Access Point Administration

An Access Point can optionally run in enterprise mode, giving more administrative and networking control to the IT departments within an enterprise. See the Access Point Installation and (optionally) the Enterprise Access Point Setup Guide for information on configuring your Access Point. This guide covers ongoing maintenance when operating in this configuration.

The tbadmin Utility

During the Access Point installation process the tbadmin.sh script was downloaded to the machine which hosts the Docker image. It can be retrieved or updated at any time by running:

curl -Lo tbadmin.sh https://eval.tripleblind.app/downloads/tbadmin.sh && chmod +x tbadmin.sh

This utility provides all the tools needed to easily administer your Access Point.

Launching and Upgrading your Access Point

To upgrade your Access Point to the latest version run:

sudo ./tbadmin.sh update

If you wish to pin your Access Point to a particular version, you can do so by launching it with an explicit version. For example:

sudo ./tbadmin.sh launch --version=1.38.1

Access Point configuration settings

A variety of parameters are stored in the tripleblind.env file, which configures how the Access Point is run. These values can be modified at any time through the tbadmin utility, which saves the change and re-launches the Access Point to apply it.

For example, the following command will change the domain name used to reach your Access Point:

sudo ./tbadmin.sh launch --domain=some.new.domain.com --cert=/path/to/crt --key=/path/to/key

By default the system is configured with the most restrictive settings. Additional features, such as allowing the usage of Blind Join, can be enabled via:

sudo ./tbadmin.sh enable blind-join

Viewing Logs

Detailed logs are kept on the Access Point which can easily be accessed using the following command:

sudo ./tbadmin.sh logs

The logs can also be monitored continuously by adding the -f flag:

sudo ./tbadmin.sh logs -f

Production Monitoring

The Access Point exposes a /ping endpoint that can be used for uptime monitoring. It can be polled by a script running on the Access Point itself (requesting localhost/ping) or externally via https://<ap_domain_name>/ping, e.g. https://provider-34-71-101-84.tripleblind.app/ping. A reasonable alert setup is to poll every 10 seconds and trigger an alert if the endpoint fails to respond with a 200 three times in a row.
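The polling and alert-threshold logic described above, as an added example that is not part of the TripleBlind documentation or tooling; it assumes curl is installed, and AP_PING_URL and the alert() hook are placeholders to replace for your deployment:

```shell
#!/bin/sh
# Added example (not TripleBlind's own code): poll the Access Point's /ping
# endpoint every 10 s and alert after 3 consecutive non-200 responses.
AP_PING_URL="${AP_PING_URL:-https://localhost/ping}"   # placeholder URL, set for your AP
INTERVAL=10      # seconds between checks, as suggested in the guide
THRESHOLD=3      # consecutive failures before alerting

# ping_status URL -> prints the HTTP status code ("000" if no connection or no curl)
ping_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || code=000
    echo "${code:-000}"
}

# Decision logic kept separate from the network call so it can be tested offline.
# next_failures CURRENT_FAILURES STATUS -> prints the updated consecutive-failure count
next_failures() {
    if [ "$2" = "200" ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# should_alert FAILURES -> succeeds (exit 0) once the threshold is reached
should_alert() {
    [ "$1" -ge "$THRESHOLD" ]
}

# Placeholder alerting hook: replace with your paging or ticketing integration.
alert() {
    echo "ALERT: $AP_PING_URL returned non-200 $THRESHOLD times in a row" >&2
}

# Main loop: one alert per outage, then the counter resets so it is not re-raised every 10 s.
monitor() {
    failures=0
    while :; do
        status=$(ping_status "$AP_PING_URL")
        failures=$(next_failures "$failures" "$status")
        if should_alert "$failures"; then
            alert
            failures=0
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when MONITOR_RUN=1, so the functions can also be sourced.
if [ "${MONITOR_RUN:-0}" = "1" ]; then monitor; fi
```

Run it as `MONITOR_RUN=1 sh ping-monitor.sh` on the Access Point host, or set AP_PING_URL to the external https://<ap_domain_name>/ping address to monitor from outside.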


Enterprise Administration

Some installations will want to run their Access Point in Enterprise Mode to meet the needs and requirements of their IT infrastructure. When in this mode, there are several additional commands available via tbadmin to maintain the local user list. See the Enterprise Access Point Setup Guide for information on configuring your Access Point.

User Management

While in Enterprise Mode, user authentication is controlled by the organization directly. This list is completely inaccessible to TripleBlind and the Router’s web interface, providing a strong security and control guarantee. Administration of this list is performed locally on the host machine via the tbadmin utility.

ℹ️ The Router piece of the user account is still configured via the web interface. Both local-auth and Router tokens are needed to set up a user account.

Adding Users

Creating a user is a three-step process:

1. Add the user and set permissions via the web interface. This adds the user to the TripleBlind Router.

2. Run the following command on the Access Point server (one or more user names can be given):

sudo ./tbadmin.sh users add <user name>

3. This creates the user and returns a token (access_point_token). Add it to the tripleblind.yaml file in the user’s SDK directory, together with the following values:

  • sdkuser_token: Authorization Token obtained in the web interface
  • access_point_token: obtained from the add command
  • access_point_url: URL of the Access Point. The port here should be the same port specified when enabling Enterprise Mode (4443 by default).

ℹ️ The token returned will need to be given to the SDK user at the time of generation. It cannot be retrieved.

Example adding a user

This user token (circled above) must be inserted by the SDK user (“steve”) into their local tripleblind.yaml config file as the access_point_token. The access_point_url must also be set to the address the user uses to reach the Access Point. Both are in addition to the user’s normal sdkuser_token.

Example tripleblind.yaml file for the user “steve”:

sdkuser_token: "1234567890123456789" # <--from Steve's My Account on the Router

# If your organization uses Enterprise mode, your administrator will give you
# a unique access_point_token as well as the access_point_url which your
# organization uses.
#
access_point_token: "c66bf072-ccb4-43ce-aa2f-bfe686706e87"
access_point_url: "https://accesspoint.acme.com:443"

Listing Users

Configured local-auth (enterprise) users can be viewed using:

sudo ./tbadmin.sh local-auth list

Removing Users

Users can be removed by using:

sudo ./tbadmin.sh local-auth remove {username}
