
PRODA B2B Device Keys — Configuration and Rotation

Maica connects to the Australian Government PRODA and NDIA CIAM gateways using a PRODA B2B device. Each device authenticates with an RSA key pair. This article explains how those keys are created, where they are stored, and how to rotate them.

How are the keys created?

Salesforce cannot generate RSA key pairs natively, so Maica generates them through the Maica Integration proxy. When you activate or refresh a PRODA device from Maica Settings → PRODA Integration, Maica calls the proxy, which generates a fresh RSA-2048 key pair. The proxy encrypts the private key with AES-256 before it is returned to Salesforce, so the value written to the PRODA Setting record (Private_Key__c) is ciphertext, not a readable key.

Where are the keys stored?

  • The public key is registered with PRODA / CIAM during device activation.

  • The private key is stored on the PRODA Setting record as AES-256 ciphertext. The key needed to decrypt it lives only inside the Maica proxy environment; it is not stored in Salesforce, in metadata, or in any export. Reading the field directly returns ciphertext that cannot be decrypted from within Salesforce.

  • The private key is only ever decrypted inside the proxy, in memory, at the moment a PRODA/CIAM access token is requested. It is never sent back to Salesforce in readable form.

Who can access these fields?

Access to PRODA Setting records and the Private_Key__c / Public_Key__c fields is controlled by standard object permissions and Field-Level Security. Only administrators with the relevant Maica Permission Set should be granted access.

How do you rotate the keys?

  1. Open the Maica Settings. Head to PRODA Integration and select the device.

  2. Choose Refresh Device Keys. Maica generates a new key pair through the proxy, re-registers the new public key with PRODA, and replaces the stored (encrypted) private key.

  3. Confirm the device shows an updated Device Key Expiry.

Rotate keys on the schedule mandated by your PRODA agreement, or immediately if you suspect the device has been compromised.

Please note & be aware

  1. Never paste a raw private key into the field manually. Always use the activate/refresh actions so the value is generated and encrypted correctly.

  2. If device authentication starts failing after an org refresh or sandbox copy, re-run Refresh Device Keys to re-establish a valid key pair.
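An administrator can audit for the first point above by checking that no stored Private_Key__c value has the shape of an unencrypted RSA key. The sketch below is an added example, not Maica's code: it assumes the records have been exported as rows with a Name and a Private_Key__c value, and that the proxy's ciphertext does not decode to an ASN.1 private-key structure. The record names and sample values are constructed.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")
# DER bytes of the rsaEncryption OID 1.2.840.113549.1.1.1 (present in PKCS#8 RSA keys)
RSA_OID = bytes.fromhex("2a864886f70d010101")


def looks_like_raw_private_key(value):
    """True if a field value looks like an unencrypted RSA private key (PEM or bare base64 DER)."""
    if PEM_RE.search(value):
        return True
    compact = "".join(value.split())  # a key pasted without PEM armour may still be wrapped
    try:
        der = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(der) < 16 or der[0] != 0x30:  # private keys are an ASN.1 SEQUENCE
        return False
    idx = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)  # skip short- or long-form length
    if der[idx:idx + 3] != b"\x02\x01\x00":  # PKCS#1 and PKCS#8 both open with version 0
        return False
    rest = der[idx + 3:]
    # PKCS#8 carries the RSA OID next; PKCS#1 goes straight to the modulus INTEGER.
    return RSA_OID in rest[:32] or rest[:1] == b"\x02"


def audit(records):
    """Names of records whose Private_Key__c does not look like proxy ciphertext."""
    return [r["Name"] for r in records
            if looks_like_raw_private_key(r.get("Private_Key__c") or "")]


# Constructed sample values: DER headers padded with zero bytes, not real keys.
PKCS8 = base64.b64encode(bytes.fromhex(
    "308204be020100300d06092a864886f70d0101010500048204a8") + bytes(64)).decode()
PKCS1 = base64.b64encode(bytes.fromhex("308204a402010002820101") + bytes(64)).decode()
OPAQUE = base64.b64encode(bytes(range(200, 256)) * 2).decode()  # stands in for ciphertext

SAMPLE = [  # constructed export rows; record names are hypothetical
    {"Name": "device-a", "Private_Key__c": OPAQUE},
    {"Name": "device-b", "Private_Key__c": PKCS8},
    {"Name": "device-c", "Private_Key__c": "-----BEGIN PRIVATE KEY-----\n" + PKCS8},
    {"Name": "device-d", "Private_Key__c": PKCS1},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any record the audit flags should have its keys replaced through Refresh Device Keys, since a key that was ever stored in readable form can no longer be considered protected.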
