6 Ensuring Application Continuity
Application Continuity is a feature that enables the replay, in a non-disruptive and rapid manner, of a request against the database after a recoverable error that makes the database session unavailable so an outage appears to the user as no more than a delayed execution of the request.
The request can contain transactional and non-transactional work. After a successful replay, the application can continue where that database session left off, instead of having users left in doubt, not knowing what happened to their funds transfers, flight bookings, and so on, and avoiding the need to reboot mid-tier servers to recover from an overload of log ins when the application comes back online. With Application Continuity, the end-user experience is improved by masking many outages, planned and unplanned, without the application developer needing to attempt to recover the request.
Without Application Continuity, it can be almost impossible for an application to mask outages in a safe way, for reasons that include the following:
-
The state at the client remains at present time, with entered data, returned data, and variables cached.
-
If a
COMMIT
has been issued, then theCOMMIT
failure message cannot be retrieved if it is not received by the client or the application. -
Checking the status of an in-doubt tansaction at a point in time is no guarantee that it will not
COMMIT
later. -
Non-transactional database session state that the application needs to operate is lost.
-
If the request can continue, the database and the database session must be in the right state.
With Application Continuity, however, Oracle Database, the Oracle drivers, and the Oracle connection pools all collaborate to mask many outages in a safe and reliable way.
Application Continuity improves developer productivity by attempting to mask outages that can be masked. However, applications still must include error handling for these cases:
-
Nonrecoverable errors, such as invalid input data. (Application Continuity applies only to recoverable errors.)
-
Recoverable errors when replay has encountered a restriction, such as use of concrete classes in the application, or when replay has not been able to restore the client-visible state to that on which the client may have made decisions so far.
Introduced in Oracle Database 12c Release 1 (12.1.0.1), Application Continuity strengthens the fault tolerance of systems and applications that use an Oracle database.
This chapter assumes that you are familiar with the major relevant concepts and techniques of the technology or product environment in which you are using Application Continuity, such as Oracle WebLogic Server, Oracle RAC, or Oracle Active Data Guard (Oracle ADG).
This chapter includes the following topics:
6.1 Fast Application Notification
The Oracle RAC high availability framework monitors a database and its services and sends event notifications using Fast Application Notification (FAN).
Oracle Database focuses on maintaining the highest possible service availability. In Oracle RAC, services are designed to be continuously available with loads shared across one or more instances. The Oracle RAC high-availability framework maintains service availability by using Oracle Clusterware and resource profiles. Oracle Clusterware recovers and balances services according to business rules and the service attributes.
This includes the following topics:
Related Topics
6.1.1 Overview of Fast Application Notification
FAN provides immediate interrupt of clients following outages related to the database, nodes, and networks.
FAN is essential to break clients out of TCP/IP timeouts immediately following failures. FAN notifies clients immediately when resources become available and initiates draining of database sessions so clients experience no outages during planned maintenance. FAN also includes notifying configuration- and service-level information that includes changes in service status.
Note:
FAN is supported from Oracle Database 10g release 2 (10.2), on.Oracle connection pools, for example, use FAN to receive very fast notification of failures, to balance connections following failures, and to balance connections again after the failed components are repaired. So, when a service at an instance starts, the connection pool uses the FAN event to route work to that resource, immediately. When a service at an instance or node fails, the connection pool uses the FAN event to immediately interrupt applications to recover. FAN is essential to prevent applications from hanging on TCP/IP timeouts.
Importance of FAN
Applications can waste time in many critical ways:
-
Waiting for TCP/IP timeouts when a node fails without closing sockets, and for every subsequent connection while that IP address is down.
-
Attempting to connect when services are down.
-
Not connecting when services resume.
-
Processing the last result at the client when the server goes down.
-
Attempting to execute work on sub-optimal nodes.
When a node fails without closing sockets, all sessions that are blocked in an I/O wait (read or write) wait for tcp_keepalive
. This wait status is the typical condition for an application connected by a socket. Sessions processing the last result are even worse off, not receiving an interrupt until the next data is requested. Using FAN events eliminates applications waiting on TCP timeouts, time wasted processing the last result at the client after a failure has occurred, and time wasted executing work on slow, hung, or dead nodes.
For cluster configuration changes, the Oracle RAC high availability framework publishes a FAN event immediately when a state change occurs in the cluster. Instead of waiting for the application to time out against the database and detect a problem, applications can receive FAN events and react immediately. With FAN, in-flight transactions are immediately terminated and the client notified when the instance fails.
FAN also publishes load balancing advisory events. Applications can take advantage of the load balancing advisory FAN events to direct work requests to the instance in the cluster that is currently providing the best service quality.
Oracle Database 12c release 2 (12.2) client drivers are FAN-aware, and FAN is enabled, by default. This includes the JDBC Thin driver (12.2.0.1) and Oracle Data Provider for Net (ODP.NET) drivers. A client driver can detect planned and unplanned FAN events and take action beneath the application.
For planned maintenance and applications using OCI or Pro* (and not using the OCI session pool or Tuxedo), an application must check OCI_ATTR_SERVER_STATUS
. Add this check when sessions are returned to your own connection pool, and for idle connections, regularly.
Following a FAN down event with planned maintenance, this attribute is set to OCI_SERVER_NOT_CONNECTED
. The application closes the connection after reading this disconnected status. The session remains open for draining of active work until the application closes, providing error-free failover.
You can take advantage of FAN events in the following ways:
-
Applications can use FAN without programmatic changes if you use an integrated Oracle client. The integrated clients for FAN events include Oracle JDBC Universal Connection Pool, ODP.NET connection pool, OCI session pool, Oracle WebLogic Server Active Gridlink for Oracle RAC, and OCI and ODP.NET clients. The integrated Oracle clients must be Oracle Database 10g release 2 (10.2) or later to take advantage of the FAN high-availability events. The pooled clients can also take advantage of the load balancing advisory FAN events.
-
You can configure third-party application containers, such as those provided by Apache Tomcat and WebSphere, to use the built-in FAN support offered by using the Universal Connection Pool in place of the default pool, which is certified as a connection pool for third-party Java application servers including Apache Tomcat and WebSphere.
-
Use the FAN-aware capability of the Oracle drivers by using standard interfaces to test connections on get or release from the third-party connection pools in use by third-party application servers or custom applications.
-
This solution applies to standard Java applications through the use of the standard TNS connect string and ensures that the
ons.jar
andsimpleFAN.jar
files are available on the application CLASSPATH. -
For the OCI/OCCI driver, the OCI_ATTR_SERVER_STATUS server context handle attribute is sensitive to FAN events and will return
OCI_SERVER_NOT_CONNECTED
if the connection has been affected by a FAN event.
-
-
You can implement FAN with server-side callouts on your database tier.
-
Applications can use FAN programmatically by using the JDBC and Oracle RAC FAN application programming interface (API) or by using callbacks with OCI and ODP.NET to subscribe to FAN events and to run event handling actions upon the receipt of an event.
If you use one of the integrated clients listed in the first item of the preceding list, then, for DOWN events, the disruption to the application is minimized because the FAN-aware client terminates the connections to the failed instance or node before they are reused. Active work can be allowed to complete and, if there is a surviving instance, then continuous service can be maintained for ongoing work. Any sessions active when the instance or service stops are terminated and the application user is immediately notified. Incomplete transactions can be protected by Application Continuity, if it is enabled. Application users who request connections are directed to available instances, only.
For UP
events, when services and instances are started, new connections are created so that the application can immediately take advantage of the extra hardware resources or additional capacity.
-
For the thin Java driver, beginning with release 12.2, FAN is automatically enabled by placing the
ons.jar
andsimpleFAN.jar
files on the CLASSPATH, and by using the recommended TNS format (as shown in Example 6-1). Using the recommended TNS format automatically configures ONS. Also with the Java thin driver, FAN is supported for both planned and unplanned events. For unplanned outages, the FAN interrupt is immediate. For planned maintenance, configure the Java application servers or custom pools using standard interfaces to test connections on get or release from third-party connection pools. For example,TestConnectionsOnReserve
,TestOnBorrow
, orPreTest
connections, depending on the application server.With this approach, when a FAN event is received during planned maintenance, Fast Connection Failover closes sessions when they are tested, because the application does not have a connection to the database at this time, and can retry for a new connection. The connection tests may use
isValid
,isClosed
,isUsable
,PingDatabase
, or a SQL statement that is preceded by the hint/*+ CLIENT_CONNECTION_VALIDATION */
. -
For a SQL test, the SQL syntax must begin with the hint
/*+ CLIENT_CONNECTION_VALIDATION */
. At the time the SQL command runs, the driver will drain the connection, if it is affected by the upcoming planned maintenance. Connection pools, data sources, and, in the programmatic case, customer applications, must all be ready to manage the recoverable error that occurs when the SQL command runs, which usually closes the physical connection.Note:
The SQL hint must be placed as the first non-comment token within the SQL string to avoid changing current, driver-based SQL parsing. For example:/*+ CLIENT_CONNECTION_VALIDATION */ SELECT 1 FROM DUAL;
-
Third-party Java application servers and Java applications can use the
PooledConnection
standard interface when developing connection pools. -
Beginning with the 11.2.0.3 release of the OCI/OCCI driver, when the OCI_ATTR_SERVER_STATUS server context handle attribute returns
OCI_SERVER_NOT_CONNECTED
, the application must terminate the connection. Work will be drained for planned maintenance. The 12.2 release of the driver can also detectOCISessionRelease
andOCIRequestEnd
when it receives a planned DOWN event.
