Sunday, May 1, 2016

Changing SCAN Setting

The post lists steps for changing the SCAN setting in a cluster. This is a test system where the SCAN is currently resolved via the /etc/hosts file with a single IP.
$ srvctl config scan
SCAN name: rhel6m-scan, Network: 1/192.168.0.0/255.255.255.0/eth0
SCAN VIP name: scan1, IP: /rhel6m-scan/192.168.0.91

$ srvctl config scan_listener
SCAN Listener MYSCANLISTENER_SCAN1 exists. Port: TCP:9120
It uses a non-default SCAN listener name and a non-default port.
This setup will be changed so that the cluster uses a new SCAN that is resolved through DNS. Ideally the SCAN name should remain the same so that applications don't have to change their connection strings after the change, but in this case the new SCAN name is different from the currently used SCAN name.
1. Make the changes to /etc/resolv.conf and /etc/nsswitch.conf so that the new SCAN lookup works on all cluster nodes. Below shows nslookup working on one of the nodes.
[grid@rhel6m1 admin]$ nslookup rac-scan.domain.net
Server:         192.168.0.66
Address:        192.168.0.66#53

Name:   rac-scan.domain.net
Address: 192.168.0.93
Name:   rac-scan.domain.net
Address: 192.168.0.94
Name:   rac-scan.domain.net
Address: 192.168.0.92

[grid@rhel6m1 admin]$ nslookup rac-scan.domain.net
Server:         192.168.0.66
Address:        192.168.0.66#53

Name:   rac-scan.domain.net
Address: 192.168.0.92
Name:   rac-scan.domain.net
Address: 192.168.0.93
Name:   rac-scan.domain.net
Address: 192.168.0.94

[grid@rhel6m1 admin]$ nslookup rac-scan.domain.net
Server:         192.168.0.66
Address:        192.168.0.66#53

Name:   rac-scan.domain.net
Address: 192.168.0.94
Name:   rac-scan.domain.net
Address: 192.168.0.92
Name:   rac-scan.domain.net
Address: 192.168.0.93
2. Stop the scan and scan listeners
$ srvctl stop scan_listener
$ srvctl stop scan
3. Modify the scan setting by specifying the new SCAN name.
# srvctl modify scan -n rac-scan.domain.net

# srvctl config scan
SCAN name: rac-scan.domain.net, Network: 1/192.168.0.0/255.255.255.0/eth0
SCAN VIP name: scan1, IP: /rac-scan.domain.net/192.168.0.93
SCAN VIP name: scan2, IP: /rac-scan.domain.net/192.168.0.94
SCAN VIP name: scan3, IP: /rac-scan.domain.net/192.168.0.92


4. Change the remote_listener parameter to reflect the new SCAN
SQL> alter system set remote_listener='rac-scan.domain.net:9120' scope=both sid='*';
5. Update the scan listener
$ srvctl modify scan_listener -u

$ srvctl config scan_listener
SCAN Listener MYSCANLISTENER_SCAN1 exists. Port: TCP:9120
SCAN Listener MYSCANLISTENER_SCAN2 exists. Port: TCP:9120
SCAN Listener MYSCANLISTENER_SCAN3 exists. Port: TCP:9120
6. Finally start the scan listener
$ srvctl start scan_listener
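A consistency check for the end state of the steps above, as an added example that is not part of the original post. It compares the SCAN VIPs, the DNS answers, the SCAN listener count and the remote_listener value; the function names are hypothetical and remote_listener is assumed to be in host:port form, as in step 4.

```python
import re

# Command output copied from the post (state after step 5).
SCAN_OUT = """\
SCAN name: rac-scan.domain.net, Network: 1/192.168.0.0/255.255.255.0/eth0
SCAN VIP name: scan1, IP: /rac-scan.domain.net/192.168.0.93
SCAN VIP name: scan2, IP: /rac-scan.domain.net/192.168.0.94
SCAN VIP name: scan3, IP: /rac-scan.domain.net/192.168.0.92
"""
NSLOOKUP_OUT = """\
Server:         192.168.0.66
Address:        192.168.0.66#53

Name:   rac-scan.domain.net
Address: 192.168.0.93
Name:   rac-scan.domain.net
Address: 192.168.0.94
Name:   rac-scan.domain.net
Address: 192.168.0.92
"""
LISTENER_OUT = """\
SCAN Listener MYSCANLISTENER_SCAN1 exists. Port: TCP:9120
SCAN Listener MYSCANLISTENER_SCAN2 exists. Port: TCP:9120
SCAN Listener MYSCANLISTENER_SCAN3 exists. Port: TCP:9120
"""

def scan_config(text):
    """(SCAN name, set of VIP addresses) from `srvctl config scan` output."""
    name = re.search(r"^SCAN name: ([^,\s]+)", text, re.M).group(1)
    return name, set(re.findall(r"^SCAN VIP name: [^,]+, IP: /[^/]*/(\S+)", text, re.M))

def dns_answers(text):
    """Answer-section addresses from nslookup output (server address skipped)."""
    parts = text.split("Name:", 1)
    return set(re.findall(r"^Address:\s*(\S+)", parts[-1], re.M)) if len(parts) > 1 else set()

def check_scan(scan_out, nslookup_out, listener_out, remote_listener):
    """Return a list of inconsistencies; empty means steps 1-5 agree."""
    problems = []
    name, vips = scan_config(scan_out)
    dns = dns_answers(nslookup_out)
    if vips != dns:
        problems.append("SCAN VIPs %s != DNS answers %s" % (sorted(vips), sorted(dns)))
    ports = re.findall(r"^SCAN Listener \S+ exists\. Port: TCP:(\d+)", listener_out, re.M)
    if len(ports) != len(vips):
        problems.append("%d SCAN listeners for %d SCAN VIPs" % (len(ports), len(vips)))
    host, _, port = remote_listener.rpartition(":")
    if host.lower() != name.lower() or port not in ports:
        problems.append("remote_listener %r does not match %s on %s"
                        % (remote_listener, name, sorted(set(ports))))
    return problems

if __name__ == "__main__":
    print(check_scan(SCAN_OUT, NSLOOKUP_OUT, LISTENER_OUT, "rac-scan.domain.net:9120") or "consistent")
```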
Useful metalink notes
How to Modify SCAN Setting or SCAN Listener Port after Installation [ID 972500.1]
How To Convert an 11gR2 GNS Configuration To A Standard Configuration Using DNS Only [ID 1489121.1]
How to Modify Public Network Information including VIP in Oracle Clusterware [ID 276434.1]

Related Posts
Changing Listener and SCAN Listener Port in 11gR2 RAC
Changing Listener and SCAN Listener Name in 11gR2 RAC
GNS Setup for RAC
SCAN (Single Client Access Name) Set Up Using DNS

Monday, April 18, 2016

Valid Node Checking For Registration (VNCR)

Valid Node Checking for Registration (VNCR) restricts instance registration so that it is accepted only from known servers. This has replaced the use of COST (setting up COST for 11gR1 SE and 11gR2 SE) for protecting against the TNS Listener Poison Attack. COST can still be used if it is needed for reasons other than listener restriction (for more, read 1340831.1).
VNCR is available on 11.2.0.4 and 12c, so if the DB is 11.2.0.3 then COST is still the only option available against this attack. Below is an example of setting VNCR on a single instance database. For RAC with SCAN listeners refer to the MOS notes listed at the end of the post.
The listener runs on the server with IP 192.168.0.66 (hpc1.domain.net). Currently no DB is registered.
lsnrctl status

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:06:44

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date                22-FEB-2016 13:06:41
Uptime                    0 days 0 hr. 0 min. 3 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File         /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
The listener supports no services
The command completed successfully
The DB (something to register with this listener) runs on the server with IP 192.168.0.99. To register with the listener on 192.168.0.66, add a remote listener entry in tnsnames.ora and register the database.
cat tnsnames.ora
listener_name =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.66)(PORT=1521))
  )

SQL> alter system set remote_listener='listener_name' scope=both;
System altered.

SQL> alter system register;
System altered.
Check the listener status
lsnrctl status

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:08:51

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date                22-FEB-2016 13:06:41
Uptime                    0 days 0 hr. 2 min. 10 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File         /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
Services Summary...
Service "fgacdb" has 1 instance(s).
  Instance "fgacdb", status READY, has 1 handler(s) for this service...
Service "fgacdbXDB" has 1 instance(s).
  Instance "fgacdb", status READY, has 1 handler(s) for this service...
The command completed successfully
The above shows that the remote database has registered with the listener.



In order to prevent this type of remote registration, enable valid node checking on the listener. To enable VNCR on 11.2.0.4, add the following entry to the listener.ora file. The parameter name ends with the listener name, which in this case is "LISTENER".
VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
Reload the listener and check the status. The remote listener registration is blocked.
$ lsnrctl reload
$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:24:17

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date                22-FEB-2016 13:06:41
Uptime                    0 days 0 hr. 17 min. 35 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File         /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
The listener supports no services
Any attempt to register with the listener is blocked and the listener.log will have an entry similar to the following
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
22-FEB-2016 13:31:47 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
On 12c VNCR is enabled by default, so any attempt at remote registration is rejected and the listener log will have an entry as above.
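Detection over the listener.log entries shown above, as an added example that is not part of the original post. It pairs each VNCR rejection with the timestamp line that follows it (the layout in the excerpt) and groups rejections by source; the function names, the known-host set and the sample log are constructed for illustration.

```python
import re

# Line formats follow the listener.log excerpt shown in the post.
REJECT = re.compile(r"Listener\(VNCR option (\d+)\) rejected Registration "
                    r"request from destination (\S+)")
STAMP = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) "
                   r"\* service_register_NSGR \* 1182\s*$")

# Constructed sample log. 192.168.0.99 is the DB server from the post;
# 192.168.0.150 is a made-up host that is not a known DB server.
SAMPLE_LOG = '''\
22-FEB-2016 13:24:17 * (CONNECT_DATA=(COMMAND=status)(SERVICE=LISTENER)) * status * 0
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
22-FEB-2016 13:31:47 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.150
22-FEB-2016 13:40:10 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
22-FEB-2016 13:41:47 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
'''

def vncr_rejections(lines):
    """Yield (timestamp, source, vncr_option) for each rejected registration."""
    pending = None
    for raw in lines:
        line = raw.strip()
        hit = REJECT.search(line)
        if hit:
            if pending:                 # earlier rejection had no timestamp line
                yield (None,) + pending
            pending = (hit.group(2), int(hit.group(1)))
        elif pending and STAMP.match(line):
            yield (STAMP.match(line).group(1),) + pending
            pending = None
    if pending:
        yield (None,) + pending

def summarize(events, known_db_hosts):
    """Group rejections by source and mark whether the source is a known DB host."""
    report = {}
    for when, source, _option in events:
        entry = report.setdefault(
            source, {"count": 0, "first": when, "known": source in known_db_hosts})
        entry["count"] += 1
        entry["last"] = when
    return report

if __name__ == "__main__":
    events = vncr_rejections(SAMPLE_LOG.splitlines())
    for src, info in summarize(events, {"192.168.0.99"}).items():
        tag = "known DB host" if info["known"] else "UNEXPECTED SOURCE"
        print(src, info["count"], info["first"], info["last"], tag)
```

A known host in the report usually means a database still points remote_listener at this listener; a source outside the known set is the case to investigate.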

Useful metalink notes
Valid Node Checking For Registration (VNCR) [ID 1600630.1]
How to Enable VNCR on RAC Database to Register only Local Instances [ID 1914282.1]

Related Posts
Implementing Class of Secure Transport (COST) to Restrict Instance Registration in Oracle 11gR2 SE RAC (Solution mentioned in Oracle Security Alert for CVE-2012-1675)
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle SE RAC Fails (Solution mentioned in Oracle Security Alert for CVE-2012-1675)

Friday, April 1, 2016

Upgrading RHEL 7 OS in a 11gR2 (11.2.0.4) and 12cR1 (12.1.0.2) Oracle Restart Environments

As per Oracle documentation "You must relink the Oracle Clusterware and Oracle ASM binaries every time you apply an operating system patch or after an operating system upgrade." There are two earlier posts which show upgrading of the RHEL5 and RHEL6 OS in an 11gR2 RAC environment. This post shows relinking of the GI and Oracle homes after upgrading RHEL 7 in 11.2.0.4 and 12.1.0.2 single instance (Oracle Restart) environments.
1. The current RHEL version is 7.1 and the kernel is
uname -r
3.10.0-123.el7.x86_64
2. Before the OS upgrade stop the HAS and disable the auto start on reboot.
crsctl stop has
crsctl disable has
CRS-4621: Oracle High Availability Services autostart is disabled.
3. Comment the entries in oracle-ohasd.service
cat /etc/systemd/system/oracle-ohasd.service
# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
#
# Oracle OHASD startup

[Unit]
#Description=Oracle High Availability Services
#After=syslog.target

[Service]
#ExecStart=/etc/init.d/init.ohasd run >/dev/null 2>&1 </dev/null
#Type=simple
#Restart=always

[Install]
#WantedBy=multi-user.target graphical.target
4. Upgrade the RHEL 7 OS. Kernel and RHEL7 version after the upgrade are
uname -r
3.10.0-327.el7.x86_64
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
5. Uncomment the entries in the oracle-ohasd.service file and enable auto start of HAS
crsctl enable has
CRS-4622: Oracle High Availability Services autostart is enabled.
Until this point the steps are common for both 11.2.0.4 and 12.1.0.2.

Relinking 11.2.0.4 GI and Oracle Homes
1. Relinking Oracle Home as oracle user. Make sure the relink binary in the PATH is from the Oracle home
which relink
/opt/app/oracle/product/11.2.0/dbhome_4/bin/relink
Run relink all
cd $ORACLE_HOME/bin
./relink all
writing relink log to: /opt/app/oracle/product/11.2.0/dbhome_4/install/relink.log
At the end of the relink the log file has the following
test ! -f /opt/app/oracle/product/11.2.0/dbhome_4/bin/oracle ||\
   mv -f /opt/app/oracle/product/11.2.0/dbhome_4/bin/oracle /opt/app/oracle/product/11.2.0/dbhome_4/bin/oracleO
mv /opt/app/oracle/product/11.2.0/dbhome_4/rdbms/lib/oracle /opt/app/oracle/product/11.2.0/dbhome_4/bin/oracle
chmod 6751 /opt/app/oracle/product/11.2.0/dbhome_4/bin/oracle
2. Relinking GI Home
Set ORACLE_HOME=$GI_HOME
As root unlock the GI Home. Using the RHEL 7 provided perl version will result in following error
# perl $ORACLE_HOME/crs/install/roothas.pl -unlock
Can't locate Env.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /opt/app/oracle/product/11.2.0/grid/crs/install) at /opt/app/oracle/product/11.2.0/grid/crs/install/crsconfig_lib.pm line 710.
BEGIN failed--compilation aborted at /opt/app/oracle/product/11.2.0/grid/crs/install/crsconfig_lib.pm line 710.
Compilation failed in require at /opt/app/oracle/product/11.2.0/grid/crs/install/roothas.pl line 171.
BEGIN failed--compilation aborted at /opt/app/oracle/product/11.2.0/grid/crs/install/roothas.pl line 171.
The solution for this was mentioned in the changing of hostname post, which is to use the Oracle-provided perl
# $ORACLE_HOME/perl/bin/perl $ORACLE_HOME/crs/install/roothas.pl -unlock
Using configuration parameter file: /opt/app/oracle/product/11.2.0/grid/crs/install/crsconfig_params
Successfully unlock /opt/app/oracle/product/11.2.0/grid
3. As grid user run the relink
$ORACLE_HOME/bin/relink
writing relink log to: /opt/app/oracle/product/11.2.0/grid/install/relink.log
The log file will have the following entry at the end
tail /opt/app/oracle/product/11.2.0/grid/install/relink.log

log tail
test ! -f /opt/app/oracle/product/11.2.0/grid/bin/oracle ||\
   mv -f /opt/app/oracle/product/11.2.0/grid/bin/oracle /opt/app/oracle/product/11.2.0/grid/bin/oracleO
mv /opt/app/oracle/product/11.2.0/grid/rdbms/lib/oracle /opt/app/oracle/product/11.2.0/grid/bin/oracle
chmod 6751 /opt/app/oracle/product/11.2.0/grid/bin/oracle
4. As root patch the GI Home
# cd $ORACLE_HOME/rdbms/install
# ./rootadd_rdbms.sh

$ORACLE_HOME/perl/bin/perl $ORACLE_HOME/crs/install/roothas.pl -patch
Using configuration parameter file: /opt/app/oracle/product/11.2.0/grid/crs/install/crsconfig_params
Broadcast message from systemd-journald@rhel7s.codegen.net (Thu 2016-02-18 16:50:14 GMT):
dracut[16456]: dracut: creation of /boot/initramfs-3.10.0-327.el7.x86_64.tmp failed

Message from syslogd@rhel7s at Feb 18 16:50:14 ...
 dracut:dracut: creation of /boot/initramfs-3.10.0-327.el7.x86_64.tmp failed
ACFS driver install actions failed
CRS-4124: Oracle High Availability Services startup failed.
CRS-4000: Command Start failed, or completed with errors.
Timed out waiting for ohasd to start.
During the patching the HAS stack start will fail, this is expected.
5. Reboot the host and HAS stack will be up and running as before
Resource Name                       Type                           Target             State              Host
-------------                       ------                         -------            --------           ----------
ora.DATA.dg                         ora.diskgroup.type             ONLINE             ONLINE             rhel7s
ora.FRA.dg                          ora.diskgroup.type             ONLINE             ONLINE             rhel7s
ora.LISTENER.lsnr                   ora.listener.type              ONLINE             ONLINE             rhel7s
ora.asm                             ora.asm.type                   ONLINE             ONLINE             rhel7s
ora.cssd                            ora.cssd.type                  ONLINE             ONLINE             rhel7s
ora.diskmon                         ora.diskmon.type               OFFLINE            OFFLINE
ora.evmd                            ora.evm.type                   ONLINE             ONLINE             rhel7s
ora.ons                             ora.ons.type                   OFFLINE            OFFLINE
ora.std11g2.db                      ora.database.type              ONLINE             ONLINE             rhel7s


Relinking 12.1.0.2 GI and Oracle Homes
1. Relinking Oracle home as oracle user. Make sure the relink binary in PATH is from Oracle home. Run relink all to relink the oracle home.
relink all
writing relink log to: /opt/app/oracle/product/12.1.0/dbhome_2/install/relink.log
The log file ends with the following
tail /opt/app/oracle/product/12.1.0/dbhome_2/install/relink.log
test ! -f /opt/app/oracle/product/12.1.0/dbhome_2/bin/oracle ||\
   mv -f /opt/app/oracle/product/12.1.0/dbhome_2/bin/oracle /opt/app/oracle/product/12.1.0/dbhome_2/bin/oracleO
mv /opt/app/oracle/product/12.1.0/dbhome_2/rdbms/lib/oracle /opt/app/oracle/product/12.1.0/dbhome_2/bin/oracle
chmod 6751 /opt/app/oracle/product/12.1.0/dbhome_2/bin/oracle
2. As root unlock the GI Home by using the $GI_HOME/crs/install/roothas.sh. Unlike 11.2.0.4 there are no issues in unlocking GI home in 12c
./roothas.sh -unlock
Using configuration parameter file: /opt/app/oracle/product/12.1.0/grid/crs/install/crsconfig_params
2016/02/19 18:52:17 CLSRSC-347: Successfully unlock /opt/app/oracle/product/12.1.0/grid
3. As grid user run the relink.
which relink
/opt/app/oracle/product/12.1.0/grid/bin/relink
$ relink
writing relink log to: /opt/app/oracle/product/12.1.0/grid/install/relink.log
The log file will end with the following
tail /opt/app/oracle/product/12.1.0/grid/install/relink.log

test ! -f /opt/app/oracle/product/12.1.0/grid/bin/oracle ||\
   mv -f /opt/app/oracle/product/12.1.0/grid/bin/oracle /opt/app/oracle/product/12.1.0/grid/bin/oracleO
mv /opt/app/oracle/product/12.1.0/grid/rdbms/lib/oracle /opt/app/oracle/product/12.1.0/grid/bin/oracle
chmod 6751 /opt/app/oracle/product/12.1.0/grid/bin/oracle
4. As root patch the GI Home
# $GI_HOME/rdbms/install/rootadd_rdbms.sh

./roothas.sh -patch
Using configuration parameter file: /opt/app/oracle/product/12.1.0/grid/crs/install/crsconfig_params
CRS-4124: Oracle High Availability Services startup failed.
CRS-4000: Command Start failed, or completed with errors.
2016/02/19 18:59:50 CLSRSC-199: Timed out waiting for OHASD to start

The command '/opt/app/oracle/product/12.1.0/grid/perl/bin/perl -I/opt/app/oracle/product/12.1.0/grid/perl/lib -I/opt/app/oracle/product/12.1.0/grid/crs/install /opt/app/oracle/product/12.1.0/grid/crs/install/roothas.pl -patch' execution failed
5. Similar to 11.2.0.4, start of the HAS stack will fail, this is expected. Reboot the host and HAS will be up and running.
Resource Name             Type                      Target             State              Host
-------------             ------                    -------            --------           ----------
ora.DATA.dg               ora.diskgroup.type        ONLINE             ONLINE             rhel7
ora.FRA.dg                ora.diskgroup.type        ONLINE             ONLINE             rhel7
ora.LISTENER.lsnr         ora.listener.type         ONLINE             ONLINE             rhel7
ora.asm                   ora.asm.type              ONLINE             ONLINE             rhel7
ora.cssd                  ora.cssd.type             ONLINE             ONLINE             rhel7
ora.diskmon               ora.diskmon.type          OFFLINE            OFFLINE
ora.evmd                  ora.evm.type              ONLINE             ONLINE             rhel7
ora.ons                   ora.ons.type              OFFLINE            OFFLINE
ora.se2db.db              ora.database.type         ONLINE             ONLINE             rhel7
This concludes the steps for relinking GI and Oracle homes after RHEL 7 OS upgrade.

Related Posts
Upgrading RHEL 6 OS in a 11gR2 RAC Environment
Upgrading OS in 11gR2 RAC Environment
Upgrading ASMLib and OS in 11gR1 RAC Environment