How to Fix PBES2 SecretKeyFactory Errors in Snowflake

When connecting to Snowflake using the “private_key_file” and “private_key_file_pwd” parameters, CopyStorm may report an error with the text:

  • PBES2 SecretKeyFactory not available

This error indicates that the private key file is encrypted, and that the Java installation used by CopyStorm does not support the encryption used to protect it.

This is a known issue in the Snowflake driver (details can be found here), with multiple possible solutions.

The simplest solutions are to:

  • Update the CopyStorm Java version to version 21 or later – Java 21 includes the required libraries.
  • Modify the private key file to be unencrypted. While this is not advised due to security concerns, it will resolve the issue by bypassing the problematic encryption logic.

A more complex solution is to:

  • Update CopyStorm with an encryption library that adds support for the encryption type.

The remainder of this article details the “complex solution” – integrating a third-party library with CopyStorm to enable the missing encryption algorithm. Instructions in this document are for the BouncyCastle security provider.

Adding BouncyCastle to CopyStorm

BouncyCastle is an open-source standard cryptographic library. It can be added to CopyStorm to enable support for additional encryption functions, including the PBES2 function that is missing in Java versions 20 and earlier. For more information about Bouncy Castle, please see here.

To add the BouncyCastle PKIX library to CopyStorm, there are three steps:

  1. Add the library JAR files to the CopyStorm lib/ directory.
  2. Add a JVM argument in the CopyStorm.bat or CopyStorm.sh launch script.
  3. Update the Java installation’s java.security file to enable BouncyCastle.

Step 1: Add BouncyCastle JAR files to CopyStorm

BouncyCastle jars can be downloaded here:

You will need to download two JAR files:

  • bcprov-jdk18on-[version].jar
  • bcpkix-jdk18on-[version].jar

To add the JARs to CopyStorm, copy them into the [CopyStorm]/lib/ directory.

Step 2: Add JVM Argument to CopyStorm

The following JVM argument is added to the CopyStorm.bat or CopyStorm.sh script:

  • -Dnet.snowflake.jdbc.enableBouncycastle=TRUE

To add the parameter in Linux:

  • Modify this line of CopyStorm.sh:
    • "$JAVA" -Dcsapp.class=CopyStorm -jar "$MYROOT/lib/CapstormAppLoader.jar" "$@"
  • Adding the parameter:
    • "$JAVA" -Dnet.snowflake.jdbc.enableBouncycastle=TRUE -Dcsapp.class=CopyStorm -jar "$MYROOT/lib/CapstormAppLoader.jar" "$@"

To add the parameter in Windows:

  • Modify this line of CopyStorm.bat:
    • SET JVM_ARGS=
  • Adding the parameter:
    • SET JVM_ARGS=-Dnet.snowflake.jdbc.enableBouncycastle=TRUE

Step 3: Add BouncyCastle to Java

This step requires modifying the java.security file to add BouncyCastle support to Java.

The java.security file is located in the Java installation directory. For example, in the Windows release of CopyStorm, it can be found at:

  • [CopyStorm]/jre/conf/security/java.security

To add BouncyCastle:

  • Open the java.security file.
  • Find the lines that begin with “security.provider.”.
  • Add a new line to the end of the list.
  • The new line will look like:
    • security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider
  • Where N is the next sequential number.
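The script below is an added example, not part of CopyStorm or BouncyCastle, that works out the exact line to append in Step 3. The function name bc_provider_line, its return codes, and the sample file contents are constructed for illustration; pass it the path of your own java.security file.

```shell
#!/bin/sh
# Added example: compute the "security.provider.N=" line for Step 3.
BC_CLASS="org.bouncycastle.jce.provider.BouncyCastleProvider"

# bc_provider_line FILE
#   0: prints the line to append to FILE
#   1: BouncyCastle is already an active provider, nothing to add
#   2: FILE is unreadable or contains no active provider entries
#   3: the existing numbering has a gap or does not start at 1
bc_provider_line() {
    file="$1"
    [ -r "$file" ] || return 2

    # Only uncommented entries count; "#security.provider..." is ignored.
    # [[:space:]]* tolerates trailing blanks and Windows CR line endings.
    if grep -Eq "^security\.provider\.[0-9]+=${BC_CLASS}[[:space:]]*$" "$file"; then
        return 1
    fi

    # Collect the N of every active "security.provider.N=" line.
    nums=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$file" | sort -n -u)
    [ -n "$nums" ] || return 2

    # The JDK reads security.provider.1, .2, ... in order and stops at the
    # first missing number, so an entry placed after a gap is never loaded.
    expected=1
    for n in $nums; do
        [ "$n" -eq "$expected" ] || return 3
        expected=$((expected + 1))
    done

    echo "security.provider.${expected}=${BC_CLASS}"
}

# Constructed sample input (not a real JDK file): three active providers
# and one commented-out entry that must not affect the numbering.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#security.provider.9=example.CommentedOut
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
EOF
bc_provider_line "$sample"
rm -f "$sample"
```

Review the printed line and append it to java.security by hand; the script only reads the file.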

Step 4: Restart CopyStorm

Changes will take effect the next time CopyStorm is launched.

  • Close any running instances of CopyStorm.
  • Start a new CopyStorm instance by running the CopyStorm.bat or CopyStorm.sh script.