Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2025! Join us in Orlando join us for 3 days of immersive learning: REGISTER TODAY

Qlik Talend Product: How to set up Key Pair Authentication for Snowflake in Talend Studio

No ratings
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Amar_Belgacem_Qlik
Support
Support

Qlik Talend Product: How to set up Key Pair Authentication for Snowflake in Talend Studio

Last Update:

May 5, 2025 9:44:55 PM

Updated By:

Shicong_Hong

Created date:

Apr 28, 2025 3:44:43 AM

This guide briefly offers a step-by-step process on how to set up key-pair authentication for Snowflake in Talend Studio at Job level

The process can be summarized in three steps:

  1. Creating the .p12 file with Open SSL
  2. Configuring Snowflake
  3. Configuring Talend Studio at Job Level

 

Creating the .p12 File with Open SSL

The .p12 file contains both the private and public keys, along with the owner's details (such as name, email address, etc.), all certified by a trusted third party. With this certificate, a user can authenticate and identify themselves to any organization that recognizes the third-party certification. 

 

Talend tSetKeyStore component itself can only take in .jks or .p12/.pfx format. If you are using PKCS8 format, you need to convert your p8 certs into a supported format. 

  1. Generate the key with the following command line prompt:

    openssl genpkey -algorithm RSA -out private.key -aes256
    This will generate a private key (private.key) using the RSA algorithm with AES-256 encryption. You'll be prompted to enter a passphrase to protect the private key.

    pic1.png

    pic2.png

  2. Generate a self-signed certificate using the following command line prompt:
    openssl req -new -x509 -key private.key -out certificate.crt -days 1825
    This command generates a self-signed certificate (certificate.crt) that is valid for 5 years. You will be prompted to enter details like country, state, and organization when generating the certificate.

    self-signedcertificate.png

  3. Once you have both the private key (private.key) and certificate (certificate.crt), please create the .p12 file using the following command line and name your key alias.
    openssl  pkcs12 -export -out keystore.p12 -inkey private.key -in certificate.crt  -name "abe"
    And check the  created  .p12 file information with below command:
    openssl pkcs12 -info -in keystore.p12 or keytool -v -list -keystore keystore.p12
    pic4.png

    pic5.png

  4. Generate a public key with the following command line:
    openssl x509 -pubkey -noout -in certificate.crt > public.key
    pic6.png

Configuring Snowflake : 

The USERADMIN role is required to perform the Snowflake configuration. Open your Snowflake environment and ensure you have a worksheet or query editor ready to execute the following SQL statements. .
  1. For this step, you will create the necessary Snowflake components—database, warehouse, user, and role for testing purposes. If you already have an existing setup or example, feel free to re-use it 
    -- Drop existing objects if they exist
DROP DATABASE IF EXISTS ABE_TALEND_DB;           -- Drop the test database
DROP WAREHOUSE IF EXISTS ABE_TALEND_WH;          -- Drop the test warehouse
DROP ROLE IF EXISTS ABE_TALEND_ROLE;             -- Drop the test role
DROP USER IF EXISTS ABE_TALEND_USER;             -- Drop the test user

-- Create necessary objects
CREATE WAREHOUSE ABE_TALEND_WH;                  -- Create the warehouse
CREATE DATABASE ABE_TALEND_DB;                   -- Create the test database
CREATE SCHEMA ABE_TALEND_DB.ABE;                 -- Create the schema "ABE" in the test database

-- Create the test user
CREATE OR REPLACE USER ABE_TALEND_USER
    PASSWORD = 'pwd!'                            -- Replace with a secure password
    LOGIN_NAME = 'ABE_TALEND_USER'
    FIRST_NAME = 't'
    LAST_NAME = 'tt'
    EMAIL = 't.tt@qlik.com'                      -- Replace with a valid email
    MUST_CHANGE_PASSWORD = FALSE
    DEFAULT_WAREHOUSE = ABE_TALEND_WH;

-- Grant necessary permissions
GRANT USAGE ON WAREHOUSE ABE_TALEND_WH TO ROLE SYSADMIN;   -- Grant warehouse access to SYSADMIN

CREATE ROLE IF NOT EXISTS ABE_TALEND_ROLE;                  -- Create the custom role
GRANT ROLE ABE_TALEND_ROLE TO USER ABE_TALEND_USER;         -- Assign the role to the user

GRANT ALL PRIVILEGES ON DATABASE ABE_TALEND_DB TO ROLE ABE_TALEND_ROLE;                -- Full access to the database
GRANT ALL PRIVILEGES ON ALL SCHEMAS IN DATABASE ABE_TALEND_DB TO ROLE ABE_TALEND_ROLE; -- Full access to all schemas
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ABE_TALEND_DB.ABE TO ROLE ABE_TALEND_ROLE;-- Full access to all tables in schema
GRANT USAGE ON WAREHOUSE ABE_TALEND_WH TO ROLE ABE_TALEND_ROLE;                        -- Grant warehouse usage to custom role

