Data Provider
This article provides a guide to deploying the data provider components of Confidential Computing. It details the configuration and deployment of the following components:
Each section outlines the necessary configurations, including database setup, service parameters, and Docker compose examples, ensuring a clear and structured approach to deploying the platform components.
Warning
Before deploying any component make sure you have followed the data provider sections in the getting started guide
1. Database
A PostgreSQL database is required for storage by Authentication and Key Management services.
Write SQL
Init Script
If you already have a PostgreSQL database set up, you can skip this step and use your pre-existing database when configuring the rest of the components.
Fill in the database-init.sql
file created in the
storage configuration
step with the following content:
CREATE
DATABASE cc_authentication;
CREATE
DATABASE cc_key_management;
GRANT ALL PRIVILEGES ON DATABASE
cc_authentication TO postgres;
GRANT ALL PRIVILEGES ON DATABASE
cc_key_management TO postgres;
This initialization script creates two separate databases, cc_authentication
needed by
the authentication service and cc_key_management
needed by
the key management service.
It then grants the postgres
database user all privileges on the created databases.
Configure the Docker Image
In this guide we use the Bitnami PostgreSQL Docker image to deploy the PostgreSQL databases. We use the following example Docker Compose configuration:
Click to expand: Database - Example Docker configuration
services:
confidential-computing-postgres:
container_name: cc-postgres
image: bitnami/postgresql:latest
restart: unless-stopped
environment:
- POSTGRESQL_USERNAME=postgres
- POSTGRESQL_PASSWORD=postgres
expose:
- "5432"
volumes:
- /path/to/database/storage:/bitnami/postgresql
- /path/to/database/init-script:/docker-entrypoint-initdb.d
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
interval: 2s
retries: 5
start_period: 10s
timeout: 1s
This configuration initializes an empty PostgreSQL database with the user postgres
and the password postgres
.
The two mapped volumes must correspond to the directories created in the
storage step.
The storage
directory is used to persist database data.
Other deployed Docker services on the same Docker network will be able to connect to the database using
cc-postgres:5432
as the database host.
Dependent services use a health check to ensure the database is ready before starting, with Docker configured to wait for a healthy database state, as shown in the examples.
Deploy the Component
- Open your terminal and navigate to the directory containing your
docker-compose.yml
file. -
Execute the following Docker Compose command to start the Authentication Service container:
docker-compose up -d confidential-computing-postgres
-
Check the logs of the authentication container to ensure it is running without errors:
docker logs -f cc-postgres
2. Authentication
The authentication service is responsible for:
- Managing user credentials
- Creating users
- Authenticating users to the Confidential Computing platform
Populate Configuration File
Fill in the following configuration in the authentication/conf/server.json
file created in
the storage configuration step:
{
"port": 8051, // (1)!
"database": { // (2)!
"persistenceUnitName": "model",
"driver": "org.postgresql.Driver",
"url": "jdbc:postgresql://cc-postgres:5432/cc_authentication", // (3)!
"user": "postgres",
"password": "postgres"
},
"keyManager": { // (4)!
"url": "cc-key-management:8061" // (5)!
},
"tokenPrivateKey": "TOKEN_PRIVATE_KEY", // (6)!
"tokenPublicKey": "TOKEN_PUBLIC_KEY", // (7)!
"mail": {
"type": "LOGGER"
},
"authentication": {
"allowedServices": {}
},
"resetMail": {
"from": "Partisia",
"frontendUrl": "http://unused:1234"
}
}
- REST endpoint port to access the authentication service.
- Configures a hibernate connection for the database where users are stored.
- The URL to access the database. Defaults are based on the example database configuration.
- Configures access to the key management service, which handles private keys of users in the authentication service.
- The local URL to access the key management service.
- Private key for communication from the authentication service to the key management service.
- It should be the key in the
tokenPrivateKey.pem
file from the getting started guide on a single line.
- It should be the key in the
- Public key for communication from the authentication service to the key management and backend
services.
- It should be the key in the
tokenPublicKey.pem
file from the getting started guide on a single line.
- It should be the key in the
Configure the Docker Image
In addition, you must configure the authentication service docker image
by adding the following to your docker-compose.yml
file:
Click to expand: Authentication - Example Docker configuration
services:
confidential-computing-authentication:
container_name: cc-authentication
image: registry.gitlab.com/secata/platform/authentication:latest
restart: unless-stopped
expose:
- "8051"
volumes:
- /path/to/authentication/conf:/conf
- /path/to/authentication/logs:/logs
- /path/to/authentication/storage:/storage
depends_on:
confidential-computing-postgres:
condition: service_healthy
The exposed port (in this configuration, "8051") is where other services will communicate with the key management
service.
This port should match the port specified in the server.json
configuration file.
The path of the three mapped volumes must correspond to the authentication folders created in the storage configuration step.
