3 Configuring Required Connections
Connectivity must be set up between the Zero Downtime Migration service host and the source and target database servers.
Configuring Connectivity From the Zero Downtime Migration Service Host to the Source and Target Database Servers
Note:
These steps are applicable for physical migrations and logical migrations where both the source and target are accessed using SSH keys (co-managed databases).These steps are not applicable for logical migration where the target is Autonomous Database.
Complete the following procedure to ensure the required connectivity between the Zero Downtime Migration service host and the source and target database servers.
Configuring SUDO Access
You may need to grant certain users authority to perform operations using
sudo
on the source and target database servers.
Note:
These steps are applicable for physical migrations and logical migrations where both the source and target are accessed using SSH keys (co-managed databases).These steps are not applicable for logical migration where the target is Autonomous Database.
For source database servers:
-
If the source database server is accessed with the
root
user, then there is no need to configure Sudo operations. -
If the source database server is accessed through SSH, then configure Sudo operations to run without prompting for a password for the database installed user and the
root
user.For example, if database installed user is
oracle
, then runsudo su - oracle
.For the
root
user runsudo su -
.
For target database servers:
-
Because the target database server is on the cloud only, any Sudo operations are configured already. Otherwise, configure all Sudo operations to run without prompting for a password for the database installed user and the
root
user.For example, if database installed user is
oracle
, then runsudo su - oracle
.For the
root
user runsudo su -
.
Note, for example, if the login user is opc
, then you
can enable Sudo operations for the opc
user.
Configuring Connectivity Between the Source and Target Database Servers
You have two options for configuring connectivity between the source and target database servers: SQL*Net connectivity using SCAN or SSH.
Configure connectivity using one of the following options.
Option 1: SQL*Net Connectivity Using SCAN
To use this option, the SCAN of the target should be resolvable from the source database server, and the SCAN of the source should be resolvable from the target server.
The specified source database server in the ZDMCLI migrate
database
command -sourcenode
parameter can connect to
the target database instance over target SCAN through the respective SCAN port and
vice versa.
With SCAN connectivity from both sides, the source database and target
databases can synchronize from either direction. If the source database server SCAN
cannot be resolved from the target database server, then the
SKIP_FALLBACK
parameter in the response file must be set to
TRUE
, and the target database and source database cannot
synchronize after switchover.
Test Connectivity
To test connectivity from the source to the target environment, add the TNS entry of
the target database to the source database server
$ORACLE_HOME/network/admin/tnsnames.ora
file.
[oracle@sourcedb ~] tnsping target-tns-string
To test connectivity from the target to the source environment, add the TNS entry of
the source database to the target database server
$ORACLE_HOME/network/admin/tnsnames.ora
file
[oracle@targetdb ~] tnsping source-tns-string
Note:
Database migration to Exadata Cloud at Customer using the Zero Data Loss Recovery Appliance requires mandatory SQL*Net connectivity from the target database server to the source database server.Option 2: Set up an SSH Tunnel
If connectivity using SCAN and the SCAN port is not possible between the source and target database servers, set up an SSH tunnel from the source database server to the target database server.
The following procedure sets up an SSH tunnel on the source database servers for the root user. Note that this procedure amounts to setting up what may be considered a temporary channel. Using this connectivity option, you will not be able to synchronize between the target database and source database after switchover, and with this configuration you cannot fall back to the original source database.
Note:
The following steps refer to Oracle Cloud Infrastructure, but are also applicable to Exadata Cloud at Customer and Exadata Cloud Service.Additional Connectivity Prerequisites for Oracle GoldenGate Hub
To perform online logical migrations with Oracle GoldenGate, in addition to the connectivity between the Zero Downtime Migration service host and the source and target database servers, you must also ensure connectivity between the Oracle GoldenGate hub and the source and target database servers.
Ensure that the OCI network security rules allow the following connections.
Table 3-1 Prerequisite Connections for Online Logical Migration
Initiator | Target | Protocol | Port | Purpose |
---|---|---|---|---|
GoldenGate hub | Source database | TCP
TCPS |
1521
User-defined |
SQL*Net |
GoldenGate hub | Target database | TCP
TCPS |
1521
1522 for ADB-Serverless, port 2484 for ADB-Dedicated, or user-defined for non-ADB |
SQL*Net |
ZDM server | GoldenGate hub | HTTPS | 443 | Oracle GoldenGate Microservice REST API calls |
The Zero Downtime Migration server should be allowed to make HTTPS over port 443 calls to an OCI REST endpoint.
Validating Connections to and from the Oracle GoldenGate Marketplace Instance
-
From Zero Downtime Migration server to Oracle GoldenGate server.
On Zero Downtime Migration server, run
curl -v --insecure -u oggadmin_username https://ogg_instance_fqdn_or_ip/services/v2/deployments
Oracle GoldenGate server credentials can be found in /home/opc/ogg-credentials.json on the GoldenGate server.
-
From Oracle GoldenGate server to source database server.
Assuming that the source database listener is not TLS/SSL enabled, on the Oracle GoldenGate server, run
export ORACLE_HOME=/u01/app/client/oracle19 $ORACLE_HOME/bin/sqlplus username@'source_listener_hostname_or_ip:source_listener_port/source_db_service_name'
-
From Oracle GoldenGate server to target database server
If the target database is an Autonomous Database, refer to "Online Migration Additional Prerequisites" at Additional Logical Migration Prerequisites, and ensure that the Autonomous Database wallet containing certificates for TLS authentication exists in the correct location on the Oracle GoldenGate instance.
