Amazon Web Services post deploy tasks

During this task we will perform the following common post-deployment tasks:

  • Reset Access Gateway and verify: Access Gateway must be initialized after first boot. This is done using the Access Gateway Management console, a command line interface for managing basic system functions.
  • Specify hostname: Access Gateway defaults to a known gateway hostname, which can be changed.
  • Configure required DNS: Configure the required /etc/hosts admin entry and other DNS entries.
  • Initialize Access Gateway Admin UI console: Initialize the cookie domain and instance hostname.
  • Configure your Okta tenant as an identity provider: Configure your Okta tenant as an identity provider.
  • Configure SAML access from your Okta tenant: Configure your Okta tenant to allow access to Access Gateway using SAML.
  • Integrate applications: Add one or more Access Gateway sample or other applications.

Reset the instance

At the command line main menu:

  1. Sign in to the Access Gateway Management console.

    Use either ssh oag-mgmt@admin, or with virtual environments (for example, Oracle VirtualBox), use the command window provided by the environment.

    Username: oag-mgmt Password: <default-password>

    The first time you sign in to Access Gateway Management console you must change the default password. See Initial sign in to Access Gateway Management console.

  2. Select 5 - System.
  3. Select 7 - Reset.
  4. Select Y to clear the configuration.
  5. Select Y to initialize the system.

The instance will pause for 1-2 minutes during reset.

After the system is successfully initialized, press any key to return to the menu.

Verify Configuration

  1. Press x to return to the main menu.
  2. Select 1 - Network.
  3. Select 2 - Test network configuration.
    Okta Access Gateway will attempt to contact www.okta.com and report any errors.
  4. Select 7 - Connectivity test.
    Enter www.okta.com as host and 443 as port.
  5. Confirm that the connection was successful.

Specify hostname

After initial login, change the underlying virtual appliance hostname.

Set the hostname of the appliance to a different name than the Access Gateway hostname. The hostname admin is reserved for the admin UI, and can't be used as the appliance hostname.

  1. Sign in to the Access Gateway Management console.

    Use either ssh oag-mgmt@admin, or with virtual environments (for example, Oracle VirtualBox), use the command window provided by the environment.

    Username: oag-mgmt Password: <default-password>

    The first time you sign in to Access Gateway Management console you must change the default password. See Initial sign in to Access Gateway Management console.

  2. Enter 5 - System.
  3. Enter 1 - Change Hostname.
  4. At the Enter new hostname: prompt, enter the replacement hostname.
  5. Enter Y to continue, or N to cancel.
  6. Enter X to return to the system menu.

Configure required DNS

After initial deployment Access Gateway requires several specific DNS entries, including an entry in a local /etc/hosts (or Windows equivalent) for initial configuration. Configure the following /etc/hosts and DNS entries.

  • admin
    Description: Initial IP address of Access Gateway. Entered into the local /etc/hosts or Windows equivalent. Used only when initially configuring Access Gateway.
    Note: For AWS this is the elastic IP; otherwise it is the instance IP address of the Access Gateway instance.
    Example (/etc/hosts): 192.168.A.B admin

  • gw-admin.[yourdomain.tld]
    Description: IP address of Access Gateway, entered into DNS, typically as an A record. During testing and initial deployment this value can be added to /etc/hosts, but it should be recorded in DNS for production environments.
    Example: gw-admin.atko.xyz, which might point to 192.168.A.B

  • gw.[yourdomain.tld]
    Description: Access Gateway service listener. Typically this value is entered as a DNS CNAME record pointing to gw-admin.[yourdomain.tld].
    Example: gw.atko.xyz CNAME record pointing to oag-admin.atko.xyz

Figure: DNS summary of the settings for an Access Gateway node with cookie domain atko.com and gateway oag-atko.com

Please note:

  • Host entries are only required for status checks.
  • Entries are for a specific given Access Gateway node and are not application domains.
  • Entries should always be pointing to the host IP for the Access Gateway node.

Once configured, the Access Gateway Admin UI console should be reachable from a local browser using the https://gw-admin.[yourdomain.tld] entry as well as http://admin.
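The DNS layout described above, as an added example that is not part of Okta's documentation or product: a Python check that resolves the gw and gw-admin names against a constructed in-memory zone, parses a constructed /etc/hosts, and reports any deviation from the three notes (admin only in the hosts file, gw-admin as an A record, gw following a CNAME chain to the same node IP). The domain atko.xyz, the node address 192.168.10.20 and the record contents are assumptions for the example, and the CNAME target follows the description (gw-admin) rather than the example row; the resolve() function is an in-memory stand-in that a real check would replace with a resolver query.

```python
"""Verify the DNS and /etc/hosts layout that Access Gateway expects.

Added example, not Okta's code. Records are resolved against a constructed
in-memory zone so the check runs offline.
"""

# Constructed sample records for a node at 192.168.10.20 (made-up address).
ZONE = {
    "gw-admin.atko.xyz": ("A", "192.168.10.20"),
    "gw.atko.xyz": ("CNAME", "gw-admin.atko.xyz"),
}
# Constructed /etc/hosts content with the temporary 'admin' entry.
ETC_HOSTS = """\
127.0.0.1   localhost
# Access Gateway initial-configuration entry (remove after setup)
192.168.10.20   admin
"""


def parse_hosts(text):
    """Map hostnames to IPs from /etc/hosts-style text, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def resolve(name, zone, max_hops=8):
    """Follow CNAMEs in `zone` until an A record; return (ip, chain of names)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "A":
            return value, chain
        if rtype == "CNAME":
            name = value
            chain.append(name)
            continue
        raise LookupError(f"no A/CNAME record for {name}")
    raise LookupError(f"CNAME chain too long starting at {chain[0]}")


def verify_layout(domain, node_ip, zone, hosts_text):
    """Return a list of problems; an empty list means the layout matches the guide."""
    problems = []
    admin_name, gw_name = f"gw-admin.{domain}", f"gw.{domain}"
    # 1. gw-admin must be an A record that points at the node IP.
    try:
        ip, chain = resolve(admin_name, zone)
        if ip != node_ip:
            problems.append(f"{admin_name} resolves to {ip}, expected {node_ip}")
        if len(chain) > 1:
            problems.append(f"{admin_name} should be an A record, not a CNAME")
    except LookupError as exc:
        problems.append(str(exc))
    # 2. gw must end at the same node IP (normally via a CNAME to gw-admin).
    try:
        ip, chain = resolve(gw_name, zone)
        if ip != node_ip:
            problems.append(f"{gw_name} resolves to {ip}, expected {node_ip}")
    except LookupError as exc:
        problems.append(str(exc))
    # 3. 'admin' lives only in /etc/hosts, for initial configuration.
    hosts = parse_hosts(hosts_text)
    if hosts.get("admin") != node_ip:
        problems.append("/etc/hosts has no 'admin' entry for the node IP")
    if "admin" in zone:
        problems.append("'admin' must not be published in DNS")
    return problems


if __name__ == "__main__":
    for line in verify_layout("atko.xyz", "192.168.10.20", ZONE, ETC_HOSTS) or ["layout OK"]:
        print(line)
```

Running the block as written prints "layout OK"; pointing it at a misconfigured zone (for example a gw CNAME whose target has no A record) lists each problem, which is the same set of conditions an operator checks by hand before opening https://gw-admin.[yourdomain.tld].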

Initialize Access Gateway Admin UI console

Initialize Access Gateway by specifying cookie and related domain addresses.

  1. Open https://admin/ in your browser and sign in using the default credentials. See Access Gateway default credentials.

    You're prompted to change the default password. See Initial sign in to Access Gateway Admin UI console.

  2. Enter a cookie domain and hostname for the Access Gateway instance, and click Next. A standard practice is to set the hostname to be the cookie domain prefixed with gw. For example:

    • SSO Cookie domain: mysite.mycompany.com
    • Access Gateway Hostname: gw.mysite.mycompany.com
  3. Click Done.

  4. Return to the Access Gateway browser and sign in again using the new admin domain.

  5. The Access Gateway Admin Topology page opens.
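The cookie domain and hostname pair entered in step 2, as an added example that is not part of Okta's documentation or product: a Python check that applies the guide's gw.<cookie domain> convention together with general cookie-scoping rules. The rules beyond the convention (the hostname must lie inside the cookie domain, the cookie domain must be a valid DNS name and not a bare public suffix) are assumptions drawn from how browsers scope cookies, and the short public-suffix list is constructed for the example.

```python
"""Check an Access Gateway SSO cookie domain / hostname pair before initialization.

Added example, not Okta's code. The guide's convention is hostname = "gw." +
cookie domain; the remaining rules are general cookie-scoping assumptions.
"""
import re

# One DNS label: 1-63 chars of a-z, 0-9 and '-', not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Constructed short list; a real check would consult the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "co.uk"}


def is_hostname(name):
    """True if `name` is a syntactically valid DNS host name."""
    name = name.lower().rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL.match(lab) for lab in name.split("."))


def validate_sso_names(cookie_domain, hostname):
    """Return a list of problems; an empty list means the pair is acceptable."""
    problems = []
    cd, hn = cookie_domain.lower().strip("."), hostname.lower().strip(".")
    for what, value in (("cookie domain", cd), ("hostname", hn)):
        if not is_hostname(value):
            problems.append(f"{what} {value!r} is not a valid DNS name")
    # A cookie scoped to a public suffix (e.g. 'com') is rejected by browsers,
    # and one that was accepted would be shared with every site under it.
    if cd in PUBLIC_SUFFIXES or "." not in cd:
        problems.append(f"cookie domain {cd!r} is a public suffix")
    # The SSO cookie is only sent to hosts inside its domain, so the gateway
    # hostname must be the cookie domain itself or a name beneath it.
    if hn != cd and not hn.endswith("." + cd):
        problems.append(f"hostname {hn!r} is outside cookie domain {cd!r}")
    return problems


def follows_convention(cookie_domain, hostname):
    """True if the hostname is the cookie domain prefixed with 'gw.' as the guide suggests."""
    return hostname.lower().strip(".") == suggested_hostname(cookie_domain)


def suggested_hostname(cookie_domain):
    """The hostname the guide's convention would produce for a cookie domain."""
    return "gw." + cookie_domain.lower().strip(".")


if __name__ == "__main__":
    for cd, hn in (("mysite.mycompany.com", "gw.mysite.mycompany.com"),
                   ("mysite.mycompany.com", "gw.other.com"),
                   ("com", "gw.com")):
        print(cd, hn, validate_sso_names(cd, hn) or "OK",
              "(convention)" if follows_convention(cd, hn) else "")
```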

Configure Okta as IDP

Configuring Okta as the Identity Provider (IdP) for Access Gateway involves three individual tasks.

  1. Create an Okta service account for Access Gateway

    Okta recommends that you create and use a dedicated service account to create the Access Gateway API key. This helps maintain accurate logs since Okta logs every action performed by an API key under the user that created the key.

    1. In the Admin Console, go to Directory > People.
    2. Click Add Person.
    3. For the Service Account, enter a first name and family name.
    4. For the Username and Primary email values, enter a placeholder email. For example, service.admin@domain.com.

      Use placeholder values for the Username and Primary email to avoid interference between the service account and your account. Enter your email address as the Secondary email. Then, if you need to request a password reset, you're able to activate and maintain the service account.

    5. For the Secondary email, enter your valid administrator email.
    6. Select the checkbox for Send user activation email and click Save. You should now see your newly created service account under the Activated people tab with a Password reset status.
    7. In the Admin Console, go to Security > Administrators.
    8. Click Add Administrator.
    9. For the Grant administrator role to value, enter the name of the service account created earlier.
    10. Select the Super Administrator checkbox, and click Add Administrator. You should now have two super administrator accounts.
    11. Sign out of your Okta administrator account.
    12. In the email account for your service account, open the activation email you received from Okta and click the activation link.
    13. Set a password and a security question, and select a security image for the account.
    14. Upon completion, sign in with the new service account credentials.
  2. Create an Okta API token
    1. In the Admin Console, go to Security > API.
    2. Click Create token.
    3. Enter a token name that identifies the token's purpose. For example, you might include Access Gateway or OAG in the name.
    4. Click Create token.
    5. Copy the Token Value and store it in a secure location, such as a password manager, for future reference. After you close this window, you can no longer view the token value.
    6. Click Ok, got it.
  3. Configure an IdP in Access Gateway
    1. In your browser, go to the Access Gateway Admin UI console and sign in as an administrator.
    2. Select the Settings tab.
    3. Click the Identity Providers pane.
    4. Click + and select OKTA.
    5. Enter the following:

      • Name: Enter a meaningful name for the IdP (for example, Okta IdP).

      • Okta Org: Enter your org (for example, orgname.oktapreview.com, orgname.okta.com, or similar).

      • Okta API Token: Paste the token value that you copied from your Okta org when you created the Okta API token.

    6. Click Not Validated. This label changes to Validated when the Okta API Token is successfully validated.
    7. Click Okay. The Settings tab displays your Okta IdP status, which should be Valid.
    8. Click the Topology tab. Your IdP is represented by an icon labeled with the name that you entered.
    9. Click your IdP's icon. If it's configured correctly, you're redirected to your Okta tenant.
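The logging rationale given for the dedicated service account (every action performed with the API token is logged under the user that created the token), as an added example that is not part of Okta's documentation or product: Python detection logic that runs over a constructed list of events shaped like Okta System Log entries, counts actions per attributed actor, and flags service-account activity from a source address other than the Access Gateway node. The sample events, addresses and the expected source set are constructed; the service account name is the guide's placeholder.

```python
"""Attribute Okta System Log activity to the Access Gateway service account.

Added example, not Okta's code. Events are constructed to match the System Log
field layout (actor.alternateId, client.ipAddress, eventType, outcome.result,
published); addresses and names are made up.
"""
from collections import Counter

SERVICE_ACCOUNT = "service.admin@domain.com"  # placeholder username from the guide
# Addresses the API token is expected to be used from: the Access Gateway node.
# Constructed for the example; substitute the node's real address.
EXPECTED_SOURCES = {"192.168.10.20"}

# Constructed sample events.
EVENTS = [
    {"published": "2024-01-10T09:00:00Z", "eventType": "system.api_token.create",
     "actor": {"alternateId": "admin@domain.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.5"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-01-10T09:05:00Z", "eventType": "group.user_membership.add",
     "actor": {"alternateId": SERVICE_ACCOUNT, "type": "User"},
     "client": {"ipAddress": "192.168.10.20"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-01-11T22:41:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": SERVICE_ACCOUNT, "type": "User"},
     "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-01-12T03:10:00Z", "eventType": "group.user_membership.add",
     "actor": {"alternateId": SERVICE_ACCOUNT, "type": "User"},
     "client": {"ipAddress": "192.168.10.20"}, "outcome": {"result": "FAILURE"}},
]


def actions_by_actor(events):
    """Count successful events per actor, i.e. whom Okta attributed each action to."""
    counts = Counter()
    for ev in events:
        if ev.get("outcome", {}).get("result") == "SUCCESS":
            counts[ev["actor"]["alternateId"]] += 1
    return dict(counts)


def unexpected_service_account_activity(events, account=SERVICE_ACCOUNT,
                                        expected_sources=EXPECTED_SOURCES):
    """Events attributed to the service account from an address outside
    expected_sources. Because the account is dedicated to Access Gateway, no
    person should be acting as it, so each hit is worth investigating."""
    return [ev for ev in events
            if ev["actor"]["alternateId"] == account
            and ev["client"]["ipAddress"] not in expected_sources]


if __name__ == "__main__":
    print(actions_by_actor(EVENTS))
    for ev in unexpected_service_account_activity(EVENTS):
        print("review:", ev["published"], ev["eventType"], ev["client"]["ipAddress"])
```

Had the API token been created under a human administrator instead, the gateway's actions would appear in the second dictionary entry under that administrator's name, mixed with their own interactive activity, and the source-address check would produce false hits for every place that administrator signs in from.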

Next steps

Configure Amazon Web Services high availability - Optionally configure Amazon Web Services load balancer and high availability.