Traffic Director Mode (TDM) is an intelligent layer introduced in Oracle Client 18c and beyond, designed to enhance CMAN. TDM introduces additional dimensions to the system, including transparent High Availability (HA) with outage support, advanced security features for cloud environments (protection against DoS and fuzzing attacks, tenant isolation, etc.), and capabilities for optimizing performance.
In summary, CMAN-TDM allows any client application to establish a connection with an Oracle database, whether it's on-premises or in the cloud, without revealing the underlying database details to the client. An important aspect worth highlighting is the interoperability of CMAN-TDM with various versions of Oracle databases.
Sample CMAN-TDM Architecture
HA with Dedicated Connections in CMAN-TDM
I will not use the remote_listener to cman, so that cman will be used as a listener
Some documents may recommend to set the instance's REMOTE_LISTENER parameter to both the SCAN address and the CMAN address. However, in doing so, you never connect to the database via the SCAN listeners - you simply connect to CMAN and then are redirected directly to a database instance.
CONFIGURATION OF CMAN-TDM - DEDICATED CONNECTIONS
- DATABASE PROXY USER CREATION
- THE CLIENT USER
- DATABASE PROXY USER WALLET CREATION
- CMAN.ORA CONFIGURATION
- RUNNING CMAN-TDM
- TESTING CMAN_TDM
- Validation van de CMAN and DATABASE via netstat and logfiles
Step 1. DATABASE PROXY USER CREATION
CMAN-TDM uses a database proxy user, usually named TDM, to create proxy connections for all users accessing the database through CMAN-TDM. The DBA needs to create this user and grant CREATE SESSION privilege, as shown in the example below:
SQL> CREATE USER TDM IDENTIFIED BY TDM_PASSWORD;
SQL> GRANT CREATE SESSION TO TDM;Step 2. THE CLIENT USER
The client application should have already created an application user on the database. Grant the CREATE SESSION privilege to the application user through the database proxy user by using the CONNECT THROUGH keyword:
SQL> CREATE USER joords IDENTIFIED BY joords_PASSWORD
default tablespace users
temporary tablespace temp
account unlock quota unlimited on users;
SQL> GRANT connect, resource TO joords;
SQL> GRANT create session, create table, create procedure,
create sequence,create trigger, create view,
create synonym, alter session,
create type to joords;
SQL> ALTER USER JOORDS GRANT CONNECT THROUGH TDM;Step 3. DATABASE PROXY USER WALLET CREATION
[oracle@ol8-21-rac1 scripts]$ echo $ORACLE_HOME
/u01/app/oracle/product/21.0.0/client_1
[oracle@ol8-21-rac1 scripts]$ echo $ORACLE_BASE
/u01/app/oracle
[oracle@ol8-21-rac1 scripts]$ export TNS_ADMIN=/u01/app/oracle/product/21.0.0/client_1/network/admin
[oracle@ol8-21-rac1 scripts]$ export WLLT_CMAN=$ORACLE_BASE/cman
[oracle@ol8-21-rac1 scripts]$ mkdir -p $WLLT_CMAN
[oracle@ol8-21-rac1 scripts]$ mkstore -wrl $WLLT_CMAN -create
[oracle@ol8-21-rac1 scripts]$ echo cmanwllt01 | mkstore -wrl $WLLT_CMAN -createCredential pdb_tacservice TDM 'TDM_PASSWORD'
[oracle@ol8-21-rac1 scripts]$ echo cmanwllt01 | mkstore -wrl $WLLT_CMAN -listCredential
List credential (index: connect_string username) 1: pdb_tacservice TDMStep 4. CMAN.ORA CONFIGURATION
[oracle@ol8-21-rac1 scripts]$ cat <<EOF > $TNS_ADMIN/cman-tdm.ora
cman-tdm = (configuration=
(address=(protocol=tcp)(host=ol8-21-rac1)(port=1888))
(parameter_list =
(tdm=true)
(tdm_threading_mode=dedicated)
(log_level=ADMIN)
(max_connections=50)
(idle_timeout=0)
(inbound_connect_timeout=0)
(session_timeout=0)
(outbound_connect_timeout=0)
(max_gateway_processes=16)
(min_gateway_processes=2)
(remote_admin=on)
(trace_level=off)
(max_cmctl_sessions=4)
(event_group=init_and_term,memory_ops)
)
(NEXT_HOP=(ADDRESS_LIST=(LOAD_BALANCE=ON)(ADDRESS=(PROTOCOL=tcp)(HOST=ol8-21-scan.joordsdomain)(PORT=1521))))
(rule_list=
(rule=
(src=*)(dst=*)(srv=*)(act=accept)
(action_list=(aut=off)(moct=0)(mct=0)(mit=0)(conn_stats=on))
)
)
)
wallet_location=(source=(method=file)(method_data=(directory="/u01/app/oracle/cman")))
sqlnet.wallet_override=true
EOF
[oracle@ol8-21-rac1 scripts]$ echo "IFILE=$TNS_ADMIN/cman-tdm.ora" >> $TNS_ADMIN/cman.ora
When we use the IFILE parameter inside cman.ora, multiple CMAN and CMAN-TDM configurations can be managed in the same host without editing cman.ora directly. Multiple CMAN-TDM config files for different instances can be referred to within the cman.ora file using the IFILE parameter.
