How to generate a private-public key pair using OpenSSL

Overview

Key-based authentication involves generating a pair of cryptographic key files. These files consist of a private key and a public key, which uniquely identifies the user. Key pair authentication provides an enhanced level of security for authentication when compared to basic methods such as using a username and password. This authentication method requires a 2048-bit RSA key pair. The private-public key pair for Privacy Enhanced Mail (PEM) can be generated using OpenSSL.

Note: Key pair authentication is currently supported in Database connector only for the Snowflake database.

Steps to generate a private and public key pair using OpenSSL

Note: To explain the following steps, the key pair authentication process between the Database connector and the Snowflake database is considered.
  1. Install OpenSSL on your system.

  2. Open a terminal or command prompt to use OpenSSL commands to generate the key pair.

  3. Generate a private key and certificate using the following command:

    openssl req -x509 -newkey rsa:2048 -keyout <private_key_file> -out <cert_file> -sha256 -days 730 -nodes -subj "/C=<country>/ST=<state>/L=<locality>/O=<organization>/OU=<unit>/CN=<common_name>"

    Example:

    openssl req -x509 -newkey rsa:2048 -keyout privatekey.pem -out my_cert.pem -sha256 -days 730 -nodes -subj "/C=US/ST=Ohio/L=Columbus/O=Software Co/OU=Adapters/CN=soco"

    This command will generate a 2048-bit RSA private key in PEM format, for example:

    -----BEGIN PRIVATE KEY-----
    MIIE6T...
    -----END PRIVATE KEY-----

  4. Once you have the private key, you can generate the corresponding public key using the following command:

    openssl rsa -in <private_key_file> -pubout -out <public_key_file>

    Example:

    openssl rsa -in privatekey.pem -pubout -out pubkey.pub

    This command will extract the public key from the private key in PEM format, for example:

    -----BEGIN PUBLIC KEY-----
    MIIBIj...
    -----END PUBLIC KEY-----

    Securely store both the private and public keys in a local directory and record the path to the files. Note that the private key is saved in the PKCS#12 format and encrypted using the passphrase.

  5. Next, generate a keystore file in either PKCS#12 or JKS format using the following command:

    openssl pkcs12 -export -name <alias> -in <cert_file> -inkey <private_key_file> -out <keystore_file>

    Example:

    openssl pkcs12 -export -name privatekey -in my_cert.pem -inkey privatekey.pem -out mykeystore.p12

    • Set your public key to your Snowflake user to use key-pair authentication. Note that you must have the ACCOUNTADMIN role to make edits to a user.

    • Alter the user to use key pair authentication using the following command:

      alter user <your_username> set rsa_public_key='MIIBIjAN.....'

      Example:

      ALTER USER JOHN SET RSA_PUBLIC_KEY='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtD7m97G2h9sNdkWeDBeyFhgUPLu2wbccYXT3vXwDudL2qFm7W6PxVaEj/k1bFeKcOHDI2jVVeHzU1awg1wxBJ3Jd2GJ9dYNmjGhovLSrthbKbGMavlwU+QIDAQAB'

    • Replace the RSA_PUBLIC_KEY value with the contents of the public key file you generated. Run this command in Snowflake.

  6. Add the keystore file generated in step 5 in IBM® webMethods Integration by clicking Projects > Select a Project > Configurations > General > Certificates > New Certificate > Keystore.

  7. Navigate to the Connectors tab and select the Database connector. Add the Basic configuration and the Advanced configuration, and select the keystore file. Also set the Other properties as required by Snowflake.

  8. Test the connection to verify database connectivity. A success message appears if the connection succeeds.

  9. Test key pair authentication by connecting to Snowflake using your Snowflake client. You should be able to log in without entering a password.
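The OpenSSL commands from steps 3 to 5, followed by the checks a practitioner would run before handing the files to the connector, as an added shell script that is not part of this page or of IBM's documentation. It assumes a POSIX shell with OpenSSL on the PATH and uses the page's example file names; the PKCS#12 export password is passed with -passout rather than typed at the prompt (an assumption, the page's command prompts for it), and the fingerprint function, which produces the value Snowflake shows as RSA_PUBLIC_KEY_FP in DESCRIBE USER, is taken from Snowflake's own key-pair documentation rather than from this page. The key value for ALTER USER is the base64 body of pubkey.pub only, with the BEGIN/END lines removed, as the page's example value shows.

```shell
#!/bin/sh
# Added example, not the page's own commands: steps 3 to 5 run non-interactively
# into one directory, followed by checks worth doing before the files are wired
# into a connector. Assumptions: OpenSSL is on PATH, and the PKCS#12 export
# password is passed with -passout instead of typed at the prompt.
set -eu
umask 077   # new files are owner-only (0600): the private key must not be readable by others

# Steps 3, 4 and 5 of the page. $1 = output directory, $2 = keystore password.
generate_keypair() {
    dir=$1
    ks_pass=$2
    mkdir -p "$dir"
    # Step 3: 2048-bit RSA private key plus a self-signed certificate; -nodes leaves the key unencrypted
    openssl req -x509 -newkey rsa:2048 \
        -keyout "$dir/privatekey.pem" -out "$dir/my_cert.pem" \
        -sha256 -days 730 -nodes \
        -subj "/C=US/ST=Ohio/L=Columbus/O=Software Co/OU=Adapters/CN=soco" 2>/dev/null
    # Step 4: public key derived from the private key
    openssl rsa -in "$dir/privatekey.pem" -pubout -out "$dir/pubkey.pub" 2>/dev/null
    # Step 5: PKCS#12 keystore holding the certificate and key under the alias "privatekey"
    openssl pkcs12 -export -name privatekey \
        -in "$dir/my_cert.pem" -inkey "$dir/privatekey.pem" \
        -out "$dir/mykeystore.p12" -passout "pass:$ks_pass"
}

# Returns 0 only if every file is what the procedure promised; 1 on the first failure.
verify_keypair() {
    dir=$1
    ks_pass=$2
    # the private key really is 2048-bit RSA (the size the connector requires)
    bits=$(openssl rsa -in "$dir/privatekey.pem" -noout -text 2>/dev/null \
           | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ "$bits" = "2048" ] || return 1
    # pubkey.pub belongs to privatekey.pem: same modulus
    priv_mod=$(openssl rsa -in "$dir/privatekey.pem" -noout -modulus 2>/dev/null)
    pub_mod=$(openssl rsa -pubin -in "$dir/pubkey.pub" -noout -modulus 2>/dev/null)
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ] || return 1
    # the keystore opens with the password that will be configured in the connector
    openssl pkcs12 -in "$dir/mykeystore.p12" -passin "pass:$ks_pass" -noout 2>/dev/null || return 1
    # the private key file is not readable by group or others
    perms=$(ls -l "$dir/privatekey.pem" | cut -c5-10)
    [ "$perms" = "------" ] || return 1
}

# Value for ALTER USER ... SET RSA_PUBLIC_KEY: the base64 body of pubkey.pub on one
# line, without the BEGIN/END lines (the page's example value starts "MIIBIjAN...").
snowflake_key_value() {
    grep -v '^-----' "$1" | tr -d '\n'
}

# Builds the step-5 ALTER USER statement for user $2 from public key file $1.
alter_user_statement() {
    printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$2" "$(snowflake_key_value "$1")"
}

# SHA-256 fingerprint of the public key in the form Snowflake reports as
# RSA_PUBLIC_KEY_FP (DESCRIBE USER), so the registered key can be compared with
# the local file. Taken from Snowflake's key-pair documentation, not from this page.
public_key_fingerprint() {
    der_digest=$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 -binary | openssl enc -base64)
    printf 'SHA256:%s\n' "$der_digest"
}

# Stand-alone run: generate into ./snowflake-keys, verify, print the SQL and fingerprint.
if [ "${1-}" = "--run" ]; then
    generate_keypair ./snowflake-keys "${KEYSTORE_PASS:-change-me}"
    verify_keypair ./snowflake-keys "${KEYSTORE_PASS:-change-me}" && echo "key pair OK"
    alter_user_statement ./snowflake-keys/pubkey.pub "${SNOWFLAKE_USER:-JOHN}"
    public_key_fingerprint ./snowflake-keys/pubkey.pub
fi
```

Run it as `KEYSTORE_PASS=... sh keypair.sh --run`; the password printed nowhere and the 0600 permissions from umask 077 are deliberate, since the -nodes private key is unencrypted on disk. After the ALTER USER has been run in Snowflake, DESCRIBE USER shows RSA_PUBLIC_KEY_FP, which should equal the fingerprint the script prints for the local pubkey.pub; a mismatch means the key pasted into Snowflake is not the one the connector's keystore holds.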