Host Server Setup RHEL/CentOS 9
Installation Prerequisites
VM with Linux x64 installed - RedHat, CentOS, Oracle Linux 9
Root access to the server
The Domain name (For accessing the Sentinel Application)
SSL Certificate for Domain
SMTP Server Credentials
NGINX Server Installation (Step One)
To install NGINX, run the following command:
sudo dnf install nginxAdd NGINX to the firewall:
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanentReload the firewall and verify that HTTP and HTTPS protocols are allowed:
firewall-cmd --reload
firewall-cmd --list-services –zone=publicUpdate the SELINUX Policy to allow interconnection from NGINX to Sentinel:
setsebool -P httpd_can_network_connect 1Create `sentinel.conf` in nginx config folder:
touch /etc/nginx/conf.d/sentinel.confAdd the following:
upstream sentinel {
server 127.0.0.1:8787;
}
proxy_cache_path /var/cache/nginx/sentinel levels=1:2 keys_zone=sentinel_cache:50m max_size=1g inactive=60m use_temp_path=off;
server {
listen 80;
listen [::]:80;
server_name sentinel.yourdomain.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sentinel.yourdomain.com;
ssl_certificate /path/to/sentinel.certificate;
ssl_certificate_key /path/to/sentinel.certificate.private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:30m;
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
# ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security “max-age=63072000” always;
# OCSP stapling
#ssl_stapling on;
#ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# replace with the IP address of your resolver
resolver 8.8.8.8;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 7;
gzip_buffers 32 128k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
location /_ping {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding $http_accept_encoding;
proxy_pass http://sentinel;
}
location /static/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding $http_accept_encoding;
proxy_cache sentinel_cache;
proxy_ignore_headers Cache-Control;
proxy_cache_lock on;
proxy_cache_valid any 24h;
add_header X-Cache-Status $upstream_cache_status;
proxy_pass http://sentinel;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding $http_accept_encoding;
if ($request_method = ‘OPTIONS’) {
add_header ‘Access-Control-Allow-Origin’ ‘https://sentinel.yourdomain.com’;
add_header ‘Access-Control-Allow-Methods’ ‘GET, POST, OPTIONS’;
add_header ‘Access-Control-Allow-Headers’ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization’;
add_header ‘Access-Control-Max-Age’ 1728000;
add_header ‘Content-Type’ ‘text/plain charset=UTF-8’;
add_header ‘Content-Length’ 0;
return 204;
}
if ($request_method = ‘POST’) {
add_header ‘Access-Control-Allow-Origin’ ‘https://sentinel.yourdomain.com’;
add_header ‘Access-Control-Allow-Methods’ ‘GET, POST, OPTIONS’;
add_header ‘Access-Control-Allow-Headers’ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization’;
}
proxy_pass http://sentinel;
}
}
Replace the following:
Sentinel Domain –
sentinel.yourdomain.comCertificate / Chained Certificates –
/path/to/sentinel.certificateCertificate Private Key –
/path/to/sentinel.certificate.private_key
Verify that the folder exists and is owned by the NGINX User - `/var/cache/nginx/sentinel`
mkdir -p /var/cache/nginx/sentinel
chown -R nginx:root /var/cache/nginx/sentinel
chmod 0700 /var/cache/nginx/sentinelEnable NGINX SYSTEMD Service: Start service / check status:
systemctl enable nginx
systemctl restart nginx
systemctl status nginxPostgreSQL Database (Step Four)
Sentinel requires the PostgreSQL 17+ database to be installed. Follow this article for PostgreSQL installation instructions.
