Project 5: Design IAM Architecture in OCI.

OCI has its own toolkit, OKIT (the OCI Designer Toolkit), for designing this architecture.

Git : https://github.com/oracle/oci-designer-toolkit/blob/master/documentation/Installation.md

Blog For Governance: https://docs.oracle.com/en/solutions/iam-governance-solution/index.html#GUID-9EA304AE-A9F3-4955-9965-144BE4714319

Blog for IAM, IDCS and OKTA integration: https://blogs.oracle.com/futurestate/post/oci-implementation-series-integrate-okta-iam-with-oci-identity-domain-in-hybrid-cloud-environment-setup

OKIT Installation guide:

Reference: https://www.linkedin.com/pulse/how-set-up-headless-okit-oci-badr-tharwat

Oracle recently announced the OCI Designer Toolkit (OKIT). This tool can generate OCI-compatible Terraform files from a drag-and-drop interface, and it can also represent an OCI compartment visually (more on OKIT here). Currently the tool runs locally through Docker or Vagrant, which does not work for people on lower-spec machines or on popular platforms that cannot run a local Docker instance (the iPad Pro and the like). In this how-to I'll explain how to build an OKIT instance on a headless OCI compute node that can be accessed securely through an SSH tunnel.

https://www.ateam-oracle.com/introduction-to-okit-the-oci-designer-toolkit


To set up OKIT and make it securely available to your local host you need to do 4 things:

  1. Set up a headless Linux machine on OCI and enable SSH access
  2. Install Docker
  3. Pull the OKIT Docker container and run it
  4. Access it using an SSH tunnel

I. Set up the Linux machine

I.A Provision

Through the OCI console, provision a compute instance with the smallest available shape, make sure to tick the "assign public IP" checkbox, and use an SSH key that you have access to.

Once the machine is provisioned, note down the public IP assigned to it. Make sure TCP port 22 is allowed into the public subnet the machine is created in: from the instance page click the public subnet, open its default security list (labelled "Default security group" in the original article) and confirm there is an ingress rule for port 22. Where you can, restrict that rule's source CIDR to your own address range rather than 0.0.0.0/0; the tunnel set up later is only as safe as the SSH exposure in front of it.

Connect to the machine over SSH using the key you used while creating the instance:

ssh opc@158.101.230.4 -i .ssh/id_rsa_okit

I. B. Configure

  1. Firewall (optional)

The original guide disables firewalld at this point:

sudo systemctl disable firewalld

Two caveats. First, disable only stops the service from starting at boot; an already running firewalld keeps running until you also run sudo systemctl stop firewalld. Second, for the tunnel design in section IV this step is not needed at all: the tunnel terminates on the server's loopback interface, and Docker adds its own iptables rules for the ports it publishes, so you can leave firewalld enabled and skip this step.

II. Install Docker

https://blogs.oracle.com/virtualization/install-docker-on-oracle-linux-7-v2

cd /etc/yum.repos.d/

sudo wget http://yum.oracle.com/public-yum-ol7.repo

sudo nano public-yum-ol7.repo

(The original had sudo cd, which does nothing useful: cd is a shell builtin, so change directory as yourself and use sudo only for the commands that write to the root-owned directory.)

Edit the file to enable the ol7_UEKR4 and ol7_addons repos (set enabled=1 in each section).

Install Docker

sudo yum install docker-engine

Start the services

sudo systemctl start docker

sudo systemctl enable docker

Validate that the service is up

sudo systemctl status docker

Output should look similar to this

Validate the installation by running the hello-world container

sudo docker run hello-world

Now Docker is up and running; the next step is installing OKIT.

III. Install and start OKIT container

The A-Team have prepared an installation how-to, portions of which I'm using here; the full version can be found here

III.A Install git

cd $HOME

sudo yum install git

III. B Clone the OKIT repo

git clone -b v0.6.0 --depth 1 https://github.com/oracle/oci-designer-toolkit.git

III.C Build the container

cd oci-designer-toolkit/

sudo docker build --tag okit --file ./containers/docker/Dockerfile --force-rm ./containers/docker/

Export the paths the run command needs. The original had export OKIT_ROOT_DIR=pwd, which sets the variable to the literal string "pwd"; it must be command substitution:

export OKIT_ROOT_DIR=$(pwd)

export OCI_CONFIG_DIR=$OKIT_ROOT_DIR/containers/oci

III.D Start OKIT image

sudo docker run -d --rm -p 127.0.0.1:80:80 --name okit --hostname okit -v $OCI_CONFIG_DIR:/root/.oci -v $OKIT_ROOT_DIR/okitweb:/okit/okitweb -v $OKIT_ROOT_DIR/visualiser:/okit/visualiser -v $OKIT_ROOT_DIR/log:/okit/log okit

The original command used -p 80:80, which publishes OKIT on every interface of the host. Binding to 127.0.0.1 keeps it reachable only through the SSH tunnel set up in section IV, which is the whole point of this design, and it means the host firewall no longer matters for OKIT.

The command prints the ID of the new container; sudo docker ps should then list a container named okit.

IV. Set up the SSH tunnel (On your Local Machine)

SSH tunneling is what secures OKIT here. Although it is technically possible to expose OKIT directly to the internet, I strongly recommend against it: the container holds the tenancy configuration you mount into it, so that would be significantly less secure than the approach used here.

From your local machine set up the tunnel as follows

ssh -v -N -L 8888:127.0.0.1:80 opc@<OCI_SERVER_IP> -i <PRIVATE_KEY>

Alternatively you can create the tunnel using PuTTY as described here. Then, from your browser, navigate to

http://localhost:8888/okit/designer
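As an added example covering steps III.D and IV (this script is not part of the original article or of OKIT itself): once the container is up, run ss -ltn on the server and confirm that port 80 is bound to loopback only, then build the client-side tunnel command with options that make a broken forward fail loudly. The two ss listings, the address 203.0.113.10 and the key path are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: check that OKIT listens only on
# loopback, then build the client tunnel command. The `ss -ltn` listings below
# are constructed samples, not captured output.
set -eu

# Print the Local Address:Port of every LISTEN socket bound to a wildcard
# address (0.0.0.0, [::] or *), i.e. reachable from outside the host.
# Reads `ss -ltn` output on stdin, so it works on live output or a saved copy.
exposed_listeners() {
  awk 'NR > 1 {
         addr = $4
         sub(/:[^:]*$/, "", addr)           # strip the trailing :port
         if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print $4
       }'
}

# Print wildcard listeners other than sshd (port 22). Empty output means the
# host exposes nothing the SSH-tunnel design does not expect.
unexpected_exposed() {
  printf '%s\n' "$1" | exposed_listeners | grep -v ':22$' || true
}

# What "docker run -p 80:80 ..." gives you: OKIT answers on every interface.
SS_ALL_IFACES='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      4096   0.0.0.0:80          0.0.0.0:*
LISTEN 0      4096   [::]:80             [::]:*'

# What "docker run -p 127.0.0.1:80:80 ..." gives you: OKIT on loopback only.
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      4096   127.0.0.1:80        0.0.0.0:*'

# Client-side tunnel command. -N: no remote shell; -L: local port to the
# server's loopback port 80; ExitOnForwardFailure makes ssh exit instead of
# silently running without the forward; ServerAliveInterval keeps an idle
# tunnel from being dropped by NAT. The third argument (local port) is optional.
tunnel_cmd() {
  host="$1"; key="$2"; lport="${3:-8888}"
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -L %s:127.0.0.1:80 -i %s opc@%s' \
    "$lport" "$key" "$host"
}

echo "== exposed with -p 80:80 =="
unexpected_exposed "$SS_ALL_IFACES"
echo "== exposed with -p 127.0.0.1:80:80 (expect nothing) =="
unexpected_exposed "$SS_LOOPBACK"
echo "== tunnel command =="
tunnel_cmd 203.0.113.10 ~/.ssh/id_rsa_okit
echo
```

On the real server, pipe live output instead of the sample: `ss -ltn | exposed_listeners`. Anything listed besides port 22 is reachable from the public IP and should be re-bound to 127.0.0.1 or closed at the security list.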

You can then integrate OKIT with your own tenancy by placing your OCI configuration file in $OKIT_ROOT_DIR/containers/oci on the OKIT server (the directory mounted at /root/.oci in the run command above), as per the instructions available in the OKIT installation guide here

IMPORTANT NOTE: NEVER UPLOAD YOUR KEYS INTO A SHARED TENANCY. The OKIT configuration calls for an API key, but under a shared model this would put your keys, and every tenancy they can reach, at risk.
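An added pre-flight check for the configuration directory described above (example script, not part of the original article or of OKIT): the config file is read inside the container, where the directory is mounted at /root/.oci, so key_file must be an in-container path, and the private key should not be readable by anyone but its owner. The function maps the in-container key_file back to the host directory and checks existence and mode. The config contents, OCIDs, fingerprint and key bytes are dummy values constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check an OCI config
# directory before mounting it into the OKIT container at /root/.oci.
set -eu

# usage: oci_config_check <host_config_dir>
# Reads key_file from <dir>/config, requires it to live under /root/.oci/
# (the mount point used by the docker run command), maps it back to the host
# path and checks that the key exists and is mode 600 or 400.
oci_config_check() {
  dir="$1"
  cfg="$dir/config"
  [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
  key_file=$(awk -F= '/^[[:space:]]*key_file[[:space:]]*=/ {
                       v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }' "$cfg")
  [ -n "$key_file" ] || { echo "no key_file in $cfg"; return 1; }
  case "$key_file" in
    /root/.oci/*) ;;
    *) echo "key_file=$key_file is not under /root/.oci; the container will not find it"; return 1 ;;
  esac
  host_key="$dir/${key_file#/root/.oci/}"
  [ -f "$host_key" ] || { echo "$host_key not found on the host"; return 1; }
  # GNU stat first, BSD stat as fallback
  mode=$(stat -c '%a' "$host_key" 2>/dev/null || stat -f '%Lp' "$host_key")
  case "$mode" in
    600|400) echo "ok: $host_key mode $mode"; return 0 ;;
    *) echo "$host_key is mode $mode; run: chmod 600 $host_key"; return 1 ;;
  esac
}

# Build a throwaway config directory: make_demo <key mode> <key_file value>.
# All identifiers are dummies; the "key" is a placeholder, not real key material.
make_demo() {
  mode="$1"; key_path="$2"
  d=$(mktemp -d)
  {
    echo '[DEFAULT]'
    echo 'user=ocid1.user.oc1..aaaaexampleuser'
    echo 'fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99'
    echo 'tenancy=ocid1.tenancy.oc1..aaaaexampletenancy'
    echo 'region=us-ashburn-1'
    echo "key_file=$key_path"
  } > "$d/config"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder, not a real key' \
    '-----END PRIVATE KEY-----' > "$d/oci_api_key.pem"
  chmod "$mode" "$d/oci_api_key.pem"
  echo "$d"
}

# Three scenarios: correct, key readable by everyone, host path instead of
# container path. Only the first should pass.
for args in "600 /root/.oci/oci_api_key.pem" \
            "644 /root/.oci/oci_api_key.pem" \
            "600 $HOME/.oci/oci_api_key.pem"; do
  set -- $args
  demo=$(make_demo "$1" "$2")
  oci_config_check "$demo" || true
  rm -rf "$demo"
done
```

Run it once on the real $OKIT_ROOT_DIR/containers/oci before starting the container (`oci_config_check "$OCI_CONFIG_DIR"`); a wrong key_file path is the usual reason OKIT starts cleanly but cannot query the tenancy.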