Update to Integration Certificate Expiration

Expert

Based on customer feedback and to allow admins additional time to transition to new integration clients, Anaplan will be issuing a new Anaplan certificate on December 8, 2018. You will need to take action based on the integration client and authentication method you are using:

Integration Client
Authentication 
Action Required?
Anaplan Connect 1.3.3.5 or lower Anaplan Certificate Yes
Anaplan Connect 1.4 CA Certificate No
Informatica Anaplan Connector Anaplan Certificate Yes
Informatica Anaplan Connector CA Certificate No
Mulesoft 2.x CA Certificate No
SnapLogic 1.x Anaplan Certificate Yes
Boomi x.x Basic Authentication No
Tableau 1.0 Anaplan Certificate  Yes
Any client Basic Authentication No

If your integration client and authentication method has a "Yes" in the "Action Required" column, then you must take action on December 8 to prevent disruption to your integrations.

By December 8, 2018 you have two options:

  • Continue using your existing client (e.g. Anaplan Connect 1.3.3.5) by downloading a new certificate on December 8, 2018
  • Use a client that supports CA certificates (e.g. Anaplan Connect 1.4) by implementing this before December 8, 2018

Anaplan is extending the deadline to migrate to Certificate Authority (CA) certificates to December 2019. In order to support this, on December 8, 2018, Anaplan will update our production certificate. This will replace validation for Anaplan certificates and existing Anaplan certificates will cease to work once this certificate has been issued.

This new certificate is intended to be used for existing clients on the legacy certificate authentication (such as Anaplan Connect 1.3.3.5). This certificate will not work on clients using the CA certificates (such as Anaplan Connect 1.4). 

Although customers will now have two options to choose from, Anaplan recommends that customers update their integration clients to a version that supports Certificate Authentication 2.0 which uses a CA certificate.

Note that web login, web SSO, and basic authentication to integrations are not impacted by this event.

Why is this change happening?

The current Anaplan certificate used by some customers for their integrations is set to expire in December. Customers who are impacted have been updating their clients to use CA certificates. However, we have received feedback that customers need more time to complete these updates and wanted to continue to use their existing clients. In order to support the existing clients, Anaplan will be issuing a new certificate on December 8, 2018 which can be used for certificate authentication. The benefit of this option is that customers can continue to use their existing clients and will have more time to update their clients to use CA certificates after December 2018.

What is the impact on customers?

If you are using basic authentication (username and password) to authenticate to Anaplan Integrations:

Basic authentication does not use a certificate, meaning the certificate expiration doesn't impact you. You can continue to use whatever integration client that you are using today.

If you have already transitioned to a new integration client:

Customers who have already implemented a new integration client (such as Anaplan Connect 1.4 or Informatica Anaplan Connector) can avoid the impact of the certificate expiration by using Certificate Authentication 2.0 or basic authentication. These clients support this new type of authentication which requires customers to provide their own Certificate Authority (CA) certificate. This is the recommended route for customers as Certificate Authentication 2.0 is the expected and future method for using certificate authentications with Anaplan integration clients. As you will be using your own provided CA certificate, you are not impacted by the Anaplan-issued certificate expiration and cannot use the new Anaplan-issued certificate. However, you must implement before December 8, 2018.

If you are still on a legacy client:

You should download new certificate on December 8, 2018 and apply it to your integration client. Only after you download a new certificate and update your integration client will your integration continue to function. You can obtain this new certificate by generating it from the My Account page starting on December 8, 2018, following the planned maintenance window. You'll also be able to download additional certificates after this date.

To obtain a new certificate:

  1. Anaplan has a planned maintenance window on December 8, 2018. After this window is complete, you can obtain a new certificate.
  2. Login to Anaplan on December 8, 2018.
  3. Navigate to My Account > Certificates tab and download the new Anaplan Certificate.  For more information, see Certificates in Anapedia.
  4. Replace your existing Anaplan Certificate with the new one in your Integrations
    1. Copy new Certificate to the location where your Integration client needs it to be present (for example, the folder on server where Anaplan Connect is installed).
    2. Modify your Integration scripts or connection settings to point to the new Certificate file

Your Integrations will run after making above changes. Every integration client will have different steps to apply a certificate.

