Summary

Details of the command-line parameters used by the SwitchCommandLine entry in the Tachyon Switch Host's Tachyon.Switch.Host.exe.config file.

This page is for information only. Do not make configuration changes unless instructed to do so by 1E.

Switch Command Lines

The Tachyon Switch Host has a Tachyon.Switch.Host.exe.config file, which has one or more SwitchCommandLine keys. If there is more than one Switch then each key is uniquely numbered: key="SwitchCommandLine.n"

The following is an example default key.

<add key="SwitchCommandLine" value="-cfgName=ACME-TCNMST-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=INFO" />

The configuration file has a single command-line for each Switch, which should not need to be updated after installation. However, there are some complex scenarios where 1E may instruct you to make some changes.

Parameters | Comment | Notes

-cfgname=<name>

Specifies which row to use in the TachyonMaster database SwitchConfiguration table by matching the <name> using the following rules:

  1. If -cfgName=<name> is specified, then the Switch expects to find a matching name in the SwitchConfiguration table. The convention is <name>=<hostname>-<switchnumber>, where the Switch number is unique and starts with SW1.
  2. If -cfgName=<name> is not specified, then the Switch will use the configuration where <name> is the hostname of the server on which the Switch is running
  3. If the SwitchConfiguration table does not have a row matching the server's name or hostname, then the Switch will use the default * row.

If there is no match then the Switch will log an error and will not start.

Example -cfgName=ACME-TCNMST-SW1

For a Switch on a DMZ Server this will be -cfgName=ACME-TCNDMZ-SW1 if ACME-TCNDMZ is the hostname of the DMZ server.

-config=<fqdn>

The fully qualified domain name (fqdn) used by the Switch to connect to the Core. For example -config=https://tachyon.acme.local:443/Core

Included in template config.

-dmz

Allows the use of the Switch on a Tachyon DMZ Server that is not domain-joined and is using SAML. Not required for a domain-joined Tachyon DMZ Server.

-fips

Add this parameter to force client-Switch communications to use only FIPS-compliant algorithms.

Windows and .NET Framework support a range of cryptographic algorithms, collectively known as cipher suites. There are various ways you can configure operating systems to permit use of specific cipher suites and security policies, which can include or enforce the use of FIPS-compliant algorithms. Tachyon components, including Switches, use whichever algorithms you have permitted without additional configuration. Enforcing the use of FIPS-compliant algorithms therefore requires you to correctly configure the OS of servers and devices. Tachyon Switches are an exception because they do not rely on Windows, and will negotiate the strongest algorithm a client is permitted to use, which may not be FIPS-compliant, but will always negotiate the strongest FIPS-compliant algorithm if the -fips parameter is used.

-ignoreClientCerts

The Switch does not require clients to present certificates. Requires SecurityLevel to be set to 4 (default is 5).

Instructs the Switch to ignore any client certificate presented. Tachyon clients are allowed to connect if they provide no client certificate, an invalid client certificate, or a valid client certificate.

Added by Tachyon Setup if "Switches require client certificates to be presented by Tachyon Agents" is unchecked on the Tachyon Setup: Client certificates screen.

For a new installation, Tachyon Setup also changes the SecurityLevel from default 5 to 4 in the SwitchConfiguration table of the TachyonMaster database.

New in Tachyon v4.0.

-log.<log area>=<logging level>

Specifies the logging level for a logging area. The default value is -log=0 (same as -log=info) which provides logging of all Switch areas at info level.

The following table shows permitted logging levels.

Value | Description

Error

Only outputs errors. An error is a serious problem, typically requiring operator intervention of some sort to restore full functionality.

Warn

Outputs errors and warnings. A warning indicates a potential problem, where the system can nonetheless function without intervention.

Info

Outputs general information in addition to the errors and warnings. This is the default.

Debug

Outputs debugging information in addition to all the previous levels.

Trace

Outputs the maximum information available. Used only in exceptional circumstances as it will generate huge amounts of logging output.

Logging levels should be changed from info only if requested by 1E Support, and reset to info after investigation is complete.

The method of configuring logging levels for the Tachyon Switch changed in v3.3 to using the above text values, but retains -log=0 as the default to mean the same as -log=info.

1E Support may ask you to increase or reduce specific areas of logging. The example below increases the level of logging for http, decreases metrics, and leaves other areas as normal.

-log=info -log.http=debug -log.metrics=warn

Included in template config as -log=0

New in Tachyon v4.0.

-NoStdOut

Prevents the Switch from echoing logging to stdout in addition to the Switch log file. Remove only for testing.

-NoSumm

Prevents the Switch from logging warnings about not being able to connect to the Summarizer component.

If this parameter is omitted, the Switch will attempt to report to a Summarizer using the URL specified in the SummaryUrl value in the SwitchConfiguration table, and log errors if it cannot connect.

The Summarizer component is used for performance monitoring and is available as a separately installed component, only if required.

Included in template config.

-NoSw2Sw

Disables switch-to-switch communications.

Included in template config.

-skipCrlChecks

The Switch does not attempt to retrieve certificate revocation lists. Requires SecurityLevel to be set to 4 (default is 5).

This affects the Switch and clients, that is, the Switch does not check the CRL of its own certificate, nor those of clients.

This does not affect browsers connecting to Explorer, or the internal functions of the server.
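
The following is an added example, not 1E code: a read-only audit that parses the SwitchCommandLine keys and reports parameters this page describes as relaxing certificate checks, leaving FIPS unenforced, or raising logging above info. The wrapper elements around the `<add>` keys, the second sample key and case-insensitive parameter matching are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: key .1 copies the default shown on this page, key .2 is
# made up for illustration. The wrapper elements are an assumption.
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="SwitchCommandLine.1" value="-cfgName=ACME-TCNMST-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=INFO" />
  <add key="SwitchCommandLine.2" value="-cfgName=ACME-TCNDMZ-SW1 -config=https://tachyon.acme.local:443/Core -dmz -ignoreClientCerts -skipCrlChecks -log=info -log.http=debug" />
</appSettings></configuration>"""

# Parameters documented on this page as requiring SecurityLevel 4 instead of 5.
WEAKENING = {
    "-ignoreClientCerts": "client certificates are ignored",
    "-skipCrlChecks": "CRLs are not retrieved for Switch or client certificates",
}
VERBOSE = {"debug", "trace"}  # levels above the default info

def parse_command_line(value):
    """Split a SwitchCommandLine value into {lowercased name: value or None}."""
    params = {}
    for token in value.split():
        name, _, val = token.partition("=")  # only the first '=' separates
        params[name.lower()] = val or None   # assumption: names ignore case
    return params

def audit_switch(value):
    """Return a list of findings for one Switch command line."""
    params = parse_command_line(value)
    findings = [f"{p}: {why}" for p, why in WEAKENING.items() if p.lower() in params]
    if "-fips" not in params:
        findings.append("-fips absent: non-FIPS algorithms may be negotiated")
    if "-nostdout" not in params:
        findings.append("-NoStdOut absent: logging is echoed to stdout")
    for name, val in params.items():
        if (name == "-log" or name.startswith("-log.")) and (val or "").lower() in VERBOSE:
            findings.append(f"{name}={val}: logging level above info")
    return findings

def audit_config(xml_text):
    """Audit every SwitchCommandLine / SwitchCommandLine.n key in the config."""
    root = ET.fromstring(xml_text)
    return {
        el.get("key"): audit_switch(el.get("value", ""))
        for el in root.iter("add")
        if (el.get("key") or "").startswith("SwitchCommandLine")
    }

if __name__ == "__main__":
    for key, findings in audit_config(SAMPLE_CONFIG).items():
        print(key, *findings, sep="\n    ")
```
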