Setup Access Gateway using Oracle Cloud Infrastructure
Overview
The purpose of this guide is to walk through the process of installing the Access Gateway software appliance into an Oracle Cloud Infrastructure (OCI) instance.
Oracle OCI can import and use the Okta Access Gateway virtual appliance. In order to use the OVA with OCI we must:
- Create a restricted Object Storage Bucket
Prerequisites
- You have reviewed all Prerequisites for Deploying Access Gateway
- You have installed Oracle VirtualBox version 6.0 or later.
- You have installed the Oracle VirtualBox extension pack.
- You have installed and are familiar with the Oracle Cloud Infrastructure CLI.
What’s covered in this guide
Download the latest OVA image.
To download the latest Okta Access Gateway OVA Image
- Download the Okta Access Gateway image from the Settings > Downloads page in Okta.
- When prompted, save the file to an appropriate location.
Upload Access Gateway OVA image to OCI.
An OCI Object Storage bucket can be created using either the CLI or the UI.
To create an OCI Storage bucket using the UI:
- Login to AWS as root.
- Select Services.
- In the Storage section click S3.
- Click + Create Bucket.
- Enter an appropriate name, for example my-access-gateway-bucket.
- From the Region drop down select the correct region.
- Follow the wizard steps to finish creating the bucket.
Upload the Okta Access Gateway OVA to the bucket
To upload the OVA to the bucket using the UI:
- Navigate to the OVA file, select it and click Next.
- Click Next through the follow-on upload steps.
When complete, the OVA will be uploaded to the bucket.
Note: Files can be uploaded to an existing bucket using the aws s3 cp command. For example:
aws s3 cp Okta-Access-Gateway.ova s3://my-access-gateway-bucket
aws s3 ls s3://my-access-gateway-bucket
2019-09-11 12:36:00 . . . Okta-AccessGateway.ova
Convert and import the OVA Image to an Amazon Machine Image (AMI)
Importing an OVA to AWS is a multi-step process.
- Open a terminal window.
- Create the required vmimport IAM identity role to import images.
Note: AWS requires the use of the vmimport identity role when importing an OVA.
- Create a json file, trust-policy.json, representing the trust policy for the vmimport IAM identity role as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vmie.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:Externalid": "vmimport" } }
    }
  ]
}
trust-policy.json
- In a terminal window create the IAM identity role using the aws iam create-role command with the new trust policy, as shown:
aws iam create-role --role-name vmimport --assume-role-policy-document "file://~/Downloads/trust-policy.json"
Which should return a result similar to:
{
  "Role": {
    "AssumeRolePolicyDocument": { . . . },
    ...
    "Arn": "arn:aws:iam::809227661992:role/vmimport"
  }
}
- Create a role policy, role-policy.json, to associate the new IAM identity with the previously created bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
role-policy.json
Replacing BUCKET_NAME with the previously created bucket's name.
- Grant an inline role policy to the vmimport identity, granting the rights needed to access the S3 bucket and perform ec2 operations, using the aws iam put-role-policy command. For example:
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://~/Downloads/role-policy.json"
Note: the aws iam put-role-policy command does not return any value on success.
- Use the vmimport identity to convert the OVA image to an AMI image.
- Create a json file, containers.json, representing the locations for the containers used during the import:
[
  {
    "Description": "DESCRIPTION",
    "Format": "ova",
    "UserBucket": {
      "S3Bucket": "BUCKET_NAME",
      "S3Key": "FILE_NAME"
    }
  }
]
containers.json
Replacing:
BUCKET_NAME with the bucket name. For example, "access-gateway-bucket".
DESCRIPTION with an appropriate description. For example, "Okta Access Gateway".
FILE_NAME with the specific name of the OVA file. For example, "Okta-AccessGateway.ova".
- Begin the import process using a command similar to:
aws ec2 import-image --description "Okta Access Gateway" --license-type "BYOL" --disk-containers "file://~/Downloads/containers.json"
- Examine the output of the command and note the task id associated with the import process.
{
  "Status": "active",
  "LicenseType": "BYOL",
  "Description": "AG2019.ova.",
  "SnapshotDetails": [...],
  "Progress": "2",
  "StatusMessage": "pending",
  "ImportTaskId": "import-ami-08800a79da64acae7"
}
- Examine the progress of the import using the task id:
aws ec2 describe-import-image-tasks --import-task-ids TASK_ID
Where TASK_ID is the value from the prior step. For example:
aws ec2 describe-import-image-tasks --import-task-ids import-ami-08800a79da64acae7
Import progress is noted in the Progress json element and represents a percentage from 0-100%.
- Monitor the import until it reaches status completed. For example:
{
  "ImportImageTasks": [
    {
      "Status": "completed",
      "LicenseType": "BYOL",
      "Description": "AG2019.ova.",
      "ImageId": "ami-0c20c537e7f8dd6a5"
    }
  ]
}
Note the ImageId field; it will be used to confirm the image import in the AWS console.
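The monitoring step above, automated as a poll loop that stops on completion and fails loudly if AWS abandons the import. This is an added example, not code from the Okta guide; it assumes the AWS CLI is installed and configured on the machine running it, and the canned output used for offline runs is constructed from the two JSON snapshots shown in this section.

```python
# Poll an EC2 VM Import task until it finishes (added example; not part of the Okta guide).
# Assumes the AWS CLI is on PATH and configured. The CLI runner is injectable so the
# parsing and wait logic can be exercised offline against constructed output.
import json
import subprocess
import time

def _aws(cmd):  # run an AWS CLI command and return its stdout; raises on non-zero exit
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def describe_task(task_id, run=_aws):
    """Return the first ImportImageTasks entry for task_id from describe-import-image-tasks."""
    out = run(["aws", "ec2", "describe-import-image-tasks", "--import-task-ids", task_id])
    tasks = json.loads(out).get("ImportImageTasks", [])
    if not tasks:
        raise LookupError(f"no import task found for {task_id}")
    return tasks[0]

def summarize(task):
    """Reduce a task to (status, progress_percent, status_message, image_id); Progress is a
    string such as "2" while active and is absent once the import has completed."""
    return (task.get("Status", ""), int(task.get("Progress") or 0),
            task.get("StatusMessage", ""), task.get("ImageId"))

def wait_for_import(task_id, run=_aws, poll_seconds=30, sleep=time.sleep, log=print):
    """Block until the task is terminal. Returns the AMI id on success; raises RuntimeError
    if AWS is deleting/deleted the task (a failed import) or completes without an ImageId."""
    while True:
        status, progress, message, image_id = summarize(describe_task(task_id, run))
        log(f"{task_id}: {status} {progress}% {message}".rstrip())
        if status == "completed":
            if not image_id:
                raise RuntimeError(f"{task_id} completed without an ImageId")
            return image_id
        if status in ("deleting", "deleted"):
            raise RuntimeError(f"import {task_id} failed: {status} {message}")
        sleep(poll_seconds)

# Constructed CLI output replaying the guide's two snapshots (ids are the guide's own
# examples; the intermediate 55% "converting" step is made up).
SAMPLE_OUTPUTS = [
    '{"ImportImageTasks": [{"Status": "active", "Progress": "2", "StatusMessage": "pending"}]}',
    '{"ImportImageTasks": [{"Status": "active", "Progress": "55", "StatusMessage": "converting"}]}',
    '{"ImportImageTasks": [{"Status": "completed", "ImageId": "ami-0c20c537e7f8dd6a5"}]}',
]

def canned_runner(outputs):
    """Fake `run` that replays constructed CLI output in order, for offline use."""
    it = iter(outputs)
    return lambda cmd: next(it)
```

Against a real account, call wait_for_import("import-ami-...") with the defaults; for a dry run, pass run=canned_runner(SAMPLE_OUTPUTS) and sleep=lambda s: None.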
Confirm that the import completed in the AWS console
- Return to the AWS console.
- Navigate to Services > EC2.
- In the left hand navigation pane select Images > AMI.
- Examine the image list, searching for the image with the matching id.
AWS Specific Post Installation
The following AWS post installation steps are required to complete the deployment of Okta Access Gateway in an AWS environment.
Next Steps
After Okta Access Gateway has been installed, there are a number of common post installation tasks that should be performed, including:
- Determine the IP Address of the Okta Access Gateway virtual application.
- Configure admin /etc/hosts entry
- Initialize the Command Line console
- Reset Passwords
- Initialize Access Gateway Admin UI Console
- Configure DNS
- Add Applications
For More Information
- See Okta Access Gateway Post Installation for a complete task list.
- See Access Gateway Command Line Management Console Reference for a complete list of management console commands.
- See Access Gateway Admin UI Console Overview for an overview of the Access Gateway UI console.