View Source

This document describes how to configure, compile, and install the Shibboleth components
on Solaris 10. The SP is built to run under the native apache2 server. Components that
use SSL are linked with the native OpenSSL libraries. All executables and libraries are
built with a runtime library path so that LD_LIBRARY_PATH is not necessary. This is the
recommended practice for Solaris. Additional components all install into /usr/local.

SP Components

I have versions of these scripts that I used under Opensolaris 2009.6 with Shib 2.1. See geneva.rutgers.edu/shib21-opensolaris.tar. They assume (1) ssl is in /usr/local/ssl, (2) apache 2.2 installed from the repository, (3) shib goes into /usr/local/shibboleth. --hedrick@rutgers.edu

Openssl
This is present in /usr/sfw and can be used by other components.

libcurl
This is a library for URL manipulation. It has no non-native dependancies. The
version name is curl-7.18.2. Configure with this script:

#!/bin/sh
# Built on Solaris 10 with the native OpenSSL libraries
# Using Shibboleth recommended options

PATH=/usr/sfw/bin:/opt/SUNWspro/bin:/usr/bin:/usr/ccs/bin:/usr/dt/bin:/usr/openwin/bin:/usr/sbin; export PATH

env     CC=cc \
        INSTALL=/usr/ucb/install \
        LDFLAGS="-R/usr/sfw/lib" \
        ./configure \
        --with-ssl=/usr/sfw \
        --disable-static \
        --without-ca-bundle \
        --enable-thread

#!/end

Compile with `make'.

log4shib
This is a C++ logging library that's specific to shibboleth. It also has no
non-native dependancies. The version name is log4shib-1.0. Configure with this
script:

#!/bin/sh
# Built on Solaris 10 with the native OpenSSL libraries
# Using Shibboleth recommended options

PATH=/usr/sfw/bin:/opt/SUNWspro/bin:/usr/bin:/usr/ccs/bin:/usr/dt/bin:/usr/openwin/bin:/usr/sbin; export PATH

env     CC=cc \
        CXX=CC \
        CFLAGS=-xO2 \
        CXXFLAGS=-xO2 \
        INSTALL=/usr/ucb/install \
        LDFLAGS="-R/usr/sfw/lib" \
        ./configure \
        --disable-static \
        --disable-doxygen

#!/end

Compile with `make'.

Xerces-C
This is an XML parser for C++ from Apache Foundation. The recommended version is 2.8.0,
which is also the current version. It has no non-native dependancies. The version name is
xerces-c-2.8.0. Configure with this script:

#!/bin/sh
# Built on Solaris 10
# Using Shibboleth recommended options
# Requires GNU make

PATH=/usr/sfw/bin:/opt/SUNWspro/bin:/usr/bin:/usr/ccs/bin:/usr/dt/bin:/usr/openwin/bin:/usr/sbin; export PATH
XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT

cd src/xercesc

env CFLAGS=-xO2 \
    CXXFLAGS=-xO2 \
    INSTALL=/usr/ucb/install \
    ./runConfigure -p solaris -c cc -x CC \
    -r pthread -b 32 -P /usr/local

# LDFLAGS="-R/usr/sfw/lib"

#!/end

Compile with this script:

#!/bin/sh

XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT
LD_RUN_PATH=/usr/local/lib; export LD_RUN_PATH
# DBGFLAGS=-g; export DBGFLAGS

cd src/xercesc

exec gmake "$@"

#!/end

XML-Security-C
This is the Apache C++ XML Signature and Encryption library. The recommended version is
1.4.0, also the current version. It requires OpenSSL and Xerces-C. The version name is
xml-security-c-1.4.0. Configure with this script:

#!/bin/sh
# Built on Solaris 10
# Using Shibboleth recommended options
# Requires GNU make
# Requires mapfile to define EVP_aes_192_cbc and EVP_aes_256_cbc

PATH=/usr/sfw/bin:/opt/SUNWspro/bin:/usr/bin:/usr/ccs/bin:/usr/dt/bin:/usr/openwin/bin:/usr/sbin; export PATH
XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT

env CC=cc CXX=CC \
    CFLAGS=-xO2 \
    CXXFLAGS=-xO2 \
    INSTALL=/usr/ucb/install \
    LD_OPTIONS="-M mapfile" \
    ./configure \
    --disable-static \
    --without-xalan \
    --with-openssl=/usr/sfw

# LDFLAGS="-R/usr/sfw/lib"

#!/end

This is `mapfile', required to work around a Solaris SSL library bug:

{
        global:
                EVP_aes_192_cbc = FUNCTION FILTER libcrypto_extra.so.0.9.7;
                EVP_aes_256_cbc = FUNCTION FILTER libcrypto_extra.so.0.9.7;
                EVP_aes_192_ecb = FUNCTION FILTER libcrypto_extra.so.0.9.7;
                EVP_aes_256_ecb = FUNCTION FILTER libcrypto_extra.so.0.9.7;
};

Compile with this script:

#!/bin/sh

_pwd=${PWD:-`pwd`}
XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT
LD_RUN_PATH=/usr/sfw/lib:/usr/local/lib; export LD_RUN_PATH
LD_OPTIONS="-M $_pwd/mapfile"; export LD_OPTIONS

exec gmake "$@"

#!/end

XMLTooling-C
This is a library used by OpenSAML 2. It requires log4shib, libcurl, OpenSSL, Xerces-C,
and XML-Security-C. Make sure that you don't have another version of OpenSSL installed
in /usr/local. The version name is xmltooling-1.0. Configure with this script:

