Oracle® Application Server High Availability Guide
10g Release 2 (10.1.2) B14003-03 |
|
Previous |
Next |
Whereas Chapter 1 provided an overview of high availability in general, this chapter introduces you to the specific sets of features, services, and environments that Oracle Application Server provides to ensure high availability for all its components and services. It contains the following sections:
Oracle Application Server provides redundancy by offering support for multiple instances supporting the same workload. These redundant configurations provide increased availability either through a distributed workload, through a failover setup, or both.
From the entry point to an Oracle Application Server system (content cache) to the back end layer (data sources), all the tiers that are crossed by a request can be configured in a redundant manner with Oracle Application Server. The configuration can be an active-active configuration using OracleAS Cluster or an active-passive configuration using OracleAS Cold Failover Cluster.
In the following sections, we describe the basics of these configurations:
Oracle Application Server provides an active-active redundant model for all its components with OracleAS Clusters. In an OracleAS Cluster, two or more Oracle Application Server instances are configured to serve the same application workload. These instances can reside on the same machine or on different machines.The active instances may be front-ended by an external load balancer, which can redirect requests to any of the active instances, or by some other application-level configuration, such as address lists, to distribute the requests.
The most common properties of an OracleAS Cluster configuration include:
Identical instance configuration
The instances are meant to serve the same workload or application. Their configuration guarantees that they deliver the same exact reply to the same request. Some configuration properties may be identical and others may be instance-specific, such as local host name information.
Managed collectively
Changes made to one system will usually need to be propagated to the other systems in an active-active configuration.
Operate independently
In order to provide maximum availability, the loss of one Oracle Application Server instance in an active-active configuration should not affect the ability of the other instances to continue to serve requests.
The advantages of an OracleAS Cluster configuration include:
Increased availability
An active-active configuration is a redundant configuration. Loss of one instance can be tolerated because other instance can continue to serve the same requests.
Increased scalability and performance
Multiple identically-configured instances provide the capability to have a distributed workload shared among different machines and processes. If configured correctly, new instances can also be added as the demand of the application grows.
In general, the term OracleAS Cluster describes clustering at the Oracle Application Server instance level. However, if it is necessary to call out the specific type of instances being clustered, this document will use OracleAS Cluster (type) to characterize the cluster solution. For example:
Oracle Application Server provides an active-passive model for all its components using OracleAS Cold Failover Clusters. In an OracleAS Cold Failover Cluster configuration, two or more application server instances are configured to serve the same application workload but only one is active at any particular time. These instances can reside on the same machine or on different machines.
The most common properties of an OracleAS Cold Failover Cluster configuration include:
The passive Oracle Application Server instance in an active-passive configuration has access to the same Oracle binaries, configuration files, and data as the active instance.
Virtual hostname
During OracleAS Infrastructure installation, you can specify a virtual hostname in the Specify Virtual Hostname screen. This OracleAS Infrastructure virtual hostname can be managed by a hardware cluster or a load balancer and is used by the middle-tier and OracleAS Infrastructure components to access the OracleAS Infrastructure. This is regardless of whether the OracleAS Infrastructure is in a single node installation, in the OracleAS Cold Failover Cluster solution, or in the OracleAS Cluster solution.
The virtual hostname is the hostname associated with the virtual IP. This is the name that is chosen to give the Oracle Application Server middle-tier a single system view of the OracleAS Infrastructure with the help of a hardware cluster or load balancer. This name-IP entry must be added to the DNS that the site uses, so that the middle-tier nodes can associate with the OracleAS Infrastructure without having to add this entry into their local /etc/hosts
(or equivalent) file. For example, if the two physical hostnames of the hardware cluster are node1.mycompany.com
and node2.mycompany.com
, the single view of this cluster can be provided by the name selfservice.mycompany.com
. In the DNS, selfservice
maps to the virtual IP address of the OracleAS Infrastructure, which either floats between node1
and node2
via a hardware cluster or maps to node1 and node2
by a load balancer, all without the middle tier knowing which physical node is active and actually servicing a particular request.
You cannot specify a virtual hostname during Oracle Application Server middle-tier installation, but you can still use a virtual hostname via a hardware cluster or load balancer by following the post-installation configuration steps for cold failover cluster middle tiers. See the Oracle Application Server Installation Guide.
Failover procedure
An active-passive configuration also includes a set of scripts and procedures to detect failure of the Active instance and to failover to the Passive instance while minimizing downtime.
The advantages of an OracleAS Cold Failover Cluster configuration include:
Increased availability
If the active instance fails for any reason or must be taken offline, an identically configured passive instance is prepared to take over at any time.
Reduced operating costs
In an active-passive configuration only one set of processes is up and serving requests. Management of the active instance is generally less than managing an array of active instances.
