Anaplan issuing new certificate on Dec 8, 2018

Update (May 31, 2019)

Please see the Anaplan-Generated Certificates to Expire at the End of 2019 blog for more information.

Original message:

Based on customer feedback and to allow admins additional time to transition to new integration clients, Anaplan will be issuing a new Anaplan certificate on December 8, 2018. The current Anaplan certificate will stop working on December 8. You will need to take action based on your integration client and authentication. 

Please refer to the Update to Integration Certificate Expiration blog post and Certificate Expiration FAQs for more information.

Do you have questions about the new Anaplan-generated certificates? Share your thoughts below. Click the Reply button below to post.

Tagged:

Answers

  • Hi,

     

    Just wondering, if we revert back to Basic Authentication, can we store the username and password encrypted in a file and then pass the encrypted strings to Anaplan Connect, if so how it that done? I would also want to know, will these integration accounts have to change their passwords according to the current poilicies? If so, then Basic Authentication doesn't seem like a viable option for customers that do not have any CA based setup in place. 

  • Hi Upali, with Basic Auth, user name & password are saved in the Anaplan Connect integration batch file. We cannot encrypt the user name & password. If client is SSO enabled, they must identify an integration user ID & set it up as an Exception user. 

     

    More information is available at this link: https://community.anaplan.com/t5/Internal-Release-Notes/Anaplan-generated-Certificates-to-Expire-December-10-2018/ba-p/36175

     

     

  • Thanks Chanveer...

     

    One more thing, if the Integration user is set as an exception user and we are going to use Basic Authentication. Will we need to change the password from time to time?

  • We’re currently using Anaplan Connect as our integration into Anaplan, however are undertaking areas of work to move to the HTTP API.

     

    Is there any changes we have to do to use the CA-signed certificate for API authentication, or is it the same as current? I.e. convert .cer to .pem and base64 encode with a username to send as an auth header to the API?

  • Hi,

    I have about 20 connect scripts, that run daily (overnight), if i "Switch to Basic Authentication", i have to have my password visible in all these scripts, and also have to update them every time my password expires, which could cause stoppages or issues in process, and was the reason i changed to certificates in the first place.

     

    I looked at the "Upgrade to the latest API clients" but can find nothing on the website to explain things, and as far as i can see nobody on site has administration app access.

     

    Any advice please

     


  • Hi,

     

    With the changes to the Anaplan generated certificates, a number of customers have asked;

    Many thanks for your help

     

    R

  • Hi @UpaliKW, Yes, with Basic Auth, password needs to be reset every 3 months. Users can avoid this by moving to CA Certificates for Auth.

  • Hi @winstonquan, please refer to https://anaplanauthentication.docs.apiary.io/# for mechanism for API authentication using CA certificates.

  • Hi @winstonquan, please refer to https://anaplanauthentication.docs.apiary.io/# for mechanism for API authentication using CA certificates. We will release the v2.0 Integration APIs in near-term and you should find more information in the updated API user guide.

  • Hi @DeveloperCYT, we are planning to release an updated Anaplan Connect (AC) v1.4 in the near term. This provides support for CA certificates. You can migrate your AC 1.3.x.x integration scripts to AC 1.4 at your convenience. Please watch the Anaplan product releases page.

  • Thanks for this - do we have a hard date for the release or an initial view of the documentation?

    A 2 month deprecation timeline for such an important area is quick short for a enterprise application.
  • Hi @winstonquan, I believe your query is about Anaplan Connect (AC) v1.4 availability. We released it on yesterday, Sep 21st. Please refer to Anaplan blog posts. You can download AC v1.4 from Anaplan Community and start building integrations with CA certificates.

  • Hi Chanaveer, are we able to start connecting to the v2.0 HTTP APIs now given that v1.4 of Anaplan Connect is being distributed for customers and ready to use in production environments?

    If so, is there any documentation around the v2.0 HTTP APIs available now?
  • Hi @winstonquan, if you are looking to create custom integration by directly invoking REST APIs, please wait for Anaplan to release the v2.0 API & user guide. If you are interested in Anaplan Connect v.14, you can use it without needing to refer to the API guide. Thanks.

  • Thanks Chanaveer.

    Would you have timings for the REST API documentation to be released?
  • Hi,

     

    I have been able to get a certifcate and created a key_store file and was able to run imports into Anaplan using AC1.4. However, just wondering, is there a way to not show the key_store password in the batch file? The password is visible in plain text.

  • Hi @UpaliKW, the keystore alias & password must be saved in the script file. This allows AC 1.4 to extract the Private Key & Public Certificate. Alias & password are standard features on JAVA keystores.

     

    Customer must install AC 1.4 & its Integration scripts on a secure server & limit access to that server.

  • Hi,

     

    to start with, could you list examples of valid Certificates? I don't mean the root authorities, but the actual certificate product? There seems to be quite big price spread, what should be considered when buying?

  • Hi Henri:

    You can begin by contacting your IT or Security Operations organization to determine if your company already has an existing relationship with a CA or intermediary CA.

    • If your organization has an existing relationship with a CA or Intermediate CA you can request a client certificate be issued for your integration user.
    • If your organization does not have an existing CA relationship, then you would need to contact an Intermediary CA which has one of the supported Root CA's digitally signing the Intermediary CA's certificate.

    As you noted, there are many categories of certificates that a CA offers(for example: SAN certificates, wildcard certificates, code-signing certificates, and others). You should request a client certificate only. The process for procuring the certificate may take a few weeks for some validation that the CA must perform. We recommend you allow time for the procurement process. Once the CA issues the certificate file, follow their documented steps for making this file available in your environment.

  • Hi,

    I try to be more precise with my questions. 

    Within client certificate providers there is quite big price spread. One provider also offers several types of client certificates. Does it matter which one I choose, or to be exact, recommend my customers to choose?
    I guess only the email address needs to be identified, but I couldn't find any info that explicitly stated that.

    So, is the email identification enough?

     

    Certi.JPG

     

     

  • Thanks for keeping us updated on the latest developments.  This very helpful for all of the clients we're supporting.

  • Hi Henri:  the Class 1 will probably work:  can you please confirm with the provider that their cert will meet each of the requirements documented under "Certificate Requirements" in this document https://help.anaplan.com/anapedia/Content/Administration_and_Security/Tenant_Administration/Security/ProcuringCACertificates.htm

     

    Thank you,

    Connie

  • Very helpful -- initally we got to the end of the process "saving to Open Tenant Admistration >> Administration >> Security >> Certificates >> Add Certificate, came to the realization we received a server certificate not a Client/Email Certificate.