslutils.c:1658> Error: 2001 ripcSSLSetupCTXServer() error loading certificate from file trrt.cerOpenSSL Error string: error:02001002:system library:fopen:No such file or directory:fopen('trrt.cer','r'):crypto/bio/bss_file.c:288:
OpenSSL Error string: error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:290:
OpenSSL Error string: error:140DC002:SSL routines:use_certificate_chain_file:system lib:ssl/ssl_rsa.c:596:

Do you know where we need to put the certificates files ?
Currently they are located into these folders :

./SOFTWARE/globalconfig/trrt.cer

./SOFTWARE/globalconfig/trrt.pem

./SOFTWARE/ads3.6.1.L1.linux.rrg/config/trrt.pem

./SOFTWARE/ads3.6.1.L1.linux.rrg/config/trrt.cer

Thanks,

@Jirapongse
Thanks,
I used absolute paths and I do not have the error anymore, but now I have :

<trrt.1.ads: Error: Mon Mar 11  16:41:24 2024>
WS Server "distribution_ws_sink" initialization failed: </local/jenkins/workspace/RTDSCore_Release/OS/RH8-64/esdk/source/rtsdk/Cpp-C/Eta/Impl/Transport/ripcsslutils.c:1669> Error: 2001 ripcSSLSetupCTXServer() error loading private key from file /opt/refinitiv/SOFTWARE/globalconfig/trrt.pemOpenSSL Error string: error:2807106B:UI routines:UI_process:processing error:while reading strings:crypto/ui/ui_lib.c:545:
OpenSSL Error string: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
OpenSSL Error string: error:0907B068:PEM routines:PEM_read_bio_PrivateKey:bad password read:crypto/pem/pem_pkey.c:64:
OpenSSL Error string: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:537:

What does it means ? Our certificates are corrupted ?
We need to create new ones ?

Edit : I created new ones following the doc here : https://developers.lseg.com/en/article-catalog/article/configuring-encrypted-connections-on-ads

I have a question about : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj '/CN=www.test.com'

www.test.com is the machine that is hosting the ADS infra ?

With this change, I have no more error when restarting ads but I still can not connect to the infra using wsapi_tryitnow.

Hi @Jirapongse ,

Just to let you know that we finally managed to make it work !

Thanks a lot for the support !