Amazon Web Services post-deployment tasks

During this task we will perform common required post deployment tasks:

Task(s) Description
Command line console initial login Reset the Access Gateway Management console password.

Reset the instance

Access Gateway must be initialized after first boot. This is done using the Access Gateway Management console, a command line interface for managing basic system functions.
Specify hostname Access Gateway defaults to a known gateway hostname which can be changed.
Configure required DNS
Configure required /etc/hosts admin and other DNS entries.
Admin console initial login
Connect to the Access Gateway Admin UI console and reset the default password.
Initialize Access Gateway Admin UI console Initialize the cookie domain and instance hostname.
Configure your Okta tenant as an identity provider Configure Okta tenant as an identify provider.
Configure SAML access to from your Okta tenant Configure Okta tenant to allow access to Access Gateway using SAML.
Integrate applications

Add one or more Access Gateway sample or other applications.

Command line console initial login

See Sign in to Access Gateway for the first time.

Reset the instance

At the command line main menu:

  1. Sign in to the Access Gateway Management console.

    Use either ssh oag-mgmt@admin, or with virtual environments (for example, Oracle VirtualBox), use the command window provided by the environment.

    Username: oag-mgmt Password: <default-password>

    The first time you sign in to Access Gateway Management console you must change the default password. See Sign in to Access Gateway for the first time.

  2. Select 5 System.
  3. Select 7 - Reset.
  4. Select Y to clear the configuration.
  5. Select Y to initialize the system.

The instance will pause for 1-2 minutes during reset.

After the system is successfully initialized, press any key to return to the menu.

Verify Configuration

  1. Press x to return to the main menu.
  2. Select 1 - Network .
  3. Select 2 - Test network configuration.
    Okta Access Gateway will attempt to contact www.okta.com and report any errors.
  4. Select 7 - Connectivity test.
    Enter www.okta.com as host and 443 as port.
  5. Confirm that the connection was successful.

Specify hostname

After initial login, change the underlying virtual appliance hostname.

Set the hostname of the appliance to a different name than the Access Gateway hostname. The hostname admin is reserved for the admin UI, and can't be used as the appliance hostname.

  1. Sign in to the Access Gateway Management console.

    Use either ssh oag-mgmt@admin, or with virtual environments (for example, Oracle VirtualBox), use the command window provided by the environment.

    Username: oag-mgmt Password: <default-password>

    The first time you sign in to Access Gateway Management console you must change the default password. See Sign in to Access Gateway for the first time.

  2. Enter 5 - System.
  3. Enter 1 - Change Hostname.
  4. At the Enter new hostname: prompt, enter the replacement hostname.
  5. Enter Y to continue, or N to cancel.
  6. Enter X to return to the system menu.

Configure required DNS

After initial deployment Access Gateway requires several specific DNS entries, including an entry in a local /etc/hosts ( or Windows equivalent) for initial configuration. Configure the following /etc/hosts and DNS entries.

Value Description

Example

admin Initial IP address of Access Gateway.
Entered into the local /etc/hosts or Windows equivalent.
Used only when initially configuring Access Gateway.
Note: For AWS this is elastic IP, otherwise instance IP address of Access Gateway instance.

/etc/hosts:
192.168.A.B admin

gw-admin.[yourdomain.tld]

IP address of Access Gateway, entered into DNS typically as an A record.

During testing and initial deployment this value can be added to /etc/hosts but should be recorded in DNS for production environments.

gw-admin.atko.xyz which might point to 192.168.A.B

gw [.yourdomain.tld] Access Gateway service listener.
Typically this value is entered as a DNS CNAME record pointing to the gw-admin[.yourdomain.tld].

gw.atko.xyz CNAME record pointing to oag-admin.atko.xyz

DNS summary

Name

Value

Description

Access Gateway domain gw.mysite.mycompany.com The default endpoint used to provide Access Gateway authentication and authorization services.
Access Gateway admin domain gw-admin.mysite.mycompany.com The endpoint used to provide admin UI services. Use this domain to access the local admin app.
Access Gateway default cookie domain mysite.mycompany.com The default cookie domain used for Access Gateway.

Please note:

  • Host entries are only required for status checks.
  • Entries are for a specific given Access Gateway node and are not application domains.
  • Entries should always be pointing to the host IP for the Access Gateway node.

Once configured the Access Gateway Admin UI console should be reachable using the https://gw-admin.[yourdomain.tld] entry as well as the http://admin from a local browser.

GUI console initial login

After configuring a local /etc/hosts entry log into the console using that entry and then reset the Management console management console password.

  1. Open https://admin/ in your browser and sign in using the default credentials. See Default Access Gateway credentials.

  2. Enter a new password, then re-enter it to verify. See Access Gateway password strength requirements.
  3. Click Next or Done.

Initialize Access Gateway Admin UI console

See Initialize the Access Gateway Admin UI console for instructions.

Configure Okta as IDP

See Configure an Identity Provider in Access Gateway for instructions.

Next steps

Configure Amazon Web Services high availability - Optionally configure Amazon Web Services load balancer and high availability.