Using Named Graph for hosting WebID? Profile Document Data

This document details how a RDF Named Graph can be used for storing the WebID Profile Document data directly in the RDF Quad Store rather than in a TTL file.

1. Generate a Software Agent X509 Certificate using OpenLink Data Spaces (ODS) X509 certificate generator. The OpenLink public ODS instance http://id.myopenlink.net/ods , could be used for example or a local ODS instance can be setup.
2. The generated certificate will have a WebID of http://{cname}/dataspace/person/{userid} i.e. http://id.myopenlink.net/dataspace/person/u2990 using the OpenLink public ODS instance for a created userid of u2990. The generated X509 certificate p12 file can be saved to disk or loaded into target OS or Browser Key store as appropriate.
3. The :onBehalfOf relations can then be added as triples to the http://{cname}/dataspace named graph for the ODS instance to force the generation of the required RDF statements for the ODS user i.e. http://id.myopenlink.net/dataspace for the OpenLink public ODS instance for example. Note this named graph is not the WebID? of the created ODS user
4. For example, with a X509 generated ODS certificate with WebID of http://id.myopenlink.net/dataspace/person/u2990#this and a single delegation user of wtd, its required TTL profile document entries would be:
   

   
   ## Profile Document combining credentials of Software Agent and Registered Users ##
   
   ## This document leverages the portability of relative hash-based HTTP URIs as Entity Identifiers ##
   
   @prefix foaf:	<http://xmlns.com/foaf/0.1/> .
   @prefix oplcert: <http://www.openlinksw.com/schemas/cert#> .
   @prefix cert: <http://www.w3.org/ns/auth/cert#>. 
   @prefix acl: <http://www.w3.org/ns/auth/acl#> . 
   @prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
   
   ## Software Agent Credentials ##
   
   <http://id.myopenlink.net/dataspace/person/u2990#this> 
   foaf:name "A Software Agent" ;
   oplcert:onBehalfOf <http://id.myopenlink.net/dataspace/person/u2990#wtd> ;
   cert:key [
                    cert:exponent "65537"^^xsd:integer ;
                    cert:modulus   
   "d515694af35ab5e39219c23271d46746c9c0ccb2e2ddef11f003a3cceb563038da2fb76c2851b86eac83800130bb5b98664fe1b1909535707111bf2f25104b9152b05ea47d750f9ceecae4f625aa0c0bea69ec3771c6fe8ae9a23965e58282f7c5b041dfb640c7562af8cad1a77ee099eabd2dab339ad9f8ed3871b6214e513cc9f8d6a70ecab42d54e9b79f0dc31aa28999af3924bda802e51f7e98dff5f9208e06151b6c6d78bd9af4580011bcfe7743969f418ee5f89c36f7f9a212afc450c36e32a431aa1590c69b720512cc25abb603ad31ed43929cc100a3271319ea9a5a54d926a8013b6b031f2c6909fbb4e7a3d18b536acff10709946e7a2047562"^^xsd:hexBinary
   ] .
   
   ## User Credentials (OnBehalfOf relation participants) ##
   
   <http://id.myopenlink.net/dataspace/person/u2990#wtd>  oplacl:hasIdentityDelegate <http://id.myopenlink.net/dataspace/person/u2990#this> .
   

   
   
   Requiring the following equivalent triple entries be inserted into the http://id.myopenlink.net/dataspace ODS instance named graph:
   