#!/bin/sh
# Built on Solaris 10
# Using Shibboleth recommended options
# Requires GNU make
# Requires packages: curl-7.18.2 log4shib-1.0 xerces-c-2.8.0
#    xml-security-c-1.4.0

PATH=/usr/sfw/bin:/opt/SUNWspro/bin:/usr/bin:/usr/ccs/bin:/usr/dt/bin:/usr/openwin/bin:/usr/sbin; export PATH
# XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT

env CC=cc CXX=CC \
    CFLAGS=-xO2 \
    CXXFLAGS=-xO2 \
    INSTALL=/usr/ucb/install \
    ./configure \
    --with-log4shib=/usr/local \
    --with-xerces=/usr/local \
    --with-xmlsec=/usr/local \
    --with-openssl=/usr/sfw \
    --with-curl=/usr/local

#!/end

Compile with this script:

#!/bin/sh

# XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT
LD_RUN_PATH=/usr/sfw/lib:/usr/local/lib; export LD_RUN_PATH
# DBGFLAGS=-g; export DBGFLAGS

exec gmake "$@"

#!/end

OpenSAML-C
This is a set of C++ and Java libraries for SAML. It requires log4shib, libcurl, OpenSSL, Xerces-C, XML-Security-C, and XMLTooling-C. The version name is opensaml-2.0.
Configure with this script:

#!/bin/sh
# Built on Solaris 10
# Using Shibboleth recommended options
# Requires GNU make
# Requires packages: curl-7.18.2 log4shib-1.0 xerces-c-2.8.0
#    xml-security-c-1.4.0 xmltooling-1.0

PATH=/usr/sfw/bin:/opt/SUNWspro/bin:/usr/bin:/usr/ccs/bin:/usr/dt/bin:/usr/openwin/bin:/usr/sbin; export PATH
# XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT

env CC=cc CXX=CC \
    CFLAGS=-xO2 \
    CXXFLAGS=-xO2 \
    INSTALL=/usr/ucb/install \
    ./configure \
    --with-log4shib=/usr/local \
    --with-xerces=/usr/local \
    --with-xmlsec=/usr/local \
    --with-xmltooling=/usr/local \
    --with-openssl=/usr/sfw \
    --with-curl=/usr/local

#!/end

Compile with this script:

#!/bin/sh

# XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT
LD_RUN_PATH=/usr/sfw/lib:/usr/local/lib; export LD_RUN_PATH
# DBGFLAGS=-g; export DBGFLAGS

exec gmake "$@"

#!/end

Shibboleth
This is the SP itself. It requires OpenSSL, log4shib, Xerces-C, XML-Security-C,
XMLTooling-C, and OpenSAML-C. In order to use apxs on Solaris 10, add this symlink:

/usr/apache2/build -> /var/apache2/build

Installing this component does not update the apache2 configuration files. The version
name is shibboleth-2.0. Configure with this script:

#!/bin/sh
# Built on Solaris 10
# Using Shibboleth recommended options
# Requires GNU make
# Requires packages: log4shib-1.0 xerces-c-2.8.0
#    xml-security-c-1.4.0 xmltooling-1.0 opensaml-2.0

PATH=/usr/sfw/bin:/opt/SUNWspro/bin:/usr/bin:/usr/ccs/bin:/usr/dt/bin:/usr/openwin/bin:/usr/sbin; export PATH
# XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT

env CC=cc CXX=CC \
    CFLAGS=-xO2 \
    CXXFLAGS="-xO2 -library=Cstd,Crun" \
    INSTALL=/usr/ucb/install \
    ./configure \
    --enable-apache-20 \
    --with-log4shib=/usr/local \
    --with-xerces=/usr/local \
    --with-xmlsec=/usr/local \
    --with-xmltooling=/usr/local \
    --with-openssl=/usr/sfw \
    --with-saml=/usr/local \
    --with-apxs2=/usr/apache2/bin/apxs

# LDFLAGS="-R/usr/sfw/lib"

#!/end

Compile with this script:

#!/bin/sh

# XERCESCROOT=/usr/local/src/xerces-c/xerces-c-src_2_8_0; export XERCESCROOT
LD_RUN_PATH=/usr/sfw/lib:/usr/local/lib; export LD_RUN_PATH
# DBGFLAGS=-g; export DBGFLAGS

exec gmake "$@"

#!/end

Installation

Some components will need to be installed so that others can be built. This is noted
in the configure scripts. All components can be installed with either `make install'
or by executing the make script with the `install' option. At my university, we don't
install them directly but build packages first, and then install them from the packages.
If there is interest, I can make these packages available. They are compiled for the
x86 flavour of Solaris 10 only.

Apache2 configuration

On Solaris 10, all apache2 configuration files reside in /etc/apache2. You will have
to insert:

Include /usr/local/etc/shibboleth/apache2.config

into ssl.conf. Just before:

#   Pass Phrase Dialog:

is a good place. As well, you will have to comment out this line in the same file:

SSLCryptoDevice pkcs11

This prevents a mysterious interaction with the Shibboleth module that causes CGI
execution to hang because apache is waiting on a mutex.

`shibd' should be started at boot time. On Solaris 10, this is done with an SMF
manifest. These typically reside in /var/svc/manifest. The `site' subdirectory is
a suitable place for locally-added manifests.

Log files for the apache module are defined in /usr/local/etc/shibboleth/native.logger.
Likewise, for shibd they are defined in /usr/local/etc/shibboleth/shibd.logger. These
can be changed to more suitable locations, or the /usr/local/var/log/shibboleth directory
can be replaced to a symlink, to /var/log/shibboleth for example.