... or why Oracle still cares about CMAN and why you should do it too
The Oracle Connection Manager (CMAN) is the Swiss-army knife for database connections. It can be used for security, routing, high availability, as a single point of contact... Starting with Oracle 18c, it has been extended with the new Traffic Director Mode (CMAN TDM), which allows transparent failover for applications that do not implement it natively.
In this session I will briefly introduce what CMAN is capable of, how to configure it in a high availability environment, and how the new release achieves a higher protection level.
Long live to CMAN!
1. Long live to CMAN!
Or why Oracle still cares about CMAN and why you should do it too
Ludovico Caldara - Computing Engineer @CERN, Oracle ACE Director
2. ■ http://www.ludovicocaldara.net
■ @ludodba
■ ludovicocaldara
■ Two decades of DBA experience (Not Only Oracle)
■ ITOUG co-founder
■ OCP (11g, 12c, MySQL) & OCE
■ Italian living in Switzerland
Ludovico Caldara
3. The Large Hadron Collider (LHC)
Largest machine in the world
27km, 6000+ superconducting magnets
Emptiest place in the solar system
High vacuum inside the magnets
Hottest spot in the galaxy
Lead ion collisions create temperatures 100 000x hotter than the heart of the sun
Fastest racetrack on Earth
Protons circulate 11245 times/s (99.9999991% the speed of light)
6. oracle.com/gbtour
New Free Tier
Always Free
Oracle Cloud Infrastructure
Services you can use for unlimited time
30-Day Free Trial
Free credits you can use for more services
+
18. Command Line
# [ oracle@slv4474v:/ccv/app/oracle/admin/network [15:00:47] [CMAN] 0 ] #
# cmctl
CMCTL for Linux: Version 12.1.0.2.0 - Production on 09-NOV-2017 15:02:47
Copyright (c) 1996, 2014, Oracle. All rights reserved.
Welcome to CMCTL, type "help" for information.
CMCTL> administer
TNS-04077: WARNING: No password set for the Oracle Connection Manager instance.
Current instance CMAN_slv4474v.etat-de-vaud.ch is already started
Connections refer to (address=(protocol=tcp)(host=slv4474v.etat-de-vaud.ch)(port=1521)).
The command completed successfully.
CMCTL:CMAN_slv4474v.etat-de-vaud.ch> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
administer close* exit quit
reload resume* save_passwd set*
show* shutdown sleep startup
suspend*
CMCTL:CMAN_slv4474v.etat-de-vaud.ch>
# [ oracle@ocf-cman-1:/u01/app/oracle/network/admin [20:07:33] [19.3.0.0.0 [CLIENT] SID="not set"] 0 ] #
# cmctl
CMCTL for Linux: Version 19.0.0.0.0 - Production on 15-AUG-2019 20:12:40
Copyright (c) 1996, 2019, Oracle. All rights reserved.
Welcome to CMCTL, type "help" for information.
CMCTL> administer cman-test
Current instance cman-test is already started
Connections refer to (DESCRIPTION=(address=(protocol=tcp)(host=ocf-cman-1)(port=1521))).
The command completed successfully.
CMCTL:cman-test> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
administer close* exit quit
reload resume* save_passwd set*
show* shutdown sleep startup
suspend*
CMCTL:cman-test>
19. Stop / start
CMCTL:cman-test> shutdown
The command completed successfully.
CMCTL:cman-test> startup
Starting Oracle Connection Manager instance cman-test. Please wait...
CMAN for Linux: Version 19.0.0.0.0 - Production
Status of the Instance
----------------------
Instance name cman-test
Version CMAN for Linux: Version 19.0.0.0.0 - Production
Start date 15-AUG-2019 20:15:01
Uptime 0 days 0 hr. 0 min. 9 sec
Num of gateways started 2
Average Load level 0
Log Level ADMIN
Trace Level OFF
Instance Config file /u01/app/oracle/network/admin/cman.ora
Instance Log directory /u01/app/oracle/diag/netcman/ocf-cman-1/cman-test/alert
Instance Trace directory /u01/app/oracle/diag/netcman/ocf-cman-1/cman-test/trace
The command completed successfully.
CMCTL:cman-test>
27. White lists, black lists?
(rule_list=
(rule=(src=10.10.143.47/32)(dst=*)(srv=test-app-rw)(act=accept))
(rule=(src=10.10.150.0/24 )(dst=*)(srv=* )(act=accept))
(rule=(src=0.0.0.0/0 )(dst=*)(srv=* )(act=reject))
)
Rules:
  src=10.10.143.47/32  srv=test-app-rw
  src=10.10.150.0/24   srv=*
  src=*                srv=*
Connections:
  10.10.150.15  SRV=test-2       V
  10.10.143.47  SRV=test-2       X
  10.10.143.47  SRV=test-app-rw  V
Rule order is honored
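The first-match behaviour on this slide can be reproduced with a small model. This is an added example, not part of the original deck and not Oracle's implementation: it parses the rule_list above and evaluates only src and srv (dst is * in every rule here), with IP/CIDR sources; the function names are made up for the illustration.

```python
import ipaddress
import re

# rule_list as shown on the slide; padding spaces inside values are tolerated.
RULE_LIST = """
(rule_list=
 (rule=(src=10.10.143.47/32)(dst=*)(srv=test-app-rw)(act=accept))
 (rule=(src=10.10.150.0/24 )(dst=*)(srv=* )(act=accept))
 (rule=(src=0.0.0.0/0 )(dst=*)(srv=* )(act=reject))
)
"""

def parse_rules(text):
    """Return one dict per (rule=...) entry, in file order."""
    rules = []
    for body in re.findall(r"\(rule=((?:\([^()]*\))+)\)", text):
        pairs = re.findall(r"\(([^=()]+)=([^()]*)\)", body)
        rules.append({k.strip().lower(): v.strip() for k, v in pairs})
    return rules

def src_matches(pattern, client_ip):
    """Model only: '*' or an IP/CIDR source (hostnames are not handled)."""
    if pattern == "*":
        return True
    network = ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(client_ip) in network

def decide(rules, client_ip, service):
    """First matching rule wins; returns (action, 1-based rule number)."""
    for number, rule in enumerate(rules, 1):
        if src_matches(rule["src"], client_ip) and rule["srv"] in ("*", service):
            return rule["act"], number
    return "reject", None  # assumption of this model: no match means reject

if __name__ == "__main__":
    rules = parse_rules(RULE_LIST)
    for ip, srv in [("10.10.150.15", "test-2"), ("10.10.143.47", "test-2"),
                    ("10.10.143.47", "test-app-rw")]:
        print(ip, srv, decide(rules, ip, srv))
    # Same rules with the catch-all reject moved first: it shadows every accept.
    print(decide(rules[::-1], "10.10.143.47", "test-app-rw"))
```

Running the same three connections against a reordered list before reloading cman.ora is a cheap way to catch a broad rule that shadows a narrower one.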
28. SSH Tunneling (and LDAP/Kerberos?)
[Diagram: three RAC clusters (RACA1/RACA2, RACB1/RACB2, RACC1/RACC2), each node with a listener (lsnr) and each cluster with a SCAN, behind a FIREWALL]
29. SSH Tunneling (and LDAP/Kerberos?)
[Diagram: three RAC clusters (RACA1/RACA2, RACB1/RACB2, RACC1/RACC2), each node with a listener (lsnr) and each cluster with a SCAN, behind a FIREWALL; Cman1 and a Jump Host (sshd + krb5) sit in the client's path]
ssh me@jumphost -L 1521:cman1:1521
sqlplus user@localhost:1521/service
34. TDM Setup: Proxy User
SQL> connect sys/manager@mypdb as sysdba
Connected.
SQL> CREATE USER tdm IDENTIFIED BY "MyPassword";
User Created.
SQL> GRANT CONNECT TO tdm;
Grant succeeded.
SQL> ALTER USER appuser GRANT CONNECT THROUGH tdm;
User altered.
SQL> connect tdm[appuser]/MyPassword@mypdb
Connected.
35. TDM Setup: Proxy User
Not documented but important!
37. TDM Setup: Wallet
$ mkstore -wrl /u01/app/oracle/network/admin/WALLET-cman-tdm -create
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
$ mkstore -wrl /u01/app/oracle/network/admin/WALLET-cman-tdm \
    -createCredential myservice.mysubdomain.ocfnetwork.oraclevcn.com tdm MyPassword
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
38. TDM Setup: Wallet
IMPORTANT: one credential per service.
New service -> new credential -> wallet modified -> CMAN needs restart
39. My first try…
$ sqlplus appuser/password@std_not_pooled
SQL*Plus: Release 19.0.0.0.0 - Production on Sat Aug 24 18:36:31 2019
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
ERROR:
ORA-03135: connection lost contact
Process ID: 0
Session ID: 0 Serial number: 0
Enter user-name:
40. My first try…
Trace at CMAN level...
2019-08-26 08:47:48.161 : nsbasic_brc:00 00 41 4F 52 41 2D 30 |..AORA-0|
2019-08-26 08:47:48.161 : nsbasic_brc:31 30 34 35 3A 20 75 73 |1045:.us|
2019-08-26 08:47:48.161 : nsbasic_brc:65 72 20 54 44 4D 20 6C |er.TDM.l|
2019-08-26 08:47:48.161 : nsbasic_brc:61 63 6B 73 20 43 52 45 |acks.CRE|
2019-08-26 08:47:48.161 : nsbasic_brc:41 54 45 20 53 45 53 53 |ATE.SESS|
2019-08-26 08:47:48.161 : nsbasic_brc:49 4F 4E 20 70 72 69 76 |ION.priv|
2019-08-26 08:47:48.161 : nsbasic_brc:69 6C 65 67 65 3B 20 6C |ilege;.l|
2019-08-26 08:47:48.161 : nsbasic_brc:6F 67 6F 6E 20 64 65 6E |ogon.den|
2019-08-26 08:47:48.161 : nsbasic_brc:69 65 64 0A |ied. |
41. My first try… after granting connect
# sqlplus appuser/password@std_not_pooled
SQL*Plus: Release 19.0.0.0.0 - Production on Thu Aug 29 09:19:56 2019
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Last Successful login time: Thu Aug 29 2019 08:23:38 +00:00
Connected to:
Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
connected via Oracle Connection Manager in Traffic Director mode 19.3.0.0.0
SQL> show user
USER is "APPUSER"
SQL> select sys_context('USERENV','PROXY_USER') from dual;
SYS_CONTEXT('USERENV','PROXY_USER')
--------------------------------------------------------------------------------
TDM
42. TDM PRCP (Proxy Resident Connection Pooling)
[Diagram: several CLIENTs connect to cman, which holds a POOL of connections to PDB1 in CDBA]
Similar to DRCP, but at CMAN level
48. TDM Planned Outage
[Diagram: CLIENT, cman and two CDBA instances; PDB1 shown under the first CDBA]
• Client connects to cman:1521/pdb1
• Cman opens a connection to pdb1
• Upon PDB/service relocate, cman detects the stop and closes the connections at transaction boundaries
49. TDM Planned Outage
[Diagram: CLIENT, cman and two CDBA instances; PDB1 shown under the second CDBA]
• Client connects to cman:1521/pdb1
• Cman opens a connection to pdb1
• Upon PDB/service relocate, cman detects the stop and closes the connections at transaction boundaries
• The next request is executed on the surviving instance
50. TDM Planned Outage
[Diagram: CLIENT, cman and two CDBA instances; PDB1 shown under the second CDBA]
• Client connects to cman:1521/pdb1
• Cman opens a connection to pdb1
• Upon PDB/service relocate, cman detects the stop and closes the connections at transaction boundaries
• The next request is executed on the surviving instance
• The connection client-cman is intact, the client does not experience a disconnection