Skip to content

Data Provider

This article provides a guide to deploying the data provider components of Confidential Computing. It details the configuration and deployment of the following components:

Each section outlines the necessary configurations, including database setup, service parameters, and Docker compose examples, ensuring a clear and structured approach to deploying the platform components.

Warning

Before deploying any component make sure you have followed the data provider sections in the getting started guide

1. Database

A PostgreSQL database is required for storage by Authentication and Key Management services.

Write SQL Init Script

If you already have a PostgreSQL database set up, you can skip this step and use your pre-existing database when configuring the rest of the components.

Fill in the database-init.sql file created in the storage configuration step with the following content:

CREATE
DATABASE cc_authentication;
CREATE
DATABASE cc_key_management;

GRANT ALL PRIVILEGES ON DATABASE
cc_authentication TO postgres;
GRANT ALL PRIVILEGES ON DATABASE
cc_key_management TO postgres;

This initialization script creates two separate databases, cc_authentication needed by the authentication service and cc_key_management needed by the key management service.

It then grants the postgres database user all privileges on the created databases.

Configure the Docker Image

In this guide we use the PostgreSQL Docker image to deploy the PostgreSQL databases. We use the following example Docker Compose configuration:

Click to expand: Database - Example Docker configuration 
services:
  confidential-computing-postgres:
    container_name: cc-postgres
    image: postgresql:18
    restart: unless-stopped
    environment:
      - POSTGRES_USERNAME=postgres
      - POSTGRES_PASSWORD=postgres
    expose:
      - "5432"
    volumes:
      - /path/to/database/storage:/var/lib/postgresql/18/data
      - /path/to/database/init-script:/docker-entrypoint-initdb.d
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
      interval: 2s
      retries: 5
      start_period: 10s
      timeout: 1s

This configuration initializes an empty PostgreSQL database with the user postgres and the password postgres. The two mapped volumes must correspond to the directories created in the storage step. The storage directory is used to persist database data.

Other deployed Docker services on the same Docker network will be able to connect to the database using cc-postgres:5432 as the database host.

Dependent services use a health check to ensure the database is ready before starting, with Docker configured to wait for a healthy database state, as shown in the examples.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.

  2. Execute the following Docker Compose command to start the Authentication Service container:

    docker-compose up -d confidential-computing-postgres

  3. Check the logs of the database container to ensure it is running without errors:

    docker logs -f cc-postgres

2. Authentication

The authentication service is responsible for:

  • Managing user credentials
  • Creating users
  • Authenticating users to the Confidential Computing platform

Populate Configuration File

Fill in the following configuration in the authentication/conf/server.json file created in the storage configuration step:

    {
        "port": 8051, // (1)!
        "database": { // (2)!
            "persistenceUnitName": "model",
            "driver": "org.postgresql.Driver",
            "url": "jdbc:postgresql://cc-postgres:5432/cc_authentication", // (3)!
            "user": "postgres",
            "password": "postgres"
        },
        "keyManager": { // (4)!
            "url": "cc-key-management:8061" // (5)!
        },
        "tokenPrivateKey": "TOKEN_PRIVATE_KEY", // (6)!
        "tokenPublicKey": "TOKEN_PUBLIC_KEY", // (7)!
        "mail": {
            "type": "LOGGER"
        },
        "authentication": {
            "allowedServices": {}
        },
        "resetMail": {
            "from": "Partisia",
            "frontendUrl": "http://unused:1234"
        }
    }
  1. REST endpoint port to access the authentication service.
  2. Configures a hibernate connection for the database where users are stored.
  3. The URL to access the database. Defaults are based on the example database configuration.
  4. Configures access to the key management service, which handles private keys of users in the authentication service.
  5. The local URL to access the key management service.
  6. Private key for communication from the authentication service to the key management service.
  7. Public key for communication from the authentication service to the key management and backend services.

Configure the Docker Image

In addition, you must configure the authentication service docker image by adding the following to your docker-compose.yml file:

Click to expand: Authentication - Example Docker configuration 
services:
  confidential-computing-authentication:
    container_name: cc-authentication
    image: registry.gitlab.com/secata/platform/authentication:latest
    restart: unless-stopped
    expose:
      - "8051"
    volumes:
      - /path/to/authentication/conf:/conf
      - /path/to/authentication/logs:/logs
      - /path/to/authentication/storage:/storage
    depends_on:
      confidential-computing-postgres:
      condition: service_healthy

The exposed port (in this configuration, "8051") is where other services will communicate with the key management service. This port should match the port specified in the server.json configuration file.

The path of the three mapped volumes must correspond to the authentication folders created in the storage configuration step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.

  2. Execute the following Docker Compose command to start the Authentication Service container:

    docker-compose up -d confidential-computing-authentication

  3. Check the logs of the authentication container to ensure it is running without errors:

    docker logs -f cc-authentication

3. Key Management

The key management service manages the secret keys of users created by the authentication service. These secret keys are used to sign the transactions that are sent to the blockchain nodes.

Populate Configuration File

Fill in the following configuration in the key-management/conf/server.json file created in the storage configuration step:

    {
        "port": 8061, // (1)!
        "database": { // (2)!
            "persistenceUnitName": "model",
            "driver": "org.postgresql.Driver",
            "url": "jdbc:postgresql://cc-postgres:5432/cc_key_management", // (3)!
            "user": "postgres",
            "password": "postgres"
        },
        "authentication": { // (4)!
            "allowedServices": {},
            "tokenPublicKey": "TOKEN_PUBLIC_KEY" // (5)!
        }
    }
  1. Network port used to access the key management service.
  2. Configures a hibernate database connection for the database where users are stored.
  3. The URL to access the database. Defaults are based on the example database configuration.
  4. Configures access to the key management service from the authentication service configuration.
  5. Public key of the authentication service.

