Skip to content

Data Provider

This article provides a guide to deploying the data provider components of Confidential Computing. It details the configuration and deployment of the following components:

Each section outlines the necessary configurations, including database setup, service parameters, and Docker compose examples, ensuring a clear and structured approach to deploying the platform components.

Warning

Before deploying any component make sure you have followed the data provider sections in the getting started guide

1. Database

A PostgreSQL database is required for storage by Authentication and Key Management services.

Write SQL Init Script

If you already have a PostgreSQL database set up, you can skip this step and use your pre-existing database when configuring the rest of the components.

Fill in the database-init.sql file created in the storage configuration step with the following content:

CREATE
DATABASE cc_authentication;
CREATE
DATABASE cc_key_management;

GRANT ALL PRIVILEGES ON DATABASE
cc_authentication TO postgres;
GRANT ALL PRIVILEGES ON DATABASE
cc_key_management TO postgres;

This initialization script creates two separate databases, cc_authentication needed by the authentication service and cc_key_management needed by the key management service.

It then grants the postgres database user all privileges on the created databases.

Configure the Docker Image

In this guide we use the Bitnami PostgreSQL Docker image to deploy the PostgreSQL databases. We use the following example Docker Compose configuration:

Click to expand: Database - Example Docker configuration
services:
  confidential-computing-postgres:
    container_name: cc-postgres
    image: bitnami/postgresql:latest
    restart: unless-stopped
    environment:
      - POSTGRESQL_USERNAME=postgres
      - POSTGRESQL_PASSWORD=postgres
    expose:
      - "5432"
    volumes:
      - /path/to/database/storage:/bitnami/postgresql
      - /path/to/database/init-script:/docker-entrypoint-initdb.d
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
      interval: 2s
      retries: 5
      start_period: 10s
      timeout: 1s

This configuration initializes an empty PostgreSQL database with the user postgres and the password postgres. The two mapped volumes must correspond to the directories created in the storage step. The storage directory is used to persist database data.

Other deployed Docker services on the same Docker network will be able to connect to the database using cc-postgres:5432 as the database host.

Dependent services use a health check to ensure the database is ready before starting, with Docker configured to wait for a healthy database state, as shown in the examples.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.
  2. Execute the following Docker Compose command to start the Authentication Service container:

    docker-compose up -d confidential-computing-postgres
    
  3. Check the logs of the authentication container to ensure it is running without errors:

    docker logs -f cc-postgres
    

2. Authentication

The authentication service is responsible for:

  • Managing user credentials
  • Creating users
  • Authenticating users to the Confidential Computing platform

Populate Configuration File

Fill in the following configuration in the authentication/conf/server.json file created in the storage configuration step:

    {
        "port": 8051, // (1)!
        "database": { // (2)!
            "persistenceUnitName": "model",
            "driver": "org.postgresql.Driver",
            "url": "jdbc:postgresql://cc-postgres:5432/cc_authentication", // (3)!
            "user": "postgres",
            "password": "postgres"
        },
        "keyManager": { // (4)!
            "url": "cc-key-management:8061" // (5)!
        },
        "tokenPrivateKey": "TOKEN_PRIVATE_KEY", // (6)!
        "tokenPublicKey": "TOKEN_PUBLIC_KEY", // (7)!
        "mail": {
            "type": "LOGGER"
        },
        "authentication": {
            "allowedServices": {}
        },
        "resetMail": {
            "from": "Partisia",
            "frontendUrl": "http://unused:1234"
        }
    }
  1. REST endpoint port to access the authentication service.
  2. Configures a hibernate connection for the database where users are stored.
  3. The URL to access the database. Defaults are based on the example database configuration.
  4. Configures access to the key management service, which handles private keys of users in the authentication service.
  5. The local URL to access the key management service.
  6. Private key for communication from the authentication service to the key management service.
  7. Public key for communication from the authentication service to the key management and backend services.

Configure the Docker Image

In addition, you must configure the authentication service docker image by adding the following to your docker-compose.yml file:

Click to expand: Authentication - Example Docker configuration
services:
  confidential-computing-authentication:
    container_name: cc-authentication
    image: registry.gitlab.com/secata/platform/authentication:latest
    restart: unless-stopped
    expose:
      - "8051"
    volumes:
      - /path/to/authentication/conf:/conf
      - /path/to/authentication/logs:/logs
      - /path/to/authentication/storage:/storage
    depends_on:
      confidential-computing-postgres:
      condition: service_healthy

The exposed port (in this configuration, "8051") is where other services will communicate with the key management service. This port should match the port specified in the server.json configuration file.

The path of the three mapped volumes must correspond to the authentication folders created in the storage configuration step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.
  2. Execute the following Docker Compose command to start the Authentication Service container:

    docker-compose up -d confidential-computing-authentication
    
  3. Check the logs of the authentication container to ensure it is running without errors:

    docker logs -f cc-authentication
    

3. Key Management

The key management service manages the secret keys of users created by the authentication service. These secret keys are used to sign the transactions that are sent to the blockchain nodes.

