content
| - %META:TOPICPARENT{name="VOSIndex"}%
---+ Enhancing Virtuoso ODBC Data Access with the WebID Protocol
SQL-oriented connectivity to back-end databases is increasingly challenged by identity fidelity matters, which arise from the combination of user roles and privileges, data access tools, and connection origins. Basically, it's no longer adequate to frame user profiles solely by local data.
To address this problem, it's imperative that database access may be constrained by an identity mechanism that blends web-of-trust logic and existing transport protocols into a policy-based data-access matrix. Basically, this is what the WebID protocol delivers; hence, the deep integration of this capability in Virtuoso.
Virtuoso's SQL-channel connection security, over all data access mechanisms (ODBC, JDBC, ADO.NET, OLE DB, and XMLA), has been significantly enhanced by its implementation of the WebID Protocol, supporting TLS-based SQL session logins. Basically, WebIDs (verifiable identities) can be associated with database user accounts in the SQL/RDB realm, en route to creating powerful identity-oriented trust graphs, that can then drive sophisticated data access policies.
Exploiting the combined powers of Virtuoso and the WebID Protocol simply requires configuring Virtuoso's SQL listener to only accept SSL/TLS connections.
%TOC%
---++ How It's Done
A Virtuoso instance is configured to operate in SSL/TLS mode (either client-only or mutual authentication) by setting the
X509ClientVerify value in the database server configuration (INI ) file:
* 0 - Do not require SSL/TLS (default).
* 1 - Require trusted certificate.
* 2 - Request certificate; if provided, accept only if verified/trusted; traditional login is also acceptable.
* 3 - Request certificate; if provided, accept any certificate, including self-signed; traditional login is also acceptable.
---+++ Virtuoso INI Configuration
A typical INI file would contain the following:
[Parameters]
...
SSLServerPort = 1113
;PEM file holding a Public Key:
SSLCertificate = keys/server.crt
;PEM file holding Private Key associated with Public Key above:
SSLPrivateKey = keys/server.key
X509ClientVerify = 3
...
OR
;Public Key imported into Virtuoso's Native Key Store via PKCS#12 file import:
SSLCertificate ? ?= db:server_key
;Private Key imported into Virtuoso's Native Key Store via PKCS#12 file import:
SSLPrivateKey ? ? = db:server_key
Also note that on Windows, Virtuoso can be associated with the operating systems native keystore with regards to Public and Private Key access.
Presuming this instance were running on demo.example.com , a basic iSQL client could connect with this command:
isql demo.example.com:1113 "" -X client.p12 -T server.crt
Note: The client certificate file, client.p12 , contains a WebID which has been associated with a SQL-realm user account.
---++ Step-By-Step Example
---+++ Prerequisites
1. Packages: The following packages should be installed:
* [[http://s3.amazonaws.com/opldownload/uda/vad-packages/6.1/virtuoso/ods_framework_dav.vad][ods_framework_dav.vad]]
* [[http://s3.amazonaws.com/opldownload/uda/vad-packages/6.1/virtuoso/conductor_dav.vad][conductor_dav.vad]]
* [[http://s3.amazonaws.com/opldownload/uda/vad-packages/6.1/virtuoso/rdf_mappers_dav.vad][rdf_mappers_dav.vad]]
* [[http://s3.amazonaws.com/opldownload/uda/vad-packages/6.1/virtuoso/certgen_html_dav.vad][certgen_html_dav.vad]]
* Note: You can also use our [[http://id.myopenlink.net/certgen/][online Certificate Generator]]
1 Server version: Virtuoso server should have version 06.03.3131 or higher.
1 Personal WebID: you can create such following [[http://ods.openlinksw.com/wiki/ODS/GetAPersonalURIIn5MinutesOrLess][these steps]].