step 5. RUNNING CMAN-TDM
Startup CMAN for cman-tdm:
$ORACLE_HOME/bin/cmctl startup -c cman-tdm
Shutdown CMAN for cman-tdm:
$ORACLE_HOME/bin/cmctl shutdown -c cman-tdm
Reload CMAN for cman-tdm:
$ORACLE_HOME/bin/cmctl reload -c cman-tdm
Start the CMAN-TDM
[oracle@ol8-21-rac1 admin] $ $ORACLE_HOME/bin/cmctl startup -c cman-tdm
CMCTL for Linux: Version 21.0.0.0.0 - Production on 23-JAN-2024 09:22:24
Copyright (c) 1996, 2021, Oracle. All rights reserved.
Current instance cman-tdm is not yet started
Connecting to (DESCRIPTION=(address=(protocol=tcp)(host=ol8-21-rac1)(port=1888)))
Starting Oracle Connection Manager instance cman-tdm. Please wait...
CMAN for Linux: Version 21.0.0.0.0 - Production
Status of the Instance
----------------------
Instance name cman-tdm
Version CMAN for Linux: Version 21.0.0.0.0 - Production
Start date 23-JAN-2024 09:22:24
Uptime 0 days 0 hr. 0 min. 9 sec
Num of gateways started 2
Average Load level 0
Log Level ADMIN
Trace Level OFF
Instance Config file /u01/app/oracle/product/21.0.0/client_1/network/admin/cman.ora
Instance Log directory /u01/app/oracle/diag/netcman/ol8-21-rac1/cman-tdm/alert
Instance Trace directory /u01/app/oracle/diag/netcman/ol8-21-rac1/cman-tdm/trace
The command completed successfully.Step 6. TESTING CMAN-TDM
A weird issue:
Be careful if populating the cman tnsnames.ora!
You do not need to have it at all and you may find weird issues if you have a tnsnames entry
with the same name of the database service you want to connect to:
When I had the pdb_tacservice service used for testing the SEPS and was added to the as a tns entry in its tnsnames.ora ,
I got a generic “ORA-28725: Invalid CMAN in Traffic Director mode configuration” error.
This error is really generic and made me waste quite a lot of time!==> no sqlnet and tnsnames provided for the CMAN configuration - This solved the problem
Testing
[oracle@ol8-21-rac1 ~]$ srvctl status service -db $ORACLE_UNQNAME
Service pdb_tacservice is running on instance(s) cdbrac1,cdbrac2
[oracle@ol8-21-rac1 ~]$ cat <<EOF> /u01/app/oracle/homes/OraDB21Home1/network/admin/tnsnames.ora
pdb_tactdm =
(DESCRIPTION =
(CONNECT_TIMEOUT=90)(RETRY_COUNT=50)(RETRY_DELAY=3)
(TRANSPRRT_CONNECT_TIMEOUT=3)
(ADDRESS_LIST=
(LOAD_BALANCE=ON)
(ADDRESS =
(PROTOCOL = TCP)
(HOST= ol8-21-rac1.joordsdomain)
(PORT=1888)
)
)
(CONNECT_DATA=
(SERVICE_NAME = pdb_tacservice)
)
)
EOF
[oracle@ol8-21-rac1 admin]$ tnsping pdb_tactdm
TNS Ping Utility for Linux: Version 21.0.0.0.0 - Production on 23-JAN-2024 09:36:38
Copyright (c) 1997, 2021, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (CONNECT_TIMEOUT=90)(RETRY_COUNT=50)(RETRY_DELAY=3)(TRANSPRRT_CONNECT_TIMEOUT=3) (ADDRESS_LIST= (LOAD_BALANCE=ON) (ADDRESS = (PROTOCOL = TCP)(HOST= ol8-21-rac1.joordsdomain)(PORT=1888))) (CONNECT_DATA= (SERVICE_NAME = pdb_tacservice) (COLOCATION_TAG=abc)))
OK (0 msec)
[oracle@ol8-21-rac1 admin]$ sqlplus joords/joords_PASSWORD@pdb_tactdm
SQL*Plus: Release 21.0.0.0.0 - Production on Tue Jan 23 09:37:44 2024
Version 21.3.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
Last Successful login time: Thu Jan 18 2024 14:42:02 +00:00
Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
connected via Oracle Connection Manager in Traffic Director mode 21.3.0.0.0
SQL> show user
