Command Line Management Console reference

The Access Gateway Management console is a command line interface to the Access Gateway instance that allows you to modify configuration settings that are not available in the Admin UI Console.

The purpose of this reference is to list the current Access Gateway Management console commands available within the oag-mgmt user account. These commands can be used to configure and monitor Access Gateway Management.

The following menus are available on the command line management Console:

Note

To avoid publication of public IP addresses that belong to Okta or any other organization, the IPv4 addresses used in Okta Access Gateway technical documentation are fictional and are from the private IP address range based on CIDR 192.168/16.

First Login


The first time you sign in to the Access Gateway Management console, you will be required to change the default password. Okta recommends that the first time you log into the Access Gateway Admin UI console you also change the Admin UI password. On successful password change, you will be redirected to the Access Gateway Management console main page.

Network

The Network menu contains options for checking the status of the network and modifying the network settings.

Network command Overview

  1. Manage network interfaces: Enter the sub-menu to manage network interfaces including routing for the Access Gateway appliance.
  2. Test network configuration: Enter the sub-menu to attempt connections to several websites and to check the NGINX configuration and status.
  3. Edit /etc/hosts: Allows you to edit the /etc/hosts file on the Access Gateway appliance.
  4. Setup NIC bonding: Enter the sub-menu to configure a NIC bonding configuration similar to a static network configuration.
  5. Proxy settings: Enter the sub-menu to set up a proxy connection for the Access Gateway appliance, or remove a proxy configuration from the appliance.
  6. Ping: Determines if a destination host is reachable from the Access Gateway appliance.
  7. Connectivity test: Validates a connection between the Access Gateway appliance and any other system. Use this tool to validate whether a backend application or server is able to reach the Access Gateway.
  8. Manage DNS Settings: Configure DNS such as primary and secondary DNS servers.
  9. Manage Trusted Domains: Enable, disable, and view trusted domains.
  10. s — Show running configuration: Displays the current configuration of the Access Gateway appliance.
  11. v — View configuration change plan: Displays the configuration change plan.
  12. c — Commit changes to system: Commit any unsaved changes to the Access Gateway appliance.
  13. r — Restart Networking: Restart the networking services on the Access Gateway appliance.
  14. x — Exit: Exit to the Management Console.

Service

The Services menu allows you to start, stop, and restart services on the Access Gateway appliance, as well as check the status of the running services and regenerate an SSL certificate. The available services you can view are NGINX, Access Gateway Admin, NTP and Session Cache.

Services command overview

  1. NGINX: Open the NGINX agent management sub-menu.
  2. Access Gateway Admin: Open the Access Gateway Admin management sub-menu.
  3. NTP: Open the NTP management sub-menu.
  4. Session Cache: Open the Session Cache sub-menu.

Kerberos

The Kerberos menu allows you to list or destroy Kerberos tickets.

When listing a ticket, the software provides the Kerberos principal and Kerberos ticket held in the credential cache or keytab file.

Destroying a user’s active Kerberos authorization tickets is achieved by overwriting and deleting the credential cache that contains them.

Press 3 to select the Kerberos sub-menu.

Kerberos command overview

  1. List: List credential caches.
  2. Destroy: Destroy all credential caches.
  3. Exit: Exit the Kerberos sub-menu.

Monitor

The Monitor menu allows you to view the Access Gateway logs.

Press 4 to enter the Monitoring sub-menu.

  1. Monitor Logs: Display the monitor log. Enter [ctrl][c] to exit Monitor Logs.
  2. Enable Debug: Enable debug for all services.
  3. Disable Debug: Disable debug for all services.
  4. Exit: Exit the monitor sub-menu.
Caution

Enabling debug on a running Access Gateway system elevates the logging level from INFO to DEBUG and causes a considerable rise in the number of log messages generated.
Enabling debug monitoring should only be used when debugging applications and services. Failure to disable debug monitor could cause out of disk errors and system degradation. Always return the debug state to disabled (INFO) after diagnosing system or application errors.

System

The System menu allows you to change the hostname, install or remove a package, perform an update, reboot, shutdown, or reset the Access Gateway instance.

System command overview

  1. Change Hostname: Change the hostname of the Access Gateway instance.
  2. High Availability Configuration: Configure and manage Access Gateway high availability.
  3. Install Package: Install a named package.
  4. Remove Package: Remove a named package.
  5. Update: Update the system.
  6. Reboot: Reboot the system.
  7. Shutdown: Shut down the system.
  8. Reset: Reset the system to original default settings.

Change Password

The Change Password menu allows you to change the password for the oag-mgmt user. You will be asked to confirm the current password and enter/confirm the new password to successfully change the password.

See Access Gateway password policies for more information on acceptable passwords.

  1. Press 6 on the main menu to change the password.

  2. Enter the current password for the oag-mgmt user.

  3. Enter a new password.

  4. Confirm the new password.

  5. The system displays a Password reset successful message if the password is accepted; alternatively, an error is displayed if the password fails to meet the minimum requirements.

  6. Press Enter to return to the main menu.

Change Web Console Password

The Change Web Console Password menu allows you to change the password for the administrator on the Access Gateway Admin UI console. You will be asked to confirm the current password and enter/confirm the new password to successfully change the password.

See Access Gateway password policies for more information on acceptable passwords.

  1. Press 7 on the main menu to change the password.

  2. Enter the current password for the admin user for the Admin UI Console.

  3. Enter a new password.

  4. Confirm the new password.

  5. The system displays a Password reset successful message if the password is accepted; alternatively, an error is displayed if the password fails to meet the minimum requirements.

  6. Press Enter to return to the main menu.

Support Connection

The Support Connection menu option allows you to enable and disable support connections. It also displays the VPN status (enabled or disabled), which will resemble:

Support Connection...
Status: Disabled/Enabled

Support Connection command overview

Enabling or disabling the support connection is a 'toggle' operation. When the support connection is enabled, only disable is displayed. Conversely, when the support connection is disabled, only enable is displayed.

Enter:

  1. Enable Support Connection: Enable support connection functionality.
  2. Disable Support Connection: Disable support connection functionality.

Enable support connection

Note

Enabling the support connection requires an API token.
To obtain an API token:

  1. Sign in to your Okta org as an administrator.
  2. Select Security > API.
  3. Click Create Token.
  4. Name the token, for example, Access Gateway 2021.02 token, and click Create Token.
  5. Copy the token value, and then click OK, got it.

  1. Press 1 to enable, or x to exit and return to the prior menu.

  2. Press y to confirm, or n to cancel.

  3. Enter your Okta org as either {yourorg}.oktapreview.com or {yourorg}.okta.com as appropriate. 
  4. Paste the API token obtained as described in the associated note.
    Access Gateway will then validate the token and enable the support connection.
    Validating and enabling the support connection can take anywhere from 1-2 to 20 seconds and is tracked by a progress indicator.
  5. The support connection is now enabled. Press x to return to the prior menu or 2 to disable.

Disable support connection

  1. Press 2 to disable, or x to exit and return to the prior menu.

  2. Press y to confirm, or n to cancel.

  3. The support connection is now disabled. Press x to return to the prior menu or 1 to enable.

Client certificate chains

The Client certificate chain menu option allows you to view, add, delete, and otherwise manage client certificate chains and Certificate Revocation List (CRL) settings. See Certificate chain operations for complete details.

View a certificate chain

  1. Press c to enter the certificate chain management menu.
  2. Use the Up/down arrows to select a certificate chain.
    Use the i/k keys to scroll the list up or down.
  3. Press the enter key to display a selected certificate.
  4. Press x to return to the main menu.

Add a certificate chain

  1. Press c to enter the certificate chain management menu.
  2. Press a to add a certificate chain.
  3. Paste the certificate into the command window, entering [Ctrl-d] when complete.
    Note

    Invalid or expired certificate chains will result in an error and will not be loaded.

  4. Press x to return to the main menu.
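
Because invalid or expired chains are rejected at the paste step, it helps to check the PEM bundle on your workstation first. The following is an added example, not Okta's code and not Access Gateway's own validation: it assumes OpenSSL is installed, and the function name `check_chain` and its optional minimum-remaining-seconds argument are hypothetical.

```shell
#!/bin/sh
# Added example: pre-check a PEM certificate chain before pasting it into the
# "Add a certificate chain" prompt. Checks parsing and expiry (notAfter) only.

# check_chain FILE [MIN_SECONDS]
#   0 = every certificate parses and stays valid for at least MIN_SECONDS
#   1 = at least one certificate is unparseable, expired, or expiring too soon
#   2 = FILE contains no PEM certificates
check_chain() {
    file=$1
    min_left=${2:-0}          # 0 means "not expired right now"
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate.
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", d, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$file"

    rc=0
    count=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || break
        count=$((count + 1))
        if ! subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null); then
            echo "cert $count: not a parseable X.509 certificate" >&2
            rc=1
        elif ! openssl x509 -in "$pem" -noout -checkend "$min_left" >/dev/null; then
            echo "cert $count: expired or expiring within ${min_left}s ($subject)" >&2
            rc=1
        fi
    done
    rm -rf "$tmpdir"

    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $file" >&2
        return 2
    fi
    return $rc
}

# Stand-alone use: ./check_chain.sh chain.pem [min_seconds]
if [ "$#" -gt 0 ]; then
    check_chain "$@"
fi
```

Passing a window such as 2592000 (30 days) also flags certificates that would load today but expire soon.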

Delete a certificate chain

Access Gateway can:

  • Delete entire certificate chains - remove a certificate chain completely, including all intermediary and child certificates.

Delete an entire certificate chain

  1. Press c to enter the certificate chain management menu.
  2. Use the Up/down arrows to select a certificate chain.
    Use the i/k keys to scroll the list up or down.
  3. Press the d key to start the delete process.
  4. In the delete pop-up menu, select an index representing a certificate chain to delete.
  5. When prompted, enter y to confirm the deletion or n to cancel.
  6. Press x to return to the main menu.

Show or hide certificate chain details

The show/hide menu is a toggle: enter h to hide, or s to show certificate details.

  1. Press c to enter the certificate chain management menu.
  2. Enter s to show details, h to hide details.

Manage CRL settings

  1. Press c to enter the certificate chain management menu.
  2. Press e to begin editing Certificate Revocation List settings.
  3. Enter the CRL download frequency in hours, default is 6, maximum 24h, minimum 1h.
  4. Enter the CRL cache interval, default is 24, max 72.
  5. Press x to return to the main menu.

Exit

The Exit menu option exits the Access Gateway Management console to the main operating system login.
