Oracle Net Service Name Resolution

Oracle Net Service Name
Resolution
Getting Rid of the TNSNAMES.ORA File!
Simon Pane – Oracle Database Principal Consultant
March 19, 2015
ABOUT ME
• Working with the Oracle DB since version 6
• Oracle Certified Expert
• Oracle Certified Professional
– Oracle Database 8, 8i, 9i, 10g, 11g and 12c
• Oracle Certified Partner Specialist
• Oracle ACE Associate
• MOS Communities: Simon_DBA – Level: “Expert”
ABOUT PYTHIAN
10,000
Pythian currently manages
more than 10,000 systems.
385
Pythian currently employs
more than 385 people in 30
countries worldwide.
• Global leader in data consulting and managed services.
• Unparalleled expertise
• Top 5% in databases, applications, infrastructure, Big Data, Cloud, Data Science, and DevOps
• Unmatched certifications
• 8 Oracle ACEs, 2 Oracle ACE Directors, 2 Oracle ACE Associates, 2 Oracle Certified Masters,
• 5 Microsoft MVPs, 1 Microsoft Certified Master
1997
Pythian was founded in 1997
• 1 Cloudera Champion of Big Data
• Broad technical experience
• Oracle, Microsoft, MySQL, Oracle EBS, Hadoop, Cassandra, MongoDB, virtualization,
configuration management, monitoring, trending, and more.
TARGET AUDIENCE
• This presentation is for
– Not Sys Admins
– Not Network Admins
– Not LDAP Admins
NET SERVICE NAME RESOLUTION
A Quick Refresher
WHAT ARE WE TALKING ABOUT?
• Net Service Name
– “A simple name for a service that resolves to a connect descriptor”
• Connect Descriptor
– “A specially formatted description of the destination for a network
connection. A connect descriptor contains destination service and
network route information.”
• The TNSNAMES.ORA file
– “The tnsnames.ora file is a configuration file that contains net
service names mapped to connect descriptors for the local naming
method, or net service names mapped to listener protocol
addresses.”
• Source: https://docs.oracle.com/database/121/NTDBI/glossary.htm
THE BASICS: THE CONNECT DESCRIPTOR
• Everything could be specified at the prompt
• Good for testing the string/troubleshooting
THE BASICS: EZCONNECT
• 10g added EZCONNECT
– shortened command line specification
THE BASICS: NET SERVICE NAME SEARCH
• Net Service Name can be found in multiple
locations
– TNSNAMES.ORA files, external service, directory
server
– Oracle Net stops searching when it finds the first one
STORING AS UNSTRUCTURED DATA
• “Unstructured” – not in a database
• DNS is somewhat similar yet DNS entries aren’t
stored in host files
• In the TNSNAMES.ORA the “Connect
Descriptors” aren’t consistent in structure or
layout
MANAGEMENT TECHNIQUES
• Scripts that run nightly to “push” out new files to
all servers and desktops
• Centralized files using the TNS_ADMIN
environment variable or soft links
– Storing on a network share or NFS mount
• Centralized using the IFILE parameter
– Can be used up to four times
PROBLEMS WITH THIS APPROACH
• One typo can corrupt the current and all subsequent
entries
• Cumbersome to work with/edit with a large number
of entries
• If centralized, problems affect all users
• If localized, may take time to propagate changes
• Multiple copies can get out of sync – changes
clobbered
“BUT WE'VE ALWAYS DONE IT THAT WAY”
• “Old way” doesn't mean it's the “best way”
WHAT ARE THE OPTIONS
How can we make things better?
ALTERNATIVES
• Store in an “LDAP compatible Directory Server”
–
–
–
–
Oracle Internet Directory (OID)
Microsoft Active Directory (AD)
OpenLDAP
Others (IBM Tivoli Directory Server, Sun Java System
Directory Server, Red Hat Directory Server, Apache
Directory Server)
• EZCONNECT
• A hybrid approach using all methods
STRUCTURE IN A “DIRECTORY SERVER”
• Published “LDAP Schema for Oracle Net Services”
• “Structural LDAP Classes” for Oracle Net:
orclDBServer
orclNetService
orclNetServiceAlias
orclNetDescription
orclNetDescriptionList
orclNetAddress
orclNetAddressList
orclNetDescriptionAux1
orclNetAddressAux1
CHOOSING A DIRECTORY SERVER
•
•
•
•
•
•
•
•
•
•
•
•
•
Easy to install and setup?
Supported platforms?
Additional software required?
Additional hardware required?
Additional licenses required?
Bulk load existing entries?
Easy additions?
Easy modifications and removals?
