OAuth authentication allows users to log in to Sentinel using OAuth 2.0 providers such as Google or Facebook. This section provides instructions for configuring Sentinel to work with Google as the OAuth provider.
NOTE: By design, OAuth authentication does not support single logout. To completely log out of a Sentinel session when you are using OAuth authentication, you must clear your browser cache and cookies.
NOTE: Before you continue, ensure that you have read the enablement considerations and met all prerequisites. For more information, see Enablement Considerations and Prerequisites for MFA, Kerberos, and OAuth.
In your browser, go to https://console.developers.google.com/.
Create the credentials for a web application. For more information, click the Help button on the toolbar to see the Google documentation.
Log in to the Sentinel server as the novell user.
Run the following command:
touch /etc/opt/novell/sentinel/3rdparty/jetty/contexts/osp.xml
In the <sentinel_installation_path>/etc/opt/novell/sentinel/config directory, open the osp-configuration.properties file and add the following new properties:
com.netiq.sentinel.osp.login.method=google
com.netiq.sentinel.osp.google.enabled=true
com.netiq.sentinel.osp.google.client-secret=google app secret
Where google app secret is the Google client secret.
com.netiq.sentinel.osp.google.client-id=google app client id
Where google app client id is the Google client ID.
com.netiq.sentinel.osp.instance-data-enabled=true
com.netiq.sentinel.osp.as.scope=subtree
com.netiq.sentinel.osp.instance-data-enabled=true
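Before restarting, it is worth checking that the properties were actually filled in. The script below is an added example (not part of the Sentinel documentation or product): it parses an osp-configuration.properties file in the key=value form shown above and reports required keys that are missing, template placeholders such as google app secret that were never replaced, duplicated keys (in Java properties the last value wins, so a repeated key can silently override an earlier edit), and a properties file that is readable by group or others even though it holds the client secret. The sample text embedded in the script is constructed, and the client ID in it is made up.

```python
"""Sanity-check the Google OAuth block of osp-configuration.properties.

Added example, not Sentinel code. Assumes the simple key=value layout shown
in the procedure above.
"""
import os
import stat
import sys

# Keys the procedure adds for Google OAuth. None means "any real value".
REQUIRED_KEYS = {
    "com.netiq.sentinel.osp.login.method": "google",
    "com.netiq.sentinel.osp.google.enabled": "true",
    "com.netiq.sentinel.osp.google.client-secret": None,
    "com.netiq.sentinel.osp.google.client-id": None,
    "com.netiq.sentinel.osp.instance-data-enabled": "true",
    "com.netiq.sentinel.osp.as.scope": "subtree",
}

# Values that were copied from the documentation template instead of filled in.
PLACEHOLDERS = {"google app secret", "google app client id", ""}


def parse_properties(text):
    """Parse key=value lines into (values, duplicates).

    Blank lines and '#'/'!' comments are skipped. When a key repeats, the
    last value wins (as in Java) and the key is recorded in duplicates.
    """
    values, seen, duplicates = {}, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=' on the line: not a property
        key, value = key.strip(), value.strip()
        if key in seen:
            duplicates.append(key)
        seen.add(key)
        values[key] = value
    return values, duplicates


def check_google_oauth(text):
    """Return a list of findings; an empty list means the block looks complete."""
    values, duplicates = parse_properties(text)
    findings = []
    for key, expected in REQUIRED_KEYS.items():
        if key not in values:
            findings.append(f"missing: {key}")
        elif expected is not None and values[key] != expected:
            findings.append(f"unexpected value: {key}={values[key]} (expected {expected})")
        elif expected is None and values[key] in PLACEHOLDERS:
            findings.append(f"placeholder not replaced: {key}")
    for key in duplicates:
        findings.append(f"duplicate key (last value wins): {key}")
    return findings


def check_file_mode(path):
    """The file carries the client secret: flag group/other read access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"{path} is readable by group/other (mode {stat.S_IMODE(mode):04o})"]
    return []


# Constructed sample: the secret placeholder left in place and one key repeated.
# The client ID is made up.
SAMPLE = """\
com.netiq.sentinel.osp.login.method=google
com.netiq.sentinel.osp.google.enabled=true
com.netiq.sentinel.osp.google.client-secret=google app secret
com.netiq.sentinel.osp.google.client-id=1234-example.apps.googleusercontent.com
com.netiq.sentinel.osp.instance-data-enabled=true
com.netiq.sentinel.osp.as.scope=subtree
com.netiq.sentinel.osp.instance-data-enabled=true
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]  # e.g. /etc/opt/novell/sentinel/config/osp-configuration.properties
        with open(path, encoding="utf-8") as fh:
            findings = check_google_oauth(fh.read()) + check_file_mode(path)
    else:
        findings = check_google_oauth(SAMPLE)
    for finding in findings:
        print("WARN", finding)
    sys.exit(1 if findings else 0)
```

Run it with the path of the properties file as the novell user; with no argument it checks the embedded sample and reports the unfilled secret and the repeated key.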
Import the Google certificates to the Sentinel keystore. In a command prompt, go to <sentinel_installation_path>/opt/novell/sentinel/jdk/jre/bin and use the following command for each certificate:
./keytool -importcert -file <google.crt> -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -alias <alias>
Where <google.crt> is the name of the Google certificate you want to import and <alias> is a name for that certificate in the keystore, for example google for the first one.
NOTE: You must run this command separately for each of the Google certificates, and each run needs a different <alias>: keytool refuses to import a certificate under an alias that already exists in the keystore.
Restart the Sentinel server. Use the following command:
systemctl restart sentinel.service
or
<sentinel_installation_path>/opt/novell/sentinel/bin/server.sh restart
(Conditional) If you are using Sentinel in High Availability (HA) mode, log in to the active node of the HA cluster and run the following command:
csync2 -x -v
To import the Google server chain certificates to the NSS database, complete the following steps:
Copy the Google certificate to the Sentinel server.
Run the following script:
create_mfa_fips_keys.sh <nss_password/password_file>
Where nss_password is the password for the NSS database and password_file is the file that stores the NSS password. Specify only one of these.
Import the Google certificates to the Sentinel server. Use the following command for each certificate:
/usr/bin/certutil -A -d sql:/etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n google -i /<location to certificate>/FileName.crt
For example:
/usr/bin/certutil -A -d sql:/etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n google -i /root/sai/google.crt
NOTE: You must run this command separately for each of the Google certificates.
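Both the keytool step and the certutil step above import each certificate of the Google chain one at a time, and each import needs its own alias or nickname. The following added example (not from the Sentinel documentation) splits a PEM bundle into individual certificate files and builds the matching keytool and certutil command lines, deriving a distinct alias for each certificate from its SHA-256 fingerprint and skipping exact duplicates in the bundle. The keystore path, NSS directory and trust flags are the ones given in the procedure; the alias scheme, the output file names and the embedded sample bundle are assumptions/constructed (the sample payloads are not real DER certificates, only stand-ins for fingerprinting).

```python
"""Split a PEM bundle and plan one keytool and one certutil import per certificate.

Added example, not Sentinel code. Paths and trust flags are taken from the
procedure; the alias scheme and file names are assumptions.
"""
import base64
import hashlib
import re
import sys

KEYSTORE = "/etc/opt/novell/sentinel/config/.webserverkeystore.jks"
NSS_DIR = "sql:/etc/opt/novell/sentinel/3rdparty/nss"
TRUST_FLAGS = "CT,CT,CT"  # as given in the procedure

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def to_pem(der):
    """Wrap DER bytes as a single PEM certificate block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def plan_imports(bundle_text, keystore=KEYSTORE, nss_dir=NSS_DIR, prefix="google"):
    """One plan per distinct certificate: file to write, alias, and both commands.

    The alias is prefix plus the first 12 hex digits of the fingerprint, so it
    is unique per certificate and stable across reruns. Exact duplicates in the
    bundle are imported only once.
    """
    plans, seen = [], set()
    for idx, der in enumerate(split_pem_bundle(bundle_text), 1):
        fp = fingerprint(der)
        if fp in seen:
            continue
        seen.add(fp)
        alias = f"{prefix}-{fp[:12]}"
        path = f"{prefix}-{idx}.crt"  # assumed naming for the split files
        plans.append({
            "file": path,
            "der": der,
            "alias": alias,
            "keytool": ["./keytool", "-importcert", "-file", path,
                        "-keystore", keystore, "-alias", alias],
            "certutil": ["/usr/bin/certutil", "-A", "-d", nss_dir,
                         "-t", TRUST_FLAGS, "-n", alias, "-i", path],
        })
    return plans


# Constructed sample bundle: three blocks, the third a repeat of the first.
SAMPLE_BUNDLE = "".join(
    to_pem(payload)
    for payload in (b"constructed-cert-1", b"constructed-cert-2", b"constructed-cert-1")
)

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for plan in plan_imports(text):
        with open(plan["file"], "w", encoding="ascii") as fh:
            fh.write(to_pem(plan["der"]))
        print(" ".join(plan["keytool"]))
        print(" ".join(plan["certutil"]))
```

With a real bundle as the argument, the script writes one .crt file per certificate and prints the two import commands for each; run the keytool lines from the Sentinel JRE bin directory and the certutil lines from any shell, then restart Sentinel as described.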
Restart the Sentinel server. Use the following command:
systemctl restart sentinel.service
or
<sentinel_installation_path>/opt/novell/sentinel/bin/server.sh restart
(Conditional) If you are using Sentinel in High Availability (HA) mode, log in to the active node of the HA cluster and run the following command:
csync2 -x -v