Connect your Cloud Foundry foundations with Dynatrace

Connecting your Cloud Foundry foundations to Dynatrace enables

• full access to the dedicated Cloud Foundry overview page
• automatic detection of your Cloud Foundry organizations
• access to other Cloud Foundry process properties, like space, space ID, application, application ID, and instance index.

To connect your foundation with Dynatrace, follow the instructions below.

Start installation

Download the installer

Run the installer

Certificate management

Connect your foundation to Dynatrace

Prerequisites

• Review the list of supported applications and versions.
• Diego cells include the OneAgent BOSH add-on.

Start installation

Sign in to Dynatrace, select Deploy Dynatrace from the Dynatrace menu, and select then Install ActiveGate. For more information, see Installation.

Download the installer

How you download your installer depends on your setup and needs. You can choose to download an installer directly to the server where you plan to install an ActiveGate or you can download an installer to a different machine and then transfer the installer to the server.

1. Select Route OneAgent traffic as the ActiveGate purpose.
2. Select Download installer. There are two options:
   • Download via shell command. Copy and run the wget command.
   • Select the link to download the ActiveGate installer.

Run the installer

An install parameter (determined by the ActiveGate purpose you selected) is automatically set for the command to run the installer. Make sure you use the command displayed in the Dynatrace web UI that reflects the ActiveGate purpose.

Copy the installation script command from the Run the installer with root rights step and paste it into your terminal.

Customize installation

You can add additional parameters to the installation command to customize your installation. For example, to install ActiveGate in a different directory, use the INSTALL=<path> parameter:

bashcopydownload
[root@host]# /bin/bash Dynatrace-ActiveGate-Linux-x86-1.0.0.sh INSTALL=/hosted_app/dynatrace

Default installation settings

For installation defaults, including default directories, see ActiveGate default settings for Linux.

Certificate management

If you're using self-signed certificates for communication to external APIs, you can either add the certificate to the truststore or disable certificate validation.

Add the certificate to the truststore

1. Bring in the certificate from your cloud provider.
   In the following example, we extract the certificate from google.com and save it locally as dt_k8s_api.pem. The command is the same for Windows and Linux, assuming you have openssl installed on Windows.

   shellcopydownload
   echo Q | openssl s_client -connect google.com:443 | openssl x509 -outform PEM > dt_k8s_api.pem

   For Kubernetes, you can use the following command sequence to get the certificate:

   shellcopydownload
   [root@host]# API_ENDPOINT_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
   [root@host]# if [[ $API_ENDPOINT_URL =~ (https?://.*):(\d*) ]]; then API_SERVER_PORT=$API_ENDPOINT_URL; else API_SERVER_PORT="$(echo $API_ENDPOINT_URL | sed -e "s/https:\/\///"):443"; fi
   [root@host]# echo -e "${YLW} API server:${NC} ${API_SERVER_PORT}"
   
   [root@host]# echo Q | openssl s_client -connect $API_SERVER_PORT 2>/dev/null | openssl x509 -outform PEM > dt_k8s_api.pem

2. Add the certificate to the keystore.
   You can provide a full path to the pem file location (including paths to remote locations) using the -file parameter, or copy the pem file to your ActiveGate and provide only the filename as indicated in the example.

   shellcopydownload
   [root@host]# sudo /opt/dynatrace/gateway/jre/bin/keytool -import -file dt_k8s_api.pem -alias dt_k8s_api -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks

   If you import multiple certificates, make sure that you provide a unique alias for each certificate that you import. If you use the same alias for each certificate, all previously used certificates will be overwritten.

   You can display the list of aliases and the certificate description using the keytool -list command.

   For example:

   shellcopydownload
   # sudo /opt/dynatrace/gateway/jre/bin/keytool -list -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks
   Enter keystore password:
   Keystore type: JKS
   Keystore provider: SUN
   Your keystore contains 1 entry
   dt_k8s_api, Apr 26, 2020,
   trustedCertEntry,
   Certificate fingerprint (SHA-256): 07:28:9A:F2:29:32:0D:64:F0:18:93:A1:CC:2E:49:21:E9:DA:40:82:9B:A8:71:B7:A4:2C:6D:8C:B3:90:31:31

3. Add the following entries in the /var/lib/dynatrace/gateway/config/custom.properties file.

   The entry in the custom.properties file may look like this:

   propertiescopydownload
   [collector]
   trustedstore = mytrusted.jks
   # the following entries are optional
   trustedstore-password = changeit
   trustedstore-type = JKS

   Encrypted password

   The password will be stripped and encrypted when you restart the ActiveGate service.

4. Restart the ActiveGate main service.

Alternatively, you can add the truststore file containing the Kubernetes CA certificate as an installation parameter. For details, see Trusted root certificates for ActiveGate.

Disable certificate validation

Disabling certificate validation isn't recommended because it imposes security risks. However, if you still want to disable certificate validation for test environments, you need to do the following:

1. From the Dynatrace menu, select Settings > Cloud and virtualization > Kubernetes.
2. Look for your cluster and select the Edit button next to it to edit the cluster settings.
3. Disable Require valid certificates for communication with API server.
4. Disable Verify hostname in certificate against Kubernetes API URL.
5. Select Save to save your changes. These setting override the settings in the ActiveGate custom.properties file.

Connect your foundation to Dynatrace

bashcopydownload
uaac user add ReadOnlyUser -p SecretPassword --emails something@example.com
uaac member add cloud_controller.admin_read_only ReadOnlyUser
uaac member add scim.read ReadOnlyUser

To connect your Cloud Foundry foundation to Dynatrace

1. In the Dynatrace web UI, go to Settings > Cloud and virtualization > Cloud Foundry.

2. Select Connect new foundation.

3. Enter your Cloud Foundry API target URL, your Authentication endpoint, your Cloud Foundry Username, and your Password.

4. optional Select the ActiveGate group.

   For more information about ActiveGate groups, see ActiveGate group.

5. optional Test your connection.

6. Select Save changes.

Manage permissions and configuration

• For fine-grained user permissions, see IAM policies.
• For easy configuration, use Settings API.

The schemaID for Cloud Foundry is builtin:cloud.cloudfoundry.