Connect your Cloud Foundry clusters with Dynatrace

Connecting your Cloud Foundry clusters to Dynatrace enables

• full access to the dedicated Cloud Foundry overview page
• automatic detection of your Cloud Foundry organizations
• access to other Cloud Foundry process properties, like space, space ID, application, application ID, and instance index.

To connect your clusters with Dynatrace, follow the instructions below.

Prerequisites

• Review the list of supported applications and versions.
• Diego cells include the OneAgent BOSH add-on.

1. Start installation

Sign in to Dynatrace, select Deploy Dynatrace from the navigation menu and select Install ActiveGate.

2. Download the installer

How you download your installer depends on your setup and needs. You can choose to download an installer directly to the server where you plan to install Environment ActiveGate or you can download an installer to a different machine and then transfer the installer to the server.

1. Select the ActiveGate purpose.

2. Select Download installer.
   If you plan to download Environment ActiveGate directly to the server, make sure your system is up to date, especially SSL and related certificate libraries. Outdated libraries (for example, CA certificates) or missing OpenSSL will prevent the installer from downloading (Dynatrace uses encrypted connections, so OpenSSL is required to enable wget to access the server).

   • Download the installer using one of these options:
     • Run the command
       Copy the wget command from the text box and paste it into a terminal window on the machine where you plan to install the ActiveGate. Make sure you copy the command directly from the first text box; it contains your environment ID.
     • Download via browser
       No internet access on servers? You can download the installer by selecting the ActiveGate installer link at the bottom of the page and saving the installer script to any location on your system, thereby bypassing the wget command altogether.

• Verify the signature
  Wait for the download to complete. Then verify the signature by copying the command from the second Verify signature text box and pasting the command into your terminal window.

3. Run the installer

An install parameter (determined by the ActiveGate purpose you selected) is automatically set for the command to run the installer. Make sure you use the command displayed in the Dynatrace web UI that reflects the ActiveGate purpose.

Copy the installation script command from the Run the installer with root rights step and paste it into your terminal.

You only need root rights to install an ActiveGate. The user running the ActiveGate service doesn't require root rights. If you don't specify your own user to run the ActiveGate service, the installer will create and use the dtuserag user by default.

To install ActiveGate, run one of the following pairs of commands in the directory where you downloaded the installation script.

• Ubuntu Server

  shellcopydownload
  [user@ubuntu]# chmod + x Dynatrace-ActiveGate-Linux-x86-1.0.0.sh
  [user@ubuntu]# sudo ./Dynatrace-ActiveGate-Linux-x86-1.0.0.sh

• Red Hat Enterprise Linux

  shellcopydownload
  [user@rhel]# chmod + x Dynatrace-ActiveGate-Linux-x86-1.0.0.sh
  [user@rhel]# su ./Dynatrace-ActiveGate-Linux-x86-1.0.0.sh

• Other Linux distribution with root session

  shellcopydownload
  [root@host]# chmod + x Dynatrace-ActiveGate-Linux-x86-1.0.0.sh
  [root@host]# ./Dynatrace-ActiveGate-Linux-x86-1.0.0.sh

4. Certificate management

If you're using self-signed certificates for communication to external APIs, you can either add the certificate to the truststore or disable certificate validation.

Add the self-signed certificate to the truststore

• For ActiveGate version 1.167

Use the method described in Configure trusted root certificates on ActiveGate.

• For ActiveGate version 1.169+

1. Bring in the certificate from your cloud provider.
   In the following example, we extract the certificate from google.com and save it locally as dt_k8s_api.pem. The command is the same for Windows and Linux, assuming you have openssl installed on Windows.

   shellcopydownload
   echo Q | openssl s_client -connect google.com:443 | openssl x509 -outform PEM > dt_k8s_api.pem

   For Kubernetes, you can use the following command sequence to get the certificate:

   shellcopydownload
   [root@host]# API_ENDPOINT_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
   [root@host]# if [[ $API_ENDPOINT_URL =~ (https?://.*):(\d*) ]]; then API_SERVER_PORT=$API_ENDPOINT_URL; else API_SERVER_PORT="$(echo $API_ENDPOINT_URL | sed -e "s/https:\/\///"):443"; fi
   [root@host]# echo -e "${YLW} API server:${NC} ${API_SERVER_PORT}"
   
   [root@host]# echo Q | openssl s_client -connect $API_SERVER_PORT 2>/dev/null | openssl x509 -outform PEM > dt_k8s_api.pem

2. Add the certificate to the keystore.
   You can provide a full path to the pem file location (including paths to remote locations) using the -file parameter, or copy the pem file to your ActiveGate and provide only the filename as indicated in the example.

   shellcopydownload
   [root@host]# sudo /opt/dynatrace/gateway/jre/bin/keytool -import -file dt_k8s_api.pem -alias dt_k8s_api -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks

   If you import multiple certificates, make sure that you provide a unique alias for each certificate that you import. If you use the same alias for each certificate, all previously used certificates will be overwritten.

   You can display the list of aliases and the certificate description using the keytool -list command.

   For example:

   shellcopydownload
   # sudo /opt/dynatrace/gateway/jre/bin/keytool -list -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks
   Enter keystore password:
   Keystore type: JKS
   Keystore provider: SUN
   Your keystore contains 1 entry
   dt_k8s_api, Apr 26, 2020,
   trustedCertEntry,
   Certificate fingerprint (SHA-256): 07:28:9A:F2:29:32:0D:64:F0:18:93:A1:CC:2E:49:21:E9:DA:40:82:9B:A8:71:B7:A4:2C:6D:8C:B3:90:31:31

3. Add the following entries in the /var/lib/dynatrace/gateway/config/custom.properties file.

   The entry in the custom.properties file may look like this:

   propertiescopydownload
   [collector]
   trustedstore = mytrusted.jks
   # the following entries are optional
   trustedstore-password = changeit
   trustedstore-type = JKS

   Encrypted password

   The password will be stripped and encrypted when you restart the ActiveGate service.

4. Restart ActiveGate services.

   • See Stop/restart ActiveGate

Disable certificate validation

Disabling certificate validation isn't recommended because it imposes security risks. However, if you still want to disable certificate validation for test environments, you need to do the following:

propertiescopydownload
[http.client.external]
hostname-verification = false
certificate-validation = false

5. Connect your clusters to Dynatrace

Note: We recommend using a Cloud Foundry admin read-only account that can view almost all Cloud Controller API resources, but can't modify them.

bashcopydownload
uaac user add ReadOnlyUser -p SecretPassword --emails something@example.com
uaac member add cloud_controller.admin_read_only ReadOnlyUser
uaac member add scim.read ReadOnlyUser

To connect your Cloud Foundry clusters to Dynatrace

1. In the Dynatrace web UI, go to Settings > Cloud and virtualization > Cloud Foundry.
2. Select Connect new foundation.
3. Enter your Cloud Foundry API target URL, your Authentication endpoint, your Cloud Foundry Username, and your Password.