Access Point Administration
An Access Point can optionally run in enterprise mode, giving more administrative and networking control to the IT departments within an enterprise. See the Access Point Installation guide for information on configuring your Access Point. This guide covers ongoing maintenance when operating in this configuration.
The tbadmin Utility
During the Access Point installation process the tbadmin.sh script was downloaded to the machine which hosts the Docker image. It can be retrieved or updated at any time by running:
curl -Lo tbadmin.sh https://tripleblind.app/downloads/tbadmin.sh && chmod +x tbadmin.sh && ./tbadmin.sh install
This utility provides all the tools needed to easily administer your Access Point.
Launching and Upgrading your Access Point
To upgrade your Access Point to the latest version run:
sudo tbadmin update
If you wish to pin your Access Point to a particular version, you can do so by launching it with an explicit version. For example:
sudo tbadmin launch --version=1.38.1
Access Point configuration settings
A variety of parameters are stored within the tripleblind.env file, which configures how the Access Point is run. These values can be modified at any time by running the tbadmin utility, which will save the change and re-launch the Access Point to apply updates.
For example, the following command will change the domain name used to reach your Access Point:
sudo tbadmin launch --domain=some.new.domain.com --cert=/path/to/crt --key=/path/to/key
By default the system is configured with the most restrictive settings. Additional features, such as allowing the usage of Blind Join, can be enabled via:
sudo tbadmin enable blind-join
Access Point Environment Variables
TB_LANDLOCK_OPTION="UNGUARDED"
— Allow preprocessing and postprocessing Python scripts to execute on an Access Point running under a host operating system that does not support the Landlock technology introduced in Linux kernel 5.13. Landlock was incorporated into Ubuntu 21.04, RHEL 8.4, and Fedora 34, so any older versions would require this setting in order to run pre/postprocessing Python scripts.
🛑 Use this with care! Scripts will have full access to the file system and network resources when this is defined on a system that does not support Landlock.
Viewing Logs
Detailed logs are kept on the Access Point which can easily be accessed using the following command:
sudo tbadmin logs
The logs can also be monitored continuously by adding the -f flag:
sudo tbadmin logs -f
Production Monitoring
The Access Point exposes a /ping endpoint that can be used for uptime monitoring. This endpoint can be monitored via a script running on the Access Point itself (requesting localhost/ping), or externally via https://<ap_domain_name>/ping, e.g. https://provider-34-71-101-84.tripleblind.app/ping. A reasonable alert setup is to check every 10 seconds and trigger an alert if the ping fails to respond with a 200 three times in a row.
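The monitor described above, written out as an added example that is not part of the TripleBlind documentation or the tbadmin utility. It polls the /ping endpoint every 10 seconds and raises a single alert once three consecutive checks fail to return HTTP 200; the local URL http://localhost/ping is an assumption, as is the 5-second request timeout.

```python
"""Uptime monitor for the Access Point /ping endpoint (added example)."""
import time
import urllib.error
import urllib.request

PING_URL = "http://localhost/ping"  # assumed local URL; externally use https://<ap_domain_name>/ping
INTERVAL_SECONDS = 10               # check interval from the documentation
FAILURE_THRESHOLD = 3               # consecutive non-200 responses before alerting


def probe(url: str, timeout: float = 5.0) -> bool:
    """Return True only when the endpoint answers with HTTP 200."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False            # 4xx/5xx responses raise; count them as failures
    except (urllib.error.URLError, TimeoutError, OSError):
        return False            # connection refused, DNS failure, timeout, etc.


class ConsecutiveFailureAlert:
    """Counts consecutive failed probes and fires once when the threshold is reached."""

    def __init__(self, threshold: int = FAILURE_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures = 0
        self.alerting = False   # suppresses repeat alerts until the endpoint recovers

    def observe(self, ok: bool) -> bool:
        """Record one probe result; return True when a new alert should be raised."""
        if ok:
            self.failures = 0
            self.alerting = False
            return False
        self.failures += 1
        if self.failures >= self.threshold and not self.alerting:
            self.alerting = True
            return True
        return False


def replay(results):
    """Run a sequence of probe outcomes through the tracker; return indices that alerted."""
    tracker = ConsecutiveFailureAlert()
    return [i for i, ok in enumerate(results) if tracker.observe(ok)]


def monitor(url: str = PING_URL, interval: int = INTERVAL_SECONDS) -> None:
    """Poll forever, printing one alert per outage (replace print with your pager hook)."""
    tracker = ConsecutiveFailureAlert()
    while True:
        if tracker.observe(probe(url)):
            print(f"ALERT: {url} failed {tracker.threshold} consecutive checks")
        time.sleep(interval)


if __name__ == "__main__":
    monitor()
```

Two transient failures followed by a successful check reset the counter, so only a sustained outage alerts, and recovery re-arms the alert for the next outage.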
Help
Use the -h or --help flag to see a list of all available commands and arguments:
tbadmin -h
Secrets Management
TripleBlind can work with many different data sources for Assets, including a variety of database connections. These assets encapsulate a connection string, which typically includes the path to the database along with a set of credentials. Whenever the asset is utilized, the Access Point connects to the database using this string to then execute the asset’s SQL to produce a view of data or a report.
The credentials in the connection string are usually sensitive and should be available to a limited number of trusted users, such as the Access Point administrators. Additionally, credentials should periodically be rotated as part of security best practices. Both of these needs are served by named secrets, allowing administrators to manage the secret values and only expose the secret names to users. The TripleBlind Secrets Manager stores and utilizes the secrets on the Access Point, never exposing them to organization users, asset consumers or TripleBlind.
Defining a Secret
To insert a new secret or update an existing one, use the command:
sudo tbadmin secrets set NAME VALUE
Where NAME is the name of the secret and VALUE is the secret string value. You can share the NAME with asset creators; they will never be able to view the protected VALUE.
If an entry with the same NAME already exists, the VALUE is simply updated.
Inventorying Saved Secrets
A list of the secret key names can be retrieved with this command:
sudo tbadmin secrets list
Deleting a Secret
An existing secret can be removed from the store with the command:
sudo tbadmin secrets remove NAME
Learn more about how to use the secrets in the SDK for performing TripleBlind operations in the Using Named Secrets section under Asset Owner Operations.