Access Gateway OS
Okta Access Gateway version 2020.09.2 and earlier versions are based on CentOS 7.
Access Gateway version 2020.10.5 through version 2021.8.0 are based on CentOS 8.
Both CentOS 7 and CentOS 8 are approaching End-of-Life. Okta will continue to support earlier versions of CentOS but may discontinue upgrades for these versions in the future.
Access Gateway version 2021.9.3 and later Okta Access Gateway Virtual Appliances (OVAs) are based on Oracle Enterprise Linux (OEL) 8. Oracle Enterprise Linux 8 has numerous benefits over CentOS, including: increased performance, stability, support and more.
To bring an entire cluster up to the latest version of Access Gateway based on Oracle Enterprise Linux (OEL):
- Add a worker node based on OEL to the cluster.
- Follow these instructions to make the new worker node the admin node.
- When complete, decommission the previous admin node.
- Replace each worker node with new nodes based on the latest version of Access Gateway based on OEL.
To bring a single instance of Access Gateway up to the latest OEL-based OVAs, you must reinstall Access Gateway completely. Upgrading the operating system of Access Gateway in place isn't supported.
To upgrade an Access Gateway cluster to the latest version see Admin renomination.
Before you begin
- Ensure you have sufficient capacity to add an Access Gateway instance. During the upgrade process, new instances of Access Gateway replace old instances. Sufficient capacity (memory, disk, and virtual machine (VM) resources) must be available to add a single new instance of Access Gateway. As instances are added, old instances are removed.
- Ensure you have access to and can administer load balancers. During this OS upgrade, instances running a newer version of the base operating system replace existing Access Gateway instances. You must be able to remove and add instances to your Access Gateway cluster and its associated load balancer.
- Ensure that you have access to and can edit DNS. During the admin renomination process, a new instance of Access Gateway is added as the cluster admin. This instance replaces the existing admin instance and must be registered in DNS with the same name as the current admin instance.
Upgrade process overview
Access Gateway clusters built using OVAs running Access Gateway version 2020.09.3 and earlier can't directly upgrade their underlying OS. To perform the upgrade, complete the following process:
While recommended, you aren't required to update to a newer version of the underlying operating system. You can update an older version of the underlying OS to Access Gateway v2020.10.5 and later. Okta reserves the right to stop or limit support for older versions of the underlying operating system at any time.
- Determine if the upgrade process is required. Only Access Gateway instances previous to Access Gateway 2020.10.5 need to perform the upgrade process. If your Access Gateway cluster was build using version 2020.10.5 or later you can upgrade normally. See Upgrade Access Gateway
- Add a Access Gateway 2020.10.5 Cluster admin. Using the admin renomination process add an admin node. See Perform admin renomination.
- Point the existing admin DNS instance name to the IP address of the new admin node.
- Decommission the old admin node. After the renominated admin node is running, decommission the old admin node. Remove it from any load balancers, and then stop and delete the VM.
- Replace cluster members. For each existing cluster member:
- Remove the existing cluster member from the load balancer.
- Add a cluster member that's running Access Gateway 2020.10.5 or later to your virtual environment.
- Add the replacement instance to the load balancer.
- Decommission the node that's been replaced.
- Repeat for each member of the cluster.
While replacing nodes within a cluster should be done in a timely fashion Access Gateway can function in a mixed version environment. Take the time necessary to plan out and upgrade your environment thoughtfully.