WebID+TLS+Delegation ACL Testing
A basic
First the Public Key (PEM file) for the Virtuoso self-signed certificate created previously when performing the Virtuoso TLS Setup needs to be downloaded from the dba
user account.
In the Conductor, a download link for each available cryptographic key may be found in the System Admin -> User Accounts -> Users tab:
Once downloaded, the PEM file may be loaded into an Operating System Keystore such that it is automatically available when needed, or passed in the connect string as the server public key (-T
parameter), to provide a full chain of trust for the connection.
Note the public key (PEM file) for the ca_list_shop_2016.pem
) and the Virtuoso PEM file can be combined into a single PEM file, which may then be passed to Virtuoso as part of the TLS connect string.
The isql
command line tool may be used to verify the
C:\Program Files\OpenLink Software\Virtuoso 7.2\database>..\bin\isql 1113 "" 1 -X WebIDTlsDelegation_id_myopenlink_net.p12 -T ca_list_shop_2016.pem -W http://id.myopenlink.net/DAV/home/wtd/YouID/WebIDTlsDelegation_id_myopenlink_net/profile.ttl#wtd Connected to OpenLink Virtuoso Driver: 07.20.3217 OpenLink Virtuoso ODBC Driver OpenLink Interactive SQL (Virtuoso), version 07.20.3217. Type HELP; for help and EXIT; to exit. SQL> sparql SELECT COUNT (*) FROM <OpenPermID-bulk-assetClass-20151111_095807.ttl.gz> WHERE {?s ?p ?o}; callret-0 INTEGER _______________________________________________________________________________ 2 1 Rows. -- 16 msec. SQL> sparql SELECT COUNT (*) FROM <penPermID-bulk-industry-20151111_095806.ttl.gz> WHERE {?s ?p ?o}; callret-0 INTEGER _______________________________________________________________________________ 0 1 Rows. -- 16 msec. SQL> SELECT * FROM sys_users; *** Error 42000: [OpenLink][Virtuoso ODBC Driver][Virtuoso Server]ACL01: Statement is prohibited at line 3 of Top-Level: SELECT * FROM sys_users SQL>
isql
can also be used to verify that connections using another user's -W
parameter) that has not been configured to allow the delegation of connections
C:\Program Files\OpenLink Software\Virtuoso 7.2\database>..\bin\isql 1113 "" 1 -X WebIDTlsDelegation_id_myopenlink_net.p12 -T ca_list_shop_2016.pem -W http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i Connected to OpenLink Virtuoso Driver: 07.20.3217 OpenLink Virtuoso ODBC Driver OpenLink Interactive SQL (Virtuoso), version 07.20.3217. Type HELP; for help and EXIT; to exit. SQL> sparql SELECT COUNT (*) FROM <OpenPermID-bulk-assetClass-20151111_095807.ttl.gz> WHERE {?s ?p ?o}; *** Error 42000: [OpenLink][Virtuoso ODBC Driver][Virtuoso Server]SQ033: SELECT access denied for column G of table DB.DBA.RDF_QUAD, user ID 5 at line 1 of Top-Level: sparql SELECT COUNT (*) FROM <OpenPermID-bulk-assetClass-20151111_095807.ttl.gz> WHERE {?s ?p ?o} SQL>
ODBC Connection
Details on how to configure and make and ODBC Connections can be found at:
Tracing
The VAL Configuration UI, accessible through the Conductor menus and links "System Admin > Packages > VAL Configure", includes a tracing option to debug SQL client connections made using certificates.
When enabled, console trace output similar to that below shows the progress of the login and delegation.
isql localhost:2113 "" 1 -X ./keys/software_agent.p12 -T ./keys/ca_list_shop_2016_with_localhost.pem -W http://id.myopenlink.net/DAV/home/jsmith/youid_profile.ttl#i
DB.DBA.USER_CERT_LOGIN: Checking VAL ACLs for Query scope in SQL realm DB.DBA.WEBID_CHECK_DELEGATE: Looking for existence of: <http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i> cert:onBehalfOf <http://id.myopenlink.net/DAV/home/jsmith/youid_profile.ttl#i> in <http:59FB336FB5FA814F086C2AD38D37D53C> DB.DBA.WEBID_CHECK_DELEGATE: Found onBehalfOf relation. Loading profile document http://id.myopenlink.net/DAV/home/jsmith/youid_profile.ttl DB.DBA.WEBID_CHECK_DELEGATE: Found public key of software agent in delegating user's profile document DB.DBA.USER_CERT_LOGIN: Agent/WebID <http://id.myopenlink.net/DAV/home/jsmith/youid_profile_160420.ttl#i> has SPARQL permissions: read: 1, write: 0, sponge: 0 DB.DBA.USER_CERT_LOGIN: Setting graph security callback