Application independence
Some applications may not be suited to an active-active configuration. This may include applications which rely heavily on application state or on information stored locally. An active-passive configuration has only one instance serving requests at any particular time.
In general, the term OracleAS Cold Failover Cluster describes clustering at the Oracle Application Server instance level. However, if it is necessary to call out the specific type of instances being clustered, this document will use OracleAS Cold Failover Cluster (type) to characterize the cluster solution. For example
OracleAS Cold Failover Cluster (Identity Management)
OracleAS Cold Failover Cluster (Middle-Tier)
From the entry point of an Oracle Application Server system (content cache) to the back end layer (data sources), all the tiers that are crossed by a client request can be configured in a redundant manner either in an active-active configuration using OracleAS Clusters or in an active-passive configuration using OracleAS Cold Failover Clusters.
Oracle Application Server provides different features and topologies to support high availability across its stack. This includes solutions that extend across both the OracleAS middle-tier and the OracleAS Infrastructure tier.
This section describes the following high availability services in Oracle Application Server:
An Oracle Application Server instance consists of many different running processes to serve client requests. Ensuring high availability means ensuring that all these processes run smoothly, fulfill requests, and do not experience any unexpected hangs or failures.
The interdependency of these processes must also be managed so that they are brought up in the proper sequence, with processes starting up only after the processes that they are dependent on have started successfully.
Oracle Application Server provides high availability and management services at the process level with Oracle Process Manager and Notification Server (OPMN)
OPMN has the following capabilities:
Provides automatic death detection of Oracle Application Server processes.
Provides an integrated way to operate Oracle Application Server components.
Provides automatic restart of Oracle Application Server processes when they become unresponsive, terminate unexpectedly, or become unreachable as determined by ping and notification operations.
Channels all events from different Oracle Application Server component instances to all Oracle Application Server components that can utilize them.
Enables gathering of host and Oracle Application Server process statistics and tasks.
Does not depend on any other Oracle Application Server component being up and running before it can be started and used.
OPMN can be used to explicitly manage the following Oracle Application Server processes:
Oracle HTTP Server
Oracle Application Server Containers for J2EE
Distributed Configuration Management daemon
OracleAS Log Loader
OracleAS Guard (for disaster recovery)
Oracle Internet Directory
OracleAS Port Tunnel
OracleAS Web Cache
Oracle Business Intelligence Discoverer
OracleAS Wireless
In addition, OPMN implicitly manages any applications that rely on the above components. For example, any J2EE applications that run under OC4J are managed by OPMN.
OPMN is also extensible, providing the capability to add information about custom processes including load environment information, stopping procedures, and methods for death detection and restart.
Although OPMN can manage processes on a local Oracle Application Server instance, OPMN daemons running on different instances can also work together to provide distributed process management and control.
For example, a command issued on one machine can be used to start all processes or a specific process type across all local and remote Oracle Application Server instances.
OPMN consists of two major components:
Oracle Notification Server (ONS)
The ONS is the transport mechanism for failure, recovery, startup, and other related notifications between components in Oracle Application Server. It operates according to a publish-subscribe model: an Oracle Application Server component receives a notification of a certain type per its subscription to ONS. When such a notification is published, ONS sends it to the appropriate subscribers.
Oracle Process Manager (PM)
The PM is the centralized process management mechanism in Oracle Application Server and is used to manage Oracle Application Server processes. It is responsible for starting, restarting, stopping, and monitoring every process it manages. The PM handles all requests sent to OPMN associated with controlling a process or obtaining status about a process. The PM is also responsible for performing death-detection and automatic restart of the processes it manages. The Oracle Application Server processes that the PM is configured to manage are specified in a file named opmn.xml
. The PM waits for a user command to start specific or all processes. When a specific process or all processes are to be stopped, the PM receives a request as specified by the request parameters.
Managing and ensuring component high availability involves not only managing processes but also the configuration information for those processes both locally and across a set of Oracle Application Server instances.
Distributed Configuration Management (DCM) is a management framework that enables you to create and manage multiple Oracle Application Server instances as one. Multiple instances enable Oracle Application Server to handle large volumes of traffic reliably since the workload is distributed among the instances.
DCM enables you to:
keep a configuration synchronized across multiple Oracle Application Server instances
archive and restore versions of configurations
export and import configurations between Oracle Application Server instances and clusters
DCM enables you to archive, import and export, and synchronize the configurations of multiple OracleAS instances as if they were a single Oracle Application Server instance. To provide this management functionality, DCM keeps information about an Oracle Application Server instance's configuration in either a file-based or an Oracle database-based repository known as the OracleAS Metadata Repository.
