
Private key for setting up Amazon IAM identity center (AWS SSO) on Dynatrace Managed

ta12345
Newcomer

I'm just cross-posting the question I made on Stack Overflow:
rsa - Private Key needed to set up Amazon IAM Identity Center (AWS SSO) on Dynatrace Managed? - Stac...


I've been trying to set up AWS SSO for the on-premises version of Dynatrace, Dynatrace Managed, using the following tutorials:

Source 1: https://www.dynatrace.com/support/help/manage/access-control/user-management-and-sso

Source 2: https://aws.amazon.com/blogs/apn/aws-single-sign-on-integration-guide-for-dynatrace/


The thing is that the Amazon tutorial (source 2) is for the SaaS version of Dynatrace: it requires you to add a domain, but there is no such option in Dynatrace Managed.

The Dynatrace documentation led me to a tutorial specific to Dynatrace Managed:
Source 1.1: https://www.dynatrace.com/support/help/managed-cluster/users-and-groups-setup/manage-users-and-group...

Specifically, this section confuses me: https://www.dynatrace.com/support/help/shortlink/managed-saml#saml-signing-certificate-update


It asks me to submit a private key and a certificate, but I don't know where from! Amazon SSO gave me a certificate, but it did not give me a private key.

I'm going to the version 1 cluster API for Dynatrace: https://172.31.0.1/rest-api-doc/index-managed.jsp (I use a different IP, obviously).

Right now for testing I have both the Dynatrace standard login option and the SSO login option, but I'm trying to get SSO working so I can remove the regular login.


If I click on the single sign-on option, it successfully redirects me to the AWS Identity Provider. But after signing in and clicking on the Dynatrace app I created in the Identity Provider, it just shows me this error:


I'm not sure what logs it's referring to. The only log I found was some generic "cosmay@companyemail.com failed to login". I also tried looking in the "/var/opt/dynatrace-managed/log/server" directory of the machine that runs my Dynatrace Managed cluster, but there are 134 log files in there and I don't know where to look.

I also tried just straight up generating my own private key and certificate file with commands from this question: https://serverfault.com/a/224127, mainly "openssl genrsa 2048 > host.key" and "openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.cert". I'm also removing the newlines in the file with "tr --delete '\n' < host.cert" so it can work with JSON.

I'm thinking that maybe my key and certificate are the wrong format? When I try plugging them into the Dynatrace v1 API I get various errors depending on how I try to format it:

{
  "error": {
    "code": 400,
    "message": "Private key is invalid. Should be PKCS #8 standard, PEM base64-encoded format. IllegalArgumentException: Cannot decode private key. Error: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=111, too big."
  }
}
{
  "error": {
    "code": 400,
    "message": "Certificate is invalid. Should be X.509 standard, PEM base64-encoded format. Cannot get public certificate from Public key certificate - CertificateException: java.io.IOException: Incomplete data"
  }
}

And if I try formatting the HTTP PUT request (on https://172.31.0.1/rest-api-doc/index-managed.jsp) to look more like the template, I get a more generic 400 error:

Failed. The input is invalid.

So I'm guessing the issue is that I'm not generating the private key and certificate in the correct formats.

But maybe I'm not even supposed to be making my own key and certificate? I just think that I should be making my own key and certificate for SAML because I glanced at https://stackoverflow.com/a/34590477/20833958 and it looks like I make my own key and certificate.

Maybe the AWS Identity provider is supposed to give those to me? I don't get why Dynatrace wouldn't just generate its own private key and certificate. I'm just completely lost on this.
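What the two API error messages in the post are asking for, shown as an added shell example (this is not code from the post, from the linked answers, or from Dynatrace's own documentation): generate the key so that it is emitted in PKCS #8 PEM form ("BEGIN PRIVATE KEY", not the PKCS #1 "BEGIN RSA PRIVATE KEY" that older OpenSSL releases write from genrsa), self-sign an X.509 certificate with it, check both formats locally with openssl before calling the API, and put them into a JSON string by escaping each line break as the two characters \n instead of deleting the line breaks. The JSON field names privateKey and certificate, the certificate subject and the output directory are assumptions made for the example; take the real field names from the cluster API documentation linked above.

```shell
#!/bin/sh
# Added example, not from the original post or the Dynatrace docs.
# Produces a SAML signing key pair in the formats named by the API errors
# (PKCS #8 PEM private key, X.509 PEM certificate) and packs them into a
# JSON body without destroying the PEM line structure.
set -eu

# Generate an RSA key and convert it explicitly to PKCS #8. OpenSSL 1.x
# `genrsa` writes PKCS #1 ("BEGIN RSA PRIVATE KEY"); OpenSSL 3 already
# writes PKCS #8, in which case the conversion is a no-op.
gen_saml_keypair() {
    dir="$1"
    subj="${2:-/CN=dynatrace-saml-sp}"   # constructed subject; use your own
    mkdir -p "$dir"
    openssl genrsa -out "$dir/host.key.pkcs1" 2048 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$dir/host.key.pkcs1" -out "$dir/host.key"
    openssl req -new -x509 -nodes -sha256 -days 365 \
        -key "$dir/host.key" -subj "$subj" -out "$dir/host.cert" 2>/dev/null
    rm -f "$dir/host.key.pkcs1"
}

# Local format checks: the first line must be the expected PEM header on
# its own line, and openssl must be able to parse the body.
check_pkcs8_pem() {
    head -n1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$' || return 1
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}
check_x509_pem() {
    head -n1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Turn a PEM file into a JSON string value: each line break becomes the
# two-character escape \n. Deleting the newlines (tr --delete '\n') fuses
# header, base64 body and footer into one line, so a PEM parser that
# splits on lines no longer finds a valid header or a complete body; that
# is a likely cause of the "Incomplete data" and "lengthTag ... too big"
# errors quoted in the post.
pem_to_json_string() {
    awk '{ printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }' "$1"
}

# Inverse of the above, used to confirm the round trip is lossless.
json_string_to_pem() {
    printf '%s\n' "$1" | awk '{ gsub(/\\n/, "\n"); print }'
}

# Assemble a request body. "privateKey" and "certificate" are placeholder
# field names for this example; the real names come from the API docs.
build_saml_cert_body() {
    dir="$1"
    printf '{"privateKey":"%s","certificate":"%s"}\n' \
        "$(pem_to_json_string "$dir/host.key")" \
        "$(pem_to_json_string "$dir/host.cert")"
}

if [ "${1:-}" = "demo" ]; then
    gen_saml_keypair ./saml-demo
    check_pkcs8_pem ./saml-demo/host.key && echo "private key: PKCS #8 PEM ok"
    check_x509_pem ./saml-demo/host.cert && echo "certificate: X.509 PEM ok"
    # Show that the newline-stripped form from the post fails the check.
    tr -d '\n' < ./saml-demo/host.key > ./saml-demo/flat.key
    check_pkcs8_pem ./saml-demo/flat.key || echo "flattened key rejected, as expected"
    build_saml_cert_body ./saml-demo > ./saml-demo/body.json
    echo "JSON body written to ./saml-demo/body.json"
fi
```

Run it as "sh script.sh demo" to get host.key, host.cert and body.json in ./saml-demo; body.json is the shape of payload the PUT request in the post needs, with the PEM text intact inside the JSON strings. The private key stays on the cluster side only: the identity provider never needs it, and the certificate it gave you is the IdP's signing certificate for verifying assertions, not a replacement for the service provider key pair this script creates.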

1 REPLY

Mohamed_Hamdy
DynaMight Champion

Hi @ta12345,

I think we need to check the logs for more details; you might find more information in the server.0.0.log file.

Certified Dynatrace Professional | Certified Dynatrace Services Delivery - Observability & CloudOps | Dynatrace Partner - yourcompass.ca
