Enterprise Access Point Setup Guide
Once an Access Point has been installed (see Access Point Installation), it can optionally be placed in Enterprise Mode to better fit into the networking environment and the division of administrative duties common in larger organizations. In this mode all SDK traffic must pass through the Access Point, and each user account has a unique signature maintained on the Access Point. This creates a two-part “multiple-signature” key which is required for all API calls made by enterprise organization members.
- Users cannot be added without the explicit participation of the IT department.
- TripleBlind SDK script/API network traffic all passes through the Access Point, requiring only the single port 443 egress through the firewall.
- All SDK script/API network traffic passes to the Access Point, which requires port 4443 (configurable) ingress traffic.
- Provisioning of new users is more complex, requiring access to the tbadmin command line tool run from the Access Point host machine.
- SDK users will need to add additional parameters to their
- External users will need to use a VPN in order to use the SDK.
- Running operations from the web interface is not possible due to the additional signature which is only added by running an SDK script behind the Access Point.
Basic Docker host system requirements:
- 4 CPU cores (minimum)
- 16 GB of RAM (minimum)
- 100 GB+* of attached storage
* Additional storage requirements depend on assets to be shared on the platform.
IP Addresses to Whitelist
In general, it is recommended to whitelist by domain as some of our IP addresses may be changed without prior notice. We will notify Access Point administrators if the IP addresses to be whitelisted change.
126.96.36.199 must be whitelisted to enable inbound traffic from the TripleBlind Router to your Access Point.
- Inbound traffic from your own IP address.
- tripleblind.app (
- dev.tripleblind.app (
ℹ️ The IP addresses or URLs of all counterparty organizations’ Access Points must be whitelisted for both inbound and outbound traffic in order to collaborate with external organizations.
ℹ️ If you do not provide your own SSL certificate and key, TripleBlind will generate temporary ones during the installation process via LetsEncrypt. In order to generate these, ALL inbound and outbound traffic must be allowed temporarily during the installation. You can revert back to your original whitelisted addresses once the setup is complete.
443 (for egress traffic to the TripleBlind Router)
- The default Enterprise Mode port open to the local network is port 4443. This can be changed in setup if desired.
- Both HTTPS and WSS (WebSocket Secure) protocols must be enabled.
- Google Cloud Platform (GCP), using
- Amazon Web Services (AWS), using
- Microsoft Azure, using
An easy way to configure a server for TripleBlind is by subscribing through Cloud Marketplaces.
ℹ️ Both the default Access Point configuration and enterprise modes are highly secure. Enterprise mode should only be used if your organization’s networking environment requires the single point of ingress/egress through firewalls for all of your SDK users.
Entering Enterprise Mode
An administrator with command line access to the machine hosting the Access Point can place it in enterprise mode via the following command:
sudo ./tbadmin.sh enable enterprise-mode
There will then be a prompt to configure the Enterprise Mode port:
Enterprise Mode runs on port 4443 by default. [Press Enter to continue or enter a different port number]:
Creating a user is a three step process:
1. Add the user and set permissions via the web interface. This adds the user to the TripleBlind Router.
2. Run the below command on the Access Point server (supports one or more users):
sudo ./tbadmin.sh users add <user name>
3. This will create a user and return a token (access_point_token) which should be added to the user’s SDK directory within the tripleblind.yaml file with the following values:
sdkuser_token: Authorization Token for a user of the SDK (obtained in the web interface).
access_point_token: Authorization Token for AP setup (obtained from the
access_point_url: URL of the Access Point. The port here should be the same port specified when enabling Enterprise Mode (
ℹ️ The token returned will need to be given to the SDK user at the time of generation. It cannot be retrieved.
Example adding a user
This user token (circled above) will need to be inserted by the SDK user (“steve”) in their local tripleblind.yaml config file as the access_point_token. Additionally, the access_point_url will also need to be configured with the address needed by the user to reach the Access Point. This is in addition to the user’s normal
tripleblind.yaml file for the user “steve”:
sdkuser_token: "1234567890123456789" # <--from Steve's My Account on the Router

# If your organization uses Enterprise mode, your administrator will give you
# a unique access_point_token as well as the access_point_url which your
# organization uses.
#
access_point_token: "c66bf072-ccb4-43ce-aa2f-bfe686706e87"
access_point_url: "https://accesspoint.acme.com:4443"
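As an added check for administrators handing out these values (example code, not part of the TripleBlind SDK or tbadmin), the script below reads a flat tripleblind.yaml in the layout shown above and reports the mistakes that typically break Enterprise Mode: a missing access_point_token, a non-HTTPS access_point_url, or a URL port that does not match the port chosen when running `tbadmin.sh enable enterprise-mode`. The hostname, tokens and the 8443 alternative port in the samples are constructed.

```python
import re
from urllib.parse import urlsplit

# Matches   key: "value"   with an optional trailing # comment.
_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*"([^"]*)"')
# Fields this guide says an Enterprise Mode SDK user must have.
REQUIRED = ("sdkuser_token", "access_point_token", "access_point_url")


def parse_config(text):
    """Return the quoted string fields of a flat tripleblind.yaml (comments skipped)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_enterprise_config(text, enterprise_port=4443):
    """Return a list of problems; an empty list means the file is usable.

    enterprise_port is the port given to `tbadmin.sh enable enterprise-mode`
    (4443 by default); access_point_url must name the same port explicitly."""
    cfg = parse_config(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED if not cfg.get(k)]
    url = cfg.get("access_point_url")
    if url:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append("access_point_url must use https")
        try:
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            port = None
        if port is None:
            problems.append(f"access_point_url has no port; expected :{enterprise_port}")
        elif port != enterprise_port:
            problems.append(f"access_point_url port {port} != Enterprise Mode port {enterprise_port}")
    return problems


# Constructed sample files: one correct, one with the usual mistakes.
SAMPLE_OK = '''
sdkuser_token: "1234567890123456789" # from the user's My Account page
# access_point_token comes from `tbadmin.sh users add <user name>`
access_point_token: "00000000-0000-0000-0000-000000000000"
access_point_url: "https://accesspoint.example.com:4443"
'''
SAMPLE_BAD = '''
sdkuser_token: "1234567890123456789"
access_point_url: "http://accesspoint.example.com"
'''
```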