Deploy the Component
- Open your terminal and navigate to the directory containing your
docker-compose.yml
file. -
Execute the following Docker Compose command to start the Authentication Service container:
docker-compose up -d confidential-computing-authentication
-
Check the logs of the authentication container to ensure it is running without errors:
docker logs -f cc-authentication
3. Key Management
The key management service manages the secret keys of users created by the authentication service. These secret keys are used to sign the transactions that are sent to the blockchain nodes.
Populate Configuration File
Fill in the following configuration in the key-management/conf/server.json
file created in
the storage configuration step:
{
"port": 8061, // (1)!
"database": { // (2)!
"persistenceUnitName": "model",
"driver": "org.postgresql.Driver",
"url": "jdbc:postgresql://cc-postgres:5432/cc_key_management", // (3)!
"user": "postgres",
"password": "postgres"
},
"authentication": { // (4)!
"allowedServices": {},
"tokenPublicKey": "TOKEN_PUBLIC_KEY" // (5)!
}
}
- Network port used to access the key management service.
- Configures a hibernate database connection for the database where users are stored.
- The URL to access the database. Defaults are based on the example database configuration.
- Configures access to the key management service from the authentication service configuration.
- Public key of the authentication service.
- Should match with the
tokenPublicKey
field of the authentication service configuration.
- Should match with the
Configure the Docker Image
In addition, you must configure the key management docker image
by adding the following to your docker-compose.yml
file:
Click to expand: Key Management - Example Docker Configuration
services:
confidential-computing-key-management:
container_name: cc-key-management
image: registry.gitlab.com/secata/platform/key-management:latest
restart: unless-stopped
expose:
- "8061"
volumes:
- /path/to/key-management/conf:/conf
- /path/to/key-management/logs:/logs
- /path/to/key-management/storage:/storage
depends_on:
confidential-computing-postgres:
condition: service_healthy
The exposed port (in this configuration, "8061") is where other services will communicate with the authentication
service.
This port should match the port specified in the server.json
configuration file.
The path of the three mapped volumes must correspond to the key management folders created in the storage configuration step.
Deploy the Component
- Open your terminal and navigate to the directory containing your
docker-compose.yml
file. -
Execute the following Docker Compose command to start the key management container:
docker-compose up -d confidential-computing-key-management
-
Check the logs of the authentication container to ensure it is running without errors:
docker logs -f cc-key-management
4. Backend
The backend service is the link between the data provider frontend and the blockchain. It is responsible for forwarding signed transactions from the frontend to the blockchain, and fetching data from the blockchain smart contract states to present in the frontend.
Populate Configuration File
Fill in the following configuration in the backend/conf/server.json
file created in
the storage configuration step:
{
"port": 8031, // (1)!
"blockchainUrl": "BLOCKCHAIN_NODE_PUBLIC_URL", // (2)!
"dataCatalogContract": "DATA_CATALOG_CONTRACT_ADDRESS", // (3)!
"accountContract": "ACCOUNT_CONTRACT_ADDRESS", // (4)!
"analysisContract": "ANALYSIS_CONTRACT_ADDRESS", // (5)!
"fixedPointPrecision": 16, // (6)!
"authentication": { // (7)!
"tokenPublicKey": "TOKEN_PUBLIC_KEY" // (8)!
}
}
- Network port used to access the backend service.
- Url to a blockchain node REST endpoint.
- Used to communicate with the blockchain. We recommend setting this to the deployed node that is physically closes to you to minimize latency. If you are deploying a node yourself, set the url to the url of the node you deployed.
- Address of the smart contract that stores data catalogs metadata.
- Address of the smart contract that stores user account metadata.
- Address of the smart contract that manages analyses.
- The scaling factor of decimal numbers. Should match across all participating organizations.
- Configuration related to the authentication service.
- Public key of the authentication service.
- Should match the
tokenPublicKey
field of the authentication service configuration.
- Should match the
Configure the Docker Image
In addition, you must configure the backend docker image
by adding the following to your docker-compose.yml
file:
Click to expand: Backend - Example Docker Configuration
services:
confidential-computing-backend:
container_name: cc-backend
image: registry.gitlab.com/secata/confidential-computing/backend/backend:latest
restart: unless-stopped
expose:
- "8031"
volumes:
- /path/to/backend/conf:/conf
- /path/to/backend/logs:/logs
- /path/to/backend/storage:/storage
The exposed port (in this configuration, "8031"") is where other services will communicate with the backend service.
This port should match the port specified in the server.json
configuration file.
The path of the three mapped volumes must correspond to the backend folders created in the storage configuration step.
