1E 9.x (on-premises)

Switch Command Lines

Details of the command-line parameters used by the SwitchCommandLine entry in the Tachyon Switch Host's Tachyon.Switch.Host.exe.config file.

Warning

This page is for information only. Do not make configuration changes unless instructed to do so by 1E.

Switch Command Lines

The Tachyon Switch Host has a Tachyon.Switch.Host.exe.config file, which has one or more SwitchCommandLine keys. If there is more than one Switch then each key is uniquely numbered: key="SwitchCommandLine.n"

The following is an example default key.

<add key="SwitchCommandLine" value="-cfgName=ACME-TCNMST-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=INFO" />

The configuration file has a single command-line for each Switch, which should not need to be updated after installation. However, there are some complex scenarios where 1E may instruct you to make some changes.

Parameters

Comment

Notes

-cfgname=<name>

Specifies which row to use in the TachyonMaster database SwitchConfiguration table by matching the <name> using the following rules:

  1. If -cfgName=<name> is specified, then the Switch expects to find a matching name in the SwitchConfiguration table. The convention is <name>=<hostname>-<switchnumber>, where the Switch number is unique and starts with SW1.

  2. If -cfgName=<name> is not specified, then the Switch will use the configuration where <name> is the hostname of the server on which the Switch is running.

  3. If the SwitchConfiguration table does not have a row matching the server's name or hostname, then the Switch will use the default * row.

If there is no match then the Switch will log an error and will not start.

Example: -cfgName=ACME-TCNMST-SW1

For a Switch on a DMZ Server this will be -cfgName=ACME-TCNDMZ-SW1 if ACME-TCNDMZ is the hostname of the DMZ server.

-config=<fqdn>

The fully qualified domain name (fqdn) used by the Switch to connect to the Core. For example -config=https://tachyon.acme.local:443/Core

Included in template config.

-dmz

Allows the use of the Switch on a DMZ Server that is not domain-joined and is using SAML. Not required for domain-joined DMZ Server.

-fips

Add this parameter to force client-Switch communications to use only FIPS-compliant algorithms.

Windows and .NET Framework support a range of cryptographic algorithms, collectively known as cipher suites. There are various ways you can configure operating systems to permit use of specific cipher suites and security policies, which can include or enforce the use of FIPS-compliant algorithms. 1E components use whichever algorithms you have permitted, without additional configuration. Enforcing the use of FIPS-compliant algorithms therefore requires you to correctly configure the OS of servers and devices. Switches are an exception because they do not rely on Windows. A Switch will negotiate the strongest algorithm a client is permitted to use, which may not be FIPS-compliant, but will always negotiate the strongest FIPS-compliant algorithm if the -fips parameter is used.

-ignoreClientCerts

The Switch does not require clients to present certificates. Requires SecurityLevel to be set to 4 (default is 5).

Instructs the Switch to ignore any client certificate presented. 1E clients are allowed to connect if they provide no client certificate, an invalid client certificate, or a valid client certificate.

Added by 1E Setup if the option "Switches require client certificates to be presented by 1E Client" is unchecked in the Client certificates screen.

For a new installation, 1E Setup also changes the SecurityLevel from default 5 to 4 in the SwitchConfiguration table of the TachyonMaster database.

-log.<log area>=<logging level>

Specifies the logging level for a logging area. The default value is -log=0 (same as -log=info) which provides logging of all Switch areas at info level.

The following table shows permitted logging levels.

| Value | Description |
| --- | --- |
| Error | Only outputs errors. An error is a serious problem, typically requiring operator intervention of some sort to restore full functionality. |
| Warn | Outputs errors and warnings. A warning indicates a potential problem, where the system can nonetheless function without intervention. |
| Info | Outputs general information in addition to the errors and warnings. This is the default. |
| Debug | Outputs debugging information in addition to all the previous levels. |
| Trace | Outputs the maximum information available. Used only in exceptional circumstances as it will generate huge amounts of logging output. |

Warning

Logging levels should be changed from info only if requested by 1E Support, and reset to info after the investigation is complete.

1E Support may ask you to increase or reduce specific areas of logging. The example below increases the level of logging for http, decreases metrics, and leaves other areas as normal.

-log=info -log.http=debug -log.metrics=warn

Included in template config as -log=0

-NoStdOut

Prevents the Switch from echoing its logging to stdout in addition to the Switch log file. Remove only for testing.

-NoSumm

Prevents the Switch from logging warnings about not being able to connect to the Summarizer component.

If this parameter is omitted, the Switch will attempt to report to a Summarizer using the URL specified in the SummaryUrl value in the SwitchConfiguration table, and log errors if it cannot connect.

The Summarizer component monitors performance. It is a separate component, installed only if required.

Included in template config.

-NoSw2Sw

Disables switch-to-switch communications.

Included in template config.

-skipCrlChecks

The Switch does not attempt to retrieve certificate revocation lists. Requires SecurityLevel to be set to 4 (default is 5).

This affects the Switch and clients, that is, the Switch does not check the CRL of its own certificate, nor those of clients.

This does not impact browsers connecting to Explorer, or the internal functions of the server.

Warning

SecurityLevel is configurable in the SwitchConfiguration table of the TachyonMaster database. Typically, each Switch will have its own row in this table, and therefore has its own configuration.

By default, SecurityLevel is 5, and is only changed to allow Switches to use lower security options.

Do NOT change the SecurityLevel unless required. ONLY change this to the value required to support the necessary Switch configuration.
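
An added example, not 1E's code: a Python check that cross-references each SwitchCommandLine entry with an exported copy of the SwitchConfiguration table, applying the -cfgName matching rules and reporting SecurityLevel mismatches for -ignoreClientCerts and -skipCrlChecks as well as logging left away from info. The config wrapper elements, the row export (`SAMPLE_ROWS`) and the function names are assumptions; the example also assumes that the fallback to the * row in rule 3 applies when an explicit -cfgName has no row.

```python
import xml.etree.ElementTree as ET

# Constructed sample data. Only the <add key=... value=... /> shape, the
# parameter names and SecurityLevel values 4 and 5 come from the page.
SAMPLE_CONFIG = """<configuration><appSettings>
 <add key="SwitchCommandLine.1" value="-cfgName=ACME-TCNMST-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=INFO" />
 <add key="SwitchCommandLine.2" value="-cfgName=ACME-TCNMST-SW2 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -skipCrlChecks -log=info -log.http=debug" />
 <add key="SwitchCommandLine.3" value="-cfgName=ACME-TCNMST-SW3 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -log=0" />
</appSettings></configuration>"""
# Hypothetical export of the SwitchConfiguration table: row name -> SecurityLevel.
SAMPLE_ROWS = {"ACME-TCNMST-SW1": 5, "ACME-TCNMST-SW2": 5, "*": 4}
NEEDS_LEVEL_4 = {"-ignoreclientcerts", "-skipcrlchecks"}


def resolve_row(cfg_name, hostname, rows):
    """Rules 1-3: explicit -cfgName, else the hostname, else the default * row."""
    wanted = cfg_name or hostname
    if wanted in rows:
        return wanted
    return "*" if "*" in rows else None  # None: the Switch logs an error and will not start


def audit(xml_text, rows, hostname):
    """Return {config key: [findings]} for each SwitchCommandLine entry."""
    report = {}
    for add in ET.fromstring(xml_text).iter("add"):
        key = add.get("key", "")
        if key != "SwitchCommandLine" and not key.startswith("SwitchCommandLine."):
            continue
        # Assumption: parameter names are case-insensitive (the page mixes -Log/-log).
        tokens = (t.partition("=") for t in add.get("value", "").split())
        params = {name.lower(): value for name, _, value in tokens}
        findings = []
        lowered = sorted(NEEDS_LEVEL_4 & set(params))
        row = resolve_row(params.get("-cfgname"), hostname, rows)
        if row is None:
            findings.append("no matching row and no * row: Switch will not start")
        else:
            if row == "*":
                findings.append("no row of its own: using the default * row")
            if lowered and rows[row] != 4:
                findings.append(f"{', '.join(lowered)} needs SecurityLevel 4, row has {rows[row]}")
            if not lowered and rows[row] < 5:
                findings.append(f"SecurityLevel {rows[row]} though no parameter here needs it")
        for name, value in params.items():
            if (name == "-log" or name.startswith("-log.")) and value.lower() not in ("info", "0"):
                findings.append(f"{name}={value}: logging not reset to info")
        report[key] = findings
    return report
```

Calling `audit(SAMPLE_CONFIG, SAMPLE_ROWS, "ACME-TCNMST")` returns no findings for the first Switch, a SecurityLevel mismatch and a debug log area for the second, and a fallback to the lowered * row for the third.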