On Oracle GoldenGate server, run
export ORACLE_HOME=/u01/app/client/oracle19 $ORACLE_HOME/bin/sqlplus username@'tcps://abd_listener_hostname_or_ip:adb_listener_port/adb_service_name?wallet_location=dir_path&ssl_server_cert_dn=cert_dn'
Refer to Connect SQL*Plus with TLS Authentication for more details about connecting to an Autonomous Database using SQL*Plus.
If the target database is not an Autonomous Database and is not TLS/SSL enabled, on the Oracle GoldenGate server, run
export ORACLE_HOME=/u01/app/client/oracle19 $ORACLE_HOME/bin/sqlplus username@'target_listener_hostname_or_ip:target_listener_port/target_db_service_name'
Zero Downtime Migration Port Requirements
The ports required for communication between the Zero Downtime Migration service host, the source and target database servers, and Oracle Cloud Object Store Service are described in the following table.
Table 3-2 Zero Downtime Migration Communication Ports
Initiator | Target | Protocol | Port | Purpose | Description |
---|---|---|---|---|---|
Zero Downtime Migration service host | Source and target database servers | TCP | 22 | SSH | Authentication-based operations to run Zero Downtime Migration operational
phases
Source and target database servers should accept incoming connections from the Zero Downtime Migration service host. Not applicable to Autonomous Database targets |
Zero Downtime Migration service host | Source and target database servers | TCP | 1521, 2484, or a database SCAN Listener port applicable for job | SQL*Net | For logical migrations |
Zero Downtime Migration service host or GoldenGate Hub | Target ADB | TCPS | 1522, or a database SCAN Listener secure port applicable for job in case of TCPS enabled on source or target | ADB-S uses port 1522 so you should allow incoming connections on the ADB tenancy from GoldeGate or ZDM, or from the target if the source listens on 1522, and transfer medium is DBLINK over TCPS | |
Zero Downtime Migration service host | Oracle Cloud Interface REST endpoint | SSL | 443 | OCI REST endpoint | Target discovery for logical migrations |
Source database servers | Target database servers | TCP | 1521 or database SCAN Listener port applicable for the job | SQL*Net | Should allow Oracle client connections to the database over Oracle's
SQL*Net protocol
Perform database queries, Data Guard sync, and configuration Note: If you are using a non-default port number (that is, something other than port 1521) for the local listener address, then the non-default port should allow connections. |
Target database servers | Source database servers | TCP | 1521 or a database SCAN Listener port applicable | SQL*Net | Should allow Oracle client connections to the database over Oracle's
SQL*Net protocol
Allows redo log shipping if source database needs to be in
sync with the new primary on Oracle Cloud after switchover. If there is no communication
possible from Oracle Cloud to source database server then set Note: If you are using a non-default port number (that is, something other than port 1521) for the local listener address, then the non-default port should allow connections. |
Source database servers | Oracle Cloud Object Store Service | SSL | 443 | Database backup store. Create a backup of the source database to the specified Oracle Cloud Object store container. | If the chosen backup method uses Oracle Cloud Object Store Service as the backup medium, then access ports as documented Oracle Cloud Object Store Service applies. |
Target database servers | Oracle Cloud Object Store Service | SSL | 443 | Database backup store. Restore backup of the source database from the specified Oracle Cloud Object store container to the target database. | If the chosen backup method uses Oracle Cloud Object Store Service as the backup medium, then access ports as documented Oracle Cloud Object Store Service applies. |
Note:
If there is no SSH access to the source database, the following actions are skipped as part of the Zero Downtime Migration work flow.- Dumps will not be uploaded or transferred from source node to Object Store or to the target server
- Zero Downtime Migration will not validate the source export path, if it is writable for the database user
- Zero Downtime Migration will not validate whether the source database server can successfully access the Oracle Cloud Object Store
Note:
When performing a migration with root credentials (migrate database -scroot
), during the setup phase, Zero
Downtime Migration uses six ports chosen from the ephemeral range, or six ports from the
range of ports set in TRANSFERPORT_RANGE
in zdmbase/crsdata/zdm_service_host/rhp/conf/rhp.pref
. The specified ports must be
allowed to accept incoming connections from the Zero Downtime Migration service host on the
source or target database server.
Generate SSH Keys Without a Passphrase
You can generate a new SSH key without a passphrase if on the Zero Downtime Migration service host the authentication key pairs are not available without a passphrase for the Zero Downtime Migration software installed user.
Note:
Currently, only the RSA key format is supported for configuring SSH
connectivity, so use the ssh-keygen
command, which generates both
of the authentication key pairs (public and private).
The following example shows you how to generate an SSH key pair for the Zero
Downtime Migration software installed user. You can also use this command to generate
the SSH key pair for the opc
user.
Run the following command on the Zero Downtime Migration service host.
zdmuser> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/zdmuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/zdmuser/.ssh/id_rsa.
Your public key has been saved in /home/zdmuser/.ssh/id_rsa.pub.
The key fingerprint is:
c7:ed:fa:2c:5b:bb:91:4b:73:93:c1:33:3f:23:3b:30 zdmuser@zdm_service_host
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| . . . |
| S o . = |
| . E . * |
| X.+o.|
| .= Bo.o|
| o+*o. |
+-----------------+
This command generates the id_rsa
and id_rsa.pub
files in the zdmuser
home, for example,
/home/zdmuser/.ssh
.