Populate Configuration File

Fill in the following configuration in the key-management/conf/server.json file created in the storage configuration step:

    {
        "port": 8061, // (1)!
        "database": { // (2)!
            "persistenceUnitName": "model",
            "driver": "org.postgresql.Driver",
            "url": "jdbc:postgresql://cc-postgres:5432/cc_key_management", // (3)!
            "user": "postgres",
            "password": "postgres"
        },
        "authentication": { // (4)!
            "allowedServices": {},
            "tokenPublicKey": "TOKEN_PUBLIC_KEY" // (5)!
        }
    }
  1. Network port used to access the key management service.
  2. Configures a hibernate database connection for the database where users are stored.
  3. The URL to access the database. Defaults are based on the example database configuration.
  4. Configures access to the key management service from the authentication service configuration.
  5. Public key of the authentication service.

Configure the Docker Image

In addition, you must configure the key management docker image by adding the following to your docker-compose.yml file:

Click to expand: Key Management - Example Docker Configuration
services:
  confidential-computing-key-management:
    container_name: cc-key-management
    image: registry.gitlab.com/secata/platform/key-management:latest
    restart: unless-stopped
    expose:
      - "8061"
    volumes:
      - /path/to/key-management/conf:/conf
      - /path/to/key-management/logs:/logs
      - /path/to/key-management/storage:/storage
    depends_on:
      confidential-computing-postgres:
        condition: service_healthy

The exposed port (in this configuration, "8061") is where other services will communicate with the authentication service. This port should match the port specified in the server.json configuration file.

The path of the three mapped volumes must correspond to the key management folders created in the storage configuration step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.
  2. Execute the following Docker Compose command to start the key management container:

    docker-compose up -d confidential-computing-key-management
    
  3. Check the logs of the authentication container to ensure it is running without errors:

    docker logs -f cc-key-management
    

4. Backend

The backend service is the link between the data provider frontend and the blockchain. It is responsible for forwarding signed transactions from the frontend to the blockchain, and fetching data from the blockchain smart contract states to present in the frontend.

Populate Configuration File

Fill in the following configuration in the backend/conf/server.json file created in the storage configuration step:

    {
        "port": 8031, // (1)!
        "blockchainUrl": "BLOCKCHAIN_NODE_PUBLIC_URL", // (2)!
        "dataCatalogContract": "DATA_CATALOG_CONTRACT_ADDRESS", // (3)!
        "accountContract": "ACCOUNT_CONTRACT_ADDRESS", // (4)!
        "analysisContract": "ANALYSIS_CONTRACT_ADDRESS", // (5)!
        "fixedPointPrecision": 16, // (6)!
        "authentication": { // (7)!
            "tokenPublicKey": "TOKEN_PUBLIC_KEY" // (8)!
        }
    }
  1. Network port used to access the backend service.
  2. Url to a blockchain node REST endpoint.
    • Used to communicate with the blockchain. We recommend setting this to the deployed node that is physically closes to you to minimize latency. If you are deploying a node yourself, set the url to the url of the node you deployed.
  3. Address of the smart contract that stores data catalogs metadata.
  4. Address of the smart contract that stores user account metadata.
  5. Address of the smart contract that manages analyses.
  6. The scaling factor of decimal numbers. Should match across all participating organizations.
  7. Configuration related to the authentication service.
  8. Public key of the authentication service.

Configure the Docker Image

In addition, you must configure the backend docker image by adding the following to your docker-compose.yml file:

Click to expand: Backend - Example Docker Configuration
services:
  confidential-computing-backend:
    container_name: cc-backend
    image: registry.gitlab.com/secata/confidential-computing/backend/backend:latest
    restart: unless-stopped
    expose:
      - "8031"
    volumes:
      - /path/to/backend/conf:/conf
      - /path/to/backend/logs:/logs
      - /path/to/backend/storage:/storage

The exposed port (in this configuration, "8031"") is where other services will communicate with the backend service. This port should match the port specified in the server.json configuration file.

The path of the three mapped volumes must correspond to the backend folders created in the storage configuration step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.
  2. Execute the following Docker Compose command to start the backend container:

    docker-compose up -d confidential-computing-backend
    
  3. Check the logs of the authentication container to ensure it is running without errors:

    docker logs -f cc-backend
    

5. Data Provider Frontend

The data provider frontend is a web interface to interact with Confidential Computing as a data provider. It allows data providers to:

  • Approve analyses for computation
  • Upload data for analysis,
  • Approve computation results before release to analysts

