Connect your Cloud Foundry clusters with Dynatrace

Connecting your Cloud Foundry clusters to Dynatrace enables

  • full access to the dedicated Cloud Foundry overview page
  • automatic detection of your Cloud Foundry organizations
  • access to other Cloud Foundry process properties, like space, space ID, application, application ID, and instance index.

To connect your clusters with Dynatrace, follow the instructions below.


1. Start installation

Sign in to Dynatrace, select Deploy Dynatrace from the navigation menu and select Install ActiveGate.

2. Download the installer

How you download your installer depends on your setup and needs. You can choose to download an installer directly to the server where you plan to install Environment ActiveGate or you can download an installer to a different machine and then transfer the installer to the server.

  1. Select the ActiveGate purpose.

  2. Select Download installer.
    If you plan to download Environment ActiveGate directly to the server, make sure your system is up to date, especially SSL and related certificate libraries. Outdated libraries (for example, CA certificates) or missing OpenSSL will prevent the installer from downloading (Dynatrace uses encrypted connections, so OpenSSL is required to enable wget to access the server).

    • Download the installer using one of these options:
      • Run the command
        Copy the wget command from the text box and paste it into a terminal window on the machine where you plan to install the ActiveGate. Make sure you copy the command directly from the first text box; it contains your environment ID.
      • Download via browser
        No internet access on servers? You can download the installer by selecting the ActiveGate installer link at the bottom of the page and saving the installer script to any location on your system, thereby bypassing the wget command altogether.
  • Verify the signature
    Wait for the download to complete. Then verify the signature by copying the command from the second Verify signature text box and pasting the command into your terminal window.

3. Run the installer

An install parameter (determined by the ActiveGate purpose you selected) is automatically set for the command to run the installer. Make sure you use the command displayed in the Dynatrace web UI that reflects the ActiveGate purpose.

Copy the installation script command from the Run the installer with root rights step and paste it into your terminal.

You only need root rights to install an ActiveGate. The user running the ActiveGate service doesn't require root rights. If you don't specify your own user to run the ActiveGate service, the installer will create and use the dtuserag user by default.

To install ActiveGate, run one of the following pairs of commands in the directory where you downloaded the installation script.

  • Ubuntu Server

    [user@ubuntu]# chmod + x  
    [user@ubuntu]# sudo ./
  • Red Hat Enterprise Linux

    [user@rhel]# chmod + x  
    [user@rhel]# su ./
  • Other Linux distribution with root session

    [root@host]# chmod + x  
    [root@host]# ./

4. Certificate management

If you're using self-signed certificates for communication to external APIs, you can either add the certificate to the truststore or disable certificate validation.

Add the self-signed certificate to the truststore

  • For ActiveGate version 1.167

Use the method described in Configure trusted root certificates on ActiveGate.

  • For ActiveGate version 1.169+

Bring in the certificate from your cloud provider.
In the following example, we extract the certificate from and save it locally as dt_k8s_api.pem. The command is the same for Windows and Linux, assuming you have openssl installed on Windows.

echo Q | openssl s_client -connect | openssl x509 -outform PEM > dt_k8s_api.pem

For Kubernetes, you can use the following command sequence to get the certificate:

[root@host]# API_ENDPOINT_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
[root@host]# if [[ $API_ENDPOINT_URL =~ (https?://.*):(\d*) ]]; then API_SERVER_PORT=$API_ENDPOINT_URL; else API_SERVER_PORT="$(echo $API_ENDPOINT_URL | sed -e "s/https:\/\///"):443"; fi
[root@host]# echo -e "${YLW} API server:${NC} ${API_SERVER_PORT}"

[root@host]# echo Q | openssl s_client -connect $API_SERVER_PORT 2>/dev/null | openssl x509 -outform PEM > dt_k8s_api.pem

Add the certificate to the keystore.
You can provide a full path to the pem file location (including paths to remote locations) using the -file parameter, or copy the pem file to your ActiveGate and provide only the filename as indicated in the example.

[root@host]# sudo /opt/dynatrace/gateway/jre/bin/keytool -import -file dt_k8s_api.pem -alias dt_k8s_api -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks

If you import multiple certificates, make sure that you provide a unique alias for each certificate that you import. If you use the same alias for each certificate, all previously used certificates will be overwritten.

You can display the list of aliases and the certificate description using the keytool -list command.

For example:

# sudo /opt/dynatrace/gateway/jre/bin/keytool -list -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
dt_k8s_api, Apr 26, 2020,
Certificate fingerprint (SHA-256): 07:28:9A:F2:29:32:0D:64:F0:18:93:A1:CC:2E:49:21:E9:DA:40:82:9B:A8:71:B7:A4:2C:6D:8C:B3:90:31:31

Add the following entries in the /var/lib/dynatrace/gateway/config/ file.

The entry in the file may look like this:

trustedstore = mytrusted.jks
# the following entries are optional
trustedstore-password = changeit
trustedstore-type = JKS
Encrypted password

The password will be stripped and encrypted when you restart the ActiveGate service.

Restart ActiveGate services.

Disable certificate validation

Disabling certificate validation isn't recommended because it imposes security risks. However, if you still want to disable certificate validation for test environments, you need to do the following:

  1. From the Dynatrace menu, select Settings > Cloud and virtualization > Kubernetes.
  2. Look for your cluster and select the Edit button next to it to edit the cluster settings.
  3. Disable Require valid certificates for communication with API server.
  4. Disable Verify hostname in certificate against Kubernetes API URL.
  5. Select Save to save your changes.

These setting override the settings in the ActiveGate file.

5. Connect your clusters to Dynatrace

Note: We recommend using a Cloud Foundry admin read-only account that can view almost all Cloud Controller API resources, but can't modify them.

uaac user add ReadOnlyUser -p SecretPassword --emails
uaac member add cloud_controller.admin_read_only ReadOnlyUser
uaac member add ReadOnlyUser

To connect your Cloud Foundry clusters to Dynatrace

  1. In the Dynatrace web UI, go to Settings > Cloud and virtualization > Cloud Foundry.
  2. Select Connect new foundation.
  3. Enter your Cloud Foundry API target URL, your Authentication endpoint, your Cloud Foundry Username, and your Password.

If you haven't installed a trusted certificate to your ActiveGate, make sure to clear the Require valid certificates for communication with the API server (recommended) checkbox.