Installing Sentinel Runtime Objectives Setting up a Horizon Sentinel running on one of the following Operating Systems Secure access with encrypted passwords to the Karaf shell Sentinel can be configured with the Karaf Shell from the server via ssh admin@localhost -p 8301 Sentinel is running as user sentinel without root permissions Requirements Linux physical server or a virtual machine running a supported Linux operating system Internet access to download the installation packages Ensure DNS is configured, localhost and your servers host name is resolved properly Horizon Core instance runs on latest stable release Java installed OpenJDK 8, OpenJDK 11 System user with administrative permissions (sudo) to perform the installation tasks If you run Debian, you have to install and configure sudo yourself. A guide can be found in the Debian Wiki. Installing the Sentinel package CentOS/RHEL 8 CentOS/RHEL 7 Ubuntu Debian Install OpenJDK 11 JRE runtime sudo dnf -y install java-11-openjdk-headless Add repository and import GPG key sudo dnf -y install https://yum.opennms.org/repofiles/opennms-repo-stable-rhel7.noarch.rpm sudo rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY Installing the of Horizon Sentinel sudo dnf -y install opennms-sentinel Disable the OpenNMS Horizon repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Horizon requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, it is recommended to exclude the Horizon packages from update except when you are planning on performing an upgrade. Disable auto updates for Horizon Sentinel sudo dnf config-manager --disable opennms-repo-stable-* Verify directory structure with the tree command sudo dnf -y install tree tree /opt/sentinel -L 1 Directory structure after successful installation /opt/sentinel ├── bin ├── COPYING ├── deploy ├── etc ├── lib └── system Enable Horizon Sentinel on system boot and start immediately sudo systemctl enable --now sentinel Install OpenJDK 11 JRE runtime sudo yum -y install java-11-openjdk-headless Add repository and import GPG key sudo yum -y install https://yum.opennms.org/repofiles/opennms-repo-stable-rhel7.noarch.rpm sudo rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY Installing the of Horizon Sentinel sudo yum -y install opennms-sentinel Disable the OpenNMS Horizon repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Horizon requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, it is recommended to exclude the Horizon packages from update except when you are planning on performing an upgrade. Disable auto updates for Horizon Sentinel sudo yum -y install yum-utils sudo yum-config-manager --disable opennms-repo-stable-* Verify directory structure with the tree command sudo yum -y install tree tree /opt/sentinel -L 1 Directory structure after successful installation /opt/sentinel ├── bin ├── COPYING ├── deploy ├── etc ├── lib └── system Enable Horizon Sentinel on system boot and start immediately sudo systemctl enable --now sentinel Add OpenNMS repository GPG key sudo apt-key adv --fetch-keys https://debian.opennms.org/OPENNMS-GPG-KEY Add apt repository sudo add-apt-repository -s 'deb https://debian.opennms.org stable main' The message with conflicting distributions stable but got opennms-xx can be safely ignored. Installing the of Horizon Sentinel sudo apt -y install opennms-sentinel Disable the OpenNMS Horizon repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Horizon requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, it is recommended to exclude the Horizon packages from update except when you are planning on performing an upgrade. sudo apt-mark hold opennms-sentinel Verify directory structure with the tree command sudo apt -y install tree tree /usr/share/sentinel -L 1 Directory structure after successful installation /usr/share/sentinel ├── bin ├── data -> /var/lib/sentinel/data ├── deploy -> /var/lib/sentinel/deploy ├── etc -> /etc/sentinel ├── lib └── system Enable Horizon Sentinel on system boot and start immediately sudo systemctl enable --now sentinel Install gnupg and add OpenNMS repository GPG key sudo apt -y install gnupg sudo apt-key adv --fetch-keys https://debian.opennms.org/OPENNMS-GPG-KEY Add apt repository sudo apt -y install software-properties-common sudo add-apt-repository -s 'deb https://debian.opennms.org stable main' sudo apt update The message with conflicting distributions stable but got opennms-xx can be safely ignored. Installing the of Horizon Sentinel sudo apt -y install opennms-sentinel Disable the OpenNMS Horizon repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Horizon requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, it is recommended to exclude the Horizon packages from update except when you are planning on performing an upgrade. sudo apt-mark hold opennms-sentinel Verify directory structure with the tree command sudo apt -y install tree tree /usr/share/sentinel -L 1 Directory structure after successful installation /usr/share/sentinel ├── bin ├── data -> /var/lib/sentinel/data ├── deploy -> /var/lib/sentinel/deploy ├── etc -> /etc/sentinel ├── lib └── system Enable Horizon Sentinel on system boot and start immediately sudo systemctl enable --now sentinel Secure Access to Karaf Shell Change the default user/password admin/admin for the Karaf shell and encrypt it. CentOS/RHEL 7/8 Debian/Ubuntu Enable password encryption sudo vi /opt/sentinel/etc/org.apache.karaf.jaas.cfg # # Boolean enabling / disabling encrypted passwords # encryption.enabled = true(1) #... encryption.algorithm = SHA-512(2) 1 Enable password encryption from false to true 2 Set a secure encryption algorithm like SHA-512 As soon the file is saved, Karaf will immediately encrypt the password in users.properties. Set a secure admin password for Karaf sudo vi /opt/sentinel/etc/users.properties # All users, groups, and roles entered in this file are available after Karaf startup # and modifiable via the JAAS command group. These users reside in a JAAS domain # with the name "karaf". # # OPENNMS: Change the admin user from 'karaf' to 'admin' admin = {CRYPT}C7AD...{CRYPT},_g_:admingroup(1) 1 Replace the whole string {CRYPT}C7AD…{CRYPT} with your new password in plainttext. As soon you save the file the password will be SHA-512 encrypted. Set restrictive file permissions sudo chmod 600 /opt/sentinel/etc/users.properties Enable password encryption sudo vi /usr/share/sentinel/etc/org.apache.karaf.jaas.cfg # # Boolean enabling / disabling encrypted passwords # encryption.enabled = true(1) #... encryption.algorithm = SHA-512(2) 1 Enable password encryption from false to true 2 Set a secure encryption algorithm like SHA-512 As soon the file is saved, Karaf will immediately encrypt the password in users.properties. Set a secure admin password for Karaf sudo vi /usr/share/sentinel/etc/users.properties # All users, groups, and roles entered in this file are available after Karaf startup # and modifiable via the JAAS command group. These users reside in a JAAS domain # with the name "karaf". # # OPENNMS: Change the admin user from 'karaf' to 'admin' admin = {CRYPT}C7AD...{CRYPT},_g_:admingroup(1) 1 Replace the whole string {CRYPT}C7AD…{CRYPT} with your new password in plainttext. As soon you save the file the password will be SHA-512 encrypted. Set restrictive file permissions sudo chmod 600 /usr/share/sentinel/etc/users.properties Changing the password or encryption algorithm get applied immediately. It is not required to restart the Sentinel By default the Karaf Shell is restricted to 127.0.0.1. If you want enable remote access, set sshHost=0.0.0.0 in org.apache.karaf.shell.cfg. The change is applied immediately and a Sentinel restart is not required. If you have firewall running on your host, allow 8301/tcp to grant access to the Karaf Shell. Sentinel Setting up Flow Processing