Connector to Anaplan (Standard)

With the Anaplan® (Standard) connector, you can use commands to perform standard Anaplan functions as part of a chain. To use a chain to automate security settings through robotic process automation (RPA), such as to upload a new data source, use the Anaplan (RPA) connector instead.

For example, with this connector, you can:

• Download and upload files in Anaplan
• Manage imports, exports, and other Anaplan actions
• Manage files, views, and processes in Anaplan

Note: This connector is built by Workiva and connects to a third-party system. While our Support team can help configure this connector within your workspace, we are unable to troubleshoot or otherwise assist with any issues that originate outside of the Workiva platform.

Requirements

To perform its commands, the Anaplan (Standard) connector uses the Anaplan REST API. To secure the connection to Anaplan, the connector can authenticate via:

• Basic username and password authentication
• A Certificate Authority (CA)-signed certificate 
• 0Auth 2.0 using an Anaplan OAuth2 Authorization Code

To set up the connection, you'll need:

• The base URI for the Anaplan API, such as the default https://api.anaplan.com
• A designated integration user or service account created in Anaplan
• The authentication credentials of the integration user or service account:
  • For basic authentication, the username and password
  • For a certificate:
    • The CA-signed certificate as a PEM file
    • The private key and—If encrypted—its password
  • For OAuth 2.0, the Client ID and Secret. Additionally, the "Refresh Token Behavior" setting in Anaplan must be set to non-rotatable.
• If using a proxy server, its URI, username, and password

For certificate authentication, you can manually create the files required or automatically generate them for macOS or Linux via a shell script. 

Setting up an 0Auth2 token within Anaplan

To authenticate using 0Auth 2.0, you must create an OAuth 2.0 client within Anaplan by following the instructions at this link: 

• https://help.anaplan.com/create-an-oauth-20-client-0984a799-a667-4e70-8759-a134be32f48c

When setting up your token, the "Refresh Token Behavior" setting in Anaplan must be set to non-rotatable. Only non-rotatable refresh tokens are supported — a rotatable token will expire and cause the connection to fail. Learn more about using the Anaplan OAuth2 Service.

 

Automatically create files for certificate authentication on macOS or Linux

To enable certificate authentication for macOS® or Linux, you can run the create-cert.sh shell script to automatically create the files the connection requires to authenticate via a CA-signed certificate:

• ca_certificate.pem, a public certificate to upload and register with Anaplan
• unencrypted_private_key.pem or encrypted_private_key_pkcs8.pem, a private key to also use with Anaplan Connect®
• An optional keystore.jks, the Java KeyStore that houses the certificate's private key

To generate these files, update these parameters, and then run the shell script in a Terminal window:

• CertP12Format
• CertP12Password
• PemPassPhrase
• KeyStoreAlias
• KeyStorePassword
• CreateUnencryptedPrivateKey (true or false)
• EncryptedPrivateKey (true or false)
• CreateJks (true or false)

create-cert.sh

#!/bin/sh
# For MAC OS : This script will create a CA Certificate that is compatible with Anaplan Connect
# Update the variables below with your particular settings. 


# Provide the path and file name of the exported certificate in .p12 format
CertP12Format="PATH TO CERTIFICATE IN P12 FORMAT"
CertP12Password="PASSWORD FOR CERTIFICATE IN P12 FORMAT"
CertPEMFormat="ca_certificate.pem"

# Set the line number where the public key starts
StripLinesUpUntil=82

# Provide the path and file name of the unencrypted export key.
# This file is required for creating a Java Key Store
CreateUnencryptedPrivateKey="true"
UnencryptedPrivateKey="unencrypted_private_key.pem"


# Provide the path and file name of the encrypted export key.
# This is only required if opting to not use a Java Key Store
CreateEncryptedPrivateKey="true"
EncryptedPrivateKey="encrypted_private_key_pkcs8.pem"
PemPassPhrase="pem-password"

# Provide the path and file name of the Java Key Store
CreateJks="true"
JavaKeyStore="keystore.jks"
KeyStoreAlias="PROVIDE ALIAS"
KeyStorePassword="jks-password"

