LDS Demo Runbook

Step-by-step guide for operating the Pauhu® Language Data Space connector at lds.pauhu.eu

Prerequisites: The connector runs on a Hetzner VM (Ubuntu 22.04, 16 GB RAM, 8 CPU, 150 GB disk) with Docker and Certbot installed. LDS version: 0.10.0prod.

Service URLs

Service	URL	Access
Connector UI	`https://lds.pauhu.eu/cui1/`	Authenticated (Keycloak)
EDC Control Plane	`https://lds.pauhu.eu/cp1/api/v1/ids`	Machine-to-machine (DAPS)
Keycloak Admin	`https://lds.pauhu.eu/auth/admin/master/console/`	localhost only (SSH tunnel)
Keycloak LDS Realm	`https://lds.pauhu.eu/auth/realms/LDS`	OAuth2 issuer
Storage Proxy	`https://lds.pauhu.eu/storage1`	Internal (S3-compatible)
Swagger UI	`https://lds.pauhu.eu/connector1/swagger-ui/`	localhost only (SSH tunnel)
Grafana Dashboard	`localhost:3100`	SSH tunnel only
LDS Registry	`https://language-data-space.eu/registryui/`	LDS participant credentials
LDS Federated Catalogue	`https://language-data-space.eu/fc`	Public

Security: Keycloak Admin, Swagger UI, and Grafana are blocked from public access by Nginx. Access them via SSH tunnel: ssh -L 8080:localhost:8080 root@lds.pauhu.eu

Open https://lds.pauhu.eu/cui1/ in your browser.
You will be redirected to Keycloak. Log in with your LDS realm credentials.
After authentication, the Connector UI dashboard appears with your published assets and contract negotiations.

To access Keycloak Admin (user management, realm configuration):

# SSH tunnel to the Hetzner VM
ssh -L 8443:localhost:443 root@lds.pauhu.eu

# Then open in browser:
# https://localhost:8443/auth/admin/master/console/

Change default credentials immediately. The Keycloak default is root/root. Change this on first login at the admin console.

Step 2: Access the Swagger UI

The EDC Control Plane exposes a management API documented via Swagger. This is restricted to localhost.

# SSH tunnel for Swagger access
ssh -L 8181:localhost:8181 root@lds.pauhu.eu

# Open in browser:
# http://localhost:8181/connector1/swagger-ui/

Key management API endpoints:

Endpoint	Method	Purpose
`/api/management/v2/catalog/request`	POST	Query the federated data catalogue
`/api/management/v3/assets/request`	POST	List published data assets
`/api/management/v3/assets`	POST	Create a new data asset
`/api/management/v2/policydefinitions`	POST	Create ODRL access policies
`/api/management/v2/contractdefinitions`	POST	Create contract definitions
`/api/management/v2/contractnegotiations`	GET	List active contract negotiations
`/api/management/v2/transferprocesses`	GET	List active data transfers

Step 3: Generate and upload the certificate

3a. Generate the TLS certificate

# On the Hetzner VM:
sudo certbot certonly --standalone -d lds.pauhu.eu

# Certificate files:
# /etc/letsencrypt/live/lds.pauhu.eu/fullchain.pem
# /etc/letsencrypt/live/lds.pauhu.eu/privkey.pem

3b. Generate EDC authentication keys

# From /opt/lds/deployment/
bash manageAuthKeys.sh

# This creates:
# cert1    — PEM certificate for LDS registry
# privatekey1 — private key for DAPS authentication

3c. Upload certificate to LDS Registry

Open https://language-data-space.eu/registryui/
Log in with your LDS Participant Registry credentials (provided by Athena Research Center).
Navigate to Connectors → Register new connector.

Fill in the registration form:

Field	Value
Connector name	`Pauhu Ltd`
Endpoint URL	`https://lds.pauhu.eu/cp1/api/v1/ids`
Certificate	Upload the `cert1` file (PEM format)

Submit. The registry issues a DAPS token that allows your connector to participate in the LDS federation.