Populate Configuration File

Fill in the following configuration in the data-provider-frontend/conf/config.js file created in the storage configuration step:

    var CONFIG = {
        serverType: "ORGANIZATION_NAME", // (1)!
        runwayUrl: "cc-data-runway:8091", // (2)!
        confidentialComputing: { // (3)!
            authenticationUrl: "cc-authentication:8061", // (4)!
            keyManagementUrl: "cc-key-management:8051", // (5)!
            backendUrl: "cc-backend:8051", // (6)!
            chainId: "Partisia Confidential Computing",
            dataCatalogContract: "DATA_CATALOG_CONTRACT_ADDRESS", // (7)!
            analysisContract: "ANALYSIS_CONTRACT_ADDRESS", // (8)!
        },
        vprTheme: { // (9)!
            primaryColor: "#FF6E01", // (10)!
            secondaryColor: "#00335F", // (11)!
            organizationIcon: "ORGANIZATION_ICON_PATH", // (12)!
            windowsTitle: "Confidential Computing Data Owner", // (13)!
        },
        orgId: ORGANIZATION_ID, // (14)!
    };
  1. The name of your organization.
  2. The local URL to communicate with the data runway to upload data.
  3. Configuration specific to the blockchain infrastructure in Confidential Computing.
  4. The local URL to communicate with the authentication service for users to log in.
  5. The local URL to communicate with the key management service to sign transactions.
  6. The local URL to communicate with the backend.
  7. Address of the smart contract that stores data catalogs metadata.
  8. Address of the smart contract that manages analyses.
  9. Theme configuration for the frontend.
  10. Primary color for the frontend theme.
  11. Secondary color for the frontend theme.
  12. Path to the organization logo image.
    • It should be a path in the mapped Docker container to the image logo file from the storage step.
  13. Title to be displayed in the web browser tab.
  14. Unique ID (integer) assigned to your organization for deployment.

Configure the Docker Image

In addition, you must configure the data provider frontend docker image by adding the following to your docker-compose.yml file:

Click here to view: data provider frontend - Example Docker Configuration
services:
  confidential-computing-cc-data-provider-frontend:
    container_name: cc-data-provider-frontend
    image: registry.gitlab.com/secata/confidential-computing/frontend/node:latest
    restart: unless-stopped
    ports:
      - "8084:80"
    volumes:
      - /path/to/data-provider-frontend/conf:/usr/share/nginx/html/conf

The bound port is where the data provider frontend will be available. Using the example configuration, it will be available at http://cc-data-provider-frontend:8084 on the host network.

The path of the mapped volume must correspond to the data provider frontend folder created in the storage step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.
  2. Execute the following Docker Compose command to start the data provider frontend container:

    docker-compose up -d confidential-computing-cc-data-provider-frontend
    
  3. Check the logs of the authentication container to ensure it is running without errors:

    docker logs -f cc-data-provider-frontend
    

6. Data Runway

The data runway is the component responsible for encrypting and uploading data to the Blockchain in a secure way.

Populate Configuration File

Fill in the following configuration in the data-runway/conf/server.json file created in the storage configuration step:

    {
        "port": 8091, // (1)!
        "temporaryStorageFolderPath": "STORAGE_PATH", // (2)!
        "lenientCsvParser": true,
        "privateKey": "RUNWAY_PRIVATE_KEY", // (3)!
        "blockchainReaderNodeBaseUrl": "BLOCKCHAIN_NODE_REST_URL", // (4)!
        "numberOfShards": 0,
        "uploadGasAmount": 100000000,
        "analysisContractAddress": "ANALYSIS_CONTRACT_ADDRESS", // (5)!
        "fixedPointPrecision": 16 // (6)!
    }
  1. REST endpoint to access the data runway.
  2. Path to the mapped storage folder inside the docker container.
  3. ECDSA private key of the data runway blockchain account, used to sign transactions.
    • It should be the key in the runwayPrivateKey file from the key generation step.
  4. REST URL of the closest deployed blockchain node.
  5. Address of the analysis smart contract.
  6. The scaling factor of decimal numbers.
    • Should match across all participating organizations.

Configure the Docker Image

In addition, you must configure the data runway docker image by adding the following to your docker-compose.yml file:

Click to expand: Data Runway - Example Docker Configuration
services:
  confidential-computing-runway:
    container_name: cc-data-runway
    image: registry.gitlab.com/secata/confidential-computing/runway/runway-rest-server:latest
    restart: unless-stopped
    expose:
      - "8091"
    volumes:
      - /path/to/data-runway/conf:/conf
      - /path/to/data-runway/logs:/logs
      - /path/to/data-runway/storage:/storage

The exposed port is where data can be uploaded, either manually or through the data owner frontend.

The path of the three mapped volumes must correspond to the data runway folders created in the storage step.

Deploy the Component

  1. Open your terminal and navigate to the directory containing yourdocker-compose.yml file.
  2. Execute the following Docker Compose command to start the Authentication Service container:

    docker-compose up -d confidential-computing-runway
    
  3. Check the logs of the authentication container to ensure it is running without errors:

    docker logs -f cc-data-runway