Certificate Authorization Using the Anaplan API

This post summarizes steps to convert your security certificate to PEM format and test it in a cURL command with Anaplan. The current production API version is v1.3.

Using a certificate to authenticate will eliminate the need to update your script when you have to change your Anaplan password. To use a certificate for authentication with the API, it first has to be converted into a Base64 encoded string recognizable by Anaplan. Information on how to obtain a certificate can be found in Anapedia.

This article assumes that you already have a valid certificate tied to your user name.

Steps:

1. To convert your Anaplan certificate for use with the API, you first need OpenSSL (https://www.openssl.org/). Once you have it, convert the certificate to PEM format. The PEM format uses the header and footer lines “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.

2. If your certificate is not in PEM format, you can convert it to PEM using the following OpenSSL command, where “certificate-(certnumber).cer” is the name of the source certificate and “certtest.pem” is the name of the target PEM certificate.

openssl x509 -inform der -in certificate-(certnumber).cer -out certtest.pem

View the PEM file in a text editor. It should be a Base64 string starting with “-----BEGIN CERTIFICATE-----” and ending with “-----END CERTIFICATE-----”.

3. View the PEM file to find the CN (Common Name) using the following command:

openssl x509 -text -in certtest.pem

It should look something like "Subject: CN=(Anaplan login email)". Copy the Anaplan login email.

4. Use a Base64 encoder (e.g. https://www.base64encode.org/ ) to encode the CN and PEM string, separated by a colon. For example, paste this in:

(Anaplan login email):-----BEGIN CERTIFICATE-----(PEM certificate contents)-----END CERTIFICATE-----


5. You now have the encoded string necessary to authenticate API calls. For example, using cURL to GET a list of the Anaplan workspaces for the user that the certificate belongs to:

curl -H "Authorization: AnaplanCertificate (encoded string)" https://api.anaplan.com/1/3/workspaces
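
Steps 2 to 5 can be carried out entirely on the local machine, so the certificate never passes through an online encoder. The shell functions below are an added example, not part of the original article or Anaplan's own tooling; the function names and the anaplan.hdr file name are assumptions, and the PEM text is encoded with its line breaks exactly as openssl writes it.

```shell
# to_pem FILE: print the certificate as PEM, converting from DER if needed.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -outform pem
    else
        openssl x509 -inform der -in "$1" -outform pem
    fi
}

# cert_cn: read a PEM certificate on stdin, print the subject Common Name.
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p' | head -n 1
}

# auth_token CN PEMFILE: Base64 of "CN:<PEM text>", on a single line.
auth_token() {
    { printf '%s:' "$1"; cat "$2"; } | base64 | tr -d '\n'
}

# decode_token TOKEN: reverse the encoding to inspect what will be sent.
# Base64 is an encoding, not encryption: anyone holding the token can do this.
decode_token() {
    printf '%s' "$1" | base64 -d
}

# write_header_file CERT OUT: write the Authorization header to OUT,
# creating OUT under umask 077 so other users cannot read it.
write_header_file() {
    tmp=$(mktemp) || return 1
    to_pem "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cn=$(cert_cn < "$tmp")
    if [ -z "$cn" ]; then
        echo "no CN found in certificate subject" >&2
        rm -f "$tmp"
        return 1
    fi
    ( umask 077
      printf 'Authorization: AnaplanCertificate %s\n' \
          "$(auth_token "$cn" "$tmp")" > "$2" )
    rm -f "$tmp"
}

# Usage (file names are placeholders):
#   write_header_file certtest.pem anaplan.hdr
#   curl -H @anaplan.hdr https://api.anaplan.com/1/3/workspaces
```

Reading the header from a file with -H @file needs curl 7.55.0 or later and keeps the token out of shell history and the process list.
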
The content in this article has not been evaluated for all Anaplan implementations and may not be recommended for your specific situation.
Please consult your internal administrators prior to applying any of the ideas or steps in this article.
Comments

This is a great guide for implementing certificate-based authentication with our API. However, I would strongly advise using Python, or something similar, to decode and encode the certificate. This saves you plugging your certificate information into any online tool. I don’t trust that it isn’t cached anywhere, and if the site isn’t using TLS then you’re sending your credentials without any encryption.

 

import base64

import requests
from OpenSSL import crypto  # provided by the pyOpenSSL package


def cert_connect_string(cert_path):
    # Convert cer file to PEM
    # cmd="openssl x509 -inform der -in "+cert_path+" -out cert.pem"
    # os.popen(cmd)
    # Use of the pem file
    cert_file = cert_path
    with open(cert_file, "r") as my_cert_file:
        my_cert_text = my_cert_file.read()
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, my_cert_text)
    subject = cert.get_subject()
    issued_to = subject.CN    # the Common Name field
    issuer = cert.get_issuer()
    issued_by = issuer.CN
    # return my_cert_text
    connect_string = issued_to + ":" + my_cert_text
    return connect_string


def anaplan_cert_connect(cert_path):
    # return authentication_txt
    # b64encode takes and returns bytes, so encode first and decode for the header
    token = base64.b64encode(cert_connect_string(cert_path).encode("utf-8")).decode("ascii")
    headers = {'Authorization': 'AnaplanCertificate %s' % token}
    url = "https://api.anaplan.com/1/3/workspaces/"
    r = requests.get(url, headers=headers)
    return r.text