The following table describes the standard tests available for several of the more common application servers:
Table 6-1 Standard Tests for Some Common Application Servers
Application Server | Connection Test to Database |
---|---|
Oracle WebLogic Server |
The tests offered include:
|
Oracle WebLogic Server Active Gridlink |
The test is embedded:
|
IBM WebSphere |
PreTest connections (SQL syntax):
|
RedHat JBoss |
check-valid-connection-sql (SQL syntax):
|
Apache Tomcat |
There are two tests available—
testOnBorrow and testOnReturn —and they both use SQL syntax to test the connection to the database:
|
Oracle recommends that you use the following format for supporting automatic configuration of FAN:
Example 6-1 Automatic Configuration of FAN
alias =(DESCRIPTION =
(CONNECT_TIMEOUT=90)(RETRY_COUNT=20)(RETRY_DELAY=3)(TRANSPORT_CONNECT_TIMEOUT=3)
(ADDRESS_LIST =
(LOAD_BALANCE=on)
( ADDRESS = (PROTOCOL = TCP)(HOST=primary-scan)(PORT=1521)))
(ADDRESS_LIST =
(LOAD_BALANCE=on)
( ADDRESS = (PROTOCOL = TCP)(HOST=secondary-scan)(PORT=1521)))
(CONNECT_DATA=(SERVICE_NAME = gold-cloud)))
FAN callouts are server-side scripts or executables that run whenever a FAN event is generated. You can design and build callouts to do many things. For example:
-
Log status information
-
Page DBAs or to open support tickets when resources fail to start
-
Automatically start dependent external applications that must be co-located with a service
-
Change resource plans or shut down services when the number of available instances for a policy-managed database decreases, for example, if nodes fail
-
Automate the fail back of a service to preferred instances for administrator-managed databases, if needed
FAN events are published using Oracle Notification Service and Oracle Streams Advanced Queuing, the latter being continued for backward compatibility to previous Oracle Database releases. The publication mechanisms are automatically configured as part of your Oracle RAC installation. If you are using thin Java JDBC connections, then the client can be automatically configured for Oracle Notification Service, by obtaining the database-server Oracle Notification Service configuration from the database connection. It is not necessary to configure Oracle Notification Service on the client.
Oracle Net Services listeners and Global Data Services (GDS) are integrated with FAN events, enabling the listener and GDS to immediately de-register services provided by the failed instance and to avoid erroneously sending connection requests to failed instances.
If you specify the connection load balancing goal CLB_GOAL_SHORT
for the service, then the listener uses the load balancing advisory when the listener balances the connection loads. When load balancing advisory is enabled, the metrics used for the listener are finer grained.
6.1.2 Managing Unplanned Outages
You can assign services to one or more instances in an administrator-managed Oracle RAC database or to server pools in a policy-managed database.
If Oracle RAC detects an outage, then Oracle Clusterware isolates the failed component and recovers the dependent components. For services, if the failed component is an instance, then Oracle Clusterware attempts to maintain the cardinality of the service. If the service definition allows for failover and that is necessary to maintain cardinality, then failover occurs.
FAN events can occur at various levels within the Oracle Database architecture and are published through Oracle Notification Service and Oracle Streams Advanced Queuing for backward compatibility with previous OCI clients. FAN callouts can also be written to execute on the database server in response to FAN events.
Note:
Oracle Database does not run Oracle RAC callouts with guaranteed ordering. Callouts are run asynchronously and they are subject to scheduling variability.
FAN is published from a surviving node when the failed node is out of service. The location and number of instances in an Oracle RAC environment that provide a service are transparent to applications. Restart and recovery are automatic, including the restarting of the subsystems, such as the listener and the Oracle Automatic Storage Management (Oracle ASM) processes, not just the database. You can use FAN callouts to report faults to your fault management system and to initiate repair jobs.
It is a complex task for application developers to mask outages of a database session (instance, node, storage or network, or any other related component) and, as a result, errors and timeouts are often exposed to the end users leading to user frustration, lost productivity, and lost opportunities. Together, FAN and Application Continuity mask outages from users and applications by recovering the in-flight work for impacted database sessions following outages. Application Continuity performs this recovery beneath the application so that the outage appears to the application as a slightly delayed execution of the request.
6.1.3 Managing Planned Maintenance
For repairs, upgrades, and changes that require you to isolate one or more instances or nodes, Oracle RAC provides interfaces that relocate, disable, and enable services to minimize service disruption to application users.
When you relocate a service, you indicate the service should run on another instance temporarily. If you forcibly disable a service, then the service is stopped on all database instances and is no longer available. Disabled services are not restarted automatically. When a service is stopped or relocated, FAN is published with a planned reason code, typically reason=user
. Once you complete the operation, you can return the service to normal operation or enable the service and then restart it. When a service restarts, FAN is published with UP
status codes.
Due to dependencies, if you manually shut down your database, then all of your services for that database automatically stop. If you want your services to automatically start when you manually restart the database, then you must set the management policy of the service to automatic. If you want to shut down only one instance of the database and you want the service to remain offered, then you can either relocate the service using srvctl relocate service
or stop the instance using srvctl stop instance
, which enables the service to automatically failover according to its failover policy.
In either case, Oracle recommends that work running under the service drain at request boundaries. The drain interval is specified as an attribute of the service or you can provide a drain interval on the SRVCTL command line.
This section includes the following topics:
Related Topics
6.1.3.1 Managing Planned Maintenance Without User Interruption
You may have to stop database instances for maintenance, such as upgrading the Oracle software, patching, and replacing hardware.
The steps in this section result in the least impact to users and requests are not interrupted.
For planned maintenance, Oracle recommends that you drain requests over a controlled time period from FAN-enabled Oracle connection pools. The service attributes -drain_timeout
and -stopoption
control the drain time period, and then how the service manages sessions that have not completed once this time period expires. Requests that complete and then check back in to the pool or close, can be directed to a new location that is not affected by the planned maintenance.
When using the Oracle Universal Connection Pool, sessions gradually drain, according to the value of the -drain_timeout parameter, so there is minimal impact to other work at the target instances. This also prevents overwhelming numbers of logins when the service becomes available again.
Application Continuity provides additional cover, giving continuous service for those requests that do not complete within the allotted drain time.
Using any FAN-aware pool with Fast Connection Failover configured (such as OCI session pools, Oracle Universal Connection Pool, Oracle WebLogic Server Active GridLink for Oracle RAC, or ODP.NET) allows sessions to drain at request boundaries after receipt of the FAN planned DOWN
event.
Requests are far more important than transactions because they enable the issued work to complete. For draining requests, the Oracle Universal Connection Pool uses the drain timeout to gradually drain, which prevents an overload of logins on the instances drained, by slowly releasing the original sessions across the time period rather than all at once. Gradual draining has the benefit of not disturbing the other work ongoing at the target instances.
Both DRAIN_TIMEOUT
and STOP_OPTION
are service attributes that you can define when you add the service or modify it after creation. You can also specify these attributes using SRVCTL, which will take precedence over what is defined on the service. You can specify the -drain_timeout
and -stopoption
parameters when using the following SRVCTL commands:
-
srvctl add service
-
srvctl modify service
-
srvctl relocate service
-
srvctl stop service
-
srvctl stop database
-
srvctl stop instance
To manage planned maintenance without user interruption:
Related Topics
6.1.3.2 Managing a Group of Services for Maintenance
Many enterprises run a large number of services, whether it be many services offered by a single database or instance, or many databases offering a few services running on the same node.
This section includes the following topics:
6.1.3.2.1 Starting Services
You can use the srvctl start service
command to start all services on a node, all services offered by a database, all services offered by a pluggable database, or all services offered on an instance or within a given server pool.
srvctl start service
command that you want to start. Additionally, you can provide a node restriction, used in conjunction with the database option, for all services that can be started on a particular node. You can restrict the srvctl start service
command to start only the parallel query service by specifying the -pq
parameter.
6.1.3.2.2 Pluggable Database-Level Operations
You can use SRVCTL to manage services on pluggable databases.
6.1.3.2.3 Relocating Services
You can use the srvctl relocate service
command to relocate services to a target destination, which can be an instance, a node, a database, or a pluggable database.
-drain_timeout
and -stopoption
parameters override the service attributes.
6.1.3.2.4 Stopping Services
You can use the srvctl stop service
command to stop all services on a node, all services offered by a database, all services offered by a pluggable database, or all services offered on an instance or within a given server pool.
srvctl stop service
command, and you can also restrict the srvctl stop service
command to stop only the parallel query service by specifying the -pq
parameter.
6.1.4 Fast Application Notification High Availability Events
This section describes the information delivered in the FAN event to a callout program.
FAN event types are listed following the example, and Table 6-2 describes name-value pairs for the event parameters. The event type is always the first entry when you receive FAN information through a callout, as in the following example:
SERVICEMEMBER VERSION=1.0
service=test.company.com database=ractest
instance=ractest11 host=ractest1_host0343_1 status=up reason=FAILURE
timestamp=2012-02-01 22:06:02 timezone=-07:00 db_domain=company.com
Note that the preceding example displays as one line.
FAN event types include:
DATABASE
INSTANCE
NODE
SERVICE
SERVICEMEMBER
SRV_PRECONNECT
SERVICEMETRICS
The DATABASE
and INSTANCE
types list the default database service as DB_UNIQUE_NAME
.
All events except for NODE
events include a db_domain
field.
Events of SERVICEMETRICS
type are load balancing advisory events.
See Also: Table 5-1 for more information about load balancing events
Table 6-2 Event Parameter Name-Value Pairs and Descriptions
Parameter | Description |
---|---|
VERSION |
Version of the event record. Used to identify release changes. |
database |
The unique name of the database supporting the service; matches the initialization parameter value for |
instance |
The name of the instance that supports the service; matches the |
host |
The name of the node that supports the service or the node that has stopped; matches the node name known to Cluster Synchronization Services (CSS). |
service |
The service name; matches the name of the service as listed in
|
status |
Values are Notes:
|
reason |
Notes:
|
cardinality |
The number of service members that are currently active; included in all Following is an example of
|
incarnation |
For Following is an example of a
|
timestamp |
The time according to Oracle Clusterware that an event occurs. |
timezone |
The time zone of Oracle Clusterware where the event occurred, given as GMT +/-hh:mm. |
Some of the FAN event record parameters have values that correspond to values returned by the SYS_CONTEXT
function using the default namespace USERENV
, as shown in Table 6-3.
Table 6-3 FAN Parameters and Matching Session Information
FAN Parameter | Matching Session Information |
---|---|
SERVICE |
sys_context('userenv', 'service_name') |
DATABASE_UNIQUE_NAME |
sys_context('userenv', 'db_unique_name') |
INSTANCE |
sys_context('userenv', 'instance_name') |
CLUSTER_NODE_NAME |
sys_context('userenv', 'server_host') |
6.1.5 Subscription to High Availability Events
Oracle RAC uses FAN to notify applications about configuration changes and the current service level that is provided by each instance where the service is enabled. If you are using an OCI client or an ODP.NET client to receive FAN events, then you must enable the service used by that client to access the alert notification queue by using SRVCTL with the -notification
parameter.
6.1.6 Using Fast Application Notification Callouts
FAN callouts are server-side executables that Oracle RAC executes immediately when high availability events occur.
