5.7 OAuth Authentication

OAuth authentication allows users to log in to Sentinel using OAuth 2.0 providers such as Google or Facebook. This section provides instructions for configuring Sentinel to work with Google as the OAuth provider.

NOTE:By design, OAuth authentication does not support single logout. To completely log out of a Sentinel session when you are using OAuth authentication, you must clear your browser cache and cookies.

NOTE:Before you continue, ensure that you have read the enablement considerations and met all prerequisites. For more information, see Enablement Considerations and Prerequisites for MFA, Kerberos, and OAuth.

5.7.1 Creating Credentials for the Google Web Application

  1. In your browser, go to https://console.developers.google.com/.

  2. Create the credentials for a web application. For more information, click the Help button on the toolbar to see the Google documentation.

5.7.2 Configuring the Sentinel Server for OAuth Authentication

  1. Log in to the Sentinel server as the novell user.

  2. Run the following command:

    touch /etc/opt/novell/sentinel/3rdparty/jetty/contexts/osp.xml

  3. In the /etc/opt/novell/sentinel/config directory, open the osp-configuration.properties file and add the following new properties:

    • com.netiq.sentinel.osp.login.method=google

    • com.netiq.sentinel.osp.google.enabled=true

    • com.netiq.sentinel.osp.google.client-secret=google app secret

      Where google app secret is the Google client secret.

    • com.netiq.sentinel.osp.google.client-id=google app client id

      Where google app client id is the Google client ID.

    • com.netiq.sentinel.osp.instance-data-enabled=true

    • com.netiq.sentinel.osp.as.scope=subtree

    • com.netiq.sentinel.osp.instance-data-enabled=true

  4. Import the Google certificates to the Sentinel keystore. In a command prompt, go to /opt/novell/sentinel/jdk/jre/bin and use the following command for each certificate:

    ./keytool -importcert -file <google.crt> -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -alias google

    Where <google.crt> is the name of the Google certificate you want to import.

    NOTE:You must run this command separately for each of the Google certificates.

  5. Restart the Sentinel server. Use the following command:

    rcsentinel restart

  6. (Conditional) If you are using Sentinel in High Availability (HA) mode, log in to the active node of the HA cluster and run the following command:

    csync2 -x -v

5.7.3 Configuring Sentinel in FIPS Mode to Use Google OAuth

To import the Google server chain certificates to the NSS database, complete the following steps:

  1. Copy the Google certificate to the Sentinel server.

  2. Run the following script:

    create_mfa_fips_keys.sh <nss_password/password_file>

    Where nss_password is the password for the NSS database and password_file is the file that stores the NSS password. Specify only one of these.

  3. Import the Google certificates to the Sentinel server. Use the following command for each certificate:

    /usr/bin/certutil -A -d sql:/etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n google -i /<location to certificate>/FileName.crt

    For example:

    /usr/bin/certutil -A -d sql:/etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n google -i /root/sai/google.crt

    NOTE:You must run this command separately for each of the Google certificates.

  4. Restart the Sentinel server. Use the following command:

    rcsentinel restart

  5. (Conditional) If you are using Sentinel in High Availability (HA) mode, log in to the active node of the HA cluster and run the following command:

    csync2 -x -v