Anaplan Connect : SSL handshake error

Anaplan API: Basic Authentication failed! (Retryable: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target executing POST https://auth.anaplan.com/token/authenticate (SSL handshake: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (Validator: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (Sun cert path builder: unable to find valid certification path to requested target))))

 

Solution for SSL handshake error 

 

How to Add Anaplan’s Domain Certificates to your Java TrustStore:

 

 

Get the Certificate for Anaplan’s Domains:

Typically, whitelisted a domain, or adding a domain to your “exception” list within your network security or firewall settings will automatically add the domain’s certificate to your internal Java TrustStore/KeyStore.
However, there is a chance that this needs to be done manually by using both OpenSSL and the Keytool within Windows to find the root certificate and add it to the Java TrustStore.
 

Get Root Certificate for “api.anaplan.com”:

Determine the root CA cert:
OpenSSL Command: s_client -showcerts -connect api.anaplan.com:443
The root certificate that we will need to copy is the first certificate string returned in Command Prompt console.

 


Copy and Paste the Root certificate for “api.anaplan.com” into your text editor.
Starting at the “----BEGIN CERTIFICATE----” and going to the end of “----END CERTIFICATE----“, highlight the text and right-click -> Copy, or press “CTRL + C”
Open your text editing program and right-click -> Paste, or “CTRL + V” to paste the certificate string into a new text document.
Save the new text document as “Anaplan_API.pem”
 

 

Get Root Certificate for “auth.anaplan.com”:

Determine the root CA cert:
OpenSSL Command: s_client -showcerts -connect auth.anaplan.com:443
The root certificate that we will need to copy is the first certificate string returned in Command Prompt console.

 


Copy and Paste the Root certificate for “api.anaplan.com” into your text editor.
Starting at the “----BEGIN CERTIFICATE----” and going to the end of “----END CERTIFICATE----“, highlight the text and right-click -> Copy, or press “CTRL + C”
Open your text editing program and right-click -> Paste, or “CTRL + V” to paste the certificate string into a new text document.
Save the new text document as “Anaplan_Auth.pem”
 

 

Import the Anaplan Domain Certificates into the Java TrustStore:

In the following steps, we will now add the downloaded certificate files into your machine’s Java TrustStore so that all traffic going through your Java installation will trust the Anaplan domains and allow for a successful connection (SSL Handshake).
 

Import “api.anaplan.com” Certificate into the Java TrustStore:

Open a new instance of Command Prompt as an Administrator
Determine the path to your Java JRE installation
If you have installed the JDK version of Java, be sure to find the path to the JRE folder as this contains the “cacerts” file that we will be importing to.
Typical locations of Java JRE are:
      “C:\Program Files\Java\jre_1.8.0_xxx”
      Or, “C:\Program Files (x86)\Java\jre_1.8.0_xxx”
Run the following command in your Command Prompt window:
keytool -import -keystore "C:\Program Files\Java\jre_1.8.0_xxx\lib\security\cacerts" -alias AnaplanAPIcert -file "C:\path-to-cert-file\Anaplan_API.pem"
      Be sure to replace the items in red with your specific folder path for each
You will be prompted for the Java TrustStore Password:
The default password is: changeit
You will then be prompted with the following input question:
Trust this certificate? [no]:
      Type the letter y
      Press Enter
If successful, you will see the message below in your Command Prompt Window:
Certificate was added to keystore
Continue on to the next step where we will import the “auth.anaplan.com” certificate.
 

Import “auth.anaplan.com” Certificate into the Java TrustStore:

Run the following command in your Command Prompt window:
keytool -import -keystore "C:\Program Files\Java\jre_1.8.0_xxx\lib\security\cacerts" -alias AnaplanAuthcert -file "C:\path-to-cert-file\Anaplan_Auth.pem"
      Be sure to replace the items in red with your specific folder path for each
You will be prompted for the Java TrustStore Password:
The default password is: changeit
You will then be prompted with the following input question:
Trust this certificate? [no]:
      Type the letter y
      Press Enter
If successful, you will see the message below in your Command Prompt Window:
Certificate was added to keystore
 

 

Test Your Anaplan Connect Script to Confirm SSL Handshake Succeeds:

Run your Anaplan Connect script to verify that the newly added certificates are properly trusted by Java and allow for communication (SSL Handshake) to the Anaplan server.
If you are still receiving an error, review the steps taken to import the certificates into the Java TrustStore and reach out to your internal IT team for assistance.
If the issue cannot be resolved by your internal IT team, you may reach out to Support@anaplan.com for additional guidance, however, please note that Java TrustStore troubleshooting falls outside of Anaplan Support’s scope.

 

Best Answer

Answers