Certificate authentication in Anaplan is a great way to ensure that your OneCloud Chains run smoothly without interruption from authentication errors due to various factors such as password resets and mandatory password updates. At OneCloud, just like you, we need to integrate with Anaplan and this guide will walk you through how we procured and configured our certificates.

📓 System Requirements

All of the command-line instructions in this guide are compatible with either Linux/Unix/macOS. This requires that you have the latest OpenSSL package installed. These requirements are only necessary if you are going to create your own CSR (Certificate Signing Request) and private key on Linux/Unix/macOS based systems.


Designated integration user(s) in Anaplan
You do not need to have an integration user (aka "service account"), but for every user that you want to use certificate authentication, you will need to go through this process. Please note that a designated service account is preferable so that the connection details are not tied to any given person.

Designated CA (Certificate Authority) that will sign the CSR (Certificate Signing Request)
You send your CSR to a CA and they will sign the request and return to you a valid certificate CA Signed certificate.

Anaplan References to Create a Certificate

Anaplan has provided the following references to assist with creating a certificate.

  1. How to Use Third-Party Certificates With Anaplan

  2. A Guide to CA Certificates in Anaplan Integrations

  3. Supported Root CA Certificates with Anaplan

The following steps compliment the previous references as well as provides additional steps to create the required Java Key Store (JKS). We will be using the computer's command-line interface to create your own CSR and private key.

Step #1 - Procure your CA Certificate from Sectigo

Navigate to Sectigo and purchase a Personal Authentication Certificate. The following link has been preconfigured to support Anaplan's certificate requirements:
URL: https://secure.trust-provider.com/products/!PlaceOrder?ap=Anaplan&product=506

  1. Under User Details, complete the fields to specify Email Address, Forename, Surname.

  2. Under Advanced Security Options, accept the pre-populated default values.

  3. Under Login Credentials, set a Username, and Password.

  4. Confirm the password.

  5. Click Place Order.

📓 Get a 3-year certificate

It is recommended that a 3-year certificate is purchased to streamline this process.

Once the certificate fee is paid, Sectigo sends an email to the specified email address with instructions to install the certificate to either Firefox or Internet Explorer. In the email, there will be a URL link (see sample below). Ensure that this link is opened in either Firefox or Internet Explorer.

📓 .p12 vs pfx files

Certificates can be exported from Firefox or Internet Explorer. When exported from Firefox, the certificate will be in a ".p12" format versus exporting from Internet Explorer, it will be in a ".pfx" format.

Once this step is complete, proceed to Step #2.

Step #2 - Extract the Sectigo Certificate to a .p12 format

These instructions use Firefox to export the newly installed certificate in .p12 format.

  1. Navigate to Tools > Options > Privacy & Security (alternatively, on a macOS Firefox > Preferences > Privacy & Security)

  2. Scroll down to Certificates and click View Certificates

  3. Click the Your Certificates tab

  4. Select your certificate

  5. Click Backup and save your certificate as a memorable name in PKCS12 Files format.

  6. Define a password for the private key. For additional instructions for both Firefox and Internet Explorer, please see Anaplan's helpful guide.

  7. With the certificate in a .p12 format, proceed to Step #3.

Step #3 - Extract the certificate

  1. If using macOS or Linux, open a terminal window and navigate to the directory where the certificate in the .p12 format was downloaded and saved.Open SSLIf using a Windows system, please install OpenSSL to complete the following steps.

  2. Extract the certificate with the following syntax. Be sure to replace the - PATH TO EXPORTED P12 FILE - with the name of the saved certificate. Note: this step will require the password that was established in the last step.

  3. When prompted, enter the password for the certificate

  4. Confirm the certificate was extracted by verifying the client_certificate.pem file is located in the output directory.

Extract Public Certificate - Linux/Unix

openssl pkcs12 -in <PATH TO EXPORTED P12 FILE> -nokeys -out client_certificates.pem

Windows requires the paths to the input (.p12) and output (.pem) files to be surrounded by double quotes ("). The sample Windows syntax is below.

