Building Shibboleth SP 1.3 on Solaris

Please note that these instructions are for the 1.3 SP only; new deployments should use version 2.x. Please see https://spaces.internet2.edu/display/SHIB2/NativeSPSolarisInstall for help on building 2.x for Solaris.

This page has notes on building the Shibboleth SP 1.3 software on Solaris.  Since the support from internet2 for downloadable binary packages on Solaris seems weak, we will likely need to build and package the software ourselves for our Solaris-based web servers.  (Also see  https://spaces.internet2.edu/display/SHIB/SolarisNotes).

The initial test build was done on an Athena 9.4/Solaris 10 machine, which was already running Apache 1.3 with mod_ssl.  (It also previously contained an installation of cURL (version 7.16.0) in /usr/local, which is another prerequisite of the Shibboleth SP, and is also a prerequisite of WebAuth; cURL was rebuilt using the Sun compiler for subsequent builds).  The following procedure assumes that Shibboleth should be installed under the prefix /usr/local/shibboleth.  It also assumes that the system already has the GNU build tools installed; in particular, most of the source packages must be built using gmake.  But, note that postings on the Shibboleth users list mention problems seen with gcc/g++ builds on Solaris, and recommend using Sun's compiler (cc/CC); gcc was used for the initial test build below, though.

Build steps: 

• Download and extract the various source tarballs from http://shibboleth.internet2.edu/downloads/
• To use the Sun compiler instead of gcc, set the CC and CXX environment variables to cc and CC, respectively.  For gcc, set the values to gcc and g++, respectively.
• Set the OPENSSL environment variable for the build.  Initially I tried /usr/sfw for this, which has the stock Solaris 10 OpenSSL; while things built OK with this setting, the resulting Apache module did not work, probably because mod_ssl had been built against the Athena OpenSSL.  I then set the variable to point at the Athena version (i.e. /usr/athena).  NOTE: To build against a different openssl from the one that the pkg-config program in your PATH will know about, also set the PKG_CONFIG_PATH variable accordingly, i.e. to $OPENSSL/lib/pkgconfig.  NOTE: If you build openssl using the compiler in SunStudio 11 (by default its build system will use the Sun compiler if present), a bug in the compiler causes flawed code to be produced,  which is manifested by the failure of "gmake test".  The bug is fixed in patch 120760 (revision 05 or higher); a workaround is to add the flag  "-W2,-Rloop_reform" after "-xdepend" in the settings for solaris-sparcv9-cc in the Configure script.  Patch 120760 was applied to the sunsoft locker's version of Studio 11 as of 4/10/07, so builds compiled after that date using the locker should be OK.
• Set the umask to 022; if the umask is restrictive (e.g. 077), some directories will be created so that Apache cannot access them (see below).
• For curl:
  • ./configure --disable-static --without-ca-bundle --enable-thread --prefix=/usr/local/shibboleth
  • gmake
  • gmake install
• For log4cpp:
  • ./configure --disable-static --disable-doxygen --prefix=/usr/local/shibboleth
  • gmake
  • gmake install
• For xerces-c (see http://xml.apache.org/xerces-c/build.html):
  • Set the XERCESCROOT environment variable to the top of the source tree, as unpacked from the tar file, e.g. /usr/local/build/xerces-c-src_2_6_1
  • cd $XERCESCROOT/src/xercesc
  • ./runConfigure -p solaris -c $CC -x $CXX -r pthread -b 32 -P /usr/local/shibboleth
  • gmake
  • gmake install
• For xml-security-c:
  • Download version 1.2.1 from http://xml.apache.org/security/dist/c-library/.  Note that 1.3.1 is the latest version, but we encountered problems with this version after enabling signed assertions on the IdP -- the validation of the assertion fails.  The binaries from internet2 use 1.2.1.  Unfortunately, 1.2.1's build system has problems on Solaris, particularly when using Sun's compiler, so you have to resort to some hackery to get it to build; http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-solaris.html#shibboleth-sp was a useful guide for much of this.
  • cd src
  • ZEST:patch the configure script to use the correct optimization option, and to correctly specify the library search path to find the OpenSSL crypto library
  • ZEST:patch enc/XSECCryptoX509.cpp so that it compiles using the Sun C++ compiler
  • LDFLAGS="-L$OPENSSL/lib -lCrun" ./configure --without-xalan --prefix=/usr/local/shibboleth    # maybe also specify --with-xerces instead of using environment variable?
  • gmake
  • gmake install
• For opensaml (see note above concerning openssl location though):
  • ./configure --prefix=/usr/local/shibboleth --with-curl=/usr/local --with-log4cpp=/usr/local/shibboleth --with-openssl=/usr/sfw -C
  • gmake
  • gmake install
• For shibboleth-sp (finally):
  • ./configure --with-saml=/usr/local/shibboleth --with-log4cpp=/usr/local/shibboleth --enable-apache-13 --with-apxs=/usr/apache-1.3/bin/apxs --prefix=/usr/local/shibboleth -C
    (For Apache 2.2, and presumably 2.0 as well, also specify the path to apr-1-config, e.g. "--with-apr1=/usr/local/apache2/bin/apr-1-config", and change the --enable-apache option accordingly.  When using Sun's compiler, also specify "CXXFLAGS='-library=Cstd,Crun' LDFLAGS=-lz", per the Solaris build notes on the Shibboleth wiki).
  • gmake
    This builds successfully, but gets lots of warnings about the -pthread option not being recognized in gcc; doc/INSTALL.txt says you can set CFLAGS in the environment before running configure (i.e. to use -pthreads).
  • gmake install