* Note: In the example we will use the following WebID for user "demo", as registered on the [[http://id.myopenlink.net/ods][ID.MyOpenLink]] Dataspace instance:
http://id.myopenlink.net/dataspace/person/demo#this
---+++ Basic Steps
---++++ 1 - Set up local CA certificate
1 Make sure using your local Virtuoso Instance Conductor ( for ex. accessible from http://example.com/conductor) you had set up a local CA certificate with name "id_rsa". [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSetupSSLVirtuoso#Generating%20CA-Authority%20Certificate%20%28%20.p12%20or%20.pfx%20%29][See example scenario]]
%BR%%BR%%BR%%BR%
---++++ 2 - Export the id_rsa certificate pem content
1 Execute from isql:
SQL> SELECT xenc_pem_export ('id_rsa');
%BR%%BR%%BR%%BR%
1 Copy the extracted content to a file for ex. with name "rca.pem".
---++++ 3 - Create Certificate from type Server/TLS
1 Go to http://cname/certgen/
%BR%%BR% src="%ATTACHURLPATH%/wod1.png" />%BR%%BR%
1 Enter "E-mail" for ex. "dba@example.com:
%BR%%BR%%BR%%BR%
1 Click "Skip lookup":
%BR%%BR%%BR%%BR%
1 In the presented "Certificate details" form:
* Enter "Name" for ex. "ODBC";
* Enter "Organization" for ex. "Example Inc.";
* Select "HTTP/TLS Server Identity" radio-box:
%BR%%BR%%BR%%BR%
1 Click "Next"
%BR%%BR%%BR%%BR%
1 In the presented "Signer Certificate" form leave the "Issuer" default value "Local CA" and click "Generate":
%BR%%BR%%BR%%BR%
1 Next in the "Format and Store" form enter password for the certificate and click "Download".
1 The "ODBC.p12" file should be stored in your local file system.
---++++ 4 - Load the generated "ODBC.p12" for "dba" account
1 Go to Conductor -> System Admin -> User Accounts -> "dba" -> Action "Edit":
%BR%%BR%%BR%%BR%
%BR%%BR%%BR%%BR%
1 Enter "Key Name": dbms, the key password and click "Choose File" to select the "ODBC.p12" certificate
%BR%%BR%%BR%%BR%
1 Click "Import Key".
1 On a successful import the dbms key should be presented in the "Cryptographic Keys" list:
%BR%%BR%%BR%%BR%
1 Click "Save".
---++++ 5 - Virtuoso INI Configuration
1 Configure your Virtuoso ini by editing the following lines to the Parameters section:
* Note: Alternatively you can save the public and private keys to PKCS#12 (.p12) file and then use this file from your file system via an INI file reference. However, in this mode, you will have to deal with a password challenge thus you have to start with -f option in order to provide a password to open the key.
...
[Parameters]
SSLServerPort = 1113
SSLCertificate = db:dbms
SSLPrivateKey = db:dbms
X509ClientVerify = 3
X509ClientVerifyDepth = 15
...
1 Restart the Virtuoso server.
---++++ 6 - Generate X.509 Certificate hosted Web ID
1 Go to http://cname/certgen/
%BR%%BR% src="%ATTACHURLPATH%/wod1.png" />%BR%%BR%
1 In the presented form:
* Enter "E-mail" for ex.: "demo@example.com"
* Enter "WebID" for ex.: "http://id.myopenlink.net/dataspace/person/demo#this"
%BR%%BR%%BR%%BR%
1 Click "Skip lookup":
%BR%%BR%%BR%%BR%
1 In the "Certificate details" form:
* Enter "Name" for ex. "Demo";
* Enter "Organization" for ex. "Example Inc.";
* Leave the select "WebID & S/MIME (email) Identity" radio-box. Another variant is also valid to select the "WebID Identity" radio-box.
%BR%%BR%%BR%%BR%
1 Click "Next":
%BR%%BR%%BR%%BR%
1 In the presented "Signer Certificate" form leave the "Issuer" default value "Local CA" and click "Generate":
%BR%%BR%%BR%%BR%
1 Next in the "Format and Store" form enter password for the certificate and leave selected the option "PKCS#12 file bundle".
