Setup Access Gateway using Oracle Cloud Infrastructure


Overview

The purpose of this guide is to walk through the process of installing the Access Gateway software appliance into an Oracle Cloud Infrastructure (OCI) instance.

Oracle OCI can import and use the Okta Access Gateway virtual appliance. In order to use the OVA with OCI we must:

  • Create a restricted Object Storage bucket

Prerequisites


What’s covered in this guide


Download the latest OVA image.

To download the latest Okta Access Gateway OVA Image

  1. Download the Okta Access Gateway image from the Settings > Downloads page in Okta.

  2. When prompted save the file to an appropriate location.


Upload Access Gateway OVA image to OCI.

An OCI Object Storage bucket can be created using either the CLI or the UI.

To create an OCI Storage bucket using the UI

  1. Log in to AWS as root.

  2. Select Services.

  3. In the Storage section click S3.

  4. Click + Create Bucket.

  5. Enter an appropriate name, for example my-access-gateway-bucket.

  6. From the Region drop down select the correct region.

  7. Follow the wizard steps to finish creating the bucket.

Upload the Okta Access Gateway OVA to the bucket

To upload the OVA to the bucket using the UI:

  1. Navigate to the OVA file, select it and click Next.

  2. Click Next through the remaining upload steps.
    When complete, the OVA will have been uploaded to the bucket.

Note: Files can also be uploaded to an existing bucket using the aws s3 cp command. For example:

aws s3 cp Okta-AccessGateway.ova s3://my-access-gateway-bucket
aws s3 ls s3://my-access-gateway-bucket
2019-09-11 12:36:00   . . .  Okta-AccessGateway.ova


Convert and import the OVA image to an Amazon Machine Image (AMI)

Importing an OVA to AWS is a multi-step process.

  1. Open a terminal window.

  2. Create the required vmimport IAM identity role used to import images.
    Note: AWS requires the use of the vmimport identity role when importing an OVA.

    1. Create a JSON file representing the trust policy for the vmimport IAM identity role, as follows:
      {
          "Version": "2012-10-17",
          "Statement": [ {
              "Effect": "Allow",
              "Principal": { "Service": "vmie.amazonaws.com" },
              "Action": "sts:AssumeRole",
              "Condition": {
                  "StringEquals": { "sts:Externalid": "vmimport" }
              }
          } ]
      }

      trust-policy.json

    2. In a terminal window, create the IAM identity role from the new trust policy using the aws iam create-role command, as shown:

      aws iam create-role --role-name vmimport --assume-role-policy-document "file://~/Downloads/trust-policy.json"

      This should return a result similar to:
      {
          "Role": {
              "AssumeRolePolicyDocument": { . . . },
              ...
              "Arn": "arn:aws:iam::809227661992:role/vmimport"
          }
      }

    3. Create a role policy to associate the new IAM identity with the previously created bucket.

      {
          "Version": "2012-10-17",
          "Statement": [ {
              "Effect": "Allow",
              "Action": [
                  "s3:GetBucketLocation",
                  "s3:GetObject",
                  "s3:ListBucket"
              ],
              "Resource": [
                  "arn:aws:s3:::BUCKET_NAME",
                  "arn:aws:s3:::BUCKET_NAME/*"
              ]
          }, {
              "Effect": "Allow",
              "Action": [
                  "s3:GetBucketLocation",
                  "s3:GetObject",
                  "s3:ListBucket",
                  "s3:PutObject",
                  "s3:GetBucketAcl"
              ],
              "Resource": [
                  "arn:aws:s3:::BUCKET_NAME",
                  "arn:aws:s3:::BUCKET_NAME/*"
              ]
          }, {
              "Effect": "Allow",
              "Action": [
                  "ec2:ModifySnapshotAttribute",
                  "ec2:CopySnapshot",
                  "ec2:RegisterImage",
                  "ec2:Describe*"
              ],
              "Resource": "*"
          } ]
      }
      role-policy.json

      Replace BUCKET_NAME with the name of the previously created bucket.

    4. Attach the inline role policy to the vmimport identity, granting it the rights to read the S3 bucket and perform the EC2 operations, using the aws iam put-role-policy command. For example:

      aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://~/Downloads/role-policy.json"

      Note: the aws iam put-role-policy command does not return any value on success.

  3. Use the vmimport identity to convert the OVA image to an AMI.

    1. Create a JSON file describing the disk containers used during the import.

      [
          {
              "Description": "DESCRIPTION",
              "Format": "ova",
              "UserBucket": {
                  "S3Bucket": "BUCKET_NAME",
                  "S3Key": "FILE_NAME"
              }
          }
      ]
      containers.json

      Replace:
      BUCKET_NAME with the bucket name. For example, "access-gateway-bucket".
      DESCRIPTION with an appropriate description. For example, "Okta Access Gateway".
      FILE_NAME with the name of the OVA file. For example, "Okta-AccessGateway.ova".

    2. Begin the import process using a command similar to:
      aws ec2 import-image --description "Okta Access Gateway" --license-type "BYOL" --disk-containers "file://~/Downloads/containers.json"

    3. Examine the output of the command and note the task ID associated with the import process.

      {
          "Status": "active",
          "LicenseType": "BYOL",
          "Description": "AG2019.ova.",
          "SnapshotDetails": [...],
          "Progress": "2",
          "StatusMessage": "pending",
          "ImportTaskId": "import-ami-08800a79da64acae7"
      }
      

    4. Examine the progress of the import using the task ID:
      aws ec2 describe-import-image-tasks --import-task-ids TASK_ID
      Where TASK_ID is the value from the prior step. For example:
      aws ec2 describe-import-image-tasks --import-task-ids import-ami-08800a79da64acae7

      Import progress is reported in the Progress JSON element as a percentage from 0 to 100.

      1. Monitor the import until its status reaches completed. For example:

        {
            "ImportImageTasks": [
                {
                    "Status": "completed",
                    "LicenseType": "BYOL",
                    "Description": "AG2019.ova.",
                    "ImageId": "ami-0c20c537e7f8dd6a5"
                }
            ]
        }

        Note the ImageId field; it will be used to confirm the image import in the AWS console.

  4. Confirm that the import completed in the AWS console

    1. Return to the AWS console

    2. Navigate to Services > EC2.

    3. In the left hand navigation pane select Images > AMI.

    4. Examine the image list, searching for the image with the matching ID.


      AWS AMI Image list
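The import procedure above, scripted end to end as an added example (not Okta's or AWS's own tooling). It assumes the aws CLI is installed and configured, that the OVA is already in the bucket, and that the policy files may be written to the current directory instead of ~/Downloads; the role policy keeps only the read-only bucket statement and the EC2 statement from the guide, since an import only reads the OVA.

```shell
#!/bin/sh
# Added example: automates the vmimport role setup, the import, and the
# progress polling from this guide. Assumes a configured aws CLI.

# Trust policy: only the VM Import service may assume the role, and only
# when it presents the external ID "vmimport" (confused-deputy protection).
trust_policy() {
  printf '%s\n' '{ "Version": "2012-10-17", "Statement": [ {' \
    '  "Effect": "Allow", "Principal": { "Service": "vmie.amazonaws.com" },' \
    '  "Action": "sts:AssumeRole",' \
    '  "Condition": { "StringEquals": { "sts:Externalid": "vmimport" } } } ] }'
}

# Role policy scoped to a single bucket ($1): read-only on the OVA objects
# plus the EC2 calls the import needs; nothing else is granted.
role_policy() {
  printf '%s\n' '{ "Version": "2012-10-17", "Statement": [' \
    '  { "Effect": "Allow",' \
    '    "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ],' \
    "    \"Resource\": [ \"arn:aws:s3:::$1\", \"arn:aws:s3:::$1/*\" ] }," \
    '  { "Effect": "Allow",' \
    '    "Action": [ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",' \
    '                "ec2:RegisterImage", "ec2:Describe*" ],' \
    '    "Resource": "*" } ] }'
}

# Full flow: $1 = bucket name, $2 = OVA object key. Prints the AMI id.
import_ova() {
  bucket=$1; key=$2
  trust_policy > trust-policy.json
  role_policy "$bucket" > role-policy.json
  aws iam create-role --role-name vmimport \
    --assume-role-policy-document file://trust-policy.json > /dev/null
  aws iam put-role-policy --role-name vmimport --policy-name vmimport \
    --policy-document file://role-policy.json
  task=$(aws ec2 import-image --description "Okta Access Gateway" \
    --license-type BYOL --query ImportTaskId --output text \
    --disk-containers "[{\"Format\":\"ova\",\"UserBucket\":{\"S3Bucket\":\"$bucket\",\"S3Key\":\"$key\"}}]")
  # Poll until the task leaves the active state; Progress runs 0-100.
  while :; do
    set -- $(aws ec2 describe-import-image-tasks --import-task-ids "$task" \
      --query 'ImportImageTasks[0].[Status,Progress,ImageId]' --output text)
    echo "task $task: status=$1 progress=${2:-?}" >&2
    case $1 in
      completed) echo "$3"; return 0 ;;
      deleted|deleting) echo "import $task failed" >&2; return 1 ;;
    esac
    sleep 30
  done
}
```

Run it as `import_ova my-access-gateway-bucket Okta-AccessGateway.ova`; the printed AMI id is the value to look for under Images > AMI in the console.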


AWS Specific Post Installation

The following AWS post installation steps are required to complete the deployment of Okta Access Gateway in an AWS environment.


Next Steps

After Okta Access Gateway has been installed there are a number of common post installation tasks that should be performed.
Including:

For More Information
