Amazon Web Services post deploy tasks

During this task we will perform common required post-deployment tasks:

Task and description:

  • Reset Access Gateway and verify: Access Gateway must be initialized after first boot. This is done using the Access Gateway Management console, a command-line interface for managing basic system functions.
  • Specify hostname: Access Gateway defaults to a known gateway hostname, which can be changed.
  • Configure required DNS: Configure the required /etc/hosts admin entry and other DNS entries.
  • Initialize Access Gateway Admin UI console: Initialize the cookie domain and instance hostname.
  • Configure your Okta tenant as an identity provider: Configure your Okta tenant as an identity provider.
  • Configure SAML access from your Okta tenant: Configure your Okta tenant to allow access to Access Gateway using SAML.
  • Integrating applications: Add one or more Access Gateway sample or other applications.

Reset the instance

At the command line main menu:

  1. Sign in to the Access Gateway Management console.

    Use either ssh oag-mgmt@admin, or with virtual environments (for example, Oracle VirtualBox), use the command window provided by the environment.

    Username: oag-mgmt Password: <default-password>

    The first time you sign in to Access Gateway Management console you must change the default password. See Initial sign in to Access Gateway Management console for more information.

  2. Select 5 - System.
  3. Select 7 - Reset.
  4. Select Y to clear the configuration.
  5. Select Y to initialize the system.

The instance will pause for 1-2 minutes during reset.

After the system is successfully initialized, press any key to return to the menu.

Verify Configuration

  1. Press x to return to the main menu.
  2. Select 1 - Network.
  3. Select 2 - Test network configuration.
    Okta Access Gateway will attempt to contact www.okta.com and report any errors.
  4. Select 7 - Connectivity test.
    Enter www.okta.com as host and 443 as port.
  5. Confirm that the connection was successful.

Specify hostname

After initial login, change the underlying virtual appliance hostname.

Set the hostname of the appliance to a different name than the Access Gateway hostname. The hostname admin is reserved for the admin UI, and can't be used as the appliance hostname.

  1. Sign in to the Access Gateway Management console.

    Use either ssh oag-mgmt@admin, or with virtual environments (for example, Oracle VirtualBox), use the command window provided by the environment.

    Username: oag-mgmt Password: <default-password>

    The first time you sign in to Access Gateway Management console you must change the default password. See Initial sign in to Access Gateway Management console for more information.

  2. Enter 5 - System.
  3. Enter 1 - Change Hostname.
  4. At the Enter new hostname: prompt, enter the replacement hostname.
  5. Enter Y to continue, or N to cancel.
  6. Enter X to return to the system menu.

Configure required DNS

After initial deployment Access Gateway requires several specific DNS entries, including an entry in a local /etc/hosts (or Windows equivalent) for initial configuration. Configure the following /etc/hosts and DNS entries.

Value, description and example:

  • admin: Initial IP address of Access Gateway. Entered into the local /etc/hosts or Windows equivalent. Used only when initially configuring Access Gateway. Note: for AWS this is the elastic IP; otherwise it is the instance IP address of the Access Gateway instance.
    Example, in /etc/hosts:
    192.168.A.B admin

  • gw-admin.[yourdomain.tld]: IP address of Access Gateway, entered into DNS, typically as an A record. During testing and initial deployment this value can be added to /etc/hosts, but it should be recorded in DNS for production environments.
    Example: gw-admin.atko.xyz, which might point to 192.168.A.B

  • gw.[yourdomain.tld]: Access Gateway service listener. Typically this value is entered as a DNS CNAME record pointing to gw-admin.[yourdomain.tld].
    Example: gw.atko.xyz CNAME record pointing to oag-admin.atko.xyz

Figure: DNS summary of the settings for an Access Gateway node with cookie domain atko.com and gateway oag-atko.com

Please note:

  • Host entries are only required for status checks.
  • Entries are for a specific given Access Gateway node and are not application domains.
  • Entries should always be pointing to the host IP for the Access Gateway node.

Once configured, the Access Gateway Admin UI console should be reachable using the https://gw-admin.[yourdomain.tld] entry as well as http://admin from a local browser.
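A small consistency check for the three entries described above, added here as an example (it is not Okta's code and not part of the Access Gateway appliance). It models the hosts-file entry and the two DNS records and verifies that they all lead to the same Access Gateway IP, which is the point of the note that entries must always point to the host IP of the node. The hosts-file text, the zone records, the domain atko.xyz and the address 192.168.10.20 are constructed sample values; the function names are this example's own.

```python
"""Consistency check for the /etc/hosts and DNS entries Access Gateway needs.

Added example (not Okta's code). It models the three entries the table
describes and verifies they all point at the same Access Gateway IP:
  admin                -> instance IP, local hosts file only
  gw-admin.<domain>    -> instance IP, A record in DNS
  gw.<domain>          -> CNAME to gw-admin.<domain>
The hosts text, zone records and IP address below are constructed samples.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Record = Tuple[str, str, str]  # (name, type, value)

# Constructed sample hosts-file content; 192.168.10.20 is a placeholder IP.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# Access Gateway: only needed during initial configuration
192.168.10.20   admin
"""

# Constructed sample DNS records for the example domain atko.xyz.
SAMPLE_ZONE: Sequence[Record] = (
    ("gw-admin.atko.xyz", "A", "192.168.10.20"),
    ("gw.atko.xyz", "CNAME", "gw-admin.atko.xyz"),
)


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each name in hosts-file text to its IP, ignoring comments and blank lines."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def lookup(zone: Sequence[Record], name: str, rtype: str) -> Optional[str]:
    """Return the first record value of the given type for name, or None."""
    for rname, rt, value in zone:
        if rname.lower() == name.lower() and rt == rtype:
            return value
    return None


def resolve(zone: Sequence[Record], name: str, depth: int = 0) -> Optional[str]:
    """Follow CNAMEs until an A record is found; None if the name does not resolve."""
    if depth > 8:  # guard against CNAME loops
        return None
    addr = lookup(zone, name, "A")
    if addr is not None:
        return addr
    target = lookup(zone, name, "CNAME")
    return resolve(zone, target, depth + 1) if target else None


def check_access_gateway_dns(hosts_text: str, zone: Sequence[Record],
                             domain: str, expected_ip: str) -> List[str]:
    """Return the list of inconsistencies; an empty list means all entries agree."""
    ipaddress.ip_address(expected_ip)  # raises ValueError on a malformed address
    domain = domain.lower().strip(".")
    admin_fqdn, gw_fqdn = f"gw-admin.{domain}", f"gw.{domain}"
    problems: List[str] = []

    # 1. 'admin' lives in the local hosts file and points at the instance IP.
    admin_ip = parse_hosts(hosts_text).get("admin")
    if admin_ip != expected_ip:
        problems.append(f"hosts file: 'admin' maps to {admin_ip}, expected {expected_ip}")

    # 2. gw-admin.<domain> is an A record for the same IP.
    if lookup(zone, admin_fqdn, "A") != expected_ip:
        problems.append(f"{admin_fqdn}: expected A record for {expected_ip}")

    # 3. gw.<domain> is a CNAME to gw-admin.<domain>, so it resolves to the same IP.
    cname = lookup(zone, gw_fqdn, "CNAME")
    if cname is None:
        problems.append(f"{gw_fqdn}: expected a CNAME record pointing to {admin_fqdn}")
    elif cname.lower() != admin_fqdn:
        problems.append(f"{gw_fqdn}: CNAME points to {cname}, expected {admin_fqdn}")
    if resolve(zone, gw_fqdn) != expected_ip:
        problems.append(f"{gw_fqdn}: resolves to {resolve(zone, gw_fqdn)}, expected {expected_ip}")
    return problems


if __name__ == "__main__":
    result = check_access_gateway_dns(SAMPLE_HOSTS, SAMPLE_ZONE, "atko.xyz", "192.168.10.20")
    for line in result or ["all entries consistent"]:
        print(line)
```

To run it against a real deployment, pass the contents of your hosts file and the records returned by your DNS provider instead of the constructed samples; any non-empty result names the entry that disagrees with the instance IP.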

Initialize Access Gateway Admin UI console

Initialize Access Gateway by specifying cookie and related domain addresses.

  1. If required, open a browser and navigate to https://admin/ and sign in. The default credentials are:

    Username: admin

    Password: <default-password>

    The first time you sign in to the Access Gateway Admin UI console, you must change the default password. See Initial sign in to Access Gateway Admin UI console.

  2. Enter a cookie domain and hostname for the Access Gateway instance, and click Next.

    The cookie domain and hostname values are typically of the form:

    • Cookie domain: the name of the domain without prefix. Example: mysite.mycompany.com
    • Access Gateway Hostname: the cookie domain prefixed with [gw]. Example: gw.mysite.mycompany.com

    Setup wizard page 1

  3. Click Done.

  4. Return to the Access Gateway browser and sign in again using the new admin domain.

  5. After signing in, you are directed to the Access Gateway Admin Topology page.

    Topology page
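The cookie domain decides which hosts the browser will send the Access Gateway session cookie to, so the hostname entered in step 2 has to sit inside that domain. The following check is an added example (not Okta's code, and not what the wizard itself runs) that applies the RFC 6265 domain-match rule to a cookie-domain and hostname pair of the form shown in the table above. The single-label test stands in for a full public-suffix check, which is an assumption of this example; the sample values are constructed.

```python
"""Check the cookie domain and hostname pair entered in the setup wizard.

Added example, not Okta's code. It applies the RFC 6265 domain-match rule
(the session cookie is only sent to hosts equal to, or below, the cookie
domain) and the form the wizard table describes: hostname = cookie domain
with a gw prefix. The single-label test is a deliberate simplification of a
full public-suffix check; the sample values are constructed.
"""
import re
from typing import List

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalise(name: str) -> str:
    """Lower-case and strip surrounding whitespace and dots."""
    return name.strip().lower().strip(".")


def is_valid_dns_name(name: str) -> bool:
    """Every label must match LABEL_RE and the whole name must fit in 253 chars."""
    name = normalise(name)
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def domain_matches(hostname: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or ends with '.' + domain.
    The dot matters: 'gwmysite.mycompany.com' must not match 'mysite.mycompany.com'."""
    host, domain = normalise(hostname), normalise(cookie_domain)
    return host == domain or host.endswith("." + domain)


def suggested_hostname(cookie_domain: str) -> str:
    """The form the wizard table describes: the cookie domain prefixed with gw."""
    return "gw." + normalise(cookie_domain)


def check_wizard_values(cookie_domain: str, hostname: str) -> List[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    domain, host = normalise(cookie_domain), normalise(hostname)
    problems: List[str] = []
    for what, value in (("cookie domain", domain), ("hostname", host)):
        if not is_valid_dns_name(value):
            problems.append(f"{what} {value!r} is not a valid DNS name")
    if "." not in domain:
        problems.append(f"cookie domain {domain!r} is a single label; browsers refuse "
                        "cookies scoped to a top-level domain or public suffix")
    if not domain_matches(host, domain):
        problems.append(f"hostname {host!r} is outside cookie domain {domain!r}; "
                        "the gateway session cookie would never reach it "
                        f"(expected something like {suggested_hostname(domain)})")
    return problems


if __name__ == "__main__":
    for pair in (("mysite.mycompany.com", "gw.mysite.mycompany.com"),
                 ("mysite.mycompany.com", "gwmysite.mycompany.com")):
        print(pair, "->", check_wizard_values(*pair) or "ok")
```

The second sample pair is the instructive one: gwmysite.mycompany.com looks like a subdomain at a glance, but without the separating dot it is a different host, and a cookie scoped to mysite.mycompany.com would never be sent to it.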

Configure Okta as IDP

After Access Gateway has been installed, and typical post installation tasks have been performed, your Okta tenant must be configured as an IDP. This page lists the tasks to configure your Okta tenant as an Okta Access Gateway Identity Provider.

Tasks

Configuring Okta as the identity provider for Access Gateway involves three individual tasks.

  1. Create an Okta Service Account for Access Gateway
    1. In your browser, go to your Okta org and sign in as an administrator.

      Okta recommends creating a specific service account in Okta to create the Access Gateway API key. This is important because Okta logs every action performed by an API key under the user that created the key. In the interest of maintaining accurate logs, Okta recommends a dedicated Access Gateway service account.

    2. In the Admin Console, go to Directory > People.
    3. Click Add Person.
    4. For the Service Account, enter a first name and family name.
    5. For the Username and Primary email values, enter a dummy email. For example service.admin@domain.com.

      Use dummy values for the Username and Primary email to avoid interference between the service account and your own account. If you need to request a password reset, adding your own email address for the Secondary email ensures you can activate and maintain the service account.

    6. For the Secondary email, enter your valid administrator email.
    7. Select the checkbox for Send user activation email and click Save. You should now see your newly created service account under the Activated people tab with a Password reset status.
    8. In the Admin Console, go to Security > Administrators.
    9. Click Add Administrator.
    10. For the Grant administrator role to value, enter the name of the service account created earlier.
    11. Select the Super Administrator checkbox, and click Add Administrator. You should now have two super administrator accounts.
    12. Sign out of your Okta administrator account.
    13. In the email account for your service account, open the activation email you received from Okta and click the activation link.
    14. Set a password and a security question, and select a security image for the account.
    15. Upon completion, sign in with the new service account credentials.
  2. Create an Okta API Token
    1. Navigate to your Okta org.

    2. In the Admin Console, go to Security > API.
    3. On the API page, click Create Token.
    4. Enter a Token Name in the dialog box, and click Create Token.

      Use a name that easily identifies the token's purpose. In this case, the token is used by the Access Gateway appliance, so including Access Gateway, OAG, or other relevant information is recommended.

    5. Copy the displayed Token Value in a safe place.
    6. Once you close the pop-up window, you can never display the token value again.
      Ensure you copy the token to a safe, secure location (such as a password manager or secure note database) for future reference.

    7. Click Ok, got it.
  3. Configure an IDP in Access Gateway
    1. In your browser, navigate to the Access Gateway Admin UI console and sign in as an administrator.
    2. Select the Settings tab.
    3. Click the Identity Providers pane.
    4. Click + and select OKTA.
    5. In the Add New Okta IDP dialog enter:

      • Name field - enter an appropriate name for the IDP such as Okta IDP.

      • Okta Org - Enter your Okta org, which is typically one of {your org name}.oktapreview.com, {your org name}.okta.com, or something similar.

        Note that this field is blank in the following screenshot, but it must be completed.

      • Okta API Token - Paste the value you copied from your Okta org when you created the Okta API token.

      Access Gateway Add New Okta IDP dialog shown with Name, Okta Org and Okta API token highlighted.

    6. Click Not Validated. After the Okta API Token is validated successfully, the Not Validated button changes to Validated.
    7. Click Okay. The Settings tab displays your Okta IDP status.
    8. Verify that it displays the status as Valid.

      Access Gateway Settings page shown with the new Okta IDP added with Valid status.

    9. Navigate to the Topology tab to test the IDP’s connection.
    10. Click the Okta IDP icon to be redirected to your Okta tenant which should look like the following:

      Access Gateway Topology page shown with the new IDP highlighted.

Next steps

Configure Amazon Web Services high availability - Optionally configure Amazon Web Services load balancer and high availability.