Note that the SDSS Federation no longer accepts new applications to join. Applications should instead be made to join the UK Federation. The information on this page is of historical interest only.
These are notes from a Shibboleth 1.2 installation on bodach.ucs.ed.ac.uk (bodach), which is a service machine running Solaris 2.8.
Global
Port List
The installation described here uses the following ports:
- 8005 for Tomcat shutdown (default)
- 8009 for Tomcat AJP (default)
- 8080 for Tomcat HTML (default)
- 8081 for Apache HTML
Java SDK
Bodach has an installation of something like 1.2.2 as standard (!) and also a 1.4.2_05, the latest and greatest from Sun in /usr/j2sdk1.4.2_05. The bad news is that Sun changed the public interface of something that a part of Shibboleth was relying on (probably wrongly, it is some horrid internal function table or other) and therefore 1.4.2_05 is no good right now.
I therefore downloaded a copy of 1.4.2_04 (same as Scott Cantor runs on all his boxes) and installed that locally to our shibb user, in ~/bin/j2sdk1.4.2_04.
.bashrc
Edited ~/.bashrc to allow us to get things done:
export JAVA_HOME=~/bin/j2sdk1.4.2_04 PATH=~/bin:$JAVA_HOME/bin:/usr/local/GNU/bin:/usr/X/bin:/usr/local/bin:/usr/bin:/usr/ccs/bin
export LD_LIBRARY_PATH=/usr/local/GNU/lib
After OpenSSL was installed, changed this to:
export LD_LIBRARY_PATH=/usr/local/GNU/lib:~/shibb12/openssl/lib
This gives us:
- xterm et al
- Java 1.4.2_04
- xemacs
- a "global" OpenSSL
I thought it made sense to have the java set up globally within the user.
Made the following directory structure:
- ~/bin for "global" commands
- ~/tarballs for downloaded hunks
- ~/shibb12 for the Shibboleth 1.2 install itself
- ~/shibb12/src for sources and builds of parts of the shibb12 installs
- ~/src for sources of things to install "globally"
Tomcat
Downloaded binary tarball of Tomcat 5.0.27 and unpacked into ~/shibb12/jakarta-tomcat-5.0.27
Running ~/shibb12/jakarta-tomcat-5.0.27/bin/startup.sh seems to start up Tomcat such that it can be seen on the following URL:
http://bodach.ucs.ed.ac.uk:8080/
This means no-one else has grabbed the Tomcat ports already, and is fine by me.
Edited $CATALINA_HOME/conf/tomcat-users.xml to add the following (password removed, obviously):
<role rolename="admin"/>
<role rolename="manager"/>
...
<user username="iay" password="........" roles="admin,manager"/>
Verified that remote administration now works.
Removed xercesImpl.jar and xml-apis.jar from ~/shibb12/jakarta-tomcat-5.0.27/common/endorsed so that they won't clash with the ones from Shibboleth.
Shibboleth Origin
Unpacked shibboleth-origin-1.2 tarball into ~/shibb12/src/shibboleth-origin-1.2
Copied endorsed libraries across.
Copied shibboleth.war across.
Changed server.xml to add tomcatAuthentication="false" to the AJP connector on port 8009, as in the previous document.
Verification URL gives flying pig error as expected (hooray!):
http://bodach.ucs.ed.ac.uk:8080/shibboleth/HS
OpenSSL
Downloaded and unpacked latest OpenSSL sources to ~/shibb12/src/openssl-0.9.7d
./config --prefix=$HOME/shibb12/openssl threads shared no-idea
make depend
make
make test
make install
Bad things happen if you try and say ~/shibb12 etc in the ./config line above. It also turns out to be a bad idea to build OpenSSL with the --openssldir optional parameter.
Apache
Downloaded Apache 2.0.50 source tarball and unpacked into ~/shibb12/src/httpd-2.0.50
./configure --prefix=$HOME/shibb12/apache --enable-ssl --with-ssl=$HOME/shibb12/openssl
make
make install
Changes to httpd.conf:
Listen 8081
Then:
~/shibb12/apache/bin/apachectl start
Set up conf/shibb-pass using bin/htpasswd
JK2 Connector
Downloaded latest JK2 binary release for Solaris (2.0.43) and copied mod_jk2-2.0.43.so to ~/shibb12/apache/modules.
Create ~/shibb12/apache/conf/workers2.properties:
[logger.apache2]
level=DEBUG

[shm]
file=/disk/mirror-0/homes/shibb/shibb12/apache/logs/shm.file

[channel.socket:localhost:8009]
port=8009
host=127.0.0.1

[ajp13:localhost:8009]
channel=channel.socket:localhost:8009
Changes to httpd.conf:
LoadModule jk2_module modules/mod_jk2-2.0.43.so
...
#
# Other Tomcat contexts
#
<Location /jsp-examples/>
JkUriSet worker ajp13:localhost:8009
</Location>
<Location /servlets-examples/>
JkUriSet worker ajp13:localhost:8009
</Location>
<Location /admin/>
JkUriSet worker ajp13:localhost:8009
</Location>
<Location /manager/>
JkUriSet worker ajp13:localhost:8009
</Location>
<Location /tomcat-docs/>
JkUriSet worker ajp13:localhost:8009
</Location>
#
# Shibboleth contexts
#
<Location /shibboleth/>
JkUriSet worker ajp13:localhost:8009
</Location>
<Location /shibboleth/HS>
AuthType Basic
AuthName "local authentication required"
AuthUserFile /disk/mirror-0/homes/shibb/shibb12/apache/conf/shibb-pass
</Location>
<Location /shibboleth-wayf/>
JkUriSet worker ajp13:localhost:8009
</Location>
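The httpd.conf fragment above puts Basic authentication only on /shibboleth/HS while the enclosing /shibboleth/ block and the Tomcat example contexts are forwarded to AJP with no Apache-level AuthType. The following is an added example, not part of the original notes, that audits a config in this shape: it lists every declared <Location>, works out whether JkUriSet or AuthType applies to it directly or through an enclosing prefix Location (the way Apache merges Location sections), and reports the forwarded paths that have no Apache authentication in front of them. The sample config, the placeholder AuthUserFile path and the function names are constructed for this example; only declared <Location> blocks are examined, so a sub-path such as /shibboleth/AA that is never declared does not appear.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an httpd.conf for
# <Location> blocks that JK2 hands to Tomcat (JkUriSet) and report whether
# Apache-level authentication (AuthType) covers each one. Only declared
# <Location> blocks are considered; the sample config and paths below are
# constructed for this example.

# Print one line per <Location> block: "<path> proxied|local auth|noauth".
# A block counts as proxied/protected if it, or any enclosing <Location>
# whose path prefix covers it, carries JkUriSet / AuthType, mirroring how
# Apache merges Location sections by path prefix.
audit_locations() {
    awk '
        # Does Location p apply to path q? (exact, or prefix on a "/" boundary)
        function covers(p, q,   l) {
            l = length(p)
            if (p == q) return 1
            if (substr(q, 1, l) != p) return 0
            return (substr(p, l) == "/" || substr(q, l + 1, 1) == "/")
        }
        /^[[:space:]]*<Location[[:space:]]/ {
            n++; path[n] = $2; sub(/>$/, "", path[n])
            jk[n] = 0; auth[n] = 0; cur = n; next
        }
        cur && /^[[:space:]]*JkUriSet[[:space:]]+worker/ { jk[cur] = 1 }
        cur && /^[[:space:]]*AuthType[[:space:]]/        { auth[cur] = 1 }
        /^[[:space:]]*<\/Location>/ { cur = 0 }
        END {
            for (i = 1; i <= n; i++) {
                proxied = 0; protected = 0
                for (j = 1; j <= n; j++) {
                    if (covers(path[j], path[i])) {
                        if (jk[j])   proxied = 1
                        if (auth[j]) protected = 1
                    }
                }
                printf "%s %s %s\n", path[i], (proxied ? "proxied" : "local"),
                                     (protected ? "auth" : "noauth")
            }
        }
    ' "$1"
}

# Paths forwarded to Tomcat with no Apache authentication in front of them.
unprotected_proxied() {
    audit_locations "$1" | awk '$2 == "proxied" && $3 == "noauth" { print $1 }'
}

# Constructed sample mirroring the shape of the httpd.conf fragment above.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<Location /manager/>
JkUriSet worker ajp13:localhost:8009
</Location>
<Location /shibboleth/>
JkUriSet worker ajp13:localhost:8009
</Location>
<Location /shibboleth/HS>
AuthType Basic
AuthName "local authentication required"
AuthUserFile /path/to/shibb-pass
</Location>
EOF

audit_locations "$SAMPLE_CONF"
```

Run it against the real httpd.conf by passing its path to audit_locations instead of the constructed sample. On the sample it reports /manager/ and /shibboleth/ as proxied with no Apache-level auth and /shibboleth/HS as proxied and protected, which is exactly the division the fragment above sets up; anything forwarded without an AuthType is relying on Tomcat's own realm (tomcat-users.xml) or on nothing at all, and is worth checking deliberately.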
Target
Libcurl
Made sure LD_LIBRARY_PATH had SSL libraries in it.
./configure --disable-static --without-ca-bundle --enable-thread --with-ssl=$HOME/shibb12/openssl --prefix=$HOME/shibb12/shibboleth
make
make install
log4cpp
NB the -pthreads in the following; on Linux this would be -pthread.
./configure --prefix=$HOME/shibb12/shibboleth --with-pthreads=yes --enable-static=no --enable-doxygen=no CXXFLAGS="-pthreads"
make
make install
Xerces
cd ~/shibb12/src/xerces-c-src_2_5_0
export XERCESCROOT=`pwd`
cd src/xercesc
./runConfigure -p solaris -c gcc -x g++ -r pthread -b 32 -P $HOME/shibb12/shibboleth
make
make install
XML Security
cd ~/shibb12/src/xml-security-c-1.1.0/src
export OPENSSL=$HOME/shibb12/openssl
./configure --prefix=$HOME/shibb12/shibboleth --without-xalan
make
make install
As predicted, the install step fails on Solaris. Their recipe to do it manually is also wrong, alas. Reading between the lines, this is what they meant as translated into our configuration:
cp -r ../include/xsec $HOME/shibb12/shibboleth/include
cp ../lib/libxml-security-c.so.11.0 $HOME/shibb12/shibboleth/lib
cd $HOME/shibb12/shibboleth/lib
ln -s libxml-security-c.so.11.0 libxml-security-c.so.11
ln -s libxml-security-c.so.11.0 libxml-security-c.so
OpenSAML
cd ~/shibb12/src/opensaml-1.0
./configure --prefix=$HOME/shibb12/shibboleth --with-curl=$HOME/shibb12/shibboleth --with-log4cpp=$HOME/shibb12/shibboleth --with-openssl=$HOME/shibb12/openssl -C
make
cd test
./tester -dump file -skipis
./tester -edir .
cd ..
make install
Shibboleth Target
cd ~/shibb12/src/shibboleth-1.2
rm -rf ~/shibb12/shibboleth/include/rpc
./configure --prefix=$HOME/shibb12/shibboleth --with-log4cpp=$HOME/shibb12/shibboleth --with-openssl=$HOME/shibb12/openssl --enable-apache-20 --with-apxs2=$HOME/shibb12/apache/bin/apxs -C
Configuring for Shibboleth 1.3 additionally seems to require:
... --with-saml=$HOME/shibb13/shibboleth --with-apr=$HOME/shibb13/apache/bin/apr-config
In either case (1.2/1.3) then:
make
make install
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:~/shibb12/shibboleth/lib
~/shibb12/shibboleth/bin/shibtest -h test-handle -f urn:mace:shibboleth:test:nameIdentifier -q urn:mace:inqueue:example.edu
Start shar manually (NB LD_LIBRARY_PATH already set):
~/shibb12/shibboleth/bin/shar -f &
Added stuff from ~/shibb12/shibboleth/etc/shibboleth/apache2.config to the end of httpd.conf
Created ~/shibb12/apache/htdocs/secure/index.html as a basic test file. Accessed it like this:
http://bodach.ucs.ed.ac.uk:8081/secure/index.html
Observed redirect to standard WAYF. Modified ~/shibb12/shibboleth/etc/shibboleth/shibboleth.xml to change the test wayfURL from https://wayf.internet2.edu/InQueue/WAYF to http://bodach.ucs.ed.ac.uk:8081/shibboleth/HS to use local handle server as fake WAYF. Modified AttributeAuthority for the Localhost Test Deployment from https://localhost/shibboleth/AA to http://bodach.ucs.ed.ac.uk:8081/shibboleth/AA to use local attribute authority.
Changed origin's config file ~/shibb12/jak.../webapps/shibboleth/WEB-INF/classes/conf/localhost-sites.xml so that the localhost test site's acceptance url is not https://localhost/Shibboleth.shire but http://bodach.ucs.ed.ac.uk:8081/Shibboleth.shire
It now does the loop the loop to the target page...