In Part 1 of this blog series, we presented “under the hood” details on how CA Certs are used to authenticate to Anaplan. Let’s recap what we learned in Part 1.
Anaplan integration API requests require an authentication token (AnaplanAuthToken) in their headers. The Anaplan authentication service API is used to generate this token.
An authentication API request requires the following header and body to generate the token:
{
"encodedData" : "2wiKPoVqz0ZheVU8T+CqoR82WsVfDIb3bc1I/MIxXD9OQ76js+Qjlh8y5lfzb0lpx8jyZiM+lKMA8Ku5oKyOh0nJN2nk6tloTkL8TKJ6nUm9pVT1+dbCsJZhAi",
"encodedSignedData" : "hnbAWqqOob5RrAlqMyLbuUvkpK0Bfe9hm3MlZwI7Q2tbu4SRUMqeivIKvvjenzkDo+8mdS0jQUuCfjgVyZhg4Uj3rk3KENbyFj7dV7H3f3T2QDnxU+7T0aIuw17PwkRKx0Rg9IpwBkOMXxoSMTQuN30Dem5SIGDYpHCQ0Y6KVo1tmynp4+6XKha/sD3BMZtHlQ=="
}
How do we generate these strings for header & body?
You could use sample Java code provided by Anaplan on Anapedia. There are, however, other simpler alternatives:
Table below summarizes advantages and disadvantages of each utility listed above.
Utility | Pros | Cons
certAuthGenerator | |
vEncrypt_0_4.jar | |
Python Script | |
In this section, we will present step-by-step instructions on how to use utilities listed above to generate authentication strings.
Using the instructions provided in this community article, you can build a script that generates not only the authentication strings but also the authentication token you will need for the integration APIs. A sample Python script (getAuthStringsCACert.py) is provided with this article for your reference. This script is NOT supported by Anaplan. It is intended to provide you an example of how Python scripting can be used in Anaplan integrations.
This article assumes you have met following requirements:
Execute getAuthStringsCACert.py on your system. The script will output two strings: Header String and Body String (JSON) to be used in your authentication services API requests to generate authentication token.
vEncrypt_0_4.jar is a custom Java utility that provides following functionality:
We will first look at how to generate authentication strings for Authentication service request using a CA Certificate in .pfx format followed by a sample python script that generates an authentication token using this java utility.
Before we get started, let’s recall the disclaimer. This utility is provided “as is”. It is intended for illustration purposes only. There is no support provided for this utility.
Use following syntax on the command line to generate authentication strings from a CA Certificate (.pfx).
java -jar vEncrypt_0_4.jar SIGNEDDATA {path}/{certificate} {cert passphrase}
Output from the utility is a string that contains three fields, delimited by “*++*”:
Encoded String & Encoded Signed String can be used to build a JSON structure that’s passed in the body of Anaplan Authentication services API request.
Public Certificate string is passed in the header of API request. Details were presented in earlier sections of this article.
Any scripting language can be used to parse these fields from the result of this Java Utility. In the next section, we will present how a sample Python script can be used to execute the java utility, generate required authentication strings, and generate authentication token.
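One way to do that parsing in Python, as an added example that is not the article's script or Anaplan code: it splits the utility's output on “*++*”, checks that each of the three fields is valid base64, and builds the JSON body. The function names, the field label publicCert, the sample values, and the field order passed by the caller are assumptions; confirm the order against your utility's actual output.

```python
import base64
import binascii
import json

DELIM = "*++*"  # field delimiter stated in the article
FIELDS = ("encodedData", "encodedSignedData", "publicCert")  # publicCert: assumed label


def _check_b64(name, value):
    """Return value if it is non-empty strict base64, else raise ValueError."""
    try:
        if not base64.b64decode(value, validate=True):
            raise ValueError
    except (binascii.Error, ValueError):
        # Name the field only; never echo the value into logs or tracebacks.
        raise ValueError(f"field {name!r} is not valid base64") from None
    return value


def parse_signeddata_output(raw, field_order):
    """Split the SIGNEDDATA output line into three named, validated fields.

    field_order is the order in which your copy of the utility emits the
    fields; it is supplied by the caller, not taken from the article.
    """
    if sorted(field_order) != sorted(FIELDS):
        raise ValueError("field_order must name each of the three fields once")
    parts = [p.strip() for p in raw.strip().split(DELIM)]
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}")
    return {n: _check_b64(n, v) for n, v in zip(field_order, parts)}


def build_auth_body(fields):
    """JSON request body with the two keys shown in the article's sample."""
    return json.dumps({k: fields[k] for k in ("encodedData", "encodedSignedData")})


# Constructed sample output (not real certificate material).
SAMPLE = DELIM.join(
    base64.b64encode(b).decode()
    for b in (b"constructed data", b"constructed signature", b"constructed cert")
)

if __name__ == "__main__":
    parsed = parse_signeddata_output(SAMPLE, FIELDS)
    print(build_auth_body(parsed))
```

Rejecting malformed output before building the request keeps a truncated or error-message result from the utility from being sent to the authentication service as if it were signed data.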
This sample python script generates authentication token directly from a CA Certificate in pfx format. The script performs following tasks to generate Anaplan authentication token:
The python script takes 5 input arguments:
Syntax:
python getAuthTokenCACertvEncrypt.py {path_to_jar} vEncrypt_0_4.jar {path_to_cert} {cert_name} {cert_password}
Authentication Token can, now, be used in any Anaplan integration APIs (Bulk API, Transactional API, CloudWorks API, ALM API, etc…).
Anaplan Connect scripts can authenticate to Anaplan Platform via Basic authentication (username & password), CA certificates (Public Key, Private Key), and Java Keystore. With each of these authentication methods, passwords are exposed as ASCII text. Anaplan Connect, by default, doesn’t offer ways to encrypt or hide this information, posing potential security risk. In this section, we will present how vEncrypt_0_4.jar utility helps solve for this by providing encryption functionality and enhancing security for authentication credentials.
This utility provides following functionality:
This java utility requires following pre-requisites:
Next, we will walk through steps on how to encrypt/decrypt sensitive password information in Anaplan Connect scripts using vEncrypt_0_4.jar utility. Below is a list of steps we will follow.
java -jar vEncrypt_0_4.jar generate 128
Encrypt Anaplan credentials (username:password for Basic Authentication), Private Key pass phrase (CA Certificate authentication), or Java Keystore (keystore pass phrase) using generated key from step 2.
java -jar vEncrypt_0_4.jar encrypt {yourcredentials} {generatedkey}
Execute Anaplan connect script using vEncrypt_0_4.jar, encryptedCredentials.txt, and generated key. Use following syntax.
java -jar vEncrypt_0_4.jar {path/AC script} {path/encrypted_cred.txt} {generated key}
Summary: With this utility, you were able to successfully encrypt sensitive password information in your script and use encrypted information to run Anaplan Connect script. You were also able to add enhanced security by restricting file permissions on encrypted credentials so only authorized users or service accounts are able to read encrypted data.