Note: Some new integration clients, like Informatica Anaplan Connector, support both certificate authentication methods. If you use Informatica to integrate with Anaplan using certificates and are unable to switch to using a CA certificate at this time, you can obtain a new Anaplan-issued certificate on December 8, 2018, and use that with your Informatica integration.

Which authentication method does an integration client support?

This change only impacts certificate authentication with integration clients. Logging in to Anaplan via the web with standard login or SSO is not impacted. Integration authentication with basic authentication is also not impacted. The CA certificate that customers provide for Certificate Authentication 2.0 is not compatible with Certificate Authentication 1.0.

What is important is what version your integration client supports.

Integration Client
Basic Auth.
Certificate Auth. 1.0 (Anaplan certs)
Certificate Auth. 2.0 (CA certs)
Note
Anaplan Connect 1.3.3.5 X X    
Anaplan Connect 1.4 X   X  
Informatica Anaplan Connector X X X  
Mulesoft 2.0.1 X   X  
Boomi 1.x X     This version of the client never supported certificate authentication
Boomi 2.x X   X Boomi has informed Anaplan that this is scheduled for Q1 2019
SnapLogic 1.x X X    
SnapLogic 2.x X   X Snaplogic has informed Anaplan that this is scheduled for Nov 10
Tableau 1.x X X    
Tableau 2.x X   X This has not yet been released
Workiva X     Workiva has confirmed that existing Anaplan integrations are not impacted
Docusign Integration N/A N/A N/A Docusign integration is not impacted

Note: Consult individual user guides for any additional steps required to implement CA authentication with an individual connector.

  • If your integration client supports Certificate Authentication 1.0, then you can use this client with the new certificate that will be available on December 8.
  • If your integration client supports Certificate Authentication 2.0, then you can use this client with a CA certificate that you will provide.

How do I apply the certificate issued on December 8?

Assuming that you are using a supported integration client, complete the following steps on December 8:

  1. Log in to Anaplan and go to the My Account page
  2. Click on the Certificates tab, then click the Create new Certificate button. This procedure is documented in Anapedia.
  3. Once you have the certificate, apply it to your integration client. Instructions for applying them are different for every client

What if I'm using a custom integration client?

  • If you have developed your own integration client to Anaplan or are using a custom integration client developed by a partner or system integrator, the impact depends on what API version was used to develop your connector. If you are using basic authentication to authenticate to Anaplan via integrations, you're not impacted. 
  • If your custom integration client was developed using API 1.3 and you authenticate with Anaplan certificates, you can download the new certificate on December 8 if you wish to continue using this integration client with certificate authentication. If you want to use a CA certificate, you need to update your custom client to use API 2.0.
  • If your custom integration client was developed using API 2.0 and you authenticate with CA certificates, you'll be unable to use the new Anaplan-issued certificate on December 8, 2018. You are already using a CA-issued certificate as API 2.0 only supports certificates issued by a CA.

More information about API 2.0 can be found here: https://anaplanbulkapi20.docs.apiary.io/#

How long will this new Certificate Authentication 1.0 certificate last?

The new certificates issued on December 8, 2018 will expire after 1 year. However, the expectation is that you will use this time period to migrate to Certificate Authentication 2.0 as soon as you can. We are issuing this new 1.0 certificate in order to give customers the time to make the switch - all new development will be based on Certificate Authentication 2.0.

For example, Anaplan has recently released an API as part of the new Audit feature. This API has only ever supported Certificate Authentication 2.0.

What if I have more questions?

Review our Certificate Expiration FAQs.

Questions, Comments, or Concerns?

Do you have feedback or questions on the “Update to Integration Certificate Expiration” blog post?  Share your thoughts on our Anaplan generated Certificates to expire Dec 10, 2018 Community thread

1 Comment
Occasional Contributor

Great summary, Chanaveer.  Concise and informative.