Installing Sentinel Runtime

Objectives

Setting up a Horizon Sentinel running on one of the following Operating Systems
Secure access with encrypted passwords to the Karaf shell
Sentinel can be configured with the Karaf Shell from the server via ssh admin@localhost -p 8301
Sentinel is running as user sentinel without root permissions

Requirements

Linux physical server or a virtual machine running a supported Linux operating system
Internet access to download the installation packages
Ensure DNS is configured, localhost and your servers host name is resolved properly
Horizon Core instance runs on latest stable release
Java installed OpenJDK 11
System user with administrative permissions (sudo) to perform the installation tasks NOTE: If you run Debian, you have to install and configure sudo yourself. A guide can be found in the Debian Wiki.

Time synchronization is a critical part of operating a monitoring system. Ensure you have a functional time synchronization process running with your operating system. If you are not familiar with this topic, the knowledgebase article Ensure time synchronization for your OpenNMS components is a good starting point.

Installing the Sentinel package

CentOS/RHEL 8
CentOS/RHEL 7
Ubuntu
Debian

Install OpenJDK 11 JRE runtime

sudo dnf -y install java-11-openjdk-headless

Add repository and import GPG key

sudo dnf -y install https://yum.opennms.org/repofiles/opennms-repo-stable-rhel8.noarch.rpm
sudo rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY

Installing the of Horizon Sentinel

sudo dnf -y install opennms-sentinel

Disable the OpenNMS Horizon repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Horizon requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, it is recommended to exclude the Horizon packages from update except when you are planning on performing an upgrade.

Disable auto updates for Horizon Sentinel

sudo dnf config-manager --disable opennms-repo-stable-*

Verify directory structure with the tree command

sudo dnf -y install tree
tree /opt/sentinel -L 1

Directory structure after successful installation

/opt/sentinel
├── bin
├── COPYING
├── deploy
├── etc
├── lib
└── system

Enable Horizon Sentinel on system boot and start immediately

sudo systemctl enable --now sentinel

Install OpenJDK 11 JRE runtime

sudo yum -y install java-11-openjdk-headless

Add repository and import GPG key

sudo yum -y install https://yum.opennms.org/repofiles/opennms-repo-stable-rhel7.noarch.rpm
sudo rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY

Installing the of Horizon Sentinel

sudo yum -y install opennms-sentinel

Disable the OpenNMS Horizon repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Horizon requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, it is recommended to exclude the Horizon packages from update except when you are planning on performing an upgrade.

Disable auto updates for Horizon Sentinel

sudo yum -y install yum-utils
sudo yum-config-manager --disable opennms-repo-stable-*

Verify directory structure with the tree command

sudo yum -y install tree
tree /opt/sentinel -L 1

Directory structure after successful installation

/opt/sentinel
├── bin
├── COPYING
├── deploy
├── etc
├── lib
└── system

Enable Horizon Sentinel on system boot and start immediately

sudo systemctl enable --now sentinel

Add OpenNMS repository GPG key

sudo apt-key adv --fetch-keys https://debian.opennms.org/OPENNMS-GPG-KEY

Add apt repository

sudo add-apt-repository -s 'deb https://debian.opennms.org stable main'

You can safely ignore the message about conflicting distributions (expected stable but got opennms-xx).

Installing the of Horizon Sentinel

sudo apt -y install opennms-sentinel

Disable the OpenNMS Horizon repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Horizon requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, it is recommended to exclude the Horizon packages from update except when you are planning on performing an upgrade.

sudo apt-mark hold opennms-sentinel

Verify directory structure with the tree command

sudo apt -y install tree
tree /usr/share/sentinel -L 1

Directory structure after successful installation

/usr/share/sentinel
├── bin
├── data -> /var/lib/sentinel/data
├── deploy -> /var/lib/sentinel/deploy
├── etc -> /etc/sentinel
├── lib
└── system

Enable Horizon Sentinel on system boot and start immediately

sudo systemctl enable --now sentinel

Install gnupg and add OpenNMS repository GPG key

sudo apt -y install gnupg ca-certificates
sudo apt-key adv --fetch-keys https://debian.opennms.org/OPENNMS-GPG-KEY

Add apt repository

sudo apt -y install software-properties-common
sudo add-apt-repository -s 'deb https://debian.opennms.org stable main'
sudo apt update

You can safely ignore the message about conflicting distributions (expected stable but got opennms-xx).

