Okta Privileged Access: How to Backup and Restore

OPA, PAM 3 Minutes

This article is to help with Backup and Restore process for Okta Privileged Access (OPA) components managed and maintained outside of the Okta infrastructure. Backing up your Okta PA server agent and Gateway configurations is a proactive safeguard against downtime, and other unwanted negative impacts to your business. OPA does not have capabilities to back up the current configuration or have a restore point.

Okta Privileged Access has 2 major components which are hosted and managed inside customer infrastructure and advised to take the backup of those components.

  1. Gateway
  2. Server Agent

As the components are standard binaries and configuration files on the Windows/Linux
OS, standard systems management processes and tools can be used.

Gateway:

Gateway Backup:

To prevent the loss of existing configurations on the currently running Gateway server, Okta recommends saving a backup of following files:

  • Gateway configuration file:
    • /etc/sft/sft-gatewayd.yaml
  • Session recordings: Take the backup of session recording files from the path configured inside the configuration file for session recordings.

If the gateway server also has the OPA agent installed, you should follow the Agent backup procedures below.

Notes:

  • As the restore mechanism is based on re-installing the gateway, there is no value in backing up the session state files (such as the files in /var/lib/sft-gatewayd), only the configuration file needs to be backed up.
  • If there are any files in folders/directories specified against the TrustedCAsDir setting in the sft-gatewayd.yaml file, they should be backed up or maintained in an external repository like GitHub.

Gateway Restore:

In case of Gateway failure, due to machine crash or Gateway software got corrupted, restore a configuration from a backup following below steps.

Option #1 (New Gateway Server): Recommended

  1. Deploy new instance of server
  2. Install the Okta PA Gateway software following the reference link
  3. Login to Gateway server and access the command prompt
  4. Copy the configuration file from the backup and paste into folder
    • /etc/sft
  5. Open a browser and login to OPA admin console and copy the gateway token
  6. Create a file as setup.token and paste the copied token and save the file
    • /var/lib/sft-gatewayd/setup.token
  7. Restart the gateway server to finish the enrollment
    • sudo systemctl restart sftd

Option #2 (Existing Gateway Server):

  1. Start the server
  2. (optional) If required, re-install the OPA Gateway software following the reference link
  3. Delete all the contents from the folder
    • /var/lib/sft-gatewayd
  4. Copy the configuration file from the backup and paste into folder
    • /etc/sft
  5. Open a browser and login to OPA admin console and copy the gateway token
  6. Create a file as setup.token and paste the copied token and save the file
    • /var/lib/sft-gatewayd/setup.token
  7. Restart the gateway server to finish the enrollment
    • sudo systemctl restart sftd

Note: Same enrollment token should be used during re-enrollment, which will bind the re-deployed gateway to the same label.

Server Agent:

Agent Backup:

To prevent the loss of existing configurations of running Agents on protected resources, Okta recommends taking backup of following files.

  • Linux Agent configuration file:
    • /etc/sft/sftd.yaml
  • Windows Agent configuration file:
    • C:\Windows\System32\config\systemprofile\AppData\Local\ScaleFT\sftd.yaml

Notes:

  • As the restore mechanism is based on re-installing the agent, there is no value in backing up the session state files (such as the files in /var/lib/sftd or the equivalent on Windows), only the configuration file needs to be backed up.

Agent Restore:

In case of Server agent failure, due to machine crash or agent software got corrupted, restore a configuration from a backup following below steps.

Linux:
  1. Start the server
  2. (optional) If required, re-install the agent. Reference link.
  3. Delete all the contents from the folder
    • /var/lib/sftd
  4. Copy the configuration file from the backup and place into folder
    • /etc/sft/
  5. Open a browser and login to OPA admin console and copy the existing enrollment token or generate a new enrollment token
  6. Create a file as enrollment.token, paste the token and save the file
    • /var/lib/sftd/enrollment.token
  7. Restart the Agent service to finish the enrollment
    • sudo systemctl restart sftd
Windows:
  1. Start the server
  2. (optional) If required, re-install the agent. Reference link.
  3. Delete all the contents from folder
    • C:\Windows\System32\config\systemprofile\AppData\Local\ScaleFT\state
  4. Copy the configuration file from the backup and place into folder
    • C:\Windows\System32\config\systemprofile\AppData\Local\ScaleFT\
  5. Open a browser and login to OPA admin console and copy the existing enrollment token or generate a new enrollment token
  6. Create a file as enrollment.token, paste the token and save the file
    • C:\Windows\System32\config\systemprofile\AppData\Local\ScaleFT\enrollment.token
  7. Run below command to open Windows Services screen
    • services.msc
  8. Locate the Agent service “ScaleFT Server Tools” and Restart.

Published by Rajesh Kumar

Over 20+ years of enterprise security professional with extensive experience in designing, implementing and integrating Identity and Access Management solutions across multitudes of market segments and industries (including public, retail, research, financial, HealthCare etc.).

Published

Leave a Reply