#____________________________ Do not edit below this line ______________________________

echo "************* Creating CA Certificate (PEM Format) *************"
echo "You will be prompted to enter a few passwords. Be sure to enter the Import Certificate password: \"${CertP12Password}\""
read -p "Press any key to continue... " -n1 -s
openssl pkcs12 -in $CertP12Format -nokeys -out ./temp_cert
sed -e "1,${StripLinesUpUntil}d" < ./temp_cert > ${CertPEMFormat}
### https://www.computing.net/answers/programming/delete-all-lines-afterbefore-line-number-with-dos-batch/29963.html
cat ${CertPEMFormat}
rm ./temp_cert

echo "CA Certificate (PEM Format) created: $CertPEMFormat" 

if [ $CreateUnencryptedPrivateKey == "true" ]
then
    echo "************ Creating Unencrypted Private Key ******************"
    echo "You will be prompted to enter the Import Certificate password. Be sure to enter the password: \"${CertP12Password}\""
    openssl pkcs12 -in $CertP12Format -nocerts -out $UnencryptedPrivateKey -nodes
    echo "Unencrypted Private Key created: $UnencryptedPrivateKey" 
else 
    echo "************** Unencrypted Key was NOT created *****************"
fi

if [ $CreateEncryptedPrivateKey == "true" ]
then
    echo "************ Creating Encrypted Private Key ******************"
    echo "You will be prompted to enter the Import Certificate password. Be sure to enter the password: \"${CertP12Password}\""
    echo "You will also be prompted to enter the pem passphrase. Be sure to enter the passphrase: \"${PemPassPhrase}\""
    read -p "Press any key to continue... " -n1 -s
    openssl pkcs12 -in $CertP12Format -nocerts -out ./temp_cert
    openssl pkcs8 -inform PEM -in ./temp_cert -outform PEM -out $EncryptedPrivateKey -passout pass:$PemPassPhrase
    rm ./temp_cert
    echo "Encrypted Private Key created: $EncryptedPrivateKey" 
else 
    echo "************** Encrypted Key was NOT created *****************"
fi

if [ $CreateJks == "true" ]
then
    echo "************ Creating Java Key Store ******************"
    echo "You will be prompted to enter a password. Be sure to enter \"${KeyStorePassword}\" (3x)"
    read -p "Press any key to continue... " -n1 -s
    openssl pkcs12 -export -in ${CertPEMFormat} -inkey $UnencryptedPrivateKey -out ./keystore_bundle.p12 -name $KeyStoreAlias -CAfile $CertPEMFormat -caname root 
    keytool -importkeystore -deststorepass $KeyStorePassword -destkeystore $JavaKeyStore -srckeystore ./keystore_bundle.p12 -srcstoretype PKCS12
    rm ./keystore_bundle.p12
    echo "Java Key Store created: $JavaKeyStore" 
else 
    echo "********* Java Key Store was NOT created **************"
fi
  

 

Manually create files for certificate authentication 

To enable certificate authentication, you can manually create a CA-signed certificate for the connection's integration user or service account. To manually create these files, you'll need:

• Mozilla Firefox®
• For macOS or Linux, a Terminal window; for Microsoft Windows®, OpenSSL
• Tenant Administrator rights in Anaplan

Note: A Java KeyStore can be used, but it is optional and not included in these steps.

 

Step 1. Order a Personal Email Security (S/MIME) authentication certificate

Order a (S/MIME) authentication certificate for Anaplan from Sectigo®.

To ease connector maintenance, we recommend a three-year certificate. When completing the order, leave the values under "Advanced Security Options" set to their default. 

Step 2. Create a Certificate Signing Request (CSR)

The following example configuration can be used for your CSR, but you will need to fill out the blank fields with your business information. 

Make sure to save the config in the following format (using your own name): firstname_lastname_openssl.cnf

[ req ]
default_md = sha512
default_bits = 4096
utf8 = yes
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_user_req

[ req_distinguished_name ]
countryName = US
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName =
stateOrProvinceName_default =
localityName = 
localityName_default = 
0.organizationName = 
0.organizationName_default = 
organizationalUnitName = 
organizationalUnitName_default = 
commonName = 
commonName_default = 
commonName_max = 64
emailAddress = 
emailAddress_default = 
emailAddress_max =40

[ v3_user_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature
nsCertType = client
extendedKeyUsage = clientAuth

 

Step 3. Use OpenSSL to create your CSR and private key in PEM format

Replace the firstname_lastname text in the following command with your own certificate name from the previous step:

openssl req -config firstname_lastname_openssl.cnf -new -out firstname_lastname_csr-4096.pem -keyout firstname_lastname_private-key-4096.pem

Using OpenSSL, run the command.

