This page has notes on building the Shibboleth SP software on Solaris. Since the support from Internet2 for downloadable binary packages on Solaris seems weak, we will likely need to build and package the software ourselves for our Solaris-based web servers. (Also see https://spaces.internet2.edu/display/SHIB/SolarisNotes).
The test build was done on an Athena 9.4/Solaris 10 machine, which was already running Apache 1.3 with mod_ssl. It also already had cURL (version 7.16.0) installed in /usr/local, which is another prerequisite of the Shibboleth SP (and of WebAuth). The following procedure assumes that Shibboleth should be installed under the prefix /usr/local/shibboleth. It also assumes that the system already has the GNU build tools installed; in particular, most of the source packages must be built using gmake. Note, however, that postings on the Shibboleth users list mention problems seen with gcc/g++ builds on Solaris and recommend using Sun's compiler (cc/CC); gcc was nevertheless used for the initial test build below.
Build steps:
- Download the various source tarballs from http://shibboleth.internet2.edu/downloads/
- Set the OPENSSL environment variable for the build. Initially I tried /usr/sfw for this, which has the stock Solaris 10 OpenSSL; while things built OK with this setting, the resulting Apache module did not work, probably because mod_ssl had been built against the Athena OpenSSL (i.e. in /usr/athena).
- Set the umask to 022; if the umask is restrictive (e.g. 077), some directories will be created so that Apache cannot access them (see below).
- For log4cpp:
  - ./configure --disable-static --disable-doxygen --prefix=/usr/local/shibboleth
  - gmake
  - gmake install
- For xerces-c (see http://xml.apache.org/xerces-c/build.html):
  - Set the XERCESROOT environment variable to the top of the source tree, as unpacked from the tar file, e.g. /usr/local/build/xerces-c-src_2_6_1
  - cd $XERCESROOT/src/xercesc
  - ./runConfigure -p solaris -c gcc -x g++ -r pthread -b 32 -P /usr/local/shibboleth
  - gmake
  - gmake install
- For xml-security-c:
  - Download from http://xml.apache.org/security/dist/c-library/
  - ./configure --without-xalan --prefix=/usr/local/shibboleth # maybe also specify --with-xerces instead of using environment variable?
  - gmake
  - gmake install
- For opensaml (see note above concerning openssl location though):
  - ./configure --prefix=/usr/local/shibboleth --with-curl=/usr/local --with-log4cpp=/usr/local/shibboleth --with-openssl=/usr/sfw -C
  - gmake
  - gmake install
- For shibboleth-sp (finally):
  - ./configure --with-saml=/usr/local/shibboleth --with-log4cpp=/usr/local/shibboleth --enable-apache-13 --with-apxs=/usr/apache-1.3/bin/apxs --prefix=/usr/local/shibboleth -C
    (For Apache 2.2, and presumably 2.0 as well, also specify the path to apr-1-config, e.g. "--with-apr1=/usr/local/apache2/bin/apr-1-config", and change the --enable-apache option accordingly).
  - gmake
    This builds successfully, but gets lots of warnings about the -pthread option not being recognized in gcc; doc/INSTALL.txt says you can set CFLAGS in the environment before running configure (i.e. to use -pthreads).
  - gmake install
To configure Apache 1.3, create $APACHE_ROOT/conf/shib.conf, and include that from httpd.conf, e.g.:
```apache
#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/local/shibboleth/libexec/mod_shib_13.so

#
# Global Configuration
# This is the XML file that contains all the global, non-apache-specific
# configuration. Look at this file for most of your configuration parameters.
#
ShibSchemaDir /usr/local/shibboleth/share/xml/shibboleth
ShibConfig /usr/local/shibboleth/etc/shibboleth/shibboleth.xml

#
# An Apache handler needs to be established for the "handler" location.
# This applies the handler to any requests for a resource with a ".sso"
# extension.
#
<Files *.sso>
    SetHandler shib-handler
</Files>

#
# Another way of addressing this is to apply Shibboleth
# globally to the site in "lazy" session mode:
# <Location />
# AuthType shibboleth
# require shibboleth
# </Location>

#
# Used for example logo and style sheet in error templates.
#
<IfModule mod_alias.c>
    Alias /shibboleth-sp/main.css /usr/local/shibboleth/doc/shibboleth/main.css
    Alias /shibboleth-sp/logo.jpg /usr/local/shibboleth/doc/shibboleth/logo.jpg
</IfModule>

#
# Configure the module for content
#
# You can now do most of this in shibboleth.xml using the RequestMap
# but you MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</Location>

ScriptAlias /shib-testenv "/usr/apache-1.3/cgi-bin/printenv"
<Location /shib-testenv>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</Location>
```
Note that the configuration is slightly different from the Apache 2.0 configuration.
To start Apache, the LD_LIBRARY_PATH must be set for the module to be loaded, e.g. to /usr/local/shibboleth/lib:/usr/local/lib:/usr/athena/lib:/usr/sfw/lib
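The OpenSSL mismatch noted in the build steps (module built against /usr/sfw while mod_ssl used /usr/athena) can be checked before starting Apache by comparing where each object resolves libssl and libcrypto. This is an added example, not part of the original notes; the sample ldd listings are constructed, and the second argument (the httpd binary or the mod_ssl object) is whatever your Apache build uses.

```shell
#!/bin/sh
# Added example, not from the original notes: detect Apache's SSL code and
# mod_shib resolving OpenSSL from different directories.
AWK=${AWK:-awk}   # on Solaris set AWK=nawk; the old /usr/bin/awk lacks sub()

# Read `ldd` output on stdin; print each directory that supplies libssl or
# libcrypto, one per line, de-duplicated.
ssl_dirs() {
    "$AWK" '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" && $3 ~ /^\// {
                sub("/[^/]*$", "", $3); print $3 }' | sort -u
}

# Succeed only if both listings (files holding ldd output) resolve OpenSSL
# from one and the same directory.
same_openssl() {
    a=$(ssl_dirs < "$1"); b=$(ssl_dirs < "$2")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$(printf '%s\n' "$a" | wc -l)" -eq 1 ]
}

# Constructed sample listings (not captured from a real host), mirroring the
# failed first attempt: mod_shib on /usr/sfw, mod_ssl on /usr/athena.
sample_shib_sfw() { cat <<'EOF'
	libssl.so.0.9.7 =>	 /usr/sfw/lib/libssl.so.0.9.7
	libcrypto.so.0.9.7 =>	 /usr/sfw/lib/libcrypto.so.0.9.7
	libcurl.so.4 =>	 /usr/local/lib/libcurl.so.4
EOF
}
sample_modssl_athena() { cat <<'EOF'
	libssl.so.0.9.7 =>	 /usr/athena/lib/libssl.so.0.9.7
	libcrypto.so.0.9.7 =>	 /usr/athena/lib/libcrypto.so.0.9.7
EOF
}

# Real use: sh check.sh <mod_shib .so> <httpd binary or mod_ssl .so>, run with
# the same LD_LIBRARY_PATH that Apache is started with.
if [ $# -eq 2 ]; then
    t1=$(mktemp) t2=$(mktemp)
    ldd "$1" > "$t1"; ldd "$2" > "$t2"
    if same_openssl "$t1" "$t2"; then echo "OK: $(ssl_dirs < "$t1")"
    else echo "MISMATCH:"; ssl_dirs < "$t1"; ssl_dirs < "$t2"; fi
    rm -f "$t1" "$t2"
fi
```

Because ldd honours LD_LIBRARY_PATH, the order of /usr/athena/lib and /usr/sfw/lib in that variable decides which copy is reported, so run the check with exactly the value Apache will use.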
Note that certain directories under /usr/local/shibboleth were created with mode 700 (apparently from installing while umask was 077), i.e. so that Apache can't access them. The workaround is to set the umask to 022 before installing. This is presumably something we can fix easily in the build system.
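A post-install audit for the umask problem described above, as an added example that is not part of the original notes. It reports directories Apache cannot enter and, because umask 022 errs in the other direction, also reports group- or world-writable entries and world-readable key files; the `*.key` naming pattern is an assumption about how keys are named under the prefix.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an install prefix for
# modes left behind by a too-strict or too-loose umask.

# Directories that users other than the owner cannot list and enter, which is
# what an install under umask 077 produces (mode 700).
blocked_dirs() {
    find "$1" -type d ! -perm -005 -print
}

# Files or directories writable by group or other; the web server account
# should never be able to modify the module, its libraries or its config.
writable_by_others() {
    find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print
}

# Key files readable by everyone. Installing under umask 022 makes new files
# world-readable by default. The *.key pattern is an assumption; adjust it
# to the key file names actually used in your configuration.
exposed_keys() {
    find "$1" -type f -name '*.key' -perm -004 -print
}

# Run all three checks; print findings and return non-zero if any exist.
audit() {
    rc=0
    for check in blocked_dirs writable_by_others exposed_keys; do
        out=$($check "$1")
        if [ -n "$out" ]; then
            echo "== $check"; echo "$out"; rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh /usr/local/shibboleth
if [ $# -gt 0 ]; then audit "$1"; fi
```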
Note that an rc script is installed in /usr/local/shibboleth/etc/shibboleth/shibd, but this is apparently Linux-specific, as it uses #!/bin/bash, sources /etc/rc.d/init.d/functions, etc. You can just run shibd directly, e.g. "/usr/local/shibboleth/sbin/shibd &".