Access Point Administration

An Access Point can optionally run in enterprise mode, giving more administrative and networking control to the IT departments within an enterprise. See the Access Point Installation and (optionally) the Enterprise Access Point Setup Guide for information on configuring your Access Point. This guide covers ongoing maintenance when operating in this configuration.

The tbadmin Utility

During the Access Point installation process, the tbadmin.sh script was downloaded to the machine that hosts the Docker image. It can be retrieved or updated at any time by running:

curl -Lo tbadmin.sh https://eval.tripleblind.app/downloads/tbadmin.sh && chmod +x tbadmin.sh && ./tbadmin.sh install

This utility provides all the tools needed to easily administer your Access Point.

Launching and Upgrading your Access Point

To upgrade your Access Point to the latest version run:

sudo tbadmin update

If you wish to pin your Access Point to a particular version, you can do so by launching it with an explicit version. For example:

sudo tbadmin launch --version=1.38.1

Access Point configuration settings

A variety of parameters are stored within the tripleblind.env file, which configures how the Access Point is run. These values can be modified at any time by running the tbadmin utility, which will save the change and re-launch the Access Point to apply the update.

For example, the following command will change the domain name used to reach your Access Point:

sudo tbadmin launch --domain=some.new.domain.com --cert=/path/to/crt --key=/path/to/key

By default the system is configured with the most restrictive settings. Additional features, such as allowing the usage of Blind Join, can be enabled via:

sudo tbadmin enable blind-join

Access Point Environment Variables


  • TB_LANDLOCK_OPTION="UNGUARDED" — Allow preprocessing and postprocessing Python scripts to execute on an Access Point running under a host operating system that does not support the Landlock technology introduced in the Linux kernel 5.13. This was incorporated into Ubuntu 21.04, RHEL 8.4, and Fedora 34, so any older versions would require this setting in order to run pre/postprocessing Python scripts.

    🛑Use this with care! Scripts will have full access to the file system and network resources when this is defined on a system that does not support Landlock.
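Before setting TB_LANDLOCK_OPTION="UNGUARDED", it is worth confirming that the host really cannot enforce Landlock, since on a capable kernel the setting only removes the sandbox around pre/postprocessing scripts. The following check is an added example, not part of tbadmin; it reads the running kernel release and the kernel's active LSM list (assumed at the standard securityfs path /sys/kernel/security/lsm) and reports whether the unguarded setting is justified.

```python
"""Decide whether TB_LANDLOCK_OPTION="UNGUARDED" is actually needed on this host.
Added example, not part of tbadmin: it inspects the running kernel rather than the
distribution name, since the unguarded setting should only be used where Landlock
genuinely cannot be enforced. LSM_LIST_PATH is the kernel's securityfs LSM list."""
import platform
import re

LANDLOCK_MIN_KERNEL = (5, 13)                 # Landlock was introduced upstream in 5.13
LSM_LIST_PATH = "/sys/kernel/security/lsm"   # comma-separated list of active LSMs

def parse_kernel_release(release):
    """'5.13.0-40-generic' -> (5, 13); raises ValueError on unparseable input."""
    m = re.match(r"^(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))

def landlock_status(release, active_lsms):
    """Return (supported, reason). The active LSM list is authoritative: a kernel
    built without CONFIG_SECURITY_LANDLOCK, or booted with lsm= omitting it, cannot
    enforce Landlock no matter how new it is."""
    names = [n.strip() for n in active_lsms.split(",") if n.strip()]
    if "landlock" in names:
        return True, f"kernel {release}: landlock is an active LSM"
    if parse_kernel_release(release) < LANDLOCK_MIN_KERNEL:
        return False, f"kernel {release} predates upstream Landlock (5.13)"
    return False, f"kernel {release} is new enough, but landlock is not in the active LSM list"

def recommended_landlock_option():
    """Inspect the live host; '' means leave TB_LANDLOCK_OPTION unset and keep the sandbox,
    'UNGUARDED' means the host cannot enforce Landlock and scripts would run unconfined."""
    try:
        with open(LSM_LIST_PATH) as f:
            lsms = f.read().strip()
    except OSError:
        lsms = ""    # securityfs not mounted or file absent: treat as unsupported
    supported, reason = landlock_status(platform.release(), lsms)
    return ("" if supported else "UNGUARDED"), reason

if __name__ == "__main__":
    option, reason = recommended_landlock_option()
    print(reason)
    print("keep TB_LANDLOCK_OPTION unset" if not option
          else "pre/postprocessing scripts need TB_LANDLOCK_OPTION=UNGUARDED on this host")
```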

Viewing Logs

Detailed logs are kept on the Access Point which can easily be accessed using the following command:

sudo tbadmin logs

The logs can also be monitored continuously by adding the -f flag:

sudo tbadmin logs -f

Production Monitoring

The Access Point exposes a /ping endpoint that can be used for uptime monitoring. This endpoint can be monitored by a script running on the Access Point itself (using localhost/ping), or externally via https://<ap_domain_name>/ping, e.g. https://provider-34-71-101-84.tripleblind.app/ping. A reasonable alert setup is to poll every 10 seconds and trigger an alert if the ping fails to respond with a 200 three times in a row.
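The polling and alerting rule described above, as an added example that is not part of tbadmin or the TripleBlind product: it polls /ping on the assumed URL every 10 seconds, treats timeouts, connection errors and TLS failures as failed probes, and raises one alert per outage once three probes in a row have failed.

```python
"""Uptime monitor for the Access Point /ping endpoint (added example, not tbadmin code).
Polls every 10 s and alerts after 3 consecutive non-200 results, as described above.
PING_URL, the interval and the threshold are assumed values; the alert is a print."""
import time
import urllib.error
import urllib.request

PING_URL = "https://localhost/ping"   # or https://<ap_domain_name>/ping from outside
INTERVAL_SECONDS = 10
FAILURE_THRESHOLD = 3

def probe(url=PING_URL, timeout=5.0):
    """HTTP status of GET url; 0 on timeout/connection/TLS error (verification stays on)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code            # server answered, but not with success
    except (urllib.error.URLError, OSError):
        return 0                 # no usable answer at all

class PingMonitor:
    """Counts consecutive failures; fires one alert per outage and one recovery."""
    def __init__(self, threshold=FAILURE_THRESHOLD):
        self.threshold = threshold
        self.consecutive_failures = 0
        self.alerting = False

    def observe(self, status):
        """Feed one probe result; returns 'ok', 'fail', 'alert' or 'recovered'."""
        if status == 200:
            recovered = self.alerting
            self.consecutive_failures, self.alerting = 0, False
            return "recovered" if recovered else "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.threshold and not self.alerting:
            self.alerting = True
            return "alert"
        return "fail"

def run(monitor, probe_fn=probe):
    """Poll forever, reporting only state changes (swap print for a paging hook)."""
    while True:
        event = monitor.observe(probe_fn())
        if event in ("alert", "recovered"):
            print(f"{event}: {PING_URL} ({monitor.consecutive_failures} consecutive failures)")
        time.sleep(INTERVAL_SECONDS)

if __name__ == "__main__":
    run(PingMonitor())
```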

Help

Use the -h or --help flag to see a list of all available commands and arguments:

tbadmin -h

Secrets Management

TripleBlind can work with many different data sources for Assets, including a variety of database connections. These assets encapsulate a connection string, which typically includes the path to the database along with a set of credentials. Whenever the asset is utilized, the Access Point connects to the database using this string to then execute the asset’s SQL to produce a view of data or a report.


The credentials in the connection string are usually sensitive and should be available to a limited number of trusted users, such as the Access Point administrators. Additionally, credentials should periodically be rotated as part of security best practices. Both of these needs are served by named secrets, allowing administrators to manage the secret values and only expose the secret names to users. The TripleBlind Secrets Manager stores and utilizes the secrets on the Access Point, never exposing them to organization users, asset consumers or TripleBlind.

Defining a Secret

To insert a new secret or update an existing one, use the command:

sudo tbadmin secrets set NAME VALUE

Here NAME is the name of the secret and VALUE is the secret string value. You can share the NAME with asset creators; they will never be able to view the protected VALUE.


If an entry with the same NAME already exists, the VALUE is simply updated.

Inventorying Saved Secrets

A list of the secret key names can be retrieved with this command:

sudo tbadmin secrets list

Deleting a Secret

An existing secret can be removed from the store with the command:

sudo tbadmin secrets remove NAME

Learn more about how to use the secrets in the SDK for performing TripleBlind operations in Using Named Secrets under Asset Owner Operations.



Enterprise Administration

Some installations will want to run their Access Point in Enterprise Mode to meet the needs and requirements of their IT infrastructure. When in this mode, there are several additional commands available via tbadmin to maintain the local user list. See the Enterprise Access Point Setup Guide for information on configuring your Access Point.

User Management

While in Enterprise Mode, user authentication is controlled by the organization directly. This list is completely inaccessible to TripleBlind and the Router’s web interface, providing a strong security and control guarantee. Administration of this list is performed locally on the host machine via the tbadmin utility.

ℹ️The Router piece of the user account is still configured via the web interface. Both local-auth and Router tokens are needed to set up a user account.

Adding Users

Creating a user is a three-step process:

1. Add the user and set permissions via the web interface. This adds the user to the TripleBlind Router.

2. Run the following command on the Access Point server (one or more user names may be given):

sudo tbadmin users add <user name>

3. This creates the user and returns a token (access_point_token), which should be added to the tripleblind.yaml file in the user's SDK directory along with the following values:

  • sdkuser_token: Authorization Token obtained in the web interface
  • access_point_token: obtained from the add command
  • access_point_url: URL of the Access Point. The port here should be the same port specified when enabling Enterprise Mode (4443 by default).

ℹ️The token returned will need to be given to the SDK user at the time of generation. It cannot be retrieved.

Example adding a user

This user token (circled above) will need to be inserted by the SDK user ("steve") in their local tripleblind.yaml config file as the access_point_token. The access_point_url also needs to be configured with the address the user will use to reach the Access Point. Both are in addition to the user's normal sdkuser_token.

Example tripleblind.yaml file for the user “steve”:

sdkuser_token: "1234567890123456789" # <--from Steve's My Account on the Router

# If your organization uses Enterprise mode, your administrator will give you
# a unique access_point_token as well as the access_point_url which your
# organization uses.
#
access_point_token: "c66bf072-ccb4-43ce-aa2f-bfe686706e87"
access_point_url: "https://accesspoint.acme.com:443"

Listing Users

Configured local-auth (enterprise) users can be viewed using:

sudo tbadmin local-auth list

Removing Users

Users can be removed by using:

sudo tbadmin local-auth remove {username}