Run the following to add a PostgreSQL Repository to the package manager and install PostgreSQL:
# Add postgresql repo
sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm
# Disable the built-in PostgreSQL module
sudo dnf -qy module disable postgresql
# Install PostgreSQL:
sudo dnf install -y postgresql17-server postgresql17-contrib postgresql17
sudo /usr/pgsql-17/bin/postgresql-17-setup initdb
sudo systemctl enable postgresql-17
sudo systemctl start postgresql-17
Check that the default SYSTEMD service is stopped:
systemctl stop postgresql-17.service
systemctl status postgresql-17.serviceCopy the default service file into etc directory:
sudo systemctl edit postgresql-17.service
# Add following lines to configure data directory for postgresql
# For example /opt/pgdata/
[Service]
Environment=PGDATA=/opt/pgdata/Create PostgreSQL data directory and set owner to PostgreSQL User:
mkdir -p /opt/pgdata
chown postgres:postgres /opt/pgdataReload the SYSTEMD Daemon and start Postgre-SNT service:
systemctl daemon-reload
systemctl status postgresql-17Init PostgreSQL data directory:
sudo /usr/pgsql-17/bin/postgresql-17-setup initdb postgresql-17Navigate to the data directory and add the following directives to the postgresql.conf file:
postgresql.conf file: # bind to localhost IP address or change to local network address in case
# Sentinel server and DB server uses separate VM
listen_addresses = ‘127.0.0.1’
# set strong password encryption
password_encryption = scram-sha-256Edit pg_hba.conf file in PostgreSQL data directory to allow connections from the Sentinel server:
# Use localhost IP or local network address if separate VM’s are used
host sentinel dean 127.0.0.1/32 scram-sha-256Start PostgreSQL instance using SYSTEMD and check status:
systemctl start postgresql-17
systemctl status postgresql-17
systemctl enable postgresql-17Create a database and list databases to ensure that it was created:
sudo -u postgres createdb sentinel
sudo -u postgres psql -l
sudo -u postgres psql sentinel -c "CREATE EXTENSION IF NOT EXISTS btree_gin;"Create a user dean, set a password, and grant access to the Sentinel database:
sudo -u postgres createuser dean
sudo -u postgres psql -c "ALTER USER dean WITH ENCRYPTED PASSWORD 'SetPassword';"
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE sentinel to dean;"PostgreSQL version 15+:
In case of PostgreSQL version 15 and above additional permissions should be granted:
sudo -u postgres psql -c "GRANT ALL ON SCHEMA public TO dean;"Replace 'SetPassword' with a preferable password. Verify that users can connect:
psql -U dean --host 127.0.0.1 sentinel -c "Select 1;"Optional - Create a .pgpass file in /root folder to be able to automatically pass connection settings to backup scripts:
.pgpass file in /root folder to be able to automatically pass connection settings to backup scripts: echo "127.0.0.1:5432:sentinel:dean:SetPassword" > /root/.pgpass
chmod 0600 /root/.pgpassSetup Sentinel Server (Step Five)
Create a folder for Sentinel Software, usually /opt/sentinel :
mkdir -p /opt/sentinelCopy the Sentinel server file to /opt/sentinel/ and create SYMLINK:
cd /opt/sentinel
ln -sf sentinel-23.3.1.jar sentinel.jarCreate a service file for the Sentinel server:
touch /etc/systemd/system/sentinel.serviceAdd the following content to the file and set credentials for PostgreSQL:
[Unit]
Description=Seninel Server daemon
[Service]
#User=userowner
Type=simple
Restart=always
# Use following line for local PostgreSQL
After=postgres-snt.service
Environment=DB_NAME=sentinel
Environment=DB_USER=dean
Environment=DB_PASSWORD=SetPassword
Environment=DB_HOST=127.0.0.1
Environment=DB_PORT=5432
ExecStart=/usr/bin/java -Xms4g -Xmx16g -jar /opt/sentinel/sentinel.jar start --port 8787 --hostname 127.0.0.1
[Install]
WantedBy=multi-user.targetUpdate SYSTEMD configuration and enable the Sentinel server:
systemctl daemon-reload
systemctl enable sentinel.serviceUsing your License Key and PostgreSQL database credentials, run Sentinel's INIT job:
DB_NAME=sentinel DB_PASSWORD=SetPassword DB_HOST=127.0.0.1 DB_PORT=5432 \
java -jar sentinel.jar register --license-key "Your-licence-key"Using an email, create the first account with admin level access:
DB_NAME=sentinel DB_PASSWORD=SetPassword DB_HOST=127.0.0.1 DB_PORT=5432 \
java -jar sentinel.jar create_user --email "[email protected]"Start the Sentinel server and check status:
systemctl start sentinel.service
systemctl status sentinel.serviceUsing a Chrome browser (required), enter the Sentinel domain to load the application.
Last updated