Oracle® Fail Safe Concepts and Administration Guide
Release 3.3.1 for Windows
Part No. A96684-01
The unique advantage offered by Oracle Fail Safe is its ability to help you easily configure resources in a Windows cluster environment. This chapter discusses the following topics:
|What Does It Mean to Configure Failover?||Section 4.1|
|How Does Oracle Fail Safe Use the Wizard Input?||Section 4.2|
|Managing Cluster Security||Section 4.3|
|Discovering Standalone Resources||Section 4.4|
|Renaming Resources||Section 4.5|
|Using Oracle Fail Safe in a Multiple Oracle Homes Environment||Section 4.6|
|Configurations Using Multiple Virtual Addresses||Section 4.7|
|Adding a Node to an Existing Cluster||Section 4.8|
For the step-by-step procedures to configure standalone resources into groups, and for information on managing those resources once they are in groups, refer to Chapters 7 through 14 in this manual and to the Oracle Fail Safe Tutorial and online help.
Because of the numerous hardware and software components involved, configuring failover in a cluster can be a complex process. However, using Oracle Fail Safe Manager wizards, you can easily configure failover automatically and with minimal work by a network manager. Oracle Fail Safe Manager helps you to configure resources into groups so that when one node in a cluster fails, another cluster node immediately takes over the resources in the failed node's groups.
The wizards minimize the risk of introducing configuration problems during implementation. They also reduce the level of expertise required to configure resources for high availability. Most policies that you set with the wizards can be modified later with Oracle Fail Safe Manager.
The following list summarizes the basic tasks that you perform to implement failover for resources. Except for the first task, you perform all of these tasks using Oracle Fail Safe Manager:
Ensure that you have properly installed the products you plan to configure with Oracle Fail Safe. (This is described in the Oracle Fail Safe Installation Guide.)
Invoke Oracle Fail Safe Manager.
Verify the cluster.
Create a group.
Add one or more virtual addresses to the group.
Add resources to the group.
Verify the group.
Update any Oracle Net files (such as the tnsnames.ora file) on client systems.
The list summarizes only the basic tasks. Depending on the type of resource you are configuring, there might be additional steps or considerations.
Refer to the tutorial and online help in Oracle Fail Safe Manager for step-by-step guidance on using the Oracle Fail Safe Manager wizards.
Based on the information that you provide with the wizards, Oracle Fail Safe derives any additional information it requires to configure the environment.
Most resources are configured by Oracle Fail Safe using a similar series of steps. The following list describes the specific steps Oracle Fail Safe performs to configure a highly available Oracle database:
Configures access to the database using a virtual address:
Configures Oracle Net to use the virtual address or addresses associated with the database on all nodes listed in the possible owner nodes list for the database. (On a two-node cluster, this is both cluster nodes. On clusters that consist of more than two nodes, you are asked to specify the possible owner nodes for a resource as a step in the Add Resource to Group Wizard.)
Duplicates the network configuration information on all nodes in the possible owner nodes list.
Verify that all data files used by the database resource are on cluster disks and are not currently used by applications in other groups. If the cluster disks are in another group, but not used by applications in that group, Oracle Fail Safe moves the disks into the same group with the database resource.
Create the failback policy for the database resources based on choices you made in the wizard.
After failover has been tested on all nodes in the possible owner nodes list, shuts down the Oracle database and brings it back online on the preferred owner node. If the preferred owner node list is empty, then the group remains on the last node to which it was failed over as part of the configuration process.
By performing these steps, Oracle Fail Safe ensures that the resource is correctly configured and capable of failing over and failing back to all possible owner nodes of the group to which it has been added.
Figure 4-1 shows a two-node active/active cluster configuration in which each node hosts a group with an application server and a group with a database server.
Figure 4-1 Virtual Servers and Addressing in an Oracle Fail Safe Environment
The virtual servers (A, B, C, and D) and their network addresses are known by all clients and cluster nodes. The listener.ora file on each cluster node and the tnsnames.ora file on each client workstation contain the network name and address information for each virtual server.