You can use FAN callouts to automate activities when events occur in a cluster configuration, such as:
-
Opening fault tracking tickets
-
Sending messages to pagers
-
Sending e-mail
-
Starting and stopping server-side applications
-
Maintaining an uptime log by logging each event as it occurs
-
Relocating low-priority services when high priority services come online
To use FAN callouts, place an executable in the Grid_home/racg/usrco
directory on every node that runs Oracle Clusterware. The executable must be able to run standalone when called, with optional arguments, from another program. The following is an example of the Grid_home/racg/usrco/callout.sh
callout:
#! /bin/bash
FAN_LOGFILE= [your_path_name]/admin/log/'hostname'_uptime'.log
echo $* "reported="'date' >> $FAN_LOGFILE &
The previous example produces output similar to the following:
NODE VERSION=1.0 host=sun880-2 incarn=23 status=nodedown reason=public_nw_down
timestamp=08-Oct-2012 04:02:14 timezone=-08:00 reported=Fri Oct 8 04:02:14 PDT 2012
The contents of a FAN event record matches the current session of the user logged on to the database, as shown in Table 6-3. The user environment (USERENV
) information is also available using OCI connection handle and descriptor attributes (using OCIAttrGet()
). Use this information to take actions on sessions that match the FAN event data.
See Also:
Table 6-2 for information about the callout and event details
In general, events are only posted to user callouts on the node from which the event originated. For example, if the database on node1
goes down, then the callout is posted to node1
, only. The only exceptions to this are node down and VIP down events—these events are posted to all nodes, regardless of from where they originated.
Related Topics
6.2 About Application Continuity
Application Continuity masks many recoverable database outages (when replay is successful) from applications and users by restoring the database session: the full session, including all states, cursors, variables, and the last transaction if there is one.
Application Continuity addresses the problem that arises when an application is trying to access the database and the database instance becomes unavailable due to an unplanned or planned outage (timeout, network outage, instance failure, repair, configuration change, patch apply, and so on). Without Application Continuity in place, database recovery does not mask outages to applications and end users. In such scenarios, developers and users must cope with exception conditions, and users can be left not knowing what happened to their funds transfers, time sheets, orders, bill payments, and so on. Users might lose screens of uncommitted data, and must log in again and reenter that data. In the worst cases, the administrator might be forced to restart the middle tier to recover from an overwhelming number of logins.
With Application Continuity, if the database instance became unavailable, then Application Continuity attempts to rebuild the session and any open transactions using the correct states; and if the transaction committed and need not be resubmitted, then the successful return status is returned to the application. If replay is successful, then the request can continue safely without risk of duplication. If replay cannot restore data that the application has already processed and potentially made decisions on, then the database rejects the replay and the application receives the original error.
Application Continuity performs the recovery of in-flight transactions and database session state, while ensuring the transaction idempotence provided by Transaction Guard. Each database session is tagged with a logical transaction ID (LTXID), so the database recognizes whether each replay committed any transactions, and if it did commit any transactions, whether the work also ran to completion. While Application Continuity attempts to replay, the replay appears to the application as a delayed execution, or the application receives the commit response for the original transaction (if the last transaction had completed before the outage).
Application Continuity is supported for Oracle RAC and Oracle Active Data Guard. It is supported for both non-consolidated databases and Multitenant databases (with failover at the pluggable database level). It is not currently supported for Golden Gate, Logical Standby, third-party replication solutions, or DML redirection if using Oracle Active Data Guard.
Related Topics
6.2.1 Key Concepts for Application Continuity
This section describes several terms and concepts that you must understand to use Application Continuity.
The following terms are used throughout this chapter:
request
A request is a unit of work submitted from the application, such as a transaction. A request typically corresponds to the SQL and PL/SQL, and other database calls, of a single web request on a single database connection, and it is generally demarcated by the calls made to check-out and check-in the database connection from a connection pool.
recoverable error
A recoverable error is an error that arises due to an external system failure, independent of the application session logic that is executing, such as a lost or invalid connection. Recoverable errors occur following planned and unplanned outages of foregrounds, networks, nodes, storage, and databases. The application receives an error code that can leave the application not knowing the status of the last operation submitted. Application Continuity reestablishes database sessions and resubmits the pending work for the class of recoverable errors.
Application Continuity does not resubmit work following call failures due to nonrecoverable errors. An example of a nonrecoverable error that would not be replayed is submission of invalid data values.
commit outcome
A transaction is committed by updating its entry in the transaction table. Oracle Database generates a redo-log record corresponding to this update and writes out this redo-log record. Once this redo-log record is written out to the redo log on disk, the transaction is considered committed at the database. From the client perspective, the transaction is considered committed when an Oracle message (called the commit outcome), generated after that redo is written, is received by the client. However, if a COMMIT
has been issued, then the COMMIT
failure message cannot be retrieved if it is not received by the client or the application.
mutable functions
Mutable fuctions are non-deterministic functions that can obtain a new value every time they are called, and thus their results can change frequently. Mutable functions cause a problem for replay because the results can change at replay. Consider sequence.NEXTVAL
and SYSDATE
, often used in key values. If a primary key is built with values from these function calls, and is used in later foreign keys or other binds, at replay the same function result must be returned.
Application Continuity provides mutable object value replacement at replay for granted Oracle function calls to provide opaque bind-variable consistency. If the call uses database functions that are mutable, including sequence.NEXTVAL
, SYSDATE
, SYSTIMESTAMP
, and SYSGUID
, the original values returned from the function execution are saved and are reapplied at replay.
session state consistency
After a COMMIT
statement has executed, if state was changed in that transaction, it is not possible to replay the transaction to reestablish that state if the session is lost. When configuring Application Continuity, the applications are categorized depending on whether the session state after the initial setup is static or dynamic, and thus whether it is correct to continue past a COMMIT
operation within a request.
-
A session has dynamic state if the session state changes are not fully encapsulated by the initialization, and cannot be fully captured by FAILOVER_RESTORE or in a callback at failover. After the first transaction completes, failover is internally disabled until the next request begins. Session state may change during the course of the request.
-
A session has a static state if all session state changes (for example, NLS settings and PL/SQL package state) occur as part of initialization, and can be encapsulated by FAILOVER_RESTORE or in a callback at failover. Static applications are those that were able to use Transparent Application Failover (TAF) before Application Continuity. Session state does not change during the course of the request.
6.3 Application Continuity Operation and Usage
This section explains how Application Continuity works, and how you can use it in applications.
This section includes the following topics:
6.3.1 How Application Continuity Works for Applications
If a recoverable error occurs and if you enabled replay, then Application Continuity attempts recovery of the database session.
The following figure is a graphical representation of how Application Continuity works.
Note:
The steps to recover a database session apply for both unplanned and planned outages, although specific steps vary depending on the type of outage.-
The client application makes a request, which is passed to a middle tier (such as the Universal Connection Pool (UCP), ODP.NET, WebLogic Server, OCI session pool, Tuxedo, JDBC and OCI drivers, or third-party pool using UCP), or directly to the database using the JDBC replay driver or OCI driver.
-
The JDBC replay driver or OCI driver issues each call in the request.
-
A FAN unplanned or planned down interrupt or recoverable error occurs. FAN/FCF then aborts the dead physical session.
-
Application Continuity begins the replay and does the following:
-
Replaces the dead physical session with a new clean session.
-
Prepares for replay by using Transaction Guard to determine the outcome of the in-flight transaction, if one was open.
-
FAILOVER_RESTORE=LEVEL1
restores the common initial session states. Application Continuity uses a labeling callback or reconnect callback if an application also sets initial session states that are not provided by FAILOVER_RESTORE. -
Rebuilds the database session, recovering the transactional and non-transactional states, and validating at each step that the data and messages seen by the client driver are the same as those that the client may have seen and used to make a decision.
-
Ends the replay and returns to runtime mode.
-
Submits the last queued call.
This is the last call made when the outage was discovered. During replay, only this call can execute a
COMMIT
. ACOMMIT
midway through rebuilding the session aborts replay (excluding autonomous transactions).
-
-
The response is returned to the application.
If replay succeeded, then the application can continue with the problem masked. If not, then the application must handle the original error.
The behavior of Application Continuity after a communication failure depends on the Oracle products and technologies involved. For example:
-
If you use Oracle RAC or an Oracle Active Data Guard farm, then, after the connection is reestablished on another running instance, Application Continuity attempts to rebuild the session and replay the last transaction if there is one in flight.
-
If you use Oracle Active Data Guard and fail over to a standby site, then Application Continuity connects to the failover instance and attempts to rebuild the session and replay the last transaction there, if a transaction was in-flight. (Application Continuity does not replay if the Oracle Active Data Guard switchover or failover has lost data, and if this is not an Oracle Active Data Guard reader farm with approved lags.)
-
If you are using Oracle RAC or Oracle RAC One Node and not using Oracle Active Data Guard, and if an outage causes a break in all public networks or causes the database or database session to shut down briefly, then Application Continuity attempts to rebuild the session and replay the last transaction (if a transaction was in flight) against the database after connectivity is restored.
Related Topics
6.3.2 Actions for Using Application Continuity
Application Continuity masks outages with few or no application changes when you use the Oracle integrated stack.
Application Continuity is available for general use with the following Oracle technologies:
-
ODP.NET, Unmanaged Driver
-
OCI Session Pool
-
Universal Connection Pool
-
WebLogic Server
-
JDBC Thin Oracle replay driver
-
Oracle Tuxedo
-
SQL*Plus
Application Continuity for Java is embedded in the Universal Connection Pool, WebLogic data sources, including non-XA and XA data sources, and is available with the thin JDBC replay driver, standalone (which is a JDBC replay driver without Oracle connection pools, such as Apache Tomcat or a custom Java connection pool). Application Continuity for OCI is embedded in SQL*Plus, OCI Session Pool. Oracle Tuxedo for non XA data sources, and ODP.NET, Unmanaged Provider.
Application Continuity is embedded in Oracle connection pools. When you use the Oracle connection pools, request boundaries are implicitly marked at check-out and check-in, delimiting the size of each replay. When using third-party connection pools, use UCP if Java, or you can add request boundaries, which are included on the JDK9 standard.
Support for Application Continuity is integrated into many Oracle applications, so the features in such applications are used automatically if you set the Application Continuity-related service attributes. For all applications, follow the steps described in this section.