1 Click "Download".
1 The "Demo.p12" file should be stored in your local file system -> the folder where isql is located.
1 Next select the option "PEM file" and click "Download".
1 The "Demo.pem" file should be stored in your local file system -> the folder where isql is located.
---++++ 7 - Adding the "Demo.pem" certificate to the Web ID owner FOAF file
1 Go to the instance where your user is registered. As in this example we have used user "demo" from the http://id.myopenlink.net/ods as next step we go to it:
%BR%%BR%%BR%%BR%
1 Click "Sign In" and enter user demo credentials:
%BR%%BR%%BR%%BR%
1 Go to Profile Edit -> Security -> X.509 Certificates
%BR%%BR%%BR%%BR%
1 Enter in the "X.509 Certificate" text-area the content of the generated from above "Demo.pem":
%BR%%BR%
%BR%%BR%%BR%
1 Click "Save Certificate".
1 The created certificate should appear in the list of available for this user certificates:
%BR%%BR%%BR%%BR%
---++++ 8 - Setting Web ID to local user from type "SQL/ODBC"
1 Go to http://example.com/conductor:
%BR%%BR% src="%ATTACHURLPATH%/wod18.png" />%BR%%BR%
1 Enter "dba" user credentials and click "Login":
%BR%%BR%%BR%%BR%
1 Go to System Admin -> User Accounts
%BR%%BR%%BR%%BR%
1 For existing user from type "SQL/ODBC" ( or "SQL/ODBC and WebDAV" ) or for a new created user from the same type, edit the user's properties by clicking the "Edit" link. In this example we will use user "demo":
%BR%%BR%
%BR%%BR%%BR%
1 Enter in the "WebID for ODBC/SQL authentication" field the WebID from above, i.e.:
http://id.myopenlink.net/dataspace/person/demo#this
%BR%%BR%%BR%
1 Click "Save".
---++++ 9 - Creating sample table and granting access to it from the "SQL/ODBC" type user
1 Go to Conductor -> Database -> Interactive SQL
%BR%%BR%%BR%
1 Execute the following statements:
DROP TABLE EXAMPLE_DATA;
CREATE TABLE EXAMPLE_DATA
(
"id" INTEGER,
"name" VARCHAR(100),
PRIMARY KEY ("id")
);
INSERT
INTO EXAMPLE_DATA ("id", "name")
VALUES (1, 'John');
INSERT
INTO EXAMPLE_DATA ("id", "name")
VALUES (2, 'Kate');
INSERT
INTO EXAMPLE_DATA ("id", "name")
VALUES (3, 'Simon');
INSERT
INTO EXAMPLE_DATA ("id", "name")
VALUES (4, 'Ann');
SELECT * FROM EXAMPLE_DATA;
%BR%%BR%%BR%
%BR%%BR%%BR%
1 Grant select rights for user "demo":
GRANT SELECT
ON EXAMPLE_DATA
TO demo;
%BR%%BR%%BR%
%BR%%BR%%BR%
---++++ 10 - Configure ODBC DSN using the server public certificate
---+++++ Mac
1 Change respectively in the odbc.ini the following parameters values:
;odbc.ini
...
Encrypt=xx.p12
ServerCert=ss.pem
...
* So for ex. place the generated from above Demo.p12 and rca.pem certificates. Note that the password for the Demo.p12 certificate should be the same as the Virtuoso account ( demo in our example ):
;odbc.ini
...
Encrypt=Demo.p12
ServerCert=rca.pem
1 Open the iODBC Data Source Administrator:
%BR%%BR%%BR%
1 Click "Add".
1 Select Virtuoso (Open Source) driver for ex. and click "Finish"
%BR%%BR%%BR%
1 In the "Generic ODBC Driver Setup" form:
1 Specify "Data Source Name (DSN), for ex. "VirtuosoODBCDatabase";
%BR%%BR%%BR%
---+++++ Windows
1 Go to Start -> Settings -> Control Panel -> Administrative Tools -> Data Source (ODBC) -> System DSN:
%BR%%BR%%BR%
1 Click "Add".
1 Select the Virtuoso (Open Source) driver for ex.:
%BR%%BR%%BR%
1 Click "Finish".
1 In the presented "OpenLink Virtuoso DSN Configuration" Wizard:
1 Enter "Name", for ex: "VirtuosoODBCDatabase";
1 Specify in "Server" your Virtuoso host and SSL port, for ex: "localhost:1113";
1 Hatch "This server requires a secure connection (SSL)":
%BR%%BR%%BR%
1 Click "Next":
%BR%%BR%%BR%
1 In the presented form:
1 Choose for "Authentication method" for ex. "Public Key Authentication Protocol";
1 Hatch "Require the server to authenticate itself with this public key" and select the generated from above rca.pem public key for your Virtuoso Server:
%BR%%BR%%BR%
%BR%%BR%%BR%
1 Hatch "Connect to the Virtuoso Server to obtain default settings for the additional configuration options" and select the generated from above client X 509 Certificate Demo.p12 with pwd 1:
