
Okta Privileged Access Database Integration Early Access - Setup Token Gateway Role Known Issues

Okta Classic Engine
Privileged Access
Okta Identity Engine

Overview

This article outlines a known issue when enrolling an Okta Privileged Access (OPA) gateway for Database Integration. The gateway must be enrolled with a setup token that was created with the Infrastructure orchestrator gateway role. If the setup token was created with a different role (for example, Server access proxy), or an existing non-orchestrator token is reused, the gateway will not start as an Infrastructure Orchestrator and cannot manage database integrations.

Applies To

  • Okta Privileged Access - Database Integration Early Access / Beta
  • Okta Privileged Access gateway intended to run as Infrastructure Orchestrator

Cause

When creating a gateway setup token in Resource Administration > Gateways > Setup Tokens > Add setup token, the "Choose gateway role for this token" selector offers two options:

  • Server access proxy — brokers SSH and RDP sessions to Linux and Windows servers.
  • Infrastructure orchestrator — discovers resources and manages the access lifecycle for databases and other infrastructure.

The Database Integration feature requires a gateway that is registered as an Infrastructure Orchestrator. A gateway enrolled with a Server access proxy token (or any existing token that was not created with the Infrastructure orchestrator role) will not start in the orchestrator role, even if Orchestrator.Enabled: true is set in /etc/sft/sft-gatewayd.yaml. As a result, the gateway cannot support database integrations.

You can verify which role a token was issued for in the Setup Tokens list, under the Used for column. Tokens intended for database integration must show Infrastructure Orchestrator.

 

Solution

Re-enroll the gateway using a setup token created with the Infrastructure orchestrator role.

  1. Stop the running gateway:

       sudo systemctl stop sft-gatewayd

  2. Remove the existing contents of the gateway state directory /var/lib/sft-gatewayd (sudo access is required):

       sudo rm -rf /var/lib/sft-gatewayd/*

  3. Follow the Configure gateway and setup tokens guide to create a new gateway setup token with the Infrastructure orchestrator role, and use that token to start the gateway as an Infrastructure Orchestrator.
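
Steps 1 and 2 can also be run as one guarded script, so the recursive delete only happens once the service is confirmed stopped and the target path has been validated. This is an added example, not part of Okta's documentation: the function names and the --run switch are illustrative, and it assumes a systemd host and is run as root.

```shell
#!/usr/bin/env bash
# Added example: guarded form of steps 1-2. The service name and state
# directory come from the article; function names are illustrative.
SERVICE="sft-gatewayd"
STATE_DIR="/var/lib/sft-gatewayd"

# Reject paths that would make a recursive delete dangerous.
is_safe_state_dir() {
    candidate="$1"
    [ -n "$candidate" ] || return 1            # empty value would turn "$DIR/*" into "/*"
    case "$candidate" in
        /*) ;;                                 # absolute paths only
        *) return 1 ;;
    esac
    [ -d "$candidate" ] || return 1            # must exist as a directory
    [ ! -L "$candidate" ] || return 1          # and not be a symlink to somewhere else
    resolved=$(cd "$candidate" && pwd -P) || return 1
    [ "$resolved" != "/" ] || return 1
}

# Remove everything inside the directory, dotfiles included (the glob in
# `rm -rf dir/*` skips them), while keeping the directory, its owner and mode.
clear_state_dir() {
    target="$1"
    if ! is_safe_state_dir "$target"; then
        echo "refusing to clear '$target'" >&2
        return 1
    fi
    find "$target" -mindepth 1 -delete
}

reset_gateway_enrollment() {
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; return 1; }
    systemctl stop "$SERVICE" || return 1
    # Do not delete state while the daemon could still be writing to it.
    if systemctl is-active --quiet "$SERVICE"; then
        echo "$SERVICE is still active; aborting" >&2
        return 1
    fi
    clear_state_dir "$STATE_DIR"
}

# Act only when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    reset_gateway_enrollment
fi
```

After it completes, continue with step 3 to enroll the gateway with the new Infrastructure orchestrator token.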
