Access Point Installation Guide

Access Point System Requirements

To participate in the TripleBlind platform, an organization must host a TripleBlind Access Point. This Access Point serves two main purposes: secure the organization’s data or algorithmic assets, and provide computational power for joint operations.

The Access Point is designed as a cloud native component. It is built around Docker technologies, isolating the host infrastructure from internal details and enabling simple deployment and upgrades. Interaction and management is done through the web interface and the Python SDK.

Hosting Requirements

Basic Docker host system requirements:

  • 4 CPU cores (minimum)
  • 16 GB of RAM (minimum)
  • 100 GB+* of attached storage
    * Additional storage requirements depend on assets to be shared on the platform.
  • Static IP address (simplifies whitelisting)

IP Addresses to Whitelist

In general, it is recommended to whitelist by domain as some of our IP addresses may be changed without prior notice. We will notify Access Point administrators if the IP addresses to be whitelisted change.

Inbound Traffic:

  • 35.222.119.55 must be whitelisted to enable inbound traffic from the TripleBlind infrastructure to your Access Point.
  • Inbound traffic from your collaborators’ Access Points’ IP addresses.
  • Inbound traffic from the IP addresses of the machines of your SDK users (required for positioning and retrieving Assets).
  • Inbound traffic from your own Access Point’s IP address (with default setup, find this in the admin console).

Outbound Traffic:

  • tripleblind.app (104.21.95.47)
  • dev.tripleblind.app (172.67.143.2)
  • 52.165.33.19
  • 3.129.200.236
  • 34.68.6.20

ℹ️The IP addresses or URLs of all counterparty organizations’ Access Points must be whitelisted for both inbound and outbound traffic in order to collaborate with external organizations.

ℹ️If you do not provide your own SSL certificate and key, TripleBlind will generate temporary ones during the installation process via 🔗LetsEncrypt. In order to generate these, ALL inbound and outbound traffic must be allowed temporarily during the installation. You can revert back to your original whitelisted addresses once the setup is complete.

ℹ️Your Access Point must have all of your counter-party certificate authorities in its chain of trust. Otherwise connections by their Access Point will be rejected when you attempt to perform collaborative operations. Contact TripleBlind support if you need assistance working with a non-standard Certificate Authority.

Ports

  • 443
  • Both HTTPS and WSS (WebSocket Secure) protocols must be enabled.

Networking Requirements

  • One static public IP address for the container
  • Port 443 open to the Internet for the container
  • SSL Certificate and Key (if hosting on a custom domain name)

Cloud Computing

Your Access Point can be hosted on a machine you maintain or on any of the popular Cloud Computing platforms. Here are some of the most popular along with known-good machine types:

  • Google Cloud Platform (GCP), using n1-standard-4 machine type
  • Amazon Web Services (AWS), using t3.xlarge machine type
  • Microsoft Azure, using Standard_D4a_v4 machine type

An easy way to configure a server for TripleBlind is by subscribing through Cloud Marketplaces.

Azure Setup

You can find the TripleBlind offering in the 🔗Azure Marketplace.

Amazon Web Services Setup

You can find the TripleBlind offering in the 🔗AWS Marketplace.

Physical Server Setup

  • Linux (64-bit Ubuntu 18.04+, Debian Stretch 9+, RHEL/CentOS 7+)
    • NOTE: Secure Python preprocessing and postprocessing requires Linux kernel 5.13 or later (e.g. Ubuntu 22.04+, RHEL 8.5+). Execution of trusted scripts can also be supported on older kernels.
  • Windows Server 2019, Windows 10 64-bit: Pro, Enterprise, or Education (Build 16299 or later)

ℹ️For Windows servers, Docker requires Windows 10+ on hardware that supports Hyper-V.

Installation Instructions

After provisioning a Server/VM and receiving your Administrator login credentials, log in to the TripleBlind web interface at 🔗tripleblind.app. If your Access Point is not yet installed, you see the following screen.

You can also get to this page by selecting the Access Point menu item at the left of the screen, and then by selecting Setup Guide in the upper right hand corner under the three dot menu.


Select Setup your Access Point, which takes you to the following page that presents minimum system requirements and provides the commands you need to run on your provisioned system.

Next, log in to your server via SSH using a terminal window and execute the commands presented on the page shown above. You can copy the commands from the page, paste them into your terminal command line, and press enter to execute.

