Timeout error while CA Certificate Authentication for file Import.

Dear Expert ,

I am trying to Import Data into Anaplan via Anaplan Connect Script. I am trying to Import with Certificate based authentication in Script but getting time out error as shown below. Could you please help me with the solution to deal with .Is there any ways to see the error log??

Script :

@Echo off

rem For Windows OS : This example explains the usage of Certificate Authentication with privateKey with Anaplan Connect.

rem It also loads a source text file and runs an Anaplan import into a module.

rem For details of how to configure this script visit https://help.anaplan.com/anapedia/Content/Downloads/DL_Downloads.html

set CertPath="C:\Anaplan\PubCert1.pem"

set PrivateKey="C:\Anaplan\PRVTKEY.pem:XYZ"

set WorkspaceId="8a81b00f706eee3a01XXXXXXXX"

set ModelId="285CD8FB662648F9824XXXXXXXXXX"

set ServiceUrl="https://api.anaplan.com"

set AuthUrl="https://auth.anaplan.com"

set FileName="TeXXXST.csv"

set FilePath="C:\Anaplan\anaplan-connect-1.4.4\anaplan-connect\TeXXXST.csv"

set ImportName="Z_Dat_Int_TST_PRC"

set DumpName="Client Location for Dumping the Errored data from Import"

set Chunksize=1

set Operation=-debug -service %ServiceUrl% -auth %AuthUrl% -workspace %WorkspaceId% -model %ModelId% -chunksize %Chunksize% -file %FileName% -put %FilePath% -import %ImportName% -execute -output %DumpName%

set Credentials=-certificate %CertPath% -pkey %PrivateKey%

rem *** End of settings - Do not edit below this line ***

setlocal enableextensions enabledelayedexpansion || exit /b 1

cd %~dp0

set Command=.\AnaplanClient.bat %Credentials% %Operation%

@Echo %Command%

cmd /c %Command%

pause

Appreciate your guidance!

Warm Regards

Deep

Accepted answers

All comments

JaredDolich

@Deepu

Adding data integration pros @MarkWarren @ben_speight @DaanishSoomar

DaanishSoomar

Thanks @JaredDolich!

Hi @Deepu - let’s try to narrow this down a bit further. Going to ask some questions which can help isolate the root cause.

1) Is this the 1st time you have experienced this issue?

2) Have you run a script successfully in the past?

3) Does your network run through a proxy? Can you try running this script on a different network?

4) Can you please check with your internal IT team: if they can whitelist the following domains?
https://community.anaplan.com/t5/Common-Support-Questions/Domain-and-IP-Whitelisting/ta-p/58738

5) Has the user associated with the Certificate been added to the model as a non-SSO workspace administrator?

6) Does the script work with basic authentication?

Deepu

Hi ,

Thanks @JaredDolich!

Dear Dsoomar - Please find my Answer in Bold.

1) Is this the 1st time you have experienced this issue? - Yes ,

2) Have you run a script successfully in the past? - No, First time checking outside the client network to avoid firewall restriction. Within Client Network it will not work since White listing not done for Api/Auth and Proxy also not setup for same

3) Does your network run through a proxy? Can you try running this script on a different network? - Yes , I am trying to run the Script from outside the Client network to avoid any proxy and restriction.

4) Can you please check with your internal IT team: if they can whitelist the following domains? - Yes , I did and Requested the Client to White list the API/AUTH.Anaplan.com , But they are not agree to whitelist due to their security policy.
https://community.anaplan.com/t5/Common-Support-Questions/Domain-and-IP-Whitelisting/ta-p/58738

5) Has the user associated with the Certificate been added to the model as a non-SSO workspace administrator? Yes , User is added to model as SSO enabled user with proper Authorization for Model and Workspace.

6) Does the script work with basic authentication? NO , Client not ready to provide the Basic Authentication for the User in Anaplan , that is why we are using S/MIME Certificate based Authentication with unencrypted private key.

Hope for your kind Guidance/support on subjected matter.

Warm Regards

Deep

ben_speight

I don't think this is specific to the authentication method - it looks like the API request gave up after about a minute. If something else is happening with that model (eg open/save/import/export) that takes longer then the request can time out. You can adjust the retry timeout (-rt) and max retry count (-mrc); I think the maximum timeout is the default (a minute) but the default count can be increased from the default (and minimum) 3 up to 15 which may help.

DaanishSoomar

Hi @Deepu -

Thanks for the responses. These certainly help narrow down the issue further.

Some clarifying questions which will then help determine your next steps:

1) The error message which you posted, is that error also occurring when you run the script outside of the client network? The account tied to running the script will need to be configured to be a non-SSO workspace administrator. Without this, the script will not be able to authenticate. I know from back when I was at Anaplan, there were conversations about SSO authentication eventually being a feature that would be released down the road, I am not sure where the Product team is on that, barring that a non-SSO Workspace Administrator account is a requirement to authenticate with Anaplan Connect.