USER is "JOORDS"
SQL> set linesize 200
col DB_UNIQUE_NAME format a20
col INSTANCE_NAME format a20
col HOST format a20
col SERVICE_NAME format a20
col AUTH_METHOD format a20
col PROXY_USER format a20
select sys_context('USERENV','DB_UNIQUE_NAME') as DB_UNIQUE_NAME
, sys_context('USERENV','INSTANCE_NAME') as INSTANCE_NAME
, sys_context('USERENV','SERVER_HOST') as HOST
, sys_context('USERENV','SERVICE_NAME') as SERVICE_NAME
, sys_context('USERENV','AUTHENTICATION_METHOD') as AUTH_METHOD
, sys_context('USERENV','PROXY_USER') as PROXY_USER
from dual;
DB_UNIQUE_NAME INSTANCE_NAME HOST SERVICE_NAME AUTH_METHOD PROXY_USER
-------------------- -------------------- -------------------- -------------------- -------------------- --------------------
cdbrac cdbrac2 ol8-21-rac2 PDB_TACSERVICE NONE TDM
[oracle@ol8-21-rac1 admin]$ sqlplus joords/joords_PASSWORD@ol8-21-rac1:1888/PDB_TACSERVICE
SQL*Plus: Release 21.0.0.0.0 - Production on Tue Jan 23 09:42:02 2024
Version 21.3.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
Last Successful login time: Tue Jan 23 2024 09:40:38 +00:00
Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
connected via Oracle Connection Manager in Traffic Director mode 21.3.0.0.0
SQL> set linesize 200
col DB_UNIQUE_NAME format a20
col INSTANCE_NAME format a20
col HOST format a20
col SERVICE_NAME format a20
col AUTH_METHOD format a20
col PROXY_USER format a20
select sys_context('USERENV','DB_UNIQUE_NAME') as DB_UNIQUE_NAME
, sys_context('USERENV','INSTANCE_NAME') as INSTANCE_NAME
, sys_context('USERENV','SERVER_HOST') as HOST
, sys_context('USERENV','SERVICE_NAME') as SERVICE_NAME
, sys_context('USERENV','AUTHENTICATION_METHOD') as AUTH_METHOD
, sys_context('USERENV','PROXY_USER') as PROXY_USER
from dual;
DB_UNIQUE_NAME INSTANCE_NAME HOST SERVICE_NAME AUTH_METHOD PROXY_USER
-------------------- -------------------- -------------------- -------------------- -------------------- --------------------
cdbrac cdbrac1 ol8-21-rac1 PDB_TACSERVICE NONE TDM
Connect as sysdba and validate the user JOORDS on the database
[oracle@ol8-21-rac1 ~]$ sqlplus / as sysdba
SQL*Plus: Release 21.0.0.0.0 - Production on Tue Jan 23 09:44:41 2024
Version 21.3.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
SQL> alter session set container=PDB1:
SQL> col service_name format a20
col username format a30
select inst_id
, sid,username
, service_name
, failover_type
, failover_method
, failed_over
, PROGRAM
from gv$session where username='JOORDS';
INST_ID SID USERNAME SERVICE_NAME FAILOVER_TYPE FAILOVER_M FAI PROGRAM
---------- ---------- ------------------------------ -------------------- ------------- ---------- --- ------------------------------------------------------------------------------------
1 161 JOORDS PDB_TACSERVICE AUTO BASIC NO cmop@ol8-21-rac1 (TNS V1-V3)
The program is a cmop@ol8-21-rac instead of sqlplus.
CMAN has mapped the sqlplus session to a cman session dedicated and the cman will login as a proxy to the database
CMAN has mapped the sqlplus session to a cman session dedicated and the cman will login as a proxy to the database
Global overview of the CMAN PRCP
Below a global overview of the CMAN PRCP which act as a streaming service between the Client connections and the Database access.
