License Management

Note

GW is Gateway, LM is License Manager.

How does it work?

You should install the roq-tools package and generate your own public/private key pair using the roq-keygen program.

You should communicate your public key to Roq so it can be associated with your license agreement.

The gateway will compute a hash of its flags and config file.

Note

This computation includes only the logins of your sub-accounts. Secrets and passwords are not included in the computation.

The gateway will collect some system metrics, e.g.

  • Hostname

  • The output from cpuid, to identify CPU features

  • Memory counters

The gateway regularly contacts Roq’s license server to authenticate itself.

These are the steps involved in authentication:

  • The gateway creates a Flatbuffers request containing the config hash and the metrics

  • The gateway seals the request with libsodium, using your private key (generated with roq-keygen) and Roq’s public key, so that only the license server can open it and only the holder of your private key could have produced it

  • The gateway sends the sealed request, together with your public key, to the license server

  • The license manager opens the sealed request using its own private key and your public key

  • The license manager matches your public key to an existing license agreement

  • The license manager responds to your gateway with HTTP status code 200 and an access token upon success

  • The license manager responds to your gateway with HTTP status code 400 if

    • there is no associated license agreement

    • there are no available licenses

  • On success (HTTP status code 200), the gateway replaces the locally cached access token with the new one

Service interruption?

The gateway caches the acquired (sealed) token on the local filesystem.

When a gateway restarts, it first reads the last cached token and opens it using libsodium. If the token is still valid, the gateway resumes operation as if it had just acquired a token from Roq’s license server.

Before the token expires, the gateway must acquire a new token from Roq’s license server.

Worst case?

If the license server cannot be reached before the cached token expires, contact Roq support staff and request an access token.

Is it safe?

  • The request message contains a SHA-256 hash of the sorted set of logins. This hash does not reveal any secrets from your configuration file.

  • You generate your own public/private key pair using roq-keygen. Nobody else can request an access token against your license as long as you keep your private key safe.

  • The communication between gateway and Roq’s license server uses TLS.

    Note

    The server certificate is not validated, so TLS here does not by itself authenticate the license server or stop an active attacker from reading the connection. The request and the token are protected by the libsodium sealing described above, which is applied before anything enters the TLS connection: an attacker in the path could disrupt the exchange (for example drop it or alter the HTTP status) but cannot read the sealed request or forge a token. A consequence of the missing validation is that you can place your own intercepting proxy (MitM) in the path and verify exactly what is being transmitted.

What exactly is being sent?

  • request_time_utc

  • token_expiry_time_utc (desired)

  • package_name

  • package_version

  • package_build_number

  • package_build_host

  • hostname

  • network_hostname

  • machine_id (/etc/machine-id)

  • machine (uname -m)

  • cpuid (registers)

  • cpu_vendor

  • cpu_brand

  • number_of_processors

  • cache_line_size

  • page_size

  • kernel_name (uname -s)

  • kernel_release (uname -r)

  • kernel_version (uname -v)

  • system_uptime

  • system_total_memory

  • system_available_memory

  • system_total_swap

  • system_available_swap

  • process_id

  • process_start_time_utc

  • process_max_rss

  • service_name

  • api_name

  • api

  • instance

  • session_id

  • is_uat

  • cpu_affinity

  • symbols (count)

  • total_symbols (count)

  • config_hash

  • accounts (count)

  • users (count)

  • create_order (count)

  • modify_order (count)

  • cancel_order (count)

  • cancel_all_orders (count)

  • mass_quote (count)

  • cancel_quotes (count)

  • please_report (count)

  • please_report_details (optional)

  • download_trades (bool)

  • download_orders (bool)

  • event_log (bool)

  • position_manager (bool)

  • risk_manager (bool)

  • journal (bool)

  • udp_publish (bool)

  • internal_latency_sum (histogram)

  • internal_latency_count_500ns (histogram)

  • internal_latency_count_1us (histogram)

  • internal_latency_count_2us (histogram)

  • internal_latency_count_5us (histogram)

  • internal_latency_count_10us (histogram)

  • internal_latency_count_20us (histogram)

  • internal_latency_count_inf (histogram)

  • external_latency_sum (histogram)

  • external_latency_count_10us (histogram)

  • external_latency_count_100us (histogram)

  • external_latency_count_1ms (histogram)

  • external_latency_count_10ms (histogram)

  • external_latency_count_100ms (histogram)

  • external_latency_count_1s (histogram)

  • external_latency_count_inf (histogram)

Note

The metrics are relevant for Roq’s monitoring of various use-cases.

  • System metrics help Roq understand various constraints such as available CPU features.

  • Application metrics help Roq understand what parts of the software are being used.

None of these fields carries your configuration secrets, symbol names, account identities or order contents; application usage is reported only as counts and aggregate latency histograms, so nothing here reveals your trading strategy.

Examples

Any number of market data gateways can be deployed

  • You may split symbols across gateways however you like.

  • Hash(package_name, []) is independent of symbols.

The same gateway may be used for different exchange APIs

For the same list of account logins, you are allowed to deploy gateways with different --api flags (when supported).

  • Hash(package_name, [A1, A2]) is independent of the --api flag.

You should ensure the TOML config is shared between different APIs

You cannot have one TOML config containing only a subset of the accounts defined in another TOML config, because the two configs produce different hashes.

  • Hash(package_name, [A1, A2]) is DIFFERENT from Hash(package_name, [A1, A2, A3])
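The three examples above, and the earlier statement that the config hash is a SHA-256 over the sorted set of logins with secrets excluded, worked through as an added example that is not Roq’s code. The page does not specify the byte layout of the hash input or the TOML layout of the config, so both are assumptions made here for illustration: the package name followed by NUL-separated sorted logins (UTF-8), and an [accounts.<name>] table with login and secret keys. The account names, logins, secrets and symbols are constructed.

```python
# Added example, not Roq's code: a config hash that excludes secrets, symbols
# and the --api flag but distinguishes account sets. Byte layout and config
# layout are assumptions for this illustration.
import hashlib

# Constructed config, in the shape tomllib.loads() produces for SAMPLE_TOML.
SAMPLE_TOML = """
symbols = ["BTC-PERPETUAL", "ETH-PERPETUAL"]

[accounts.A1]
login = "alice"
secret = "hunter2"

[accounts.A2]
login = "bob"
secret = "s3cret"
"""
BASE_CONFIG = {
    "symbols": ["BTC-PERPETUAL", "ETH-PERPETUAL"],
    "accounts": {
        "A1": {"login": "alice", "secret": "hunter2"},
        "A2": {"login": "bob", "secret": "s3cret"},
    },
}


def load_config(toml_text):
    """Parse a gateway TOML file into the dict shape above (Python 3.11+)."""
    import tomllib
    return tomllib.loads(toml_text)


def account_logins(config):
    """Only each account's login enters the hash; secrets never leave this function."""
    return {acct["login"] for acct in config.get("accounts", {}).values()}


def config_hash(package_name, config, api=None):
    """Hash(package_name, sorted logins) as SHA-256 hex.
    `api` (the --api flag) is accepted but deliberately not hashed, and the
    symbol list is never read, which is what makes the examples above hold."""
    h = hashlib.sha256(package_name.encode("utf-8"))
    for login in sorted(account_logins(config)):  # sorting removes order dependence
        h.update(b"\0" + login.encode("utf-8"))
    return h.hexdigest()


def _with(config, **changes):
    """Shallow copy of a config with top-level keys replaced."""
    return {**config, **changes}


def hash_ignores_secrets_symbols_and_api(pkg="roq-deribit"):
    """Rotating a secret, re-slicing symbols or changing --api leaves the hash unchanged."""
    base = config_hash(pkg, BASE_CONFIG)
    rotated = _with(BASE_CONFIG, accounts={
        "A1": {"login": "alice", "secret": "rotated-secret"},
        "A2": BASE_CONFIG["accounts"]["A2"],
    })
    resliced = _with(BASE_CONFIG, symbols=["SOL-PERPETUAL"])
    return (config_hash(pkg, rotated) == base
            and config_hash(pkg, resliced) == base
            and config_hash(pkg, BASE_CONFIG, api="deribit-v2") == base)


def hash_ignores_account_order(pkg="roq-deribit"):
    """The same accounts listed in a different order give the same hash."""
    reordered = _with(BASE_CONFIG,
                      accounts=dict(reversed(BASE_CONFIG["accounts"].items())))
    return config_hash(pkg, reordered) == config_hash(pkg, BASE_CONFIG)


def hash_changes_with_account_set(pkg="roq-deribit"):
    """[A1, A2], [A1, A2, A3] and [] (market data only) are three different hashes."""
    extended = _with(BASE_CONFIG, accounts={**BASE_CONFIG["accounts"],
                                            "A3": {"login": "carol", "secret": "x"}})
    market_data_only = _with(BASE_CONFIG, accounts={})
    hashes = {config_hash(pkg, c) for c in (BASE_CONFIG, extended, market_data_only)}
    return len(hashes) == 3


if __name__ == "__main__":
    cfg = load_config(SAMPLE_TOML)
    print(config_hash("roq-deribit", cfg))
    print(hash_ignores_secrets_symbols_and_api(),
          hash_ignores_account_order(),
          hash_changes_with_account_set())
```

Because logins are hashed after sorting and deduplication, two configs count as the same license only when their login sets are identical; a config that adds a single account is a different hash, which is why the TOML config has to be shared between gateways for the different APIs rather than trimmed per API.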
