Server name resolution
Okta Privileged Access implements a custom name resolution system, which is used to resolve user-supplied names to a server registered with Okta Privileged Access.
For example, if you run sft ssh web0, the name web0 will be resolved in Okta Privileged Access. Similarly, if the agent on web0 has a config file that specifies Bastion: bastion.example.com, then bastion.example.com is resolved to establish a tunnel to web0.
If Okta Privileged Access is unable to resolve a name to an enrolled server, it falls back to using locally supported name resolution and authentication methods to access the server. For example, if you run sft ssh web0.example.com and Okta Privileged Access is unable to resolve web0.example.com to a server enrolled in Okta Privileged Access, then the client behaves as though you ran ssh web0.example.com without using Okta Privileged Access.
Active servers
Okta Privileged Access only matches names against active servers. A server is considered active if the following conditions are true:
- The server was enrolled in Okta Privileged Access
- The server wasn't later deleted from Okta Privileged Access
- The Okta Privileged Access agent was recently running on the server, and able to contact the Okta Privileged Access platform. Currently the threshold is 96 hours (4 days), but this is subject to change.
As a special case, if an unmanaged server is created in Okta Privileged Access, it's considered active until it's deleted.
Matching
When resolving a name, Okta Privileged Access looks for any server matching one of the following values.
Server ID
The server's id, a random UUID automatically assigned by the Okta Privileged Access platform during enrollment.
Hostname
The server's hostname, as reported by the operating system on the server. If the OS hostname ends in local, then this is ignored by the platform. For example, if the OS hostname is web0.local, you can access the server as web0, but not as web0.local.
If a CanonicalName value is specified in the Okta Privileged Access agent configuration, then this value is used in place of the OS hostname.
AltNames
Any AltNames values specified in the Okta Privileged Access agent configuration file on the server. AltNames can be used to add other aliases to servers.
Default IP address
The default IP address of the server, as determined by Okta Privileged Access.
Instance ID
If the server is an AWS or GCE cloud instance, then this is the provider-assigned ID of the instance.
Ambiguous names
If a name supplied to the Okta Privileged Access client resolves to more than one server, the client returns an error to avoid inadvertently connecting to an unintended server.
One side effect of this is that if a server is replaced with a new server with the same hostname, or if the agent is forced to re-enroll, an admin must manually delete the original server record before the shared name can address the new one. Alternatively, users can specify an unambiguous name such as the server ID, or wait for the original server record to become inactive.
If a Bastion name supplied in a Okta Privileged Access agent configuration is ambiguous, the Okta Privileged Access platform attempts to choose the best fit by ranking matches in descending order of preference by matching:
- id or CanonicalName
- Cloud Instance ID
- Hostname
- AltNames
- Default IP Address
Ties are broken arbitrarily.
IP addresses
After a server has been resolved, Okta Privileged Access attempts to determine the IP address that should be used to address the server.
If the server is being accessed directly by the Okta Privileged Access client, the client attempts to use the server's default IP address as described in the following section.
If the server is being accessed through one or more bastions, and the immediately preceding bastion resides in the same AWS VPC or GCE Network as the server, Okta Privileged Access prefers the server's corresponding private IP address. Otherwise Okta Privileged Access uses the default IP address.
Default IP address
Each server enrolled in Okta Privileged Access is assigned a default IP address, which is the first available value from:
- An AccessAddress value is specified in the Okta Privileged Access agent configuration file.
- The public_ip_v4 address of an AWS instance, based on the instance's metadata.
- The external or internal IP address of a GCE or Azure instance, based on the instance's metadata.
- The numerically lowest IPv4 address in a public address range.
- The numerically lowest IPv4 address in a private range.