Host Server Setup RHEL/CentOS 8

Installation Prerequisites

  • VM with Linux x64 installed - RedHat, CentOS, Oracle Linux 8

  • Root access to the server

  • The Domain name (For accessing the Sentinel Application)

  • SSL Certificate for Domain

  • SMTP Server Credentials

NGINX Server Installation (Step One)

Download and install the stable version of NGINX. Sentinel supports version 1.16+. Run the following commands:

sudo yum install yum-utils

Add the NGINX yum repository. To do this, create a file named /etc/yum.repos.d/nginx.repo with the following contents:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Set the nginx-stable repository as the default in the yum config manager:

sudo yum-config-manager --enable nginx-stable

To install NGINX, run the following command:

sudo yum install nginx

Add NGINX to the firewall:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent

Reload the firewall and verify that HTTP and HTTPS protocols are allowed:

firewall-cmd --reload
firewall-cmd --list-services --zone=public

Update the SELinux policy so that NGINX can open network connections to the Sentinel backend:

setsebool -P httpd_can_network_connect 1

Create `sentinel.conf` in the NGINX config folder:

touch /etc/nginx/conf.d/sentinel.conf

Add the following:

upstream sentinel {
	server 127.0.0.1:8787;
}

proxy_cache_path /var/cache/nginx/sentinel levels=1:2 keys_zone=sentinel_cache:50m max_size=1g inactive=60m use_temp_path=off;

server {
	listen 80;
	listen [::]:80;
	server_name sentinel.yourdomain.com;

	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name sentinel.yourdomain.com;

	ssl_certificate /path/to/sentinel.certificate;
	ssl_certificate_key /path/to/sentinel.certificate.private_key;

	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:30m;
	ssl_session_tickets off;

	# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
	# ssl_dhparam /path/to/dhparam.pem;

	# intermediate configuration
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers off;

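	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
	# Note: add_header is inherited only by blocks that declare no add_header of their own,
	# so the /static/ location and the "if" blocks below do not send this header unless it is repeated there.
	add_header Strict-Transport-Security "max-age=63072000" always;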

	# OCSP stapling
	#ssl_stapling on;
	#ssl_stapling_verify on;

	# verify chain of trust of OCSP response using Root CA and Intermediate certs
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

	# replace with the IP address of your resolver
	resolver 8.8.8.8;

	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 7;
	gzip_buffers 32 128k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	location /_ping {
		proxy_set_header Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header Accept-Encoding $http_accept_encoding;

		proxy_pass http://sentinel;
	}

	location /static/ {
		proxy_set_header Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header Accept-Encoding $http_accept_encoding;

		proxy_cache sentinel_cache;
		proxy_ignore_headers Cache-Control;
		proxy_cache_lock on;
		proxy_cache_valid any 24h;
		add_header X-Cache-Status $upstream_cache_status;

		proxy_pass http://sentinel;
	}

	location / {
		proxy_set_header Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header Accept-Encoding $http_accept_encoding;

		if ($request_method = 'OPTIONS') {
			add_header 'Access-Control-Allow-Origin' 'https://sentinel.yourdomain.com';
			add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

			add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
			add_header 'Access-Control-Max-Age' 1728000;
			add_header 'Content-Type' 'text/plain; charset=UTF-8';
			add_header 'Content-Length' 0;
			return 204;
		}

		if ($request_method = 'POST') {
			add_header 'Access-Control-Allow-Origin' 'https://sentinel.yourdomain.com';
			add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
			add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
		}

		proxy_pass http://sentinel;
	}
}

Replace the following:

  • Sentinel Domain – sentinel.yourdomain.com

  • Certificate / Chained Certificates – /path/to/sentinel.certificate

  • Certificate Private Key – /path/to/sentinel.certificate.private_key

Verify that the cache folder `/var/cache/nginx/sentinel` exists and is owned by the NGINX user:

mkdir -p /var/cache/nginx/sentinel
chown -R nginx:root /var/cache/nginx/sentinel
chmod 0700 /var/cache/nginx/sentinel
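
NGINX passes `add_header` down to a nested block only when that block declares no `add_header` of its own, so the HSTS header set at server level in the configuration above is not sent from blocks that add other headers. The shell function below is an added example, not part of the Sentinel documentation; `hsts_gaps` is a hypothetical helper name, and it assumes one directive per line with braces at line ends, as in the listing above.

```shell
#!/bin/sh
# Added example (not from the Sentinel documentation).
# Usage: hsts_gaps /etc/nginx/conf.d/sentinel.conf

# hsts_gaps CONF
# Prints the opening line of every nested block (location, if, ...) that has
# its own add_header but no Strict-Transport-Security header. These are the
# places where a server-level HSTS header stops being inherited.
hsts_gaps() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                       # ignore comments
        if (line ~ /[{][ \t]*$/) {                 # a block opens on this line
            depth++
            name[depth] = line
            gsub(/^[ \t]+|[ \t]*[{][ \t]*$/, "", name[depth])
            own[depth] = 0
            hsts[depth] = 0
        } else if (line ~ /^[ \t]*add_header[ \t]/) {
            own[depth]++                           # header declared at this level
            if (line ~ /Strict-Transport-Security/) hsts[depth] = 1
        } else if (line ~ /^[ \t]*[}][ \t]*$/) {   # a block closes
            # depth 1 is the server block itself; only nested blocks can lose HSTS
            if (depth > 1 && own[depth] > 0 && !hsts[depth]) print name[depth]
            depth--
        }
    }' "$1"
}
```

Every block it prints needs its own copy of the `Strict-Transport-Security` line if the header is to be sent from there.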

Enable the NGINX SYSTEMD service, start it, and check its status:

systemctl enable nginx
systemctl restart nginx
systemctl status nginx

Java Runtime Environment (Step Two)

Sentinel requires Java Runtime Environment (JRE). A long-term-support (LTS) release of OpenJDK, version 21 or later, is preferred.

Install via Package Manager:

yum install java-21-openjdk

Check Java Version:

java -version

Time Synchronisation Daemon (Step Three)

The Sentinel VM should have the same time zone setting as your PeopleSoft environment. A time synchronization daemon, such as NTPD or Chrony, should be used.

Install Chrony:

yum install chrony

Enable and start the chronyd SYSTEMD service:

systemctl enable chronyd
systemctl start chronyd
systemctl status chronyd

PostgreSQL Database (Step Four)

Sentinel requires the PostgreSQL 17+ database to be installed. Follow this article for PostgreSQL installation instructions.

Run the following to add a PostgreSQL Repository to the package manager and install PostgreSQL:

sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm

# Disable the built-in PostgreSQL module:
sudo dnf -qy module disable postgresql

# Install PostgreSQL:
sudo dnf install -y postgresql17-server

Check that the default SYSTEMD service is stopped:

systemctl stop postgresql-17.service
systemctl status postgresql-17.service

Copy the default service file into the /etc/systemd/system directory, using the postgres-snt service name that the later steps refer to:

cp /usr/lib/systemd/system/postgresql-17.service /etc/systemd/system/postgres-snt.service

Create PostgreSQL data directory and set owner to PostgreSQL User:

mkdir -p /opt/pgdata17
chown postgres:postgres /opt/pgdata17

Find the PGDATA line in the new service file and update it with the following:

Environment=PGDATA=/opt/pgdata17/

Reload the SYSTEMD daemon and check the status of the postgres-snt service:

systemctl daemon-reload
systemctl status postgres-snt

Initialize the PostgreSQL data directory:

/usr/pgsql-17/bin/postgresql-17-setup initdb postgres-snt

Navigate to the data directory and add the following directives to the postgresql.conf file:

# bind to the localhost IP address, or change to a local network address if
# the Sentinel server and the DB server use separate VMs
listen_addresses = '127.0.0.1'

# set strong password encryption
password_encryption = scram-sha-256

Edit the pg_hba.conf file in the PostgreSQL data directory to allow connections from the Sentinel server:

# Use localhost IP or local network address if separate VMs are used
host sentinel dean 127.0.0.1/32 scram-sha-256

Start PostgreSQL instance using SYSTEMD and check status:

systemctl start postgres-snt
systemctl status postgres-snt

Create a database and list databases to ensure that it was created:

sudo -u postgres createdb sentinel
sudo -u postgres psql -l
sudo -u postgres psql sentinel -c "CREATE EXTENSION IF NOT EXISTS btree_gin;"

Create a user dean, set a password, and grant access to the Sentinel database:

sudo -u postgres createuser dean
sudo -u postgres psql -c "ALTER USER dean WITH ENCRYPTED PASSWORD 'SetPassword';"
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE sentinel to dean;"

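PostgreSQL version 15+:

For PostgreSQL version 15 and above, additional permissions should be granted on the public schema of the sentinel database:

# connect to the sentinel database: schema privileges are granted per database
sudo -u postgres psql sentinel -c "GRANT ALL ON SCHEMA public TO dean;"

Replace 'SetPassword' with your preferred password. Verify that the user can connect: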

psql -U dean --host 127.0.0.1 sentinel -c "Select 1;"

Optional - Create a .pgpass file in the /root folder so that connection settings are passed automatically to backup scripts:

echo "127.0.0.1:5432:sentinel:dean:SetPassword" > /root/.pgpass
chmod 0600 /root/.pgpass

Setup Sentinel Server (Step Five)

Create a folder for the Sentinel software, usually /opt/sentinel:

mkdir -p /opt/sentinel

Copy the Sentinel server file to /opt/sentinel/ and create a symlink:

cd /opt/sentinel
ln -sf sentinel-23.3.1.jar sentinel.jar

Create a service file for the Sentinel server:

touch /etc/systemd/system/sentinel.service

Add the following content to the file and set credentials for PostgreSQL:

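[Unit]
Description=Sentinel Server daemon
# Use following line for local PostgreSQL
# (After= is a [Unit] directive; systemd ignores it under [Service])
After=postgres-snt.service

[Service]
# Set User= to a dedicated service account; while it stays commented out the server runs as root
#User=userowner
Type=simple
Restart=always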

Environment=DB_NAME=sentinel
Environment=DB_USER=dean
Environment=DB_PASSWORD=SetPassword
Environment=DB_HOST=127.0.0.1
Environment=DB_PORT=5432

ExecStart=/usr/bin/java -Xms4g -Xmx16g -jar /opt/sentinel/sentinel.jar start --port 8787 --hostname 127.0.0.1

[Install]
WantedBy=multi-user.target
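
Unit files under /etc/systemd/system are normally world-readable, and systemd exposes `Environment=` values to unprivileged clients, so the database password in the unit above is visible to any local user. The shell function below is an added example, not part of the Sentinel documentation: it moves the `DB_*` settings into a root-only file referenced through systemd's `EnvironmentFile=` directive. The name `externalize_db_env` and the path `/etc/sentinel/db.env` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Sentinel documentation).
# Usage, as root, before "systemctl daemon-reload":
#   mkdir -p /etc/sentinel        # hypothetical location for the secrets file
#   externalize_db_env /etc/systemd/system/sentinel.service /etc/sentinel/db.env

# externalize_db_env UNIT ENVFILE
# Moves every "Environment=DB_*=..." line of UNIT into ENVFILE (mode 0600) and
# leaves a single "EnvironmentFile=ENVFILE" line in their place.
# Returns 1 if UNIT has no inline DB_* settings.
externalize_db_env() {
    unit=$1
    envfile=$2
    grep -q '^Environment=DB_' "$unit" || return 1

    # Create the file with owner-only permissions before any secret is written.
    ( umask 077 && : > "$envfile" ) || return 1
    chmod 0600 "$envfile" || return 1
    sed -n 's/^Environment=\(DB_[A-Z_]*=.*\)$/\1/p' "$unit" >> "$envfile"

    # Rewrite the unit through a temp file; "cat >" keeps its owner and mode.
    tmp=$(mktemp) || return 1
    awk -v f="$envfile" '
        /^Environment=DB_/ {
            if (!done) { print "EnvironmentFile=" f; done = 1 }
            next
        }
        { print }
    ' "$unit" > "$tmp" && cat "$tmp" > "$unit"
    status=$?
    rm -f "$tmp"
    return "$status"
}
```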

Update SYSTEMD configuration and enable the Sentinel server:

systemctl daemon-reload
systemctl enable sentinel.service

Using your License Key and PostgreSQL database credentials, run Sentinel's INIT job:

DB_NAME=sentinel DB_PASSWORD=SetPassword DB_HOST=127.0.0.1 DB_PORT=5432 \
java -jar sentinel.jar register --license-key "Your-licence-key"

Using an email, create the first account with admin level access:

DB_NAME=sentinel DB_PASSWORD=SetPassword DB_HOST=127.0.0.1 DB_PORT=5432 \
java -jar sentinel.jar create_user --email "admin@your.domain"

Start the Sentinel server and check status:

systemctl start sentinel.service
systemctl status sentinel.service

Using a Chrome browser (required), enter the Sentinel domain to load the application.
