The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

SPSolarisInstall

Owned by Scott Cantor
Last updated: May 19, 2011Version comment
4 min read

It's strongly recommended that Solaris deployments of the Shibboleth SP be built from source, although there are binaries available for Solaris 2.8. Solaris does not come with GCC 3, but various versions can be obtained from http://www.sunfreeware.com. Use of GCC is recommended, but new releases of Sun's Forte compiler have been used successfully with some tinkering with configuration scripts. If building your own, GCC must be configured to use Sun's linker. Note that you should use a consistent version of GCC across any other C++ libraries in use within Apache, but other C++ code on your server can freely use a different version as long as the necessary libstdc++.so for a given version is available.

1. Prepare the Environment:

A long list of additional software required that changes more frequently is maintained alongside the build instructions.

  • Apache 1.3.x:Apache 1.3.x must be compiled with mod_so for DSO module support, and should include SSL support (preferably using mod_ssl=), and EAPI support (which =mod_ssl requires and provides).
    Portions of the libphp4 Apache module are written in C++, as is the Shibboleth SP. There is a known conflict on Unix-based platforms between the PHP extensions libpspell.so and libsablot.so which will manifest itself as segmentation faults when starting Apache. If a site wants to use libphp4.so and Shibboleth at the same time, then one of the following may be done:
    • Remove the options --with-pspell and --with-xslt-sablot from PHP's configuration;
    • Rebuild these two modules using the same version of GCC that was used to compile Shibboleth.
  • Apache 2.0.x: Apache 2.0.x must be compiled with mod_so for DSO module support, and should include SSL support which is available but not included by default.
    Portions of the libphp4 Apache module are written in C++, as is the Shibboleth SP. There is a known conflict on Unix-based platforms between the PHP extensions libpspell.so and libsablot.so which will manifest itself as segmentation faults when starting Apache. If a site wants to use libphp4.so and Shibboleth at the same time, then one of the following may be done:
    • Remove the options --with-pspell and --with-xslt-sablot from PHP's configuration;
    • Rebuild these two modules using the same version of GCC that was used to compile Shibboleth.
  • OpenSSL: The shared library version of OpenSSL is required by Shibboleth. The static libraries may be installed as well if necessary for other applications, but cannot be linked into mod_ssl or any other Apache modules. If mod_ssl's libssl.so module is linked against the static version, bus errors will result.
    To check how mod_ssl was built, run the ldd command against libssl.so in the Apache libexec/ folder and check the output for references to libssl.so.0.9.7 . If you see an earlier version mentioned, or no mention of it at all, then OpenSSL 0.9.7 must be built with shared libraries from source, and the Apache module rebuilt with it.

openssl-0.9.7g , the latest security fix release, has been tested, but any 0.9.7 version should work.

    • If the OpenSSL libraries are not in the system's search path, they should be added to the LD_LIBRARY_PATH used by Apache. You will also usually need to add /opt/shibboleth/lib to LD_LIBRARY_PATH as well.

2. Install Shibboleth:

Shibboleth should usually be built from source on Solaris. To build the actual module, please follow the separate build directions before continuing on.

There is a set of binaries available for Solaris 2.8 available from the main download site that you may attempt to use. It's strongly discouraged to use these in production.

3. Configure Shibboleth:

Add the newly compiled or installed modules to Apache next.

  1. Edit httpd.conf :
    • Shibboleth includes configuration directives in the files /opt/shibboleth/etc/shibboleth/apache.config , /opt/shibboleth/etc/shibboleth/apache2.config , and /opt/shibboleth/etc/shibboleth/apache22.config which must be Included in the httpd.conf file used locally. Be wary of placing the Include directive in the wrong VirtualHost .
    • The UseCanonicalName directive should be set to On or resource mapping errors will result.
    • Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
  2. /opt/shibboleth/sbin/shibd must be independently started and run in order to handle access requests. In most cases, the build process ensures that shibd can locate the configuration file and schemas, but the SHIBCONFIG and SHIBSCHEMAS environment variables may be used as well. Command line options can also be used to specify them.
  3. By default, the Shibboleth module is configured to log information on behalf of Apache to /var/log/httpd/native.log , though this can be changed by modifying the .logger files pointed to by the configuration. For this log to be created, Apache must have permission to write to this file, which may require that the file be manually created and permissions assigned to whatever user Apache is configured to run under. If the file does not appear when Apache runs with the modules loaded, check for permission problems or change the location used.
  4. shibd creates its own separate logs at /var/log/shibboleth/shibd.log and must have appropriate write permissions itself as well.

At this point, you should have a fully functional SP, but before it can be tested, you'll need to configure it to interoperate with an !IdP. Many federations will provide these for their community, and TestShib is available for anyone to test with.