Snowflake - Liquibase connectivity using JDBC key pair authentication

Hi Community,

We are actually trying to connect to Snowflake from Liquibase using key pair authentication (using a key file and password). There seems to be an error like “PBE parameter parsing error: expecting the object identifier for AES cipher”.

I see that the same file and file password is working when I tried connecting from snowsql. Also the connection to snowflake is working as we tried with username and password along with jdbc url.

Does Liquibase not support JDBC connectivity with key pair authentication? If anyone is successful in using it, could you please help with what might be missing in our case?

Some more details on the error:
ERROR: Private key provided is invalid or not supported: LIQUIBASE_key.p8: PBE parameter parsing error: expecting the object identifier for AES cipher

We use oauth authentication for Snowflake. I’m not familiar with key pair authentication.

Connection string looks like this:

jdbc:snowflake://XXX.snowflakecomputing.com:443/?db=XYZ&warehouse=XYZ&schema=XYZ&authenticator=oauth&token=ABC

Can you send me links on how this can be configured?

Your snowflake system has to be configured for Azure oauth, I can’t help with that part, but here is a link.

https://docs.snowflake.com/en/user-guide/oauth-azure

Then you have to get the oauth token from Azure and provide it with the 2 new parms (authenticator and token) in the jdbc string. Don’t provide username and password.

Does that mean, OAUTH token should be generated outside of liquibase & passed as input to Liquibase as part of JDBC?

If yes, as I understand, OAUTH security integration in snowflake requires re-direct URL. Could you share your sample OAuth security integration, and how we can generate the OAUTH tokens?

Adding more context to my earlier question: we wanted to connect to liquibase during gitlab pipeline run to deploy the scripts onto snowflake. We don’t want to pass username and password as part of jdbc url and we thought to use key pair based authentication.

oauth configuration is on the Snowflake side, it has nothing to do with Liquibase.

Yes, you need to generate the oauth token outside of Liquibase and snowflake, and then use it to connect to the database via jdbc.

There is no redirect URL, all of the required parameters are in the jdbc string, as I provided above.

Username and password are no longer used when you use oauth authentication, but you do have to provide the token as part of the jdbc string. See my example string above.

Thanks @daryldoak, will try it

The error message “PBE parameter parsing error: expecting the object identifier for AES cipher” indicates an issue with the format or encryption of the private key file you’re using. Here are some steps to troubleshoot and potentially resolve this issue:
Validate Key Format and Encryption
Ensure your private key file (LIQUIBASE_key.p8) is in the correct format and uses the correct encryption method. Snowflake supports private keys in PEM or DER formats. Here’s how you can generate a compatible key:
Generating a Private Key
Configure Liquibase Correctly
Ensure you have configured Liquibase to use the correct JDBC URL and specified the location of the key file correctly.
Check JDBC Driver Compatibility
Ensure you are using a compatible version of the Snowflake JDBC driver that supports key pair authentication. Check the Snowflake documentation for the latest information on driver versions and key pair authentication support.
Testing Key with SnowSQL
Since you mentioned that the same key and password work with SnowSQL, it indicates the key itself is probably fine, but the way it is being processed by Liquibase might be different.
Use Environment Variables
Sometimes passing sensitive data directly in files or command lines can be problematic.
Detailed Logging
Enable detailed logging for Liquibase to get more insights into what might be going wrong.
Verify Key Permissions

If you continue to face issues, alternatively, you can contact experts in software development, they may be able to help you out https://tech-stack.com/

The current version of Liquibase (4.28.0) updates the version of the Snowflake JDBC driver, which allows the JVM argument -Dnet.snowflake.jdbc.enableBouncyCastle. That would help other people with similar issues.
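
Added example (not part of the thread, and not Liquibase or Snowflake code): a Python check that reads only the unencrypted header of a PKCS#8 "ENCRYPTED PRIVATE KEY" file and lists the password-based encryption scheme, key-derivation function, PRF and cipher the key declares, which are the PBE parameters the error message is about. The function names, the OID table and the sample key header are assumptions constructed for illustration.

```python
import base64, re

# Names for OIDs that can appear in the header of an encrypted PKCS#8 key.
OID_NAMES = {
    "1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC", "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.3.7": "des-EDE3-CBC",
}

# Constructed sample (not a real key): a PBES2 header followed by dummy ciphertext.
SAMPLE_DER = bytes.fromhex(
    "306b 3057 06092a864886f70d01050d 304a"
    " 3029 06092a864886f70d01050c 301c 04080102030405060708 02020800"
    " 300c 06082a864886f70d0209 0500"
    " 301d 060960864801650304012a 0410" + "00" * 16 + "0410" + "00" * 16)
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n"
              % base64.b64encode(SAMPLE_DER).decode())

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                      # base-128 digits, high bit = more follow
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk_oids(der):
    """Yield every OID in a DER blob, descending into constructed types only."""
    pos = 0
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:                  # long-form length: next n bytes hold it
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        body, pos = der[pos:pos + length], pos + length
        if tag == 0x06:                    # OBJECT IDENTIFIER
            yield decode_oid(body)
        elif tag & 0x20:                   # SEQUENCE/SET: recurse; ciphertext is skipped
            yield from walk_oids(body)

def describe_key(pem_text):
    """Return the PBE algorithm names declared by an encrypted PKCS#8 PEM key."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.+?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("not an encrypted PKCS#8 (ENCRYPTED PRIVATE KEY) PEM file")
    return [OID_NAMES.get(o, o) for o in walk_oids(base64.b64decode(m.group(1)))]
```

Pass the text of your own .p8 file to describe_key; no passphrase is needed because only the algorithm identifiers are read, and OIDs missing from the table are returned in dotted form.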