Skip to main content

Configuration

Prerequisites

  • Linux: glibc v2.27+

Installation

To install the TimeBase Python client (python dxapi):

  • Use the Deltix PyPI Nexus repository https://nexus.deltixhub.com/repository/epm-rtc-public-python/simple, for example:

    pip install dxapi==5.5.23 --extra-index-url https://<user>:<password>@nexus.deltixhub.com/repository/epm-rtc-public-python/simple

Feature-Server Compatibility

The following features require the specific dxapi and TimeBase server versions denoted below:

FeatureDxapi versionTimeBase server version
Stream spaces API5.4.05.4.25
SSL5.4.45.4.55
32-bit entity ID5.4.105.5.26
Stream locks API5.4.205.5.65
Change application name, Ranged locks, JSON stream schema5.4.285.5.67, 5.6.18
Entities (symbols) as strings API5.4.315.5.78, 5.6.24
Select from stream spaces API5.5.05.5.83, 5.6.25
TimeBase web port5.5.185.5.102, 5.6.71, 5.7.3
Delete stream data API, Select from multiple stream spaces5.5.315.6.109

Supported Python Versions

Platformdxapi v5.4.0 - v5.4.31dxapi v5.5.0 - v5.5.23dxapi v5.5.8 - v5.5.23dxapi v5.5.30+
Windows x64Python 3.6 - 3.11Python 3.8 - 3.11Python 3.8 - 3.12Python 3.8 - 3.12
Linux amd64 (glibc 2.27+)Python 3.6 - 3.11Python 3.8 - 3.11Python 3.8 - 3.12Python 3.8 - 3.12
Linux arm64Python 3.8 - 3.12
Centos 7 (glibc 2.17+)Python 3.9
MacOS amd64Python 3.6 - 3.11Python 3.8 - 3.11Python 3.8 - 3.12Python 3.8 - 3.12
MacOS arm64Python 3.8 - 3.11Python 3.8 - 3.11Python 3.8 - 3.12Python 3.8 - 3.12

Special Tags:

  • 5.5.25+glibc2.17 - Support for legacy environments with glibc 2.17 and Python 3.6.

Environment Variables

NameDescription
DXAPI_LOG_PATHThe path to dxapi logs. To switch off logging, set DXAPI_LOG_PATH to a directory that does not exist or to /dev/null.
SSL_CERT_FILE  The path to a file with trusted certificates* (for example, /etc/ssl/cert.pem). Default value is $OPENSSLDIR/cert.pem.

$OPENSSLDIR:
- Windows: %CommonProgramFiles%\SSL
- Linux: /usr/local/ssl
- MacOS: /ect/ssl
SSL_CERT_DIR  Points to a directory containing CA certificates in PEM format (for example, /etc/ssl/certs). Default value is $OPENSSLDIR/certs.

The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must be available. If more than one CA certificate with the same name hash value exists, the extension must be different (for example, 9d66eef0.0, 9d66eef0.1, etc.)
DXAPI_SSL_TRUST_ALLWhen set to true, switches off certificate verification.
DXAPI_SSL_TERMINATION  When set to true, uses SSL termination (for example, for setups with NLB).
DXAPI_LOADER_MIN_CHUNK_SIZEData is not written by loader until this amount is stored in the buffer.
DXAPI_LOADER_MAX_CHUNK_SIZEData loader chunks are never written bigger than this size.
DXAPI_LOADER_CLOSE_TIMEOUT_MSLoader await time if server drops connection gracelessly. Default value is 30000.

* The file can contain several CA certificates identified as follows:

-----BEGIN CERTIFICATE-----
... (CA certificate in base64 encoding) ...
-----END CERTIFICATE-----

Connection URIs

  • dxtick://: Direct connection to a server
  • dstick://: Direct connection to a server with required SSL
  • dxctick://: Connection to a random endpoint of a cluster
  • dsctick://: Connection to a random endpoint of a cluster with required SSL

URIs may contain a user's credentials like dxctick://user:Pa$$w0rd@host1:9000|1.2.3.4:9000. Endpoints may contain IPv4 addresses. IPv6 addresses are not supported. For example:

"localhost:8011"          # connection to dxtick://localhost:8011 with default scheme
"dstick://localhost:9011" # SSL connection to localhost:9011
"dxctick://host1:8010|host2:8011|host2:8012" # connection to a random endpoint in cluster
"dsctick://host1:9010|host2:9011|host2:9012" # connection to a random endpoint in cluster with required SSL

SSL Configuration

Common SSL Flow

The TimeBase server can be configured to use SSL. To connect to the server securely, dxapi must verify the server's certificate unless DXAPI_SSL_TRUST_ALL is set to true.

The C++ dxapi utilizes the OpenSSL library to handle SSL connections and follows the OpenSSL flow for loading certificates. By default, OpenSSL relies on predefined directories that store trusted CA certificates. On many systems, these directories include:

  • Linux: /etc/ssl/certs, /usr/share/ca-certificates, /etc/pki/tls/certs
  • macOS: /System/Library/OpenSSL, /private/etc/ssl
  • Windows: OPENSSLDIR + /certs
note

For MacOS, install arm64 SSL with brew install openssl@1.1.

OpenSSL can use the following environment variables to specify custom locations for certificate files and directories:

  • SSL_CERT_FILE: Specifies the path to the file containing trusted certificates.
  • SSL_CERT_DIR: Specifies the path to the directory containing trusted certificates.

For Windows, if SSL_CERT_DIR does not exist, is empty, or SSL_CERT_FILE is not set, dxapi attempts to load certificates from the Windows Certificate Manager (ROOT, CA, and MY stores).

Certificate Pinning

To pin a self-signed certificate from a file in DER format:

  • Specify the file path using the DXAPI_SSL_CERT_FILE environment variable.

SSL Termination Flow

In this case, the TimeBase server is configured without SSL, but the load balancer between dxapi and the TB server is configured with SSL termination.

The environment variable DXAPI_SSL_TERMINATION must be set to true.

tip

Refer to TimeBase SSL Termination for more information.