NetKernel News Volume 4 Issue 4 - RDF Reloaded, RDFa Parser, SSL Certificate Procedure

NetKernel News Volume 4 Issue 4

February 1st 2013

What's new this week?

Catch up on last week's news here

Repository Updates

The following updates are available in both NKSE and NKEE repositories...

  • rdf-jena-1.9.1
    • Updated to Jena 2.7.4 (see below)
  • rdf-rdfa-1.5.1
    • Updated to use Semargl parser (see below)
  • wiki-core-1.9.1
    • Added SliNKi as a set of macros.

The following updates are available in the NKEE repository...

  • nkee-mclient-1.6.1
    • Deletes expired licenses from pds: to eliminate false expiry warnings.

RDF Reloaded

After the recent preview release of the Sesame-based RDF library, we've switched attention back to the original Jena-based library. This week we've updated rdf-jena to use the latest 2.7.4 release (from its new home at Apache).

With the switch to Apache, the core Jena classpaths have remained the same, whilst auxiliary tools use the new org/apache/jena/* package root, which is now also exported from the module.

One thing you may need to note - Jena uses several internal APIs from the latest Xerces XML library but, due to the way it is packaged, Xerces attempts to provide JAXP classpaths also provided by the JVM (org.w3c.dom.* etc). We didn't want you to have to use JVM level endorsed overriding of the XML class libraries just to be able to use Jena to read/write XML/RDF - fortunately we managed to use a trick to cherry pick the internal classes of Xerces whilst not conflicting with the JAXP JVM-level APIs.

This is a long-winded way of saying - you will be able to just use rdf-jena out of the box without having to mess with your JVM.

Breaking News

Mr B. Sletten (RDF wizard) suggested that I point out that this version of Jena...

"Enables SPARQL 1.1. That's big news!"

Which, from some demo's I was shown yesterday, is enabling some very cool stuff which I believe will be appearing in some very large scale Semantic Big Data public APIs real soon!

RDFa Parser

To complete the RDF updates, we've also overhauled the RDFa parser module, rdf-rdfa. We've switched the underlying parser implementation to Semargl. This provides a much more complete and mature solution than previously and has the additional benefit of enabling RDFa 1.0 and 1.1 support. The version can now be selected with an argument to the parser endpoint. One further enhancement is that it eliminates the need to decide in advance if the HTML resource to be parsed is plain old HTML or XHTML - it just works with either.

The ROC level grammars are compatible so the internal change should have no impact on existing use of this module. However to reflect the enhancements we've now provided a simplified alias to the parser with a base of active:jRDFaParser.

As before, the result of the parse is a wrapped Jena model - which can be serialized to many formats with the Jena tools. If you want to use other formats or directly serialize from the parse - you can create your own parse-sink chain at the API level using the org.semarglproject.* classes which are exported from the module.

Planned Work

With these updates to the existing RDF libraries completed, our attention can now return to finalizing the Sesame module and providing an interoperability module with transreptors between the resource models. Watch this space.

SSL Certificate Procedure

Managing SSL certificates is one of those chores that comes around regularly - but with a very low frequency - which means its almost impossible to remember from one year to the next what you need to do. Here for the record is a step-by-step procedure which, on a Linux box with openssl, works very smoothly. Each step uses the hostname "" for illustration so just replace this with your own domain...

(Its also worth reviewing the guidance provided by Jetty.)

0. Create a new private key and CSR

openssl req -new -newkey rsa:4096 -nodes -keyout -out

When asked, make sure the qualified name is the hostname you want the certificate for. Upload (or cut and paste the text) the CSR to your SSL certificate authority and ask for the certificate.

1. Download the certificate.

You may get the opportunity to choose the type of server - usually "Apache" will give you the most standard result.

For example, with the GoDaddy "Apache" option you get a zip with two certs: and gd_bundle.crt

If this is what you get, then you need to do some work to associate the CA key chain with the host certificate...

2. Make sure cert and CA keys are in PEM format

Check like this...

openssl x509 -text -inform PEM -in
openssl x509 -text -inform PEM -in gd_bundle.crt

Even though they end with .crt mine were really PEM format!! (Thanks GoDaddy)

If they're not PEM then use openssl to convert to PEM.

3. Create concatenated keychain

Note, the left to right order of the cert and CA cert is critical...

cat gd_bundle.crt > jetty-chain.pem

Verify this worked using...

openssl x509 -text -inform PEM -in jetty-chain.pem

4. Create pkcs12 store with the private key and the certificate keychain...

openssl pkcs12 -export -inkey -in jetty-chain.pem -out jetty-chain.pkcs12

5. Import pkcs12 into Java keystore...

keytool -importkeystore -srckeystore jetty-chain.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

6. Check that the certificate has a certificate chain length...

keytool -list -keystore keystore -v

You should see...

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 23-Jan-2013
Entry type: PrivateKeyEntry
Certificate chain length: 3

You want to see this Certificate chain length: 3 - where the chain length is greater than one to show that you've go the cert and the associate CA certificates chained.

7. Clone the key to give it "jetty" alias (and a new password if needed)

keytool -keyclone -keystore keystore -alias 1 -dest jetty -new xxxxnewpassswordxxxxxxx

8. Delete older key (Jetty doesn't like having 2 keys in the keystore)

keytool -delete -alias 1 -keystore keystore

Verify that keystore looks good...

keytool -list -keystore keystore

To see...

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

jetty, 23-Jan-2013, PrivateKeyEntry, 
Certificate fingerprint (SHA1): D2:38:DC:08:87:10:5D:EC:0B:44:87:25:09:A9:55:3A:FE:5D:54:7A

You're all set - take the keystore and deploy it to your server. Make sure the SSLConnection settings in the HTTPTransportConfig.xml in your Fulcrum point to the keystore and have the correct passwords etc.

Have a great weekend.


Please feel free to comment on the NetKernel Forum

Follow on Twitter:

@pjr1060 for day-to-day NK/ROC updates
@netkernel for announcements
@tab1060 for the hard-core stuff

To subscribe for news and alerts

Join the NetKernel Portal to get news, announcements and extra features.

NetKernel will ROC your world

Download now
NetKernel, ROC, Resource Oriented Computing are registered trademarks of 1060 Research

© 2008-2011, 1060 Research Limited