Deploy the Component
- Open your terminal and navigate to the directory containing your
docker-compose.yml
file. -
Execute the following Docker Compose command to start the backend container:
docker-compose up -d confidential-computing-backend
-
Check the logs of the authentication container to ensure it is running without errors:
docker logs -f cc-backend
5. Data Provider Frontend
The data provider frontend is a web interface to interact with Confidential Computing as a data provider. It allows data providers to:
- Approve analyses for computation
- Upload data for analysis,
- Approve computation results before release to analysts
Populate Configuration File
Fill in the following configuration in the data-provider-frontend/conf/config.js
file created in
the storage configuration step:
var CONFIG = {
serverType: "ORGANIZATION_NAME", // (1)!
runwayUrl: "cc-data-runway:8091", // (2)!
confidentialComputing: { // (3)!
authenticationUrl: "cc-authentication:8061", // (4)!
keyManagementUrl: "cc-key-management:8051", // (5)!
backendUrl: "cc-backend:8051", // (6)!
chainId: "Partisia Confidential Computing",
dataCatalogContract: "DATA_CATALOG_CONTRACT_ADDRESS", // (7)!
analysisContract: "ANALYSIS_CONTRACT_ADDRESS", // (8)!
},
vprTheme: { // (9)!
primaryColor: "#FF6E01", // (10)!
secondaryColor: "#00335F", // (11)!
organizationIcon: "ORGANIZATION_ICON_PATH", // (12)!
windowsTitle: "Confidential Computing Data Owner", // (13)!
},
orgId: ORGANIZATION_ID, // (14)!
};
- The name of your organization.
- The local URL to communicate with the data runway to upload data.
- Configuration specific to the blockchain infrastructure in Confidential Computing.
- The local URL to communicate with the authentication service for users to log in.
- The local URL to communicate with the key management service to sign transactions.
- The local URL to communicate with the backend.
- Address of the smart contract that stores data catalogs metadata.
- Address of the smart contract that manages analyses.
- Theme configuration for the frontend.
- Primary color for the frontend theme.
- Secondary color for the frontend theme.
- Path to the organization logo image.
- It should be a path in the mapped Docker container to the image logo file from the storage step.
- Title to be displayed in the web browser tab.
- Unique ID (integer) assigned to your organization for deployment.
Configure the Docker Image
In addition, you must configure the data provider frontend docker image
by adding the following to your docker-compose.yml
file:
Click here to view: data provider frontend - Example Docker Configuration
services:
confidential-computing-cc-data-provider-frontend:
container_name: cc-data-provider-frontend
image: registry.gitlab.com/secata/confidential-computing/frontend/node:latest
restart: unless-stopped
ports:
- "8084:80"
volumes:
- /path/to/data-provider-frontend/conf:/usr/share/nginx/html/conf
The bound port is where the data provider frontend will be available.
Using the example configuration, it will be available at
http://cc-data-provider-frontend:8084
on the host network.
The path of the mapped volume must correspond to the data provider frontend folder created in the storage step.
Deploy the Component
- Open your terminal and navigate to the directory containing your
docker-compose.yml
file. -
Execute the following Docker Compose command to start the data provider frontend container:
docker-compose up -d confidential-computing-cc-data-provider-frontend
-
Check the logs of the authentication container to ensure it is running without errors:
docker logs -f cc-data-provider-frontend
6. Data Runway
The data runway is the component responsible for encrypting and uploading data to the Blockchain in a secure way.
Populate Configuration File
Fill in the following configuration in the data-runway/conf/server.json
file created in
the storage configuration step:
{
"port": 8091, // (1)!
"temporaryStorageFolderPath": "STORAGE_PATH", // (2)!
"lenientCsvParser": true,
"privateKey": "RUNWAY_PRIVATE_KEY", // (3)!
"blockchainReaderNodeBaseUrl": "BLOCKCHAIN_NODE_REST_URL", // (4)!
"numberOfShards": 0,
"uploadGasAmount": 100000000,
"analysisContractAddress": "ANALYSIS_CONTRACT_ADDRESS", // (5)!
"fixedPointPrecision": 16 // (6)!
}
- REST endpoint to access the data runway.
- Path to the mapped storage folder inside the docker container.
- ECDSA private key of the data runway blockchain account, used to sign transactions.
- It should be the key in the
runwayPrivateKey
file from the key generation step.
- It should be the key in the
- REST URL of the closest deployed blockchain node.
- Address of the analysis smart contract.
- The scaling factor of decimal numbers.
- Should match across all participating organizations.
Configure the Docker Image
In addition, you must configure the data runway docker image
by adding the following to your docker-compose.yml
file:
Click to expand: Data Runway - Example Docker Configuration
services:
confidential-computing-runway:
container_name: cc-data-runway
image: registry.gitlab.com/secata/confidential-computing/runway/runway-rest-server:latest
restart: unless-stopped
expose:
- "8091"
volumes:
- /path/to/data-runway/conf:/conf
- /path/to/data-runway/logs:/logs
- /path/to/data-runway/storage:/storage
The exposed port is where data can be uploaded, either manually or through the data owner frontend.
The path of the three mapped volumes must correspond to the data runway folders created in the storage step.
Deploy the Component
- Open your terminal and navigate to the directory containing your
docker-compose.yml
file. -
Execute the following Docker Compose command to start the Authentication Service container:
docker-compose up -d confidential-computing-runway
-
Check the logs of the authentication container to ensure it is running without errors:
docker logs -f cc-data-runway