Oracle Net Service Name Resolution
Getting Rid of the TNSNAMES.ORA File!
Simon Pane – Oracle Database Principal Consultant
March 19, 2015

ABOUT ME
• Working with the Oracle DB since version 6
• Oracle Certified Expert
• Oracle Certified Professional – Oracle Database 8, 8i, 9i, 10g, 11g and 12c
• Oracle Certified Partner Specialist
• Oracle ACE Associate
• MOS Communities: Simon_DBA – Level: “Expert”

ABOUT PYTHIAN
• 10,000 – Pythian currently manages more than 10,000 systems.
• 385 – Pythian currently employs more than 385 people in 30 countries worldwide.
• 1997 – Pythian was founded in 1997.
• Global leader in data consulting and managed services.
• Unparalleled expertise
  – Top 5% in databases, applications, infrastructure, Big Data, Cloud, Data Science, and DevOps
• Unmatched certifications
  – 8 Oracle ACEs, 2 Oracle ACE Directors, 2 Oracle ACE Associates, 2 Oracle Certified Masters
  – 5 Microsoft MVPs, 1 Microsoft Certified Master
  – 1 Cloudera Champion of Big Data
• Broad technical experience
  – Oracle, Microsoft, MySQL, Oracle EBS, Hadoop, Cassandra, MongoDB, virtualization, configuration management, monitoring, trending, and more.

TARGET AUDIENCE
• This presentation is for:
  – Not Sys Admins
  – Not Network Admins
  – Not LDAP Admins

NET SERVICE NAME RESOLUTION – A Quick Refresher

WHAT ARE WE TALKING ABOUT?
• Net Service Name – “A simple name for a service that resolves to a connect descriptor”
• Connect Descriptor – “A specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information.”
• The TNSNAMES.ORA file – “The tnsnames.ora file is a configuration file that contains net service names mapped to connect descriptors for the local naming method, or net service names mapped to listener protocol addresses.”
• Source: https://docs.oracle.com/database/121/NTDBI/glossary.htm

THE BASICS: THE CONNECT DESCRIPTOR
• Everything could be specified at the prompt
• Good for testing the string/troubleshooting

THE BASICS: EZCONNECT
• 10g added EZCONNECT – shortened command line specification

THE BASICS: NET SERVICE NAME SEARCH
• Net Service Name can be found in multiple locations
  – TNSNAMES.ORA files, external service, directory server
  – Oracle Net stops searching when it finds the first one

STORING AS UNSTRUCTURED DATA
• “Unstructured” – not in a database
• DNS is somewhat similar, yet DNS entries aren’t stored in host files
• In the TNSNAMES.ORA the “Connect Descriptors” aren’t consistent in structure or layout

MANAGEMENT TECHNIQUES
• Scripts that run nightly to “push” out new files to all servers and desktops
• Centralized files using the TNS_ADMIN environment variable or soft links
  – Storing on a network share or NFS mount
• Centralized using the IFILE parameter
  – Can be used up to four times

PROBLEMS WITH THIS APPROACH
• One typo can corrupt the current and all subsequent entries
• Cumbersome to work with/edit with a large number of entries
• If centralized, problems affect all users
• If localized, may take time to propagate changes
• Multiple copies can get out of sync – changes clobbered

“BUT WE'VE ALWAYS DONE IT THAT WAY”
• “Old way” doesn't mean it's the “best way”

WHAT ARE THE OPTIONS – How can we make things better?
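The first bullet of the PROBLEMS WITH THIS APPROACH slide is worth seeing concretely. The script below is an added example, not code from the presentation: a small TNSNAMES.ORA reader that tracks parenthesis depth per entry and reports which net service names are still resolvable. The two files it reads are constructed sample input; the second is identical to the first except for a single missing closing parenthesis in the HR entry, which is enough to lose HR, HRDB and every entry after them. The grammar is deliberately simplified (names, `=`, a balanced parenthesised descriptor, `#` comments); the point it illustrates, that one typo takes out the current and all subsequent entries, is the behaviour the slide describes.

```python
"""Show how one typo in TNSNAMES.ORA takes out every following entry.

Added example for the PROBLEMS WITH THIS APPROACH slide; not the presentation's
code.  The sample files below are constructed input.
"""
import re

# Simplified grammar: NAME[, NAME...] = ( ... ) with balanced parentheses.
# Oracle's parser is stricter, but the failure mode is the same: an entry
# with a missing ')' swallows the rest of the file.
_NAME_RE = re.compile(r"\s*([\w.$\-]+(?:\s*,\s*[\w.$\-]+)*)\s*=\s*")


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_tnsnames(text):
    """Return (entries, error): entries maps NAME -> connect descriptor with
    whitespace removed; error is None or a message naming the first entry
    that could not be parsed."""
    text = _strip_comments(text)
    entries, pos = {}, 0
    while True:
        m = _NAME_RE.match(text, pos)
        if not m:
            if text[pos:].strip():
                return entries, "junk at offset %d: %r" % (pos, text[pos:pos + 40])
            return entries, None
        names = [n.strip() for n in m.group(1).split(",")]
        i = m.end()
        if i >= len(text) or text[i] != "(":
            return entries, "entry %s: expected '(' after '='" % names[0]
        depth, start = 0, i
        while i < len(text):
            if text[i] == "(":
                depth += 1
            elif text[i] == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        if depth != 0:
            # Unbalanced: this entry has absorbed everything up to end of file.
            return entries, ("entry %s: unbalanced parentheses; this and all "
                             "following entries are unusable" % names[0])
        descriptor = re.sub(r"\s+", "", text[start:i + 1])
        for n in names:
            entries[n.upper()] = descriptor
        pos = i + 1


def resolvable_names(text):
    """Sorted list of the net service names that survive parsing."""
    entries, _ = parse_tnsnames(text)
    return sorted(entries)


# Constructed sample file: three entries, one with two aliases.
GOOD_TNSNAMES = """
# constructed sample tnsnames.ora
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl.example.com))
  )

HR, HRDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db2.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = hr.example.com))
  )

REPORTS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db3.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = reports.example.com))
  )
"""

# The same file with one closing parenthesis dropped from the HR entry.
BAD_TNSNAMES = GOOD_TNSNAMES.replace(
    "(CONNECT_DATA = (SERVICE_NAME = hr.example.com))",
    "(CONNECT_DATA = (SERVICE_NAME = hr.example.com)")

if __name__ == "__main__":
    for label, text in (("intact file", GOOD_TNSNAMES), ("one typo", BAD_TNSNAMES)):
        entries, err = parse_tnsnames(text)
        print("%-12s resolvable=%s %s" % (label, sorted(entries), err or ""))
```

Run against the intact file all four names resolve; against the file with the typo only ORCL does, and the error names HR as the entry where parsing broke, which is the symptom a DBA sees as TNS-03505 for every name that follows it.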
ALTERNATIVES
• Store in an “LDAP compatible Directory Server”
  – Oracle Internet Directory (OID)
  – Microsoft Active Directory (AD)
  – OpenLDAP
  – Others (IBM Tivoli Directory Server, Sun Java System Directory Server, Red Hat Directory Server, Apache Directory Server)
• EZCONNECT
• A hybrid approach using all methods

STRUCTURE IN A “DIRECTORY SERVER”
• Published “LDAP Schema for Oracle Net Services”
• “Structural LDAP Classes” for Oracle Net:
  – orclDBServer
  – orclNetService
  – orclNetServiceAlias
  – orclNetDescription
  – orclNetDescriptionList
  – orclNetAddress
  – orclNetAddressList
  – orclNetDescriptionAux1
  – orclNetAddressAux1

CHOOSING A DIRECTORY SERVER
• Easy to install and setup?
• Supported platforms?
• Additional software required?
• Additional hardware required?
• Additional licenses required?
• Bulk load existing entries?
• Easy additions?
• Easy modifications and removals?
• Ability to export to a TNSNAMES.ORA file?
• Supports advanced entries (i.e. TAF, RAC, other options)?
• Supports aliases?
• High availability and protection (backup options)?
• Security implications?

OID BENEFITS
• Complete Oracle stack – full Oracle Support
• Data stored in the Oracle Database – DBAs know how to manage / backup
• High availability options
• Easy TNSNAMES.ORA file generation
• Easy to handle multiple “contexts”
  – (i.e. .world, .example.com)

OID ISSUES
• Requires a WebLogic domain
  – Cumbersome, likely difficult for most DBAs
• May require additional hardware
  – For Oracle database repository and/or WLS
• Upgrades and patching (WLS & DB)
• Overkill for just Net Service Name lookup?
ACTIVE DIRECTORY BENEFITS
• Register databases via Oracle Tools (optional)
  – DBCA or Oracle Net Manager
• SA handles:
  – Replication, HA, Patches, Updates, Backups, etc.
• Critical part of the network infrastructure
  – Typically high performance

ACTIVE DIRECTORY SETUP
• Very easy to setup (Demo later)
  – Requires access to the AD on a DC
  – Need Domain Administrator privileges
  – Implement using “Oracle Net Configuration Assistant” and “Oracle Net Manager”
• Follow Oracle Implementation PDF guides
  – Follow step-by-step guides:
    • Configuring Microsoft Active Directory for Net Naming (Doc ID 1587824.1)

ACTIVE DIRECTORY ISSUES
• Will need cooperation from Domain Admins to install / configure
• Extra AD permissions may be required to query
• 11g Clients:
  – NAMES.LDAP_AUTHENTICATE_BIND = YES
• Anonymous query may be required for UNIX clients

OPENLDAP BENEFITS
• Free (open-source) Directory Server software available on a variety of platforms
  – Linux, Solaris, MacOS X, Windows, etc.
• Master-slave replication options
  – Including multiple slaves, cross-platform, cross-endian
• Easy updates (i.e. yum for Linux deployments)

OPENLDAP INSTALLATION
• Install additional RPMs
  – openldap-servers, openldap-clients
• slapd = “stand-alone LDAP directory server”
• Simple initial setup (Demo later)
  – Customize some text files; run commands; etc.
  – Requires some basic Linux skills
  – Will need root access

OPENLDAP ISSUES
• No GUI included
  – Using with Oracle Net Manager is difficult
• Apache Directory Studio
  – Free for Windows, Mac & Linux

COMMON FUNCTIONALITY
• All have (in some form or another)
  – Bulk load ability: ldapadd -f <file>
  – Command line searching: ldapsearch
  – Extraction to a TNSNAMES.ORA file via tool or command

TOOLS ARE ALREADY INSTALLED!
• LDAP tools in every Database and Client home

WHAT’S THE DOWNSIDE? – Risks, Concerns, Supportability, Troubleshooting?

WHAT ABOUT SUPPORT?
• With OID the whole stack is supported
• Resolution via AD also supported
• Net Service Name resolution from other Directory Services not fully supported
  – But is that really an issue?

SUPPORT RISKS?
• If using an unsupported Directory Server, DBAs must know how to investigate/resolve some problems
  – Oracle Support will be limited when investigating TNS-03505 via SR when not using AD or OID

FAILOVER PERFORMANCE?
• Test failover times from an unresponsive master server!
• Related MOS notes:
  – Slow LDAP Naming Resolution when Primary LDAP server unavailable. (Doc ID 1193853.1)
  – Performance problem with Oracle*Net Failover when TCP Network down (no IP address) (Doc ID 249213.1)
  – How to Setup LDAP Client Naming Resolution Failover Timeout Against OID - If OID1 is Busy, Quickly Try OID2. (Doc ID 1671486.1)

BUT REMEMBER…
• Used for initial connection lookup only
  – Listener sends back a new socket
• Not used again for persistent connections
• Not used for RAC interconnect
• Data Guard & DB Links
  – Optionally configure with EZCONNECT if support is a concern

OTHER RISKS?
• Slow / no response from the Directory Servers?
  – All options offer redundancy or high availability
  – Worst case, switch back to TNSNAMES.ORA
• Some applications may not support it
  – Might need some one-off TNSNAMES.ORA files

FUNCTIONALITY RISKS?
• Extra complexity with advanced options
  – TAF entries, RAC entries, global_name
  – Oracle Net aliases
• Oracle7 and Oracle8.0 clients
  – Still can be done but requires extra/different steps

DEBUGGING TECHNIQUES: TRACING
• Oracle Net (SQL*Net) Tracing
  – HOWTO : Use sqlnet tracing to track down which tnsnames.ora file is used in the connection? (Doc ID 846822.1)
  – How to Enable Oracle SQLNet Client, Server, Listener, Kerberos and External procedure Tracing from Net Manager (Doc ID 395525.1)
• Oracle whitepaper on interpreting the result
  – Examining Oracle Net, Net8, SQL*Net Trace Files (Doc ID 156485.1)
• Trace Assistant
  – Example of Using Trace Assistant (TRCASST) to Work an Oracle Net issue (Doc ID 1336069.1)

DEBUGGING TECHNIQUES: TRCROUTE
• Oracle Trace Route utility
  – Reports on TNS entries on route to the “server”
  – https://docs.oracle.com/database/121/NETAG/connect.htm#NETAG383

DEBUGGING TECHNIQUES: OS TOOLS
• Linux
  – strace:
    • $ strace tnsping ORCL
• Windows
  – Windows Sysinternals Process Monitor:
    • Run in batch file with command line switches
  – NtTrace:
    • http://www.howzatt.demon.co.uk/NtTrace

THINGS TO WATCH OUT FOR
• NAMES.DIRECTORY_PATH
  – Methods not specified are excluded
  – Also determines search order
  – Must keep EZCONNECT for RAC cluster interconnect
• Files searched
  – Remember: /etc/tnsnames.ora
  – Hidden file: ~/.tnsnames.ora
• Windows
  – Different search order rules (cwd vs. home dir)
  – Different search orders if %ORACLE_HOME% is set

VIRTUAL DEMO 1 – OpenLDAP setup on OL6.5 – In 10 simple steps!
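The NAMES.DIRECTORY_PATH bullets on the THINGS TO WATCH OUT FOR slide, together with the earlier note that Oracle Net stops at the first method that resolves a name, describe a simple search algorithm. The script below is an added example, not the presentation's code and not Oracle's implementation: it reads NAMES.DIRECTORY_PATH out of a sqlnet.ora text, walks the listed methods in order against three constructed stand-ins (an LDAP directory, a local tnsnames.ora already parsed into a dictionary, and the EZCONNECT `host[:port]/service` syntax), and returns which method answered. It also produces the pre-cutover warnings a DBA would want, in particular that dropping EZCONNECT from the list breaks the RAC cluster interconnect lookup the slide mentions. The sqlnet.ora fragments and directory contents are constructed; the EZCONNECT default port of 1521 is Oracle's documented default.

```python
"""Model the NAMES.DIRECTORY_PATH search order: first method to answer wins,
methods not listed are never consulted.

Added example for the THINGS TO WATCH OUT FOR slide; not the presentation's
code.  Directory contents, tnsnames entries and sqlnet.ora text are
constructed sample data.
"""
import re

# Constructed stand-ins for the naming sources.  ORCL is deliberately present
# in both, with different hosts, so the winning method is visible.
LDAP_DIRECTORY = {
    "ORCL": "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=1521))"
            "(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))",
}
LOCAL_TNSNAMES = {
    "ORCL": "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=stale-db9.example.com)(PORT=1521))"
            "(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))",
    "HR": "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.com)(PORT=1521))"
          "(CONNECT_DATA=(SERVICE_NAME=hr.example.com)))",
}

# EZCONNECT: [//]host[:port]/service_name ; port defaults to 1521.
_EZ_RE = re.compile(r"^(?://)?(?P<host>[\w.\-]+)(?::(?P<port>\d+))?/(?P<svc>[\w.\-]+)$")


def directory_path(sqlnet_ora):
    """Method list from NAMES.DIRECTORY_PATH, upper-cased, in the order given.
    Returns [] when the parameter is absent (the client's built-in default is
    not modelled here)."""
    m = re.search(r"NAMES\.DIRECTORY_PATH\s*=\s*\(([^)]*)\)", sqlnet_ora, re.I)
    if not m:
        return []
    return [t.strip().upper() for t in m.group(1).split(",") if t.strip()]


def ezconnect(name):
    """Turn an EZCONNECT string into a connect descriptor, or None."""
    m = _EZ_RE.match(name)
    if not m:
        return None
    return ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%s))"
            "(CONNECT_DATA=(SERVICE_NAME=%s)))"
            % (m.group("host"), m.group("port") or "1521", m.group("svc")))


METHODS = {
    "LDAP": lambda name: LDAP_DIRECTORY.get(name.upper()),
    "TNSNAMES": lambda name: LOCAL_TNSNAMES.get(name.upper()),
    "EZCONNECT": ezconnect,
}


def resolve(name, sqlnet_ora):
    """(method, descriptor) from the first listed method that resolves NAME,
    or (None, None) when none does: the TNS-03505 case."""
    for method in directory_path(sqlnet_ora):
        lookup = METHODS.get(method)
        if lookup is None:          # method name not modelled here: skip it
            continue
        descriptor = lookup(name)
        if descriptor:
            return method, descriptor
    return None, None


def check_directory_path(sqlnet_ora):
    """Warnings worth reviewing before pointing clients at a directory."""
    path = directory_path(sqlnet_ora)
    warnings = []
    if not path:
        warnings.append("NAMES.DIRECTORY_PATH not set; client default applies")
    if "EZCONNECT" not in path:
        warnings.append("EZCONNECT missing: needed for the RAC cluster interconnect")
    if "TNSNAMES" not in path:
        warnings.append("TNSNAMES missing: one-off tnsnames.ora entries will be ignored")
    return warnings


# Constructed sqlnet.ora fragments for the three configurations compared.
LDAP_FIRST = "NAMES.DIRECTORY_PATH = (LDAP, TNSNAMES, EZCONNECT)\n"
FILE_FIRST = "NAMES.DIRECTORY_PATH = (TNSNAMES, LDAP, EZCONNECT)\n"
LDAP_ONLY = "NAMES.DIRECTORY_PATH = (LDAP)\n"

if __name__ == "__main__":
    for label, cfg in (("ldap first", LDAP_FIRST), ("file first", FILE_FIRST), ("ldap only", LDAP_ONLY)):
        for name in ("orcl", "hr", "db3.example.com:1522/sales"):
            print("%-10s %-28s -> %s" % (label, name, resolve(name, cfg)[0]))
        print("%-10s warnings: %s" % (label, check_directory_path(cfg)))
```

With LDAP first, ORCL comes from the directory even though a stale local copy exists; with TNSNAMES first the stale file wins, which is the out-of-sync problem the earlier slides describe. With `(LDAP)` alone, HR and the EZCONNECT string both fail to resolve because those methods are excluded rather than merely deprioritised.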
DEMO 1: OpenLDAP SETUP
• STEP 1: Install the required RPMs
• STEP 2: Some basic initial setup
• STEP 3: Set the LDAP admin password
  – Record the hash for use later
• STEP 4: Create a default configuration file
• STEP 5: Create the OID schema files
• STEP 6: Edit /etc/openldap/slapd.conf
  – Add new OID schema files
  – Update all occurrences of “my-domain”
  – Add rootpw hash value (could use plain text as well)
• STEP 7: Start and register slapd service
• STEP 8: Manually add the OU to the root
• STEP 9: Add the orclContext and the first entry
• STEP 10: Adjust SQLNET.ORA & LDAP.ORA
• Additional optional steps
  – Add master and slave(s) replication (HA)
  – Secure with TLS and a certificate
  – Configure Apache Directory Studio
  – Script simplified additions using ldapadd
  – Script TNSNAMES.ORA generation using ldapsearch

VIRTUAL DEMO 2 – Active Directory Setup – In < 10 simple steps!

DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 1: Follow steps provided in Oracle PDF
  – Configuring Microsoft Active Directory for Net Naming (Doc ID 1587824.1)
• STEP 2: Adjust SQLNET.ORA & LDAP.ORA
• STEP 3: Add an entry
  – Using the Oracle Net Manager utility on the DC
  – Under the “Directory” tab
• STEP 4: Verify the entry
  – Using “Active Directory Users and Computers”
• STEP 5: Verify that the entry can be modified
  – Using “Active Directory Explorer” (Sysinternals)
• STEP 6: Test that data can be extracted
  – Using “ldapsearch”
• STEP 7: Test resolution from Windows
• STEP 8: Test resolution from Linux

WRAP UP!
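Two of the optional steps in Demo 1 ("Script simplified additions using ldapadd" and "Script TNSNAMES.ORA generation using ldapsearch") and the bulk-load and extraction bullets of the COMMON FUNCTIONALITY slide are the same piece of plumbing seen from both ends: LDIF in, LDIF out. The script below is an added example, not the presenter's script. It assumes the Oracle Net Services LDAP schema named on the STRUCTURE IN A "DIRECTORY SERVER" slide, in which an `orclNetService` entry carries its connect descriptor in the `orclNetDescString` attribute under `cn=OracleContext`, and a constructed base DN of `dc=example,dc=com`. `parse_ldif` handles the two things ldapsearch output does that trip up naive scripts: long values folded onto continuation lines (a leading space) and values emitted base64-encoded (`attr:: value`). The sample LDIF, including the trailing `search:`/`result:` block ldapsearch prints, is constructed.

```python
"""Convert between ldapsearch LDIF output and TNSNAMES.ORA, in both directions.

Added example for the Demo 1 optional scripting steps and the COMMON
FUNCTIONALITY slide; not the presentation's own script.  Assumes the Oracle
Net Services LDAP schema (orclNetService / orclNetDescString) under
cn=OracleContext; the base DN and all sample data are constructed.
"""
import base64


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into a list of {attr: [values]} dicts,
    honouring folded continuation lines and 'attr:: base64' values."""
    entries, current, pending = [], None, None

    def flush():
        nonlocal pending
        if pending is not None:
            attr, value, is_b64 = pending
            if is_b64:
                value = base64.b64decode(value).decode("utf-8")
            current.setdefault(attr, []).append(value)
            pending = None

    for raw in text.splitlines() + [""]:          # sentinel closes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and pending is not None:   # folded continuation
            pending = (pending[0], pending[1] + raw[1:], pending[2])
            continue
        flush()
        if not raw.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if current is None:
            current = {}
        attr, _, value = raw.partition(":")
        is_b64 = value.startswith(":")
        pending = (attr.strip(), (value[1:] if is_b64 else value).strip(), is_b64)
    return entries


def ldif_to_tnsnames(text):
    """TNSNAMES.ORA text for every orclNetService entry in the LDIF; the
    'search:'/'result:' block and anything without a descriptor is skipped."""
    out = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "orclnetservice" not in classes or "orclNetDescString" not in e:
            continue
        for name in e.get("cn", []):
            out.append("%s =\n  %s\n" % (name.upper(), e["orclNetDescString"][0]))
    return "\n".join(out)


def tnsnames_entry_to_ldif(name, descriptor, base_dn):
    """LDIF for one new net service name, ready for 'ldapadd -f <file>'."""
    return "\n".join([
        "dn: cn=%s,cn=OracleContext,%s" % (name, base_dn),
        "objectClass: top",
        "objectClass: orclNetService",
        "cn: %s" % name,
        "orclNetDescString: %s" % descriptor,
        "",
    ])


# Constructed descriptors; HR's is base64-encoded in the sample the way
# ldapsearch does for values it will not print as-is.
ORCL_DESC = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=1521))"
             "(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))")
HR_DESC = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.com)(PORT=1521))"
           "(CONNECT_DATA=(SERVICE_NAME=hr.example.com)))")

SAMPLE_LDIF = """# extended LDIF (constructed sample of ldapsearch output)
#
dn: cn=ORCL,cn=OracleContext,dc=example,dc=com
objectClass: top
objectClass: orclNetService
cn: ORCL
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(
 PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))

dn: cn=HR,cn=OracleContext,dc=example,dc=com
objectClass: top
objectClass: orclNetService
cn: HR
orclNetDescString:: %s

# search result
search: 2
result: 0 Success

# numResponses: 3
""" % base64.b64encode(HR_DESC.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(ldif_to_tnsnames(SAMPLE_LDIF))
    print(tnsnames_entry_to_ldif("REPORTS", ORCL_DESC, "dc=example,dc=com"))
```

In practice the LDIF would come from `ldapsearch` over stdin and the generated tnsnames.ora would be written out as the fallback copy the OTHER RISKS slide recommends keeping; the ldapadd direction is what makes "Easy additions?" from the CHOOSING A DIRECTORY SERVER checklist a one-line script.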
SUMMARY 1
• OID, Active Directory, and OpenLDAP are just three of many possible LDAP Directory Server software products
• Oracle “Connect Descriptors” can be stored in and accessed from any LDAP Directory Server
• Active Directory and OpenLDAP are the easiest to set up

SUMMARY 2
• Initial data can be bulk loaded
• Data can be extracted to a TNSNAMES.ORA
• Simple scripts can be used to automate:
  – Creation of new entries
  – Extraction into a TNSNAMES.ORA
• LDAP utilities are already in every $OH

SUMMARY 3
• Cost is typically a few days of initial setup work
  – Include setup and procedural documentation!!!!
• Deployment risk is minimal
  – As a hybrid approach can be used
• Lower risk of issues if stored in a proper Directory Service
  – Reduced propagation time for additions/changes
  – Lower chance of introducing a widespread error
  – Higher availability

THANKS AND Q&A
[email protected]
1-877-PYTHIAN
http://www.Pythian.com/blog
http://is.gd/PythianFacebook
@Pythian
http://linkedin.com/company/Pythian