Install Shibboleth Target 1.2.1a on Solaris

Author: Valéry Tschopp <tschopp@switch.ch> - SWITCH
$Date: 2006/08/11 11:33:27 $
$Revision: 1.8 $

Introduction

Shibboleth Target 1.2.x is outdated and not supported anymore. You must install the Shibboleth Service Provider 1.3 instead. Please refer to the new documentation: Install Shibboleth Service Provider 1.3 on Solaris

Note: For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the Deployment section of our website.

The focus of this document is a detailed compilation and installation guide of Shibboleth Target 1.2.1a on a Sun Solaris host using Sun C/C++ Compilers.

The installation requires compiling the Shibboleth Target and some libraries from source, so the necessary build tools and development libraries must be installed on your compile host.

Required Libraries

List of libraries required by Shibboleth Target 1.2.1a:

OpenSSL 0.9.6 or 0.9.7
SSL library http://www.openssl.org/
libcurl 7.12.2
Transfer library with URL syntax http://curl.haxx.se/
log4cpp 0.3.5rc1 (special Internet2 release: http://wayf.internet2.edu/shibboleth/)
C++ Logging library http://log4cpp.sourceforge.net/
Xerces-C++ 2.6.1 (special Internet2 release: http://wayf.internet2.edu/shibboleth/)
XML parser library http://xml.apache.org/xerces-c/
XML-Security-C 1.1.0
XML digital signature library http://xml.apache.org/security/c/
OpenSAML 1.0.1
Security assertion markup language library http://www.opensaml.org/

Original Install Documentation

For any platform other than Debian stable, please refer directly to the original INSTALL.txt files. They can be found in the source directories <PROJECT>/opensaml-1.0.1/doc and <PROJECT>/shibboleth-1.2.1/doc.

They contain more detailed information on building the Shibboleth Target 1.2.1a and the needed libraries from source on different architectures (OSX, Linux, Solaris).

Sun Solaris

To install Shibboleth Target 1.2.1a from source you need some building/development tools. You require a modern C/C++ compiler, a program builder (make) and some development packages.

Sun C/C++ Compiler

We chose to build the libraries and the Shibboleth Target 1.2.1a with the Sun Forte Developer 7 C/C++ 5.4 compiler, but others have successfully compiled them using the new Sun ONE Studio Compiler Collection 8.0.

The Forte Developer 7 C and C++ compilers are licensed software and are normally installed under: /opt/SUNWspro

If that is not the case, contact your system administrator to install the Solaris packages (SPROcc and SPROcpl).

GNU make

Besides the standard Solaris make, building the Xerces-C and XML-Security-C libraries requires GNU make (gmake).

You can download the GNU make and autoconf precompiled binary packages for Solaris directly from Sunfreeware.com

Apache DSO and Extension Tool

The Shibboleth Target 1.2.1a is a dynamically loadable Apache module. Therefore, your Apache server must be compiled with DSO support enabled, and the Apache Extension Tool (apxs) must be available.

Shell and Environment Variables

To build the Shibboleth Target 1.2.1a, we highly recommend using tcsh as the shell. For some unknown reason, it was impossible to build the libraries using a bash shell.

You need to set the following environment variables PATH, CC and CXX to use the Sun C and C++ compilers:

root# setenv PATH /opt/SUNWspro/bin:$PATH 
root# setenv CC cc 
root# setenv CXX CC
root#
root# cc -V
cc: Forte Developer 7 C 5.4 2002/03/09
usage: cc [ options] files.  Use 'cc -flags' for details  
root# CC -V
CC: Forte Developer 7 C++ 5.4 2002/03/09
root# which make
/usr/ccs/bin/make
root#

Libraries

The Shibboleth Target 1.2.1a components as well as the needed libraries will be installed in: /opt/shibboleth-1.2.1

OpenSSL Library

OpenSSL is a toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Many sites already have the OpenSSL library installed locally. To compile the other libraries, ensure you also have the libssl C headers installed.

You can download the OpenSSL precompiled binary package for Solaris directly from Sunfreeware.com or build it locally.

cURL Library: libcurl

cURL is a tool for transferring files with URL syntax, supporting HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and a busload of other useful tricks.

libcurl 7.12.2 is the preferred version for building Shibboleth Target 1.2.1a, but any version from about 7.11.1 on will work.

Set the environment variable OPENSSL according to your local configuration (in our case the OpenSSL library is installed under the /usr/local directory).

To build and install the libcurl library:

root# setenv OPENSSL /usr/local
root#
root# wget http://curl.haxx.se/download/curl-7.12.2.tar.gz
...
root# tar xvzf curl-7.12.2.tar.gz
...
root# cd curl-7.12.2
root# ./configure --prefix=/opt/shibboleth-1.2.1 --with-ssl=$OPENSSL \
       --without-ca-bundle --disable-static 
...
root# make 
...
root# make install 
...
root#

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

Log for C++ Library: log4cpp

Log4cpp is a library of C++ classes for flexible logging to files, syslog, IDSA and other destinations. It is modeled after the Log4j Java library, staying as close to their API as is reasonable.

Unfortunately this project is in a limbo state and, pending future decisions, Internet2's Shibboleth Project is using a snapshot release. With this latest snapshot, the scripts have been fixed on the supported platforms and some bug fixes have been added.

Shibboleth Target 1.2.1a requires the special Internet2 version 0.3.5rc1 of log4cpp.

To build and install the log4cpp library:

root# wget http://wayf.internet2.edu/shibboleth/log4cpp-0.3.5rc1.tar.gz
...
root# tar xvzf log4cpp-0.3.5rc1.tar.gz
...
root# cd log4cpp-0.3.5rc1
root# ./configure --prefix=/opt/shibboleth-1.2.1 --with-pthreads --disable-static \
      --disable-doxygen
...
root# make 
...
root# make install 
...
root#

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

Xerces-C++ Library

Xerces-C++ is a validating XML parser written in a portable subset of C++. Xerces-C++ makes it easy to give your application the ability to read and write XML data.

As the latest version 2.6 of Xerces-C++ is incompatible with Shibboleth, a special 2.6.1 release of Xerces-C++ with fixes applied has been created by Internet2's Shibboleth Project for use with OpenSAML and Shibboleth. The OpenSAML configure script will detect and block the use of 2.6.0. For the most part, any prior version since 2.3.0 should also work.

You must use GNU make to build the Xerces-C++ library. Set the environment variable MAKE according to your local configuration (in our case /usr/local/bin/gmake).

The Xerces-C++ shared library isn't statically linked with Shibboleth's other shared libraries. Therefore, set the environment variable LDFLAGS to statically link Xerces-C++.

To build and install the Xerces-C++ library:

root# setenv MAKE gmake 
root# setenv LDFLAGS -R/opt/shibboleth-1.2.1/lib 
root#
root# wget http://wayf.internet2.edu/shibboleth/xerces-c-src_2_6_1.tar.gz
...
root# tar xvzf xerces-c-src_2_6_1.tar.gz
...
root# cd xerces-c-src_2_6_1
root# setenv XERCESCROOT `pwd`
root# cd src/xercesc
root# ./runConfigure -p solaris -c cc -x CC -r pthread -P /opt/shibboleth-1.2.1
...
root# gmake 
...
root# gmake install 
...
root# unsetenv MAKE LDFLAGS 
root#

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

XML-Security C++ Library

The XML Security C++ library is an implementation of the XML Digital Signature specification. Shibboleth Target 1.2.1a requires version 1.1.0 of the XML Security library.

You'll need to set environment variable XERCESCROOT as before, and also set environment variables OPENSSL and LD_LIBRARY_PATH according to your local OpenSSL installation.

Due to a problem with the configure script, you will need to set the environment variables CC and LDFLAGS.

GNU make is required to build the XML-Security C++ library. Therefore, set the environment variable MAKE according to your local configuration.

The permissions of the install script install-sh need to be fixed, and the environment variable INSTALL must be set to its absolute path.

To build and install the XML Security library:

root# setenv XERCESCROOT `pwd`/xerces-c-src_2_6_1
root# setenv OPENSSL /usr/local
root# setenv LD_LIBRARY_PATH $OPENSSL/lib
root# setenv CC CC 
root# setenv LDFLAGS -R/opt/shibboleth-1.2.1/lib 
root# setenv MAKE gmake 
root#
root# wget http://xml.apache.org/dist/security/c-library/old/xml-security-c-1.1.0.tar.gz
...
root# tar xvzf xml-security-c-1.1.0.tar.gz
...
root# cd xml-security-c-1.1.0/src
root#
root# chmod 755 install-sh
root# setenv INSTALL `pwd`/install-sh
root#
root# ./configure --prefix=/opt/shibboleth-1.2.1 --without-xalan
...
root# gmake 
...
root# gmake install 
...
root# unsetenv MAKE LDFLAGS CC LD_LIBRARY_PATH INSTALL 
root#

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

OpenSAML Library

SAML (Security Assertion Markup Language) is a standard for the formation and exchange of authentication, attribute, and authorization data as XML. OpenSAML is a library which can be used to build, transport, and parse SAML messages. It is able to store the individual information fields that make up a SAML message, build the correct XML representation, and parse XML back into the individual fields before handing it off to a recipient. OpenSAML supports the SOAP binding for the exchange of SAML request and response objects.

The OpenSAML 1.0.1 library is required by Shibboleth Target 1.2.1a.

Set the environment variable OPENSSL according to your local configuration.

GNU make is required to build the OpenSAML library. Therefore, set the environment variable MAKE according to your local configuration.

To build and install the OpenSAML library:

root# setenv OPENSSL /usr/local 
root# setenv MAKE gmake 
root# 
root# wget http://wayf.internet2.edu/shibboleth/opensaml-1.0.1.tar.gz
...
root# tar xvzf opensaml-1.0.1.tar.gz
...
root# cd opensaml-1.0.1
root#
root# ./configure --prefix=/opt/shibboleth-1.2.1 --with-curl=/opt/shibboleth-1.2.1 \
       --with-log4cpp=/opt/shibboleth-1.2.1 --with-openssl=$OPENSSL
...
root# gmake 
...
root# gmake install 
...
root#

The shared library is now installed in /opt/shibboleth-1.2.1/lib.

Shibboleth Target 1.2.1a

Building the Shibboleth Target's shar, libraries, test programs, and Apache module is more or less like building OpenSAML.

Apache Requirements

You need to have an Apache in place. You don't have to use the full Apache source code, however you will need to provide the necessary build flags during configure, or ideally, let Shibboleth's configure script use your Apache's apxs script to extract the necessary information.

Also, at a minimum, Apache needs to be built with mod_so enabled for dynamically loading modules. If you encounter problems with crashing or apparent module conflicts, make sure Apache and any modules were built with threading support.

Build and Install Shibboleth Target 1.2.1a

Set the environment variable OPENSSL according to your local installation and configuration of OpenSSL.

The source file shib-target/XMLRequestMapper.cpp must be patched. The modification is needed because the Sun Forte compiler is much stricter than gcc. Therefore, you must edit the file shib-target/XMLRequestMapper.cpp and modify the line in function split_url as highlighted below:

...
 const char* split_url(const char* url, string& vhost)
 {
     const char* path=NULL;
     //char* slash=strchr(url,'/');
     const char* slash=strchr(url,'/');
     if (slash)
     {
         slash=strchr(slash,'/');
...

The Solaris C++ libraries libCstd and libCrun must be statically referenced by the Shibboleth Apache module (for both Apache 1.3 and 2.x). Set the C++ compiler and linker options CXXFLAGS, LD and LDFLAGS accordingly. Sun C/C++ compilers don't define the __sparc__ preprocessor constant; therefore, define the constant __sparc__ in the CFLAGS and CXXFLAGS environment variables.

GNU make is required to build the Shibboleth Target. Therefore, set the environment variable MAKE according to your local configuration.

You must also specify the path to the Apache and Apache2 Extension Tool (apxs) if you want to build the module. Use the configure options --with-apxs=<PATH_TO_APXS> and --with-apxs2=<PATH_TO_APXS2> to build the respective Apache module.

To build and install the Shibboleth Target SHAR and Apache modules:

root# setenv OPENSSL /usr/local 
root# setenv CXXFLAGS "$CXXFLAGS -D__sparc__ -library=Cstd,Crun" 
root# setenv LD CC 
root# setenv LDFLAGS "-lCstd -lCrun" 
root# setenv CFLAGS "$CFLAGS -D__sparc__" 
root# setenv MAKE gmake 
root# 
root# wget http://wayf.internet2.edu/shibboleth/shibboleth-1.2.1a.tar.gz
...
root# tar xvzf shibboleth-1.2.1a.tar.gz
...
root# cd shibboleth-1.2.1
root#
root# 
root# ./configure --prefix=/opt/shibboleth-1.2.1 \
      --with-log4cpp=/opt/shibboleth-1.2.1 \
      --with-openssl=$OPENSSL \
      --enable-apache-13 --with-apxs=/usr/apache/bin/apxs \
      --enable-apache-20 --with-apxs2=/usr/apache2/bin/apxs \
      --disable-mysql
...
root# gmake 
...
root# gmake install 
...
root#

The Shibboleth Target shar is now installed in /opt/shibboleth-1.2.1/bin, the Apache modules in /opt/shibboleth-1.2.1/libexec and the shared libraries in /opt/shibboleth-1.2.1/lib.
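
Every build step above fetches its source tarball over plain HTTP and unpacks it as root, and the guide gives no digests to check against. The following POSIX sh helper is an added example, not part of the original guide: the function names are hypothetical, and the expected digest is a placeholder that must come from a trusted channel.

```shell
#!/bin/sh
# Added example: gate a downloaded tarball before "tar xvzf" runs as root.
# The guide publishes no digests; obtain them from a trusted channel.

# sha256_of FILE: print the hex SHA-256 using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then    # Solaris 10 and later
        digest -a sha256 "$1"
    else
        openssl dgst -sha256 < "$1" | awk '{print $NF}'
    fi
}

# names_are_safe: read archive member names on stdin; fail on absolute
# paths, ".." components, or an empty listing (unreadable archive).
names_are_safe() {
    awk '/^\// || /^\.\.\// || /\/\.\.\// || /\/\.\.$/ || $0 == ".." {
             bad = 1; print "unsafe member: " $0 }
         END { exit (bad || NR == 0) }'
}

# gate_tarball FILE EXPECTED_SHA256: return 0 only if the digest matches
# and every member would unpack below the current directory.
gate_tarball() {
    [ -f "$1" ] || { echo "missing: $1"; return 2; }
    actual=`sha256_of "$1" | tr 'A-F' 'a-f'`
    expected=`echo "$2" | tr 'A-F' 'a-f'`
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $1: got $actual"
        return 1
    fi
    gzip -dc "$1" | tar tf - | names_are_safe
}

# Usage in place of a bare "tar xvzf" step (the digest is a placeholder):
#   gate_tarball curl-7.12.2.tar.gz <SHA256-FROM-TRUSTED-SOURCE> \
#       && gzip -dc curl-7.12.2.tar.gz | tar xvf -
```

Run it with sh from a separate script; the tcsh build session and its environment variables are not affected.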

Administration

Now that the Shibboleth Target 1.2.1a installation is completed, you must set the correct access permissions on the log directory. You can also set up some useful administrative links to help integrate Shibboleth into your environment.

Log Access Permission

The Apache web server may run as the special www user. You must grant this user write access to the Shibboleth log directory so that the Shibboleth Target 1.2.1a Apache modules can log their operations in shire.log and rotate the log files.

Set the correct access permissions on the log directory according to the owner of the Apache process:

root# cd /opt/shibboleth-1.2.1/var/log
root# chown root:www shibboleth
root# chmod 775 shibboleth
root#
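
One way to confirm the result of the chown/chmod step, as an added POSIX sh example that is not part of the original guide: audit_logdir is a hypothetical helper that checks the owner, group and mode of the real log directory and reports any world-writable entry inside it.

```shell
#!/bin/sh
# Added example: audit the Shibboleth log directory after chown/chmod.
# Owner and group are arguments because the Apache account differs between
# hosts; the guide uses root:www. Audit the real directory, not a symlink.

# audit_logdir DIR OWNER GROUP
# Prints one line per finding; returns 0 only when there are none.
audit_logdir() {
    dir=$1; want_owner=$2; want_group=$3; findings=0

    if [ -h "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a real directory"
        return 2
    fi

    # ls -ld fields: mode, link count, owner, group, ...
    set -- `ls -ld "$dir"`
    mode=$1; owner=$3; group=$4

    [ "$owner" = "$want_owner" ] || {
        echo "$dir: owner is $owner, expected $want_owner"; findings=1; }
    [ "$group" = "$want_group" ] || {
        echo "$dir: group is $group, expected $want_group"; findings=1; }

    case $mode in
        ?????w*) ;;     # group write bit set, as chmod 775 requires
        *) echo "$dir: group cannot write ($mode)"; findings=1 ;;
    esac
    case $mode in
        ????????w*) echo "$dir: world-writable ($mode)"; findings=1 ;;
    esac

    # The log files themselves must not be world-writable either.
    loose=`find "$dir" ! -type l -perm -002 -print`
    if [ -n "$loose" ]; then
        echo "world-writable entries:"; echo "$loose"
        findings=1
    fi
    return $findings
}

# Usage with the paths and accounts from this guide:
#   audit_logdir /opt/shibboleth-1.2.1/var/log/shibboleth root www
```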

Administrative Links

You can also set up some useful administrative links:

root# cd /opt
root# ln -s shibboleth-1.2.1 shibboleth
root# cd /etc
root# ln -s /opt/shibboleth-1.2.1/etc/shibboleth shibboleth
root# cd /var/log
root# ln -s /opt/shibboleth-1.2.1/var/log/shibboleth shibboleth
root#

Configuration and Deployment within SWITCHaai Federation

Now that you have successfully compiled and installed the Shibboleth middleware, you should go further and configure your resource for the SWITCHaai Federation.

The SWITCHaai Configuration Guide (Debian and Solaris) explains how to configure the Shibboleth software to be a member of the SWITCHaai Federation.

$Id: install-target-1.2.1-solaris.html,v 1.8 2006/08/11 11:33:27 tschopp Exp $