rvsd

Command

Syntax

rvsd  -store filename
      [-http [ip_address:]http_port]
      [-https [ip_address:]https_port]
      [-http-only]
      [-https-only]
      [-no-http]
      [-no-permanent]
      [-listen [socket_protocol:|ip_address:]tcp_port]
      [-no-lead-wc | -lead-wc]
      [-no-multicast]
      [-reliability time]
      [-max-consumer-buffer size]
      [-rxc-max-loss loss]
      [-rxc-recv-threshold bps]
      [-rxc-send-threshold bps]
      [-reuse-port inbox_port]
      [-logfile log_filename]
      [-log-max-size size]
      [-log-max-rotations n]
      [-log-config config_log_filename]
      [-foreground]
      [-udp-ttl hops]
      [-tls-min-proto-version version]
      [-tls-max-proto-version version]
      [-tls-ciphers string1:string2:stringN]
      [-tls-ciphersuites name1:name2:nameN]
      [-no-wc]

Purpose

The command rvsd starts the Rendezvous secure communications daemon process—the secure counterpart to rvd.

Remarks

This section describes only those aspects where rvsd differs from rvd. For details that both daemons share, see rvd.

Although rvd usually starts automatically, administrators must start rvsd by explicit command.

Command Line Parameters

rvsd

Parameter

Description

-store filename

This file contains the security parameters that configure rvsd.

rvsd reads this file when the process starts, and writes this file each time you change the configuration using the browser administration interface.

The secure daemon store file contains very sensitive information. Store it on the local file system of the secure daemon’s host computer, with tight file access, in a physically secure environment. Ensure timely backup to secure media.

See also Store Files.

-http ip_address:http_port

-http http_port

-https ip_address:https_port

-https https_port

The browser administration interface accepts connections on this HTTP or HTTPS port. Permit administration access only through the network interface specified by this IP address.

To limit access to a browser on the rvsd host computer, specify 127.0.0.1 (the local host address).

When the IP address is absent, the daemon accepts connections through any network interface on the specified HTTP or HTTPS port.

If the explicitly specified HTTP port is already occupied, the program exits.

If the explicitly specified HTTPS port is already occupied, the program selects an ephemeral port.

When the -http parameter is entirely absent, the default behavior is to accept connections from any computer on HTTP port 7580. If this default port is unavailable, the operating system assigns an ephemeral port number.

When the -https parameter is entirely absent, the default behavior is to accept secure connections from any computer on an ephemeral HTTPS port.

In all cases, the program prints (in its start banner and log file) the actual HTTP and HTTPS ports where it accepts browser administration interface connections.

-http-only

Disable HTTPS (secure) connections, leaving only an HTTP (non-secure) connection.

-https-only

Disable HTTP (non-secure) connections, leaving only an HTTPS (secure) connection.

-no-http

Disable all HTTP and HTTPS connections, overriding -http and -https.

-listen tcp_port

-listen ip_address:tcp_port

-listen socket_protocol:tcp_port

rvsd (and by extension, rvsrd operating within the local network) opens a TLS client socket to establish communication between itself and its client programs. The -listen parameter specifies the TLS port where the Rendezvous daemon listens for connection requests from client programs. This -listen parameter of the secure daemon corresponds to the daemon parameter of the transport creation call (they must specify the same TLS port number).

The IP address specifies the network interface through which this daemon accepts TLS connections.

To bar connections from remote programs, specify IP address 127.0.0.1 (the loopback interface).

When the IP address is absent, the daemon accepts connections from any computer on the specified TLS port.

When this parameter is entirely absent, the default behavior is to accept connections from any computer on TLS port 7500.

For more detail about the choreography that establishes conduits, see Daemon Client Socket—Establishing Connections.

Warning 

This parameter does not correspond to the service parameter of the transport creation call—but rather to the daemon parameter.

-no-permanent

If present (or when rvd starts automatically), rvd exits after 1 minute during which no transports are connected to it.

If not present, rvd runs indefinitely until terminated.

This parameter is not available with IPM.

-no-lead-wc

-lead-wc

Sending to subjects with lead wildcards (for example, > or *.foo) can cause unexpected behavior in some applications, and cause network instability in some configurations. This option lets you selectively screen wildcard sending.

When -no-lead-wc is present, the daemon quietly rejects client requests to send outbound messages to subjects that contain wildcards in the lead element. The daemon does not report excluded messages as errors.

When -lead-wc is present (or when neither flag is present), the daemon allows sending messages to subjects with lead wildcards.

This parameter is not available with IPM.

-log-config config_log_filename

Send duplicate log output to this file for log items that record configuration changes. The daemon never rotates nor removes this special log file. Instead, this file remains as a record of all configuration changes.

When absent, the default is stderr.

-reliability time

-max-consumer-buffer size

-rxc-max-loss loss

-rxc-recv-threshold bps

-rxc-send-threshold bps

-reuse-port inbox_port

-logfile log_filename

-log-max-size size

-foreground

-udp-ttl hops

These parameters are the same as for rvd.

For details, see Command Line Parameters.

-tls-min-proto-version version

-tls-max-proto-version version

Set the minimum or maximum supported TLS protocol version for the daemon's SSL context (SSL_CTX), using the OpenSSL calls SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version.

-tls-ciphers string1:string2:stringN

Set the list of available ciphers (TLSv1.2 and earlier) using OpenSSL call SSL_CTX_set_cipher_list.

-tls-ciphersuites name1:name2:nameN

Configure the available TLSv1.3 ciphersuites using OpenSSL call SSL_CTX_set_ciphersuites.

-no-wc

Silently drop any messages published by clients that contain any wildcard tokens.
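
An added example, not part of the Rendezvous documentation or TIBCO code: a POSIX shell check that applies the -http, -https, -listen and -log-config defaults described above to an rvsd argument list and reports each listener left without an IP address restriction. The finding labels, the sample file name and the choice of what to report are assumptions.

```shell
#!/bin/sh
# Added example (not TIBCO code): list the rvsd listeners that an argument
# list leaves open to other hosts, per the defaults documented on this page.
# Finding labels such as ADMIN_HTTP_ENABLED are hypothetical, not rvsd output.

# has_ip VALUE: succeed when VALUE has the form ip_address:port (IPv4 prefix).
has_ip() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_rvsd_args ARGS...: print one finding per line for these rvsd arguments.
audit_rvsd_args() {
    http="" https="" listen="" http_only=0 https_only=0 no_http=0 log_config=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -http)       http="${2-}" ;;
            -https)      https="${2-}" ;;
            -listen)     listen="${2-}" ;;
            -log-config) log_config=1 ;;
            -http-only)  http_only=1 ;;
            -https-only) https_only=1 ;;
            -no-http)    no_http=1 ;;
        esac
        shift
    done
    # -no-http overrides -http and -https; -https-only removes plain HTTP.
    if [ "$no_http" -eq 0 ] && [ "$https_only" -eq 0 ]; then
        echo "ADMIN_HTTP_ENABLED non-secure HTTP administration is on"
        # No -http: any computer on port 7580. Bare port: any interface.
        has_ip "$http" || echo "ADMIN_HTTP_ANY_INTERFACE -http ${http:-absent}"
    fi
    if [ "$no_http" -eq 0 ] && [ "$http_only" -eq 0 ]; then
        # No -https: any computer on an ephemeral port.
        has_ip "$https" || echo "ADMIN_HTTPS_ANY_INTERFACE -https ${https:-absent}"
    fi
    # No -listen: any computer on TLS port 7500.
    has_ip "$listen" || echo "LISTEN_ANY_INTERFACE -listen ${listen:-absent}"
    # No -log-config: the configuration-change log defaults to stderr.
    [ "$log_config" -eq 1 ] || echo "NO_CONFIG_LOG -log-config absent"
    return 0
}

# Constructed sample command line (file name and port are illustrative).
audit_rvsd_args -store rvsd.store -http 7580 -https-only
```

A -listen value of the form socket_protocol:tcp_port carries no IP address, so the check reports it the same way as a bare port.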