The main actions for ensuring transparent replay for an application are the following:
-
Only if using Java, determine whether the application uses Oracle JDBC concrete classes. For Application Continuity to be used, the deprecated concrete classes must be replaced.
Use the
-acchk
parameter with the ORAchk utility to verify whether an application has any concrete classes. Use a connection without Application Continuity if there is anything that should not be replayed. (Most applications will be replayable.)See Also:
Oracle Autonomous Health Framework User's Guide for more information about ORAchk -
Ensure that you have the necessary CPU and memory resources.
-
CPU: Application Continuity is managed on the client and server sides and requires minimal CPU overhead to operate.
At the client, CPU is used to build proxy objects and for garbage collection (GC).
At the server, CPU is used for validation. CPU overhead is reduced for platforms with current Intel and Sparc chips where validation is assisted in the hardware.
-
Memory: When using Application Continuity, the replay driver requires more memory than the base driver because the calls are retained until the end of a request. At the end of the request, the calls are released to the garbage collector. This action differs from the base driver that releases closed calls.
The memory consumption of the replay driver depends on the number of calls per request. If this number is small, then the memory consumption of the replay driver is less, and comparable to the base driver.
To obtain the best performance, you must set the same value for both the
-Xmx
and-Xms
parameters on the client. For example, if there is sufficient memory, then allocate 4 to 8 GB (or more) of memory for the Virtual Machine (VM), for example, by setting-Xms4g
for 4 GB. If the-Xms
parameter has a lower value, then the VM also uses a lower value from the operating system, and performance might suffer and garbage collection operations increase.
-
-
Determine whether the application borrows and returns connections from the connection pool, for example WebLogic Server Pool, Universal Connection Pool, OCI Session Pool, Oracle Tuxedo request, or ODP.NET connection pool, for each request, or whether to add
beginRequest
andendRequest
APIs to the application's own connection pool to identify request boundaries for Java, only.Important:
Do not use thebeginRequest
andendRequest
Java API calls anywhere other than at request boundaries (borrow and return connections from your connection pool).endRequest
indicates that the request is complete, and that it is now stateless. Replay starts from the nextbeginRequest
. If there is prior state, it must be reestablished usingFAILOVER_RESTORE
or callback. -
Application Continuity replays your states, all states in a request. If the application sets states before vending connections,
FAILOVER_RESTORE
or a callback is needed. When using Oracle WebLogic Server or the Universal Connection Pool, useFAILOVER_RESTORE
or connection labeling. When using OCI session pool, Oracle Tuxedo or ODP.NET, useFAILOVER_RESTORE
, and only add the TAF callback if it is needed. The labeling is used for both runtime and replay. -
Determine whether the application requires, and therefore needs to configure keeping original values for,
SYSDATE
,SYSTIMESTAMP
, andSYS_GUID
and sequences during failover. -
Assess the application style for the
session_state_consistency
value, and set the appropriate value on the service:-
If
session_state_consistency
isDynamic
, the application changes the environment or settings during the request. Replay is disabled after the firstCOMMIT
until the beginning of the next request.Dynamic
is the default mode, appropriate for most applications. -
If
session_state_consistency
isStatic
, the application never changes the session state after initial setup. This mode is typical for database agnostic applications that do not use PL/SQL state and do not useALTER
part-way through transactions. Use this mode with caution, and only for "static" applications.
-
-
Determine if any requests in the application should not be replayed.
For example, replay may need to be disabled for requests using external PL/SQL actions.
-
Follow these configuration guidelines:
-
Use Oracle Database 12c release 1 (12.1.0.1), or later, for Java. Use Oracle Database 12c release 2 (12.2), or later, for OCI-based applications..
-
For .NET applications, use ODP.NET, Unmanaged Driver 12.2, or later, connecting to an Oracle Database 12c Release 2 (12.2) or later. By default, Application Continuity is enabled for ODP.NET applications in this configuration.
-
For Java-based applications, use Universal Connection Pool 12.1 (or later) or WebLogic Server 12.1.2 (or later) configured with the JDBC Replay data source; or for third party applications, including third party JDBC pools, use JDBC replay driver. For IBM WebSphere, Apache Tomcat, RedHat Spring, and custom Java solutions, the most effective solution is to use UCP as the pooled data source.
Custom Java pools and standalone Java applications can also use the JDBC Replay data source directly. When using custom Java pools and standalone applications, add the
beginRequest
andendRequest
calls. -
If the application does not borrow and return from the Oracle connection pools, explicitly mark request boundaries. For example, if using custom JDBC pools, or other pools, then call
beginRequest
at check-out and callendRequest
at check-in. These APIs can also be used for standalone JDBC applications without a connection pool. -
Enable FAN for fast interrupt on errors. This is essential to eliminate a TCP hang occurring before the failover can start. In 12.2 FAN is built into the JDBC and OCI drivers and is on by default for Java.
-
Use a database service to connect; never use a SID or an instance name, or the administration service that is the
DB_NAME
orDB_UNIQUE_NAME
. -
Use a connection string that sets retries for new incoming connections and a delay between these retries.
Recommended format supporting automatic configuration of FAN:alias =(DESCRIPTION = (CONNECT_TIMEOUT=90) (RETRY_COUNT=20)(RETRY_DELAY=3) (TRANSPORT_CONNECT_TIMEOUT=3) (ADDRESS_LIST = (LOAD_BALANCE=on) ( ADDRESS = (PROTOCOL = TCP)(HOST=primary-scan)(PORT=1521))) (ADDRESS_LIST = (LOAD_BALANCE=on) ( ADDRESS = (PROTOCOL = TCP)(HOST=secondary-scan)(PORT=1521))) (CONNECT_DATA=(SERVICE_NAME = gold-cloud)))
-
For the service, set
FAILOVER_TYPE
toTRANSACTION
,COMMIT_OUTCOME
toTRUE
, andNotification
toTRUE
. Optionally to find the best connections to use, setGOAL
toSERVICE_TIME
andCLB_Goal
toShort
. -
Grant permission on the Transaction Guard package,
DBMS_APP_CONT
, to the database users that fail over using Application Continuity, as follows:GRANT EXECUTE ON DBMS_APP_CONT TO user_name;
-
Use Application Continuity Check Coverage (with the ORAchk utility) to report the percentage of requests that are fully protected by Application Continuity, and the location of those requests that are not fully protected. Use this coverage check before deployment and after application changes. Developers and management will know how well protected an application release is from failures of the underlying infrastructure. If there is a problem, then it can be fixed before the application is released, or waived knowing the level of coverage.
-
See Also:
-
Oracle Data Provider for .NET Developer's Guide for Microsoft Windows for more information about .NET applications development.
-
Oracle Database JDBC Developer’s Guide for more information about developing applications that include Application Continuity for Java
This section includes the following topics:
Related Topics
- Oracle Autonomous Health Framework User's Guide
- Mutable Functions and Application Continuity
- Session State Consistency
- Disabling Replay in Application Continuity
- Oracle Data Provider for .NET Developer's Guide for Microsoft Windows
- Oracle Database JDBC Developer’s Guide
- Oracle Universal Connection Pool Developer’s Guide
- Oracle Database 2 Day + Real Application Clusters Guide
- Oracle ORAchk and EXAchk User’s Guide
6.3.2.1 When Application Continuity is Transparent
Application Continuity is transparent (no application code changes) for ODP.NET applications, OCI applications, Tuxedo applications, and J2EE applications that use standard JDBC, and that use Oracle connection pools (UCP, OCI, or ODP), and SQL*Plus. For applications with external actions (for example, autonomous transactions or using UTL_HTTP
to issue an SOA call), Application Continuity is transparent when the application is satisfied with replaying external actions, such as resending email, auditing, and transferring a file for example.
For non-Oracle pools, including third-party Java containers, in which Application Continuity is not transparent, the following infrastructure changes may be needed:
-
If the connection pool or container does not use an Oracle connection pool, then many third parties fully support replacing the connection pool with the Universal Connection Pool. This includes IBM WebSphere and Apache Tomcat. Alternatively—for Java applications, only—the application can add its own request boundaries.
-
If the application has requests that the application does not want repeated, then the application can explicitly call an API to disable replay for those requests. The simplest way to do this is to use a connection to a service that does not have
FAILOVER_TYPE
set toTRANSACTION
. Such calls are likely to be isolated to one or a few specialized pieces of application code.
6.3.2.2 Configuring Oracle Application Continuity
If you are using Java, then you must use the oracle.jdbc.replay.OracleDataSourceImpl
data source to obtain JDBC connections.
This data source supports all the properties and configuration parameters of all the Oracle JDBC data sources, for example, the oracle.jdbc.pool.OracleDataSource
.
For OCI based applications including SQL*Plus and ODP.NET, the OCI driver 12.2, and later, supports Application Continuity.
You must remember the following points while using the connection URL:
-
If the
REMOTE_LISTENER
setting for the database does not match the addresses in theADDRESS_LIST
at the client, then it does not connect, showingservices cannot be found
. So, theREMOTE_LISTENER
setting for the database must match the addresses in theADDRESS_LIST
at the client:-
If
REMOTE_LISTENER
is set to the SCAN names, then theADDRESS_LIST
must use SCAN VIPs. -
If the connect string uses the SCAN Name, then
REMOTE_LISTENERS
must be set to the SCAN name. -
If the connect string uses an
ADDRESS_LIST
of host VIPs, thenREMOTE_LISTENERS
must be set to an address list that includes all SCAN VIPs and all host VIPs
Note:
Use SCAN for location independence, so that you do not need to reconfigure the client when you add or delete nodes, or when databases change to running on different nodes.
-
-
Set
RETRY_COUNT
,RETRY_DELAY
,CONNECT_TIMEOUT
, andTRANSPORT_CONNECT_TIMEOUT
parameters in the connection string. These settings improve acquiring new connections at runtime, at replay, and during work drains for planned outages.The
CONNECT_TIMEOUT
parameter is equivalent to theSQLNET.OUTBOUND_CONNECT_TIMEOUT
parameter in thesqlnet.ora
file and applies to the full connection. TheTRANSPORT_CONNECT_TIMEOUT
parameter applies per address.Set
CONNECT_TIMEOUT
to a high value to prevent an overabundance of log ins. Low values can result in log in storms to the application or server pool cancelling and retrying. Do not set(RETRY_COUNT+1)*RETRY_DELAY
orCONNECT_TIMEOUT
larger than your response time SLA. The application must either connect or receive an error within the response time SLA.These are general recommendations for configuring the connections for high availability. Do not use Easy*Connect because this has no high-availability capabilities.