   

   
   insert into <http://id.myopenlink.net/dataspace> { <http://id.myopenlink.net/dataspace/person/u2990#this> <http://www.openlinksw.com/schemas/cert#onBehalfOf> <http://id.myopenlink.net/dataspace/person/u2990#wtd> }
   
   insert into <http://id.myopenlink.net/dataspace> { [] <http://www.w3.org/ns/auth/cert#exponent> 65537 }
   
   insert into <http://id.myopenlink.net/dataspace> { [] <http://www.w3.org/ns/auth/cert#modulus> "d515694af35ab5e39219c23271d46746c9c0ccb2e2ddef11f003a3cceb563038da2fb76c2851b86eac83800130bb5b98664fe1b1909535707111bf2f25104b9152b05ea47d750f9ceecae4f625aa0c0bea69ec3771c6fe8ae9a23965e58282f7c5b041dfb640c7562af8cad1a77ee099eabd2dab339ad9f8ed3871b6214e513cc9f8d6a70ecab42d54e9b79f0dc31aa28999af3924bda802e51f7e98dff5f9208e06151b6c6d78bd9af4580011bcfe7743969f418ee5f89c36f7f9a212afc450c36e32a431aa1590c69b720512cc25abb603ad31ed43929cc100a3271319ea9a5a54d926a8013b6b031f2c6909fbb4e7a3d18b536acff10709946e7a20475621"^^<http://www.w3.org/2001/XMLSchema#hexBinary> }
   
   insert into <http://id.myopenlink.net/dataspace> {<http://id.myopenlink.net/dataspace/person/u2990#wtd> <http://www.openlinksw.com/ontology/acl#hasIdentityDelegate> <http://id.myopenlink.net/dataspace/person/u2990#this> }
   

   
   
5. Then assuming the p12 file was downloaded to a name of u2990_ods_cert.p12 with a password of 1, a WebID+TLS+Delegation connection with isql can be made onBehalfOf the wtd designated delation user, with the command:
   

   
   $ ./isql opllinux6.usnet.private:1113 "" 1 -X u2990_ods_cert.p12 -T ca_list_shop_2016.pem -W http://id.myopenlink.net/dataspace/person/u2990#wtd
   Connected to OpenLink Virtuoso
   Driver: 07.20.3217 OpenLink Virtuoso ODBC Driver
   OpenLink Interactive SQL (Virtuoso), version 07.20.3217.
   Type HELP; for help and EXIT; to exit.
   SQL> sparql SELECT * FROM <OpenPermID-bulk-assetClass-20151111_095807.ttl.gz> WHERE {?s ?p ?o};
   s                                                                                 p                                                                                 o
   LONG VARCHAR                                                                      LONG VARCHAR                                                                      LONG VARCHAR
   _______________________________________________________________________________
   
   #this                                                                             #relatedTo                                                                        #that
   #kingsley                                                                         #knows                                                                            #hugh
   
   2 Rows. -- 95 msec.
   SQL>
   

   
   
6. The VAL debug trace output of the delegation connection request is as follows:
   

   
   DB.DBA.USER_CERT_LOGIN: Checking VAL ACLs for Query scope in SQL realm
   DB.DBA.WEBID_CHECK_DELEGATE: Looking for existence of: <http://id.myopenlink.net/dataspace/person/u2990#this> cert:onBehalfOf <http://id.myopenlink.net/dataspace/person/u2990#wtd> in <http:2A8D08FED2F735F4B178D7789DF26A16>
   DB.DBA.WEBID_CHECK_DELEGATE: Found onBehalfOf relation. Loading profile document http://id.myopenlink.net/dataspace/person/u2990
   DB.DBA.WEBID_CHECK_DELEGATE: Found public key of software agent in delegating user's profile document
   DB.DBA.USER_CERT_LOGIN: Agent/WebID <http://id.myopenlink.net/dataspace/person/u2990#wtd>
   			has SPARQL permissions: read: 1, write: 0, sponge: 0
   DB.DBA.USER_CERT_LOGIN: Setting graph security callback
   

   
   

Related

• Virtuoso WebID+TLS+Delegation Step by Step Configuration Guide
• Virtuoso Server WebID+TLS+Delegation Setup
• Software Agent & WebID Profile Document Creation
• WebID+TLS+Delegation VAL ACL Creation
• WebID+TLS+Delegation ACL Testing