Setting Up OpenSSL and Creating a JWT Connected App in Salesforce


Step 1: Download and Install OpenSSL

  1. Download OpenSSL: Download OpenSSL from the official website or a trusted source.
  2. Install OpenSSL: Follow the installation instructions and install OpenSSL on your system.
  3. Set Environment Variable PATH:
    • Include the OpenSSL binary path C:\Program Files\OpenSSL-Win64\bin in your system’s PATH environment variable.

Step 2: Configure OpenSSL and Generate Keys

  1. Set OPENSSL_CONF Path:
     set OPENSSL_CONF=C:\openssl\share\openssl.cnf
  2. Generate an RSA Private Key: Execute the following command to generate a passphrase-protected private key (server.pass.key):
     openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
  3. Create a Key File: Convert server.pass.key to server.key (your RSA private key). This removes the passphrase, so server.key is stored unencrypted: restrict its file permissions and keep it out of version control.
     openssl rsa -passin pass:x -in server.pass.key -out server.key
  4. Request and Generate a Certificate Signing Request (CSR):
     openssl req -new -key server.key -out server.csr

During execution, provide the following information:

  • Country Name: IN
  • State or Province Name: Rajasthan
  • Locality Name: Jaipur
  • Organization Name: Techmatrix
  • Organizational Unit Name: TMX
  • Common Name: (Leave blank)
  • Email Address: youremail@gmail.com

  5. Generate the SSL Certificate (self-signed with server.key, valid for 365 days):
     openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

Step 3: Create a JWT Connected App in Salesforce

3.1 Create the Connected App

  1. Navigate to Setup:
    • Go to Setup in Salesforce.
    • Search for “Connected Apps” and click “New Connected App.”
  2. Fill in the Details:
    • Name: Provide a name for the app.
    • Email: Provide your email address.
    • Enable OAuth Settings:
      • Callback URL: http://localhost:1717/OauthRedirect
      • Check “Use Digital Signature” and upload the server.crt file created earlier.
      • Select OAuth Scopes:
        • Manage user data via APIs (api)
        • Manage user data via Web browsers (web)
        • Perform requests at any time (refresh_token, offline_access)
  3. Save the App.

3.2 Admin Approvals

  1. Go to Setup -> Manage Apps -> Connected Apps.
  2. Click Manage against your connected app.
  3. Set Permitted Users to “Admin approved users are pre-authorized.”
  4. Save the changes.

3.3 Assign Access

  1. Go to Setup -> Manage Users -> Profiles or Permission Sets.
  2. Select the profile or permission set (e.g., “Integration profile”).
  3. Click Assigned Connected Apps and assign the connected app.

Step 4: Create a JWT Token

4.1 JWT Token Structure

  1. Header:
     {"alg":"RS256"}
  2. Payload:
     {
       "iss": "Client_ID from Step 3.1",
       "sub": "UserName",
       "aud": "https://login.salesforce.com",
       "exp": "Current Timestamp + 2 minutes"
     }
     Here iss is the connected app’s Client ID (consumer key), sub is the Salesforce username of a pre-authorized user, and exp is a numeric Unix timestamp in seconds; the placeholder strings above are replaced with the real values.
  3. Signature: Sign the base64url-encoded header and payload (joined with a dot) with server.key using RSA-SHA256, as the RS256 header declares, and base64url-encode the result.

4.2 Tools for Testing

Use https://jwt.io/ to create and validate your JWT token; paste only test keys into browser-based tools, never a production server.key. You can obtain the current timestamp from https://unixtimestamp.com.

Step 5: Obtain Access Token via Postman

  1. HTTP Method: POST
  2. URL: https://login.salesforce.com/services/oauth2/token
  3. Body (x-www-form-urlencoded parameters):
    • grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
    • assertion: Provide the JWT token created in Step 4.
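The Step 4 assertion and the Step 5 request body carried through in code, as an added example that is not code from the original post. It assumes the Python cryptography package; a throwaway RSA key generated in-process stands in for server.key (the real file would be read with serialization.load_pem_private_key), and CONSUMER_KEY_PLACEHOLDER and the username are constructed values.

```python
import base64, json, time
from urllib.parse import urlencode
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT segments require (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_assertion(private_key, consumer_key, username, now=None,
                    aud="https://login.salesforce.com"):
    """Step 4: header.payload.signature, signed RS256 with the app certificate's private key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256"}
    claims = {"iss": consumer_key, "sub": username, "aud": aud, "exp": now + 120}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)

def verify_assertion(public_key, assertion, now=None):
    """The checks the token endpoint applies: RS256 signature, then exp. Claims or None."""
    head, body, sig = assertion.split(".")
    try:
        public_key.verify(b64url_decode(sig), f"{head}.{body}".encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return None
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    return claims if claims["exp"] >= now else None

def token_request_body(assertion):
    """Step 5: the form body POSTed to https://login.salesforce.com/services/oauth2/token."""
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "assertion": assertion})

def demo(now=1_700_000_000):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # stand-in for server.key
    jwt = build_assertion(key, "CONSUMER_KEY_PLACEHOLDER", "integration.user@example.com", now)
    head, body, sig = jwt.split(".")
    # Same signature over an edited payload (sub changed): the endpoint must reject it
    forged = ".".join([head, b64url(b64url_decode(body).replace(b"integration", b"admin")), sig])
    pub = key.public_key()
    return (verify_assertion(pub, jwt, now), verify_assertion(pub, forged, now),
            verify_assertion(pub, jwt, now + 121), token_request_body(jwt))
```

demo() returns the accepted claims, None for the tampered assertion, None for the expired one, and the encoded POST body.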

Step 6: Obtain Access Token via Apex

A JSON Web Token (JWT) is divided into three parts: Header, Payload, and Signature. Here’s a breakdown of each:

1. Header

The Header contains metadata about the token, such as the algorithm used for signing and the token type. Typically, it looks like this:

{
  "alg": "HS256",
  "typ": "JWT"
}
  • alg: Specifies the algorithm for signing the token, e.g., HS256 (HMAC with SHA-256).
  • typ: Indicates the type of token, usually JWT.

2. Payload

The Payload carries the actual data that needs to be verified or shared. This section can include information like usernames, roles, or any other claims relevant to authentication or authorization. For example:

{
  "username": "test@test.com",
  "password": "testpassword"
}
  • The Payload is often called the “claims” section because it contains statements about an entity (e.g., a user) and additional metadata. Note that it is only base64url-encoded, not encrypted: anything placed in it, such as the password above, is readable by anyone who obtains the token.

3. Signature

The Signature is produced by running HMAC-SHA256 (for HS256) over the base64url-encoded Header and Payload joined with a dot, using the secret key provided by the third-party system. The resulting MAC is then base64url-encoded and appended as the third segment of the token.

Below is the Apex code that can be used to generate the token:

// base64url per RFC 7515: '+' -> '-', '/' -> '_', and no '=' padding
public String base64URLencode(Blob input) {
    String output = EncodingUtil.base64Encode(input);
    output = output.replace('+', '-');
    output = output.replace('/', '_');
    while (output.endsWith('=')) {
        output = output.substring(0, output.length() - 1);
    }
    return output;
}

String header = '{"alg":"HS256","typ":"JWT"}';
String payload = '{"username":"test@test.com","password":"testpassword"}';
// Signing input: base64url(header) + '.' + base64url(payload)
String jwt = base64URLencode(Blob.valueOf(header)) + '.' + base64URLencode(Blob.valueOf(payload));

// HS256: HMAC-SHA256 over the signing input with the shared secret
Blob key = Blob.valueOf('secret key provided');
Blob signature = Crypto.generateMac('hmacSHA256', Blob.valueOf(jwt), key);

// Final token: header.payload.signature
System.debug('final data --> ' + jwt + '.' + base64URLencode(signature));

Summary

You have successfully set up OpenSSL, created an SSL certificate, configured a Salesforce-connected app, and generated a JWT token for authentication. Use Postman to validate and obtain access tokens for further integration.