Installing the of Horizon Sentinel

sudo apt -y install opennms-sentinel

Disable the OpenNMS Horizon repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Horizon requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, it is recommended to exclude the Horizon packages from update except when you are planning on performing an upgrade.

sudo apt-mark hold opennms-sentinel

Verify directory structure with the tree command

sudo apt -y install tree
tree /usr/share/sentinel -L 1

Directory structure after successful installation

/usr/share/sentinel
├── bin
├── data -> /var/lib/sentinel/data
├── deploy -> /var/lib/sentinel/deploy
├── etc -> /etc/sentinel
├── lib
└── system

Enable Horizon Sentinel on system boot and start immediately

sudo systemctl enable --now sentinel

Secure Access to Karaf Shell

Change the default user/password admin/admin for the Karaf shell and encrypt it.

CentOS/RHEL 7/8
Debian/Ubuntu

Enable password encryption

sudo vi /opt/sentinel/etc/org.apache.karaf.jaas.cfg

#
# Boolean enabling / disabling encrypted passwords
#
encryption.enabled = true(1)
#...
encryption.algorithm = SHA-512(2)

1	Enable password encryption from `false` to `true`
2	Set a secure encryption algorithm like `SHA-512`

As soon the file is saved, Karaf will immediately encrypt the password in users.properties.

Set a secure admin password for Karaf

sudo vi /opt/sentinel/etc/users.properties

# All users, groups, and roles entered in this file are available after Karaf startup
# and modifiable via the JAAS command group. These users reside in a JAAS domain
# with the name "karaf".
#
# OPENNMS: Change the admin user from 'karaf' to 'admin'
admin = {CRYPT}C7AD...{CRYPT},_g_:admingroup(1)

1	Replace the whole string `{CRYPT}C7AD…{CRYPT}` with your new password in plaintext. As soon you save the file the password will be SHA-512 encrypted.

Set restrictive file permissions

sudo chmod 600 /opt/sentinel/etc/users.properties

Enable password encryption

sudo vi /usr/share/sentinel/etc/org.apache.karaf.jaas.cfg

#
# Boolean enabling / disabling encrypted passwords
#
encryption.enabled = true(1)
#...
encryption.algorithm = SHA-512(2)

1	Enable password encryption from `false` to `true`
2	Set a secure encryption algorithm like `SHA-512`

As soon the file is saved, Karaf will immediately encrypt the password in users.properties.

Set a secure admin password for Karaf

sudo vi /usr/share/sentinel/etc/users.properties

# All users, groups, and roles entered in this file are available after Karaf startup
# and modifiable via the JAAS command group. These users reside in a JAAS domain
# with the name "karaf".
#
# OPENNMS: Change the admin user from 'karaf' to 'admin'
admin = {CRYPT}C7AD...{CRYPT},_g_:admingroup(1)

1	Replace the whole string `{CRYPT}C7AD…{CRYPT}` with your new password in plaintext. As soon you save the file the password will be SHA-512 encrypted.

Set restrictive file permissions

sudo chmod 600 /usr/share/sentinel/etc/users.properties

Password or encryption algorithm changes happen immediately. It is not required to restart the Sentinel

By default the Karaf Shell is restricted to 127.0.0.1. If you want enable remote access, set sshHost=0.0.0.0 in org.apache.karaf.shell.cfg. The change is applied immediately and a Sentinel restart is not required. If you have a firewall running on your host, allow 8301/tcp to grant access to the Karaf Shell.

Set up flow processing

To set up flow processing with Sentinel, see scale flows data.