When the connect string uses host VIPs, then
REMOTE_LISTENERS
must include host VIPs. When the connect string uses the SCAN name, thenREMOTE_LISTENERS
must be set to the SCAN name, or include the SCAN VIPs and the host VIPs. Therefore,REMOTE_LISTENERS
must be set to the SCAN name unless any clients use host VIPs in their connect strings, in which caseREMOTE_LISTENERS
must be set to anADDRESS_LIST
of all SCAN VIPs and all host VIPs.Following is an example of TNS entry. This is the required TNS format for ONS (the transport system for FAN) to be auto configured. FAN is recommended with Application Continuity to provide the immediate detection.
alias =(DESCRIPTION = (CONNECT_TIMEOUT=120) (RETRY_COUNT=20)(RETRY_DELAY=3) (TRANSPORT_CONNECT_TIMEOUT=3) (ADDRESS_LIST = (LOAD_BALANCE=on) ( ADDRESS = (PROTOCOL = TCP)(HOST=primary-scan)(PORT=1521))) (ADDRESS_LIST = (LOAD_BALANCE=on) ( ADDRESS = (PROTOCOL = TCP)(HOST=secondary-scan)(PORT=1521))) (CONNECT_DATA=(SERVICE_NAME = gold-cloud)))
6.3.2.3 Configuring Oracle Database for Application Continuity
Your Oracle Database configuration must include the following to use Application Continuity:
-
If you are using Oracle Real Application Clusters (Oracle RAC) or Oracle RAC One Node, Oracle Data Guard, or Oracle Active Data Guard, then ensure that FAN is configured with Oracle Notification System (ONS) to communicate with Oracle Database 12c pools and drivers.
-
Set the required properties on the service for replay and load balancing. For example, set:
-
FAILOVER_TYPE = TRANSACTION
: For using Application Continuity -
REPLAY_INITIATION_TIMEOUT = n
: For setting the duration, in seconds, to allow replay to start (where the value ofn
can be, for example, 60, 300, 900, or 1800, depending on your needs) -
FAILOVER_RETRIES = 30
: For specifying the number of connection retries for each replay -
FAILOVER_DELAY = 10
: For specifying the delay in seconds between connection retries -
GOAL = SERVICE_TIME
: If you are using Oracle RAC or Oracle Global Data Services, then this is a recommended setting -
CLB_GOAL = SHORT
: If you are using Oracle RAC or Oracle Global Data Services, then this is a recommended setting -
COMMIT_OUTCOME = TRUE
: For using Transaction Guard -
FAILOVER_RESTORE = LEVEL1
: To automatically restore the states that are preset on the connection pool before the application uses it—including AUTOCOMMIT state (for Java and SQL*Plus), NLS states, and TAGS (Module, action, client id, esid) states.
-
-
Grant permission on the Transaction Guard package,
DBMS_APP_CONT
, to the database users that fail over using Application Continuity, as follows:GRANT EXECUTE ON DBMS_APP_CONT TO user_name;
-
Do not use the default database service corresponding to the
DB_NAME
orDB_UNIQUE_NAME
. Also, do not use the database service for high availability, because this service cannot be enabled and disabled, and cannot be relocated on Oracle RAC or switched over to Oracle Data Guard. This service is reserved for Oracle Enterprise Manager Cloud Control (Cloud Control) and for DBAs.
6.3.2.4 Establishing the Initial State Before Application Continuity Replays
Some applications set an initial state for the connection before allowing applications to use the connection.
Application Continuity must establish this initial state before replay starts. For these applications, FAILOVER_RESTORE
restores common states listed here. If the states that the application presets are not listed here, and the application needs initial states, then an additional callback needs to be added.
Examples of states that can be preset include:
-
PL/SQL package state
-
NLS Setting
-
Optimizer setting
During a request, Application Continuity reestablishes the entire state for the request. This pre-requisite is for the initial state before Application Continuity starts replaying.
A callback is not required if FAILOVER_RESTORE
restores all required states, which is the case for almost all applications.
For applications that set state only at the beginning of a request, or for stateful applications that gain performance benefits from using connections with a preset state, choose one of these options:
6.3.2.4.1 FAILOVER_RESTORE = LEVEL1
Setting FAILOVER_RESTORE
to LEVEL1
automatically restores common state initial settings before replaying the request.
The states restored include the following:
-
NLS_CALENDAR
-
NLS_CURRENCY
-
NLS_DATE_FORMAT
-
NLS_DATE_LANGUAGE
-
NLS_DUAL_CURRENCY
-
NLS_ISO_CURRENCY
-
NLS_LANGUAGE
-
NLS_LENGTH_SEMANTICS
-
NLS_NCHAR_CONV_EXCP
-
NLS_NUMERIC_CHARACTER
-
NLS_SORT
-
NLS_TERRITORY
-
NLS_TIME_FORMAT
-
NLS_TIME_TZ_FORMAT
-
TIME_ZONE (OCI, ODP.NET 12201)
-
NLS_TIMESTAMP_FORMAT
-
NLS_TIMESTAMP_TZ_FORMAT
-
CURRENT_SCHEMA
-
MODULE
-
ACTION
-
CLIENT_ID
-
ECONTEXT_ID
-
ECONTEXT_SEQ
-
DB_OP
-
AUTOCOMMIT states (for Java and SQL*Plus)
-
CONTAINER (PDB) and SERVICE for OCI and ODP.NET
The following are not supported by the THIN driver, so are excluded from the auto-restoration option:
-
NLS_COMP
-
CALL_COLLECT_TIME
-
CLIENT_INFO
6.3.2.4.2 FAILOVER_RESTORE = NONE and No Callback
In this scenario, the application does not assume any state when borrowing a connection from a pool, or uses UCP or WebLogic labels to reestablish the initial state.
6.3.2.4.3 Connection Labeling
Connection Labeling is a generic pool feature that is recommended for its excellent performance. When Connection Labeling is present, Application Continuity uses it. Since the Connection Labeling is recreating the state, FAILOVER_RESTORE can be set to NONE.
This scenario is applicable to Universal Connection Pool (UCP) and Oracle WebLogic server. The application can be modified to take advantage of the preset state on connections. Connection Labeling APIs determine how well a connection matches, and use a callback to populate the gap when a connection is borrowed.
Related Topics
6.3.2.4.4 Connection Initialization Callback
In this scenario, the replaying driver (JDBC or OCI) uses an application callback to set the initial state of the session during runtime and replay. The JDBC replay driver provides a connection initialization callback interface and methods to register and unregister connection initialization callbacks in the oracle.jdbc.replay.OracleDataSource
interface. For OCI and ODP.NET, register the TAF callback.
When registered, the initialization callback is executed at each successful reconnection following a recoverable error. An application is responsible for ensuring that the initialization actions are the same as that on the original connection before failover. If the callback invocation fails, then replay is disabled on that connection. Use the connection initialization callback only when the application has not implemented UCP and WebLogic Connection Labeling and the state cannot be restored automatically by setting FAILOVER_RESTORE=LEVEL1
.
6.3.2.5 Delaying the Reconnection in Application Continuity
By default, when Application Continuity initiates a failover, the driver attempts to recover the in-flight work at an instance where the service is available.
For recovering the work, the driver must establish a good connection with the instance. This reconnection can take some time if the database or the instance must be restarted before the service is relocated and published. So, the failover must be delayed until the service is available from another instance or database.
You must use the FAILOVER_RETRIES
and FAILOVER_DELAY
parameters to manage connecting and reconnecting. These parameters can work well in conjunction with a planned outage, for example, an outage that may make a service unavailable for several minutes. While setting the FAILOVER_DELAY
and FAILOVER_RETRIES
parameters, check the value of the REPLAY_INITIAITION_TIMEOUT
parameter first. The default value for this parameter is 900 seconds. A high value for the FAILOVER_DELAY
parameter can cause replay to be canceled.
Parameter Name | Possible Value | Default Value |
---|---|---|
|
Positive integer zero or above |
30 |
|
Time in seconds |
3 |
The following examples show various failover scenarios:
6.3.2.5.1 Creating Services on Oracle RAC with Application Continuity
You can create services on Oracle RAC that utilize Application Continuity.
If you are using Oracle RAC or Oracle RAC One Node, then use SRVCTL to create services, as follows:
For policy-managed databases:
$ srvctl add service -db codedb -service GOLD -serverpool ora.Srvpool -clbgoal SHORT -rlbgoal SERVICE_TIME
-failover_restore LEVEL1 -failoverretry 30 -failoverdelay 10 -commit_outcome TRUE -failovertype TRANSACTION
-replay_init_time 1800 -retention 86400 -notification TRUE
For administrator-managed databases:
$ srvctl add service -db codedb -service GOLD -preferred serv1 -available serv2 -clbgoal SHORT
-rlbgoal SERVICE_TIME -failover_restore LEVEL1 -failoverretry 30 -failoverdelay 10 -commit_outcome TRUE
-failovertype TRANSACTION -replay_init_time 1800 -retention 86400 -notification TRUE
6.3.2.5.2 Modifying Services on Single-instance Databases to use Application Continuity
If you are using a single-instance database, then use the DBMS_SERVICE
package to modify services as follows:
DECLARE
params dbms_service.svc_parameter_array;
BEGIN
params('FAILOVER_TYPE'):='TRANSACTION';
params('REPLAY_INITIATION_TIMEOUT'):=1800;
params('RETENTION_TIMEOUT'):=86400;
params('FAILOVER_DELAY'):=10;
params('FAILOVER_RETRIES'):=30;
params('FAILOVER_RESTORE'):='LEVEL1';
params('commit_outcome'):='true';
params('aq_ha_notifications'):='true';
dbms_service.modify_service('[your service]',params);
END;
/
6.3.2.6 Using Application Continuity with SQL*Plus
Use the -ac
flag for SQL*Plus applications.
-ac
flag uses the standard Dynamic
mode for session state, and disables at COMMIT. Static
mode is available only for static applications.
6.3.2.7 Using Application Continuity for Planned Maintenance
For planned maintenance, the recommended approach is to drain requests from Oracle connection pools in combination with Application Continuity for those requests that do not complete. Instances do need to be stopped to switch over to the patched software.
This has the least impact when there is minimal recovery to complete.