You will be asked for a passphrase at this point — make sure to record it, as it's required for Anaplan REST API requests.

Step 4. Submit the certificate request, and download your public key

1. Log into Sectigo.
2. Go to the Setup page.
3. When asked to provide contact information, enter an email address that is tied to an active Anaplan account. This is usually your Anaplan service account.
4. Copy and paste the CSR created in the previous step. This should begin and end with the following:

   ----BEGIN CERTIFICATE REQUEST-----
   
   ----END CERTIFICATE REQUEST-----

5. Submit the request.

Check your email for confirmation from Sectigo, and follow their provided steps to download the certificate.

 

Step 5. Upload the public key to Anaplan

The certificate downloaded from Sectigo will appear in the following format: cert_12345.crt. This is your public key.

Rename the key to something like firstname_lastname_public-key-4096.pem and upload it to Anaplan.

 

Set up the Anaplan (Standard) connector

Note: To make the connector available for use in your organization's chains, an org security administrator first enables it from Configuration.

1. From Chain Builder, click Connections  compare_arrows, and then Create at the top right.
2. Under Connector Connection, select Anaplan (Standard) and the default CloudRunner.
   
3. Enter a unique name and description to help identify the connection.
4. If using certificate authentication, under Resources, upload the public certificate and its private key file (or JKS).
5. Under Properties, enter the connector's details.
   

   Property	Details
   API base URI	Enter the base URI for the Anaplan API. By default, http://api.anaplan.com.
   Proxy URI	If using a proxy server, enter its URI.
   Proxy username	If using a proxy server, enter its username.
   Proxy password	If using a proxy server, enter the password for the Proxy username property.
   Debug	Select whether to display additional information when troubleshooting.

6. Under Authentication, enter the authentication details
   

   Property	Details
   Authentication type	Select how to secure the connection: Basic/Certificate Auth for username/password or a CA-signed certificate Anaplan OAuth2 Authorization Code for OAuth 2.0 Depending on the authentication type selected, only the relevant properties detailed below will appear. Learn more: Create an OAuth 2.0 client Anaplan OAuth2 Service Note: When using an Anaplan OAuth2 Authorization Code, the "Refresh Token Behavior" setting in Anaplan must be set to non-rotatable.
   Client ID (OAuth 2.0 only)	Enter the ID for the integration users' OAuth grant.
   Client secret (OAuth 2.0 only)	Enter the secret for the ID property.
   Authentication method (Basic/Certificate Auth only)	Select an authentication method: For username and password, select Basic. For a CA-signed certificate, select Certificate.
   Authentication URI (Basic/Certificate Auth only)	Enter an Authentication URI. Defaults to https://auth.anaplan.com
   Username (Basic/Certificate Auth only)	For basic authentication, enter the username of the connector's Anaplan integration user or service account.
   Password (Basic/Certificate Auth only)	For basic authentication, enter the password for the Username property.
   Certificate path (Basic/Certificate Auth only)	For certificate authentication by private key, enter the filename of the public certificate uploaded under Resources.
   KeyStore path (Basic/Certificate Auth only)	For certificate authentication, enter the filename of the JKS uploaded under Resources.
   KeyStore alias (Basic/Certificate Auth only)	For certificate authentication, enter the alias of the JKS.
   KeyStore password (Basic/Certificate Auth only)	For certificate authentication, enter the password of the JKS.
   Private key (Basic/Certificate Auth only)	For certificate authentication with a private key, enter the filename of the private key uploaded under Resources.
   Private key password (Basic/Certificate Auth only)	For certificate authentication with an encrypted private key, enter the password for the Private key property.

   Note: All sensitive credentials are automatically encrypted and stored at Advanced Encryption Standard (AES)-256 encryption.

7. Select the environments to use with the connection, and click Save.
8. To test the connection, create and run a chain with the connector's List Actions command, and verify it returns a valid output.

Troubleshooting

If the connection to Anaplan fails:

• Verify the authentication credentials are correct.
• If using certificate authentication, verify the certificate hasn't expired, and renew if necessary.