Additional configuration is required in order to use the Teradata JDBC Driver when WebSphere Java 2 security is enforced. For reference, instructions are provided to enable WebSphere Java2 security.
The Teradata JDBC Driver provides the same Communication Processor (COP) discovery behavior as Network CLIv2. The Teradata JDBC Driver first finds all defined COPs. Starting with "COP1", which is appended to the database hostname, and then proceeds with "COP2", "COP3", ..., "COPn" until an undefined name is reached.
The COP discovery approach used by Teradata JDBC Driver requires security permissions to be defined in WebSphere dynamic policy files, including app.policy and was.policy. The permission definitions in these dynamic policy files will be described below.
The app.policy file is located in the following WebSphere directory location for WebSphere 5.1:
<WebSphere-Installation-Root>/config/cells/<cell-name>/nodes/<node-name>
The app.policy file is located in the following WebSphere directory location for WebSphere 6.0 and later:
<WebSphere-Installation-Root>/profiles/<profile-name>/config/cells/<cell-name>/nodes/<node-name>
The app.policy file contains default permissions for all of the enterprise applications in the cell. If security permissions are required for all of the enterprise applications in the cell, these permissions can be defined in app.policy, however, if some security permissions only apply to some specific WebSphere Application Server enterprise application, those permissions must be defined in was.policy, which will be described in the following section.
WebSphere Application Server has the following default permission defined in the app.policy file:
permission java.net.SocketPermission "*", "connect";
This permission is included in the following segment in app.policy:
grant codeBase "file:${webComponent}" {
permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};
The Teradata JDBC Driver's COP discovery technique is compatible with the default permission in the default app.policy file. However, when a site removes that default permission in order to tighten security, then additional specific permissions are required to support the Teradata JDBC Driver's COP discovery.
Assume there are n nodes of the database system, then the following permissions are required:
permission java.net.SocketPermission "hostnameCOP1", "connect";
permission java.net.SocketPermission "hostnameCOP2", "connect";
......
permission java.net.SocketPermission "hostnameCOPn", "connect";
These permissions must be inserted into app.policy like:
grant codeBase "file:${webComponent}" {
permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "hostnameCOP1", "connect";
permission java.net.SocketPermission "hostnameCOP2", "connect";
......
permission java.net.SocketPermission "hostnameCOPn", "connect";
permission java.util.PropertyPermission "*", "read";
};
NOTE: If these permissions apply to a specific application only, they should not be defined in app.policy and instead they must be defined in was.policy. The permission definition in was.policy is described below.
The was.policy file is packaged in an enterprise archive (EAR) file. The was.policy file contains application-specific permissions for an WebSphere Application Server enterprise application.
The following permissions will be required in was.policy to meet the requirements for the COP discovery approach of Teradata JDBC Driver. It should be noted that these permissions in was.policy are for the specific application only where it is packaged.
Assume there are n nodes of the database system, then following permissions must be defined:
permission java.net.SocketPermission "hostnameCOP1", "connect";
permission java.net.SocketPermission "hostnameCOP2", "connect";
......
permission java.net.SocketPermission "hostnameCOPn", "connect";
These permissions must be inserted into was.policy like:
grant codeBase "file:${webComponent}" {
permission java.net.SocketPermission "hostnameCOP1", "connect";
permission java.net.SocketPermission "hostnameCOP2", "connect";
......
permission java.net.SocketPermission "hostnameCOPn", "connect";
};
grant codeBase "file:${application}" {
permission java.net.SocketPermission "hostnameCOP1", "connect";
permission java.net.SocketPermission "hostnameCOP2", "connect";
......
permission java.net.SocketPermission "hostnameCOPn", "connect";
};
Note: When more nodes are added to the database system, for example, m more nodes, the following additional permissions must be added to was.policy (if these permissions need to apply to all the applications in the cell, then they must be defined in the app.policy file):
permission java.net.SocketPermission "hostnameCOP1", "connect";
permission java.net.SocketPermission "hostnameCOP2", "connect";
......