Ability to export to a TNSNAMES.ORA file?
Supports advanced entries (i.e. TAF, RAC, other options)?
Supports aliases?
High availability and protection (backup options)?
Security implications?
OID BENEFITS
• Complete Oracle stack – full Oracle Support
• Data stored in the Oracle Database
– DBAs know how to manage / backup
• High availability options
• Easy TNSNAMES.ORA file generation
• Easy to handle multiple “contexts”
– (i.e. .world, .example.com)
OID ISSUES
• Requires a WebLogic domain
– Cumbersome, likely difficult for most DBAs
• May require additional hardware
– For Oracle database repository and/or WLS
• Upgrades and patching (WLS & DB)
• Overkill for just Net Service Name lookup?
ACTIVE DIRECTORY BENEFITS
• Register databases via Oracle Tools (optional)
– DBCA or Oracle Net Manager
• SA handles:
– Replication, HA, Patches, Updates, Backups, etc
• Critical part of the network infrastructure
– Typically high performance
ACTIVE DIRECTORY SETUP
• Very easy to setup (Demo later)
– Requires access to the AD on a DC
– Need Domain Administrator privileges
– Implement using “Oracle Net Configuration Assistant”
and “Oracle Net Manager”
• Follow Oracle Implementation PDF guides
– Follow step-by-step guides:
• Configuring Microsoft Active Directory for Net Naming (Doc ID 1587824.1)
ACTIVE DIRECTORY ISSUES
• Will need cooperation from Domain Admins to
install / configure
• Extra AD permissions may be required to query
• 11g Clients:
– NAMES.LDAP_AUTHENTICATE_BIND = YES
• Anonymous query may be required for UNIX
clients
OPENLDAP BENEFITS
• Free (open-source) Directory Server software
available on a variety of platforms
– Linux, Solaris, MacOS X, Windows, etc
• Master-slave replication options
– Including multiple slaves, cross-platform, crossendian
• Easy updates (i.e. yum for Linux deployments)
OPENLDAP INSTALLATION
• Install additional RPMs
– openldap-servers , openldap-clients
• slapd = “stand-alone LDAP directory server”
• Simple initial setup (Demo later)
– Customize some text files; run commands; etc
– Requires some basic Linux skills
– Will need root access
OPENLDAP ISSUES
• No GUI included
– Using with Oracle Net Manager is difficult
• Apache Directory Studio
– Free for Windows, Mac & Linux
COMMON FUNCTIONALITY
• All have (in some form or another)
– Bulk load ability: ldapadd –f <file>
– Command line searching: ldapsearch
– Extraction to a TNSNAMES.ORA file via tool or
command
TOOLS ARE ALREADY INSTALLED!
• LDAP tools in every Database and Client home
WHAT’S THE DOWNSIDE?
Risks, Concerns, Supportability,
Troubleshooting?
WHAT ABOUT SUPPORT?
• With OID the whole stack is supported
• Resolution via AD also supported
• Net Service Name resolution from other
Directory Services not fully supported
– But is that really an issue?
SUPPORT RISKS?
• If using an unsupported Directory Server, DBAs
must know how to investigate/resolve some
problems
– Oracle Support will be limited when investigating
TNS-03505 via SR when not using AD or OID
FAILOVER PERFORMANCE?
• Test failover times from an unresponsive master
server!
• Related MOS notes:
– Slow LDAP Naming Resolution when Primary LDAP server unavailable. (Doc ID
1193853.1)
– Performance problem with Oracle*Net Failover when TCP Network down (no IP
address) (Doc ID 249213.1)
– How to Setup LDAP Client Naming Resolution Failover Timeout Against OID - If
OID1 is Busy, Quickly Try OID2. (Doc ID 1671486.1)
BUT REMEMBER…
• Used for initial connection lookup only
– Listener sends back a new socket
• Not used again for persistent connections
• Not used for RAC interconnect
• Data Guard & DB Links
– Optionally configure with EZCONNECT if support is a
concern
OTHER RISKS?
• Slow / no response from the Directory Servers?
– All options offer redundancy or high availability
– Worst case, switch back to TNSNAMES.ORA
• Some applications may not support it
– Might need some one-off TNSNAMES.ORA files
FUNCTIONALITY RISKS?
