Enterprise Access Point Setup Guide

Once an Access Point has been installed (see Access Point Installation), it can optionally be placed in Enterprise Mode to better fit into the networking environment and the division of administrative duties common in larger organizations. In this mode all SDK traffic must pass through the Access Point, and each user account has a unique signature maintained on the Access Point. This creates a two-part “multiple-signature” key which is required for all API calls made by enterprise organization members.

Advantages

  • Users cannot be added without the explicit participation of the IT department.
  • TripleBlind SDK script/API network traffic all passes through the Access Point, requiring only the single port 443 egress through the firewall.
  • All SDK script/API network traffic passes to the Access Point, which requires port 4443 (configurable) ingress traffic.

Disadvantages

  • Provisioning of new users is more complex, requiring access to the tbadmin command line tool run from the Access Point host machine.
  • SDK users will need to add additional parameters to their tripleblind.yaml.
  • External users will need to use a VPN in order to use the SDK.
  • Running operations from the web interface is not possible due to the additional signature which is only added by running an SDK script behind the Access Point.

Hosting Requirements

Basic Docker host system requirements:

  • 4 CPU cores (minimum)
  • 16 GB of RAM (minimum)
  • 100 GB+* of attached storage
    * Additional storage requirements depend on assets to be shared on the platform.
  • Static IP address (simplifies whitelisting)

IP Addresses to Whitelist

In general, it is recommended to whitelist by domain as some of our IP addresses may be changed without prior notice. We will notify Access Point administrators if the IP addresses to be whitelisted change.

Inbound Traffic:

  • 35.222.119.55 must be whitelisted to enable inbound traffic from the TripleBlind infrastructure to your Access Point.
  • Inbound traffic from your collaborators’ Access Points’ IP addresses.
  • Inbound traffic from the IP addresses of the machines of your SDK users (required for positioning and retrieving Assets).
  • Inbound traffic from your own Access Point’s IP address (with default setup, find this in the admin console).

Outbound Traffic:

  • tripleblind.app (104.21.14.248)
  • dev.tripleblind.app (172.67.160.210)
  • 52.165.33.19
  • 3.129.200.236
  • 34.68.6.20

ℹ️ The IP addresses or URLs of all counterparty organizations’ Access Points must be whitelisted for both inbound and outbound traffic in order to collaborate with external organizations.

ℹ️ If you do not provide your own SSL certificate and key, TripleBlind will generate temporary ones during the installation process via 🔗LetsEncrypt. In order to generate these, ALL inbound and outbound traffic must be allowed temporarily during the installation. You can revert back to your original whitelisted addresses once the setup is complete.

ℹ️ Your Access Point must have all of your counter-party certificate authorities in its chain of trust. Otherwise connections by their Access Point will be rejected when you attempt to perform collaborative operations. Contact TripleBlind support if you need assistance working with a non-standard Certificate Authority.

Ports

  • 443 (for egress traffic to the TripleBlind Router)
  • The default Enterprise Mode port open to the local network is port 4443. This can be changed in setup if desired.
  • Both HTTPS and WSS (WebSocket Secure) protocols must be enabled.

Cloud Computing

  • Google Cloud Platform (GCP), using n1-standard-4 machine type
  • Amazon Web Services (AWS), using t3.xlarge machine type
  • Microsoft Azure, using Standard_D4a_v4 machine type

An easy way to configure a server for TripleBlind is by subscribing through Cloud Marketplaces.

ℹ️ Both the default Access Point configuration and enterprise modes are highly secure. Enterprise mode should only be used if your organization’s networking environment requires the single point of ingress/egress through firewalls for all of your SDK users.

Entering Enterprise Mode

An administrator with command line access to the machine hosting the Access Point can place it in enterprise mode via the following command:

sudo ./tbadmin.sh enable enterprise-mode

There will then be a prompt to configure the Enterprise Mode port:

Enterprise Mode runs on port 4443 by default. [Press Enter to continue or enter a different port number]:

Adding Users

Creating a user is a three step process:

1. Add the user and set permissions via the web interface. This adds the user to the TripleBlind Router.

2. Run the below command on the Access Point server (supports one or more users):

sudo ./tbadmin.sh users add <user name>

3. This will create a user and return a token (access_point_token) which should be added to the user’s SDK directory within the tripleblind.yaml file with the following values:

  • sdkuser_token: Authorization Token for a user of the SDK (obtained in the web interface).
  • access_point_token: Authorization Token for AP setup (obtained from the add command).
  • access_point_url: URL of the Access Point. The port here should be the same port specified when enabling Enterprise Mode (4443 by default).

ℹ️ The token returned will need to be given to the SDK user at the time of generation. It cannot be retrieved.

Example adding a user

This user token (circled above) will need to be inserted by the SDK user (“steve”) in their local tripleblind.yaml config file as the access_point_token. Additionally, the access_point_url will also need to be configured with the address needed by the user to reach the Access Point. This is in addition to the user’s normal sdkuser_token.

Example tripleblind.yaml file for the user “steve”:

sdkuser_token: "1234567890123456789" # <--from Steve's My Account on the Router

# If your organization uses Enterprise mode, your administrator will give you
# a unique access_point_token as well as the access_point_url which your
# organization uses.
#
access_point_token: "c66bf072-ccb4-43ce-aa2f-bfe686706e87"
access_point_url: "https://accesspoint.acme.com:4443"