The new Anaplan APIs and integration connectors leverage Certificate Authority (CA) issued certificates. These certificates can be obtained through your company's intermediary CA (typically issued by the IT or Security group) or by purchasing one from a trusted Certificate Authority. Anaplan clients leveraging REST API v2.0 use both basic authentication and CA certificate-based authentication. Examples of these clients include Anaplan Connect 1.4.x, Informatica Anaplan Connector, and Mulesoft 2.0.1.
If you are migrating your Anaplan Connector scripts from v1.3.x to v1.4.x, your available options for authentication will be basic authentication or CA certificate-based authentication.
This article outlines steps to perform in preparation for CA certificate authentication.
You can obtain a certificate from a CA by submitting a request, or by submitting a request with a certificate signing request (CSR) containing your private key.
Contact your IT or Security Operations organization to determine if your company already has an existing relationship with a CA or intermediary CA.
The type of certificate needed is a TLS Web Client Authentication or an E-mail protection certificate. The OID can help your IT/Security team request the correct type of certificate. The OIDs for these types of certificate are:
This section presents steps to import the CA certificate into Internet Explorer and Mozilla Firefox. The CA certificate will be exported in the next section to either p12 or pfx format.
CA certificates may have .crt or .cer as file extensions.
Within Internet Explorer, click on the Settings icon and select Internet options.
Navigate to the Content tab and then click on Certificates.
Click Import to launch the Certificate Import Wizard.
Click Browse to find and select the CA certificate file. This file may have a file extension of .crt or .cer.
If a password was used when requesting the Certificate, enter it in this screen. Ensure that the “Mark this key as exportable” option is selected and click Next.
Select the certificate store in which to import the certificate and click Next.
Review the settings and click Finish.
The certificate should appear in the certificate store selected.
Within Firefox, select Options from the settings menu.
In the Options window, click Privacy & Security from the navigation pane on the left. Scroll to the very bottom and click on the View Certificates… button.
In the Certificate Manager, click the Import… button, select the certificate to convert, and click Open.
The certificate should now show up in the Certificate Manager.
This section presents steps to export the CA certificate from Internet Explorer (pfx) and Mozilla Firefox (p12).
Select the certificate imported above and click the Export… button to initiate the Certificate Export Wizard.
Select the option “Yes, export the private key” and click Next.
Select the option for Personal Information Exchange – PKCS #12 (.PFX) and click Next.
Create a password, enter it and confirm it in the following screen. This password will be used later on in the process. Click Next to continue.
Select a location to export the file and click Save.
Verify the file location and click Next.
Review the export settings and ensure that the Export Keys setting says “Yes”. If it does not, start the export over. If all looks good, click Next. A message will appear when the export is successful.
To export the certificate from Firefox, click the Backup… button in the Certificate Manager. Select a location and a name for the file. Ensure that the Save as type: is “PKCS12 Files (*.p12)”. Click the Save button to continue.
Enter a password to be used later when exporting the public and private keys. Click the OK button to finish.
If you haven't done so already, install the OpenSSL tool for your operating system. A list of third-party binary distributions may be found on www.openssl.org. Examples in this article are shown for the Windows platform.
Execute the following commands to extract the public and private keys from the file exported above. In the commands listed below, the values that are customer-specific are in Bold Italics. There is a screenshot at the end of this section that shows all of the commands run in sequence and how the passwords relate between the steps.
Examples in this article assume that the location of the certificate is the working directory. If you are executing these commands from a different directory (ex: ...\openssl\bin), ensure that you provide the absolute path to all the files.
The public key will be exported from the certificate (p12/pfx) using the OpenSSL tool. The result is a .pem (public_key.pem) file that will be imported into Anaplan using Anaplan's Tenant Administrator client.
NOTE: The command below will prompt for a password. This password was created in steps above during export.
openssl pkcs12 -clcerts -nokeys -in <path to p12/pfx file> -out <path to public key file>
Remove everything before -----BEGIN CERTIFICATE----- (section highlighted in yellow). Ensure that the emailAddress value is populated with the user that will run the integrations.
The private key can be exported in one of two ways: one that encrypts the private key and one that leaves the key unencrypted.
This command will prompt for a password. This password is the password created in the export above. It will not prompt for a password for the output file.
openssl pkcs12 -nocerts -in <path to p12/pfx file> -out <path to unencrypted private key file> -nodes
This command will prompt for a password. This password is the password created in the export above. It will then prompt for a new password for the private key. It will also ask to confirm that password.
openssl pkcs12 -nocerts -in <path to p12/pfx file> -out <path to encrypted private key file>
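Before uploading public_key.pem, it is worth confirming that the extracted files are what the steps above intend: a clean PEM certificate, the expected certificate type and emailAddress, and a private key that belongs to that certificate. The script below is an added example, not part of the original article or of Anaplan's tooling; it assumes a POSIX shell with openssl on the PATH (for example Git Bash or WSL on Windows), and its function names and file arguments are illustrative.

```shell
#!/usr/bin/env bash
# Pre-upload checks for the files produced by the openssl pkcs12 steps.
# Function names are illustrative; they are not part of Anaplan or OpenSSL.

# Keep only the PEM certificate, dropping the "Bag Attributes" text that
# openssl pkcs12 writes before -----BEGIN CERTIFICATE-----.
strip_bag_attributes() {  # usage: strip_bag_attributes <in.pem> <out.pem>
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2"
  head -n 1 "$2" | grep -q -e '-----BEGIN CERTIFICATE-----'
}

# Succeeds if the certificate carries one of the two usages the article names.
cert_has_required_eku() {  # usage: cert_has_required_eku <cert.pem>
  openssl x509 -in "$1" -noout -text |
    grep -Eiq 'TLS Web Client Authentication|E-mail Protection'
}

# Prints the e-mail address(es) found in the certificate, one per line.
cert_email() {  # usage: cert_email <cert.pem>
  openssl x509 -in "$1" -noout -email
}

# Succeeds if the private key and the certificate hold the same public key.
# For an encrypted key, pass an openssl password source (pass:, env:, file:).
key_matches_cert() {  # usage: key_matches_cert <cert.pem> <key.pem> [passin]
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout ${3:+-passin "$3"}) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs every check, prints one line per failure, returns non-zero on any failure.
check_before_upload() {  # usage: check_before_upload <cert.pem> <key.pem> <e-mail> [passin]
  local rc=0
  cert_has_required_eku "$1" || { echo "missing client-auth / e-mail EKU"; rc=1; }
  cert_email "$1" | grep -Fxiq -e "$3" || { echo "emailAddress is not $3"; rc=1; }
  key_matches_cert "$1" "$2" "${4:-}" || { echo "key does not match certificate"; rc=1; }
  return "$rc"
}

# Stand-alone use: script.sh <cert.pem> <key.pem> <integration user e-mail> [passin]
if [ "$#" -ge 3 ]; then check_before_upload "$@"; fi
```

Using env: or file: as the password source keeps the private key password out of the process list and shell history.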
When using the private key directly in an Anaplan Connect script, the file must be converted to PKCS8 format. The command below will convert that file.
openssl pkcs8 -inform PEM -in <path to encrypted private key file> -outform PEM -out <path to pkcs8 formatted private key file> -passout pass:<pkcs8 file password>
This command will prompt for the private key password from the step above. It will then prompt for a new password for the bundle. It will also ask to confirm that password.
openssl pkcs12 -export -in <path to public key file> -inkey <path to encrypted private key file> -out <path to bundle file> -name <alias name for the entry>
In the command above,
Using keytool (typically found in <Java8>/bin), create a .jks file. This file will be referenced in Anaplan Connect 1.4 scripts for authentication. The command below will prompt for a new password for the entry into the keystore. It will also ask to confirm that password. It will then prompt for the bundle password from the step above.
keytool -importkeystore -destkeystore <path to java keystore file> -srckeystore <path to bundle file> -srcstoretype PKCS12
In the command above:
In this step, you will add the public_key.pem file to the list of certificates in Anaplan Tenant Administrator. This file was created and edited in the first two steps of the last section.
Log on to Anaplan Tenant Administrator. Navigate to Administration --> Security --> Certificates --> Add Certificate.
Since you will be migrating to CA certificate-based authentication, you will need to upgrade your Anaplan Connect and associated scripts from v1.3.x to v1.4.x. The Community article, Migrating from Anaplan Connect 1.3.x.x to Anaplan Connect 1.4.x, will guide you through the necessary steps. Follow the steps outlined in the article to edit and execute your Anaplan Connect 1.4 script. The examples provided (Windows & Linux) at the end of the article will validate authentication to Anaplan using CA certificates.