# ODBC Configuration and Connection Parameters

The Snowflake ODBC driver utilizes both configuration and connection parameters. The methods for setting the parameters are different depending on the environment in which the driver is installed.


## Setting Parameters in Windows

In Windows:

• Configuration parameters are set in the Windows registry using regedit and the following registry path:

[HKEY_LOCAL_MACHINE\SOFTWARE\Snowflake\Driver]

• Connection parameters are set in Data Source Names (DSNs):

• DSNs are typically created and edited using the Windows Data Source Administration tool.

• If you wish, the registry keys for DSNs can be edited directly in the Windows registry using regedit. The registry path to the keys is different depending on whether you’re using 64-bit or 32-bit Windows and whether you’re editing a user or system DSN:

• 64-bit Windows:

[HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\<DSN_NAME>]

[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\<DSN_NAME>]

• 32-bit Windows:

[HKEY_CURRENT_USER\SOFTWARE\WOW6432NODE\ODBC\ODBC.INI\<DSN_NAME>]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\ODBC\ODBC.INI\<DSN_NAME>]


To add a connection parameter using regedit, add a new String Value, double-click on the value you created, then enter the ODBC parameter as the Value name and the parameter value as the Value data.

## Setting Parameters in macOS or Linux

In macOS or Linux:

• Configuration parameters are set in the configuration file (simba.snowflake.ini).

• Connection parameters are set in the data source name (DSN) file (odbc.ini).

## Configuration Parameters

LogLevel

Specifies the level of detail logged for clients that use the ODBC driver:

0 = Off
1 = Fatal
2 = Error
3 = Warning
4 = Info
5 = Debug
6 = Trace

LogPath

Specifies the location of the Snowflake log files for clients that use the ODBC driver.

CURLVerboseMode

Set to true to enable cURL verbose logging. The log file snowflake_odbc_curl.dmp is created and updated. The Snowflake ODBC driver uses cURL as the HTTP and SSL library. This parameter is useful for diagnosing network issues.

Proxy

Specifies a proxy server in the form of <host>:<port> for clients that use the ODBC driver.

Note

In Windows, entries for LogLevel and LogPath are created and populated with default values when the ODBC driver is installed; however, an entry for Proxy is not created during install. To specify a proxy to use with the driver, you must manually add the entry to the driver registry key.

To bypass the proxy for one or more IP addresses or URLs, add the NoProxy parameter.

NoProxy

Specifies the hostname patterns to bypass the proxy server (e.g. .amazonaws.com to bypass Amazon S3 access).

Note

The Snowflake ODBC driver passes the NoProxy value to the curl option CURLOPT_NOPROXY. The format of the NoProxy value can be found here.

CABundleFile

Set the location of the Certificate Authority (CA) bundle file. Must reference a file that includes a valid list of CA certificates.

For Linux, the RPM and DEB installers automatically copy the file and set this parameter.

For Mac, the PKG installer copies the file and sets this parameter.

For Windows, the MSI installer copies the file and sets this parameter.

A manual installation requires you to download the file from https://curl.haxx.se/docs/caextract.html and set the location of the file.

DisableOCSPCheck

Set to true to disable the TLS/SSL certificate revocation status check by the Online Certificate Status Protocol (OCSP). In normal circumstances, this flag should not be set. If an OCSP availability problem persists, the application might temporarily set this parameter to unblock connectivity issues, then remove it when the OCSP availability problem is addressed.

KeepLeadingTrailingZeros

Determines how leading or trailing zeros in numbers formatted as string values are handled. By default, the parameter is set to true, which means the driver retains any leading or trailing zeros. Set the parameter to false to remove leading or trailing zeros, for example:

• 0.23 is changed to .23

• 7.00 is changed to 7

NoExecuteInSQLPrepare

Set to true to configure the ODBC Driver to use the standard ODBC behavior when passing DDL statements (such as CREATE and DROP) to SQLPrepare() and SQLExecute().

In Snowflake, by default, when you pass a DDL statement to SQLPrepare(), the ODBC Driver sends the statement to the data source for execution (not preparation). When you pass a DDL statement to SQLExecute(), the ODBC Driver does not send the statement to the data source.

If you set NoExecuteInSQLPrepare to true, the ODBC Driver follows the standard ODBC behavior. Calling SQLPrepare() sends the statement to the data source for preparation (not execution). Calling SQLExecute() sends the statement to the data source for execution.

This parameter was introduced in version 2.21.6 of the ODBC Driver.

## Connection Parameters

### Required Connection Parameters

<name> (Data Source)

Specifies the name of your DSN.

uid (User)

Specifies the login name of the Snowflake user to authenticate.

pwd (Password)

A password is required to connect to Snowflake; however, for security and authentication reasons, Snowflake strongly discourages storing password credentials directly within any DSN definition.

Typically, the credentials are passed to the driver programmatically by the client application that is attempting to connect to Snowflake.

Note

In Windows, the ODBC driver displays a Password field in the Data Source Administration tool; however, the driver does not store any values entered in the field. Instead, the driver requires login credentials to be provided at connection time.

server (Server)

Specifies the hostname for your account in the following format:

account_name.snowflakecomputing.com

However, note that your full account name might include additional segments that identify the region and cloud platform where your account is hosted.

Account name examples by region

If your account name is xy12345:

| Cloud Platform / Region | Full Account Name |
|---|---|
| AWS | |
| US West (Oregon) | xy12345 |
| US East (Ohio) | xy12345.us-east-2.aws |
| US East (N. Virginia) | xy12345.us-east-1 |
| US East (Commercial Gov - N. Virginia) | xy12345.us-east-1-gov.aws |
| | xy12345.ca-central-1.aws |
| EU (Ireland) | xy12345.eu-west-1 |
| EU (Frankfurt) | xy12345.eu-central-1 |
| Asia Pacific (Tokyo) | xy12345.ap-northeast-1.aws |
| Asia Pacific (Mumbai) | xy12345.ap-south-1.aws |
| Asia Pacific (Singapore) | xy12345.ap-southeast-1 |
| Asia Pacific (Sydney) | xy12345.ap-southeast-2 |
| GCP | |
| US Central1 (Iowa) | xy12345.us-central1.gcp |
| Europe West2 (London) | xy12345.europe-west2.gcp |
| Europe West4 (Netherlands) | xy12345.europe-west4.gcp |
| Azure | |
| West US 2 (Washington) | xy12345.west-us-2.azure |
| East US 2 (Virginia) | xy12345.east-us-2.azure |
| US Gov Virginia | xy12345.us-gov-virginia.azure |
| | xy12345.canada-central.azure |
| West Europe (Netherlands) | xy12345.west-europe.azure |
| Switzerland North (Zurich) | xy12345.switzerland-north.azure |
| Southeast Asia (Singapore) | xy12345.southeast-asia.azure |
| Australia East (New South Wales) | xy12345.australia-east.azure |

Important

If either of the following conditions is true, your account name is different than the structure described in this example:

• If AWS PrivateLink is enabled for your account, your account name requires an additional privatelink segment. For more details, see AWS PrivateLink & Snowflake.

port (Port)

Specifies the port on which the driver listens for Snowflake communication.

Note

You do not need to change the default Port value of 443.

### Optional Connection Parameters

database (Database)

Specifies the default database to use for sessions initiated by the driver.

schema (Schema)

Specifies the default schema to use for sessions initiated by the driver.

Default is public.

warehouse (Warehouse)

Specifies the default warehouse to use for sessions initiated by the driver.

role (Role)

Specifies the default role to use for sessions initiated by the driver. The specified role should be a role that has been assigned to the specified user for the driver. If the specified role does not match any of the roles assigned to the user, sessions initiated by the driver have no role initially; however, a role can always be specified from within the session.

tracing (Tracing)

The level of detail to be logged in the driver trace files:

0 = Disable tracing

1 = Fatal only error tracing

2 = Error tracing

3 = Warning tracing

4 = Info tracing

5 = Debug tracing

6 = Detailed tracing

Note

In Windows, these additional connection parameters can be set in the Windows Registry using regedit.

In macOS or Linux, they are set in the odbc.ini file, similar to the rest of the connection parameters.

application

Snowflake partner use only: Specifies the name of a partner application to connect through ODBC.

This parameter can also be set by calling the SQLSetConnectAttr() function. For more details, see Snowflake-specific behavior of the SQLSetConnectAttr function.

authenticator

Specifies the authenticator to use for verifying user login credentials:

• snowflake (Default) to use the internal Snowflake authenticator.

• externalbrowser to use your web browser to authenticate with Okta, ADFS, or any other SAML 2.0-compliant identity provider (IdP) that has been defined for your account.

• https://<your_okta_account_name>.okta.com (i.e. the URL endpoint for Okta) to authenticate through native Okta (only supported if your IdP is Okta).

• oauth to authenticate using OAuth. When OAuth is specified as the authenticator, you must also set the token parameter to specify the OAuth token (see below).

Default is snowflake.

For more information on authentication, see Managing/Using Federated Authentication and OAuth with Clients, Drivers, and Connectors.

token=<string>

Specifies the OAuth token to use for authentication, where <string> is the token. This parameter is required only when the authenticator=oauth parameter is set.

Default is none.

passcode

Specifies the passcode to use for multi-factor authentication.

passcodeInPassword

Specifies whether the passcode for multi-factor authentication is appended to the password:

• on (or true) specifies the passcode is appended.

• off (or false) or any other value specifies the passcode is not appended.

The default value is off.

login_timeout

Specifies how long to wait for a response when connecting to the Snowflake service before returning a login failure error.

Default is 60 seconds.

network_timeout

Specifies how long to wait for a response when interacting with the Snowflake service before returning an error. Zero (0) indicates no network timeout is set.

Default is 0 seconds.

query_timeout

Specifies how long to wait for a query to complete before returning an error. Zero (0) indicates to wait indefinitely.

Default is 0 seconds.

odbc_use_standard_timestamp_columnsize

This boolean parameter affects the column size (in characters) returned for SQL_TYPE_TIMESTAMP. When this parameter is set to true, the driver returns 29, following the ODBC standard. When this parameter is set to false, the driver returns 35, which allows room for the timezone offset (e.g. “-08:00”).

This value can be set in the odbc.ini file (Linux or macOS), in the Windows registry, or in the connection string.

Default is false.

proxy

Specifies the proxy server URL in the format http://<hostname>:<port>/ or <hostname>:<port_number> so that all communications from ODBC use the proxy server.

Note

This parameter is applied to the process. If another connection shares the same process, the proxy setting must be identical or the behavior is not predictable.

no_proxy

Specifies which hostname endings should be allowed to bypass the proxy server (e.g. no_proxy=.amazonaws.com means that Amazon S3 access does not need to go through the proxy).

This parameter does not support wildcards. Each value specified should be one of the following:

• The end of a hostname (or a complete hostname), for example:

• .amazonaws.com

• xy12345.snowflakecomputing.com

• An IP address, for example:

• 192.196.1.15

If more than one value is specified, values should be separated by commas, for example:

no_proxy=localhost,.my_company.com,xy12345.snowflakecomputing.com,192.168.1.15,192.168.1.16


Note

This parameter is applied to the process. If another connection shares the same process, the proxy setting must be identical or the behavior is not predictable.
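Several of the parameters above weaken certificate checking, write diagnostic logs, or put secrets on disk, and on macOS or Linux that can be checked directly against the text of simba.snowflake.ini and odbc.ini. The following is an added example, not Snowflake's code: the sample files, the `[Driver]` section name, and the rules for token, passcode, proxy credentials and log levels are assumptions made for this example, while the pwd, DisableOCSPCheck and no_proxy wildcard rules follow the parameter descriptions on this page.

```python
import configparser

# Constructed sample files for this example; every value is a placeholder.
# The [Driver] section name in simba.snowflake.ini is an assumption.
SAMPLE_DRIVER_INI = """\
[Driver]
LogLevel = 6
CURLVerboseMode = true
DisableOCSPCheck = true
"""

SAMPLE_ODBC_INI = """\
[reporting]
server = xy12345.snowflakecomputing.com
uid = jsmith
pwd = example-password
proxy = http://svc:example-secret@proxyserver.company.com:80
no_proxy = *.amazonaws.com,localhost

[etl]
server = xy12345.snowflakecomputing.com
uid = etl_user
proxy = proxyserver.company.com:80
no_proxy = .amazonaws.com
"""

# pwd: storing it in a DSN is discouraged on this page.
# token and passcode: flagged by analogy (assumption of this example).
SECRET_KEYS = {
    "pwd": "password stored in the DSN; pass it at connection time instead",
    "token": "OAuth token stored in the DSN",
    "passcode": "MFA passcode stored in the DSN",
}


def _sections(text):
    """Return (section name, options) pairs; option names are case-insensitive."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return [(name, parser[name]) for name in parser.sections()]


def audit_driver_config(text):
    """Check configuration parameters (simba.snowflake.ini)."""
    findings = []
    for section, opts in _sections(text):
        if opts.get("disableocspcheck", "").strip().lower() == "true":
            findings.append((section, "DisableOCSPCheck", "certificate revocation check is off"))
        if opts.get("curlverbosemode", "").strip().lower() == "true":
            findings.append((section, "CURLVerboseMode", "snowflake_odbc_curl.dmp is being written"))
        level = opts.get("loglevel", "0").strip()
        if level.isdigit() and int(level) >= 5:  # 5 = Debug, 6 = Trace
            findings.append((section, "LogLevel", "Debug/Trace logging left enabled"))
    return findings


def audit_dsns(text):
    """Check connection parameters (odbc.ini); values are never echoed back."""
    findings = []
    for section, opts in _sections(text):
        for key, reason in SECRET_KEYS.items():
            if opts.get(key, "").strip():
                findings.append((section, key, reason))
        # Accept both http://<hostname>:<port>/ and <hostname>:<port>.
        authority = opts.get("proxy", "").split("://", 1)[-1].split("/", 1)[0]
        if "@" in authority:
            findings.append((section, "proxy", "credentials embedded in the proxy URL"))
        entries = [e.strip() for e in opts.get("no_proxy", "").split(",")]
        if any("*" in e for e in entries):
            findings.append((section, "no_proxy", "wildcards are not supported"))
    return findings
```

Each finding is a `(section, parameter, reason)` tuple, so the output can be logged or attached to a ticket without exposing the stored secret.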

## Verifying the Network Connection to Snowflake with SnowCD

After configuring your driver, you can evaluate and troubleshoot your network connectivity to Snowflake using SnowCD.

You can use SnowCD during the initial configuration process and on-demand at any time to evaluate and troubleshoot your network connection to Snowflake.

## Connecting Through a Proxy Server

The instructions for configuring a proxy server connection depend on your operating system and driver version:

| Operating System | Driver Version | Supported Instructions |
|---|---|---|
| Linux | 2.16.0 (released May 3, 2018) or higher | |
| | 2.13.18 (released February 7, 2018) - 2.15.0 (released April 30, 2018) | Using Environment Variables |
| | 2.13.17 or lower | Using Configuration Parameters |
| macOS | 2.16.0 (released May 3, 2018) or higher | |
| | 2.14.0 (released March 28, 2018) - 2.15.0 (released April 30, 2018) | Using Environment Variables |
| | 2.13.21 or lower | Using Configuration Parameters |
| Windows | 2.16.0 (released May 3, 2018) or higher | |
| | 2.15.0 (released April 30, 2018) | Using Environment Variables |
| | 2.14.0 or lower | Using Configuration Parameters |

Note

The latest versions of the ODBC driver, indicated above, support any of the listed configuration options. The options are listed in order of precedence. If more than one option is defined, the setting with the highest precedence is applied.

### Using Connection Parameters

To connect through a proxy server, add the following connection parameters to the DSN:

• proxy

• no_proxy

For example:

[connection]
Description = SnowflakeDB
Driver      = SnowflakeDSIIDriver
Locale      = en-US
server      = account.snowflakecomputing.com
proxy       = http://proxyserver.company:80
no_proxy    = .amazonaws.com


See Connection Parameters for parameter descriptions.

### Using Configuration Parameters

Note

These parameters are obsolete (i.e. no longer supported) in recent ODBC driver versions. See the table of supported options in Connecting Through a Proxy Server. As you upgrade your driver, configure your proxy server settings using the environment variables or connection parameters.

To connect through a proxy server, add the following configuration parameters:

• Proxy

• NoProxy

See Configuration Parameters for parameter descriptions.

### Using Environment Variables

To connect through a proxy server, configure the following environment variables:

• http_proxy

• https_proxy

• no_proxy

Note

These environment variables are case-sensitive for Linux and macOS, and must be set in lowercase. For Windows, the environment variables are case-insensitive.

For example:

• Linux or macOS:

export http_proxy=http://proxyserver.company.com:80
export https_proxy=http://proxyserver.company.com:80


If the proxy server requires a user name and password, include the credentials, for example:

export https_proxy=http://username:password@proxyserver.company.com:80

• Windows:

set http_proxy=http://proxyserver.company.com:80
set https_proxy=http://proxyserver.company.com:80


If the proxy server requires a user name and password, include the credentials, for example:

set https_proxy=http://username:password@proxyserver.company.com:80


Optionally, you can set no_proxy to bypass the proxy for specific communications (e.g. no_proxy=.amazonaws.com to bypass Amazon S3 access).

## Using Single Sign-on (SSO) For Authentication

If you have configured Snowflake to use single sign-on (SSO), you can configure your client application to use SSO for authentication. See Using SSO with Client Applications That Connect to Snowflake for details.

## Using Key Pair Authentication

Snowflake supports using key pair authentication rather than the typical username/password authentication. This authentication method requires a 2048-bit (minimum) RSA key pair. Generate the public-private key pair using OpenSSL. The public key is assigned to the Snowflake user who will use the Snowflake client.

Tip

Snowflake recommends using a long and complex password based on PCI DSS standards to protect the locally generated private key.

Follow these steps to generate a long and complex password based on PCI DSS standards:

1. Access the PCI Security Standards Document Library.

3. Complete the form to access the document.

4. Search for Passwords/passphrases must meet the following: and follow the recommendations for password/passphrase requirements, testing, and guidance.

• Depending on the document version, you will likely find this phrase in a section called Requirement 8: Identify and authenticate access to system components (or similar name).

To configure the public/private key pair:

1. From the command line in a terminal window, generate a private key.

You can generate either an encrypted version of the private key or an unencrypted version of the private key.

To generate an unencrypted version, use the following command:

$ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

To generate an encrypted version, use the following command (which omits “-nocrypt”):

$ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8


It is typically safer to generate an encrypted version.

If you use the second command to encrypt the private key, then OpenSSL prompts for a passphrase used to encrypt the private key file. We recommend using a strong passphrase to protect the private key. Record this passphrase in a secure location. You will input it when connecting to Snowflake. Note that the passphrase is only used for protecting the private key and will never be sent to Snowflake.

Sample PEM private key

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9w0BBQMwDgQILYPyCppzOwECAggABIIEyLiGSpeeGSe3xHP1
wHLjfCYycUPennlX2bd8yX8xOxGSGfvB+99+PmSlex0FmY9ov1J8H1H9Y3lMWXbL
...
-----END ENCRYPTED PRIVATE KEY-----

2. From the command line, generate the public key by referencing the private key:

Assuming the private key is encrypted and contained in the file named “rsa_key.p8”, use the following command:

$ openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub


Sample PEM public key

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+Fw2qv4Roud3l6tjPH4
zxybHjmZ5rhtCz9jppCV8UTWvEXxa88IGRIHbJ/PwKW/mR8LXdfI7l/9vCMXX4mk
...
-----END PUBLIC KEY-----

3. Copy the public and private key files to a local directory for storage. Record the path to the files. Note that the private key is stored using the PKCS#8 (Public Key Cryptography Standards) format and is encrypted using the passphrase you specified in the previous step; however, the file should still be protected from unauthorized access using the file permission mechanism provided by your operating system. It is your responsibility to secure the file when it is not being used.

4. Assign the public key to the Snowflake user using ALTER USER. For example:

ALTER USER jsmith SET RSA_PUBLIC_KEY='MIIBIjANBgkqh...';


Note

• Only security administrators (i.e. users with the SECURITYADMIN role) or higher can alter a user.

• Exclude the public key header and footer in the SQL statement.

Verify the user’s public key fingerprint using DESCRIBE USER:

DESC USER jsmith;
+-------------------------------+-----------------------------------------------------+---------+-------------------------------------------------------------------------------+
| property                      | value                                               | default | description                                                                   |
|-------------------------------+-----------------------------------------------------+---------+-------------------------------------------------------------------------------|
| NAME                          | JSMITH                                              | null    | Name                                                                          |
...
...
| RSA_PUBLIC_KEY_FP             | SHA256:nvnONUsfiuycCLMXIEWG4eTp4FjhVUZQUQbNpbSHXiA= | null    | Fingerprint of user's RSA public key.                                         |
| RSA_PUBLIC_KEY_2_FP           | null                                                | null    | Fingerprint of user's second RSA public key.                                  |
+-------------------------------+-----------------------------------------------------+---------+-------------------------------------------------------------------------------+


Note

The RSA_PUBLIC_KEY_2_FP property is described in Key Rotation (in this topic).

5. Modify the data source name (DSN) entries for the driver. For information about the DSN entries, see the appropriate topic for your operating system:

AUTHENTICATOR = SNOWFLAKE_JWT

Specifies to authenticate the Snowflake connection using key pair authentication with JSON Web Token (JWT).

JWT_TIME_OUT = integer

Optional. Specifies the length of time Snowflake waits to receive the JWT (in seconds) before timing out. If that happens, authentication fails and the driver returns an Invalid JWT token error. To resolve repeated occurrences of the error, increase the parameter value. Default: 30

PRIV_KEY_FILE = path/rsa_key.p8

Specifies the local path to the private key file you created (i.e. rsa_key.p8).

The value set in DSN can be overridden by calling the SQLSetConnectAttr() function. For more details, see Snowflake-specific behavior of the SQLSetConnectAttr function.

PRIV_KEY_FILE_PWD = <password>

Specifies the passcode to decode the private key file.

This parameter should be set only if the parameter PRIV_KEY_FILE is also set.

The value set in DSN can be overridden by calling the SQLSetConnectAttr() function. For more details, see Snowflake-specific behavior of the SQLSetConnectAttr function.

6. Save the settings.

### Key Rotation

Snowflake supports multiple active keys to allow for uninterrupted rotation. Rotate and replace your public and private keys based on the expiration schedule you follow internally.

Currently, you can use the RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2 parameters for ALTER USER to associate up to 2 public keys with a single user.

1. Complete the steps in Using Key Pair Authentication to:

• Generate a new private and public key set.

• Assign the public key to the user. Set the public key value to either RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2 (whichever key value is not currently in use). For example:

alter user jsmith set rsa_public_key_2='JERUEHtcve...';

2. Update the code to connect to Snowflake. Specify the new private key.

Snowflake verifies the correct active public key for authentication based on the private key submitted with your connection information.

3. Remove the old public key from the user profile. For example:

alter user jsmith unset rsa_public_key;
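The fingerprint that DESC USER reports in step 4 of Using Key Pair Authentication can be recomputed from the local rsa_key.pub, which also shows which of the two slots holds the new key before the old one is unset during rotation. The following is an added example, not Snowflake's code: it assumes RSA_PUBLIC_KEY_FP is `SHA256:` followed by the base64 SHA-256 digest of the DER-encoded public key, and the helper names and the sample key (structurally valid filler, not a usable key) are constructed for illustration.

```python
import base64
import hashlib
import re
from typing import Mapping, Optional

# Constructed sample: a structurally valid 2048-bit RSA SubjectPublicKeyInfo
# whose modulus is SHA-256 filler. It is NOT a usable key.
_filler = bytearray(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8)))
_filler[0] |= 0x80  # top bit set so the modulus is exactly 2048 bits
SAMPLE_DER = (
    bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00")
    + bytes.fromhex("3082010a0282010100") + bytes(_filler)
    + bytes.fromhex("0203010001")  # public exponent 65537
)


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PUBLIC KEY PEM block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PUBLIC KEY-----", *rows, "-----END PUBLIC KEY-----", ""])


SAMPLE_PEM = to_pem(SAMPLE_DER)
_PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def pem_body(pem_text: str) -> str:
    """Base64 body without header, footer or line breaks: the value to paste
    into ALTER USER ... SET RSA_PUBLIC_KEY='...'."""
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PUBLIC KEY block found (private key file passed?)")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)  # raises on a truncated or garbled copy
    return body


def fingerprint(pem_text: str) -> str:
    """SHA256:<base64 digest of the DER key>, the format DESC USER displays."""
    der = base64.b64decode(pem_body(pem_text), validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length


def rsa_modulus_bits(pem_text: str) -> int:
    """Modulus size, to check the 2048-bit minimum before uploading the key."""
    der = base64.b64decode(pem_body(pem_text), validate=True)
    _, start, _ = _tlv(der, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(der, start)      # AlgorithmIdentifier
    _, start, _ = _tlv(der, alg_end)      # BIT STRING wrapping RSAPublicKey
    _, start, _ = _tlv(der, start + 1)    # +1 skips the unused-bits byte
    tag, start, end = _tlv(der, start)    # modulus INTEGER
    if tag != 0x02:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[start:end], "big").bit_length()


def matching_slot(pem_text: str, desc_user: Mapping[str, str]) -> Optional[str]:
    """Which DESC USER fingerprint property, if any, holds this local key."""
    local = fingerprint(pem_text)
    for prop in ("RSA_PUBLIC_KEY_FP", "RSA_PUBLIC_KEY_2_FP"):
        if desc_user.get(prop) == local:
            return prop
    return None
```

If `matching_slot` returns `None` for the key the client is about to use, the ALTER USER step did not store that key, and unsetting the other slot would lock the user out of key pair authentication.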


## Verifying the OCSP Connector or Driver Version

Snowflake uses OCSP to evaluate the certificate chain when making a connection to Snowflake. The driver or connector version and its configuration both determine the OCSP behavior. For more information about the driver or connector version, their configuration, and OCSP behavior, see OCSP Configuration.

## OCSP Response Cache Server

Note

The OCSP response cache server is currently supported by the Snowflake ODBC Driver 2.15.0 and higher.

Snowflake clients initiate every connection to a Snowflake service endpoint with a “handshake” that establishes a secure connection before actually transferring data. As part of the handshake, a client authenticates the TLS/SSL certificate for the service endpoint. The revocation status of the certificate is checked by sending a client certificate request to one of the OCSP (Online Certificate Status Protocol) servers for the CA (certificate authority).

A connection failure occurs when the response from the OCSP server is delayed beyond a reasonable time. The following caches persist the revocation status, helping alleviate these issues:

• Memory cache, which persists for the life of the process.

• File cache, which persists until the cache directory (e.g. ~/.cache/snowflake or ~/.snowsql/ocsp_response_cache) is purged.

• Snowflake OCSP response cache server, which fetches OCSP responses from the CA’s OCSP servers hourly and stores them for 24 hours. Clients can then request the validation status of a given Snowflake certificate from this server cache.

Important

If your server policy denies access to most or all external IP addresses and web sites, you must whitelist the cache server address to allow normal service operation. The cache server hostname is ocsp*.snowflakecomputing.com:80.

If you need to disable the cache server for any reason, set the SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED environment variable to false. Note that the value is case-sensitive and must be in lowercase.

If none of the cache layers contain the OCSP response, the client then attempts to fetch the validation status directly from the OCSP server for the CA.