Configure the Okta Privileged Access server agent
This topic explains how to configure the Okta Privileged Access server agent.
- Command-line options
- Configuration file
- Custom labels
- System generated labels
- Environment variables
Command-line options
- --conf: Provides an alternative configuration file path.
- --debug-device-info: Prints detected device information to stderr and then exits.
- -h, --help: Displays help.
- -v, --version: Displays version.
- --syslog: Forces syslog logging.
Configuration file
You can control the Okta Privileged Access server agent by manually creating a configuration file. The location of the configuration file depends on the operating system running the server agent.
- Linux: /etc/sft/sftd.yaml
- Windows: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml
If a configuration file hasn't been created or can't be read, the server agent uses the default values listed below.
Changes to the configuration file take effect only after you restart the server agent.
Enrollment Options
Option | Default value | Description |
---|---|---|
AutoEnroll | True | Forces the server agent to attempt to automatically enroll during the initial startup. |
EnrollmentTokenFile | Linux: /var/lib/sftd/enrollment.token; Windows: | Specifies the path to a separate file containing an enrollment token. The default value depends on the operating system running the server agent. After the server is enrolled, the server agent deletes this token file. If using this option, you must manually create the token file and add an enrollment token created on the Okta Privileged Access platform. See Server Enrollment. |
InitialURL | unset | When AutoEnroll is set to True, this option specifies a URL used to automatically enroll the server. If the EnrollmentTokenFile option is also configured, this option is ignored. Note: This option is only used by legacy installations not hosted by Okta Privileged Access instances. |
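The enrollment token is a bearer secret until the agent consumes it, so the file should never be world-readable while it waits on disk. The following POSIX shell helpers are an added example (not Okta's tooling): they write the token with owner-only permissions, verify the mode, and report when the agent has finished enrollment by checking that the enrollment token has been deleted and the device token (default /var/lib/sftd/device.token) exists. The SFTD_ENROLL_TOKEN and SFTD_TOKEN_FILE environment variable names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the Okta Privileged Access agent.
# Assumes a Linux host with sftd installed; run as root for the real paths.
set -eu

# Write the enrollment token to PATH with mode 0600 so no other local user can
# read it before sftd consumes and deletes it.
write_enrollment_token() {
    token="$1"
    path="$2"
    dir=$(dirname "$path")
    mkdir -p "$dir"
    # umask 077 inside a subshell: the file is 0600 from the moment it is created,
    # so there is no window where it exists with the default umask.
    (umask 077; printf '%s\n' "$token" > "$path")
    # If the file already existed with looser permissions, '>' keeps the old mode;
    # tighten it explicitly.
    chmod 0600 "$path"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$path"
    fi
}

# Return 0 if PATH is a regular file with mode exactly 0600.
check_token_file_mode() {
    path="$1"
    [ -f "$path" ] || return 1
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$mode" = "600" ]
}

# Return 0 once enrollment has completed: sftd deletes the enrollment token
# after a successful enrollment and stores its device token (TokenFile).
enrollment_completed() {
    token_file="$1"
    device_token="$2"
    [ ! -e "$token_file" ] && [ -f "$device_token" ]
}

# Usage: pass the token through the environment rather than argv so that it is
# not visible to other users in the process list. (Assumed variable names.)
#   SFTD_ENROLL_TOKEN='...' sh ./enroll-token.sh
if [ -n "${SFTD_ENROLL_TOKEN:-}" ]; then
    write_enrollment_token "$SFTD_ENROLL_TOKEN" "${SFTD_TOKEN_FILE:-/var/lib/sftd/enrollment.token}"
    check_token_file_mode "${SFTD_TOKEN_FILE:-/var/lib/sftd/enrollment.token}"
fi
```

After writing the token, restart the agent (on systemd hosts the unit is assumed to be named sftd: `systemctl restart sftd`) and poll `enrollment_completed` until it returns 0; if the token file is still present after the restart, check the agent log for the enrollment error before retrying.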
Log Options
The location of the log file depends on the operating system running the server agent.
- Linux: sftd uses the system logger when available
- Windows: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\Logs
Log files are rotated after 5 MB and only the 10 most recent log files are kept.
Option | Default value | Description |
---|---|---|
LogLevel | INFO | Controls the verbosity of the logs. Valid values include: |
Connection Options
Option | Default value | Description |
---|---|---|
AccessAddress | unset | Specifies the network address (IPv4 or IPv6) that clients use to reach servers that have multiple interfaces or sit behind a DNAT. If you set AccessAddress to a DNS FQDN, a message appears on the console warning you that the host key for the IP address has been added to the list of known hosts permanently. See the KB article for additional information. |
AccessInterface | unset | Specifies the interface used by clients to negotiate connections to the host. Only needed by hosts with a specific public IP address associated with a known interface. Example: AccessInterface: eth0 |
AltNames | unset | Specifies a list of alternative server hostnames. These names can be used as targets for sft ssh. Example: AltNames: ["web01", "web01.example.com"] |
Bastion | unset | Specifies a bastion host that clients use automatically when connecting to this server. |
BufferFile | /var/lib/sftd/buffer.db | Specifies the path prefix of the files used for the server agent's local buffer store. Individual buffer file names consist of the path prefix, followed by a period and an incrementing number (for example, buffer.db.1). Buffer files are removed automatically after they are synchronized. |
CanonicalName | unset | Specifies the name that clients should use when connecting to this host. This option overrides the name returned by the hostname command. |
ForwardProxy | unset | Specifies the URL of an HTTP CONNECT proxy that the server agent uses for outbound connectivity to the Okta Privileged Access platform. Alternatively, the HTTPS_PROXY environment variable can be used to configure this proxy. Example: ForwardProxy: https://myproxydomain.com:8080 |
ServerFile | /var/lib/sftd/device.server | Specifies the path to a file that stores the URL of the server the agent connects to. |
SSHDConfigFile | /etc/ssh/sshd_config | Specifies the path to the sshd configuration file. Note: The server agent modifies this file. |
SSHDPort | unset | Specifies the port to use when negotiating SSH connections. Only needed if sshd doesn't listen on the default port (22). This option tells the sft client (ScaleFT Client-Tools) which port to use when connecting to the sftd agent (ScaleFT Server-Tools); you must also configure sshd on the server to listen on that port in sshd_config. |
TokenFile | /var/lib/sftd/device.token | Specifies the path to a file that stores the secret authentication token for Okta Privileged Access. |
TrustedUserCAKeysFile | /var/lib/sftd/ssh_ca.pub | Specifies the path to a file in which the server agent stores the list of trusted SSH Certificate Authorities. |
Access Broker Options
The Okta Privileged Access server agent automatically runs an access broker process. The access broker authenticates clients using certificates issued by the Okta Privileged Access platform.
On Windows servers, the access broker is also responsible for proxying RDP connections. See Windows Internals.
Option | Default value | Description |
---|---|---|
BrokerAccessPort | 4421 | Specifies the port that clients use to reach the access broker. |
BrokerListenHost | unset | Specifies the network address (IPv4 or IPv6) on which the access broker listens for connections. By default, the access broker listens on every available interface. |
BrokerListenPort | 4421 | Specifies the port on which the access broker listens for connections. |
DisableBroker | unset | Controls whether the access broker runs. Set to True to prevent the access broker from running on the server. Note: Disabling the access broker process isn't recommended on Windows. See Windows Internals. |
Custom labels
Custom labels affect who can reach the server. Any user who can edit the server agent's configuration file can change its labels, and because access policies select servers by label, that user can make the server match, or stop matching, a policy and so become accessible or inaccessible. Okta recommends exercising caution when using custom labels, and the configuration file should be writable only by the administrative account that runs the agent.
Labels are key:value pairs that teams use to grant specific groups access to specific servers; the key:value format lets each team define the schema that best fits its needs. Add labels in the server configuration file to configure and categorize the servers. These labels are then used in the Okta Privileged Access console to select specific servers for access. See Security policy.
You must indent the key pairs under the Labels YAML dictionary with two spaces:

```yaml
Labels:
  label_1: value_1
  label_2: value_2
```
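The following sftd.yaml is an added worked example that ties the connection, access broker and custom label options above together for a Linux host behind a DNAT whose sshd has been moved off port 22; it is not taken from the Okta documentation. The hostnames, addresses, proxy URL, port and label values are all assumptions chosen for illustration.

```yaml
# /etc/sft/sftd.yaml (example; every value below is an assumption)

# Name clients use for this host; overrides the output of `hostname`.
CanonicalName: web01.example.com
# Extra names accepted as targets by `sft ssh`.
AltNames: ["web01", "web01.internal.example.com"]

# The host sits behind a DNAT: advertise the address clients actually reach,
# not the address of the local interface.
AccessAddress: 203.0.113.10

# sshd listens on 2222; sshd_config on this host must also contain `Port 2222`.
SSHDPort: 2222

# Outbound HTTP CONNECT proxy to the Okta Privileged Access platform
# (equivalent to setting HTTPS_PROXY for the agent).
ForwardProxy: https://proxy.example.com:8080

# Keep the access broker running, bound to the internal interface address the
# DNAT forwards to (assumed 10.0.0.5) rather than every interface.
DisableBroker: false
BrokerListenHost: 10.0.0.5
BrokerListenPort: 4421
BrokerAccessPort: 4421

LogLevel: INFO

# Custom labels: two-space indentation is required. Policies select servers by
# these labels, so anyone who can edit this file can change who may log in.
Labels:
  env: production
  tier: web
  owner: platform-team
```

Restart the agent after saving the file (on systemd hosts the unit is assumed to be named sftd: `systemctl restart sftd`), then confirm in the console that the server shows the expected custom labels alongside its system-generated ones before attaching it to a security policy.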
System generated labels
When you add a server to Okta Privileged Access, several system-generated labels are created based on characteristics such as hostname, server type, operating system, AWS, Azure, or Google Cloud Platform (GCP) account ID.
The following is the list of system-generated labels.
Label | Description |
---|---|
system.hostname | The hostname of the server |
system.canonical_name | The server alias used by clients to connect to the server. See Connection Options. |
system.os | The OS version of the server, such as CentOS 6 or Debian 9.13 |
system.os_type | The OS family of the server. Valid values are linux and windows. |
system.cloud_provider | The cloud provider for the server. Valid values are aws for AWS, gce for GCP, and azure for Azure. |
system.aws_account_id | The account ID of the AWS server |
system.aws_availability_zone | The availability zone (AZ) of the AWS server |
system.gcp_project_id | The project ID of the GCP server |
system.azure_location | The region of the Azure server |
Environment variables
On startup, the server agent reads the following variables:
SFT_DEBUG: Prints more debugging to stderr when set.