TSS Node Deployment

Currently, the client can deploy the TSS Node on an off-the-shelf server, a server that supports Intel® Software Guard Extensions (Intel® SGX), or an Apple MacBook. For more information, please refer to the “Deployment Methods” section in “TSS Node User Guide.”

This section uses an off-the-shelf server as an example. For more information on the SGX-ready physical server, please refer to the “Environment Preparation: SGX-Ready Server” section in “TSS Node User Guide.”

Environment Preparation

Minimum Requirements:

  • CPU: AMD64 or ARM64, 2 cores, a clock speed of 2.5 GHz

  • Memory: 4G

  • Hard disk: 64G SSD

  • Operating system: Ubuntu Server 20.04 LTS or above

Recommended Settings:

  • CPU: AMD64 or ARM64, 4 cores, a clock speed of 3.0 GHz

  • Memory: 8G

  • Hard disk: 128G SSD

  • Operating system: Ubuntu Server 20.04 LTS or above

Network Requirements:

  • No inbound connections are required

  • When the server is being installed or upgraded:

    • Able to access the apt sources of the system to install all necessary dependencies

    • Able to access the Docker Engine installation files to install the Docker Engine

    • Able to access docker.io registry (the public Docker registry)

    • Able to access the Intel website to download the driver (applicable to an SGX-ready server)

  • When the server is running:

    • Development environment: able to access port 443 of ws.tss.dev.cobo.com

    • Production environment: able to access port 443 of ws.tss.cobo.com

    • Able to access the callback server set up by the client

Access Requirements:

  • An account with sudo access

TSS Node Installation

Please contact Cobo customer support to acquire a version of the TSS Node package that fits your server model and deployment method. The following takes the off-the-shelf server as an example.

cobo-tss-node-generic-<VERSION>.tgz      (TSS Node file)
cobo-tss-node-generic-<VERSION>.tgz.sha256         (hash file)

Before extracting the TSS Node package, compute its SHA256 (256-bit) checksum to verify that the package is valid.

sha256sum cobo-tss-node-generic-<VERSION>.tgz

The computed SHA256 (256-bit) checksum must be identical to the value in the hash file. For example:

$ cat cobo-tss-node-generic-<VERSION>.tgz.sha256 
7e2ba53dfc79458ab30b8e8ce8278e2fd93932e10bb6af725b0beb055965d1f2  cobo-tss-node-generic-<VERSION>.tgz
$ sha256sum cobo-tss-node-generic-<VERSION>.tgz
7e2ba53dfc79458ab30b8e8ce8278e2fd93932e10bb6af725b0beb055965d1f2  cobo-tss-node-generic-<VERSION>.tgz

Once the checksum has been verified, please execute the following command to extract the TSS Node package.

tar -xzf cobo-tss-node-generic-<VERSION>.tgz

The following directory will be shown after you unzip the TSS Node package:

cobo-tss-node-generic
├── configs
│   └── cobo-tss-node-config.yaml.template (default configuration file template)
└── tss-node.sh (startup script)
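
The checksum comparison and extraction steps above can be combined so that a mismatch stops the installation. The function below is an added example, not part of the Cobo package; the name verify_and_extract and the extra check on archive member paths are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the Cobo package: verify the package, then extract.
# Usage: verify_and_extract <package.tgz> [dest_dir]
# Assumes <package.tgz>.sha256 sits beside the package in sha256sum format.
verify_and_extract() {
    local pkg="$1" dest="${2:-.}"
    local sum_file="${pkg}.sha256" expected actual

    [ -f "$pkg" ] || { echo "missing package: $pkg" >&2; return 2; }
    [ -f "$sum_file" ] || { echo "missing hash file: $sum_file" >&2; return 2; }

    # The first field of the hash file is the expected digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sum_file")
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case "$expected" in
        ""|*[!0-9a-f]*) echo "malformed hash file: $sum_file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed hash file: $sum_file" >&2; return 2; }

    actual=$(sha256sum "$pkg" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $pkg" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # Refuse member names that are absolute or contain a '..' component.
    if tar -tzf "$pkg" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path in archive: $pkg" >&2
        return 3
    fi

    mkdir -p "$dest" && tar -xzf "$pkg" -C "$dest"
}

# Run directly: ./verify.sh cobo-tss-node-generic-<VERSION>.tgz
[ "$#" -eq 0 ] || verify_and_extract "$@"
```

A matching digest only shows that the package is the one the hash file describes, so the hash file itself must come from a source you trust.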

Please create a copy of cobo-tss-node-config.yaml.template and rename it as cobo-tss-node-config.yaml. You can then paste the new file under the configs directory. For more information, please refer to the “TSS Node Configuration Method” section in “TSS Node User Guide.”

Unless otherwise specified, all subsequent commands in this user guide should be executed under the root directory of the unzipped TSS Node package (e.g. the cobo-tss-node-generic path).

Please execute the following command to check whether all required dependencies and drivers have been installed. If this is the first time you are installing the TSS Node, the latest container images will also be pulled.

sudo ./tss-node.sh status

Output example:

$ sudo ./tss-node.sh status
[sudo] password for ubuntu:   (ubuntu account password)
Checking docker engine ... OK, version: 20.10.22
Checking container image ... Image not found: coboglobal/tss-node:v0.3.0

Going to pull container image coboglobal/tss-node:v0.3.0 ...

Login Succeeded
v0.3.0: Pulling from coboglobal/tss-node
4e7e0215f4ad: Pull complete
7fd35d9d7f31: Pull complete
86c277e0f34d: Pull complete
4f4fb700ef54: Pull complete
Digest: sha256:9dd6c67522b6f36df61e2a945d6093683fd4c980e5e15d3bcdd661ca8e062578
Status: Downloaded newer image for coboglobal/tss-node:v0.3.0
docker.io/coboglobal/tss-node:v0.3.0
Checking container image ... OK, id: sha256:8ab0c7353f5b62cdff5bdc6d9a436f0d99079d404b080aa6a61f594fe6446ba8

Checking TSS-node daemon ... not running

Please use './tss-node.sh start' to start the daemon.
Please use './tss-node.sh init' if the tss-node is not initialized yet.

By now, all dependencies are deemed as having been successfully configured and the TSS Node is ready for initialization.

TSS Node Initialization

Please execute the following command:

sudo ./tss-node.sh init

Output example:


$ sudo ./tss-node.sh init
[sudo] password for ubuntu:  (ubuntu account password)
Type password (at least 8 characters):  (enter password)
Retype password:  (re-enter password)
INFO[2023-01-13T05:12:04Z] Initialize database: db/secrets.db
INFO[2023-01-13T05:12:04Z] Initialize Node ID: cobo73VA6C6WvofPg8tWYmqvdUF1cPYhd7EmGUxTexz5HCzYe
INFO[2023-01-13T05:12:04Z] Generate callback public key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAomg0FRc8qm/vdNnjBDBv
DzKK7cZeeoRFAw2xcuaKWyCRHazERYAmICWG+q6dGZ8eS0C8AUqeqf23LlY3gDtr
KSkCvW/r78nkDgg+LH3rK3S0wdOfNFO21D3d3iKlOf6tLVvywfLsza7zwCx5dIKg
v+Z8ZEsy0/Qo4chS6OYAQntu8CYitzdVoDdm0pXxBFy4woKy7nkJZEMhAe/8nXDQ
Y6Xk1s3U/NT+q/zP3/3PVzu4ALnAEAA5jLV20cAiEPyrN0vZGPP4/rgpEfOlDEVp
jSGfW+Tui7RhmLZQhq9iQyaZlXCojbTuZJkjwjCGsd/T3UjT4FR3Kiofsf3i4RVR
TQIDAQAB
-----END PUBLIC KEY-----
INFO[2023-01-13T05:12:04Z] Start to initialize TSS parameters; the process may take several minutes
INFO[2023-01-13T05:12:11Z] Complete initialization of TSS parameters
INFO[2023-01-13T05:12:11Z] Complete initialization of TSS Node keys and data

  • During TSS Node initialization, the system will check whether Docker Engine has been successfully installed and build the container image; you'll be prompted to approve the auto installation of Docker Engine

  • You'll need to set a password to encrypt the secrets generated during TSS Node initialization. The disaster recovery process is required if you lose access to the password or need to modify it. We recommend setting a complex password of 16-32 characters using a password manager (e.g. 1Password) and storing the password on a secure device

The Node ID will be generated automatically (e.g. cobo73VA6C6WvofPg8tWYmqvdUF1cPYhd7EmGUxTexz5HCzYe) and serve as the unique identifier of the TSS Node. This Node ID will be used when you configure the TSS Node on Cobo Custody Web.

TSS Node Startup

Please execute the following command:

sudo ./tss-node.sh start

Output example:

$ sudo ./tss-node.sh start
Container started: 4d33d31066279927bd0f9e283aa60454ac02a040a6f49e684ee372321bd41065
Wait a few seconds ..
Enter TSS Node password: (enter password)
cobo-tss-node
Version: v0.3.0
Build mode: prod
Git commit: 45431a4b3d4ad8ddf4a52aab619f41353310f0ba
Build time: 20230112T111204

INFO[2023-01-13T05:13:32Z] Waiting for password input on HTTP endpoint.
Embedded Risk Control Rule:
|__ Enable: false
INFO[2023-01-13T05:15:09Z] TSS Node ID: cobo73VA6C6WvofPg8tWYmqvdUF1cPYhd7EmGUxTexz5HCzYe
INFO[2023-01-13T05:15:09Z] WebSocket connecting to wss://ws.tss.dev.cobo.com/ws
INFO[2023-01-13T05:15:10Z] Start to register service

Note:

If the TSS Node has not been configured on Cobo Custody Web, the TSS Node startup status will be returned as "failed." You may, however, proceed with the subsequent steps first.

Once you have successfully configured the TSS Node on Cobo Custody Web, the startup status will be updated to the following:

INFO[2022-11-18T10:13:38+08:00] TSS Node registration accepted

You can press Ctrl+C to exit, and the TSS Node will continue to run in the background.

To check the TSS Node status, please execute the following command:

sudo ./tss-node.sh status

To view container logs, please execute the following command:

sudo ./tss-node.sh log

You can press Ctrl+C to exit, and the TSS Node will continue to run in the background.

To stop the TSS Node, please execute the following command:

sudo ./tss-node.sh stop

TSS Node on Cobo Custody Web & MPC Root Extended Public Key Derivation

To configure/add the TSS Node on Cobo Custody Web, please refer to the following steps:

  • The client who has been granted the admin right can log in to Cobo Custody Web

  • Head to "MPC TSS Node" under "Settings" to add the TSS Node; the TSS Nodes managed by the other two parties must be kept online during this process

  • All three parties must jointly generate three MPC key shares, which will be stored locally in a distributed manner

  • The MPC root extended public key will also be generated, which can be used to derive all wallet addresses under this MPC wallet via BIP 32

MPC Key Share Management

The successfully generated MPC key shares will be encrypted and stored locally in the database file of the TSS Node package. The default path is db/secrets.db.

We recommend backing up both the database file and the password you used to encrypt it when initializing the TSS Node. The two backups should be stored on separate devices. For more information, please refer to “MPC Key Share User Guide.”

TSS Node Callback Mechanism

You can set up a callback mechanism for the TSS Node. Once the callback mechanism is successfully enabled, the TSS Node will send a request to the callback server upon receiving a task from the Cobo Custody backend. The TSS Node will execute the task only if it is approved by the callback server. For more information on TSS Node, please refer to “TSS Node User Guide.”