For failover to work properly, the host name (virtual address), database instance, SID entry, and protocol information in each tnsnames.ora and listener.ora file must match on each server node that is a possible owner of the resources in the group and the client system.
For example, during normal operations, Virtual Server B is active on Node A. Node B is the failover node for Virtual Server B. The cluster disks are connected to both nodes so that resources can run on either node in the cluster, but service for the resources in each group is provided by only one cluster node at a time.
If a system failure occurs on Node A, Groups 1 and 2 become active on Node B using the same virtual address and port number as they had on Node A. Node B takes over the workloads from Node A transparently to clients, which continue to access Group 1 using Virtual Server A and Group 2 using Virtual Server B. Clients continue to access the resources in a group using the same virtual server name and address, without regard for which physical node is serving the group.
To accomplish administrative tasks associated with Oracle Fail Safe, you need the appropriate privileges to manage Oracle resources and applications and to perform operations through Oracle Fail Safe Manager.
Table 4-1 provides a quick reference for the privileges required for the services you use in an Oracle Fail Safe environment. For more information, refer to the sections listed in the last column.
Table 4-1 Permissions and Privileges
|Oracle Services for MSCS||Domain user account that has Administrator privileges on all cluster nodes||Section 4.3.1|
|Oracle Fail Safe Manager||Domain user account that has Administrator privileges on all cluster nodes||Section 4.3.2|
|Oracle database||Database administrator account with SYSDBA privileges||Section 7.5|
|Oracle Forms Load Balancer Server, Oracle Forms Server, and Oracle Reports Server||Do not require privileges (Oracle Reports Server requires a Windows domain user account that has access to printers.)||Section 8.4, Section 9.4 and Section 10.3.3.6|
|Oracle Applications concurrent manager||Windows Administrator account||Section 12.4|
|Oracle HTTP Server||None||Not Applicable|
|Oracle MTS Service||
The account that the Oracle MTS Service uses to log on to the system must be the system account or a domain user account.
The account that the Oracle MTS Service uses to connect to the database must have the following database roles, privileges, and rights:
|Generic services||By default, a generic service runs under the local system account. If you specify that the generic service should run under a user account, it must have the "Log on as a service" privilege.||Section 14.4|
To ensure that only users who have the correct privileges can manage resources in a cluster, Oracle Fail Safe implements a security component.
Oracle Services for MSCS runs as a Windows service that must run under a domain user account (not the system account) that has Administrator privileges on all cluster nodes. You specified this user account for Oracle Services for MSCS when you installed Oracle Fail Safe. (See the Oracle Fail Safe Installation Guide for more information about this part of the installation.)
Oracle Fail Safe also has its own security component. Therefore, if you make changes to the Windows user account (user name, password, or domain) used by Oracle Services for MSCS, you must also update the security settings for both the Windows service and Oracle Fail Safe. Oracle Fail Safe provides a Security Setup tool to update this security information.
Oracle Fail Safe provides a Security Setup tool that you can use to update the information for the account under which Oracle Services for MSCS runs. The Oracle Services for MSCS Security Setup tool is installed when you install Oracle Services for MSCS.
-> Oracle Services for MSCS Security Setup
Note:Be sure that you use the Oracle Services for MSCS Security Setup tool to update the security information on all cluster nodes, and that you use the same account on all cluster nodes.
Figure 4-2 shows the setup for user account Administrator in the domain NEDCDOMAIN.
Figure 4-2 Windows User Account Settings for the Oracle Services for MSCS
Oracle Services for MSCS automatically discovers (locates) and displays standalone resources in the Oracle Fail Safe Manager tree view. Figure 4-3 shows an example of discovery occurring in Oracle Fail Safe Manager. Chapters 7 through 14 contain information on how Oracle Fail Safe discovers each type of component that you can configure for high availability with Oracle Fail Safe.
Figure 4-3 Discovery of Standalone Resources
Once a resource is added to a group, you should not change the resource name. If the resource name must be changed, then use Oracle Fail Safe Manager to remove the resource from the group. Then, add it back to the group using the new name.
