CCASS/3 is the Central Clearing And Settlement System implemented by Hong Kong Exchanges and Clearing Limited (HKEX). It is built on an open, robust, secure and flexible modularised architecture with full-fledged services that meet the business needs of market participants. It is designed to provide efficient and dynamic clearing and settlement by adhering to international standards for securities messages and providing interactive communication with market participants through a standard message-based application programming interface.
CCASS/3 Host is the database server for keeping the CCASS operation data to support batch processing.
The middle tier between participant terminals and CCASS/3 Host supports access methods such as a web interface and an Application Program Interface (API). Security servers and Lightweight Directory Access Protocol (LDAP) servers are employed to provide a centralised authentication and authorisation service for controlling participant access.
The Securities and Derivatives Network (SDNet) is a robust and high-efficiency closed user group network based on Optical Ethernet technology. It adopts the TCP/IP protocols with high security protection by means of a firewall and an intrusion detection system.
Participants can access the CCASS/3 system through two channels:
- CCASS/3 Terminal
- Participant Gateway
Participants can access CCASS/3 through a browser-based terminal, the
CCASS/3 Terminal (C3T), which uses market standard Internet technology.
Any PC running HKEX supported versions of Microsoft Windows, Internet
Explorer and Java Runtime Environment is able to access all CCASS
functions. All participant functions will be provided with an HTML
(windows) based presentation. This standard graphical user interface
will provide a user-friendly interface and will reduce training needs.
Participant Gateway (PG) is a technical device to provide an access point
through which a Participant Supplied System (PSS) can access CCASS/3.
In order to reduce the development efforts of participants, Java-based
application programming interfaces are provided to participants’ PSS to
communicate with CCASS/3 through the PG. The application program is a
custom-built Java library that will assist the connection and handle all
the subsequent message interactions between participants’ back office
system and CCASS/3 Host.
Hypertext Transfer Protocol Secure (HTTPS) is used for communication
between PG and CCASS/3 middle tier. Socket is the communication method
between PG and PSS. The message format follows the industrial standards ISO
Network Communication Layer
The SDNet will ensure the reliable transmission of input between the user
device and the host. The network will control the transmission of all
information within the CCASS/3 system and will help to achieve the shortest
possible response time even at the highest data throughput rates, ensuring
fast and efficient clearing and settlement services at all times.
Security is a primary concern in the system design of CCASS/3. The
following security measures are employed in CCASS/3 to ensure
confidentiality and security:
Pre-defined User Group Authority
All participant functions are grouped into a number of user groups. The
availability of user groups for participants is pre-defined by the system.
CCASS/3 allows the delegation of administrative privileges to
organisational administrators, allowing them to manage user privileges and
benefits within their organisations.
CCASS/3 Terminal Level
Access to the CCASS/3 Terminal is authenticated by a smartcard as the
security token, using a digital certificate in X.509 format.
Encryption is implemented through standard browser functions, using a 128-bit
Secure Sockets Layer (SSL) key to prevent transactions from being exposed
to eavesdropping, tampering or message forgery risks.
Participant Gateway Level
As with the CCASS/3 Terminal and message level of security, access to PG is
also authenticated by smartcard, and all data exchanged between the PG and
CCASS/3 Host is encrypted using 128-bit SSL keys.
Firewalls, routers and intrusion detection devices are used to protect the
CCASS/3 network from unauthorised access through the public internet.