The OracleAS Metadata Repository contains:
configuration files for Oracle HTTP Server, OC4J, OPMN, and OracleAS JAAS Provider components
deployed J2EE applications
information about the OPMN instance or OracleAS Cluster
With DCM, you can manage configuration information for the following Oracle Application Server components and applications:
Oracle HTTP Server
Oracle Application Server Containers for J2EE
Oracle Process Manager and Notification Server
Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider
J2EE applications
The configuration information for each of these components is stored in the metadata repository for each OracleAS instance. Once an OracleAS instance is managed by DCM, configuration information can then be:
archived for future use
restored locally from a previous archive
replicated to another OracleAS instance to provide configuration synchronization across a cluster of OracleAS instances
Oracle's Distributed Configuration Management tool, dcmctl
, enables synchronization of configuration information across a cluster of OracleAS instances. This includes the ability to deploy new J2EE applications on one instance of the cluster and then have the same application automatically deployed by each member of the cluster.
Once an application has been deployed in this way, any instance in the cluster can then receive and serve requests for that application.
One of the advantages of a distributed application is the ability to set up multiple redundant processes that can all serve the same requests. In the event that one of these application processes becomes unavailable, another application process can service the request.
Some applications may require Oracle Application Server to maintain stateful information across consecutive requests. In order to provide transparent failover of these requests, it is necessary to recreate this application state across multiple processes. Oracle Application Server enables the replication of state in J2EE applications through OracleAS Cluster (OC4J). In an OracleAS Cluster (OC4J), several processes work together to deliver the same J2EE application and replicate the state created by it. This enables the transparent failover of requests between the participants in the cluster. Two different types of state are typically maintained in a J2EE application: HTTP session state (updated by servlets and JSPs) and stateful session EJB state (updated by stateful session EJB instances). OracleAS Cluster (OC4J) enables the replication of both.
See Also: The OC4J Clustering chapter in the Oracle Application Server Containers for J2EE User's Guide. |
Load balancing involves the ability to distribute requests among two or more processes.
Features of a software or hardware external load balancer includes:
load balancing algorithm
A rule or set of rules for how to allocate requests across the different instances. The most common load balancing algorithms include simple round-robin or assignment based on some weighted property of the instance such as the response time or capacity of that instance relative to other instances.
death detection
The ability to recognize failed requests to one or more instances, and additionally, the ability to mark those instances as inactive so that no further requests will be forwarded to them.
Different load balancing mechanisms are provided to communicate the components in an Oracle Application Server system. Load balancing takes place:
from Oracle Application Server Web Cache to Oracle HTTP Servers
from Oracle HTTP Servers to OC4J processes for J2EE applications
from Oracle HTTP Servers to the database for PLSQL applications
intra OC4J processes from the presentation layer components (servlets and JSPs) to the business layer components (EJBs)
from OC4J processes to databases
All sub-tiers in Oracle Application Server are enabled to manage failures in the connections that they establish with the next tier as follows:
Connections established from OracleAS Web Cache to Oracle HTTP Servers: OracleAS Web Cache detects failures in the replies returned by Oracle HTTP Servers and routes the new requests to the available Oracle HTTP Servers.
Connections established from Oracle HTTP Servers to OC4J processes: Oracle HTTP Server maintains a routing table of available OC4J processes and routes new requests only to those OC4J processes that are up an running.
Connections established from Oracle HTTP Servers to databases: mod_plsql detects failures in the database and routes requests to the available database nodes.
Connections established between OC4J processes: OC4J detects failures in the RMI invocations to the EJB tier and fails communication over to available EJB nodes.
Connections established between OC4J processes and databases: OC4J drivers are enabled to detect failures of database nodes and re-route requests to available nodes.
To load balance requests among many Oracle Application Server instances in an active-active configuration, Oracle recommends the use of an external load balancer.
When several Oracle Application Server instances are grouped to work together, they present themselves as a single virtual entry point to the system, which hides the multiple instance configuration. External load balancers can send requests to any application server instance in a cluster, as any instance can service any request. An administrator can raise the capacity of the system by introducing additional application server instances. These instances can be installed on separate nodes to allow for redundancy in case of node failure.
There are different types of external load balancers you can use with Oracle Application Server instances. Table 2-1 summarizes the different types.
Table 2-1 Types of External Load Balancers
External Load Balancer Requirements
Oracle does not provide external load balancers. You can get external load balancers from other companies.
To ensure that your external load balancer can work with Oracle Application Server, check that your external load balancer meets the requirements listed in Table 2-2.
Note that you may not need all the requirements listed in the table. The requirements for an external load balancer depend on the topology being considered, and on the Oracle Application Server components that are being load balanced.
