Configuration
PyTAK's configuration parameters can be set two ways:
- In an INI-style configuration file, typically
config.ini
- As environment variables.
PyTAK has the following built-in configuration parameters:
-
COT_URL
- Default:
udp+wo://239.2.3.1:6969
(TAK Mesh SA, Multicast UDP, write-only)
Destination for TAK Data (Cursor on Target Events). Supported values are:
- TLS Unicast:
tls://host:port
- TCP Unicast:
tcp://host:port
- UDP Multicast:
udp://group:port
(aka Mesh SA) - UDP Unicast:
udp://host:port
- UDP Broadcast:
udp+broadcast://network:port
- UDP Write-only:
udp+wo://host:port
- stdout or stderr:
log://stdout
orlog://stderr
N.B.
+wo
modifier stands for 'write-only', and allows multiple PyTAK applications to run on a single bound-interface without monopolizing a port. If you're getting a 'cannot bind to port' or 'port occupied error', try adding the+wo
modifier. - Default:
-
TAK_PROTO
- Default:
0
("TAK Protocol - Version 0", XML)
Sets TAK Protocol to use for CoT output, one of:
0
("TAK Protocol - Version 0", XML)2
("TAK Protocol - Version 1" Mesh, Protobuf)3
("TAK Protocol - Version 1" Stream, Protobuf) TK (FIXME: Is this correct?)
- Default:
-
DEBUG
- Default:
0
(False)
Sets debug-level logging. Any value other than
0
is considered True. False if unset. - Default:
-
FTS_COMPAT
- Default:
0
(disabled)
If set, implements random-seconds-sleep period to avoid FTS DoS protections.
- Default:
-
PYTAK_SLEEP
- Default:
0
(disabled)
If set, implements given sleep period of seconds between emitting CoT Events. Only supports integers (seconds), not sub-seconds.
- Default:
-
PREF_PACKAGE
N.B. PyTAK must be installed with with_crypto support, or the Python
cryptography
module must be installed.PyTAK supports importing TAK Data Packages containing TAK Server connection settings, TLS certificates, etc.
To use a .zip file with PyTAK, set the
PREF_PACKAGE
config parameter to the path to the .zip file.For example, given a Pref Package named
ADSB3_FIRE.zip
, you could either:- Using
config.ini
: Add the linePREF_PACKAGE=ADSB3_FIRE.zip
- Using the commandline of a utility: Add the argument
-p ADSB3_FIRE.zip
- Using
-
PYTAK_MULTICAST_LOCAL_ADDR
- Default:
0.0.0.0
For systems with multiple IP network interfaces, specifies which IP interface to use for the multicast group.
- Default:
-
PYTAK_NO_HELLO
- Default:
False
Disable the "Hello" Event transmitted by PyTAK on initial connection to a TCP or UDP host.
- Default:
CoT Event Attributes¶
-
COT_STALE
- Default:
120
(2 minutes)
CoT Event stale time in seconds.
- Default:
TLS Support¶
PyTAK supports sending & receiving TAK Data over TLS. This section describes the various configuration parameters that can be set for TLS network connections.
Minimum TLS Configuration
At a minimum, to use TLS with PyTAK, the following two conditions must be met:
-
Specify
tls://
in theCOT_URL
config parameter.For example:
COT_URL=tls://takserver.example.com:8089
-
Specify the path to the TLS cert with the
PYTAK_TLS_CLIENT_CERT
config parameter.For example:
PYTAK_TLS_CLIENT_CERT=/etc/pytak-cert.pem
Please Note
- Client Certificates, Client Key, CA Certificate & Key must be specified in PEM format.
TLS Verifications¶
PyTAK uses standard TLS Verifications when establishing TLS sockets to TAK Servers.
-
TLS Server Common Name Verification
-
TLS Server Certificate Verification
TLS Configuration Parameters¶
PyTAK can send & receive data over TLS by setting the following configuration parameters:
-
PYTAK_TLS_CLIENT_CERT
Path to a file containing the unencrypted plain-text PEM format Client Certificate.
This file can contain both the Client Cert & Client Key, or the Client Cert alone. In the later case (cert alone),
PYTAK_TLS_CLIENT_KEY
must be set to the Client Key.For example, to connect to a TAK Server using TLS on port 8089:
PYTAK_TLS_CLIENT_CERT=/etc/pytak_client_cert_and_key.pem COT_URL=tls://takserver.example.com:8089
For reference, the TAK Server
CoreConfig.xml
would contain a line like this:<input auth="x509" _name="tlsx509" protocol="tls" port="8089" archive="false"/>
-
PYTAK_TLS_CLIENT_KEY
(optional)Path to a file containing the unencrypted plain-text PEM format Client Private Key for the associated
PYTAK_TLS_CLIENT_CERT
. -
PYTAK_TLS_DONT_VERIFY
- Default:
0
(verify)
When set to
1
(don't verify), Disable destination TLS Certificate Verification. Will print a WARNING if set to1
. - Default:
-
PYTAK_TLS_DONT_CHECK_HOSTNAME
- Default:
0
(verify)
When set to
1
(don't verify), disables destination TLS Certificate Common Name (CN) Verification. Will print a WARNING if set to1
. - Default:
-
PYTAK_TLS_CLIENT_CAFILE
(optional)Path to a file containing the CA Trust Store to use for remote certificate verification.
-
PYTAK_TLS_SERVER_EXPECTED_HOSTNAME
(optional)
Expected hostname or CN of the connected server. Not used unless verifying hostname.
-
PYTAK_TLS_CLIENT_CIPHERS
(optional)- Default:
ALL
Colon ("
:
") seperated list of TLS Cipher Suites to allow.For example, to set FIPS-only ciphers:
PYTAK_TLS_CLIENT_CIPHERS=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
- Default:
-
PYTAK_TLS_CLIENT_PASSWORD
(optional)Password for PKCS#12 (.p12) password protected certificates or password protected Private Keys.