%BR%%BR%%BR%
1 Click "Next":
%BR%%BR%%BR%
1 Click "Finish".
1 The freshly created System DSN should be presented in the list of available DSN-s:
%BR%%BR%%BR%
---++++ 11 - Perform ODBC login with certificate that contains the Web ID from above
---++ Related
* [[VirtSPARQLEndpointProtection][Safeguarding your Virtuoso-hosted SPARQL Endpoint]]
* [[VirtTipsAndTricksGuideSPARQLEndpointProtection][SPARQL Endpoint Protection Methods Collection]]
* [[http://docs.openlinksw.com/virtuoso/][Virtuoso documentation]]
* [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpoint][SPARQL Service Endpoint]]
* [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpointuri][Service Endpoint Security]]
* [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#sparqwebservicetbl][Managing a SPARQL Web Service Endpoint]]
* [[http://docs.openlinksw.com/virtuoso/rdfsparql.html][SPARQL]]
* [[VirtTipsAndTricksGuide][Virtuoso Tips and Tricks Collection]]
* [[VirtSPARQLDET][SPARQL Endpoint DET Configuration Guide]]
* [[VirtSPARQLSecurityWebID][WebID Protocol & SPARQL Endpoint ACLs Tutorial]]
* [[VirtOAuthSPARQL][SPARQL OAuth Tutorial]]
* [[VirtTipsAndTricksGuideSPARQLEndpoints][Securing SPARQL endpoints]]
* [[http://ods.openlinksw.com/wiki/ODS/OdsSPARQLAuth][SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint]]
* [[VirtAuthServerUI][Virtuoso Authentication Server UI]]
* [[VirtSPARQLSSL][Manage a SPARQL-WebID based Endpoint]]
* [[VirtSetupSSL][Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSSetupSSL][Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener]]
* [[http://ods.openlinksw.com/wiki/ODS/VirtODSSecurityWebID][WebID Protocol Support in OpenLink Data Spaces]]
* Manage ODS Datadspaces Objects WebID Access Control Lists (ACLs):
* [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebID][ODS Briefcase WebID based ACL Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDPerson][Person Entity WebID based ACL Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDGroup][Group Entity WebID based ACL Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDPublic][Public WebID based ACL Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACL][ODS Feed Manager WebID based ACL Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLPerson][Person Entity Specific ACL]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLGroup][Group Entity Specific ACL]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACL][ODS Calendar WebID based ACL Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLPerson][Person Entity Specific ACL]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLGroup][Group Entity Specific ACL]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACL][ODS Bookmark Manager WebID based ACL Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLPerson][Person Entity Specific ACL]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLGroup][Group Entity Specific ACL]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACL][ODS Address Book WebID based ACL Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLPerson][Person Entity Specific ACL]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLGroup][Group Entity Specific ACL]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSPkiSetup][Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates.]]
* [[http://ods.openlinksw.com/wiki/ODS/VirtODSPubSubHub][Setting up PubSubHub in ODS]]
* [[http://ods.openlinksw.com/wiki/ODS/VirtPubSubHub][PubSubHubbub Demo Client Example]]
* [[http://ods.openlinksw.com/wiki/ODS/VirtFeedPubSubHub][Feed subscription via PubSubHub protocol Example ]]
* [[http://ods.openlinksw.com/wiki/ODS/VirtPubSubHubACL][Setting Up PubSubHub to use WebID Protocol or IP based control lists]]
* [[http://ods.openlinksw.com/wiki/ODS/OdsKeyImport][CA Keys Import using Conductor]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateX509Certificate][Generate an X.509 Certificate hosted WebID Guide]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateWebIDX509CertOSKeystore][Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateWebIDX509CertBrsKeystore][Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdP][Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdpProxy][Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate]]
* [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDShareFile][ODS Briefcase WebID Protocol Share File Guide]]
* [[http://esw.w3.org/topic/foaf+ssl][WebID Protocol Specification]]
* [[https://foaf.me/simpleLogin.php][Test WebID Protocol Certificate page]]
* [[http://test.foafssl.org/cert/][WebID Protocol Certificate Generation page]]
|