Host Server Setup RHEL/CentOS 9
Installation Prerequisites
VM with Linux x64 installed - RedHat, CentOS, Oracle Linux 9
Root access to the server
The Domain name (For accessing the Sentinel Application)
SSL Certificate for Domain
SMTP Server Credentials
NGINX Server Installation (Step One)
To install NGINX, run the following command:
sudo dnf install nginx
Add NGINX to the firewall:
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
Reload the firewall and verify that HTTP and HTTPS protocols are allowed:
firewall-cmd --reload
firewall-cmd --list-services --zone=public
Update the SELINUX Policy to allow interconnection from NGINX to Sentinel:
setsebool -P httpd_can_network_connect 1
Create `sentinel.conf` in nginx config folder:
touch /etc/nginx/conf.d/sentinel.conf
Add the following:
upstream sentinel {
    server 127.0.0.1:8787;
}
proxy_cache_path /var/cache/nginx/sentinel levels=1:2 keys_zone=sentinel_cache:50m max_size=1g inactive=60m use_temp_path=off;
server {
    listen 80;
    listen [::]:80;
    server_name sentinel.yourdomain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sentinel.yourdomain.com;
    ssl_certificate /path/to/sentinel.certificate;
    ssl_certificate_key /path/to/sentinel.certificate.private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:30m;
    ssl_session_tickets off;
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    # ssl_dhparam /path/to/dhparam.pem;
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    #ssl_stapling on;
    #ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    # replace with the IP address of your resolver
    resolver 8.8.8.8;
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 7;
    gzip_buffers 32 128k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    location /_ping {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Accept-Encoding $http_accept_encoding;
        proxy_pass http://sentinel;
    }
    location /static/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Accept-Encoding $http_accept_encoding;
        proxy_cache sentinel_cache;
        proxy_ignore_headers Cache-Control;
        proxy_cache_lock on;
        proxy_cache_valid any 24h;
        add_header X-Cache-Status $upstream_cache_status;
        proxy_pass http://sentinel;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Accept-Encoding $http_accept_encoding;
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' 'https://sentinel.yourdomain.com';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        if ($request_method = 'POST') {
            add_header 'Access-Control-Allow-Origin' 'https://sentinel.yourdomain.com';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
        }
        proxy_pass http://sentinel;
    }
}
Replace the following:
Sentinel Domain: sentinel.yourdomain.com
Certificate / Chained Certificates: /path/to/sentinel.certificate
Certificate Private Key: /path/to/sentinel.certificate.private_key
Verify that the folder exists and is owned by the NGINX User - `/var/cache/nginx/sentinel`
mkdir -p /var/cache/nginx/sentinel
chown -R nginx:root /var/cache/nginx/sentinel
chmod 0700 /var/cache/nginx/sentinel
Enable the NGINX SYSTEMD service, then restart it and check its status:
systemctl enable nginx
systemctl restart nginx
systemctl status nginx
PostgreSQL Database (Step Four)
Sentinel requires the PostgreSQL 14+ database to be installed. Follow this article for PostgreSQL installation instructions.
Run the following to add a PostgreSQL Repository to the package manager and install PostgreSQL:
# Add postgresql repo
sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm
# Disable the built-in PostgreSQL module
sudo dnf -qy module disable postgresql
# Install PostgreSQL:
sudo dnf install -y postgresql17-server postgresql17-contrib postgresql17
sudo /usr/pgsql-17/bin/postgresql-17-setup initdb
sudo systemctl enable postgresql-17
sudo systemctl start postgresql-17
Check that the default SYSTEMD service is stopped:
systemctl stop postgresql-17.service
systemctl status postgresql-17.service
Create a SYSTEMD override for the service (saved under /etc/systemd/system/postgresql-17.service.d/):
sudo systemctl edit postgresql-17.service
# Add following lines to configure data directory for postgresql
# For example /opt/pgdata/
[Service]
Environment=PGDATA=/opt/pgdata/
Create PostgreSQL data directory and set owner to PostgreSQL User:
mkdir -p /opt/pgdata
chown postgres:postgres /opt/pgdata
Reload the SYSTEMD daemon and check the postgresql-17 service:
systemctl daemon-reload
systemctl status postgresql-17
Init PostgreSQL data directory:
sudo /usr/pgsql-17/bin/postgresql-17-setup initdb postgresql-17
Navigate to the data directory and add the following directives to the postgresql.conf file:
# bind to localhost IP address or change to local network address in case
# Sentinel server and DB server use separate VMs
listen_addresses = '127.0.0.1'
# set strong password encryption
password_encryption = scram-sha-256
Edit pg_hba.conf file in PostgreSQL data directory to allow connections from the Sentinel server:
# Use localhost IP or local network address if separate VMs are used
host sentinel dean 127.0.0.1/32 scram-sha-256
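One way to check the finished pg_hba.conf before starting the instance, as an added example that is not part of the Sentinel documentation: it flags rules that use trust, password or md5 and rules open to any client address. The sample rules are constructed; on the host, run `audit_pg_hba /opt/pgdata/pg_hba.conf` (the data directory configured above).

```shell
#!/bin/sh
# Added example (not from the Sentinel documentation).
# Print one finding per risky pg_hba.conf rule; return 1 if any were found.
audit_pg_hba() {
    awk '
    function flag(why) { printf "line %d: %s: %s\n", NR, why, $0; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        if ($1 == "local") {                   # TYPE DB USER METHOD
            addr = ""; method = $4
        } else {                               # TYPE DB USER ADDRESS METHOD
            addr = $4; method = $5
            # An IPv4 address may be followed by a separate netmask column.
            if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) method = $6
        }
        if (method == "trust")    flag("trust skips authentication")
        if (method == "password") flag("password method sends cleartext")
        if (method == "md5")      flag("md5 method accepts MD5 hashes")
        if (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all")
            flag("rule matches any client address")
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: the rule from this guide plus two rules that get flagged.
sample=$(mktemp)
cat > "$sample" <<'EOF'
local   all       postgres                          peer
host    sentinel  dean      127.0.0.1/32            scram-sha-256
host    all       all       0.0.0.0/0               md5
host    sentinel  dean      10.0.0.0 255.255.255.0  trust
EOF
audit_pg_hba "$sample" || echo "review the rules listed above"
rm -f "$sample"
```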
Start PostgreSQL instance using SYSTEMD and check status:
systemctl start postgresql-17
systemctl status postgresql-17
systemctl enable postgresql-17
Create a database and list databases to ensure that it was created:
sudo -u postgres createdb sentinel
sudo -u postgres psql -l
Create a user dean, set a password, and grant access to the Sentinel database:
sudo -u postgres createuser dean
sudo -u postgres psql -c "ALTER USER dean WITH ENCRYPTED PASSWORD 'SetPassword';"
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE sentinel to dean;"
PostgreSQL version 15+:
In case of PostgreSQL version 15 and above additional permissions should be granted:
sudo -u postgres psql -c "GRANT ALL ON SCHEMA public TO dean;"
Replace 'SetPassword' with a password of your choice. Verify that the user can connect:
psql -U dean --host 127.0.0.1 sentinel -c "Select 1;"
Optional - Create a .pgpass file in /root folder to be able to automatically pass connection settings to backup scripts:
echo "127.0.0.1:5432:sentinel:dean:SetPassword" > /root/.pgpass
chmod 0600 /root/.pgpass
Setup Sentinel Server (Step Five)
Create a folder for Sentinel Software, usually /opt/sentinel:
mkdir -p /opt/sentinel
Copy the Sentinel server file to /opt/sentinel/ and create SYMLINK:
cd /opt/sentinel
ln -sf sentinel-23.3.1.jar sentinel.jar
Create a service file for the Sentinel server:
touch /etc/systemd/system/sentinel.service
Add the following content to the file and set credentials for PostgreSQL:
[Unit]
Description=Sentinel Server daemon
# Use following line for local PostgreSQL
After=postgresql-17.service
[Service]
#User=userowner
Type=simple
Restart=always
Environment=DB_NAME=sentinel
Environment=DB_USER=dean
Environment=DB_PASSWORD=SetPassword
Environment=DB_HOST=127.0.0.1
Environment=DB_PORT=5432
ExecStart=/usr/bin/java -Xms4g -Xmx16g -jar /opt/sentinel/sentinel.jar start --port 8787 --hostname 127.0.0.1
[Install]
WantedBy=multi-user.target
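The unit file above and the optional /root/.pgpass both hold the database password in plain text, and a unit file created with touch under root's usual umask is mode 0644. The following added example (not part of the Sentinel documentation) reports password-bearing files that group or others can access and writes the DB_* variables to a 0600 file that a unit can load with systemd's EnvironmentFile= directive. The file names in the demo are constructed, and it assumes Sentinel only needs the variables present in its environment.

```shell
#!/bin/sh
# Added example (not from the Sentinel documentation).
# Report files that hold a DB password but are accessible to group or others.
# Returns 1 if any such file is found.
check_secret_perms() {
    weak=0
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip (not a file): $f"; continue; }
        case "$f" in
            */.pgpass) ;;                                   # always a secret
            *) grep -q 'DB_PASSWORD=' "$f" || continue ;;   # no password inside
        esac
        mode=$(stat -c '%a' "$f")                           # GNU stat, e.g. 644
        case "$mode" in
            0|*00) echo "ok   $mode $f" ;;                  # owner-only access
            *)     echo "WEAK $mode $f"; weak=1 ;;
        esac
    done
    return $weak
}

# Write KEY=VALUE lines from stdin to an owner-only file for EnvironmentFile=.
write_env_file() {
    ( umask 077; rm -f "$1"; cat > "$1" )
}

# Demo on constructed files in a scratch directory.
demo=$(mktemp -d)
printf '[Service]\nEnvironment=DB_PASSWORD=SetPassword\n' > "$demo/sentinel.service"
chmod 0644 "$demo/sentinel.service"     # typical result of touch as root
printf 'DB_PASSWORD=SetPassword\n' | write_env_file "$demo/db.env"
check_secret_perms "$demo/sentinel.service" "$demo/db.env" || echo "fix the WEAK entries"
rm -rf "$demo"
```

libpq ignores a .pgpass file whose permissions are less strict than 0600, so the chmod step for /root/.pgpass is required for the backup scripts to work, not only a hardening measure.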
Update SYSTEMD configuration and enable the Sentinel server:
systemctl daemon-reload
systemctl enable sentinel.service
Using your License Key and PostgreSQL database credentials, run Sentinel's INIT job:
DB_NAME=sentinel DB_PASSWORD=SetPassword DB_HOST=127.0.0.1 DB_PORT=5432 \
java -jar sentinel.jar register --license-key "Your-licence-key"
Using an email, create the first account with admin level access:
DB_NAME=sentinel DB_PASSWORD=SetPassword DB_HOST=127.0.0.1 DB_PORT=5432 \
java -jar sentinel.jar create_user --email "admin@your.domain"
Start the Sentinel server and check status:
systemctl start sentinel.service
systemctl status sentinel.service
Using a Chrome browser (required), enter the Sentinel domain to load the application.