Install Shibboleth Target 1.2.1a on Debian (stable)

Author: Valéry Tschopp <tschopp@switch.ch> - SWITCH
$Date: 2006/08/11 11:33:27 $
$Revision: 1.10 $

Introduction

Shibboleth Target 1.2.x is outdated and not supported anymore. You must install the Shibboleth Service Provider 1.3 instead. Please refer to the new documentation: Install Shibboleth Service Provider 1.3 on Debian 3.1 (sarge)

Note: For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the Deployment section of our website.

The focus of this document is a detailed building and installation description of Shibboleth Target 1.2.1a on a Debian GNU/Linux 3.0 (woody) stable host using GNU C/C++ compilers.

The installation requires compiling the Shibboleth Target and some libraries from source, so you must install the necessary build tools and development libraries on your compile host.

Required Libraries

List of libraries required by Shibboleth Target 1.2.1a:

OpenSSL 0.9.6.c
SSL library http://www.openssl.org/
libcurl 7.12.2
Transfer library with URL syntax http://curl.haxx.se/
log4cpp 0.3.5rc1 (special Internet2 release: http://wayf.internet2.edu/shibboleth/)
C++ Logging library http://log4cpp.sourceforge.net/
Xerces-C++ 2.6.1 (special Internet2 release: http://wayf.internet2.edu/shibboleth/)
XML parser library http://xml.apache.org/xerces-c/
XML-Security-C 1.1.0
XML digital signature library http://xml.apache.org/security/c/
OpenSAML 1.0.1
Security assertion markup language library http://www.opensaml.org/

Original Install Documentation

For any platform other than Debian stable, please refer directly to the original INSTALL.txt files. They can be found in the source directories <PROJECT>/opensaml-1.0.1/doc and <PROJECT>/shibboleth-1.2.1/doc.

They contain more detailed information on building the Shibboleth Target 1.2.1a and the needed libraries from source on different architectures (OSX, Linux, Solaris).

Debian 3.0r2 (woody) stable

Debian GNU/Linux is the reference platform here at SWITCH. The ease of updating/upgrading packages and maintaining a high level of security on the host guided our choice.

The tradeoffs of installing Shibboleth Target 1.2.1a on Debian stable are:

To install Shibboleth Target 1.2.1a from source you need some building/development tools. You require a modern C/C++ compiler, a program builder (make) and some development packages.

C/C++ Compiler

Building the libraries and the Shibboleth Target 1.2.1a requires at least the GCC 3.0.4 C/C++ compiler. This compiler can be installed alongside an existing compiler.

Use apt-get to install/update the gcc/g++ 3.0.4 packages:

root# apt-get -u install gcc-3.0 g++-3.0 make 
...
root# 

Installing these compiler packages will also install a lot of dependent packages.

Environment Variables

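You need to set the environment variables CC and CXX to use the 3.0.4 C and C++ compilers, and LD_RUN_PATH so that the linker records /opt/shibboleth-1.2.1/lib as the run-time library search path: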

root# export CC=gcc-3.0 
root# export CXX=g++-3.0 
root# export LD_RUN_PATH=/opt/shibboleth-1.2.1/lib 
root#

Apache Development Package

The Shibboleth Target 1.2.1a is a dynamically loadable Apache module. It must therefore be linked against the Apache server, and it requires Apache's apxs tool and the Apache header files.

To install the Apache development package (C headers and apxs):

root# apt-get -u install apache-dev 
root#

Depending on your current installation, this could also install other dependent packages.

Libraries

The Shibboleth Target 1.2.1a as well as the needed libraries will be installed in: /opt/shibboleth-1.2.1

For security reasons, the default Debian OpenSSL 0.9.6c library package is used. The other libraries needed by Shibboleth Target 1.2.1a are not available for Debian stable and therefore must be compiled and installed from source.

OpenSSL Library

OpenSSL is a toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

As mentioned, the default Debian OpenSSL 0.9.6c library package is used. To compile the other libraries you must also install the libssl development package (C headers).

Use apt-get to install/update the libssl 0.9.6c and the libssl development packages:

root# apt-get -u install libssl0.9.6 libssl-dev 
...
root#

Depending on your current installation, this could install other dependent packages.

cURL Library: libcurl

cURL is a tool for transferring files with URL syntax, supporting HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and a busload of other useful tricks.

libcurl 7.12.2 is the preferred version to build Shibboleth Target 1.2.1a, but any version from about 7.11.1 on will work.

To build and install the libcurl library:

root# wget http://curl.haxx.se/download/curl-7.12.2.tar.gz
...
root# tar xvzf curl-7.12.2.tar.gz
...
root# cd curl-7.12.2
root# ./configure --prefix=/opt/shibboleth-1.2.1 --with-ssl --without-ca-bundle \
       --disable-static 
...
root# make 
...
root# make install 
...
root# cd ..

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

Log for C++ Library: log4cpp

Log4cpp is a library of C++ classes for flexible logging to files, syslog, IDSA and other destinations. It is modeled after the Log4j Java library, staying as close to its API as is reasonable.

Unfortunately, this project is in a limbo state and, pending future decisions, Internet2's Shibboleth Project is using a snapshot release. With this latest snapshot, scripts have been fixed on the supported platforms and some bug fixes have been added.

Shibboleth Target 1.2.1a requires the special Internet2 version 0.3.5rc1 of log4cpp.

To build and install the log4cpp library:

root# wget http://wayf.internet2.edu/shibboleth/log4cpp-0.3.5rc1.tar.gz
...
root# tar xvzf log4cpp-0.3.5rc1.tar.gz
...
root# cd log4cpp-0.3.5rc1
root# ./configure --prefix=/opt/shibboleth-1.2.1 --with-pthreads --disable-static \
      --disable-doxygen
...
root# make 
...
root# make install 
...
root# cd ..

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

Xerces-C++ Library

Xerces-C++ is a validating XML parser written in a portable subset of C++. Xerces-C++ makes it easy to give your application the ability to read and write XML data.

As the latest version 2.6 of Xerces-C++ is incompatible with Shibboleth, a special 2.6.1 release of Xerces-C++ with fixes applied has been created by Internet2's Shibboleth Project for use with OpenSAML and Shibboleth. The OpenSAML configure script will detect and block the use of 2.6.0. For the most part, any prior version since 2.3.0 should also work.

Make sure you set XERCESCROOT (don't forget the C) as appropriate. Also set the -c and -x switches of runConfigure as needed to specify your C and C++ compilers.

To build and install the Xerces-C++ library:

root# wget http://wayf.internet2.edu/shibboleth/xerces-c-src_2_6_1.tar.gz
...
root# tar xvzf xerces-c-src_2_6_1.tar.gz
...
root# cd xerces-c-src_2_6_1
root# export XERCESCROOT=`pwd`
root# cd src/xercesc
root# ./runConfigure -p linux -c gcc-3.0 -x g++-3.0 -r pthread -P /opt/shibboleth-1.2.1
...
root# make 
...
root# make install 
...
root# cd ../../..

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

XML-Security C++ Library

The XML Security C++ library is an implementation of the XML Digital Signature specification.

Shibboleth Target 1.2.1a requires version 1.1.0 of the XML Security library. You'll need to set XERCESCROOT as before, and also set OPENSSL if your OpenSSL installation isn't in a standard place like /usr/lib.

To build and install the XML Security library:

root# wget http://xml.apache.org/dist/security/c-library/old/xml-security-c-1.1.0.tar.gz
...
root# tar xvzf xml-security-c-1.1.0.tar.gz
...
root# cd xml-security-c-1.1.0/src

root# ./configure --prefix=/opt/shibboleth-1.2.1 --without-xalan
...
root# make 
...
root# make install 
...
root# cd ../..

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

OpenSAML Library

SAML (Security Assertion Markup Language) is a standard for the formation and exchange of authentication, attribute, and authorization data as XML. OpenSAML is a library which can be used to build, transport, and parse SAML messages. It is able to store the individual information fields that make up a SAML message, build the correct XML representation, and parse XML back into the individual fields before handing it off to a recipient. OpenSAML supports the SOAP binding for the exchange of SAML request and response objects.

The OpenSAML 1.0.1 library is required by Shibboleth Target 1.2.1a.

To build and install the OpenSAML library:

root# wget http://wayf.internet2.edu/shibboleth/opensaml-1.0.1.tar.gz
...
root# tar xvzf opensaml-1.0.1.tar.gz
...
root# cd opensaml-1.0.1
root# ./configure --prefix=/opt/shibboleth-1.2.1 --with-curl=/opt/shibboleth-1.2.1 \
       --with-log4cpp=/opt/shibboleth-1.2.1
...
root# make 
...
root# make install 
...
root# cd ..

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

Shibboleth Target 1.2.1a

Building the Shibboleth Target's shar, libraries, test programs, and Apache module is more or less like building OpenSAML.

Apache Requirements

You need to have an Apache in place. You don't have to use the full Apache source code, however you will need to provide the necessary build flags during configure, or ideally, let Shibboleth's configure script use your Apache's apxs script to extract the necessary information.

Also, at a minimum, Apache needs to be built with mod_so enabled for dynamically loading modules. If you encounter problems with crashing or apparent module conflicts, make sure Apache and any modules were built with threading support.

Build and Install Shibboleth Target 1.2.1a

Apache2 is not available on Debian stable, therefore the Shibboleth Target 1.2.1a module can be built only for Apache 1.3.X.

However, if you have locally compiled and installed an Apache2 webserver, you can compile the Shibboleth Target 1.2.1a module for it. Just add these options to the configure script: --enable-apache-20 --with-apxs2=<PATH_TO_APXS2>.

To build and install the Shibboleth Target Apache module:

root# wget http://wayf.internet2.edu/shibboleth/shibboleth-1.2.1a.tar.gz
...
root# tar xvzf shibboleth-1.2.1a.tar.gz
...
root# cd shibboleth-1.2.1
root# ./configure --prefix=/opt/shibboleth-1.2.1 --enable-apache-13 --with-apxs \
      --with-log4cpp=/opt/shibboleth-1.2.1
...
root# make 
...
root# make install 
...
root# cd ..

The Shibboleth Target shar is now installed in /opt/shibboleth-1.2.1/bin, the Apache module in /opt/shibboleth-1.2.1/libexec and the shared library in /opt/shibboleth-1.2.1/lib.
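
The build steps above fetch each source tarball over plain HTTP and unpack it as root. The following is an added example, not part of the original guide: it checks a tarball against a pinned SHA-256 digest and rejects unsafe member paths before extraction. The function names and the MANIFEST file are assumptions of this example; the guide publishes no digests.

```sh
#!/bin/sh
# Added example. MANIFEST holds "<sha256>  <filename>" lines (sha256sum format);
# the digests must come from a trusted channel, the page does not publish any.

# verify_tarball MANIFEST TARBALL
# 0 = pinned digest matches and member paths are safe; non-zero = do not unpack.
verify_tarball() {
    manifest=$1
    tarball=$2
    name=$(basename "$tarball")

    [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 1; }

    # A file that is not listed in the manifest is rejected, not trusted.
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$manifest")
    [ -n "$expected" ] || { echo "not pinned: $name" >&2; return 2; }

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "digest mismatch: $name" >&2; return 3; }

    # List members without extracting and refuse absolute or ../ paths,
    # which could write outside the build directory when tar runs as root.
    members=$(tar tzf "$tarball" 2>/dev/null) ||
        { echo "unreadable archive: $name" >&2; return 5; }
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $name" >&2
        return 4
    fi
    return 0
}

# fetch_and_unpack URL MANIFEST: download, verify, and only then extract.
fetch_and_unpack() {
    url=$1
    file=$(basename "$url")
    wget -q -O "$file" "$url" || return 1
    verify_tarball "$2" "$file" || { rm -f "$file"; return 1; }
    tar xzf "$file"
}
```

With these functions sourced, `fetch_and_unpack <URL> MANIFEST` replaces a `wget` and `tar xvzf` pair in the steps above.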

Debian Administration

Now that the Shibboleth Target 1.2.1a installation is complete, you must set the correct access permissions on the log directory. You can also set up some useful administrative links to help integrate Shibboleth into the Debian environment.

Log Access Permission

On Debian the Apache webserver runs under the special www-data user. You must grant this user write access to the Shibboleth log directory to allow the Shibboleth Target 1.2.1a Apache module to log its operations in shire.log and rotate the log files.

Set the correct access permissions on the log directory:

root# cd /opt/shibboleth-1.2.1/var/log
root# chown root:www-data shibboleth
root# chmod 775 shibboleth
root#
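
The permission change above should give the web server's group write access to the log directory and nowhere else in the installation tree. The following is an added example, not part of the original guide: it checks both conditions. The function names are assumptions of this example; the prefix and group are passed as arguments, for instance /opt/shibboleth-1.2.1 and www-data.

```sh
#!/bin/sh
# Added example: audit write access under the Shibboleth install prefix.

# logdir_ok PREFIX GROUP
# Succeeds only if PREFIX/var/log/shibboleth is a real directory (not a
# symlink), belongs to GROUP, is group-writable and is not world-writable.
logdir_ok() {
    logdir=$1/var/log/shibboleth
    [ -n "$(find "$logdir" -maxdepth 0 -type d -group "$2" \
            -perm -0020 ! -perm -0002 2>/dev/null)" ]
}

# writable_outside_log PREFIX GROUP
# Prints every path under PREFIX, outside the log directory, that is
# world-writable or writable by GROUP. Symlinks are skipped because their
# own mode bits are meaningless. Empty output means nothing else is writable.
writable_outside_log() {
    logdir=$1/var/log/shibboleth
    find "$1" -path "$logdir" -prune -o \
        \( -perm -0002 -o \( -group "$2" -perm -0020 \) \) \
        ! -type l -print
}
```

Run `logdir_ok /opt/shibboleth-1.2.1 www-data` and `writable_outside_log /opt/shibboleth-1.2.1 www-data` after the chown and chmod steps; the first should succeed and the second should print nothing.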

Administrative Links

Set up useful Debian administrative links:

root# cd /opt
root# ln -s shibboleth-1.2.1 shibboleth
root# cd /etc
root# ln -s /opt/shibboleth-1.2.1/etc/shibboleth shibboleth
root# cd /var/log
root# ln -s /opt/shibboleth-1.2.1/var/log/shibboleth shibboleth
root#

Configuration and Deployment within SWITCHaai Federation

Now that you have successfully compiled and installed the Shibboleth middleware, you should go further and configure your resource for the SWITCHaai Federation.

The SWITCHaai Configuration Guide (Debian and Solaris) explains how to configure the Shibboleth software to be a member of the SWITCHaai Federation.


$Id: install-target-1.2.1-debian.html,v 1.10 2006/08/11 11:33:27 tschopp Exp $