Using Named Graph for hosting WebID Profile Document Data This document details how a RDF Named Graph can be used for storing the WebID Profile Document data directly in the RDF Quad Store rather than in a TTL file. Generate a Software Agent X509 Certificate using OpenLink Data Spaces (ODS) X509 certificate generator. The OpenLink public ODS instance http://id.myopenlink.net/ods , could be used for example or a local ODS instance can be setup. The generated certificate will have a WebID of http://{cname}/dataspace/person/{userid} i.e. http://id.myopenlink.net/dataspace/person/u2990 using the OpenLink public ODS instance for a created userid of u2990. The generated X509 certificate p12 file can be saved to disk or loaded into target OS or Browser Key store as appropriate. The :onBehalfOf relations can then be added as triples to the http://{cname}/dataspace named graph for the ODS instance to force the generation of the required RDF statements for the ODS user i.e. http://id.myopenlink.net/dataspace for the OpenLink public ODS instance for example. Note this named graph is not the WebID of the created ODS user For example, with a X509 generated ODS certificate with WebID of http://id.myopenlink.net/dataspace/person/u2990#this and a single delegation user of wtd, its required TTL profile document entries would be: ## Profile Document combining credentials of Software Agent and Registered Users ## ## This document leverages the portability of relative hash-based HTTP URIs as Entity Identifiers ## @prefix foaf: <http://xmlns.com/foaf/0.1/> . @prefix oplcert: <http://www.openlinksw.com/schemas/cert#> . @prefix cert: <http://www.w3.org/ns/auth/cert#>. @prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix oplacl: <http://www.openlinksw.com/ontology/acl#> ## Software Agent Credentials ## <http://id.myopenlink.net/dataspace/person/u2990#this> foaf:name "A Software Agent" ; oplcert:onBehalfOf <http://id.myopenlink.net/dataspace/person/u2990#wtd> ; cert:key [ cert:exponent "65537"^^xsd:integer ; cert:modulus "d515694af35ab5e39219c23271d46746c9c0ccb2e2ddef11f003a3cceb563038da2fb76c2851b86eac83800130bb5b98664fe1b1909535707111bf2f25104b9152b05ea47d750f9ceecae4f625aa0c0bea69ec3771c6fe8ae9a23965e58282f7c5b041dfb640c7562af8cad1a77ee099eabd2dab339ad9f8ed3871b6214e513cc9f8d6a70ecab42d54e9b79f0dc31aa28999af3924bda802e51f7e98dff5f9208e06151b6c6d78bd9af4580011bcfe7743969f418ee5f89c36f7f9a212afc450c36e32a431aa1590c69b720512cc25abb603ad31ed43929cc100a3271319ea9a5a54d926a8013b6b031f2c6909fbb4e7a3d18b536acff10709946e7a2047562"^^xsd:hexBinary ] . ## User Credentials (OnBehalfOf relation participants) ## <http://id.myopenlink.net/dataspace/person/u2990#wtd> oplacl:hasIdentityDelegate <http://id.myopenlink.net/dataspace/person/u2990#this> . Requiring the following equivalent triple entries be inserted into the http://id.myopenlink.net/dataspace ODS instance named graph: insert into <http://id.myopenlink.net/dataspace> { <http://id.myopenlink.net/dataspace/person/u2990#this> <http://www.openlinksw.com/schemas/cert#onBehalfOf> <http://id.myopenlink.net/dataspace/person/u2990#wtd> } insert into <http://id.myopenlink.net/dataspace> { [] <http://www.w3.org/ns/auth/cert#exponent> 65537 } insert into <http://id.myopenlink.net/dataspace> { [] <http://www.w3.org/ns/auth/cert#modulus> "d515694af35ab5e39219c23271d46746c9c0ccb2e2ddef11f003a3cceb563038da2fb76c2851b86eac83800130bb5b98664fe1b1909535707111bf2f25104b9152b05ea47d750f9ceecae4f625aa0c0bea69ec3771c6fe8ae9a23965e58282f7c5b041dfb640c7562af8cad1a77ee099eabd2dab339ad9f8ed3871b6214e513cc9f8d6a70ecab42d54e9b79f0dc31aa28999af3924bda802e51f7e98dff5f9208e06151b6c6d78bd9af4580011bcfe7743969f418ee5f89c36f7f9a212afc450c36e32a431aa1590c69b720512cc25abb603ad31ed43929cc100a3271319ea9a5a54d926a8013b6b031f2c6909fbb4e7a3d18b536acff10709946e7a20475621"^^<http://www.w3.org/2001/XMLSchema#hexBinary> } insert into <http://id.myopenlink.net/dataspace> {<http://id.myopenlink.net/dataspace/person/u2990#wtd> <http://www.openlinksw.com/ontology/acl#hasIdentityDelegate> <http://id.myopenlink.net/dataspace/person/u2990#this> } Then assuming the p12 file was downloaded to a name of u2990_ods_cert.p12 with a password of 1, a WebID+TLS+Delegation connection with isql can be made onBehalfOf the wtd designated delation user, with the command: $ ./isql opllinux6.usnet.private:1113 "" 1 -X u2990_ods_cert.p12 -T ca_list_shop_2016.pem -W http://id.myopenlink.net/dataspace/person/u2990#wtd Connected to OpenLink Virtuoso Driver: 07.20.3217 OpenLink Virtuoso ODBC Driver OpenLink Interactive SQL (Virtuoso), version 07.20.3217. Type HELP; for help and EXIT; to exit. SQL> sparql SELECT * FROM <OpenPermID-bulk-assetClass-20151111_095807.ttl.gz> WHERE {?s ?p ?o}; s p o LONG VARCHAR LONG VARCHAR LONG VARCHAR _______________________________________________________________________________ #this #relatedTo #that #kingsley #knows #hugh 2 Rows. -- 95 msec. SQL> The VAL debug trace output of the delegation connection request is as follows: DB.DBA.USER_CERT_LOGIN: Checking VAL ACLs for Query scope in SQL realm DB.DBA.WEBID_CHECK_DELEGATE: Looking for existence of: <http://id.myopenlink.net/dataspace/person/u2990#this> cert:onBehalfOf <http://id.myopenlink.net/dataspace/person/u2990#wtd> in <http:2A8D08FED2F735F4B178D7789DF26A16> DB.DBA.WEBID_CHECK_DELEGATE: Found onBehalfOf relation. Loading profile document http://id.myopenlink.net/dataspace/person/u2990 DB.DBA.WEBID_CHECK_DELEGATE: Found public key of software agent in delegating user's profile document DB.DBA.USER_CERT_LOGIN: Agent/WebID <http://id.myopenlink.net/dataspace/person/u2990#wtd> has SPARQL permissions: read: 1, write: 0, sponge: 0 DB.DBA.USER_CERT_LOGIN: Setting graph security callback Related Virtuoso WebID+TLS+Delegation Step by Step Configuration Guide Virtuoso Server WebID+TLS+Delegation Setup Software Agent & WebID Profile Document Creation WebID+TLS+Delegation VAL ACL Creation WebID+TLS+Delegation ACL Testing