Table 2-2 External Load Balancer Requirements
External Load Balancer Requirement | Description |
---|---|
A virtual server is a logical address created in a load balancer. The virtual server maps to a group of resources that are load balanced for a request. You need to be able to create virtual server names and ports on your load balancer, and the virtual server names and ports must meet the following requirements:
|
|
Persistence (sometimes called stickiness) refers to the load balancer's ability to establish an identifier for a connection and, based on that identifier, route all subsequent connections from the same client to the same destination host. Some components of Oracle Application Server use persistence or stickiness in an external load balancer. Here are some examples:
|
|
Resource monitoring / port monitoring / process failure detection |
You need to set up the external load balancer to detect service and node failures (through notification or some other means) and to stop directing non-Oracle Net traffic to the failed node. If your external load balancer has the ability to automatically detect failures, you should use it. For example, for OracleAS Cluster (Identity Management), specific components that the external load balancer should monitor are Oracle Internet Directory, OracleAS Single Sign-On, and Oracle Delegated Administration Services. To monitor these components, set up monitors for the following protocols:
These monitors should use the respective protocols to monitor the services. That is, use LDAP for the LDAP port, LDAP over SSL for the LDAP SSL port, and HTTP/HTTPS for the Oracle HTTP Server port. If your external load balancer does not offer these monitors, consult your external load balancer documentation for the best method of setting up the external load balancer to automatically stop routing incoming requests to a service that is unavailable. |
The load balancer should have the capability to perform network address translation (NAT) for traffic being routed from clients to the Oracle Application Server nodes. This is specifically required for OracleAS Portal deployments, where the load balancer should allow enabling NAT for requests originating from within the OracleAS Portal node to the load balancer virtual server (for example, requests such as Parallel Page Engine (PPE) loopbacks and cache invalidation requests). |
|
It is highly recommended that you configure the load balancer to be in fault-tolerant mode. |
|
Other |
It is highly recommended that you configure the load balancer virtual server to return immediately to the calling client when the backend services to which it forwards traffic are unavailable. This is preferred over the client disconnecting on its own after a timeout based on the TCP/IP settings on the client machine because the timeout may be set to a long period of time. |
Figure 2-1 depicts an example deployment of a hardware load balancing router with Oracle Application Server.
Figure 2-1 Example load balancing router deployment with Oracle Application Server
Load balancing improves scalability by providing an access point through which requests are routed to one of many available instances. Instances can be added to the group that the external load balancer serves to accommodate additional users.Load balancing improves availability by routing requests to the most available instances. If one instance goes down, or is particularly busy, the external load balancer can send requests to another active instance.
Protecting against the data loss of any system components is critical to maintaining a highly available environment. Regular, complete backups of all Oracle Application Server environment is recommended.
A complete Oracle Application Server environment backup includes:
A full backup of all files in the middle-tier Oracle homes (this includes Oracle software files and configuration files).
A full backup of all files in the OracleAS Infrastructure Oracle home (this includes Oracle software files and configuration files).
A complete cold backup of the OracleAS Metadata Repository.
A full backup of the Oracle system files on each host in your environment.
The most frequently changing critical files in an Oracle installation are configuration files and data files. Oracle provides the Oracle Application Server Backup and Recovery Tool (OracleAS Backup and Recovery Tool) to backup these configuration and data files.
The OracleAS Backup and Recovery Tool is a Perl script and associated configuration files. You can use this tool to backup and recover the following types of files:
configuration files in the middle-tier and OracleAS Infrastructure Oracle homes
OracleAS Metadata Repository files
The OracleAS Backup and Recovery Tool is installed by default whenever you install Oracle Application Server. The tool is installed in the $ORACLE_HOME/backup_restore
directory.
The OracleAS Backup and Recovery Tool supports the following installation types:
J2EE and Web Cache
Portal and Wireless
OracleAS Infrastructure (Identity Management and Metadata Repository)
OracleAS Infrastructure (Identity Management only)
OracleAS Infrastructure (Metadata Repository only)
OracleAS TopLink (standalone or installed into a OracleAS middle-tier Oracle home)
Oracle Application Server Integration Business Activity Monitoring
Oracle Content Management Software Development Kit
Disaster recovery refers to how a system can be recovered from catastrophic site failures caused by natural or unnatural disasters. Additionally, disaster recovery can also refer to how a system is managed for planned outages. For most disaster recovery situations, the solution involves replicating an entire site, not just pieces of hardware or subcomponents. This also applies to the Oracle Application Server Disaster Recovery (OracleAS Disaster Recovery) solution.
In the most common configuration, a standby site is created to mirror the production site. Under normal operation, the production site actively services client requests. The standby site is maintained to mirror the applications and content hosted by the production site.
OracleAS Guard automates the restoration of a production site on its corresponding standby site. To protect a complete Oracle Application Server environment from disasters, OracleAS Guard performs the following operations:
Instantiates the standby site: instantiates an Oracle Application Server standby farm that mirrors a primary farm.
Verifies configuration: verifies that a farm meets the requirements to be used as a standby farm for the corresponding primary farm.
Site synchronization: synchronizes the production and the standby sites.