Tenant token

The tenant token is used by OneAgents and ActiveGates to report data to Dynatrace. Dynatrace automatically generates the tenant token and adds it to OneAgent and ActiveGate installers on download.

Access a tenant token

To obtain a tenant token for your environment, execute the GET connectivity information for OneAgent request of the Deployment API. You will find the tenant token in the tenantToken field of the response body. You'll need your PaaS token to authenticate the request.

Rotate tenant token

You can change the tenant token as needed (for example, to adhere to internal security policies or respond to unintended exposure). The procedure for changing the tenant token is called tenant token rotation.

To rotate the token, you need to generate a new token, assign it to all OneAgents and ActiveGates that report data to the environment, and then disable the old token.

To avoid data loss, both old and new tokens are valid during the rotation process. During rotation, do not deploy any new OneAgents until all your ActiveGates are configured with the new tenant token.

  1. Start the rotation and generate a new tenant token by executing the POST start rotation request.

    The request returns the new token in the active field of the response body.

  2. Add the new token to ActiveGates. For each ActiveGate:

    1. Stop ActiveGate.

    2. In the authorization.properties file of ActiveGate configuration directory, find the entry for the required environment and specify the new token in the tenantToken field.

    3. Depending on your ActiveGate purpose:

      • Route OneAgent traffic and monitor remote technologies: Find the entry for the required environment in the ruxitagent.conf and extensions.conf files, and specify the new token in the tenantToken.

        Windows: %PROGRAMFILES%\dynatrace\remotepluginmodule\agent\conf
        Linux: /opt/dynatrace/remotepluginmodule/agent/conf

      • Install the zRemote module for z/OS monitoring: Find the entry for the required environment and specify the new token in the tenantToken field.

        Windows: %PROGRAMFILES%\dynatrace\zremote\agent\conf\ruxitagent.conf
        Linux: /opt/dynatrace/zremote/agent/conf/ruxitagent.conf

    4. Windows only Change the value of the registry entry: HKEY_LOCAL_MACHINE\Software\Dynatrace\Dynatrace ActiveGate\common\tenant_token.

    5. Start ActiveGate.

  3. Add the new token to OneAgents. For each OneAgent:

    1. Add the new token to the communication settings of the OneAgent.

      Use the --set-tenant-token command of the OneAgent command-line interface.

    2. Restart OneAgent.

    You can combine both steps into one command:

    oneagentctl --restart-service --set-tenant-token={new token}

  4. Finish the rotation by executing the POST finish rotation request. This finishes the process and renders the old token invalid.

Related topics