To use Application Continuity for planned maintenance:
-
Use any FAN-aware pool, such as OCI, UCP, WebLogic Server, or ODP.NET Managed and Unmanaged Drivers.
The FAN planned event drains at request boundaries.Note:
ODP.NET Managed Driver does not support Application Continuity. -
Use the
srvctl relocate service
command to relocate the service from the instance without disrupting the sessions (do not use the-force
parameter), or, for a uniform service, use thesrvctl stop service
command on the instance (again, do not use the-force
parameter).-
For Oracle RAC One Node, use the
srvctl relocate database
command with the-force
parameter.
The FAN planned event clears the idle sessions immediately and marks the active sessions to be released at check-in (end of request). This drains the sessions from the instance without disrupting work.
-
-
If not all sessions have checked in and the time to stop the instance has been reached, then stop the instance (abort).
For Application Continuity-enabled pools (UCP, WebLogic, Tuxedo, ODP.NET, and OCI), and any Java pool that adds
beginRequest
/endRequest
, Application Continuity attempts to recover those remaining sessions. -
Restart the instance and service.
Runtime load balancing, when enabled, balances the sessions back to the restored instance at the next request boundaries.
6.3.2.8 Running Without Application Continuity
Sometimes Application Continuity is not in effect, through deliberate choice, error, or oversight.
Application Continuity is not in effect when it has not been started or when it has been disabled. If it has been disabled, it remains so through to the endRequest
call.
Application Continuity is not started when the service property FAILOVER_TYPE
does not have the value set to TRANSACTION
. For planned maintenance, set the FAILOVER_TYPE
value to TRANSACTION
, beforehand; the setting applies to new connections, and existing connections retain their original service value.
Application Continuity is disabled for the current request when any of the following occurs:
-
The application runs a statement that is restricted for Application Continuity (for example,
ALTER SYSTEM
). -
Application Continuity is explicitly disabled using
disableReplay
. -
A
COMMIT
statement is issued when the service parametersession_state_consistency
is set toDynamic
(the default). -
An
endRequest
statement is issued until the nextbeginRequest
is issued. -
The session is terminated or disconnected and the
NOREPLAY
keyword is specified.
6.3.2.9 Disabling Replay in Application Continuity
By default, replay occurs following a recoverable error.
If the application has requests that the application does not want repeated, the application can take a connection to a service that does not have Application Continuity enabled, or can explicitly call an API to disable replay for those requests. For example, if the application uses UTL_SMTP
and does not want messages repeated, use a connection to a different service, or use the disableReplay
API on Java, or OCIRequestDisableReplay
API for OCI. All other requests continue to be replayed.
For applications with external actions (for example, autonomous transactions or using UTL_HTTP
to issue an SOA call), Application Continuity remains transparent if the application's correctness is preserved when these external actions are replayed after a failure.
The following rules are generic. They apply to all applications that replay work, including Application Continuity, and TAF (release 12.2 and after).
6.3.2.9.1 Application Calls Autonomous Transactions, External PL/SQL, or Java Actions that Should Not Be Repeated
Autonomous transactions, external PL/SQL calls, and Java callouts can have side effects that are separate from the main transaction, and these side effects are replayed unless you specify otherwise.
Examples of side effects separate from the main transaction include writing to an external table, sending email, forking sessions out of PL/SQL (including calls to UTL_HTTP, UTL_URL, UTL_FILE, UTL_FILE_TRANSFER, UTL_SMPT, UTL_TCP, UTL_MAIL, DBMS_PIPE, or DBMS_ALERT) or Java (including executing a shell script in the form Process proc = rt.exec(command);), transferring files, and accessing external URLs. Actions such as these leave persistent side effects. PL/SQL messaging and Java callouts can leave persistent results behind. For example, if a user walks away part way through some work without committing and the session times out or the user issues Ctrl+C, the foreground or a component fails; the main transaction rolls back while the side effects may have been applied. (For more information about side effects, see Potential Side Effects of Application Continuity.)
Application developers decide whether to allow replay for external actions. Examples include using UTL_HTTP
to issue an SOA call, or UTL_SMTP
to send a message, or UTL_URL
to access a website. If such external actions must not be replayed, use a connection without AC, or use one of the disable Replay APIs.
6.3.2.9.2 Application Synchronizes Independent Sessions
You must not configure an application for replay if the application synchronizes independent sessions using volatile entities that are held until COMMIT
, ROLLBACK
, or session loss. For example, the application might synchronize multiple sessions connected to several data sources that are otherwise inter-dependent using resources such as a database lock. This synchronization may be acceptable if the application is only serializing these sessions and understands that any session may fail. However, if the application assumes that a lock or any other volatile resource held by one data source implies exclusive access to data on the same or a separate data source from other connections, then this assumption may be invalidated when replaying.
During replay, the client driver is not aware that the sessions are dependent on one session holding a lock or other volatile resource. You can also use pipes, buffered queues, stored procedures taking a resource (such as a semaphore, device, or socket) to implement the synchronization that are lost by failures.
6.3.2.9.3 Application Uses Time at the Middle Tier in the Execution Logic
You must not configure an application for replay if the application uses the wall clock at the middle tier as part of the execution logic. The client driver does not repeat the middle-tier time logic, but uses the database calls that execute as part of this logic. For example, an application using middle-tier time might assume that a statement executed at Time T1 is not reexecuted at Time T2, unless the application explicitly does so.
6.3.2.9.4 Application Assumes that ROWIds Do Not Change
If an application caches ROWIDs, then access to these ROWIDs might be invalidated due to database changes. Although a ROWID uniquely identifies a row in a table, a ROWID might change its value in the following situations:
-
The underlying table is reorganized.
-
An index is created on the table.
-
The underlying table is partitioned.
-
The underlying table is migrated.
-
The underlying table is exported and imported using EXP/IMP/DUL.
-
The underlying table is rebuilt using Golden Gate or Logical Standby or other replication technology.
-
The database of the underlying table is flashed back or restored.
Oracle does not recommend, in general, that an application store ROWIDs for later use because the corresponding row might either not exist or contain completely different data. Note that ROWIDs do not prevent using Application Continuity. Replays can be rejected.
6.3.2.9.5 Application Assumes that Location Values Do Not Change
SYSCONTEXT
options comprise a location-independent set such as National Language Support (NLS) settings, ISDBA
, CLIENT_IDENTIFIER
, MODULE
, and ACTION
, and a location-dependent set that uses physical locators. Typically, an application does not use the physical identifiers, except in testing environments. If physical locators are used in mainline code, then the replay finds the mismatch and rejects it. However, it is acceptable to use physical locators between requests (before beginRequest
) or in callbacks. A common issue is for QA to modify test applications to select V$INSTANCE
. As V$INSTANCE
can change, only put this check in the callback or select the instance locally at the client and not from the database.
Example
select sys_context('USERENV','DB_NAME') ,sys_context('USERENV','HOST') ,sys_context('USERENV','INSTANCE') ,sys_context('USERENV','IP_ADDRESS') ,sys_context('USERENV','ISDBA') ,sys_context('USERENV','SESSIONID') ,sys_context('USERENV','TERMINAL') ,sys_context('USERENV','SID') from dual;
6.3.2.10 Terminating or Disconnecting a Session Without Replay
If Application Continuity is configured and if a DBA terminates or disconnects a session by using the ALTER SYSTEM KILL SESSION
or ALTER SYSTEM DISCONNECT SESSION
statement, then Application Continuity, by default attempts, to recover the session. However, if you do not want the session to be replayed, then use the NOREPLAY
keyword, as follows:
alter system kill session 'sid, serial#, @inst' noreplay;
alter system disconnect session 'sid, serial#, @inst' noreplay
$ srvctl stop service -db orcl -instance orcl2 –drain_timeout 60 -stopoption immediate -force -noreplay
$ srvctl stop service -db orcl -node myode3 –noreplay -drain_timeout 60 -stopoption immediate -force
$ srvctl stop instance -node mynode3 -drain_timeout 60 -stopoption immediate -force –noreplay
To terminate all sessions running on the local instance (rather that only one session) and not have the sessions replayed, you can also use the DBMS_SERVICE.DISCONNECT_SESSION
PL/SQL procedure and specify NOREPLAY
for the disconnect_option
parameter.
6.3.3 Mutable Functions and Application Continuity
When a request is replayed, the default and desired treatment of mutable objects can vary.
A mutable function is a nondeterministic function that can obtain a new value every time it is called. An example of a mutable function is a call to the SYSTIMESTAMP
function. Client applications using Application Continuity can determine whether to keep the original value for mutable functions if the request is replayed.
Support for keeping mutable fucntion values is currently provided for SYSDATE
, SYSTIMESTAMP
, SYS_GUID
, and sequence
.NEXTVAL
. If the original values are not kept and if different values for these mutable objects are returned to the client, then replay is rejected because the client observes different results. If the application can use original values, then configure mutable functions using the KEEP
clause for owned sequences and GRANT KEEP
for other users. (Most applications need sequence values to be kept at replay, for bind variable consistency.)
Note:
Keeping SYS_GUID
values is supported only for serial execution plans. When parallel query is used, Application Continuity is not able to restore original values for SYS_GUID
.
Table 6-4 shows examples of the treatment of mutable functions by products during replay. (Actual implementation depends on specific products and releases.)
Table 6-4 Example Treatment of Mutable Objects by Products During Replay
Mutable Function | Product 1 | Product 2 | Product 3 |
---|---|---|---|
|
Original |
Original |
Current |
Sequence |
Original |
Original |
(Not applicable) |
|
Original |
(Not applicable) |
(Not applicable) |
To allow Application Continuity to keep and use original function results at replay:
-
The database user running the application might have the
KEEP DATE TIME
andKEEP SYSGUID
privileges granted, and theKEEP SEQUENCE
object privilege on each sequence whose value is to be kept. For example:grant KEEP DATE TIME to user2; grant KEEP SYSGUID to user2; grant KEEP SEQUENCE on sales.seq1 to user2;
Notes:
-
GRANT ALL ON object
does not include (that is, does not grant the access provided by) theKEEP DATE TIME
andKEEP SYSGUID
privileges, and theKEEP SEQUENCE
object privilege. -
Grant privileges related to mutable function support only to application users, and to each application user grant only the necessary privileges.
-
Do not grant DBA privileges to database users running applications for which you want replay to be enabled.
