IBM Support

Derby database creation fails with an Access Denied message

Technote (troubleshooting)


Problem(Abstract)

When starting the TDI Server, the Server fails to create (or access) the TDISysStore directory and throws error CTGDIS809E.

Symptom

The following error message is shown:

CTGDIS809E handleException - cannot handle exception , script
java.sql.SQLException: DERBY SQL error: SQLCODE: -1, SQLSTATE: XJ041, SQLERRMC: Failed to create database '/opt/IBM/TDI/V7.1/TDISysStore', see the next exception for details.::SQLSTATE: XBM0HDirectory /opt/IBM/TDI/V7.1/TDISysStore cannot be created.::SQLSTATE: XJ001Java exception: 'Access denied (java.io.FilePermission /opt/IBM/TDI/V7.1/TDISysStore write): java.security.AccessControlException'.
at org.apache.derby.client.am.SQLExceptionFactory40.getSQLException(Unknown Source)
at org.apache.derby.client.am.SqlException.getSQLException(Unknown Source)


Resolving the problem

1. Stop ALL running processes of the Derby instance which are associated with TDI.
By default the Derby instance runs on port 1527

  • Stop the TDI Config Editor (ibmditk), and/or the TDI Server (ibmdisrv)
  • Shutdown the Derby database
    • Prior to TDI 7.1.1, use the script documented at https://ibm.biz/BdRAaD
    • For TDI 7.1.1 and later, use the command: <TDI_Install_Dir>/ibmdisrv -Y
  • Verify the Derby database is shutdown. (This option forces the Derby shutdown if the previous command was unsuccessful.)
    • On unix/linux:
      netstat -anp | grep 1527
      kill -9 <process id>
    • On Windows:
      netstat -ano | findstr 1527

      Use 'Task Manager' to find the PID
      kill the 'java' process associated with process id.

2. Locate the TDISysStore Directory Path:

  • Open the <TDI_Solution_Directory>/solution.properties file.
  • Locate the 'com.ibm.di.store.database' parameter

    Example:
    com.ibm.di.store.database=jdbc:derby://localhost:1527//opt/IBM/TDI/V7.1.1/TDISysStore;create=true

    ** If the value of the directory = $soldir$, then use actual directory defined by <TDI_Solution_Directory>


3. Modify the 'derby.properties' file to include the path:
  • Locate the <TDI_Install_Dir>/etc/derby.properties and <TDI_Solution_Directory>/etc/derby.properties files
  • Add the following parameter to both files:
        derby.system.home=<Path found in Step #2>

      e.g. derby.system.home=/opt/IBM/TDI/V7.1.1

4. Verify.

Start the TDI Config Editor and use the 'Browse Server Stores' push button to test the connection to the SystemStore.

If the above process fails, continue to Step #5.

5. Adjust the java.policy file to allow Derby access.


    ** Best practice: Backup java.policy file prior to editing


    Add a policy for the Derby files by editing the java.policy file with the jvm policytool

    • Stop ALL TDI Java processes as noted in Step #1 above.
    • Start the utility: <TDI_Install_Dir>/jvm/jre/bin/policytool
    • Within the Policytool, open file <TDI_Install_Dir>/jvm/jre/lib/security/java.policy
    • Click the 'Add Policy Entry' button
      • On a Linux/Unix system, in the CodeBase field, enter:
        file:/opt/IBM/TDI/V7.1.1/jars/3rdparty/IBM/derby*

      • On a Windows system, in the CodeBase field, enter:
        file:/C:/Program Files/IBM/TDI/V7.1.1/jars/3rdparty/IBM/derby*
    • Click the 'Add Permission' button, and select 'AllPermission' from the Permission drop-down menu
    • Select Ok > Done > File > Save, then close the policytool.


    NOTE: If a GUI environment is not available to start the policytool, then using a text editor, append the appropriate text to the java.policy file. For example, on Windows:

    grant codeBase "file:/opt/IBM/TDI/V7.1.1/jars/3rdparty/IBM/derby*" {
      permission java.security.AllPermission;
    };

6. Repeat Step #4 above to test the connection.

Document information

More support for: IBM Security Directory Integrator
General

Software version: 7.0, 7.1, 7.1.1, 7.2

Operating system(s): Platform Independent

Reference #: 1450475

Modified date: 07 July 2014