Timeout error while CA Certificate Authentication for file Import.
Dear Expert ,
I am trying to Import Data into Anaplan via Anaplan Connect Script. I am trying to Import with Certificate based authentication in Script but getting time out error as shown below. Could you please help me with the solution to deal with .Is there any ways to see the error log??
Appreciate your guidance!
Adding data integration pros @MarkWarren @ben_speight @DaanishSoomar2
Hi @Deepu - let’s try to narrow this down a bit further. Going to ask some questions which can help isolate the root cause.
1) Is this the 1st time you have experienced this issue?
2) Have you run a script successfully in the past?
3) Does your network run through a proxy? Can you try running this script on a different network?
4) Can you please check with your internal IT team: if they can whitelist the following domains?
5) Has the user associated with the Certificate been added to the model as a non-SSO workspace administrator?
6) Does the script work with basic authentication?1
Dear Dsoomar - Please find my Answer in Bold.
1) Is this the 1st time you have experienced this issue? - Yes ,
2) Have you run a script successfully in the past? - No, First time checking outside the client network to avoid firewall restriction. Within Client Network it will not work since White listing not done for Api/Auth and Proxy also not setup for same
3) Does your network run through a proxy? Can you try running this script on a different network? - Yes , I am trying to run the Script from outside the Client network to avoid any proxy and restriction.
4) Can you please check with your internal IT team: if they can whitelist the following domains? - Yes , I did and Requested the Client to White list the API/AUTH.Anaplan.com , But they are not agree to whitelist due to their security policy.
5) Has the user associated with the Certificate been added to the model as a non-SSO workspace administrator? Yes , User is added to model as SSO enabled user with proper Authorization for Model and Workspace.
6) Does the script work with basic authentication? NO , Client not ready to provide the Basic Authentication for the User in Anaplan , that is why we are using S/MIME Certificate based Authentication with unencrypted private key.
Hope for your kind Guidance/support on subjected matter.
I don't think this is specific to the authentication method - it looks like the API request gave up after about a minute. If something else is happening with that model (eg open/save/import/export) that takes longer then the request can time out. You can adjust the retry timeout (-rt) and max retry count (-mrc); I think the maximum timeout is the default (a minute) but the default count can be increased from the default (and minimum) 3 up to 15 which may help.1
Hi @Deepu -
Thanks for the responses. These certainly help narrow down the issue further.
Some clarifying questions which will then help determine your next steps:
1) The error message which you posted, is that error also occurring when you run the script outside of the client network? The account tied to running the script will need to be configured to be a non-SSO workspace administrator. Without this, the script will not be able to authenticate. I know from back when I was at Anaplan, there were conversations about SSO authentication eventually being a feature that would be released down the road, I am not sure where the Product team is on that, barring that a non-SSO Workspace Administrator account is a requirement to authenticate with Anaplan Connect.
2) If you need to run this script on the client network eventually, you will need to whitelist domains and open port 443 to enable the connection to be established properly. I know there are some additional operators that you can use to point your script to run through the proxy, here's a good reference. Though I believe you will still be required to whitelist domains prior to avoid interference with the firewall/proxy.
This can be a sensitive area I know with IT teams and security policies, do you have a point of contact such as an Anaplan Business Partner? They typically have contacts within the client organization that can help assist in these difficult conversations.
@eric_paulsen - do you know if your team can assist here? I believe this may be a potential conversation that would need to occur as without whitelisting, we may be at a roadblock. I remember we dealt with clients in the past who had strict security policies, do you recall the steps we took for them? Any other ideas?
Let me know if you have any further questions.0
If this does not help, perhaps @Deepu you could open a Support ticket by emailing [email protected] @eric_paulsen and his team can assist by taking a look at details tied to the account, credentials, and error logs on the backend.0
- Download the Securly Certificate CRT file.
- Navigate to Finder > Applications > Utilities > Keychain Access.
- Select "System" in the left-hand column.
- Open 'File > Import Items' and import the certificate file into the "System" keychain.
Hi Dsoomar ,
The account tied to running the script will need to be configured to be a non-SSO workspace administrator. -- Does it mean my Credential should not be SSO enabled? Basic Authentication client is not willing to provider for Anaplan Model/workspace.
While I am running the Script out side the Client Environment , Below Shown error I am getting .
Kindly Advice , Thank you in advance for your kind Advice and Guidance so far!
thanks & Regards
Yes that is correct. In order for you to run data integrations, the account associated with the certificate needs to be marked as a non-SSO Workspace administrator.
At this point, I would recommend reaching out to [email protected] and they can connect you with the client’s Business Partner. The issue I am afraid is equally technical as it is non-technical meaning you probably are going to be working with your client from a relationship and security perspective both. Since I do not work for Anaplan I do not believe I am the right person to advise on how to handle the particular client situation but the Business Partner will.
Hopefully I was able to help provide insight into the underlying technical reason. If it offers any comfort at all, the Certificate user should not be logging into the model through frontdoor the sole purpose of this account should be to run Integrations.0
Hi Dsoomar ,
I checked in Anaplan Connect Guide where they have mentioned as "If the actions you want Anaplan Connect to run are for models in a workspace using single sign-on, we
recommend using Certificate Authority (CA) Authentication"
So my Point here is yes we are using SSO User Id and that is reason we are doing CA Certificate based Authentication in Script . But still its not able to Authenticate. Does it means User Should not be SSO enabled even in case if we are using Certificate based Authentication . And also can you please tell me how Basic Authentication is different from Certificate based Authentication i means Does both the Id must be NO SSO enabled?
I just reached out to the colleague of mine @JonFerneau who helped write the CA Cert guide- with regards to your question, this was the response I received as you raised a valid question.
“You only need to be non-SSO workspace admin when you’re dealing with cross workspace actions. It wouldn’t hold true in this particular scenario. The issue with timeout is either a restricted network or not trusting Anaplan’s security cert. Since this is being run outside of the client’s restricted network, it is more likely that the computer it is running on does not trust Anaplan’s security cert.
The latest post on the Community should help to clear up the timeout issue.”
the post from @ben_speight1
I'm happy to see the issue is now solved. Thank you for updating us with the outcome.0