Switch Command Lines
The Tachyon Switch Host has a Tachyon.Switch.Host.exe.config file, which has one or more SwitchCommandLine keys. If there is more than one Switch then each key is uniquely numbered: key="SwitchCommandLine.n"
The following is an example default key.
<add key="SwitchCommandLine" value="-cfgName=ACME-TCNMST-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=INFO" />
The configuration file has a single command-line for each Switch, which should not need to be updated after installation. However, there are some complex scenarios where 1E may instruct you to make some changes.
Specifies which row to use in the TachyonMaster database SwitchConfiguration table by matching the <name> using the following rules:
If there is no match then the Switch will log an error and will not start.
For a Switch on a DMZ Server this will be -cfgName=ACME-TCNDMZ-SW1 if ACME-TCNDMZ is the hostname of the DMZ server.
The fully qualified domain name (FQDN) used by the Switch to connect to the Core. For example -config=https://tachyon.acme.local:443/Core
Included in template config.
Allows the use of the Switch on a Tachyon DMZ Server that is not domain-joined and is using SAML. Not required for domain-joined Tachyon DMZ Server.
Add this parameter to force client-Switch communications to use only FIPS-compliant algorithms.
Windows and .NET Framework support a range of cryptographic algorithms, collectively known as cipher suites. There are various ways you can configure operating systems to permit use of specific cipher suites and security policies, which can include or enforce the use of FIPS-compliant algorithms. Tachyon components, including Switches, use whichever algorithms you have permitted without additional configuration. Enforcing the use of FIPS-compliant algorithms therefore requires you to correctly configure the OS of servers and devices. Tachyon Switches are an exception because they do not rely on Windows: a Switch negotiates the strongest algorithm a client is permitted to use, which may not be FIPS-compliant, but it always negotiates the strongest FIPS-compliant algorithm if the -fips parameter is used.
The Switch does not require clients to present certificates. Requires SecurityLevel to be set to 4 (default is 5).
Instructs the Switch to ignore any client certificate presented. Tachyon clients are allowed to connect if they provide no client certificate, an invalid client certificate, or a valid client certificate.
Added by Tachyon Setup if "Switches require client certificates to be presented by Tachyon Agents" is unchecked on the Tachyon Setup: Client certificates screen.
For a new installation, Tachyon Setup also changes the SecurityLevel from default 5 to 4 in the SwitchConfiguration table of the TachyonMaster database.
-log.<log area>=<logging level>
Specifies the logging level for a logging area. The default value is -log=0 (same as -log=info) which provides logging of all Switch areas at info level.
The following table shows permitted logging levels.
Logging levels should be changed from info only if requested by 1E Support, and reset to info after the investigation is complete.
The method of configuring logging levels for the Tachyon Switch changed in v3.3 to using the above text values, but retains -log=0 as the default to mean the same as
1E Support may ask you to increase or reduce specific areas of logging. The example below increases the level of logging for http, decreases metrics, and leaves other areas as normal.
-log=info -log.http=debug -log.metrics=warn
Included in template config as -log=0
|-NoStdOut||Prevents the Switch from echoing log output to stdout in addition to writing it to the Switch log file. Remove only for testing.|
Prevents the Switch from logging warnings about not being able to connect to the Summarizer component.
If this parameter is omitted, the Switch will attempt to report to a Summarizer using the URL specified in the SummaryUrl value in the SwitchConfiguration table, and log errors if it cannot connect.
The Summarizer component is used for performance monitoring and is available as a separately installed component, only if required.
Included in template config.
|-NoSw2Sw||Disable switch-to-switch communications.||Included in template config.|
The Switch does not attempt to retrieve certificate revocation lists. Requires SecurityLevel to be set to 4 (default is 5).
This affects the Switch and clients; that is, the Switch does not check the CRL of its own certificate, nor those of clients.
This does not affect browsers connecting to Explorer, or the internal functions of the server.
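The following is an added example, not 1E's own code, showing one way to audit the SwitchCommandLine keys described above for drift from the documented defaults (a missing -fips or -NoStdOut, a -config that is not HTTPS, logging levels left above or below info). It assumes the standard .NET appSettings layout for Tachyon.Switch.Host.exe.config and that parameter names are case-insensitive, as the page's -Log=INFO and -log=info suggest; the function names and the sample config are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the default key shown above; the second key
# is a hypothetical drifted Switch, not taken from a real installation.
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="SwitchCommandLine.1" value="-cfgName=ACME-TCNMST-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=INFO -fips" />
  <add key="SwitchCommandLine.2" value="-cfgName=ACME-TCNMST-SW2 -config=https://tachyon.acme.local:443/Core -NoSumm -NoSw2Sw -log=info -log.http=debug" />
</appSettings></configuration>"""

INFO_LEVELS = {"0", "info"}  # the page states -log=0 means the same as -log=info

def parse_switch_args(value):
    """Split a SwitchCommandLine value into {lower-cased name: value or None}."""
    args = {}
    for token in value.split():
        name, _, val = token.lstrip("-").partition("=")
        args[name.lower()] = val or None  # assumption: names are case-insensitive
    return args

def audit_config(xml_text, require_fips=True):
    """Return {key: [findings]} for every SwitchCommandLine[.n] key."""
    report = {}
    for add in ET.fromstring(xml_text).iter("add"):
        key = add.get("key", "")
        if not re.fullmatch(r"SwitchCommandLine(\.\d+)?", key):
            continue
        args = parse_switch_args(add.get("value", ""))
        findings = []
        if require_fips and "fips" not in args:  # policy choice: -fips is optional
            findings.append("-fips absent: a non-FIPS algorithm may be negotiated")
        if "nostdout" not in args:
            findings.append("-NoStdOut absent: log output is echoed to stdout")
        if not (args.get("config") or "").lower().startswith("https://"):
            findings.append("-config is not an https:// URL")
        for name, val in args.items():
            if (name == "log" or name.startswith("log.")) and (val or "").lower() not in INFO_LEVELS:
                findings.append(f"-{name}={val}: logging level changed from info")
        report[key] = findings
    return report

if __name__ == "__main__":
    for key, findings in audit_config(SAMPLE_CONFIG).items():
        print(key, findings or "OK")
```

Pass require_fips=False where FIPS enforcement is not part of your policy, since the default template key does not include -fips.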