Oracle Fail Safe supports the multiple Oracle homes feature (multiple Oracle homes became available beginning with Oracle8 release 8.0.4). The following list describes the requirements for using Oracle Fail Safe in a multiple Oracle homes environment:
You can install Oracle Services for MSCS in any one Oracle home on all cluster nodes. Only one version of Oracle Services for MSCS can be installed and running on a node.
You can use the latest release of Oracle Fail Safe Manager to manage multiple clusters. Oracle Fail Safe Manager release 3.3.1 can be used with Oracle Fail Safe release 3.3.1, 3.2.1, and 3.1.2. For releases of Oracle Fail Safe prior to 3.1.2, you must use a matching Oracle Fail Safe Manager release.
You can install multiple versions of Oracle Fail Safe Manager on a system.
Note:If you install multiple versions of Oracle Fail Safe Manager, each version must be installed in a different Oracle home, and the latest release of Oracle Fail Safe Manager must be installed last.
Each resource to be configured for high availability must be installed in the same Oracle home on all cluster nodes that are possible owners. The Verify Cluster operation will validate this symmetry. See Section 6.1.1 for information on the Verify Cluster operation.
When you add a database to a group, an Oracle Net listener resource is added to the group also. (Optionally, you can add an Oracle Intelligent Agent resource to the group. See Section 7.7.1 for more information.)
The listener is created in the same Oracle home where the database resides. The Oracle Intelligent Agent does not have to be in the same Oracle home where the database resides.
Before any resources (other than generic services) can be added to a group using Oracle Fail Safe Manager, one or more virtual addresses must be added to the group. Client applications connect to the resources in a group using one of the virtual addresses in the group.
You can add up to 32 virtual addresses to a group (prior to adding resources) by invoking the Add Resource to Group Wizard. (In Oracle Fail Safe Manager, on the Resources menu, select Add to Group.)
Note the following restrictions:
At least one virtual address must be added to a group before you can add another resource to the group. Only generic services can be added to a group that does not already contain a virtual address.
If the group will contain one or more Oracle databases:
All virtual addresses that you plan to configure with one or more databases in a group must be added to the group before you can add any databases to the group.
All databases in a group must use the same set of virtual addresses that you specify for the first database that you add to the group. (The set of virtual addresses can contain as few as one address.)
(See Section 18.104.22.168 for more information about configuring multiple virtual addresses with Oracle databases.)
Multiple virtual addresses in a group provide flexible configuration options. For example, you might have users access a database over the public network while you perform a database backup operation over the private network. Or you might allocate different virtual addresses on different network segments to control security, with administrators accessing the database on one segment, while users access the database on another segment.
When you add more than one virtual address to a group, Oracle Fail Safe Manager asks you to specify which address clients can use to access the resources in that group. If you add more than one resource to a group (for example, a database and an Oracle Reports Server), you might dedicate one virtual address for users to access the database directly and another for users to access the Oracle Reports Server. Alternatively, if there are many database users, you might have some users access the database using one virtual address and the others use the other virtual address, to balance the network traffic.
See the online help in Oracle Fail Safe Manager for information about adding a virtual address to a group.
Instructions for installing the software to add a new node to an existing cluster are described in the Oracle Fail Safe Installation Guide. Once that task is completed, there is one final step. You need to run the Verify Group command on each group on the cluster for which the new node will be a possible owner.
Assume you add a new node to the cluster and install Oracle Fail Safe on that node along with the DLLs for the resources you intend to run on that node. The new node becomes a possible owner for these resources. If these resources have not yet been configured to run on the new node, when the group or groups containing them fail over to that node, these resources cannot be restarted on that new node.
However, if you run the Verify Group command, Oracle Fail Safe checks that the resources in the verified groups are configured to run on each node that is a possible owner for the group. If it finds a possible owner node where the resources in the group are not configured to run, then Oracle Fail Safe configures them for you.
Therefore, Oracle Corporation strongly recommends you run the Verify Group command for each group for which the new node is listed as a possible owner. Section 6.1.2 describes the Verify Group command. You can also verify groups using the FSCMD command, as described in Chapter 5.