Trayport Joule Direct Connectivity Guide 02/11/2020
Trayport Guide

This document describes the options to connect your company to Trayport® using public access Internet or private networks.

Legal Notice

All rights reserved. The software contains proprietary information of Trayport® Limited; it is provided under a licence agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development this information may change without notice.

The information and intellectual property contained herein is confidential between Trayport Limited and the client and remains the exclusive property of Trayport Limited. If you find any problems in the documentation, please report them to us in writing. Trayport Limited does not warrant that this document is error-free.

This guide is for the client's internal use with a licensed Trayport product only. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Trayport Limited.

All information submitted to Trayport will be subject to Trayport's Privacy Policy as amended from time to time. The privacy policy can be found at www.trayport.com. Trayport is a registered trademark of Trayport Limited.

This document was written using Author-it in British English. It was last updated on 02/11/2020 (16:51).

7th Floor, 9 Appold Street, London, EC2A 2AP
Trayport Home Page http://www.trayport.com
Copyright© 2020 Trayport
Contents

Chapter 1: Production Environments (page 2)
  1.1 Public Internet Connectivity (page 2)
    1.1.1 Allocated External IP Space (page 2)
      1.1.1.1 Centrally Provided Services (page 2)
      1.1.1.2 Dedicated Services (page 2)
    1.1.2 Joule Direct Aliases (page 3)
    1.1.3 Connecting to Joule Direct via a Proxy (page 3)
  1.2 Private Connectivity (page 4)
    1.2.1 BT Radianz (page 4)
      1.2.1.1 Network Address Translation (NAT) Details (page 4)
      1.2.1.2 Bandwidth (page 4)
      1.2.1.3 SAF+ Extra service (page 4)
    1.2.2 Singapore Hub (page 5)
    1.2.3 Leased Lines and Direct Peering (page 5)
  1.3 TLS/SSL & Certificates (page 5)
    1.3.1 Root Certificates (page 5)
    1.3.2 Certificate Validation (page 6)
Chapter 2: Test Environments (page 7)
  2.1 Connectivity (page 7)
  2.2 Joule Direct Virtual Market (page 7)
  2.3 Custom & Private Testing (page 7)
Appendix A: Centrally Provided Services (page 8)
Appendix B: Specific IP Internet Addresses and Ports (page 9)
  B.1 Production Addresses (page 9)
  B.2 Client UAT Addresses (page 10)
  B.3 Client Integration Addresses (page 11)
Appendix C: Specific BT Radianz IP Addresses and Ports (page 12)
Appendix D: Specific Private Connectivity IP Addresses and Ports (page 13)
Glossary (page 14)
Chapter 1: Production Environments

Trayport's production environments operate out of two data centres located in the United Kingdom. These are accessible over public Internet connections and using dedicated private links.

1.1 Public Internet Connectivity

You can connect to Trayport's services using the Internet. Trayport uses two providers for failover purposes. However, Trayport recommends that you use private networks, such as BT Radianz or our Singapore hub.

1.1.1 Allocated External IP Space

Trayport's allocated IP blocks are:
• 91.233.152.0/22 (91.233.152.0 - 91.233.155.255)
• 94.199.142.0/23 (94.199.142.0 - 94.199.143.255)

All Trayport offered Internet based services will be contained within this space, with the exception of the www.trayport.com website. However, we appreciate that some of your security policies may not allow for this entire range to be opened. Please refer to the more detailed information in the following sections.

1.1.1.1 Centrally Provided Services

Trayport uses a variety of techniques to ensure our services are reachable on the Internet as often as possible. For the majority of services, there is a single range of IP addresses that are accessible at all times, even though the traffic will be balanced and routed between data centres and presented over redundant Internet Service Providers (ISPs). Some services support a second passive connection to reduce failover time. In order to force the advertisement of these over a different ISP, a second IP range is used.
• A list of Centrally Provided Services can be found in Centrally Provided Services on page 8.
• A list of specific IP addresses and ports can be found in Specific IP Internet Addresses and Ports on page 9.

Description                     Prefix            Range                           Supernet
Primary Range                   91.233.153.64/27  91.233.153.64 - 91.233.153.95   91.233.153.64/26
Primary Range Future Expansion  91.233.153.96/27  91.233.153.96 - 91.233.153.127  91.233.153.64/26

1.1.1.2 Dedicated Services

Other production and UAT services may be provided anywhere within the 91.233.152.0/22 or 94.199.142.0/23 blocks; however, this will not change without notice. For further assistance please contact Trayport Support on +44 (0) 20 7960 5555 or support@trayport.com.
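A firewall administrator who is not permitted to open the whole /22 and /23 will want to check every published endpoint against the allocated blocks before writing a rule for it, and then emit the narrowest rule set that still covers the services in use. The following script is an added example written for this guide, not Trayport code. The block and supernet values are those given in section 1.1.1; the endpoint list mixes a few production addresses from Appendix B.1 with one constructed out-of-range entry (a TEST-NET-2 address) purely to show how a mistaken address is reported. The iptables syntax is an assumption about the reader's firewall and is easily swapped for another vendor's format.

```python
"""Audit published Trayport endpoints against the allocated blocks and emit per-host firewall rules.

Added example for this guide (not Trayport code). Block and supernet values are
taken from section 1.1.1; the endpoint list mixes production addresses from
Appendix B.1 with one constructed out-of-range entry to show how a bad address
is reported. The iptables syntax is an assumption about the reader's firewall.
"""
import ipaddress

# Allocated blocks (section 1.1.1).
ALLOCATED_BLOCKS = [
    ipaddress.ip_network("91.233.152.0/22"),
    ipaddress.ip_network("94.199.142.0/23"),
]
# Supernet of the centrally provided ranges (section 1.1.1.1).
CENTRAL_SUPERNET = ipaddress.ip_network("91.233.153.64/26")

# (dns_name, ip, port). The last entry is constructed (TEST-NET-2), not a Trayport address.
ENDPOINTS = [
    ("joule.dc1.trayport.com", "91.233.155.64", 443),
    ("joule.dc2.trayport.com", "91.233.153.64", 443),
    ("admin.jouledirect.trayport.com", "94.199.142.33", 443),
    ("support.trayport.com", "91.233.153.18", 443),
    ("bogus.example.test", "198.51.100.7", 443),
]


def classify(ip):
    """'central' if inside the centrally provided supernet, 'allocated' if inside
    either published block, otherwise 'outside'."""
    addr = ipaddress.ip_address(ip)
    if addr in CENTRAL_SUPERNET:
        return "central"
    if any(addr in block for block in ALLOCATED_BLOCKS):
        return "allocated"
    return "outside"


def audit(endpoints):
    """Split endpoints into (inside, outside) the published Trayport space.
    Anything 'outside' should be queried with Trayport before a rule is written for it."""
    inside, outside = [], []
    for entry in endpoints:
        (outside if classify(entry[1]) == "outside" else inside).append(entry)
    return inside, outside


def host_rules(endpoints, iface="eth0"):
    """Per-host /32 egress rules, for policies that will not open the whole /22 and /23."""
    return [
        f"iptables -A OUTPUT -o {iface} -p tcp -d {ip}/32 --dport {port} "
        f"-m comment --comment {name} -j ACCEPT"
        for name, ip, port in endpoints
    ]


def block_rules(endpoints, port=443):
    """Coarser alternative: one rule per allocated block that is actually in use."""
    used = {
        block
        for _, ip, _ in endpoints
        for block in ALLOCATED_BLOCKS
        if ipaddress.ip_address(ip) in block
    }
    return [f"iptables -A OUTPUT -p tcp -d {block} --dport {port} -j ACCEPT"
            for block in sorted(used)]


if __name__ == "__main__":
    inside, outside = audit(ENDPOINTS)
    for name, ip, _ in outside:
        print(f"WARNING: {name} ({ip}) is outside the published Trayport blocks; confirm with Trayport Support")
    print("\n".join(host_rules(inside)))
```

Run it after every revision of this guide: an address that fails the audit is either a transcription error or a genuine change to the published space, and both deserve a call to Trayport Support before the rule base is touched. The block_rules() form is the fallback for policies that accept a whole block but want it limited to port 443.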
1.1.2 Joule Direct Aliases

The following aliases provide quick and easy access to the Joule Direct trading platform and test environment. Enter the alias in the Server Address field in the Joule login screen.

Environment      Internet Alias          BT Radianz              Private
Production       jouledirect             jouledirectradianz      jouledirectprivate
User-Acceptance  jouledirecttest         jouledirecttestradianz  jouledirecttestprivate
Integration      jouledirectintegration  -                       -

Note: A dedicated Radianz link via Singapore is available for clients based in Asia. Contact your Trayport Technical Client Manager for more information.

1.1.3 Connecting to Joule Direct via a Proxy

Joule Direct supports connection via a proxy. The proxy address should be specified when you log in to Joule, before the Joule Direct address, separated by a slash (/). For example: http://proxy.server.com/jouledirect.

By default, when connecting via a proxy, Joule Direct attempts to connect using port 443 on the target and port 8080 on the proxy. If you wish to use another port for the proxy, specify the port number after the proxy server address, separated by a colon. For example: http://proxy.server.com:20000/jouledirect.
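When the Server Address field carries a proxy, the workstation never opens a connection to Trayport itself: it opens one to the proxy, and the proxy must in turn permit a CONNECT to the Joule Direct address on port 443. The parser below is an added example written for this guide, not Joule's own code; it implements the format described in section 1.1.3 (optional proxy before the alias, separated by a slash, ':port' after the proxy host, 8080 and 443 as defaults) and reports which host and port the workstation firewall actually needs. Accepting an http:// prefix, accepting a ':port' on the target, and the error handling are assumptions, since the guide shows only the two examples quoted above.

```python
"""Parse the value typed into the Joule Server Address field into proxy and target.

Added example for this guide (not Trayport code). Implements the format in
section 1.1.3: optional proxy before the Joule Direct address, separated by '/',
':port' after the proxy host (8080 by default) and 443 on the target. Accepting
an http:// prefix, a ':port' on the target and the error handling are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PROXY_PORT = 8080   # section 1.1.3
DEFAULT_TARGET_PORT = 443   # section 1.1.3


@dataclass(frozen=True)
class ServerAddress:
    target: str                          # Joule Direct alias or host name
    target_port: int = DEFAULT_TARGET_PORT
    proxy_host: Optional[str] = None
    proxy_port: Optional[int] = None

    @property
    def uses_proxy(self) -> bool:
        return self.proxy_host is not None


def _split_host_port(part: str, default_port: int):
    """'host' -> (host, default); 'host:20000' -> (host, 20000). IPv6 literals are not handled."""
    host, sep, port = part.rpartition(":")
    if not sep:
        return part, default_port
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid host:port {part!r}")
    return host, int(port)


def parse_server_address(value: str) -> ServerAddress:
    value = value.strip()
    # The guide's examples carry an http:// prefix; drop it (assumption: https:// is treated the same).
    for scheme in ("http://", "https://"):
        if value.lower().startswith(scheme):
            value = value[len(scheme):]
            break
    if not value:
        raise ValueError("server address is empty")
    if "/" not in value:                       # no proxy: plain alias such as 'jouledirect'
        host, port = _split_host_port(value, DEFAULT_TARGET_PORT)
        return ServerAddress(host, port)
    proxy_part, target_part = value.split("/", 1)
    if not proxy_part or not target_part:
        raise ValueError(f"malformed proxy address {value!r}")
    proxy_host, proxy_port = _split_host_port(proxy_part, DEFAULT_PROXY_PORT)
    target_host, target_port = _split_host_port(target_part, DEFAULT_TARGET_PORT)
    return ServerAddress(target_host, target_port, proxy_host, proxy_port)


def workstation_egress(addr: ServerAddress):
    """The (host, port) the workstation itself opens. With a proxy the workstation only
    reaches the proxy; the proxy must then permit CONNECT to the Joule Direct address on 443."""
    if addr.uses_proxy:
        return addr.proxy_host, addr.proxy_port
    return addr.target, addr.target_port


if __name__ == "__main__":
    for value in ("jouledirect", "http://proxy.server.com/jouledirect",
                  "http://proxy.server.com:20000/jouledirect"):
        addr = parse_server_address(value)
        print(f"{value!r}: workstation opens {workstation_egress(addr)}, proxy in use: {addr.uses_proxy}")
```

The practical consequence for rule writers: with a proxy in the Server Address, the workstation-side rule is for the proxy host and port only, and the Trayport addresses from the appendices belong on the proxy's egress policy instead.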
1.2 Private Connectivity

You have two options to connect to Trayport using private networks:
• BT Radianz
• WAN link to Singapore

1.2.1 BT Radianz

Trayport uses BT Radianz for all incoming private connections given its high performance, resilience, and prominence in the financial market. Should you have an existing relationship with BT Radianz, please contact your account manager regarding connectivity to Trayport. Alternatively, Trayport can approach BT Radianz on your behalf: contact details will be exchanged and a regional account manager will contact you regarding initial discussions on Radianz service provision.

Our SAN identifier is: Trayport_mngdservice_LON

1.2.1.1 Network Address Translation (NAT) Details

BT Radianz NAT is specific to each company connected to the service. BT Radianz provides the NAT details and assigns a new IP address to you once the service has been provisioned.

1.2.1.2 Bandwidth

The bandwidth required for each Joule user depends on the following factors:
• Permissions assigned to the user.
• Services and features enabled on the server and used.
• Number and type of the venues the server is connected to.
• Permissions assigned by the venue.

Under current market conditions, services and products available, Trayport recommends not less than 512 KBps as minimum bandwidth for each Read/Write user and 256 KBps for each Read-only user. This assumes that there is no connectivity to the European Energy Exchange, NASDAQ OMX Exchange or the Intercontinental Exchange. Please always consult with Trayport for your bandwidth estimate before contacting BT Radianz for connectivity.

1.2.1.3 SAF+ Extra service

Trayport strongly recommends the SAF+ Extra service, which allows you to "burst" into the bearer's spare capacity, preventing possible packet loss during peak hours. For example, when the Joule Front-End connects to the system or a new marketsheet is loaded from the server, a peak in bandwidth usage is expected. This peak is expected to be higher than 2 Mbps depending on various configuration aspects, for example the user's permissions, the size of the instrument collection and the time of day. This can vary from client to client and can change depending on the market conditions and products available.

Trayport recommends that clients review their bandwidth usage on a regular basis, taking into consideration any future change, in order to ensure that the allocated bandwidth meets their requirements. This data should be collected and averaged over a minimum one-second interval; coarser averages (for example five-minute interface counters) smooth away the login and marketsheet bursts described above. If you require any assistance regarding the capacity analysis please don't hesitate to contact us at Trayport Support on +44 (0) 20 7960 5555 or support@trayport.com.
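The one-second averaging the guide asks for matters because a burst that saturates the bearer for a single second disappears entirely in a ten-second or five-minute average. The script below is an added example written for this guide, not Trayport tooling. It bins a packet trace into fixed intervals, reports the peak and the seconds in which the committed rate was exceeded (the headroom a burst service such as SAF+ Extra has to absorb), and shows the same trace analysed at 1 s and at 10 s. The packet sample is constructed (timestamp in seconds, bytes on the wire) with a marketsheet-load style burst in second 3; it is not a real capture, and the 1 Mbit/s committed rate is an illustrative figure, not a Trayport recommendation.

```python
"""Per-second throughput analysis of a Joule session against the committed bearer rate.

Added example for this guide (not Trayport code). Section 1.2.1.3 says peaks
above 2 Mbps occur on login or marketsheet load and that usage should be
averaged at one-second granularity. The packet sample below is constructed
(timestamp in seconds, bytes on the wire) with a burst in second 3; it is
not a real capture, and the 1 Mbit/s committed rate is an illustrative figure.
"""
from collections import defaultdict

SAMPLE_PACKETS = (
    [(0.1, 1500), (0.4, 1500), (0.9, 800), (1.2, 1500), (1.7, 600), (2.3, 1500), (2.8, 1500)]
    + [(3.0 + i * 0.005, 1500) for i in range(200)]   # marketsheet load: 300,000 bytes in second 3
    + [(4.2, 1500), (4.6, 900), (5.5, 1500)]
)
COMMITTED_BPS = 1_000_000   # illustrative committed bearer rate, bits per second


def per_interval_bps(packets, interval=1.0):
    """Throughput in bits per second for each consecutive bin of 'interval' seconds,
    starting at t=0; empty bins are reported as 0 so gaps are not silently dropped."""
    if not packets:
        return []
    totals = defaultdict(int)
    for ts, nbytes in packets:
        totals[int(ts // interval)] += nbytes
    last_bin = max(totals)
    return [totals[i] * 8 / interval for i in range(last_bin + 1)]


def capacity_report(packets, committed_bps, interval=1.0):
    """Average, peak and the bins where the committed rate was exceeded. The difference
    between peak and committed rate is what a burst service such as SAF+ Extra has to absorb."""
    bins = per_interval_bps(packets, interval)
    peak = max(bins)
    return {
        "interval_s": interval,
        "average_bps": sum(bins) / len(bins),
        "peak_bps": peak,
        "bins_over_committed": [i for i, b in enumerate(bins) if b > committed_bps],
        "burst_headroom_bps": max(0.0, peak - committed_bps),
    }


if __name__ == "__main__":
    fine = capacity_report(SAMPLE_PACKETS, COMMITTED_BPS, 1.0)
    coarse = capacity_report(SAMPLE_PACKETS, COMMITTED_BPS, 10.0)
    print(f"1 s bins : peak {fine['peak_bps'] / 1e6:.2f} Mbit/s, "
          f"over committed in seconds {fine['bins_over_committed']}")
    print(f"10 s bins: peak {coarse['peak_bps'] / 1e6:.2f} Mbit/s, "
          f"over committed in bins {coarse['bins_over_committed']}")
```

With 1 s bins the trace shows a 2.4 Mbit/s peak in second 3 and 1.4 Mbit/s of burst above the committed rate; with 10 s bins the same trace averages to 0.25 Mbit/s and never appears to exceed it. Feed the function with timestamps and frame sizes exported from a capture on the Radianz-facing interface to reproduce the analysis on real traffic.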
1.2.2 Singapore Hub

In order to improve service delivery, Trayport operates a dedicated Wide Area Network (WAN) link to Singapore. If you are based in Asia you can connect into the platform using the dedicated WAN link to our London data centres rather than over the Internet.

Note: For details of how to connect to the Singapore Hub, please contact your Trayport Client Relationship Manager.

1.2.3 Leased Lines and Direct Peering

Trayport does not accept requests for leased lines or direct peering. For private connectivity, Trayport suggests that you use BT Radianz (see page 4).

1.3 TLS/SSL & Certificates

All of our centrally provided services and the majority of our other services use Transport Layer Security (TLS), referred to as Secure Sockets Layer (SSL) in older documentation. Trayport uses Thawte Consulting as the intermediate issuer of certificates, with DigiCert Inc. acting as the root certificate authority.

In order for the API application to check that all certificates in the Joule Direct certificate chain are valid (meaning not revoked), a call to the Thawte revocation server is made. Firewall rules must allow this connectivity. Additionally, the IP address of the revocation server changes periodically to mitigate DoS attacks, so a rule pinned to a single address will stop working without warning. To ensure connectivity is constantly available, the firewall rule should take all IP addresses associated with the relevant Thawte/DigiCert DNS entries into account.

The following web page provides some general information from DigiCert on testing CRL and OCSP access:
• https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm

1.3.1 Root Certificates

The following root certificates must be present in the Trusted Root Certification Authorities folder:
• DigiCert Global Root CA
• DigiCert High Assurance EV Root CA
• DigiCert Global Root G2

If you are using Windows Update to manage your operating system's PKI trust, some of these certificates may already be present in the Trusted Root Certification Authorities folder.
1.3.2 Certificate Validation

Certificates are validated either using the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL) associated with the intermediate certificate authority. These locations are hosted by Thawte on IP addresses that regularly change, so allow them by DNS name rather than by fixed address. The CRL distribution point and OCSP responder URLs are carried in the certificates themselves (the CRL Distribution Points and Authority Information Access extensions) and are plain HTTP URLs by design: CRLs and OCSP responses are signed, so they do not rely on TLS, and fetching them over HTTPS would require validating yet another certificate first. This is why the rule below is for port 80 and not 443.

The following web page provides information regarding DigiCert Trusted Root Authority Certificates:
• https://www.digicert.com/kb/digicert-root-certificates.htm

For further information, please contact Trayport Support on +44 (0) 20 7960 5555 or support@trayport.com.

Tip: Trayport's recommendation is to whitelist *.thawte.com/* and *.digicert.com/* for access through port 80.
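Two checks fall out of sections 1.3.1 and 1.3.2: are the three required roots actually trusted on the machine that runs Joule or the API application, and does a given CRL or OCSP URL fall within the wildcard-and-port-80 rule recommended above. The script below is an added example written for this guide, not Trayport code. The root names are those listed in section 1.3.1 and the permitted domains those in the Tip; the URLs in the usage section are constructed to match or violate that Tip and are not taken from a Trayport certificate. On a Windows host the Python ssl module reads the system ROOT store, which is the Trusted Root Certification Authorities folder the guide refers to; elsewhere it reads the OpenSSL default bundle, so the result there says nothing about the Windows trust store.

```python
"""Check the roots the guide requires are trusted locally, and classify revocation URLs.

Added example for this guide (not Trayport code). Root names come from section
1.3.1 and the permitted domains from the Tip in section 1.3.2. Real CRL/OCSP URLs
are read from a certificate's CRL Distribution Points and Authority Information
Access extensions; the ones in __main__ are constructed for illustration.
"""
import ssl
from urllib.parse import urlsplit

REQUIRED_ROOTS = {
    "DigiCert Global Root CA",
    "DigiCert High Assurance EV Root CA",
    "DigiCert Global Root G2",
}
REVOCATION_DOMAINS = ("thawte.com", "digicert.com")   # *.thawte.com and *.digicert.com
REVOCATION_PORT = 80                                  # CRL/OCSP are fetched over plain HTTP


def common_name(subject):
    """Extract the CN from the subject as returned by SSLContext.get_ca_certs():
    a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def missing_roots(ca_certs, required=REQUIRED_ROOTS):
    """Names from 'required' that do not appear as the CN of any loaded CA certificate."""
    present = {common_name(cert.get("subject", ())) for cert in ca_certs}
    return sorted(required - present)


def installed_roots():
    """CA certificates the local TLS stack trusts: the Windows ROOT store on Windows,
    the OpenSSL default bundle elsewhere."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


def revocation_endpoint(url):
    """(host, port, allowed): whether a CRL or OCSP URL is covered by the guide's rule.
    Only port 80 on the named domains (or their subdomains) counts as allowed; a host
    that merely ends in 'digicert.com' without the dot, such as notdigicert.com, does not."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        raise ValueError(f"no host in revocation URL {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    in_domain = any(host == d or host.endswith("." + d) for d in REVOCATION_DOMAINS)
    return host, port, in_domain and port == REVOCATION_PORT


if __name__ == "__main__":
    for name in missing_roots(installed_roots()):
        print(f"missing trusted root: {name}")
    # Constructed URLs, not taken from a Trayport certificate.
    for url in ("http://ocsp.thawte.com", "http://crl.digicert.com/example.crl",
                "http://notdigicert.com/x.crl", "https://ocsp.digicert.com/"):
        print(url, revocation_endpoint(url))
```

To apply revocation_endpoint() to the real chain, export the Joule Direct server and intermediate certificates and read their CRL Distribution Points and Authority Information Access URLs with a certificate viewer or openssl; every host those URLs name must resolve through the firewall on port 80, and any that falls outside the two domains is worth a question to Trayport Support.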
Chapter 2: Test Environments

2.1 Connectivity

Connectivity is provided through public access Internet services only.

2.2 Joule Direct Virtual Market

Joule Direct Virtual Market is a trading solution environment exclusively accessible to Trayport Joule Direct clients and SaaS clients. The primary purpose of the environment is to allow you to perform UAT testing of both new API features and new Joule functionality. The environment will always be kept up-to-date with the latest software releases and is often upgraded well in advance of promoting new software to a client's Production environment. This gives you the opportunity to get a pre-release look at new features without impacting your current Production processes.

2.3 Custom & Private Testing

If you require a custom or private testing solution, please contact Trayport Support on +44 (0) 20 7960 5555 or support@trayport.com.
Appendix A: Centrally Provided Services

The following services are provided in the smaller IP space as defined in Allocated External IP Space on page 2.

Service             Address                  Description
Joule Installation  joule.trayport.com       Installation and upgrades for the Joule client.
Monitoring          monitoring.trayport.com  Endpoint for on-premise systems which submit monitoring data to Trayport for analysis or which are enrolled with a Price Reporting Agency.
Support             support.trayport.com     Services which are used to enhance support: Joule Diagnostics and Joule automated crash analysis.
Appendix B: Specific IP Internet Addresses and Ports

This appendix provides connectivity details for Joule Direct services when connecting via the Internet. For BT Radianz connectivity details see Specific BT Radianz IP Addresses and Ports on page 12; for other private connectivity see Specific Private Connectivity IP Addresses and Ports on page 13.

B.1 Production Addresses

Service                      Data Centre  DNS Name                        IP Address      Port
Joule Direct Trading System  DC1          joule.dc1.trayport.com          91.233.155.64   443
Joule Direct Trading System  DC2          joule.dc2.trayport.com          91.233.153.64   443
Joule Direct Trading System  DC1          joule.dc1b.trayport.com         91.233.155.65   443
Joule Direct Trading System  DC2          joule.dc2b.trayport.com         91.233.153.65   443
Joule Mobile                 DC1          jm.jouledirect.trayport.com     94.199.142.32   443
Joule Mobile                 DC2          jm.jouledirect.trayport.com     94.199.143.32   443
Joule Direct Admin           DC1          admin.jouledirect.trayport.com  94.199.142.33   443
Joule Direct Admin           DC2          admin.jouledirect.trayport.com  94.199.143.33   443
Customer Portal              DC1          cp.jouledirect.trayport.com     94.199.142.13   443
Customer Portal              DC2          cp.jouledirect.trayport.com     94.199.143.13   443
Enhanced Support             -            support.trayport.com            91.233.153.18   443
Joule Download               -            joule.trayport.com              91.233.152.180  443
B.2 Client UAT Addresses

Service                      Data Centre  DNS Name                            IP Address      Port
Joule Direct Trading System  DC1          uat.joule.dc1.trayport.com          94.199.142.30   443
Joule Direct Trading System  DC2          uat.joule.dc2.trayport.com          94.199.143.30   443
Joule Direct Trading System  DC1          uat.joule.dc1b.trayport.com         94.199.142.31   443
Joule Direct Trading System  DC2          uat.joule.dc2b.trayport.com         94.199.143.31   443
Joule Mobile                 DC1          uat.jm.jouledirect.trayport.com     91.233.155.95   443
Joule Mobile                 DC2          uat.jm.jouledirect.trayport.com     91.233.153.95   443
Joule Direct Admin           DC1          uat.admin.jouledirect.trayport.com  91.233.155.95   443
Joule Direct Admin           DC2          uat.admin.jouledirect.trayport.com  91.233.153.95   443
Customer Portal              DC1          uat.cp.jouledirect.trayport.com     94.199.143.14   443
Customer Portal              DC2          uat.cp.jouledirect.trayport.com     94.199.143.14   443
Enhanced Support             -            support.trayport.com                91.233.153.18   443
Joule Download               -            joule.trayport.com                  91.233.152.180  443
B.3 Client Integration Addresses

Service                      Data Centre  DNS Name                                    IP Address      Port
Joule Direct Trading System  DC1          integration.joule.dc1.trayport.com          94.199.142.9    443
Joule Direct Trading System  DC2          integration.joule.dc2.trayport.com          94.199.143.9    443
Joule Direct Admin           DC1          integration.admin.jouledirect.trayport.com  94.199.142.10   443
Joule Direct Admin           DC2          integration.admin.jouledirect.trayport.com  94.199.143.10   443
Enhanced Support             -            support.trayport.com                        91.233.153.18   443
Joule Download               -            joule.trayport.com                          91.233.152.180  443
Appendix C: Specific BT Radianz IP Addresses and Ports

Service                                                Data Centre  DNS Name                             IP Address       Port
Joule Direct Trading System (Production)               DC1          joule.dc1.radianz.trayport.com       75.124.41.224    443
Joule Direct Trading System (Production)               DC2          joule.dc2.radianz.trayport.com       75.96.211.17     443
Joule Direct Trading System (Production)               DC1          joule.dc1b.radianz.trayport.com      75.124.41.225    443
Joule Direct Trading System (Production)               DC2          joule.dc2b.radianz.trayport.com      75.96.211.18     443
Joule Direct Trading System (User-Acceptance Testing)  DC1          uat.joule.dc1.radianz.trayport.com   75.124.41.229    443
Joule Direct Trading System (User-Acceptance Testing)  DC2          uat.joule.dc2.radianz.trayport.com   75.96.211.22     443
Joule Direct Trading System (User-Acceptance Testing)  DC1          uat.joule.dc1b.radianz.trayport.com  192.199.157.246  443
Joule Direct Trading System (User-Acceptance Testing)  DC2          uat.joule.dc2b.radianz.trayport.com  75.96.211.23     443
Appendix D: Specific Private Connectivity IP Addresses and Ports

Service                                                Data Centre  DNS Name                             IP Address     Port
Joule Direct Trading System (Production)               DC1          joule.dc1.private.trayport.com       94.199.140.33  443
Joule Direct Trading System (Production)               DC2          joule.dc2.private.trayport.com       94.199.141.33  443
Joule Direct Trading System (Production)               DC1          joule.dc1b.private.trayport.com      94.199.140.34  443
Joule Direct Trading System (Production)               DC2          joule.dc2b.private.trayport.com      94.199.141.34  443
Joule Direct Trading System (User-Acceptance Testing)  DC1          uat.joule.dc1.private.trayport.com   94.199.140.65  443
Joule Direct Trading System (User-Acceptance Testing)  DC2          uat.joule.dc2.private.trayport.com   94.199.141.65  443
Joule Direct Trading System (User-Acceptance Testing)  DC1          uat.joule.dc1b.private.trayport.com  94.199.140.66  443
Joule Direct Trading System (User-Acceptance Testing)  DC2          uat.joule.dc2b.private.trayport.com  94.199.141.66  443
Glossary

The following table provides definitions of the terms used in this document.

CIDR: CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify the Internet addresses used in inter-domain routing more flexibly than with the original system of Internet Protocol (IP) address classes.

CRL: A certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.

IP Address: A unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.

OCSP: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).

PKI: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA).

SSL: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties.

Supernetwork: A supernetwork, or supernet, is an Internet Protocol (IP) network that is formed from the combination of two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) prefix. The new routing prefix for the combined network aggregates the prefixes of the constituent networks.

X.509: In cryptography, X.509 is a standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.