Okta Access Gateway Post Installation
After your Okta Access Gateway has been imported there are a number of common post installation tasks that must be performed, which include:
- Determine the IP Address of the Okta Access Gateway virtual application.
- Configure admin /etc/hosts entry
- Initialize the Command Line console
- Reset Passwords
- Initialize Access Gateway Admin UI Console
- Configure DNS
- Add Applications
- Manage Certificates
- Administer the Access Gateway Support VPN.
To configure the Access Gateway instance, you must add a line to the host file on all machines that need access to this Access Gateway instance. The following procedure details how to obtain the IP address of the Okta Access Gateway virtual application.
Note: This procedure assumes you are accessing the newly imported gateway locally, immediately post install and is for on-prem instances only.
Log in to the Access Gateway server using these credentials:
We recommend that you change the password after logging in.
Once you are logged in, the system will provide you with several menu options.
Enter 1 to enter the Network menu.
If required, configure the static network configuration (option 1) and then commit the configuration (option c).
Enter s to display the running network configuration.
The eth0 section on the next page shows the IP address of the server. Make note of this IP address, as it will be used later in this guide.
Continue to press Enter until you return to the Network menu.
Perform a connectivity test to Okta and your internal application.
Select option 9, host: www.okta.com, port 443.
Perform the same test with the site & port of an application that Okta Access Gateway will connect to.
Press X to exit the Network menu, and press X again to exit the UI.
Add a line to the host file on the clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. computer running a browser for configuration.
Use the IP address you collected above.
<ipaddress of Access Gateway instance> adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page.
In order to access Access Gateway add the following entry to your local etc.hosts file. For OSX/Linux this file can be found in /etc/hosts. Under Windows the host file can be found in c:\windows\system32\drivers\etc\hosts.
Within this file add the single entry:
ip of instance admin
## # Host Database # . . . # Example IP address of Okta Access Gateway 192.168.32.129 admin
Using command line ssh, connect to the new instance:
$ ssh oag-mgmt@admin oag-mgmt@... password:OktaMgmt@123
Reset the Gateway
Note: On-premises installations are not required to re-initialize the gateway
At the command line main menu:
- Select 5 System.
- Select 7 - Reset.
Select Y to clear the configuration.
Select Y to initialize the system.
Note: The instance may pause for 2-3 minutes but will respond and will return to the system menu.
After the system is initialized successfully, press any key to return to the menu.
Press x to return to the main menu.
Select 1 - Network
Select 3 - Test network configuration .
Okta Access Gateway will attempt to contact www.okta.com and report any errors.
Select 9 - Connectivity test.
Enter www.okta.com as host and 443 as port.
Confirm that the connection was successful:
The connectivity test and reset were successful.
The first time you log in to the Access Gateway Management Console, we highly recommend that you change the password for the oag-mgmt user. Note: When using SSH to access the Access Gateway Management Console some features may be disabled.
Start the Access Gateway VM and open a terminal window. Default credentials are given below:
The first time you log in to the Access Gateway Management Console, we highly recommend that you change the password for the the oag-mgmt account. See the Change Password section for more information
Once logged in, the Access Gateway appliance will provide you with various menu options similar to those shown below.
Select 6 Change password to change the command line console password.
Select 7 Change Access Gateway Password to change the Admin UI Password.
See Access Gateway password policies for more information and general password policy.
After the gateway has been installed, network access must be configured.
Okta Access Gateway uses the HTTP_HOST header variable supplied by the browser to map the hostname to specific applications. Multiple host names are used to access gateway instance. Below are the suggested hostnames that should be created within your DNS domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https)..
|Domain Name||IP Address|
|gw-admin-[yourdomain].gateway.info||IP Address of Okta Gateway instance.
(AWS Elastic IP, otherwise instance IP address)
*Not strictly required, but recommend for initial Access Gateway testing.
Note:During initial testing and development, these values are often entered into the local /etc/hosts file.
See here for details of certificate management.
Configure Administration Access using SAML
Refer to Configure Administration Access using SAML for more details.
Add an Okta Org as Access Gateway idP
Refer to Configure your Okta tenant as an Identity Provider for more details.
Add a sample cookie app to Access Gateway
Refer to Add a Sample Cookie Application for more details.
Add a sample header app to Access Gateway
Refer to Add a Sample Header Application for more details.
Add a sample policy app to Access Gateway
Refer to Add a Sample Policy Application for more details.
Add a sample proxy app to Access Gateway
Refer to Add a Sample Proxy Application for more details.
Add a header based application to Access Gateway
Refer to Add a Generic Header Application for more details.
Monitor logs, restart services, and edit hosts file
To monitor the logs, restart services, or edit the hosts file on the appliance, refer to the Access Gateway Command Line Management Console Reference for more information.