-- Verify user creation
SHOW USERS;

-- Create a test table and validate setup
CREATE TABLE ABE_TALEND_DB.ABE.ABETABLE (
    NAME VARCHAR(100)
);

-- Test data retrieval
SELECT * FROM ABE_TALEND_DB.ABE.ABETABLE;
  2. For this step, please assign the public key to the Snowflake test user created earlier. To do this, you'll need do the following:
    • Locate public.key and open it in an editor (such as Notepad++)
    • Copy the public key displayed between BEGIN PUBLIC KEY and END PUBLIC KEY

      pic7.png

    • In the Snowflake environment, open a worksheet or query editor to run the following SQL statements. You will add the previously generated public key to our user and be sure to replace it with your own key.  
      DESCRIBE USER
      And to verify that the key was successfully added.  
      ALTER USER ABE_TALEND_USER SET RSA_PUBLIC_KEY=public key ';
DESCRIBE USER ABE_TALEND_USER;

      pic8.png

  3. Now we’ll verify that the configuration is correct. In your Snowflake environment, open a worksheet or query editor, run the following SQL statements, and copy the results (an sha256 hash of our public key ) into a Notepad or any text editor for reference. 

    DESC USER ABE_TALEND_USER;
SELECT SUBSTR((SELECT "value" FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))  WHERE "property" = 'RSA_PUBLIC_KEY_FP'), LEN('SHA256:') + 1);


    pic9.png

    Using OpenSSL, we will calculate the SHA-256 hash of the public key and compare it with the one previously generated by Snowflake to ensure they are matched.
    To do that use the following OpenSSL command: 
    openssl rsa -pubin -in public.key -outform DER | openssl dgst -sha256 -binary | openssl enc -base64


    hashmatch.png

    If the hash matches, proceed to Talend Studio configuration.

 

Configuring Talend Studio at Job Level : 

  1. Launch your Talend Studio and drag both tSetKeyStore and tDBConnection(Snowflake) components from Palette to Designer Tab

    ConfigStudio.png

  2. In the Basic settings of tSetKeyStore component, enter the path to the  keystore .p12 file in double quotation marks in the KeyStore file field :



    ConfigTalend.png
  3. Use the Key Alias set in the keystore. p12 file before for Snowflake DB Connection ("abe", for this example) : 


    pic13.png

     

  4. Please test the connection to see if the key-pair authentication you set up works

    pic14.png

 

Related Content

Talend-Job-using-key-pair-authentication-for-Snowflake-fails

 

Environment

Talend Studio 8.0.1

 
 
Talend Studio
Talend Studio
Labels (1)
Labels:
767 Views
Was this article helpful? Yes No
Comments
anthonyoctil1
Partner - Contributor
Partner - Contributor
2 weeks ago

Hi @Amar_Belgacem_Qlik some images are not displayed. This is a screenshot example. There are more in the article

Capture d’écran 2025-04-28 095151.png

 

 
Sonja_Bauernfeind
Digital Support
Digital Support
2 weeks ago

@anthonyoctil1 We're looking into it!

 

 
Xiaodi_Shi
Support
Support
2 weeks ago

Hello @anthonyoctil1 
Sorry for late response!
Thanks for letting us know the "images are missing" issue and we've fixed it. Feel free to let us know if there is anything in question. 

Best regards

Sabrina

 

 

 

 
marksouzacosta
MVP
MVP
2 weeks ago

Great article team.

I do a very similar approach but converting from P8 all the way to P12.

Questions:

1. Are you planning to add P8 support in Talend Studio? That would be very much appreciated.

2. Can I use a P12 file as a Resource in an Artifact/Task in Talend Cloud?
I have a Talend Studio Job where I set my P12 file as a Context Resource File - context.resource_file_keystore_encrypted. It works fine in Talend Studio but when I publish it to Talend Cloud things don't go as I expect.

When I create a Task based on the Artifact, I have to upload the P12 file to be used in the tSetKeystore block. However, when executing the task, I have the following error:
tSetKeystore_1 (SnowflakeKeyPair) java.lang.NullPointerException

My complete diagram:
marksouzacosta_0-1746059621259.png

 

Below the Task Configuration with the P12 and Password Resources highlighted - note that I'm using the Cloud / Cloud exclusive engines. I must not use a Remote Engine (this is a requirement):
marksouzacosta_2-1746060211771.png

 

And the error message:
marksouzacosta_3-1746060253488.png

 

Regards,

Mark Costa

 

Version history
Last update:
a week ago
Updated by:
Support