Tuesday, June 21, 2016

Setting Up a SOLiD Server Using the WebID from databox.me {draft}

The SOLiD Server [1] is a later generation of the personal data store rww.io described in Dr. Andrei Sambra's Dissertation [2] and implemented as part of CIMBA or Client-Integrated MicroBlogging Application [3].

CIMBA decoupled the front end of the web application from the back end data such that the data can exist on any server and the front end application can exist on another server. Sandro Hawke posted several videos beginning with the title "Building Social Applications with Linked Data Platform (LDP) -- Crosscloud". Part 2 of this video series [4] shows a demonstration of CIMBA by Dr. Andrei Sambra.

Although CIMBA was targeted towards microblogging, the personal data store can be targeted at any front end application. For microblogging, and other applications, a special standard pattern is developed that utilizes the linked data platform [5],[6].

SOLiD, a platform that gained a lot of energy in mid-2015 with the Crosscloud project [7], is described on GitHub [8] and serves as a foundation in the initiative. It follows the Linked Data Platform standard that is used to build the LDP server Apache Marmotta [9] and in Fedora 4 in Islandora [10] for organizing library collections, amongst other things. One thing that is unique about SOLiD is its use of the WebID URI in the authentication and authorization process.

Although many implementations of SOLiD exist [11], the one currently receiving significant effort is the Node.js implementation. This is available through the link at [1].

In a previous post [15], the use of databox.me to create a WebID, client certificate, and private key was presented. This is useful for authenticating as a user to a SOLiD based server and authorizing the user to access resources through the access control language [12].

In order to launch our own SOLiD server, we need a server side certificate to support HTTPS, which proves the server's identity to the client [13]. We could run it without TLS/SSL, that is over HTTP, but this is risky. For proof of this, the author has run a SOLiD server (previously called ldnode) with a Linked Data File Manager called WARP [14] and achieved an environment on localhost (i.e. on the local machine) that looked very similar to rww.io when it was operational.

Fortunately, the README for node-solid-server [1] goes into how to set this up. We already created a client side certificate and private key with databox.me and stored it in our browser. The public personal profile document created upon databox.me signup and used for FOAF+SSL authentication is available at http://bshambaugh.databox.me/profile/card .

We could have a similar setup elsewhere, as the requirement for FOAF+SSL is that we have RDF somewhere that points a WebID to a public key (in this case, modulus and exponent), along with the following in the browser: a client certificate in the form described in the previous databox.me post and the corresponding private key.
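The key match that FOAF+SSL relies on, as an added example (not code from node-solid-server or databox.me). It assumes the profile has already been fetched, uses a simplified regex in place of an RDF parser, and the WebID `https://alice.example/profile/card#me`, the key pair and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Reduce an RSA public key to the two values a WebID profile publishes.
function rsaParts(publicKey) {
  const jwk = publicKey.export({ format: 'jwk' });
  const hex = (b64) => Buffer.from(b64, 'base64url').toString('hex');
  return { modulus: hex(jwk.n).replace(/^0+/, ''), exponent: parseInt(hex(jwk.e), 16) };
}

// Collect the keys a profile asserts for one WebID. Simplified: a regex over
// "<webid> cert:key [ ... ]" blocks stands in for a real RDF parser.
function keysForWebId(turtle, webid) {
  const keys = [];
  const block = /<([^>]+)>\s+cert:key\s+\[([^\]]*)\]/g;
  for (const [, subject, body] of turtle.matchAll(block)) {
    if (subject !== webid) continue; // a key listed for another subject proves nothing
    const mod = /cert:modulus\s+"([0-9a-fA-F\s]+)"/.exec(body);
    const exp = /cert:exponent\s+"?(\d+)/.exec(body);
    if (!mod || !exp) continue;
    keys.push({
      // Profiles may publish the hex in upper case, with whitespace or leading zeros.
      modulus: mod[1].replace(/\s+/g, '').toLowerCase().replace(/^0+/, ''),
      exponent: Number(exp[1]),
    });
  }
  return keys;
}

// True only if the key taken from the client certificate is one the profile lists.
function webIdKeyMatches(turtle, webid, presentedKey) {
  const seen = rsaParts(presentedKey);
  return keysForWebId(turtle, webid).some(
    (k) => k.modulus === seen.modulus && k.exponent === seen.exponent);
}

// Constructed sample profile (Turtle) publishing the given key for the given WebID.
function sampleProfile(webid, publicKey) {
  const { modulus, exponent } = rsaParts(publicKey);
  return `@prefix cert: <http://www.w3.org/ns/auth/cert#> .
<${webid}> cert:key [ a cert:RSAPublicKey ;
  cert:modulus "${modulus.toUpperCase()}"^^<http://www.w3.org/2001/XMLSchema#hexBinary> ;
  cert:exponent ${exponent} ] .`;
}

const WEBID = 'https://alice.example/profile/card#me'; // hypothetical WebID
const { publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
console.log(webIdKeyMatches(sampleProfile(WEBID, publicKey), WEBID, publicKey));
```

A different key, or the same key published under a different subject URI, makes `webIdKeyMatches` return false, which is why the comparison is scoped to the claimed WebID.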

To create the server side certificate (as opposed to the client side certificate that authenticates an entity with a WebID) that allows the SOLiD server to serve itself over HTTPS, we have multiple options. We could purchase one online signed by a root certificate authority [16], obtain a free one through a service like Let's Encrypt [17], or create our own self-signed certificate with openssl (or the like).

Since we are testing SOLiD locally, let's try using a self-signed server side certificate. The README [1] suggests the following commands:

openssl genrsa 2048 > ../localhost.key
 
openssl req -new -x509 -nodes -sha256 -days 3650 -key ../localhost.key -subj '/CN=*.localhost' > ../localhost.cert

This creates a private key called localhost.key and a certificate called localhost.cert in the directory above the local one. I went ahead and added the extension .pem to both of them since they are already in the PEM [18] format.

cp ../localhost.key localhost.key.pem
cp ../localhost.cert localhost.cert.pem

Now that we have our server certificates, we need to have node-solid-server running. In order to do this, we need Node.js v6. I chose to also have the latest version of Ubuntu, 16.04, to run Node. N.B.: I was running with Ubuntu 12.04 before, but I discovered that this required a special configuration, as the version of g++ included with the distribution did not support some of the recent additions in V8, requiring me to configure for another C compiler [19].

I found the instructions at Digital Ocean useful [20], specifically the section titled "How To Install Using NVM".

Once I have Node.js installed, I can install node-solid-server. I do this by following the instructions in the README [1]. Specifically:

npm install -g solid-server

Now that I have solid server installed with the -g flag (which means I can access it globally), I can tell it about my server side certificates. There are two ways to do this. I can either use the solid-server installation to create a JSON file that points to them, or I can tell solid about them at each startup.

To create the JSON [21] file I use the following command:

solid init

I then follow by pressing enter for each input request except for those that prompt with a y/N option or a path to the SSL private key or SSL certificate.

For the y/N options I select y (at least for "Enable WebID authentication"). For the path to the SSL certificate and SSL key I point to the relative path to them. Since the ones I created were in the present directory where I initiated solid with "solid init", they are simply localhost.key (or localhost.key.pem) and localhost.cert (or localhost.cert.pem or localhost.crt.pem, or localhost.crt).


Going through this process creates a file called config.json. After this I can go ahead and start the solid server from the same directory using the command:

solid start

Alternatively, I may want to avoid using the config.json file and pass everything in as an input parameter in the shell at startup. I found it effective to delete the config.json file (if it exists) before trying this.

solid start --port 8443 --ssl-key localhost.key.pem --ssl-cert localhost.cert.pem \
--webid -v

I am specifying port 8443, localhost.key.pem as private key for my server certificate, localhost.cert.pem as the server certificate, use of webid based authentication with --webid, and verbose output in the shell with -v.


[1] https://github.com/solid/node-solid-server
[2] https://halshs.archives-ouvertes.fr/tel-00917965/document
[3] http://crosscloud.org/2014/iswc-sambra-pdf.pdf
[4] https://www.youtube.com/watch?v=GtnB7aM1mTM
[5] https://www.w3.org/TR/ldp-primer/
[6] https://www.youtube.com/watch?v=Yth7O6yeZRE&t=1h34m50s
[7] http://crosscloud.org/
[8] https://github.com/solid/solid
[9] http://marmotta.apache.org/
[10] https://www.youtube.com/watch?v=9wTFAwvBRbY
[11] http://crosscloud.org/2016/www-mansour-pdf.pdf
[12] https://www.w3.org/wiki/WebAccessControl
[13] http://robertheaton.com/2014/03/27/how-does-https-actually-work/
[14] https://github.com/linkeddata/warp
[15] http://adistributedeconomy.blogspot.com/2016/06/creating-client-side-certificate.html
[16] https://en.wikipedia.org/wiki/Root_certificate
[17] https://letsencrypt.org/
[18] http://how2ssl.com/articles/working_with_pem_files/
[19] https://github.com/nodesource/distributions/blob/master/OLDER_DISTROS.md
[20] https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-16-04
[21] http://json.org/