Extract Public Certificate - Windows

openssl pkcs12 -in "<PATH TO EXPORTED P12 FILE>" -nokeys -out "<PATH TO .PEM FILE>\client_certificates.pem

Step #4 - Isolate the Public Certificate

The client_certificates.pem file created in the previous step contains three certificates:

  1. Root certificate

  2. Intermediate certificate

  3. Public certificate.

To Isolate the Public Certificate follow these steps:

  1. Open the client_certificate.pem file in a text editor (not rich text editor like Microsoft Word)

  2. Delete the first two certificates (the Root and Intermediate certificate) by scrolling down to the third instance of "-----BEGIN CERTIFICATE----- " and removing all text above that entry. NOTE: Do not remove the certificate content between the "-----BEGIN CERTIFICATE----- " or after "-----END CERTIFICATE-----".

  3. Save the file as ca_certificate.pem. This file will be uploaded to Anaplan by the Tenant Administrator.

📓 ca_certificate.pem

The ca_certificate.pem file will be used in Step 6 that follows below. Be sure to make a note of the fully qualified path to this file.

To register your Certificate follow the Anaplan Documentation on how to manage your Certificate.

Step #5 - Create a Private Key

Create a private key to be used in combination with the public certificate created in the previous two steps. Note: this step will require the password that was established in step #2.

From the terminal window or using OpenSSL, execute the following command. Be sure to replace them with the name of the saved certificate. Note: this step will require the password that was established in step #2.

Create an Unencrypted Private Key - Linux/Unix

openssl pkcs12 -in <PATH TO EXPORTED P12 FILE> -nocerts -out private_key.pem -nodes

Create an Unencrypted Private Key - Windows

openssl pkcs12 -in "<PATH TO EXPORTED P12 FILE>" -nocerts -out "<PATH to PRIVATE KEY>\private_key.pem" -nodes

📓 private_key.pem

The private_key.pem file will be used in Step 6 that follows below. Be sure to make a note of the fully qualified path to this file.

Step #6 - Create a Java Key Store

A Java Key Store (JKS) needs to be created to house the private key. The JKS is created by using the public key, ca_certificate.pem, created in step #4 and the private key, private_key.pem, created in step #5. Run the following commands to create your keystore file.

📓 Remember your inputs!

When running the following command, you will be prompted for a password. Make sure you keep this password safe and in a place that you can refer back to it. If you forget your password, you will need to repeat these steps. Also, be sure to remember the alias you set. Replace your_alias with an alias that you will remember and also keep it in a safe place! You will need both the password created and the alias to use this certificate and keystore in OneCloud.

The first step is to create a keystore bundle in the .p12 format. Please provide an alias denoted by <PROVIDE ALIAS>. Note: this step will require establishing and verifying a new password for the keystore bundle.

Create a keystore in the P12 format - Linux/Unix

openssl pkcs12 -export -in ca_certificate.pem -inkey private_key.pem -out keystore_bundle.p12 -name <PROVIDE ALIAS> -CAfile ca_certificate.pem -caname root

Create a keystore in the P12 format - Windows

openssl pkcs12 -export -in "<PATH>\ca_certificate.pem" -inkey "<PATH>\private_key.pem" -out "<PATH>\keystore_bundle.p12" -name <PROVIDE ALIAS> -CAfile "<PATH>\ca_certificate.pem" -caname root

The second step is to create the actual Java Key Store (JKS), keystore.jks. In the area denoted by <PROVIDE JKS PASSWORD>, please use the same password from the previous step. Note: this step will require the JKS password from the previous step to create the keystore bundle.

📓 Keytool

Keytool requires that the Java SDK is installed. The SDK can be downloaded from the Oracle website.

Create a JKS - Linux/Unix

keytool -importkeystore -deststorepass <PROVIDE JKS PASSWORD> -destkeystore keystore.jks -srckeystore keystore_bundle.p12 -srcstoretype PKCS12

Create a JKS - Windows

keytool -importkeystore -deststorepass <PROVIDE JKS PASSWORD> -destkeystore keystore.jks -srckeystore "<PATH>\keystore_bundle.p12" -srcstoretype PKCS12

Step #7 - Create an Anaplan Connection supporting CA-Certificates

Using the OneCloud Connection Manager, please create a new connection for Anaplan. Pay special attention to the areas highlighted in red. At this point, it is possible to use the OneCloud for Anaplan BizApp.

Did this answer your question?