Download the CLI

The first required step is to download the Access Point command line interface (CLI) tool, which is used in subsequent steps and dramatically simplifies the installation process.

curl -Lo tbadmin.sh https://tripleblind.app/download/tbadmin.sh && chmod +x tbadmin.sh

Installing Your Access Point

The following optional configurations can be selected for your Access Point configuration.

sudo tbadmin launch --auth-token=<YOUR TOKEN> --tb-environment=<YOUR ENV>

ℹ️The auth-token in this and the following examples will be unique for your Access Point. To collect the token, head to the My Account page, accessible from the top right corner menu of the web interface. Only the Authentication Token of the Organization Admin’s account can be used to set up an Access Point.

ℹ️The --tb-environment=<YOUR_ENV> variable should be used when your organization is using its own dedicated Router. For example, if you are using acme.tripleblind.com, this value would be acme. Otherwise it may be disregarded.

Use Custom Domain

Select this optional configuration if you would prefer to use a custom domain for your Access Point, instead of having TripleBlind assign one.

Enable Blind Join and Blind Query Capabilities

Select this optional configuration if you plan to use Blind Join and Blind Query. Care must be taken when using the Blind Join and Blind Query capabilities to ensure that no sensitive data is shared. Refer to Privacy Assurances & Risk in the Getting Started section of the User Guide for additional information. Use caution when enabling them. This setting can be changed later in Access Point Settings.

Enable Verbose Setup

Select this optional configuration if you would like to see more verbose log file output, which can be helpful if you experience issues when installing your Access Point.

After you have selected the optional items you want to use, copy the resulting command, which is modified based on your selections, and execute it in your terminal window.

Enabling GPUs

If your host machine has a GPU you can connect it to the Access Point by adding the flag --gpu to the tbadmin command you use to launch the Access Point.

ℹ️The Access Point will fail to launch if you use this flag and the host machine does not have a GPU or if the host machine does not have the necessary GPU drivers.

Validation Server

Before launching the Access Point, the tbadmin script will launch a validation server. Its purpose is to check whether your server meets the minimum requirements and can communicate with the TripleBlind Router. It can also be an aid in troubleshooting any issues that you may encounter during the installation process.

The validation server will check the following:

  • A WSS (websocket) connection between the server and the TripleBlind router can be established.
  • The server satisfies the minimum CPU, memory and storage requirements.

Any problems the validation server runs into will be highlighted in red, then it will proceed with the launch.

View Logs

If you encounter issues during Access Point installation, execute this command in your terminal window to view logs and troubleshoot your Access Point setup.

To keep the log stream open, add the -f flag:

sudo tbadmin logs -f

After successfully installing your Access Point, you can go to 🔗tripleblind.app to begin using TripleBlind.

Access Point migration

The performance of the Access Point is partially dependent on the resources of the host machine. If it becomes necessary to increase the computational resources available to the Access Point, it can be migrated to a stronger machine.

To begin the migration, prepare the new host machine as if you were launching a fresh Access Point. This can be done again via a cloud marketplace offering or manually.

As the main migration step, it is necessary to move the Asset directory to the new host machine. The Asset directory location is defined by the value of TB_ASSETDIRECTORY within the configuration file /var/tripleblind/tripleblind.env. Typically, it is located at /mnt/host/. It is necessary to fully copy this folder onto the new machine. You can use a tool like scp, for example with the command (issued from the new machine):

sudo scp -i keyfile.pem username@from_ipaddress:/mnt/host/ username@to_ipaddress:/mnt/host/

Once the Asset directory has been copied to the new machine, you can proceed to launch an Access Point on the new machine as usual. It will pick up all the Assets within the directory and will be ready to resume where left off. During the launch, you may be prompted to confirm an override of the Access Point domain - answer y to confirm to the TripleBlind router that you’re changing the physical location and IP address of your Access Point.

Hosted Jupyter Notebook SDK

Commonly, each user installs the TripleBlind SDK on their own machine for development work. However in some deployment scenarios it is easier for the Access Point administrator to prepare and host the SDK on behalf of their users, eliminating the need to install and upkeep the SDK on their own machine.

To support this, we recommend a separate Virtual Machine to host the SDK. Port 443 needs to be open on the machine for the SDK to work. Download the tbadmin script following the instructions above. Then use the sudo tbadmin run-jupyter command. This will launch a Jupyter Notebook instance, creating a browser-accessible development environment for your users.

After running the command, you will be prompted to create a password — make sure you store this for later. Once the setup is complete you should see the message SDK is running at url:port. This port must be open to the internet so that the users can access the Jupyter Notebook instance with the preloaded SDK by opening this address.