To configure Apache 1.3, create $APACHE_ROOT/conf/shib.conf, and include that from httpd.conf, e.g.:

#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/local/shibboleth/libexec/mod_shib_13.so

#
# Global Configuration
# This is the XML file that contains all the global, non-apache-specific
# configuration.  Look at this file for most of your configuration parameters.
#
ShibSchemaDir /usr/local/shibboleth/share/xml/shibboleth
ShibConfig /usr/local/shibboleth/etc/shibboleth/shibboleth.xml

#
# An Apache handler needs to be established for the "handler" location.
# This applies the handler to any requests for a resource with a ".sso"
# extension.
#
<Files *.sso>
SetHandler shib-handler
</Files>
#
# Another way of addressing this is to apply Shibboleth
# globally to the site in "lazy" session mode:
# <Location />
# AuthType shibboleth
# require shibboleth
# </Location>

#
# Used for example logo and style sheet in error templates.
#
<IfModule mod_alias.c>
  Alias /shibboleth-sp/main.css /usr/local/shibboleth/doc/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /usr/local/shibboleth/doc/shibboleth/logo.jpg
</IfModule>

#
# Configure the module for content
#
# You can now do most of this in shibboleth.xml using the RequestMap
# but you MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>

ScriptAlias /shib-testenv "/usr/apache-1.3/cgi-bin/printenv"
<Location /shib-testenv>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>

Note that the configuration is slightly different from the Apache 2.0 configuration. 

To start Apache, the LD_LIBRARY_PATH must be set for the module to be loaded, e.g. to /usr/local/shibboleth/lib:/usr/local/lib:/usr/athena/lib:/usr/sfw/lib

Note that certain directories under /usr/local/shibboleth were created with mode 700 (apparently from installing while umask was 077), i.e. so that Apache can't access them.  The workaround is to set the umask to 022 before installing.  This is presumably something we can fix easily in the build system.

Note that an rc script is installed in /usr/local/shibboleth/etc/shibboleth/shibd, but this is apparently Linux-specific, as it uses #!/bin/bash, sources /etc/rc.d/init.d/functions, etc.  You can just run shibd directly, e.g. "/usr/local/shibboleth/sbin/shibd &".