2) If you need to run this script on the client network eventually, you will need to whitelist domains and open port 443 to enable the connection to be established properly. I know there are some additional operators that you can use to point your script to run through the proxy, here's a good reference. Though I believe you will still be required to whitelist domains prior to avoid interference with the firewall/proxy.

This can be a sensitive area I know with IT teams and security policies, do you have a point of contact such as an Anaplan Business Partner? They typically have contacts within the client organization that can help assist in these difficult conversations.

@eric_paulsen - do you know if your team can assist here? I believe this may be a potential conversation that would need to occur as without whitelisting, we may be at a roadblock. I remember we dealt with clients in the past who had strict security policies, do you recall the steps we took for them? Any other ideas?

Let me know if you have any further questions.

DaanishSoomar

If this does not help, perhaps @Deepu you could open a Support ticket by emailing support@anaplan.com. @eric_paulsen and his team can assist by taking a look at details tied to the account, credentials, and error logs on the backend.

Orangutangle

Download the Securly Certificate CRT file.
Navigate to Finder > Applications > Utilities > Keychain Access.
Select "System" in the left-hand column.
Open 'File > Import Items' and import the certificate file into the "System" keychain.

Deepu

Hi Dsoomar ,

The account tied to running the script will need to be configured to be a non-SSO workspace administrator. -- Does it mean my Credential should not be SSO enabled? Basic Authentication client is not willing to provider for Anaplan Model/workspace.

While I am running the Script out side the Client Environment , Below Shown error I am getting .

Kindly Advice , Thank you in advance for your kind Advice and Guidance so far!

thanks & Regards

Deep

DaanishSoomar

Hi @Deepu,

Yes that is correct. In order for you to run data integrations, the account associated with the certificate needs to be marked as a non-SSO Workspace administrator.

At this point, I would recommend reaching out to support@anaplan.com and they can connect you with the client’s Business Partner. The issue I am afraid is equally technical as it is non-technical meaning you probably are going to be working with your client from a relationship and security perspective both. Since I do not work for Anaplan I do not believe I am the right person to advise on how to handle the particular client situation but the Business Partner will.

Hopefully I was able to help provide insight into the underlying technical reason. If it offers any comfort at all, the Certificate user should not be logging into the model through frontdoor the sole purpose of this account should be to run Integrations.

Deepu

Hi Dsoomar ,

I checked in Anaplan Connect Guide where they have mentioned as "If the actions you want Anaplan Connect to run are for models in a workspace using single sign-on, we
recommend using Certificate Authority (CA) Authentication"

So my Point here is yes we are using SSO User Id and that is reason we are doing CA Certificate based Authentication in Script . But still its not able to Authenticate. Does it means User Should not be SSO enabled even in case if we are using Certificate based Authentication . And also can you please tell me how Basic Authentication is different from Certificate based Authentication i means Does both the Id must be NO SSO enabled?

DaanishSoomar

Hi Deepu,

I just reached out to the colleague of mine @JonFerneau who helped write the CA Cert guide- with regards to your question, this was the response I received as you raised a valid question.

“You only need to be non-SSO workspace admin when you’re dealing with cross workspace actions. It wouldn’t hold true in this particular scenario. The issue with timeout is either a restricted network or not trusting Anaplan’s security cert. Since this is being run outside of the client’s restricted network, it is more likely that the computer it is running on does not trust Anaplan’s security cert.

The latest post on the Community should help to clear up the timeout issue.”

the post from @ben_speight

Orangutangle

I'm happy to see the issue is now solved. Thank you for updating us with the outcome.

My Indigo Card

Quick Links

Can you help?

Unanswered questions

Create a Filter to show all the elements of that level based on selection in hierarchy
Hello Community members, Requirement Details: I have 5 levels of composite hierarchy list (A1, A2, A3, A4, A5). I have published a module in UX, Now the requirement is If user select a list member from A4 level in the context selector or Custom Filter I have to display all the list members under that A4 level. How can I…
import monthly data with months in columns
is there a way to import data with months in columns (usual excel table view)? I have to transform the data so there are rows to cover each period in the upload data form, but I am wondering if there is a better way to just import the data as is with the months in the columns. please let me know what you think. thank you,
Cloudworks Big Query Integration Fail
Hello, I am receiving an 'Anaplan Upload Failed' Status Description when testing my integration with a Big Query dataset. The integration imports data from BQ to our Anaplan model. No other details given in the error log. I suspect that Cloudworks is not even picking up the file but am not sure what we did wrong on the set…