AQUILA - SalesForce Integration Using JWT Authentication
Salesforce requires secure communication protocols for authorization and data exchange between external applications and Salesforce orgs. This involves creating digital certificates, configuring external client apps, and establishing secure authentication methods. OpenSSL provides the cryptographic tools needed to generate private keys and self-signed certificates for secure communication over networks.
Integration Overview
This integration supports secure communication through:
- JWT (JSON Web Token) authentication using digital certificates
- OAuth authentication with external client apps
- Self-signed certificates and keystore management
Organizations can authorize Salesforce CLI commands and establish secure API connections using these authentication methods.
Compatibility
- Supports Salesforce CLI authorization via JWT Bearer Flow
- Compatible with macOS, Linux, and Windows operating systems
- Requires OpenSSL for certificate generation
- Requires Java keytool for keystore conversion
Installing OpenSSL
OpenSSL is an open-source software library that provides tools and protocols for secure communication over networks. It helps encrypt data so that information like passwords, credit card numbers, and private messages stay secure when sent over the internet.
Step 1:
Install OpenSSL on your system (the command below is for Debian or Ubuntu Linux; on macOS or Windows use your package manager or an OpenSSL installer):
sudo apt install openssl
Step 2:
Verify OpenSSL installation by running:
- macOS/Linux:
which openssl
- Windows:
where openssl
Creating a Private Key and Self-Signed Digital Certificate
A digital certificate and the private key used to sign it are needed to authorize an org with the org login jwt command. While it is strongly advised to use a certificate issued by a certificate authority (CA), you can use OpenSSL to generate a self-signed certificate to get started.
This process produces two files:
- server.key — the private key used when authorizing an org with the org login jwt command
- server.crt — the digital certificate uploaded when creating the required external client app
Step 1:
Open a terminal (macOS and Linux) or command prompt (Windows).
Step 2:
Create a directory to hold the generated files and navigate to it:
mkdir /Users/jdoe/JWT
cd /Users/jdoe/JWT
Step 3:
Create a private key and save it as server.key. The first command generates a passphrase-protected key (server.pass.key); the second strips the passphrase and writes the unencrypted server.key that the JWT flow uses, so restrict read access to that file to the account that runs the integration.
Remember to change "<your password>" to the passphrase of your choice.
openssl genpkey -aes-256-cbc -algorithm RSA -pass pass:<your password> -out server.pass.key -pkeyopt rsa_keygen_bits:2048
openssl rsa -passin pass:<your password> -in server.pass.key -out server.key
Step 4:
Use the server.key file to create a certificate signing request and save it as server.csr:
openssl req -new -key server.key -out server.csr
When prompted, optionally enter details about your organization.
Step 5:
Create a self-signed digital certificate using the server.key and server.csr files:
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
Creating an External Client App in Your Salesforce Organization
Salesforce CLI requires an external client app in the org that you're authorizing. An external client app is a packageable framework that enables a third-party application (Salesforce CLI) to integrate with Salesforce using APIs and security protocols. You must create your own external client app when authorizing the org with the org login jwt command.
Step 1:
Log in to your Salesforce Organization.
Step 2:
From the Quick Find box in Setup, enter App Manager, then click App Manager.
Step 3:
Click New External Client App.
Step 4:
Update the basic information as needed, such as the external client app name and your contact email address.
Note: The email address provided must be valid, as Salesforce will use it to communicate with your team regarding any updates or issues related to your application usage.
Step 5:
Under API (Enable OAuth Settings), click Enable OAuth.
Step 6:
Under App Settings, in the Callback URL box, enter:
http://localhost:1717/OauthRedirect
If port 1717 is already in use, specify an available port and update your sfdx-project.json file:
"oauthLocalPort" : "1919"
Step 7:
In the OAuth Scopes section, select these scopes:
- Manage user data via APIs (api)
- Manage user data via Web browsers (web)
- Perform requests at any time (refresh_token, offline_access)
Step 8:
(Required for JWT) In the Flow Enablement section, select Enable Client Credentials Flow and Enable JWT Bearer Flow.
Step 9:
(Required for JWT) Click Upload Files and upload your digital certificate file (server.crt).
Step 10:
Click Create.
Step 11:
Click Edit to configure additional settings.
Step 12:
(Required for JWT) Click the Policies tab and configure the following:
- Open OAuth Policies
- In the Plugin Policies section, set Permitted Users to Admin approved users are pre-authorized
- Click OK
- In the App Policies section, select the profiles and permission sets that are pre-authorized to use this external client app
Step 13:
Step 14:
Step 15:
Configure token expiration settings:
- Refresh Token Validity Period: Enter 90
- Refresh Token Validity Unit: Select Day(s)
Step 16:
In the Session Timeout in Minutes box, enter 15.
Step 17:
Click Save.
Your external client app is now ready to use.
Converting server.crt to JKS Keystore File
To use the certificate with Salesforce, convert it to a Java KeyStore (JKS) format.
Step 1:
Copy the server.key file and save it as server.pem:
cp server.key server.pem
Note: Steps 2 to 4 are optional.
Step 2:
Create a PKCS12 keystore file (minimum password length: 6 characters):
openssl pkcs12 -export -in server.crt -inkey server.pem -out keystore.p12
Step 3:
Convert the PKCS12 file to JKS format:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore servercert.jks -deststoretype JKS
You will be prompted to create a password. Remember this password for future use.
Step 4:
Change the default alias (Salesforce doesn't support alias "1"):
keytool -keystore servercert.jks -changealias -alias 1 -destalias <name of certificate>
Required fields for JWT Authentication Integration:
- JWT Authentication Audience URL
- JWT Authentication Client Key Path (full file folder path)
- Username (email address)
- Client ID (Consumer Key)
- Instance URL
Provide these required fields to CyTech Support.
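To check that the key, certificate and fields above fit together before handing them over, here is an added example (not part of this guide, Salesforce CLI or Salesforce itself) that builds the RS256 assertion the JWT Bearer Flow sends and verifies it against server.crt using only the openssl CLI installed earlier. The function names make_jwt and verify_jwt are chosen here, and the consumer key, username and audience in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: build and verify the JWT Bearer Flow assertion with the openssl CLI.
# KEYFILE must be the unencrypted server.key from Step 3 (no passphrase prompt);
# the issuer, subject and audience are the Consumer Key, username and audience URL
# collected for support. All values passed by the caller are assumptions/placeholders.
set -eu

# base64url without '=' padding, the encoding every JWT segment uses (RFC 7515)
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# make_jwt KEYFILE CONSUMER_KEY USERNAME AUDIENCE_URL EXP_EPOCH -> prints the assertion
make_jwt() {
  key=$1 iss=$2 sub=$3 aud=$4 exp=$5
  header=$(printf '{"alg":"RS256"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%s}' "$iss" "$sub" "$aud" "$exp" | b64url)
  # Salesforce checks this signature against the server.crt uploaded to the external client app
  sig=$(printf '%s.%s' "$header" "$claims" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s' "$header" "$claims" "$sig"
}

# verify_jwt CERTFILE JWT -> returns 0 only if the signature matches the certificate's public key
verify_jwt() {
  cert=$1 jwt=$2
  signing_input=${jwt%.*}
  padded=$(printf '%s' "${jwt##*.}" | tr '_-' '/+')
  while [ $(( ${#padded} % 4 )) -ne 0 ]; do padded="${padded}="; done   # restore base64 padding
  pub=$(mktemp) sigfile=$(mktemp)
  openssl x509 -in "$cert" -pubkey -noout > "$pub"
  printf '%s' "$padded" | openssl base64 -d -A > "$sigfile"
  if printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$pub" "$sigfile"
  return $rc
}

# Usage against a real org (needs network, so not run here; values are placeholders):
#   jwt=$(make_jwt server.key "$CONSUMER_KEY" "$USERNAME" https://login.salesforce.com $(( $(date +%s) + 180 )))
#   curl -s https://login.salesforce.com/services/oauth2/token \
#     -d grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer -d "assertion=$jwt"
```

Keep the exp claim short-lived (a few minutes), because the assertion is a bearer credential until it expires.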
Reference Link:
Create an External Client App in Your Org | Salesforce DX Developer Guide | Salesforce Developers
If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.