Services allow you to authenticate and log in to servers using a service user. This lets automation that needs access to remote servers use the same short-lived certificates as interactive users, instead of a long-lived static credential stored on the automation host.
Consider a basic example: you use your CI servers to deploy the latest build to your application servers. A typical solution is a static SSH key without a passphrase, relying on SSH to perform whatever operations are required on the remote server. That key is a bearer credential: anyone who can read it from the CI host can use it, from anywhere, for as long as it stays authorized, and revoking it means touching every server that trusts it. By defining a service in Advanced Server Access you eliminate the static credential and ensure that your CI user only has access to production when you intend it to.
The rest of this page walks through this example and shows how to configure Jenkins to use service authentication to SSH to remote hosts.
To get started, configure these basic requirements first:
- Install the Advanced Server Access agent and enroll the server in Advanced Server Access
- Install the Advanced Server Access client on the server
- Identify the UID of the Jenkins user (on Linux you can use a command similar to id -u <user name>)
- Create a service user and add an API key to it
- Make sure the service user is provisioned on the servers you'd like to access, through the project those servers belong to
Now you can create a service that lets Jenkins authenticate to servers securely.
To create a service, navigate to the services tab on the server details page of the source server you identified earlier, where Jenkins is running.
Here you should see a list of existing services for this server and a button to create a new service. Click it, then select the service user to authenticate as and enter the UID of the Jenkins user. The service binds the service user to that UID on this server: processes running as that UID can authenticate as the service user, so the UID you enter is what ties the service identity to the Jenkins process rather than to a credential on disk.
The final step for enabling service authentication is to configure sft. On your Jenkins server, as the Jenkins user, run sft config service_auth.enable true. This tells sft that it should attempt to use service authentication instead of expecting an enrolled client.
You should now be able to SSH to remote hosts managed by Advanced Server Access with a command like sft ssh <server-name>.
To fully leverage service authentication in Jenkins, configure an SSH ProxyCommand for the Jenkins user so that any tool that relies on SSH (Jenkins SSH steps, git over SSH, rsync, and so on) authenticates transparently. To do this, run sft proxycommand --config and copy the output into the SSH configuration file for the Jenkins user (for example, /home/jenkins/.ssh/config). See SSH setup.
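The configuration steps above, collected into one script that could be run by whatever provisions the Jenkins agent. This is an added example, not code from the Okta documentation. It assumes sft is installed and the server is enrolled, that the service has already been created in the console for the service user and this user's UID, and that the server name passed on the command line resolves through Advanced Server Access. The marker lines and the replace-on-rerun behaviour are this example's own convention; the ProxyCommand stanza installed is whatever sft proxycommand --config prints, nothing is assumed about its contents.

```shell
#!/usr/bin/env bash
# Added example (not from the Okta documentation): enable service authentication
# for the Jenkins user and install the sft ProxyCommand stanza into its ssh config.
# Assumptions: sft is installed, the server is enrolled, and the service for this
# UID has already been created in the Advanced Server Access console.
set -euo pipefail

SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"
# Marker lines are this script's convention, used to find and replace its own section.
MARKER_BEGIN="# BEGIN Advanced Server Access service auth (managed)"
MARKER_END="# END Advanced Server Access service auth (managed)"

# UID the console asks for when the service is created on the source server.
jenkins_uid() {
  id -u "${1:-jenkins}"
}

# Install an ssh config snippet ($1) into the file $2 between the marker lines,
# removing any earlier managed section first so repeated runs never stack
# duplicate Match/ProxyCommand stanzas. File ends up 0600 in a 0700 directory.
install_ssh_snippet() {
  local snippet="$1" config="$2" tmp
  mkdir -p "$(dirname "$config")"
  chmod 700 "$(dirname "$config")"
  touch "$config"
  tmp="$(mktemp)"
  awk -v b="$MARKER_BEGIN" -v e="$MARKER_END" '
    $0 == b { skip = 1; next }
    $0 == e { skip = 0; next }
    !skip   { print }
  ' "$config" > "$tmp"
  printf '%s\n%s\n%s\n' "$MARKER_BEGIN" "$snippet" "$MARKER_END" >> "$tmp"
  mv "$tmp" "$config"
  chmod 600 "$config"
}

# Number of managed sections in an ssh config; stays at exactly 1 however
# many times install_ssh_snippet has run.
managed_sections() {
  grep -c -x -F "$MARKER_BEGIN" "$1" || true
}

# Switch sft to the service identity bound to this UID (instead of an enrolled
# client) and install the stanza sft generates, so every tool that shells out
# to ssh (Jenkins SSH steps, git over ssh, rsync) authenticates transparently.
configure_service_auth() {
  sft config service_auth.enable true
  install_ssh_snippet "$(sft proxycommand --config)" "$SSH_CONFIG"
}

# Non-interactive round trip through the ProxyCommand. BatchMode makes a
# missing authorization fail immediately rather than hang a build on a prompt.
verify_access() {
  ssh -o BatchMode=yes "$1" true
}

if [ "${1:-}" = "--apply" ]; then
  echo "UID to enter in the ASA console for this service: $(jenkins_uid "$(id -un)")"
  configure_service_auth
  verify_access "${2:?usage: $0 --apply <server-name>}"
fi
```

Run it as the Jenkins user: ./setup-service-auth.sh --apply <server-name>. Re-running replaces the managed section instead of appending another copy, so the config does not grow a stanza per deployment run. One caveat worth keeping in mind: because the service is granted to a UID, every job and plugin that executes as the Jenkins user on that host inherits the production access, so the Jenkins user and the agent host should be treated with the same care as the static key they replace.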