During the writing of my book Programming for Betfair I tried to make things as simple as possible out of respect for newcomers to programming. I utilised the standard login procedure for Betfair, consisting of a username/password pair. However, when programming a new algorithmic trading platform for Betfair the most annoying aspect of the process is having to log into the servers every time you test the software. During the course of a day that is a lot of logging in, especially if you use two-factor authentication.
I have been requested by a reader to provide a tutorial for authentication with a digital certificate and so I have written this article. The process was a lot easier than I had imagined. For readers of my book I also provide code which replaces the LoginForm.
Firstly, I shall point out that the certificate that you will create will be self-signed so don't imagine that you are now a certification authority and can start handing out certificates to anyone. The certificates on your browser, which authenticate websites to you, are signed by trusted third-parties. These third-parties have gone through rigorous procedures to permit their certificates to be installed inside your browser. Your certificate will be self-signed and used only for authenticating your application to Betfair and nothing else.
Betfair trusts you to sign your own certificate for your own account and no more. It is up to the user of the certificate to ensure that their security has not been compromised. That means if your account has been broken into because you have allowed someone to gain access to your private key then you are at fault and not Betfair.
The Process of Creating a Self-Signed Digital Certificate
These instructions are for Windows users. If you use another operating system then it is up to you to decipher these instructions. I cannot provide any help with that.
1) Download the OpenSSL package from Shining Light Productions. Choose the topmost Win32 OpenSSL v*.*.* Light version of the software. I have a 64-bit operating system and running the 32-bit version of the software is not going to make any difference. OpenSSL provides all the tools for creating your own certificates.
2) After downloading the package (and virus checking it) install the application, as the installer suggests, at the root of your C: drive. If asked where to copy the OpenSSL DLLs then make sure they go into the Windows system directory. The final dialog of the installer asks if you want to make a donation. If you want to then do so but if you don't then make sure you untick the check box before clicking the Finish button otherwise you will be frog-marched off to the donation site. OpenSSL is now installed.
3) Click on your Windows menu and then right-click on Computer so that you can choose its Properties. You will then see a dialog, click on Advanced system settings on the left-hand side and the following dialog will be displayed. In Windows 10, Advanced System Settings can be found by right clicking the window on the task bar and selecting system in the menu.
Now click the Environment Variables button.
4) In the next dialog click on the New button in the System variables section, as in the following picture. Add the variable name OPENSSL_CONF, variable value C:\OpenSSL-Win32\bin\openssl.cfg and click the OK button. OpenSSL is now fully configured. If you use a different operating system to Windows 7 then consult Google.
5) Copy an updated openssl.cfg file from this link
https://drive.google.com/open?id=0B1-pQWsdUuPtNHV1c0dRa292Qm8
and replace the existing file in the C:\OpenSSL-Win32\bin directory. This new file commands OpenSSL to create a client side certificate rather than a server side certificate.
6) Now download this batch file
https://drive.google.com/open?id=0B1-pQWsdUuPtYWt6MkxxelhtR0U
that I have created and which will automatically create a self-signed digital certificate for you. Once downloaded, right-click the file and run it as an administrator. You won't be able to create a certificate unless you are doing so as an administrator.
A command line interpreter window will open during the process. At some point you will be requested to enter some data, as in the following example
Country Name (2 letter code) [AU]: - e.g. GB (for Great Britain) etc.
State or Province Name (Full Name) [Some-State]: - England or whatever
Locality Name (eg, city) []: - London or whatever
Organization Name (eg, company) [Internet Widgits Pty Ltd]: - leave blank and hit return
Organizational Unit Name (eg, section) []:- leave blank and hit return
Common Name (e.g. server FQDN or YOUR name) []: your real name as known by Betfair
Email Address []: the one known to Betfair
You are then asked for a password. I didn't bother and just hit return. This password would have to be included in your authentication which already includes your username and password pair.
If asked for an optional company name then don't give one and hit return.
And if asked for an export password, again don't give one and hit return and again for confirmation of the password.
When the process is complete you will see four new files in the C:\OpenSSL-Win32\bin directory:
client-2048.crt - your digital certificate
client-2048.csr - a certificate signing request
client-2048.key - your private key
client-2048.p12 - used to authenticate your application to Betfair
Your certificate file will be given to Betfair and your P12 moved to the root at C:\ and used in the login process. Copies of all should be saved somewhere safe offline.
7) Now login to the Betfair website. At the top of the screen, click My Account and then My Betfair Account in the dropdown menu. You will then see another dropdown menu called My details. Click on this and then Security settings. You will then see your security settings page. Click on the Edit link next to Automated Betting Program Access. You can now browse to your client-2048.crt file and upload it to Betfair. After the upload make sure the status is set to On.
8) For readers of my book you will need to alter your code for automatic authentication thus
a) Create a new Module called Authentication.vb (use the module creation in the book as reference) and add the following code to it, remembering to replace the placeholders YOUR_USERNAME, YOUR_PASSWORD and YOUR_APPKEY with your details as appropriate. You will notice that the certificate location is expected to be the root of the C: drive, so you must move the P12 file that you created to there. If you want the P12 to be elsewhere then you must change the code.
Imports System.IO
Imports System.Net
Imports System.Text
Imports Newtonsoft.Json
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Module Authentication

    Public Sub Login()
        Try
            'Form-encoded credentials for the POST body
            Dim postData As String = _
                "username=YOUR_USERNAME&password=YOUR_PASSWORD"
            'Load the P12 (certificate plus private key); "" is the empty export password
            Dim cert As New X509Certificate2("C:\client-2048.p12", "")
            Dim request As HttpWebRequest = _
                DirectCast(WebRequest.Create("https://identitysso.betfair.com/api/certlogin"), HttpWebRequest)
            request.Method = "POST"
            request.ContentType = "application/x-www-form-urlencoded"
            request.Headers.Add("X-Application: YOUR_APPKEY")
            'Present the client certificate during the TLS handshake
            request.ClientCertificates.Add(cert)
            request.Accept = "application/json"

            'Send the credentials
            Using dataStream As Stream = request.GetRequestStream()
                Using writer As New _
                    StreamWriter(dataStream, Encoding.[Default])
                    writer.Write(postData)
                End Using
            End Using

            'Read the JSON reply and keep the session token
            Using stream As Stream = DirectCast(request.GetResponse(), _
                HttpWebResponse).GetResponseStream()
                Using reader As New StreamReader(stream, Encoding.[Default])
                    Dim loginResponse As LoginResponse = _
                        JsonConvert.DeserializeObject(Of LoginResponse)(reader.ReadToEnd())
                    Form1.Print(loginResponse.sessionToken)
                    SportsAPI.ssoid = loginResponse.sessionToken
                    AccountsAPI.ssoid = loginResponse.sessionToken
                End Using
            End Using
        Catch ex As Exception
            Form1.Print(Now & " - Login Error: " & ex.Message)
        End Try
    End Sub

    'Class for non-interactive login
    Public Class LoginResponse
        Public sessionToken As String
        Public loginStatus As String
    End Class

End Module
Note - Some users have reported that the endpoint https://identitysso.betfair.com/api/certlogin doesn't work for them and they had to change it to https://identitysso-cert.betfair.com/api/certlogin. My original certificate still works, so maybe there are now two endpoints: one for original users and another for newer users.
Please ensure that "username=YOUR_USERNAME&password=YOUR_PASSWORD" does not contain any spaces. The Form1.Print(loginResponse.sessionToken) statement above is a test that will print out your ssoid on successful authentication. Delete or comment out this line after testing.
If you have yet to create the AccountsAPI module then comment out the line AccountsAPI.ssoid = loginResponse.sessionToken and uncomment the line when you have created the module.
b) Now change the Form1_Load subroutine in Form1.vb as follows
Private Sub Form1_Load(sender As Object, e As EventArgs) _
    Handles MyBase.Load
    'LoginForm.Show()
    Login()
    initialise()
End Sub
by commenting out the LoginForm.Show() statement, as LoginForm.vb is no longer needed, and then adding the call to the Login() subroutine in Authentication.vb, followed by the initialise() call that used to be in LoginForm.vb.
You should now be able to access Betfair without having to type in your username/password pair. I recommend that you keep two-factor authentication on the manual login to the Betfair website as you cannot automatically login there. If there are any problems then let me know.
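An added example, not code from the book or from Betfair: a variant of Login() that checks loginStatus before the token is used, percent-encodes the credentials, and keeps them out of the source file. The CheckedLogin module, the BF_* environment variable names and the "SUCCESS" status value are assumptions; pass in whichever of the two endpoints mentioned above works for your account.

```vbnet
Imports System
Imports System.IO
Imports System.Net
Imports System.Security.Cryptography.X509Certificates
Imports Newtonsoft.Json

Module CheckedLogin
    Public Class CertLoginResult ' same two fields as LoginResponse in the article
        Public sessionToken As String
        Public loginStatus As String
    End Class
    ' Reads a required setting from the environment (variable names are hypothetical).
    Private Function Env(name As String) As String
        Dim value As String = Environment.GetEnvironmentVariable(name)
        If String.IsNullOrEmpty(value) Then Throw New InvalidOperationException(name & " is not set")
        Return value
    End Function
    ' Returns the session token only when the reply reports success (assumed "SUCCESS").
    Public Function TokenFromReply(json As String) As String
        Dim reply As CertLoginResult = JsonConvert.DeserializeObject(Of CertLoginResult)(json)
        If reply Is Nothing Then Throw New InvalidOperationException("Empty login reply")
        If reply.loginStatus <> "SUCCESS" OrElse String.IsNullOrEmpty(reply.sessionToken) Then
            Throw New InvalidOperationException("Login refused: loginStatus=" & reply.loginStatus)
        End If
        Return reply.sessionToken
    End Function

    Public Function LoginChecked(endpoint As String) As String
        ' Percent-encode so that '&', '+', '=' or spaces in a password survive the form post.
        Dim postData As String = "username=" & Uri.EscapeDataString(Env("BF_USERNAME")) & _
                                 "&password=" & Uri.EscapeDataString(Env("BF_PASSWORD"))
        Dim p12Password As String = If(Environment.GetEnvironmentVariable("BF_P12_PASSWORD"), "")
        Dim cert As New X509Certificate2(Env("BF_P12_PATH"), p12Password)
        Dim request As HttpWebRequest = DirectCast(WebRequest.Create(endpoint), HttpWebRequest)
        request.Method = "POST"
        request.ContentType = "application/x-www-form-urlencoded"
        request.Accept = "application/json"
        request.Headers.Add("X-Application", Env("BF_APPKEY"))
        request.ClientCertificates.Add(cert)
        Using writer As New StreamWriter(request.GetRequestStream())
            writer.Write(postData)
        End Using
        Using response As WebResponse = request.GetResponse()
            Using reader As New StreamReader(response.GetResponseStream())
                Return TokenFromReply(reader.ReadToEnd())
            End Using
        End Using
    End Function
End Module
```

A refused login such as CERT-AUTH-REQUIRED then surfaces as an exception naming the status, and the token is never written to the screen.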
Note
The instructions in this article were tested in February 2017 and were found to be still working. If you can prove otherwise then I would be interested to know. Any problems are probably peculiar to your computer's set up and you should either contact the creators of the OpenSSL software or the wider OpenSSL community.
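When the upload or the login is refused, it helps to rule out the P12 file itself first. An added example (not part of the original article) that loads the file the same way Login() does and reports what it finds; the P12Check module name and the expectation that the replaced openssl.cfg sets the clientAuth extended key usage are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Module P12Check
    Private Const EkuExtensionOid As String = "2.5.29.37"       ' extendedKeyUsage
    Private Const ClientAuthOid As String = "1.3.6.1.5.5.7.3.2" ' id-kp-clientAuth

    ' Returns findings about the P12; an empty list means nothing was flagged.
    Public Function CheckClientP12(path As String, password As String) As List(Of String)
        Dim findings As New List(Of String)
        Dim cert As X509Certificate2 = Nothing
        Try
            cert = New X509Certificate2(path, password)
        Catch ex As CryptographicException
            findings.Add("Cannot open P12 (missing file or wrong password): " & ex.Message)
            Return findings
        End Try
        If Not cert.HasPrivateKey Then
            findings.Add("File holds no private key; is it the .crt rather than the .p12?")
        End If
        If DateTime.Now < cert.NotBefore OrElse DateTime.Now > cert.NotAfter Then
            findings.Add("Outside validity period, which ends " & cert.NotAfter.ToString("u"))
        End If
        If String.IsNullOrEmpty(password) Then
            findings.Add("No export password: anyone who can read the file can use the key")
        End If
        ' Assumption: the replaced openssl.cfg requests the clientAuth extended key usage.
        Dim eku As X509EnhancedKeyUsageExtension = _
            TryCast(cert.Extensions(EkuExtensionOid), X509EnhancedKeyUsageExtension)
        Dim clientAuth As Boolean = False
        If eku IsNot Nothing Then
            For Each usage As Oid In eku.EnhancedKeyUsages
                If usage.Value = ClientAuthOid Then clientAuth = True
            Next
        End If
        If Not clientAuth Then findings.Add("clientAuth extended key usage not found")
        Return findings
    End Function

    Sub Main() ' path and empty password as used in this article
        For Each finding As String In CheckClientP12("C:\client-2048.p12", "")
            Console.WriteLine(finding)
        Next
    End Sub
End Module
```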
As Rory says: At the end of createcert.bat script you are prompted for an "Export Password", it is not mentioned above and pressing enter to bypass seems to mean that the client-2048.p12 is never created. Do you have a fix for this?
The P12 is created when I bypass the Export Password.
Works a treat! :0)
Good stuff
I don't know what I'm doing wrong, but can't get this working. When I try to upload the "client-2048.crt" file to betfair, I get a big red X that says no SSL certificate uploaded.
I also do not get a P12 file created as per the first person's comment here....dunno what gives :(
If you have followed the instructions correctly then the problem can only be the installation of the software and your computer's interaction with it.
Unfortunately, such a situation is out of my control and not something I can help with. You would have to seek help on an appropriate security forum.
Thank you so much for this tip, it was very helpful, thank you!
Worked like a charm, one more addition for new user: change bat file and place current open-ssl path.
Thanks Again
Worked great for me. Just had to update as per Lavish's comment above, and update the login endpoint from:
https://identitysso.betfair.com/api/certlogin
to:
https://identitysso-cert.betfair.com/api/certlogin
Interesting. My original certificate still works fine.
I'll put both endpoints into the article.
Thanks for explaining the issue.
Hi, what is the process for moving to a new PC given that the setup works fine on the old PC? Is it just a case of copying the client-2048 files across to the new PC along with your bots or is there more to it than that? On my new PC I have the files copied over, OpenSSL is installed and when I run a login I get CERT-AUTH-REQUIRED
Thanks for any help