-
-
Sequences in the application can use the
KEEP
attribute, which keeps the original values ofsequence
.NEXTVAL
for the sequence owner, so that the keys match during replay. Most applications need sequence values to be kept at replay. The following example sets theKEEP
attribute for a sequence (in this case, one owned by the user executing the statement; for others, useGRANT KEEP SEQUENCE
):SQL> CREATE SEQUENCE my_seq KEEP; SQL> -- Or, if the sequence already exists but without KEEP: SQL> ALTER SEQUENCE my_seq KEEP;
Note:
Specifying
ALTER SEQUENCE
...KEEP/NOKEEP
applies to the owner of the sequence. It does not affect other users (not the owner) that have theKEEP SEQUENCE
object privileges. If you wantNOKEEP
for all users, then be sure not to grant theKEEP SEQUENCE
object privilege to these users (or to revoke it from each user if the privilege has been granted). -
To keep function results (for named functions) at replay, the DBA must grant
KEEP
privileges to the user invoking the function. This security restriction ensures that it is valid for replay to save and restore function results for code that is not owned by that user.
The following additional considerations apply to granting privileges on mutable functions:
-
If a user has the
KEEP
privilege granted on mutable function values, then the objects inherit mutable access when theSYS_GUID
,SYSDATE
, andSYSTIMESTAMP
functions are called. -
If the
KEEP
privilege is revoked on mutable values on a sequence object, then SQL or PL/SQL blocks using that object do not allow mutable collection or application for that sequence. -
If granted privileges are revoked between runtime and failover, then the mutable values that are collected are not applied for replay.
-
If new privileges are granted between runtime and failover, then mutable values are not collected and these values are not applied for replay.
6.3.4 Administering Mutable Values
To keep function results at replay, you must grant KEEP
privileges to the user invoking the function.
Grant and Revoke Interface
To grant and revoke permission to keep mutables for Oracle Dates and SYS_GUID
:
GRANT [KEEP DATE_TIME | KEEP SYS_GUID]...[to USER]
REVOKE [KEEP DATE_TIME | KEEP SYS_GUID]...[from USER]
For example, for possible Oracle E-Business Suite usage with original dates:
GRANT KEEP DATE_TIME, KEEP SYS_GUID to [custom user];
GRANT KEEP DATE_TIME, KEEP SYS_GUID to [apps user];
Granting Permission to Keep Mutables for Oracle Sequences
To grant permission to the owner of the sequence:
CREATE SEQUENCE [sequence object] [KEEP|NOKEEP];
ALTER SEQUENCE [sequence object] [KEEP|NOKEEP];
The preceding commands keep the original values of sequence.nextval
for replaying so that keys match.
To grant and revoke permission for others using the sequence:
GRANT KEEP SEQUENCES...[to USER] on [sequence object];
REVOKE KEEP SEQUENCES...[from USER] on [sequence object];
For example, for possible Oracle E-Business Suite usage with original sequence values:
GRANT KEEP SEQUENCES to [apps user] on [sequence object];
GRANT KEEP SEQUENCES to [custom user] on [sequence object];
Rules for Grants on Mutables
-
If you grant all on an object for a user, then mutables are excluded. Mutables require explicit grants. Oracle does not support granting mutables to the users supplied or created by Oracle Database, such as SYS, AUDSYS, GSMUSER, and SYSTEM.
-
The DBA role includes mutable permission.
-
If a user has mutables granted, then the objects inherit mutable access when the mutable functions are called (in
SYS_GUID
,SYSDATE
andSYSTIMESTAMP
). -
If keeping mutables on a sequence object is revoked, then SQL or PL/SQL commands using that object does not allow mutable collection or application for that sequence.
-
If grants are revoked between run time and failover, then the mutables that were collected are not applied.
-
If grants are granted between run time and failover, then mutables are not collected and so none are applied.
6.3.5 Session State Consistency
Session state consistency describes how non-transactional state is changed during a request.
Examples of session state are NLS settings, optimizer preferences, event settings, PL/SQL global variables, temporary tables, advanced queues, LOBs, and result cache. If non-transactional values change in committed transactions, then use the default value, Dynamic
(session_state_consistency
is a service level attribute, the default value of which is Dynamic
).
Using Dynamic
mode, after a COMMIT
has executed, if the state was changed in that transaction, then it is not possible to replay the transaction to reestablish that state if the session is lost. Applications can be categorized depending on whether the session state after the initial setup is static or dynamic, and hence whether it is correct to continue past a COMMIT
operation.
Dynamic
mode is appropriate for almost all applications. If you are unsure, then use Dynamic
mode. If your customers or users can modify your application, then you must use Dynamic
mode.
This section includes the following topics:
6.3.5.1 Dynamic Session State Consistency
A session has dynamic state if the session state values are not fully restored by FAILOVER_RESTORE, or by adding the initialization callback.
Once the first transaction completes, failover is internally disabled until the next request starts. In Dynamic
session state consistency mode, state changes occur during the request and replay is enabled at the beginning of the next request.
Set the session state consistency mode to Dynamic
if the nontransactional session state changes while transactions are executing. Examples of nontransactional session state that can change at runtime are ALTER
SESSION
, PL/SQL global variables, SYS_CONTEXT
, and temporary table contents. If the application changes nontransactional state inside transactions and commits, this state cannot be replayed and the state setting must be Dynamic
. When using Dynamic
mode for Application Continuity, replay is disabled at COMMIT
until the next request begins. Dynamic
is the default value.
The nontransactional session state (NTSS) changes during a request when the session state consistency mode is Dynamic
.
beginRequest
call, and is disabled on a COMMIT
, an endRequest
call, or a restricted call. Following is the step logic for three application scenarios:
-
No transaction
-
A transaction with
COMMIT
as the last statement -
A transaction with an embedded
COMMIT
statement
For the request with no transaction, the logical steps are as follows:
-
Check out.
-
Begin request and enable replay.
-
Issue one or more
SELECT
statements and perhaps other PL/SQL statements. -
Other actions.
-
Check in.
-
End request and disable replay.
Replay is disabled at endRequest
, at a restricted call, and for an explicit disableReplay
or OCIRequestDisableReplay
call.
For the request with a transaction with COMMIT as the last statement, the logical steps are as follows:
-
Check out.
-
Begin request and enable replay.
-
Issue one or more
SELECT
statements and perhaps other PL/SQL statements. -
The transaction begins.
-
Other actions.
-
Commit (which disables replay).
-
Check in.
-
End request.
Replay is disabled at endRequest
, at a restricted call, and for an explicit disableReplay
or OCIRequestDisableReplay
call.
For the request with a transaction with an embedded COMMIT statement, the logical steps are as follows:
-
Check out.
-
Begin request and enable replay.
-
Issue one or more
SELECT
statements and perhaps other PL/SQL statements. -
The transaction begins.
-
Other actions.
-
Commit (which disables replay).
-
Other actions, during which Application Continuity is not covering the application.
-
Check in.
-
End request.
Replay is disabled at endRequest
, at a restricted call, and for an explicit disableReplay
or OCIRequestDisableReplay
call.
6.3.5.2 Static Session State Consistency
Static
mode is used for long running stateless applications. Do not use Static
mode for applications that are not stateless.
Set the session state consistency mode to Static
, only if all non-transactional state changes, such as NLS settings, SYS_CONTEXT
, PL/SQL variables, and optimizer preferences, are set as part of the initialization once per request, and if this session state does not change during transactions. The settings can be established once per connection at connection establishment when using FAILOVER_RESTORE=LEVEL1
, a callback, or labels, for example, or at each checkout from a pool.
When using Static
mode for Application Continuity, transactional failover continues beyond the first transaction of a request. This is useful for applications that set beginRequest
once and run long processing operations such as batch jobs, and long reports.
Static mode is not supported for applications that use calls that change non-transactional state in transactions. Specific examples of such calls include:
-
PL/SQL subprograms
-
SYS_CONTEXT
-
ALTER
SESSION
Specify static mode with caution. Use static mode only when the application does not change the non-transactional session state inside transactions. Declaring the session state consistency mode as Static
indicates that it is safe to continue beyond the first COMMIT
in a request. Dynamic mode is appropriate for most applications. Do not use static mode if users or customers can modify or customize the application.
The non-transactional session state remaining constant (that is, not changing) during a request when the session state consistency mode is Static
.
Replay (that is, Application Continuity) is enabled at the beginRequest
call, and is disabled on a restricted call, on a disableReplay
or OCIRequestDisableReplay
call, or on an endRequest
call.
-
No transaction
-
One or more transactions each ending with
COMMIT
as the last statement -
A transaction with a
COMMIT
statement followed by a transaction with a restricted call that disables Application Continuity
For the request with no transaction, the logical steps are as follows:
-
Check out.
-
Begin request and enable replay.
-
Issue one or more
SELECT
statements and perhaps other PL/SQL statements. -
Other actions.
-
Check in.
-
End request and disable replay.
Replay is disabled at endRequest
, at a restricted call, and for an explicit disableReplay
or OCIRequestDisableReplay
call.
For the request with one or more transactions (each with COMMIT as the last statement), the logical steps are as follows:
-
Check out.
-
Begin request and enable replay.
-
Issue one or more
SELECT
statements and perhaps other PL/SQL statements. -
The transaction begins.
-
The transaction commits.
-
The transaction is purged.
(For each additional transaction, steps 4 through 6 occur.)
-
Other actions.
-
Check in.
-
End request.
Replay is disabled at endRequest
, at a restricted call, and for an explicit disableReplay
or OCIRequestDisableReplay
call.
For the request with a transaction with a COMMIT followed by a transaction with a restricted call, the logical steps are as follows:
-
Check out.
-
Begin request and enable replay.
-
Issue one or more
SELECT
statements and perhaps other PL/SQL statements. -
The transaction begins.
-
The transaction commits.
-
The transaction is purged.
-
The second transaction begins.
-
The transaction makes a restricted call, which causes Application Continuity to be disabled.
-
The transaction is purged.
-
Other actions
-
Check in.
-
End request.
Replay is disabled at endRequest
, at a restricted call, and for an explicit disableReplay
or OCIRequestDisableReplay
call.
Related Topics
6.4 Potential Side Effects of Application Continuity
When a session is rebuilt, all states are rebuilt, including rerunning statements that leave side effects.
These side effects might be exactly what is required, such as writing a report or completing some auditing.
