Create a connected app
Requirements
- OpenSSL
- keytool (comes with a Java installation)
- Salesforce account that can create connected apps
Certificates
The connected app will need a certificate attached to it.
You can use an existing certificate or create a new one.
Here are the steps to create a certificate using openssl and keytool.
- Step 1 - Create a certificate and its private key. You can accept all default options.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
This will create two files called cert.pem and key.pem.
- Step 2 - Merge both files into one. You can use a text editor, cat, etc.
cat cert.pem key.pem >> full_cert.pem
After this step, you should have a file called full_cert.pem.
- Step 3 - Add this certificate to a Java Keystore (jks) file. This will later be used in Dynatrace.
Convert the full_cert.pem file to pkcs12. You must set a password when prompted.
openssl pkcs12 -export -out full_cert.pkcs12 -in full_cert.pem
Add the file to a new Java keystore.
Set a password for the keystore (destination password).
The source password is the one you created with the previous command.
keytool -importkeystore -srckeystore full_cert.pkcs12 -srcstoretype pkcs12 -destkeystore full_cert.jks -deststoretype JKS
After this is done, you should have five files. You will only use two of them:
- key.pem
- cert.pem (Used when creating the connected app in Salesforce)
- full_cert.pem
- full_cert.pkcs12
- full_cert.jks (Used by Dynatrace to connect to Salesforce. Must be placed in the ActiveGate file system)
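Because -nodes in Step 1 writes the private key unencrypted, key.pem and full_cert.pem carry it in the clear, and full_cert.pkcs12 and full_cert.jks hold it under a password. The shell script below is an added example, not part of the original instructions: it checks that cert.pem and key.pem are a pair, that the certificate is not close to expiry, and which of the generated files are readable by other users. The function names are hypothetical, and it assumes it is run in the directory that holds the files.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced by Steps 1-3.

# True when the certificate ($1) and the private key ($2) share a public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the .pem files in directory $1 that contain an unencrypted private key.
private_key_files() {
    grep -lE -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$1"/*.pem 2>/dev/null
}

# True when file $1 is readable by its group or by everyone.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Report on the files from Steps 1-3 when they are in the current directory.
if [ -f cert.pem ] && [ -f key.pem ]; then
    if key_matches_cert cert.pem key.pem; then
        echo "OK: cert.pem and key.pem are a pair"
    else
        echo "FAIL: cert.pem does not belong to key.pem"
    fi
    if ! cert_valid_for_days cert.pem 30; then
        echo "WARN: cert.pem expires within 30 days"
    fi
    # The .pkcs12 and .jks files also contain the key (password protected).
    for f in $(private_key_files .) full_cert.pkcs12 full_cert.jks; do
        if [ -f "$f" ] && readable_by_others "$f"; then
            echo "WARN: $f contains the private key and is group/world readable"
        fi
    done
fi
```

Only cert.pem and full_cert.jks are needed afterwards, so the other files flagged here can be deleted or moved to restricted storage once the keystore is in place.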
Connected app
In Salesforce Lightning, go to Setup > Apps > App Manager.
Select New Connected App.
https://dt-cdn.net/hub/new_connected_app.png
Give the app a name and add the contact email.
Under API (Enable OAuth Settings), enable:
- Enable OAuth Settings
- Use digital signatures
The callback URL won't be used. You can use something like http://localhost
Upload the cert.pem file you created under Use digital signatures.
https://dt-cdn.net/hub/app_settings_1.png
Under Selected OAuth Scopes, add:
- The (api) scope, which should be called Manage user data via APIs (api)
- The (refresh_token, offline_access) scope, which should be called Perform requests at any time (refresh_token, offline_access)
The names might differ depending on the version of Salesforce. Use the ones that end with (api) and (refresh_token, offline_access).
https://dt-cdn.net/hub/app_settings_2.png
Leave all other options as is. Select Save.
Now it's time to set up the OAuth Policy permitted users.
On the connected app page, select Manage, then Edit Policies.
Under OAuth Policies select Admin approved users are pre-authorized.
https://dt-cdn.net/hub/policy.png
Select Save.
On the same connected app page, under Profiles, select Manage Profiles.
Add a profile for users that are approved to use this connected app, like System Administrator.
https://dt-cdn.net/hub/profiles.png
Configure Dynatrace
Place the full_cert.jks file somewhere in the ActiveGate file system.
On Linux, the user dtuserag must be able to read this file.
The path to this file will later be used in the Dynatrace extension configuration page.
For this setup, this is how the endpoint will look in Dynatrace:
Important notes:
- Do not use the lightning URL as the instance. It must be the Classic URL.
- The alias for the certificate inside the JKS you created is 1 because it was not specified.
- The Consumer Key can be copied from Setup > Apps > App Manager > View in Salesforce.
https://dt-cdn.net/hub/endpoint_connected_app.png
Troubleshooting
The logs under %PROGRAMDATA% (Windows) or /var/lib (Linux) give you more details if you run into trouble.
The full path is /var/lib/dynatrace/remotepluginmodule/log/remoteplugin/custom.remote.python.salesforce_eventstream/SalesforceEventStream.log
A good example log:
https://dt-cdn.net/hub/log.png
Errors will also be sent to a custom device. Here's an example of an error when using the lightning URL instead of the classic URL:
https://dt-cdn.net/hub/problem_0vw7Eyy.png