Learn how to implement your specific CA certificate into your current data integration process for minimal downtime during the Anaplan Certificate to CA certificate transition period.
Step 1: Manage your CA certificate with Anaplan Administration
This is the first step in integrating your CA certificate. You need to upload the "Public Certificate.pem" file to the list of certificates in the Anaplan Tenant Administrator.
- As a user account with Tenant Admin access, log in to Anaplan .
- Use the menu to navigate to Administration > Security > Certificates
- Select "Add Certificate".
- Navigate to the folder where you've saved the previously edited "Public Certificate.pem" file that contains only one of the encoded strings between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" sections and select this file to upload.
- Once you've successfully uploaded your "Public Certificate.pem" file, you're ready to implement this CA certificate into your API process.
Certificate upload process returns an error message
If you receive the error "email should not be blank [null]" while uploading your "Public Certificate.pem" file, this is caused by an incorrect certificate being uploaded to Administration.
If you have multiple certificate strings in your "Public Certificate. pem" file during the "Edit Public Certificate.pem" steps, you may have used the incorrect encoded string.
To troubleshoot, test replacing the Encoded String in your "Public Certificate pem" file with one of the other Encoded Strings in the "Additional Certificate Strings.txt" file created earlier in our guide.
NOTE: In our experience, the correct certificate string is either the first string or last string in the initially extracted "Public Certificate.pem" file, depending on which CA Vendor provided your certificate.
If this does not resolve your issue then you may have acquired a certificate that is not of the "S/MIME" type (does not contain the email address attribute) and will therefore need to go through the Certificate Acquisition steps again to acquire an "S/MIME" certificate from a supported CA provider.
If you have received a different error message during the certificate upload process, please submit a case via our Support portal .
Step 2: Set up your API Integration to implement a CA certificate into Anaplan Connect v1.4 or higher
You have two options:
1. Add the "Public Certificate.pem" and "Private Key.pem" files directly into your scripts
Provide the -certificate and -privateKey operators in your scripts.
Encrypted key
Set the password at the end of the privatekey's file path.
Example: "C: \Anaplan_Connect\Certs\PrivateKey.pem:Passphrase"
Unencrypted key
There is no password to include with the key. However, you must keep the colon () delimiter at the end of the private key's file path.
The example script provided is setup to use an Unencrypted Private Key with the CA Certificate.
If you have implemented the correct CA Certificate, you will receive a success message when running the example script after setting the variables to reflect your Anaplan Workspace, Model, and Import Action.
If you would like to test authentication success without affecting any of your models, you can replace the "set Operation" line with the following example: set Operation=-debug -imports
Example Windows batch script:
@echo off
set CertPath»"C: Anaplan_Connect\Certs\Public Certificate.pem" set PrivateKey="C-VAnaplan_Connect\Certs\Private Key.pem:" set Workspaceld:"workspaceGUID* set Modelld="modelGUID* set ServiceUrishttps://api.anaplan.com*
set AuthUrl="https://auth.anaplan.com*
set FileNames"Employee.bd" set FilePath=*C:VAnaplan_ConnectVimports|Employee.txt* set ImportName»"New Hire from Employee.tet" set DumoNames®C-VAnaplan._Connect|Errors My Errors. txt" set Chunksize=15
set Operation=-debug -chunksize %Chunksize% -file %FileName% -put %FilePath% -import %ImportName% -execute
-output %DumpName%
set Credentials=-certificate %CertPath%-pkey %PrivateKey%
rem *** End of settings - Do not edit below this line ***
setlocal enableextensions enabledelayedexpansion | | exit /b 1
cd %~dp0
set Command=. AnaplanClient.bat %Credentials% -service %ServiceUrl% -auth %AuthUrl% -workspace %Workspaceld%-model %Modelld% %Operation% @echo %Command% cmd /c %Command% pause
2. Set up and use a Java KeyStore
Create a PKCS12 bundle called "keystore bundle.p12" from the CA Certificate & Private Key (Public Certificate.pem):
1. OpenSSL commands to create a Java keystore
Be sure to use a suitable keystore alias to uniquely identify the entry as this name is required for the -keystorealias operator within your script.
2. Enter the following command in your OpenSSL Command Prompt instance:
pcs12 -export -in "path to Public Certificate.pem" -inkey "path to encrypted Private Key.pem"-out "path to keystore_bundle.p12" -name KEYSTORE_ALIAS
Note: This command will prompt for the private key password. It will then prompt for a new password for the Bundle. It will also ask to confirm that password.
3. Add the following command to Java Keystore (jks):
keytool -importkeystore -destkeystore "path to Java KeyStore.jks" -srckeystore
Note: That command below will prompt for a new password for the entry into the keystore. It will also ask to confirm that password. It will then prompt for the bundle password from the step above.
keytool -importkeystore -destkeystore "path to Java KeyStore.jks" -srckeystore "path to keystore_bundle.p12" -srestoretype PKC512
KeyStore Wizard for Anaplan Connect:
Alternatively, you can use the KeyStore Wizard tool to create a Java Keystore: KeyStore Wizard
Note: The KeyStore Wizard tool is not supported by Anaplan. Anaplan does not assume any responsibility for issues arising from its download and use.
4. Once you have successfully built your Java KeyStore you can move on to implementing this into your Anaplan Connect scripts.
Use KeyStore with Anaplan Connect:
1. Use the Java KeyStore with Anaplan Connect by providing the -keystore, -keystorepass and keystorealias operators with the values used when building the KeyStore.
An example Windows batch import script with Certificate Authentication using a Java KeyStore is provided below.
2. If you have set up your Java KeyStore correctly and have implemented the correct CA Certificate, you will receive a success message when running the example script after setting the variables to reflect your Anaplan Workspace, Model, and Import Action.
If you would like to test authentication success without affecting any of your models, you can replace the "set Operation" line with the following example: set Operation=-debug -imports
Example Windows batch script
@echo off
set KeyStore="C: VAnaplan_Connect\ Certs Anaplan_Jntegrations_Keystore.jks"
set KeyStoreAlias="keystorealias"
set KeyStorePassword="keystorepass"
set Workspaceld="workspaceGUID"
set Modelld="modelGUID"
set ServiceUr|="https://api.anaplan.com"
set AuthUrl="https://auth.anaplan.com
set FileName="Employee.txt" set FilePath="C:VAnaplan_Connect\/mports\Employee.txt"
set ImportName="New Hire from Employee.txt"
set DumpName="C: VAnaplan_Connect\Errors \My Errors.txt"
set Chunksize=15
set Operation=-debug -chunksize %Chunksize%-file %FileName%-put %FilePath% -import %ImportName% -execute-output %DumpName%
set Credentials=-keystore %KeyStore% -keystorepass %KeyStorePassword% -keystoreallas %KeyStoreAllas%
rem *** End of settings - Do not edit below this line ***
setlocal enableextensions enabledelayedexpansion || exit /b 1
cd %~dpo
set Command=. \AnaplanClient.bat %Credentials% -service %ServiceUr1% -auth %AuthUrl% -workspace %Workspaceld%-model %Modelid% %Operation%
@echo %Command%
cmd /c %Command%
pause
Additional API/ETL tool resources
The following links will take you to information about how to implement your CA certificate into the tool of your choice: