Okta Privileged Access - Amazon Linux Gateway Known Issues
Overview

This article outlines a known issue when installing and starting the Okta Privileged Access (OPA) gateway on newer versions of Amazon Linux. On these systems, the gateway can fail to start because the session log temporary storage directory and the session log directory reside on different filesystems.

Applies To
  • Okta Privileged Access (OPA)
  • Database Integration Early Access / Beta
  • Gateway Configured as Infrastructure Orchestrator or Server Access Proxy
  • Newer versions of Amazon Linux (for example, Amazon Linux 2023)
Cause

The OPA gateway requires that the SessionLogTempStorageDirectory (default: /tmp) and the session log directory (/var/log/sft/sessions) be located on the same device/filesystem. On newer Amazon Linux versions, /tmp is mounted as a separate tmpfs, while /var/log/sft/sessions lives on the root filesystem. Because the two paths are on different devices, the gateway fails to start up.


Confirm that the two directories are on different devices by comparing their device IDs:

stat -c "%d" /tmp
stat -c "%d" /var/log/sft/sessions

If the two commands return different numbers, the system is affected by this issue. If they return the same number, the system is not affected, and the gateway should start normally.

Related errors can also be inspected in the gateway logs:

systemctl status sft-gatewayd
journalctl -u sft-gatewayd

Solution

Configure the OPA gateway to use a SessionLogTempStorageDirectory that resides on the same filesystem as /var/log/sft/sessions.

  1. Create a temporary storage directory on the same filesystem as /var/log/sft/sessions.

    For example:
    sudo mkdir -p /var/lib/sft-gatewayd/session-tmp
  2. Open the gateway configuration file:
    sudo vi /etc/sft/sft-gatewayd.yaml
  3. Add (or update) the SessionLogTempStorageDirectory value so it points to the new directory:
    SessionLogTempStorageDirectory: /var/lib/sft-gatewayd/session-tmp
  4. Verify the two directories are now on the same device:
    stat -c "%d" /var/lib/sft-gatewayd/session-tmp
    stat -c "%d" /var/log/sft/sessions

    Both commands must return the same number.

  5. Save the file, then restart the gateway:
    sudo systemctl restart sft-gatewayd
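
As an added example (not Okta's code or part of the original article), the POSIX shell script below performs the device-ID check from the Cause section and the configuration change from steps 1 to 4. The default paths are the ones named in this article; the function parameters are assumptions added so the script can be exercised against scratch directories before being run on a gateway host.

```shell
#!/bin/sh
# Added example: check whether the session log temp storage and the session
# log directory share a filesystem, and repoint the gateway config if not.
set -eu

# Return 0 when both paths report the same device number (stat -c %d).
same_device() {
    [ "$(stat -c '%d' "$1")" = "$(stat -c '%d' "$2")" ]
}

# Set or replace the SessionLogTempStorageDirectory key in a gateway YAML file.
# Existing key: rewrite in place. Missing key: append it.
set_temp_dir() {
    config="$1"; newdir="$2"
    if grep -q '^SessionLogTempStorageDirectory:' "$config"; then
        sed -i "s|^SessionLogTempStorageDirectory:.*|SessionLogTempStorageDirectory: $newdir|" "$config"
    else
        printf 'SessionLogTempStorageDirectory: %s\n' "$newdir" >> "$config"
    fi
}

# Check-and-fix. Defaults match the article; the four parameters are
# assumptions so the logic can be tested on scratch paths.
fix_session_tmp() {
    sessions="${1:-/var/log/sft/sessions}"
    tmpdir="${2:-/tmp}"
    newdir="${3:-/var/lib/sft-gatewayd/session-tmp}"
    config="${4:-/etc/sft/sft-gatewayd.yaml}"
    if same_device "$tmpdir" "$sessions"; then
        echo "not affected: $tmpdir and $sessions share device $(stat -c '%d' "$sessions")"
        return 0
    fi
    mkdir -p "$newdir"
    # Step 4 of the article: the new directory must be on the sessions device.
    same_device "$newdir" "$sessions" || {
        echo "$newdir is not on the same device as $sessions" >&2
        return 1
    }
    set_temp_dir "$config" "$newdir"
    echo "SessionLogTempStorageDirectory set to $newdir; run: sudo systemctl restart sft-gatewayd"
}

# Only touch the real gateway paths when invoked explicitly with --run.
if [ "${1:-}" = "--run" ]; then
    fix_session_tmp
fi
```

Step 5 (restarting sft-gatewayd) is deliberately left to the operator so the config change can be reviewed first.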