Contact: For LDS Participant Registry credentials, contact Penny Labropoulou at Athena Research Center: penny@athenarc.gr

Step 4: Configure EDC and start

# On the Hetzner VM, from /opt/lds/deployment/

# 1. Configure EDC with Pauhu settings
bash configureEDC1.sh

# 2. Start all containers
bash startEDC1.sh

# 3. Verify all containers are running
docker compose -f docker-compose1.yaml ps

Expected containers (11 core services):

Container	Port	Purpose
`pg1`	5432	PostgreSQL database
`edc1`	8080, 8181	EDC Control Plane
`edc1dp`	9090, 9091	EDC Data Plane
`proxy1`	8081	API Proxy
`ui1`	9876	Connector UI
`storage1`	9080	S3-compatible storage
`iam1`	8040	Keycloak IAM
`iam-database1`	3308	Keycloak MySQL
`nginxconn`	443	Nginx reverse proxy
`edcvault1`	8200	HashiCorp Vault
`es1`	9200	Elasticsearch

Step 5: Configure R2 storage

The connector uses Cloudflare R2 (S3-compatible) for data storage. Configure the storage endpoint in .env:

S3LIKE_ENDPOINT=https://<account-id>.eu.r2.cloudflarestorage.com
S3LIKE_BUCKET=pauhu-lds-data-eu
S3LIKE_REGION=weur
S3LIKE_ACCESS_KEY=<R2_ACCESS_KEY>
S3LIKE_SECRET_KEY=<R2_SECRET_KEY>

EU jurisdiction: All R2 buckets use EU jurisdiction. Data never leaves the European Union.

Step 6: Publish data assets

Once the connector is running and registered, publish Pauhu datasets to the LDS federation. Use the Connector UI or the management API:

# Create a data asset (via management API)
curl -X POST http://localhost:8181/api/management/v3/assets \
  -H "Content-Type: application/json" \
  -d '{
    "@context": { "edc": "https://w3id.org/edc/v0.0.1/ns/" },
    "@type": "Asset",
    "properties": {
      "name": "EUR-Lex Legal Corpus",
      "description": "EU legislation, case law, and preparatory acts with EuroVoc annotations",
      "contenttype": "application/json"
    },
    "dataAddress": {
      "type": "AmazonS3",
      "region": "weur",
      "bucketName": "pauhu-lds-data-eu",
      "keyName": "eurlex/"
    }
  }'

Repeat for each of the 21 EuroVoc domain datasets. All assets use ODRL access policies with tiered pricing (see Pricing).

Step 7: Harden the connector

Run the IEC 62443-3-3 SL-3 hardening script:

bash harden-lds-connector.sh

This applies:

UFW firewall: allow ports 22 (SSH), 80 (HTTP redirect), 443 (HTTPS) only
Admin path restrictions: /auth/admin/, /connector1/swagger-ui/, /grafana/ blocked from public
SSH hardening: key-only authentication, password auth disabled
Fail2ban: 3 failed attempts = 1 hour ban
Service binding: Redis, MySQL, Loki, Keycloak bound to 127.0.0.1
Auto-updates: unattended-upgrades for security patches

Step 8: Verify the deployment

# Health check (from any machine)
curl -s https://lds.pauhu.eu/cp1/api/v1/ids | head -20

# Query the federated catalogue
curl -X POST http://localhost:8181/api/management/v2/catalog/request \
  -H "Content-Type: application/json" \
  -d '{}'

# List published assets
curl -X POST http://localhost:8181/api/management/v3/assets/request \
  -H "Content-Type: application/json" \
  -d '{}'

Troubleshooting

Problem	Check	Fix
Connector UI shows 502	`docker compose -f docker-compose1.yaml ps`	Restart: `bash startEDC1.sh`
DAPS token rejected	Check cert1 expiry and registry status	Re-run `bash manageAuthKeys.sh` and re-upload cert1
Storage upload fails	Verify R2 credentials in `.env`	Test with `aws s3 ls --endpoint-url $S3LIKE_ENDPOINT s3://$S3LIKE_BUCKET/`
TLS certificate expired	`sudo certbot certificates`	`sudo certbot renew`

LDS Connector Deployment Guide — full technical deployment documentation
API Documentation — all Pauhu API endpoints
Security — zone isolation, encryption, access control
Developer Docs — MCP server, CLI, container setup