Access Point Administration
An Access Point can optionally run in enterprise mode, giving more administrative and networking control to the IT departments within an enterprise. See the Access Point Installation and (optionally) the Enterprise Access Point Setup Guide for information on configuring your Access Point. This guide covers ongoing maintenance when operating in this configuration.
The tbadmin Utility
During the Access Point installation process the tbadmin.sh script was downloaded to the machine which hosts the Docker image. It can be retrieved or updated at any time by running:
curl -Lo tbadmin.sh https://eval.tripleblind.app/downloads/tbadmin.sh && chmod +x tbadmin.sh && ./tbadmin.sh install
This utility provides all the tools needed to easily administer your Access Point.
Launching and Upgrading your Access Point
To upgrade your Access Point to the latest version run:
sudo tbadmin update
If you wish to pin your Access Point to a particular version, you can do so by launching it with an explicit version. For example:
sudo tbadmin launch --version=1.38.1
Access Point configuration settings
A variety of parameters are stored within the tripleblind.env file which configures how the Access Point is run. These values can be modified at any time by running the tbadmin utility, which will save the change and re-launch the Access Point to apply updates.
For example, the following command will change the domain name used to reach your Access Point:
sudo tbadmin launch --domain=some.new.domain.com –cert=/path/to/crt –key=/path/to/key
By default the system is configured with the most restrictive settings. Additional features, such as allowing the usage of Blind Join, can be enabled via:
sudo tbadmin enable blind-join
Viewing Logs
Detailed logs are kept on the Access Point which can easily be accessed using the following command:
sudo tbadmin logs
The logs can also be monitored continuously by adding the -f flag:
sudo tbadmin logs -f
Production Monitoring
The Access Point exposes a /ping endpoint that can be used for uptime monitoring. An example of monitoring this endpoint could be via a script running on the Access Point (with a localhost/ping), or externally via https://<ap_domain_name>/ping, i.e. https://provider-34-71-101-84.tripleblind.app/ping. A reasonable alert setup would be every 10 seconds with an alert triggered if the ping doesn’t respond with a 200 after 3 times in a row.
Help
Use the -h or --help flag to see a list of all available commands and arguments:
tbadmin -h
.
Secrets Management
TripleBlind can work with many different data sources for Assets, including a variety of database connections. These assets encapsulate a connection string, which typically includes the path to the database along with a set of credentials. Whenever the asset is utilized, the Access Point connects to the database using this string to then execute the asset’s SQL to produce a view of data or a report.
The credentials in the connection string are usually sensitive and should be available to a limited number of trusted users, such as the Access Point administrators. Additionally, credentials should periodically be rotated as part of security best practices. Both of these needs are served by named secrets, allowing administrators to manage the secret values and only expose the secret names to users. The TripleBlind Secrets Manager stores and utilizes the secrets on the Access Point, never exposing them to organization users, asset consumers or TripleBlind.
Defining a Secret
To insert a new secret or update an existing one, use the command:
sudo tbadmin secrets set NAME VALUE
Where NAME is the name of the secret and VALUE is the secret string value. You can share the NAME with asset creators, they will never be able to view the protected VALUE.
If an entry with the same NAME already exists, the VALUE is simply updated.
Inventorying Saved Secrets
A list of the secret key names can be retrieved with this command:
sudo tbadmin secrets list
Deleting a Secret
An existing secret can be removed from the store with the command:
sudo tbadmin secrets remove NAME
Learn more about how to use the secrets in the SDK for performing TripleBlind operations in the Using Named Secrets under Asset Owner Operations.
Enterprise Administration
Some installations will want to run their Access Point in Enterprise Mode to meet the needs and requirements of their IT infrastructure. When in this mode, there are several additional commands available via tbadmin to maintain the local user list. See the Enterprise Access Point Setup Guide for information on configuring your Access Point.
User Management
While in Enterprise Mode, user authentication is controlled by the organization directly. This list is completely inaccessible to TripleBlind and the Router’s web interface, providing a strong security and control guarantee. Administration of this list is performed locally on the host machine via the tbadmin utility.
ℹ️ The Router piece of the user account is still configured via the web interface. Both local-auth and Router tokens are needed to setup a user account.
Adding Users
Creating a user is a three step process:
1. Add the user and set permissions via the web interface. This adds the user to the TripleBlind Router.
2. Run the below command on the Access Point server (supports one or more users):
sudo tbadmin users add <user name>
3. This will create a user and return a token (access_point_token) which should be added to the user’s SDK directory within the tripleblind.yaml file with the following values:
sdkuser_token:Authorization Token obtained in the web interfaceaccess_point_token:obtained from theaddcommandaccess_point_url:URL of the Access Point. The port here should be the same port specified when enabling Enterprise Mode (4443 by default).
ℹ️ The token returned will need to be given to the SDK user at the time of generation. It cannot be retrieved.
Example adding a user
This user token (circled above) will need to be inserted by the SDK user (“steve”) in their local tripleblind.yaml config file as the access_point_token. Additionally, the access_point_url will also need to be configured with the address needed by the user to reach the Access Point. This is in addition to the user’s normal sdkuser_token.
Example tripleblind.yaml file for the user “steve”:
sdkuser_token: "1234567890123456789" # <--from Steve's My Account on the Router # If your organization uses Enterprise mode, your administrator will give you # a unique access_point_token as well as the access_point_url which your # organization uses. # access_point_token: "c66bf072-ccb4-43ce-aa2f-bfe686706e87" access_point_url: "https://accesspoint.acme.com:443"
Listing Users
Configured local-auth (enterprise) users can be viewed using:
sudo tbadmin local-auth list
Removing Users
Users can be removed by using:
sudo tbadmin local-auth remove {username}
.