• Extra complexity with advanced options
– TAF entries, RAC entries, global_name
– Oracle Net aliases
• Oracle7 and Oracle8.0 clients
– Still can be done but requires extra/different steps
DEBUGGING TECHNIQUES: TRACING
• Oracle Net (SQL*Net) Tracing
– HOWTO : Use sqlnet tracing to track down which tnsnames.ora file is used
in the connection? (Doc ID 846822.1)
– How to Enable Oracle SQLNet Client , Server , Listener , Kerberos and
External procedure Tracing from Net Manager (Doc ID 395525.1)
• Oracle whitepaper on interpreting the result
– Examining Oracle Net, Net8, SQL*Net Trace Files (Doc ID 156485.1)
• Trace Assistant
– Example of Using Trace Assistant (TRCASST) to Work an Oracle Net issue (Doc
ID 1336069.1)
DEBUGGING TECHNIQUES: TRCROUTE
• Oracle Trace Route utility
– Reports on TNS entries on route to the “server”
– https://docs.oracle.com/database/121/NETAG/connect.htm#NETAG383
DEBUGGING TECHNIQUES: OS TOOLS
• Linux
– Strace:
• $ strace tnsping ORCL
• Windows
– Windows Sysinternals Process Monitor:
• Run in batch file with command line switches
– NtTrace:
• http://www.howzatt.demon.co.uk/NtTrace
THINGS TO WATCH OUT FOR
• NAMES.DIRECTORY_PATH
– Methods not specified are excluded
– Also determines search order
– Must keep EZCONNECT for RAC cluster interconnect
• Files searched
– Remember: /etc/tnsnames.ora
– Hidden file: ~/.tnsnames.ora
• Windows
– Different search order rules (cwd vs. home dir)
– Different search orders if %ORACLE_HOME% is set
VIRTUAL DEMO 1
OpenLDAP setup on OL6.5
In 10 simple steps!
DEMO1: OpenLDAP SETUP
• STEP 1: Install the required RPMs
DEMO1: OpenLDAP SETUP
• STEP 2: Some basic initial setup
• STEP 3: Set the LDAP admin password
– Record the hash for use later
DEMO1: OpenLDAP SETUP
• STEP 4: Create a default configuration file
• STEP 5: Create the OID schema files
DEMO1: OpenLDAP SETUP
• STEP 6: Edit /etc/openldap/slapd.conf
– Add new OID schema files
– Update all occurrences of “my-domain”
– Add rootpw hash value (could use plain text as well)
DEMO1: OpenLDAP SETUP
• STEP 7: Start and register slapd service
• STEP 8: Manually add the OU to the root
DEMO1: OpenLDAP SETUP
• STEP 9: Add the orclContext and the first
entry
DEMO1: OpenLDAP SETUP
• STEP 10: Adjust SQLNET.ORA & LDAP.ORA
DEMO1: OpenLDAP SETUP
• Additional optional steps
–
–
–
–
–
Add master and slave(s) replication (HA)
Secure with TLS and a certificate
Configure Apache Directory Studio
Script simplified additions using ldapadd
Script TNSNAMES.ORA generation using ldapsearch
VIRTUAL DEMO 2
Active Directory Setup
In < 10 simple steps!
DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 1: Follow steps provided in Oracle PDF
•
Configuring Microsoft Active Directory for Net Naming (Doc ID 1587824.1)
DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 2: Adjust SQLNET.ORA & LDAP.ORA
DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 3: Add an entry
– Using the Oracle Net Manager utility on the DC
– Under the “Directory” tab
DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 4: Verify the entry
– Using “Active Directory Users and Computers”
DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 5: Verify that the entry can be modified
– Using “Active Directory Explorer” (Sysinternals)
DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 6: Test that data can be extracted
– Using “ldapsearch”
DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 7: Test resolution from Windows
DEMO 2: ACTIVE DIRECTORY SETUP
• STEP 8: Test resolution from Linux
WRAP UP!
SUMMARY 1
• OID, Active Directory, and OpenLDAP are all just
three out of many possible LDAP Directory
Servers software products
• Oracle “Connect Descriptors” can be stored and
accessed from any LDAP Directory Server
• Active Directory and OpenLDAP are the easiest
to setup
SUMMARY 2
• Initial data can be bulk loaded
• Data can be extracted to a TNSNAMES.ORA
• Simple scripts can be used to automate:
– Creation of new entries
– Extraction into a TNSNAMES.ORA
• LDAP utilities are already in every $OH
SUMMARY 3
• Cost is typically a few days of initial setup work
– Include setup and procedural documentation!!!!
• Deployment risk is minimal
– As hybrid approach can be used
• Lower risk of issues if stored in a proper
Directory Service
– Reduced propagation time for additions/changes
– Lower chance of introducing a widespread error
– Higher availability
THANKS AND Q&A
pane@pythian.com
1-877-PYTHIAN
http://www.Pythian.com/blog
http://is.gd/PythianFacebook
@Pythian
http://linkedin.com/company/Pythian