Application Continuity replays PL/SQL chronologically to restore database state. This serves to rebuild the session as if the user submission was delayed. Most applications want the full state rebuilt as if the submission was repeated, such as writing a report or completing some auditing. However, the actions that are replayed to build the state might include some for which you want to take action to accommodate or mitigate the effects of the replay. Some applications elect to disable replay for requests that contain calls that they do not want to repeat.
Examples of actions that create side effects include the following:
-
Autonomous transactions (independent transactions that can be called from other transactions)
-
DBMS_ALERT
calls (email or other notifications) -
DBMS_FILE_TRANSFER
calls (copying files) -
DBMS_PIPE
and RPC calls (to external sources) -
UTL_FILE
calls (writing text files) -
UTL_HTTP
calls (making HTTP callouts) -
UTL_MAIL
calls (sending email) -
UTL_SMTP
calls (sending SMTP messages) -
UTL_TCP
calls (sending TCP messages) -
UTL_URL
calls (accessing URLs)
Related Topics
6.5 Restrictions and Other Considerations for Application Continuity
Be aware of these restrictions and considerations when using Application Continuity.
-
Application Continuity excludes :
-
JDBC OCI driver (type 2)
-
ODP.NET, Managed Driver
-
OLE DB
-
ODBC
-
-
For applications using JDBC, there is no support for
oracle.sql
deprecated concrete classes:BLOB
,CLOB
,BFILE
,OPAQUE
,ARRAY
,STRUCT
, orORADATA
. -
For streams arguments, replay is on a "best effort" basis. For example, if the application is using physical addresses, the address has gone with the outage and cannot be repositioned. JDBC stream setters (such as
setBinaryStream
), for example, cause replay to be disabled. -
The replay target database must be in the same database cluster (Oracle RAC, Oracle Data Guard, Oracle Active Data Guard, or Oracle Multitenant) as the source database.
To protect the integrity of business transactions, Application Continuity does not replay if the target is a different database or if it is the same database or same pluggable database but with data loss, such as one flashed back, recovered incompletely by media recovery, or opened by Oracle Data Guard earlier in time.
-
For OCI and ODP.NET, in Oracle Database 12c release 2 (12.2.0.1), Application Continuity on OCI driver excludes ADTs, advance queues, dynamic binds, and some LOB APIs. These exclusions do not apply to Java.
-
If a statement cache at the application server level is enabled (for example, the WebLogic or third-party application server statement cache), this must be disabled when the replay is used. Instead, configure the JDBC statement cache, which performs better because it is optimized for JDBC and Oracle and because it supports Application Continuity. Use
oracle.jdbc.implicitstatementcachesize=nnn
. -
Starting with Oracle Database 12 release 2 (12.2), replay is supported for the XA data source for Java and ODP.NET, Unmanaged Driver. Replay supports local transactions. Replay silently disables when two-phase is used. This enables Application Continuity to work very well with promotable XA and with applications using the XA data source and mostly not using XA.
-
Replay is disabled if a request issues an
ALTER SYSTEM
orALTER DATABASE
statement. -
Replay is disabled at a request level for
ALTER SESSION
statements that are deemed unsafe to rebuild the session. These include statements for setting support-level events, and disabling and enablingCOMMIT IN PROCEDURE
andGUARD
.However,
ALTER SESSION
statements at an application level are supported for replay. These include statements for globalization support (NLS) settings, stored and private outlines, setting the container (CDB/PDB), SQL trace, and PL/SQL warnings. -
Replay is not supported if you are using Oracle Active Data Guard with read/write database links back to the primary database. This is a security restriction from Transaction Guard.
-
Replay does not apply for failure of a parallel query call when this is a statement-level failure. For example, replay would not occur after an
ORA-12805:parallel query server died unexpectedly
error for a call failure encountered during an instance or node failure or memory issue. -
For Java only, replay does not support DRCP. Dedicated and Shared Servers are supported.
-
The request uses 2PC XA. Starting with Oracle Database 12c release 2 (12.2), Application Continuity is supported for promotable XA and using XA data sources, while XA is not in use.
Note:
If you are creating clones of databases by splitting disk images (for example, BCVs) or by cloning so it is a "different" database to make a logical standby or logical copy that is not a physical or Oracle Active Data Guard database, then nid
must be used to change the DBID to differentiate the databases. For information about nid
program usage, see these My Oracle Support notes: How to Change the DBID and the DBNAME by using NID (Doc Id 224266.1) and Changing DBNAME and DBID of Oracle RAC Database Using NID (Doc Id 464922.1).
Related Topics
6.6 Transaction Guard for Improving Client Failover
Transaction Guard prevents a transaction being replayed by Application Continuity from being applied more than once.
Failing to recognize that the last submission has committed, or that it shall commit sometime soon, or that the last submission has not run to completion, is a problem for applications. It can cause users who resubmit or applications that use their own replay to issue duplicate requests, repeating changes that are already committed to the database, and other forms of logical corruption. Transaction Guard can be used to solve this problem.
Application Continuity automatically enables and uses Transaction Guard, but you can also enable Transaction Guard independently. If the application has implemented an application-level replay, then it requires the application to be integrated with Transaction Guard to provide idempotence.
In Oracle Database 12c, Transaction Guard provides a new, fully integrated tool for applications to use to achieve idempotence automatically and transparently, and in a manner that scales. Transaction Guard uses Logical Transaction ID (LTXID) to avoid submitting duplicate transactions. This is referred to as transaction idempotence. The LTXID persists on commit and is reused following a rollback. During normal runtime, a LTXID is automatically held in the session at both the client and server for each database transaction. At commit, the LTXID is persisted as part of committing the transaction and the next LTXID to use is returned to the client.
Transaction Guard for XA Transactions
Transaction Guard also supports XA-based transactions, which are transactions that are an option for transaction managers, such as Oracle WebLogic Server, Oracle Tuxedo, and MicroSoft Transaction Server (exposed to Oracle Database through Oracle ODP.NET).
Transaction Guard support for XA transactions provides safe replay following recoverable outages for XA transactions on Oracle WebLogic Server. With the addition of XA support, Oracle WebLogic Server can provide replay with idempotence enforced using Transaction Guard.
6.6.1 Transaction Guard Configuration Checklist
Before configuring services for Transaction Guard, use the following configuration checklist:
-
Grant permission to the application user who will call
GET_LTXID_OUTCOME
, as follows:GRANT EXECUTE ON DBMS_APP_CONT to user_name;
-
Locate and define the transaction history table for optimal performance.
The transaction history table (
LTXID_HIST
) is created, by default, in the SYSAUX tablespace when you create or upgrade an Oracle Database. New partitions are added when you add instances, using the storage of the last partition. If the location of transaction history table is not optimal for performance, then you can move it to another tablespace and create partitions there. For example, the following statement moves the transaction history table to a tablespace named FastPace:ALTER TABLE LTXID_TRANS move partition LTXID_TRANS_1 tablespace FastPace storage ( initial 10G next 10G minextents 1 maxextents 121 );
-
Set values for the
-commit_outcome
and-retention_timeout
service parameters. -
If you are using Oracle RAC, Oracle Data Guard, or Oracle Active Data Guard, then Oracle recommends that you use FAN for fast notification of an outage.
6.6.2 Configuring Services for Transaction Guard
To configure services to use Transaction Guard, set the following service parameters:
-
-commit_outcome
: Set the-commit_outcome
service parameter toTRUE
. This service parameter determines whether the transaction commit outcome is accessible after the COMMIT has executed and an outage has occurred. While Oracle Database has always made COMMIT durable, Transaction Guard makes the outcome of the COMMIT durable, and is used by applications to enforce the status of the last transaction executed before an outage. -
-retention
: Use the-retention
service parameter with-commit_outcome
. This service parameter determines the amount of time, in seconds, that the COMMIT outcome is retained. Oracle recommends that most installations use the default value.
The following SRVCTL command configures a policy-managed service named sales
for Transaction Guard:
$ srvctl add service -db crm -service sales -serverpool spool_1
-commit_outcome TRUE -retention 86400 -notification TRUE
The following SRVCTL command configures an administrator-managed service named sales
for Transaction Guard:
$ srvctl add service -db crm -service sales -preferred crm_1,crm_2
-available crm_3,crm_4 -commit_outcome TRUE -retention 86400
-notification TRUE
You can also modify an existing service to configure it for Transaction Guard by using the srvctl modify service
command.
Note:
Do not use the default database service, the service which has the name set to the value of db_name
or db_unique_name
. The default service is used for administrative purposes and does not have the same properties as user-created services.
6.7 Failing Over OCI Clients with TAF
When Oracle Net Services establishes a connection to an instance, the connection remains open until the client closes the connection, the instance is shutdown, or a failure occurs.
If you configure transparent application failover (TAF) for the connection, then Oracle Database replays the session at a surviving instance when an outage occurs.
TAF can restart a query after failover has completed but for other types of transactions, such as INSERT
, UPDATE
, or DELETE
, the application must rollback the failed transaction and resubmit the transaction. You must also reexecute any session customizations, in other words, ALTER SESSION
statements, after failover has occurred. However, with TAF, a connection is not moved during normal processing, even if the workload changes over time.
Services simplify the deployment of TAF. You can define a TAF policy for a service, and all connections using this service will automatically have TAF enabled. This does not require any client-side changes. The TAF setting on a service overrides any TAF setting in the client connection definition.
You can define a TAF policy for all users of a service by defining the -failovermethod
and -failovertype
parameters. You can further define the TAF policy by setting the number of times that a failed session attempts to reconnect to the service and how long it should wait between reconnection attempts using the -failoverretry
and -failoverdelay
parameters, respectively.
To define a TAF policy for a service, use SRVCTL as in the following example, where the service name is tafconn.example.com
and the database name is CRM:
$ srvctl modify service -db crm -service tafconn.example.com -failovermethod BASIC
-failovertype SELECT -failoverretry 10 -failoverdelay 30
OCI applications with TAF enabled should use FAN high availability events for fast connection failover.
TAF Supports Transaction Guard and FAILOVER_RESTORE
When you are using Transaction Guard, TAF manages the errors for the developers. When you use both TAF and Transaction Guard, developers can use the TAF errors to roll back and safely resubmit or return uncommitted transactions (for TAF error codes ORA-25402, ORA-25408, ORA-25405).
When you are using FAILOVER_RESTORE
, TAF automatically restores common states, which avoids the need for a callback for most applications.
Related Topics