Step 7. Validation CMAN and DATABASE via netstat and logfiles
View /u01/app/oracle/diag/netcman/ol8-21-rac1/cman-tdm/trace/cman-tdm.log
2024-01-23T09:42:02.797365+00:00
23-JAN-2024 09:42:02 * (CONNECT_DATA=(SERVICE_NAME=PDB_TACSERVICE)(CID=(PROGRAM=sqlplus)(HOST=ol8-21-rac1)(USER=oracle))(CONNECTION_ID=D5rCMuGqELDgY2U4qMDJxw==)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.101)(PORT=27002)) * establish * PDB_TACSERVICE * 0
View /u01/app/grid/diag/tnslsnr/ol8-21-rac1/listener/trace/listener.log
23-JAN-2024 09:42:02 * (CONNECT_DATA=(SERVICE_NAME=PDB_TACSERVICE)(CONNECTION_ID=D5p8DXU09EjgY2U4qMD2wg==)(USE_DBROUTER=YES)(CID=(PROGRAM=cmop)(HOST=ol8-21-rac1)(USER=oracle))(SERVER=dedicated)(INSTANCE_NAME=cdbrac1)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.101)(PORT=22814)) * establish * PDB_TACSERVICE * 0
Netstat commands:
[oracle@ol8-21-rac1 ~]$ netstat -anp | grep sqlplus|grep 1888
tcp 0 0 192.168.56.101:27002 192.168.56.101:1888 ESTABLISHED 69808/sqlplus
[oracle@ol8-21-rac1 ~]$ netstat -anp | grep 27002
tcp 0 0 192.168.56.101:27002 192.168.56.101:1888 ESTABLISHED 69808/sqlplus
tcp6 0 0 192.168.56.101:1888 192.168.56.101:27002 ESTABLISHED 62536/cmop
CMAN information:
[oracle@ol8-21-rac1 admin]$ $ORACLE_HOME/bin/cmctl
CMCTL for Linux: Version 21.0.0.0.0 - Production on 23-JAN-2024 11:32:07
Copyright (c) 1996, 2021, Oracle. All rights reserved.
Welcome to CMCTL, type "help" for information.
CMCTL> administer cman-tdm
Current instance cman-tdm is already started
Connections refer to (DESCRIPTION=(address=(protocol=tcp)(host=ol8-21-rac1)(port=1888))).
The command completed successfully.
CMCTL:cman-tdm> show all
listener_address | (DESCRIPTION=(address=(protocol=tcp)(host=ol8-21-rac1)(port=1888)))
aso_authentication_filter | OFF
connection_statistics | OFF
event_group | (init_and_term, memory_ops)
log_directory | /u01/app/oracle/diag/netcman/ol8-21-rac1/cman-tdm/alert
log_level | ADMIN
max_connections | 50
idle_timeout | 0
inbound_connect_timeout | 0
session_timeout | 0
outbound_connect_timeout | 0
max_gateway_processes | 16
min_gateway_processes | 2
max_cmctl_sessions | 4
password | OFF
remote_admin | ON
trace_directory | /u01/app/oracle/diag/netcman/ol8-21-rac1/cman-tdm/trace
trace_level | OFF
trace_timestamp | ON
trace_filelen | 0
trace_fileno | 0
service_rate | 0
connection_rate | 0
max_all_connections | 0
max_reg_connections | 0
compression | OFF
sdu | 8192
expire_time | 0
non_tunnel_gateways | 1000
use_sid_as_service | OFF
valid_node_checking_registration | OFF
Number of filtering rules currently in effect: 1
(rule_list=
(rule=
(src=*)
(dst=*)
(srv=*)
(act=accept)
(action_list=(aut=off)(moct=0)(mct=0)(mit=0)(conn_stats=on))
)
)
The command completed successfully.
CMCTL:cman-tdm> show defaults
listener_address | (ADDRESS=(PROTOCOL=TCP)(HOST=ol8-21-rac1)(PORT=1521))
aso_authentication_filter | OFF
connection_statistics | OFF
event_group | OFF
log_directory | /u01/app/oracle/product/21.0.0/client_1/network/log/
log_level | SUPPORT
max_connections | 256
idle_timeout | 0
inbound_connect_timeout | 60
session_timeout | 0
outbound_connect_timeout | 0
max_gateway_processes | 16
min_gateway_processes | 2
max_cmctl_sessions | 4
password | OFF
remote_admin | OFF
trace_directory | /u01/app/oracle/product/21.0.0/client_1/network/trace/
trace_level | OFF
trace_timestamp | OFF
trace_filelen | 0
trace_fileno | 0
The command completed successfully.
CMCTL:cman-tdm> show connections detail
Connection ID 5
Gateway ID 0
Source 192.168.56.101
Source Hostname ol8-21-rac1
Source Process Id 115863
Source Program Name sqlplus@ol8-21-rac1 (TNS V1-V3)
Destination 192.168.56.103
Destination Hostname ol8-21-rac1
Service PDB_TACSERVICE
Idle time 19916243
Thread Wait time 0
Active time 445070
State IDLE
PRCP Wait time 0
PRCP Checked-out time 0
PRCP Active time 0
PRCP State NO STATE
Total Session Gets 1
Session Get Hits 0
The command completed successfully.
No comments:
Post a Comment