To configure the public/private key pair:
From the command line in a terminal window, generate a private key:
$ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8
OpenSSL prompts for a passphrase used to encrypt the private key file. Record this passphrase. You will input it when connecting to Snowflake.
From the command line, generate the public key by referencing the private key:
$ openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
Copy the public and private key files to a local directory for storage. Record the path to the files.
*Note that the private key is stored in PKCS#8 (Public Key Cryptography Standards #8) format and is encrypted with the passphrase you specified in the previous step; however, the file should still be protected from unauthorized access using the file permission mechanism provided by your operating system. It is your responsibility to secure the file when it is not being used.
PK Protect then applies an AES encryption layer on top of this already-encrypted private key and stores the result on the IDP side:
DBMS Detection Agent (\dgDiscoverAgent\WEB-INF\classes\com\dataguise\discoverAgent\keystore\<username>.txt);
DBMS Masking Agent (\dgAgent\WEB-INF\classes\com\dataguise\Worker\Masker\PrerequisiteFiles\keystore\<username>.txt)
Assign the public key to the Snowflake user using ALTER USER. For example:
alter user jsmith set rsa_public_key='MIIBIjANBgkqh...';
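As an added example (not part of the PK Protect documentation), the key-pair steps above as a non-interactive shell script, followed by the checks worth running before handing the files to PK Protect: that the PKCS#8 file really is passphrase-protected, that its permissions exclude group and others, that the public key belongs to the private key, and the exact value to paste into ALTER USER. It assumes openssl is on PATH and takes the passphrase as an argument instead of the OpenSSL prompt.

```shell
# Added example (not part of the PK Protect documentation): the key-pair steps above
# as a non-interactive script, with the checks a practitioner would want afterwards.
# Assumptions: openssl is on PATH; the passphrase is passed as an argument instead of
# being typed at the OpenSSL prompt.
set -e

# gen_snowflake_keypair DIR PASSPHRASE: writes DIR/rsa_key.p8 and DIR/rsa_key.pub
gen_snowflake_keypair() {
  dir=$1; pass=$2
  mkdir -p "$dir"
  (
    umask 077   # new files are owner read/write only, per the note on file permissions
    # Same pipeline as the documentation, with -passout so no prompt is needed.
    openssl genrsa 2048 2>/dev/null \
      | openssl pkcs8 -topk8 -inform PEM -passout "pass:$pass" -out "$dir/rsa_key.p8"
    openssl rsa -in "$dir/rsa_key.p8" -passin "pass:$pass" -pubout \
      -out "$dir/rsa_key.pub" 2>/dev/null
  )
}

# private_key_is_encrypted FILE: succeeds only if the PKCS#8 file is passphrase-protected
private_key_is_encrypted() {
  grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# private_key_perms_ok FILE: succeeds only if group and others have no access bits
private_key_perms_ok() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# rsa_public_key_value FILE: PEM body without header/footer or newlines,
# which is the form ALTER USER ... SET RSA_PUBLIC_KEY expects
rsa_public_key_value() {
  grep -v '^-----' "$1" | tr -d '\n'
}

# keypair_matches P8 PUB PASSPHRASE: succeeds if PUB was derived from P8
keypair_matches() {
  from_priv=$(openssl rsa -in "$1" -passin "pass:$3" -pubout 2>/dev/null \
    | grep -v '^-----' | tr -d '\n')
  [ -n "$from_priv" ] && [ "$from_priv" = "$(rsa_public_key_value "$2")" ]
}

# alter_user_statement USER PUB: the statement to run in Snowflake
alter_user_statement() {
  printf "alter user %s set rsa_public_key='%s';\n" "$1" "$(rsa_public_key_value "$2")"
}
```

A 2048-bit RSA public key in this form always begins with MIIBIjANBgkqh, which is why the documentation's ALTER USER sample starts that way.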
Authentication Type: Username-Password
Authentication Type: Key-Pair
The private key path and passphrase are required to authenticate.
*Note: The private key should be placed on the IDP side.
Case A: Private Key path contains the private key
IDP looks in the specified location for the private key. If found, IDP uses it and stores it in AES encrypted form (in the location mentioned above).
*Note: The ‘Key Path’ always takes priority, so IDP always stores the most recent private key provided by the user.
Case B: Private Key path does not hold the private key
IDP is unable to fetch the private key from the specified location, so it looks for the private key on its own side (<username>.txt) and tries to authenticate with that.
‘Test Connection’ and running a (Detection or Masking) task both require establishing a connection to the specified database with the given credentials. Either action causes the private key to be stored in AES encrypted form on the IDP side.