Long live to CMAN!
Or why Oracle still cares about CMAN and why you should do it too
Ludovico Caldara - Computing Engineer @CERN, Oracle ACE Director
■ http://www.ludovicocaldara.net
■ @ludodba
■ ludovicocaldara
■ Two decades of DBA experience (Not Only Oracle)
■ ITOUG co-founder
■ OCP (11g, 12c, MySQL) & OCE
■ Italian living in Switzerland
Ludovico Caldara
The Large Hadron Collider (LHC)
Largest machine in the world
27km, 6000+ superconducting magnets
Emptiest place in the solar system
High vacuum inside the magnets
Hottest spot in the galaxy
Lead ion collisions create temperatures 100 000x hotter than the heart of the sun
Fastest racetrack on Earth
Protons circulate 11245 times/s (99.9999991% the speed of light)
SQL> select sum(bytes/power(1024,5)) as "PetaBytes"
> from dba_data_files;
PetaBytes
--------------
1.052794738695
Large databases
Or complex ones
Very short introduction of CMAN
A multipurpose networking solution
• For security
• For tunneling
• For protocol conversion (IPv6 / IPv4)
• For protocol conversion (TCPS / TCP)
• For session multiplexing
Oracle Connection Manager 1-0-1
Connection manager fact sheet
• For Enterprise Edition databases only
• CMAN version >= DB version
• Part of the Oracle Client binaries
Install: Oracle Client with cman option
$ cat cman.rsp
oracle.install.responseFileVersion=/oracle/install/rspfmt_clientinstall_response_schema_v19.0.0
ORACLE_HOSTNAME=$(hostname)
UNIX_GROUP_NAME=oinstall
INVENTORY_LOCATION=/u01/app/oraInventory
SELECTED_LANGUAGES=en
ORACLE_HOME=/u01/app/oracle/product/cman1940
ORACLE_BASE=/u01/app/oracle
oracle.install.client.installType=Custom
oracle.install.client.customComponents="oracle.sqlplus:19.0.0.0.0","oracle.network.client:19.0.0.0.0","oracle.network.cman:19.0.0.0.0","oracle.network.listener:19.0.0.0.0"
$ ./runInstaller -silent -responseFile cman.rsp ORACLE_HOME_NAME=cman1940
Config: cman.ora
$ cat cman.ora
cman-test = (configuration=
(address=(protocol=tcp)(host=ocf-cman-1)(port=1521))
(parameter_list =
(log_level=ADMIN)
(trace_level=USER)
(registration_invited_nodes = *)
)
(rule_list=
(rule=
(src=*)(dst=*)(srv=*)(act=accept)
))
)
Listen Address(es)
Configuration properties
Rules (see later)
Command Line
# [ oracle@slv4474v:/ccv/app/oracle/admin/network [15:00:47] [CMAN] 0 ] #
# cmctl
CMCTL for Linux: Version 12.1.0.2.0 - Production on 09-NOV-2017 15:02:47
Copyright (c) 1996, 2014, Oracle. All rights reserved.
Welcome to CMCTL, type "help" for information.
CMCTL> administer
TNS-04077: WARNING: No password set for the Oracle Connection Manager instance.
Current instance CMAN_slv4474v.etat-de-vaud.ch is already started
Connections refer to (address=(protocol=tcp)(host=slv4474v.etat-de-vaud.ch)(port=1521)).
The command completed successfully.
CMCTL:CMAN_slv4474v.etat-de-vaud.ch> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
administer close* exit quit
reload resume* save_passwd set*
show* shutdown sleep startup
suspend*
CMCTL:CMAN_slv4474v.etat-de-vaud.ch>
# [ oracle@ocf-cman-1:/u01/app/oracle/network/admin [20:07:33] [19.3.0.0.0 [CLIENT] SID="not set"] 0 ] #
# cmctl
CMCTL for Linux: Version 19.0.0.0.0 - Production on 15-AUG-2019 20:12:40
Copyright (c) 1996, 2019, Oracle. All rights reserved.
Welcome to CMCTL, type "help" for information.
CMCTL> administer cman-test
Current instance cman-test is already started
Connections refer to (DESCRIPTION=(address=(protocol=tcp)(host=ocf-cman-1)(port=1521))).
The command completed successfully.
CMCTL:cman-test> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
administer close* exit quit
reload resume* save_passwd set*
show* shutdown sleep startup
suspend*
CMCTL:cman-test>
Stop / start
CMCTL:cman-test> shutdown
The command completed successfully.
CMCTL:cman-test> startup
Starting Oracle Connection Manager instance cman-test. Please wait...
CMAN for Linux: Version 19.0.0.0.0 - Production
Status of the Instance
----------------------
Instance name cman-test
Version CMAN for Linux: Version 19.0.0.0.0 - Production
Start date 15-AUG-2019 20:15:01
Uptime 0 days 0 hr. 0 min. 9 sec
Num of gateways started 2
Average Load level 0
Log Level ADMIN
Trace Level OFF
Instance Config file /u01/app/oracle/network/admin/cman.ora
Instance Log directory /u01/app/oracle/diag/netcman/ocf-cman-1/cman-test/alert
Instance Trace directory /u01/app/oracle/diag/netcman/ocf-cman-1/cman-test/trace
The command completed successfully.
CMCTL:cman-test>
Database registration
[Diagram: host1, DB1, SVC1, SCAN listener, Cman1]
Local_listener
Alter system set local_listener=host-vip:1521;
SVC1->DB1
Remote_listener
Alter system set remote_listener=scan:1521,cman1:1521;
SVC1->host-vip:1521
cman1:1521/SVC1
Sure!
Oracle Connection Manager for Security
Without CMAN
[Diagram: appserver1 (APP1), appserver2 (APP2), host1, DB1, DB2, SCAN listener, open firewall]
appserver1 -> DB1 V
appserver1 -> DB2 V
appserver2 -> DB1 V
appserver2 -> DB2 V
With CMAN
[Diagram: appserver1 (APP1), appserver2 (APP2), firewall, Cman1 (rule list), host1, DB1, DB2, SCAN listener]
appserver1 -> DB1 V
appserver1 -> DB2 X
appserver2 -> DB1 X
appserver2 -> DB2 V
Firewall blocks SCAN and allows CMAN only
CMAN filters connections depending on target service
White lists, black lists?
(rule_list=
(rule=(src=10.10.143.47/32)(dst=*)(srv=test-app-rw)(act=accept))
(rule=(src=10.10.150.0/24 )(dst=*)(srv=* )(act=accept))
(rule=(src=0.0.0.0/0 )(dst=*)(srv=* )(act=reject))
)
Rules, in order:
src=10.10.143.47/32 srv=test-app-rw
src=10.10.150.0/24 srv=*
src=* srv=*
Connection attempts:
10.10.150.15 SRV=test-2 V
10.10.143.47 SRV=test-2 X
10.10.143.47 SRV=test-app-rw V
Rule order is honored
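The first-match evaluation described on this slide, as an added example that is not part of the original deck or Oracle's code. The function names are hypothetical, only `*` and IP/CIDR sources are handled, and rejecting a connection that matches no rule is an assumption of this sketch.

```python
import ipaddress
import re

# Rule list copied from the slide above.
SLIDE_RULES = """
(rule_list=
 (rule=(src=10.10.143.47/32)(dst=*)(srv=test-app-rw)(act=accept))
 (rule=(src=10.10.150.0/24 )(dst=*)(srv=* )(act=accept))
 (rule=(src=0.0.0.0/0 )(dst=*)(srv=* )(act=reject))
)
"""

RULE_RE = re.compile(
    r"\(rule=\s*\(src=([^)]*)\)\s*\(dst=([^)]*)\)"
    r"\s*\(srv=([^)]*)\)\s*\(act=([^)]*)\)",
    re.IGNORECASE,
)


def parse_rules(text):
    """Return the rules in file order as dicts with src/dst/srv/act keys."""
    keys = ("src", "dst", "srv", "act")
    return [dict(zip(keys, (field.strip().lower() for field in m.groups())))
            for m in RULE_RE.finditer(text)]


def src_matches(pattern, client_ip):
    """'*' matches any source; otherwise compare as IP address or CIDR."""
    if pattern == "*":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    except ValueError:
        # Host-name pattern: exact match only (simplification of this sketch).
        return pattern == client_ip.lower()


def decide(rules, client_ip, service, dst="*"):
    """Return (action, rule number) of the first matching rule.

    Assumption: a connection that matches no rule is rejected.
    """
    for number, rule in enumerate(rules, start=1):
        if (src_matches(rule["src"], client_ip)
                and rule["srv"] in ("*", service.lower())
                and rule["dst"] in ("*", dst.lower())):
            return rule["act"], number
    return "reject", None


def is_catch_all(rule):
    # 0.0.0.0/0 covers every IPv4 source; the slide labels it "src=*".
    return (rule["src"] in ("*", "0.0.0.0/0")
            and rule["dst"] == "*" and rule["srv"] == "*")


def audit(rules):
    """Flag accept-all rules and catch-all rules that shadow later ones."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        if not is_catch_all(rule):
            continue
        if rule["act"] == "accept":
            findings.append(f"rule {number}: accepts every source and service")
        if number < len(rules):
            findings.append(
                f"rule {number}: catch-all, {len(rules) - number} later rule(s) never evaluated")
    return findings


if __name__ == "__main__":
    rules = parse_rules(SLIDE_RULES)
    for ip, srv in [("10.10.150.15", "test-2"),
                    ("10.10.143.47", "test-2"),
                    ("10.10.143.47", "test-app-rw")]:
        print(ip, srv, decide(rules, ip, srv))
    print(audit(rules))
```

Running `audit` on the single `(src=*)(dst=*)(srv=*)(act=accept)` rule from the cman-test configuration reports it as an accept-all rule, and reversing the slide's rule order makes the reject rule win for every connection.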
SSH Tunneling (and LDAP/Kerberos?)
[Diagram: RAC clusters RACA1/RACA2, RACB1/RACB2 and RACC1/RACC2, each with a SCAN and per-node listeners (lsnr), a firewall, Cman1 and a jump host running sshd + krb5]
sqlplus user@localhost:1521/service
ssh me@jumphost -L 1521:cman1:1521
Demo?
Traffic Director Mode
CMAN with an Oracle Client “brain”
From the Oracle website
Classic vs TDM
[Diagram: CLIENT, cman and DB, once for each mode]
Classic: SQLNet is redirected transparently
TDM: CMAN is the end point of client connections; CMAN opens its own connection to the DB
TDM Setup: Proxy User
SQL> connect sys/manager@mypdb as sysdba
Connected.
SQL> CREATE USER tdm IDENTIFIED BY "MyPassword";
User Created.
SQL> GRANT CONNECT TO tdm;
Grant succeeded.
SQL> ALTER USER appuser GRANT CONNECT THROUGH tdm;
User altered.
SQL> connect tdm[appuser]/MyPassword@mypdb
Connected.
Not documented but important!
TDM Setup: cman.ora
$ cat cman.ora
cman-tdm = (configuration=
(address=(protocol=tcp)(host=ocf-cman-1)(port=1521))
(parameter_list =
(TDM=YES)
(registration_invited_nodes = *)
)
(rule_list=
(rule=(src=*)(dst=*)(srv=*)(act=accept))
))
wallet_location =
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/network/admin/WALLET-cman-tdm)
)
)
SQLNET.WALLET_OVERRIDE = TRUE
Parameter + Wallet
TDM Setup: Wallet
$ mkstore -wrl /u01/app/oracle/network/admin/WALLET-cman-tdm -create
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
$ mkstore -wrl /u01/app/oracle/network/admin/WALLET-cman-tdm \
-createCredential myservice.mysubdomain.ocfnetwork.oraclevcn.com tdm MyPassword
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
IMPORTANT: one credential per service.
New service -> new credential -> wallet modified -> CMAN needs restart
My first try…
$ sqlplus appuser/password@std_not_pooled
SQL*Plus: Release 19.0.0.0.0 - Production on Sat Aug 24 18:36:31 2019
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
ERROR:
ORA-03135: connection lost contact
Process ID: 0
Session ID: 0 Serial number: 0
Enter user-name:
Trace at CMAN level...
2019-08-26 08:47:48.161 : nsbasic_brc:00 00 41 4F 52 41 2D 30 |..AORA-0|
2019-08-26 08:47:48.161 : nsbasic_brc:31 30 34 35 3A 20 75 73 |1045:.us|
2019-08-26 08:47:48.161 : nsbasic_brc:65 72 20 54 44 4D 20 6C |er.TDM.l|
2019-08-26 08:47:48.161 : nsbasic_brc:61 63 6B 73 20 43 52 45 |acks.CRE|
2019-08-26 08:47:48.161 : nsbasic_brc:41 54 45 20 53 45 53 53 |ATE.SESS|
2019-08-26 08:47:48.161 : nsbasic_brc:49 4F 4E 20 70 72 69 76 |ION.priv|
2019-08-26 08:47:48.161 : nsbasic_brc:69 6C 65 67 65 3B 20 6C |ilege;.l|
2019-08-26 08:47:48.161 : nsbasic_brc:6F 67 6F 6E 20 64 65 6E |ogon.den|
2019-08-26 08:47:48.161 : nsbasic_brc:69 65 64 0A |ied. |
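The client only sees ORA-03135, and the real error is split across 8-byte dump lines in the CMAN trace, so a line-oriented search for "ORA-01045" finds nothing. The following added example (not from the original deck; function names are hypothetical) reassembles the hex column of consecutive `nsbasic_brc` dump lines and extracts the ORA- message.

```python
import re

# Trace lines copied from the slide above.
SLIDE_TRACE = """\
2019-08-26 08:47:48.161 : nsbasic_brc:00 00 41 4F 52 41 2D 30 |..AORA-0|
2019-08-26 08:47:48.161 : nsbasic_brc:31 30 34 35 3A 20 75 73 |1045:.us|
2019-08-26 08:47:48.161 : nsbasic_brc:65 72 20 54 44 4D 20 6C |er.TDM.l|
2019-08-26 08:47:48.161 : nsbasic_brc:61 63 6B 73 20 43 52 45 |acks.CRE|
2019-08-26 08:47:48.161 : nsbasic_brc:41 54 45 20 53 45 53 53 |ATE.SESS|
2019-08-26 08:47:48.161 : nsbasic_brc:49 4F 4E 20 70 72 69 76 |ION.priv|
2019-08-26 08:47:48.161 : nsbasic_brc:69 6C 65 67 65 3B 20 6C |ilege;.l|
2019-08-26 08:47:48.161 : nsbasic_brc:6F 67 6F 6E 20 64 65 6E |ogon.den|
2019-08-26 08:47:48.161 : nsbasic_brc:69 65 64 0A |ied. |
"""

# Hex column of a dump line: byte pairs between the function name and the '|'.
DUMP_RE = re.compile(r"nsbasic_brc:((?:[0-9A-Fa-f]{2}\s+)+)\|")
# An ORA- message runs until the first newline or NUL byte.
ORA_RE = re.compile(rb"ORA-\d{5}:[^\r\n\x00]*")


def packets(trace_text):
    """Group consecutive dump lines into one byte string per dump."""
    result, current = [], bytearray()
    for line in trace_text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            current += bytes.fromhex(m.group(1))
        elif current:
            # A non-dump line ends the current dump.
            result.append(bytes(current))
            current = bytearray()
    if current:
        result.append(bytes(current))
    return result


def ora_errors(trace_text):
    """Return the ORA- messages found in the reassembled dumps."""
    return [m.group(0).decode("ascii", "replace")
            for data in packets(trace_text)
            for m in ORA_RE.finditer(data)]


def lines_containing(trace_text, needle):
    """What a line-oriented search (grep) over the raw trace would find."""
    return [line for line in trace_text.splitlines() if needle in line]


if __name__ == "__main__":
    print(lines_containing(SLIDE_TRACE, "ORA-01045"))
    print(ora_errors(SLIDE_TRACE))
```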
My first try… after granting connect
# sqlplus appuser/password@std_not_pooled
SQL*Plus: Release 19.0.0.0.0 - Production on Thu Aug 29 09:19:56 2019
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Last Successful login time: Thu Aug 29 2019 08:23:38 +00:00
Connected to:
Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
connected via Oracle Connection Manager in Traffic Director mode 19.3.0.0.0
SQL> show user
USER is "APPUSER"
SQL> select sys_context('USERENV','PROXY_USER') from dual;
SYS_CONTEXT('USERENV','PROXY_USER')
--------------------------------------------------------------------------------
TDM
TDM PRCP (Proxy Resident Connection Pooling)
[Diagram: several CLIENTs, cman with a POOL, CDBA, PDB1]
Similar to DRCP, but at CMAN level
TDM PRCP: $TNS_ADMIN/oraaccess.xml
<oraaccess xmlns="http://xmlns.oracle.com/oci/oraaccess" xmlns:oci="http://xmlns.oracle.com/oci/oraaccess"
schemaLocation="http://xmlns.oracle.com/oci/oraaccess http://xmlns.oracle.com/oci/oraaccess.xsd">
<default_parameters>
</default_parameters>
<config_descriptions>
<config_description>
<config_alias> std_pooled </config_alias>
<parameters>
<session_pool>
<enable>true</enable>
<min_size> 5 </min_size>
<max_size> 20 </max_size>
<increment> 1 </increment>
</session_pool>
</parameters>
</config_description>
</config_descriptions>
<connection_configs>
<connection_config>
<connection_string>std_pooled.subxx.ocfnetwork.oraclevcn.com</connection_string>
<config_alias>std_pooled</config_alias>
</connection_config>
</connection_configs>
</oraaccess>
TDM PRCP: Client Requirements
• OCI and Open Source Drivers (11.2.0.4 and later)
• JDBC (12.1 and later)
• ODP.NET (12.2 and later)
std_pooled =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = cman)(PORT = 1521))
(CONNECT_DATA =
(SERVICE_NAME = std_pooled.subxx.ocfnetwork.oraclevcn.com)
(SERVER=POOLED)
)
)
Demo?
TDM Planned Outage
[Diagram: CLIENT, cman and two CDBA instances; PDB1 moves from one to the other]
• Client connects to cman:1521/pdb1
• Cman opens a connection to pdb1
• Upon PDB/service relocate, cman detects the stop and closes the connections at transaction boundaries
• The next request is executed on the surviving instance
• The connection client-cman is intact, the client does not experience a disconnection
Demo?
TDM Unplanned Outage
• Similar to planned outage
• Leverages TAF/AC/TAC at client side
• App Continuity Integrated in CMAN is planned for 20c
Thank you!
Ludovico Caldara - Computing Engineer @CERN, Oracle ACE Director
