Create a connected app
- keytool (comes with a Java installation)
- Salesforce account that can create connected apps
The connected app will need a certificate attached to it.
You can use an existing certificate or create a new one.
Here are the steps to create a certificate using
- Step 1 - Create a certificate and its private key. You can accept all default options.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
This will create two files called
- Step 2 - Merge both files into one. You can use a text editor, cat, etc.
cat cert.pem key.pem >> full_cert.pem
After this step, you should have a file called
- Step 3 - Add this certificate to a Java Keystore (jks) file. This will later be used in Dynatrace.
full_cert.pem file to pkcs12. You must set a password when prompted.
openssl pkcs12 -export -out full_cert.pkcs12 -in full_cert.pem
Add the file to a new Java keystore.
Set a password for the keystore (destination password).
The source password is the one you created with the previous command.
keytool -importkeystore -srckeystore full_cert.pkcs12 -srcstoretype pkcs12 -destkeystore full_cert.jks -deststoretype JKS
After this is done, you should have five files. You will only use two of them:
- cert.pem (Used when creating the connected app in salesforce)
- full_cert.jks (Used by Dynatrace to connect to Salesforce. Must be placed in the ActiveGate file system)
In Salesforce Lightning, go to Setup > Apps > App Manager.
Select New Connected App.
Give the app a name and add the contact email.
API (Enable OAuth Settings), enable:
Enable OAuth Settings
- Use digital signatures
The callback URL won't be used. you can use something like
cert.pem file you created under
Use digital signatures.
Selected OAuth Scopes, add:
(api) scope, which should be called
Manage user data via APIs (api)
(refresh_token, offline_access) scope, which should be called
Perform requests at any time (refresh_token, offline_access)
The names might differ depending on the version of Salesforce. Use the ones that end with
Leave all other options as is. Select Save.
Now it's time to set up the
OAuth Policy permitted users.
On the connected app page, select Manage, then Edit Policies.
Under OAuth Policies select Admin approved users are pre-authorized.
On the same connected app page, under Profiles, select Manage Profiles.
Add a profile for users that are approved to use this connected app, like
full_cert.jks file somewhere in the ActiveGate file system.
On Linux, the user
dtuserag must be able to
read this file.
The path to this file will later be used in the Dynatrace extension configuration page.
For this setup, this is how the endpoint will look in Dynatrace:
- Do not use the lightning URL as the instance. It must be the
- The alias for the certificate inside the JKS you created is
1 because it was not specified.
Consumer Key can be copied from Setup > Apps > App Manager > View in Salesforce.
The logs under
%PROGRAMDATA% (windows) or
/var/lib (Linux) give you more details if you run into trouble.
The full path is
A good example log:
Errors will also be sent to a custom device. Here's an example of an error when using the lightning URL instead of the classic URL: