Install Shibboleth Target 1.2 on Solaris

Author: Valéry Tschopp <tschopp@switch.ch> - SWITCH
$Date: 2006/08/11 11:13:05 $
$Revision: 1.8 $

Introduction

THIS DOCUMENTATION IS DEPRECATED, PLEASE USE THE DOCUMENT install-target-1.2.1-solaris.html INSTEAD OF THIS.

The focus of this document is a detailed compilation and installation guide of Shibboleth Target 1.2 on a Sun Solaris host using Sun C/C++ Compilers.

Note: For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the Deployment section of our website.

The installation requires compiling the Shibboleth Target and some libraries from source, so the necessary build tools and development libraries must be installed on your compile host.

Required Libraries

List of libraries required by Shibboleth Target 1.2:

OpenSSL 0.9.6 or 0.9.7: SSL library, http://www.openssl.org/
libcurl 7.11.2: Transfer library with URL syntax, http://curl.haxx.se/
log4cpp 0.3.4b: Logging library, http://log4cpp.sourceforge.net/
Xerces-C++ 2.5.0: XML parser library, http://xml.apache.org/xerces-c/
XML-Security-C 1.1.0: XML digital signature library, http://xml.apache.org/security/c/
OpenSAML 1.0: Security assertion markup language library, http://www.opensaml.org/

Original Install Documents

For any other platform, please refer directly to the original INSTALL.txt files. They can be found in the source directories <PROJECT>/opensaml-1.0/doc and <PROJECT>/shibboleth-1.2/doc.

They contain more detailed information on building the Shibboleth Target 1.2 and the required libraries from source on different architectures (Linux, Solaris, ...).

Sun Solaris

To install Shibboleth Target 1.2 from source you need some building/development tools. You require a modern C/C++ compiler, a program builder (make) and some development packages.

Sun C/C++ Compiler

We chose to build the libraries and the Shibboleth Target 1.2 with the Sun Forte Developer 7 C/C++ 5.4 compiler, but others have successfully compiled them using the new Sun ONE Studio Compiler Collection 8.0.

The Forte Developer 7 C and C++ compilers are licensed software and are normally installed under /opt/SUNWspro.

If it is not the case, contact your system administrator to install the Solaris packages (SPROcc and SPROcpl).

GNU make and autoconf

Besides the standard Solaris make, building the Xerces-C and XML-Security-C libraries requires GNU make.

Building OpenSAML requires the GNU autoconf tool.

You can download the GNU make and autoconf precompiled binary packages for Solaris directly from Sunfreeware.com

Apache DSO and Extension Tool

The Shibboleth Target 1.2 is a dynamically loadable Apache module. Therefore, your Apache server must be compiled with DSO support enabled, and the Apache Extension Tool (apxs) must be available.

Shell and Environment Variables

To build the Shibboleth Target 1.2 we highly recommend using tcsh as the shell. For some unknown reason, it was impossible to build the libraries using a bash shell.

You need to set the following environment variables PATH, CC and CXX to use the Sun C and C++ compilers:

root# setenv PATH /opt/SUNWspro/bin:$PATH 
root# setenv CC cc 
root# setenv CXX CC
root#
root# cc -V
cc: Forte Developer 7 C 5.4 2002/03/09
usage: cc [ options] files.  Use 'cc -flags' for details  
root# CC -V
CC: Forte Developer 7 C++ 5.4 2002/03/09
root# which make
/usr/ccs/bin/make
root#

Libraries

The Shibboleth Target 1.2 as well as the needed libraries will be installed in: /opt/shibboleth-1.2

OpenSSL Library

OpenSSL is a toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Many sites already have the OpenSSL library installed locally. To compile the other libraries, ensure that the libssl C headers are installed as well.

You can download the OpenSSL precompiled binary package for Solaris directly from Sunfreeware.com or build it locally.

cURL Library: libcurl

cURL is a tool for transferring files with URL syntax, supporting HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and a busload of other useful tricks.

libcurl 7.11.2 is the preferred version for building Shibboleth Target 1.2. Set the environment variable OPENSSL according to your local configuration (in our case the OpenSSL library is installed under the /usr/local directory).

To build and install the libcurl library:

root# setenv OPENSSL /usr/local
root#
root# wget http://curl.haxx.se/download/curl-7.11.2.tar.gz
...
root# tar xvzf curl-7.11.2.tar.gz
...
root# cd curl-7.11.2
root# ./configure --prefix=/opt/shibboleth-1.2 --with-ssl=$OPENSSL \
       --without-ca-bundle --disable-static 
...
root# make 
...
root# make install 
...
root#

The shared library is now installed in /opt/shibboleth-1.2/lib.

Log for C++ Library: log4cpp

Log4cpp is a library of C++ classes for flexible logging to files, syslog, IDSA and other destinations. It is modeled after the Log4j Java library, staying as close to their API as is reasonable.

Shibboleth Target 1.2 requires version 0.3.4b of the log4cpp library. You must set the environment variables LD and LDFLAGS to build the library.

To build and install the log4cpp library:

root# setenv LD 'CC -KPIC'
root# setenv LDFLAGS -lpthread
root#
root# wget http://switch.dl.sourceforge.net/sourceforge/log4cpp/log4cpp-0.3.4b.tar.gz
...
root# tar xvzf log4cpp-0.3.4b.tar.gz
...
root# cd log4cpp-0.3.4b
root# ./configure --prefix=/opt/shibboleth-1.2 --with-pthreads --disable-static \
      --disable-doxygen
...
root# make 
...
root# make install 
...
root# unsetenv LD LDFLAGS 
root#

The shared library is now installed in /opt/shibboleth-1.2/lib.

Xerces-C++ Library

Xerces-C++ is a validating XML parser written in a portable subset of C++. Xerces-C++ makes it easy to give your application the ability to read and write XML data.

You have to use version 2.5 of Xerces-C++; the newer version 2.6 is incompatible with Shibboleth 1.2. Make sure you set the environment variable XERCESCROOT (don't forget the C) as appropriate. Also set the -x and -c switches as needed to specify your compilers to runConfigure.

You must use GNU make to build the Xerces-C++ library. Set the environment variable MAKE according to your local configuration (in our case /usr/local/bin/gmake).

To build and install the Xerces-C++ library:

root# setenv MAKE gmake 
root#
root# wget http://archive.apache.org/dist/xml/xerces-c/Xerces-C_2_5_0/xerces-c-src_2_5_0.tar.gz
...
root# tar xvzf xerces-c-src_2_5_0.tar.gz
...
root#
root# setenv XERCESCROOT `pwd`/xerces-c-src_2_5_0
root#
root# cd xerces-c-src_2_5_0/src/xercesc
root# ./runConfigure -p solaris -c cc -x CC -r pthread -P /opt/shibboleth-1.2
...
root# gmake 
...
root# gmake install 
...
root# unsetenv MAKE 
root#

The shared library is now installed in /opt/shibboleth-1.2/lib.

XML-Security C++ Library

The XML Security C++ library is an implementation of the XML Digital Signature specification. Shibboleth Target 1.2 requires version 1.1.0 of the XML Security library.

You'll need to set environment variable XERCESCROOT as before, and also set environment variables OPENSSL and LD_LIBRARY_PATH according to your local OpenSSL installation.

GNU make is required to build the XML-Security C++ library. Therefore, set the environment variable MAKE according to your local configuration.

The permissions of the install script install-sh need to be fixed, and the environment variable INSTALL must be set to its absolute path.

The file configure.ac must be patched. By default it sets the compiler optimization flags CFLAGS and CXXFLAGS to -O2, and this flag is not supported by the Sun Forte compiler. Therefore, you must edit the file src/configure.ac and modify the two lines containing CFLAGS and CXXFLAGS as follows:

...
if test "$enable_debug" = "yes" ; then
   CFLAGS="${CFLAGS} -g"
   CXXFLAGS="${CXXFLAGS} -g"
else
   ##CFLAGS="${CFLAGS} -O2 -DNDEBUG"
   ##CXXFLAGS="${CXXFLAGS} -O2 -DNDEBUG"
   CFLAGS="${CFLAGS} -xO2 -DNDEBUG"
   CXXFLAGS="${CXXFLAGS} -xO2 -DNDEBUG"
fi
...

Then run autoconf to regenerate the configure script.

To build and install the XML Security library:

root# setenv XERCESCROOT `pwd`/xerces-c-src_2_5_0
root# setenv OPENSSL /usr/local
root# setenv LD_LIBRARY_PATH $OPENSSL/lib
root# setenv MAKE gmake 
root#
root# wget http://xml.apache.org/dist/security/c-library/xml-security-c-1.1.0.tar.gz
...
root# tar xvzf xml-security-c-1.1.0.tar.gz
...
root# cd xml-security-c-1.1.0/src
root#
root# chmod 755 install-sh
root# setenv INSTALL `pwd`/install-sh
root#
root# vi configure.ac
root# autoconf
root#
root# ./configure --prefix=/opt/shibboleth-1.2 --without-xalan
...
root# gmake 
...
root# gmake install 
...
root# unsetenv MAKE 
root#

The shared library is now installed in /opt/shibboleth-1.2/lib.

OpenSAML Library

SAML (Security Assertion Markup Language) is a standard for the formation and exchange of authentication, attribute, and authorization data as XML. OpenSAML is a library which can be used to build, transport, and parse SAML messages. It is able to store the individual information fields that make up a SAML message, build the correct XML representation, and parse XML back into the individual fields before handing it off to a recipient. OpenSAML supports the SOAP binding for the exchange of SAML request and response objects.

The OpenSAML 1.0 library is required by Shibboleth Target 1.2.

Set the environment variable OPENSSL according to your local configuration. You should also run GNU autoconf to regenerate the configure script.

To build and install the OpenSAML library:

root# setenv OPENSSL /usr/local 
root# 
root# wget http://wayf.internet2.edu/shibboleth/opensaml-1.0.tar.gz
...
root# tar xvzf opensaml-1.0.tar.gz
...
root# cd opensaml-1.0
root#
root# autoconf 
root#
root# ./configure --prefix=/opt/shibboleth-1.2 --with-curl=/opt/shibboleth-1.2 \
       --with-log4cpp=/opt/shibboleth-1.2 --with-openssl=$OPENSSL
...
root# make 
...
root# make install 
...
root#

The shared library is now installed in /opt/shibboleth-1.2/lib.

Shibboleth Target 1.2

Building the Shibboleth Target's shar, libraries, test programs, and Apache module is more or less like building OpenSAML.

Apache Requirements

You need to have an Apache in place. You don't have to use the full Apache source code, however you will need to provide the necessary build flags during configure, or ideally, let Shibboleth's configure script use your Apache's apxs script to extract the necessary information.

Also, at a minimum, Apache needs to be built with mod_so enabled for dynamically loading modules. If you encounter problems with crashing or apparent module conflicts, make sure Apache and any modules were built with threading support.

Build and Install Shibboleth Target 1.2

Set the environment variable OPENSSL according to your local installation and configuration of OpenSSL. You must also run GNU autoconf to regenerate the configure script.

The source file shib-target/XMLRequestMapper.cpp must be patched. The first modification is a bug fix, and the second is needed because the Sun Forte compiler is much stricter than gcc (these fixes are already integrated in the official CVS tree). Therefore, you must edit the file shib-target/XMLRequestMapper.cpp and modify the two lines as shown below (the original lines are commented out):

...
 const Override* Override::locate(const char* path) const
 {
     char* dup=strdup(path);
     //char* sep=strchr(path,'?');
     char* sep=strchr(dup,'?');
     if (sep)
         *sep=0;
     for (char* pch=dup; *pch; pch++)
...
 const char* split_url(const char* url, string& vhost)
 {
     const char* path=NULL;
     //char* slash=strchr(url,'/');
     const char* slash=strchr(url,'/');
     if (slash)
     {
         slash=strchr(slash,'/');
...
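
Why the first change is a bug fix, as an added example that is not part of the original document or the Shibboleth source: it reproduces only the strdup/strchr lines visible above. The function names, the Outcome struct and the sample path are hypothetical.

```cpp
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <string>

// Pre-patch logic: '?' is searched in the caller's string, so the cut lands
// in `path`, not in the private copy. const_cast reproduces the
// const-dropping that the original line relied on.
std::string key_before_patch(const char* path)
{
    char* dup = strdup(path);
    if (!dup) return std::string();
    char* sep = const_cast<char*>(strchr(path, '?'));
    if (sep) *sep = 0;              // truncates the caller's buffer
    std::string key(dup);           // the copy still carries the query string
    free(dup);
    return key;
}

// Patched logic: search and cut inside the copy; the input stays untouched.
std::string key_after_patch(const char* path)
{
    char* dup = strdup(path);
    if (!dup) return std::string();
    char* sep = strchr(dup, '?');
    if (sep) *sep = 0;
    std::string key(dup);
    free(dup);
    return key;
}

struct Outcome { std::string key; std::string caller; };
// Runs one variant on a writable copy of a request path and reports the
// derived key plus what is left in the caller's buffer afterwards.
Outcome run(std::string (*fn)(const char*), const char* request)
{
    char buf[128];
    snprintf(buf, sizeof buf, "%s", request);
    Outcome o;
    o.key = fn(buf);
    o.caller = buf;
    return o;
}

int main()
{
    const char* req = "/secure/app?target=1";   // constructed sample input
    Outcome b = run(key_before_patch, req), a = run(key_after_patch, req);
    printf("before: key=%s caller=%s\n", b.key.c_str(), b.caller.c_str());
    printf("after:  key=%s caller=%s\n", a.key.c_str(), a.caller.c_str());
}
```

With the pre-patch line, the copy that the following loop walks still contains the query string while the caller's path has been silently shortened; the patched line reverses both effects.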

The Solaris C++ libraries libCstd and libCrun must be statically referenced by the Shibboleth Apache module (for both Apache 1.3 and 2.x). Set the C++ compiler and linker options CXXFLAGS, LD and LDFLAGS accordingly.

You must also specify the path to the Apache and Apache2 Extension Tool (apxs) if you want to build the module. Use the configure options --with-apxs=<PATH_TO_APXS> and --with-apxs2=<PATH_TO_APXS2> to build the respective Apache module.

To build and install the Shibboleth Target Apache module:

root# setenv OPENSSL /usr/local 
root# 
root# wget http://wayf.internet2.edu/shibboleth/shibboleth-1.2.tar.gz
...
root# tar xvzf shibboleth-1.2.tar.gz
...
root# cd shibboleth-1.2
root#
root# setenv CXXFLAGS "$CXXFLAGS -library=Cstd,Crun" 
root# setenv LD CC 
root# setenv LDFLAGS "-lCstd -lCrun" 
root# 
root# autoconf 
root#
root# ./configure --prefix=/opt/shibboleth-1.2 \
      --with-log4cpp=/opt/shibboleth-1.2 \
      --with-openssl=$OPENSSL \
      --enable-apache-13 --with-apxs=/usr/apache/bin/apxs \
      --enable-apache-20 --with-apxs2=/usr/apache2/bin/apxs \
      --disable-mysql
...
root# make 
...
root# make install 
...
root#

The Shibboleth Target shar is now installed in /opt/shibboleth-1.2/bin, the Apache module in /opt/shibboleth-1.2/libexec and the shared library in /opt/shibboleth-1.2/lib.

Administration

Now that the Shibboleth Target 1.2 installation is complete, you must set the correct access permissions on the log directory. You can also set up some useful administrative links to help integrate Shibboleth into your environment.

Log Access Permission

The Apache web server may run as the special www user. You must grant this user write access to the Shibboleth log directory to allow the Shibboleth Target 1.2 Apache module to log its operations in shire.log and rotate the log files.

Set the access permissions on the log directory according to the owner of the Apache process:

root# cd /opt/shibboleth-1.2/var/log
root# chown root:www shibboleth
root# chmod 775 shibboleth
root#

Administrative Links

You can also set up some useful administrative links:

root# cd /opt
root# ln -s shibboleth-1.2 shibboleth
root# cd /etc
root# ln -s /opt/shibboleth-1.2/etc/shibboleth shibboleth
root# cd /var/log
root# ln -s /opt/shibboleth-1.2/var/log/shibboleth shibboleth
root#

$Id: install-target-1.2-solaris.html,v 1.8 2006/08/11 11:13:05 tschopp Exp $