permission java.net.SocketPermission "hostnameCOPn", "connect";
permission java.net.SocketPermission "hostnameCOPn+1", "connect";
......
permission java.net.SocketPermission "hostnameCOPn+m", "connect";
Besides the above SocketPermissions, RuntimePermission and FilePermission may also be needed. Depending upon WebSphere application server configurations and the enterprise application structures, the following permissions may be required in was.policy (if these permissions need to apply to all the applications in the cell, then they must be defined in the app.policy file).
Note that you need to substitute the actual directory where the Teradata JDBC Driver is located for "C:/teradatajdbcdriver" shown in the examples below.
grant codeBase "file:${application}" {
permission java.lang.RuntimePermission "getClassLoader";
};
grant codeBase "file:${application}" {
permission java.io.FilePermission
"C:/teradatajdbcdriver/terajdbc4.jar", "read";
};
Beginning with Teradata JDBC Driver 16.20.00.11, tdgssconfig.jar is no longer used.
With older versions of the Teradata JDBC Driver, an additional permission must be granted for tdgssconfig.jar.
grant codeBase "file:${application}" {
permission java.io.FilePermission
"C:/teradatajdbcdriver/tdgssconfig.jar", "read";
};
In WebSphere Application Server 6.0 and later, applications must have the appropriate thread permissions specified in the was.policy or app.policy file. Without the thread permissions specified, the application cannot manipulate threads and WebSphere Application Server throws a java.security.AccessControlException. Therefore, the following code must be added to was.policy or app.policy file for an application to manipulate threads:
grant codeBase "file:${application}" {
permission java.lang.RuntimePermission "stopThread";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
};
The COP discovery approach used by Teradata JDBC Driver first finds all defined COPs. Starting with "COP1", which is appended to the database hostname, and then proceeds with "COP2", "COP3", "..., COPn" until an undefined name is reached. When this undefined name is encountered, a java.security.AccessControlException is thrown by WebSphere Java 2 security permission configuration. The Teradata JDBC Driver handles this Java 2 security exception properly so the COP discovery process will be completed successfully and the application will be able to use the data source without any issues.
However, the above Java 2 security exception will still be logged into WebSphere SystemOut.log file since this AccessControlException is generated by WebSphere Java 2 security configuration and the Teradata JDBC Driver has no control over WebSphere Java 2 security configuration.
Assume there are 4 nodes of the database system, and the following permissions have been defined in was.policy:
grant codeBase "file:${webComponent}" {
permission java.net.SocketPermission "hostnameCOP1", "connect";
permission java.net.SocketPermission "hostnameCOP2", "connect";
permission java.net.SocketPermission "hostnameCOP3", "connect";
permission java.net.SocketPermission "hostnameCOP4", "connect";
};
The WebSphere Java 2 security exception similar to the following contents will be logged into SystemOut.log file:
[11/13/06 14:15:20:836 PST] c6cf176 SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information.
Permission:
hostnameCOP5 : access denied (java.net.SocketPermission hostnameCOP5 resolve)
Code:
com.teradata.jdbc.jdbc_4.io.TDNetworkIO1_3Impl in {file:/C:/teradatajdbcdriver/terajdbc4.jar}
Stack Trace:
java.security.AccessControlException: access denied (java.net.SocketPermission ginghamCOP5 resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java(Compiled Code))
at java.security.AccessController.checkPermission(AccessController.java(Compiled Code))
at java.lang.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1054)
at java.net.InetAddress.getAllByName0(InetAddress.java:1009)
at java.net.InetAddress.getAllByName0(InetAddress.java:990)
at java.net.InetAddress.getAllByName(InetAddress.java:984)
NOTE: Since the Teradata JDBC Driver COP discovery logic handles this Java 2 security exception properly so the application will be able to use the data source without any issues.