Skip to content

Communication

Ports Overview

Port Component Protocol TLS Direction Purpose
8445 Director HTTPS Server cert Inbound API, admin UI, launcher connections
8446 Agent HTTPS mTLS Inbound Director session management

Communication Flows

Agent -> Director

Endpoint When TLS Auth Purpose
POST /v1/agent/register First startup, or after cert loss HTTPS (TOFU) GUID (UUIDv4) Submit CSR, get signed cert
POST /v1/agent/renew Every ~12 hours mTLS Current cert Submit new CSR, get renewed cert
POST /v1/agent/update Every update_interval (default 30s) mTLS Current cert Report sessions + system stats

Director -> Agent

Endpoint When TLS Purpose
POST /v1/sessions User requests session mTLS Create session on agent
DELETE /v1/sessions/{id} User closes session mTLS Close session on agent
POST /v1/config Admin changes config mTLS Set DCV config parameters

Launcher -> Director

Endpoint When TLS Auth Purpose
POST /v1/user/login User login HTTPS None (credentials in body) Authenticate, sets dcvix_session cookie
GET /v1/user/servers After login HTTPS Session cookie List available servers for user
POST /resolveSession DCV Gateway HTTPS Gateway IP whitelist Resolve DCV session

mTLS Trust Model

flowchart TD
    subgraph Director
        CA[CA cert + key<br/>/var/lib/dcvix-director/]
        SC[Server cert<br/>dcvix-director]
    end
    subgraph Agent
        AC["Agent cert<br/>dcvix-agent-{guid}"]
        AK[Agent key<br/>Ed25519]
    end
    subgraph Launcher
        LT[Trusts director's<br/>server cert]
    end

    CA -->|Signs| SC
    CA -->|Signs| AC
    SC -->|Verified by| LT
    AC -->|Verified by| CA
    AK -->|Signs CSR| AC

Certificate Hierarchy

Certificate Issuer Subject Validity Key type
CA Self-signed dcvix CA 10 years ECDSA P-256
Director server CA dcvix-director + DNS names 10 years ECDSA P-256
Agent CA dcvix-agent-{guid} 14 days Ed25519

Agent Certificates

  • 14-day validity: short enough to limit damage from key compromise, long enough to absorb director outages
  • Renewal every ~12 hours: missed renewal windows don't cause immediate failure
  • Key usage: digitalSignature + serverAuth + clientAuth - used for both server and client mTLS

Director Server Certificate

  • 10-year validity: practically permanent
  • Auto-generated: DNS names include dcvix-director, localhost, the system hostname, and its FQDN
  • IP addresses: 127.0.0.1 is included for local health checks
  • hostname -f must match: The FQDN is resolved via hostname -f. Agents verify the server cert's CN/SAN against the hostname they use to reach the director - a mismatch causes connection rejection.

Trust on First Use (TOFU)

When an agent has no pre-deployed CA cert, the first registration request connects without certificate verification (InsecureSkipVerify: true).

flowchart TD
    A[Agent starts] --> B{ca.pem exists?}
    B -- No --> C[TOFU mode: accept any server cert]
    C --> D[POST /v1/agent/register]
    D --> E[Success: store CA cert from response]
    E --> F[All future connections: strict CA verification]
    B -- Yes --> G[Strict mode: verify against pre-deployed CA]
    G --> H[POST /v1/agent/register]
    H --> F

The director's CA fingerprint is logged at startup so administrators can verify it out-of-band.

In high-security environments, TOFU can be skipped entirely by bundling the director's CA certificate (ca.pem) with the agent installation package. The agent will then use strict certificate verification from the very first connection, eliminating the TOFU window entirely.

HTTP API Conventions

  • Most API JSON fields use camelCase. Agent stats use snake_case (free_memory, cpu_usage, load1). Fields from the dcv CLI use kebab-case (num-of-connections, creation-time, last-disconnection-time).
  • Admin endpoints are under /v1/admin/ and require admin authentication
  • Agent endpoints are under /v1/agent/ and use either TOFU or mTLS depending on the endpoint
  • User endpoints are under /v1/user/ and require a valid dcvix_session cookie (PASETO token)