Configure the Docker Image

In addition, you must configure the key management docker image by adding the following to your docker-compose.yml file:

Click to expand: Key Management - Example Docker Configuration 
services:
  confidential-computing-key-management:
    container_name: cc-key-management
    image: registry.gitlab.com/secata/platform/key-management:latest
    restart: unless-stopped
    expose:
      - "8061"
    volumes:
      - /path/to/key-management/conf:/conf
      - /path/to/key-management/logs:/logs
      - /path/to/key-management/storage:/storage
    depends_on:
      confidential-computing-postgres:
        condition: service_healthy

The exposed port (in this configuration, "8061") is where other services will communicate with the authentication service. This port should match the port specified in the server.json configuration file.

The path of the three mapped volumes must correspond to the key management folders created in the storage configuration step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.

  2. Execute the following Docker Compose command to start the key management container:

    docker-compose up -d confidential-computing-key-management

  3. Check the logs of the key management container to ensure it is running without errors:

    docker logs -f cc-key-management

4. Confidential statistics

The confidential statistics service is a web application for accessing the confidential computing system. It is responsible for interacting with other components of the system through a browser-based UI. Using this component, users can manage analyses and data sources, view computation results, and perform additional tasks based on their role in the system.

Populate Configuration File

Fill in the following configuration in the confidential-statistics/conf/server.json file created in the storage configuration step:

    {
        "port": 8280, // (1)!
        "tokenPublicKey": "TOKEN_PUBLIC_KEY" // (2)!
        "blockchainUrl": "BLOCKCHAIN_NODE_PUBLIC_URL", // (3)!
        "authenticationUrl": "http://localhost:8051", // (4)!
        "keyManagementUrl": "http://localhost:8061", // (5)!
        "analysisContract": "ANALYSIS_CONTRACT_ADDRESS", // (6)!
    }
  1. Network port used to access the confidential statistics service.
  2. Public key of the authentication service.
  3. Url to a blockchain node REST endpoint.
    • Used to communicate with the blockchain. We recommend setting this to the deployed node that is physically closes to you to minimize latency. If you are deploying a node yourself, set the url to the url of the node you deployed.
  4. Internal URL of the locally deployed authentication service.
  5. Internal URL of the locally deployed key management service.
  6. Address of the smart contract that manages analyses.

Configure the Docker Image

In addition, you must configure the backend docker image by adding the following to your docker-compose.yml file:

Click to expand: Backend - Example Docker Configuration 
services:
  confidential-computing-backend:
    container_name: cc-backend
    image: registry.gitlab.com/secata/confidential-computing/backend/backend:latest
    restart: unless-stopped
    expose:
      - "8031"
    volumes:
      - /path/to/backend/conf:/conf
      - /path/to/backend/logs:/logs
      - /path/to/backend/storage:/storage

The exposed port (in this configuration, "8031"") is where other services will communicate with the backend service. This port should match the port specified in the server.json configuration file.

The path of the three mapped volumes must correspond to the backend folders created in the storage configuration step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.

  2. Execute the following Docker Compose command to start the backend container:

    docker-compose up -d confidential-computing-statistics

  3. Check the logs of the confidential statistics container to ensure it is running without errors:

    docker logs -f cc-statistics

6. Data Runway

The data runway is the component responsible for encrypting and uploading data to the Blockchain in a secure way.

Populate Configuration File

Fill in the following configuration in the data-runway/conf/server.json file created in the storage configuration step:

    {
        "restEndpointPort": 1111, // (1)!
        "engineNetworkTcpAddress": "EXECUTION_ENGINE_TCP_HOST", // (2)!
        "readerNodeEndpoint": "BLOCKCHAIN_NODE_REST_URL",
        "tcpReaderAddresses": ["BLOCKCHAIN_NODE_TCP_HOST"], // (3)!
        "blockchainShards": 0,
        "storagePath": "STORAGE_PATH", // (4)!
        "transactionPrivateKey": "TRANSACTION_PRIVATE_KEY", // (5)!
        "tcpNetworkPrivateKey": "TCP_PRIVATE_KEY", // (6)!
        "globalOffChainConfig": { // (7)!
        }
    }
  1. Mandatory config value, but unused for the data runway, as the data runway does not support any REST functionality. Can be any value.
  2. Hostname or IP address and port for this execution engine's TCP communication. As the data runway does not communicate with other execution engines, this can be a dummy value.
  3. List of blockchain node TCP hosts. Should be on the form publickey:domain:port.
    • The public key is the base64 encoded public part of the external listener key used by the blockchain node.
  4. Path to the folder used for persistent storage. The path is specified inside the Docker container.
  5. ECDSA Private key identifying the Execution Engine when sending transactions to on-chain nodes.
  6. ECDSA private key identifying the Execution Engine when communicating with other Execution Engines.
  7. Configuration related to off-chain nodes.

Configure the Docker Image

In addition, you must configure the data runway docker image by adding the following to your docker-compose.yml file:

Click to expand: Data Runway - Example Docker Configuration 
services:
  confidential-computing-runway:
    container_name: cc-data-runway
    image: registry.gitlab.com/secata/pbc/core/execution-container/execution-container-standalone:latest
    restart: unless-stopped
    ports:
      - "8071:8071"
      - "9000:9000"
    volumes:
      - /path/to/data-runway/conf:/conf
      - /path/to/data-runway/logs:/logs
      - /path/to/data-runway/storage:/storage

The path of the three mapped volumes must correspond to the data runway folders created in the storage step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.

  2. Execute the following Docker Compose command to start the Data Runway service container:

    docker-compose up -d confidential-computing-runway

  3. Check the logs of the data runway container to ensure it is running without errors:

    docker logs -f cc-data-runway