About: VirtWTDACLTesting

An Entity of Type : atom:Entry, within Data Space : vos.openlinksw.com associated with source document(s)

Attributes    Values
type
Date Created
Date Modified
label
  • VirtWTDACLTesting
maker
Title
  • VirtWTDACLTesting
isDescribedUsing
has creator
attachment
  • http://vos.openlinksw.com:80/wiki/main/VOS/VirtWTDACLTesting/trace_sql_cert_logins.png
  • http://vos.openlinksw.com:80/wiki/main/VOS/VirtWTDACLTesting/VirtWTDACLTesting-01.png
content
  • %META:TOPICPARENT{name="VirtWTDStepByStepConfigGuide"}%

---+ WebID+TLS+Delegation ACL Testing

A basic WebID+TLS+Delegation connection can now be made as detailed below.

First, download the public key (PEM file) for the Virtuoso self-signed certificate, created previously when performing the [[VirtWTDServerSetup][Virtuoso TLS Setup]], from the dba user account. In the Conductor, a download link for each available cryptographic key may be found in the System Admin -> User Accounts -> Users tab.

Once downloaded, the PEM file may be loaded into an Operating System Keystore so that it is automatically available when needed, or passed in the connect string as the server public key (-T parameter), to provide a full chain of trust for the connection.

Note that the public key (PEM file) for the YouID generated certificate (e.g., [[https://download3.openlinksw.com/certificates/ca_list_shop_2016.pem][ca_list_shop_2016.pem]]) and the Virtuoso PEM file can be combined into a single PEM file, which may then be passed to Virtuoso as part of the TLS connect string.

The isql command line tool may be used to verify the WebID+TLS+Delegation connection, as shown below:

<verbatim>
C:\Program Files\OpenLink Software\Virtuoso 7.2\database>..\bin\isql 1113 "" 1 -X WebIDTlsDelegation_id_myopenlink_net.p12 -T ca_list_shop_2016.pem -W http://id.myopenlink.net/DAV/home/wtd/YouID/WebIDTlsDelegation_id_myopenlink_net/profile.ttl#wtd
Connected to OpenLink Virtuoso
Driver: 07.20.3217 OpenLink Virtuoso ODBC Driver
OpenLink Interactive SQL (Virtuoso), version 07.20.3217.
Type HELP; for help and EXIT; to exit.
SQL> sparql SELECT COUNT (*) FROM WHERE {?s ?p ?o};
callret-0
INTEGER
_______________________________________________________________________________
2

1 Rows. -- 16 msec.
SQL> sparql SELECT COUNT (*) FROM WHERE {?s ?p ?o};
callret-0
INTEGER
_______________________________________________________________________________
0

1 Rows. -- 16 msec.
SQL> SELECT * FROM sys_users;

*** Error 42000: [OpenLink][Virtuoso ODBC Driver][Virtuoso Server]ACL01: Statement is prohibited
at line 3 of Top-Level:
SELECT * FROM sys_users
SQL>
</verbatim>

isql can also be used to verify that a connection using another user's WebID profile document (-W parameter), one that has not been configured to allow the delegation of connections OnBehalfOf the software agent, cannot execute SPARQL queries:

<verbatim>
C:\Program Files\OpenLink Software\Virtuoso 7.2\database>..\bin\isql 1113 "" 1 -X WebIDTlsDelegation_id_myopenlink_net.p12 -T ca_list_shop_2016.pem -W http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i
Connected to OpenLink Virtuoso
Driver: 07.20.3217 OpenLink Virtuoso ODBC Driver
OpenLink Interactive SQL (Virtuoso), version 07.20.3217.
Type HELP; for help and EXIT; to exit.
SQL> sparql SELECT COUNT (*) FROM WHERE {?s ?p ?o};

*** Error 42000: [OpenLink][Virtuoso ODBC Driver][Virtuoso Server]SQ033: SELECT access denied for column G of table DB.DBA.RDF_QUAD, user ID 5
at line 1 of Top-Level:
sparql SELECT COUNT (*) FROM WHERE {?s ?p ?o}
SQL>
</verbatim>

---++ ODBC Connection

Details on how to configure and make ODBC connections can be found at:

   * [[http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/WebIDTLSDelegationWhatWhyHow#ODBC%20Connection][ODBC DSN Configuration]]
   * [[http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/WebIDTLSDelegationWhatWhyHow#ODBC%20CPPDemo%20Interactive%20SQL%20Application][CPPDemo Sample Application]]

---++Tracing

The VAL Configuration UI, accessible through the Conductor menus and links "System Admin > Packages > VAL Configure", includes a tracing option to debug SQL client connections made using certificates. When enabled, console trace output similar to that below shows the progress of the login and delegation.

<verbatim>
isql localhost:2113 "" 1 -X ./keys/software_agent.p12 -T ./keys/ca_list_shop_2016_with_localhost.pem -W http://id.myopenlink.net/DAV/home/jsmith/youid_profile.ttl#i

DB.DBA.USER_CERT_LOGIN: Checking VAL ACLs for Query scope in SQL realm
DB.DBA.WEBID_CHECK_DELEGATE: Looking for existence of: cert:onBehalfOf in
DB.DBA.WEBID_CHECK_DELEGATE: Found onBehalfOf relation. Loading profile document http://id.myopenlink.net/DAV/home/jsmith/youid_profile.ttl
DB.DBA.WEBID_CHECK_DELEGATE: Found public key of software agent in delegating user's profile document
DB.DBA.USER_CERT_LOGIN: Agent/WebID has SPARQL permissions: read: 1, write: 0, sponge: 0
DB.DBA.USER_CERT_LOGIN: Setting graph security callback
</verbatim>

---++Troubleshooting

   * If, when making a SQL connection with the VAL Trace certificate based SQL client logins option enabled, the error "DB.DBA.USER_CERT_LOGIN: Agent/WebID has no SPARQL permissions - Reverting to normal non-VAL authentication" is followed by the error "DB.DBA.WEBID_CHECK_AUTH: WebID certificate-based authentication unsuccessful. Trying fingerprint authentication and other identity claims", then the URIQA DefaultHost setting in the INI file (virtuoso.ini) does not match the {URIQA-DefaultHost-INI-file-setting} in the ACL script, as detailed in the [[VirtWTDVALACLCreation][WebID+TLS+Delegation VAL ACL Creation]] documentation, and needs to be corrected. See this example of complete trace output:

<verbatim>
DB.DBA.WEBID_CHECK_AUTH: Extracting all WebID URIs from the X.509 certificate
DB.DBA.WEBID_CHECK_AUTH: Checking WebID
DB.DBA.WEBID_CHECK_AUTH: Loading WebID profile document
DB.DBA.WEBID_CHECK_DELEGATE: Looking for existence of: cert:onBehalfOf in
DB.DBA.WEBID_CHECK_DELEGATE: Found onBehalfOf relation. Loading profile document http://id.myopenlink.net/DAV/home/hugh/YouID/WTD_id_myopenlink_net_hugh/facebook.ttl
DB.DBA.WEBID_CHECK_DELEGATE: Found public key of software agent in delegating user's profile document
DB.DBA.WEBID_CHECK_AUTH: Returning WebID
DB.DBA.USER_CERT_LOGIN: Agent/WebID has no SPARQL permissions - Reverting to normal non-VAL authentication
DB.DBA.WEBID_CHECK_AUTH: Extracting all WebID URIs from the X.509 certificate
DB.DBA.WEBID_CHECK_AUTH: Checking WebID
DB.DBA.WEBID_CHECK_AUTH: Loading WebID profile document
DB.DBA.WEBID_CHECK_DELEGATE: Looking for existence of: cert:onBehalfOf in
DB.DBA.WEBID_CHECK_DELEGATE: Found onBehalfOf relation. Loading profile document http://id.myopenlink.net/DAV/home/hugh/YouID/WTD_id_myopenlink_net_hugh/facebook.ttl
DB.DBA.WEBID_CHECK_DELEGATE: Found public key of software agent in delegating user's profile document
DB.DBA.WEBID_CHECK_AUTH: WebID certificate-based authentication unsuccessful. Trying fingerprint authentication and other identity claims
DB.DBA.WEBID_CHECK_AUTH: Returning WebID )
DB.DBA.USER_CERT_LOGIN: After FOAF_SSL_LOGIN: user_name: (NULL), rc: 0
</verbatim>

---+++Related

   * [[VirtWTDSoftwareAgentDocCreation][Virtuoso WebID+TLS+Delegation Step by Step Configuration Guide]]
   * [[VirtWTDServerSetup][Virtuoso Server WebID+TLS+Delegation Setup]]
   * [[VirtWTDSoftwareAgentDocCreation][Software Agent & WebID Profile Document Creation]]
   * [[VirtWTDVALACLCreation][WebID+TLS+Delegation VAL ACL Creation]]
   * [[VirtWTDWebIdProfileDocInNamedGraph][Using Named Graph for hosting WebID Profile Document Data]]
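
The trace output described in the Tracing and troubleshooting text above can be triaged mechanically when reviewing many logins. The Python below is an added example, not part of the original page or of Virtuoso: `summarize_trace`, its verdict names and the sample traces are constructed here, modelled on the trace line formats shown on this page, and the "no-delegation" verdict rests on an assumption noted in the code.

```python
import re

# Constructed trace samples modelled on the line formats shown on this page;
# the example.org profile URL is a placeholder.
TRACE_OK = """\
DB.DBA.USER_CERT_LOGIN: Checking VAL ACLs for Query scope in SQL realm
DB.DBA.WEBID_CHECK_DELEGATE: Looking for existence of: cert:onBehalfOf in
DB.DBA.WEBID_CHECK_DELEGATE: Found onBehalfOf relation. Loading profile document http://example.org/jsmith/profile.ttl
DB.DBA.WEBID_CHECK_DELEGATE: Found public key of software agent in delegating user's profile document
DB.DBA.USER_CERT_LOGIN: Agent/WebID has SPARQL permissions: read: 1, write: 0, sponge: 0
DB.DBA.USER_CERT_LOGIN: Setting graph security callback
"""
TRACE_NO_ACL = TRACE_OK.replace(
    "has SPARQL permissions: read: 1, write: 0, sponge: 0",
    "has no SPARQL permissions - Reverting to normal non-VAL authentication")

PERMS = re.compile(r"has SPARQL permissions: read: (\d+), write: (\d+), sponge: (\d+)")

def summarize_trace(text):
    """Reduce VAL certificate-login trace output to a single verdict."""
    s = {"checked": False, "delegation": False, "agent_key": False,
         "perms": None, "fallback": False}
    for line in text.splitlines():
        proc, sep, msg = line.strip().partition(": ")
        if not sep or not proc.startswith("DB.DBA."):
            continue  # skip anything that is not a trace line
        if "Looking for existence of: cert:onBehalfOf" in msg:
            s["checked"] = True
        elif "Found onBehalfOf relation" in msg:
            s["delegation"] = True
        elif "Found public key of software agent" in msg:
            s["agent_key"] = True
        elif "has no SPARQL permissions" in msg:
            s["fallback"] = True
        elif m := PERMS.search(msg):
            s["perms"] = dict(zip(("read", "write", "sponge"), map(int, m.groups())))
    if s["perms"] is not None:
        s["verdict"] = "granted"
    elif s["delegation"] and s["agent_key"] and s["fallback"]:
        # Delegation verified, yet no ACL matched: the troubleshooting case
        # above (URIQA DefaultHost in virtuoso.ini vs. the ACL script).
        s["verdict"] = "acl-mismatch"
    elif s["checked"] and not s["delegation"]:
        # Assumption: a lookup with no "Found onBehalfOf relation" line
        # means the profile document does not delegate to this agent.
        s["verdict"] = "no-delegation"
    else:
        s["verdict"] = "unknown"
    return s
```

A "granted" verdict with `write` or `sponge` set to 1 is worth a second look when the ACL was meant to be read-only.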
id
  • 273b3b212110931b7a44b4923b17b7fa
link
has container
http://rdfs.org/si...ices#has_services
atom:title
  • VirtWTDACLTesting
links to
atom:source
atom:author
atom:published
  • 2018-04-13T12:09:29Z
atom:updated
  • 2019-07-11T06:59:01Z
topic
is made of
is container of of
is link of
is http://rdfs.org/si...vices#services_of of
is links to of
is creator of of
is atom:entry of
is atom:contains of
Data on this page belongs to its respective rights holders.
Virtuoso Faceted Browser Copyright © 2009-2025 OpenLink Software