Finding the origin of failed login attempts

This guide is intended to aid in establishing the origin of failed database login attempts. Most of the time these failed attempts are due to typos or outdated application configurations and are therefore not malicious, however due to default password management policies setting a limit on failed login attempts this often causes accounts to become locked out for legitimate users.

Note: An ACCOUNT_STATUS of "LOCKED" (in DBA_USERS) means the account was locked manually by the DBA, whereas "LOCKED(TIMED)" indicates the account was locked due to the number of failed login attempts being exceeded (as defined by FAILED_LOGIN_ATTEMPTS in the profile in effect for the user).

The following options are available for collecting information on the origin of failed connection attempts (in order of simplicity):

1. Using database auditing (if already enabled)

Caveat: This is the simplest method to determine the source of failed login attempts providing that auditing is already enabled on your database as the information has (probably) already been captured. However, if auditing is not enabled then doing so will require that the database be restarted, in which case this option is no longer the simplest!

Firstly, check to see whether auditing is enabled and set to "DB" (meaning the audit trail is written to a database table).

show parameter audit_trail

If not set, then you will need to enable auditing, restart the database and then enable auditing of unsucessful logins as follows:

audit session whenever not successful;

The audit records for unsuccessful logon attempts can then be found as follows:

col ntimestamp# for a30 heading "Timestamp"
col userid for a20 heading "Username"
col userhost for a15 heading "Machine"
col spare1 for a15 heading "OS User"
col comment$text for a80 heading "Details" wrap

select ntimestamp#, userid, userhost, spare1, comment$text from sys.aud$ where returncode=1017 order by 1;

Sample output:

Timestamp Username Machine OS User
------------------------------ -------------------- --------------- ---------------
Details
--------------------------------------------------------------------------------
08-DEC-14 12.39.42.945635 PM APPUSER unix_app_001 orafrms
Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.218.
64.44)(PORT=42293))

08-DEC-14 12.42.10.170957 PM APPUSER unix_app_001 orafrms
Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.218.
64.44)(PORT=48541))

Note: the USERHOST column is only populated with the Client Host machine name as of 10G, in earlier versions this was the Numeric instance ID for the Oracle instance from which the user is accessing the database in a RAC environment.

2. Use a trigger to capture additional information

The following trigger code can be used to gather additional information about unsuccessful login attempts and write them to the database alert log, it is recommended to integrate this code into an existing trigger if you already have a trigger for this triggering event.

CREATE OR REPLACE TRIGGER logon_denied_write_alertlog AFTER SERVERERROR ON DATABASE
DECLARE
 l_message varchar2(2000);
BEGIN
 -- ORA-1017: invalid username/password; logon denied
 IF (IS_SERVERERROR(1017)) THEN
 select 'Failed login attempt to the "'|| sys_context('USERENV' ,'AUTHENTICATED_IDENTITY') ||'" schema'
 || ' using ' || sys_context ('USERENV', 'AUTHENTICATION_TYPE') ||' authentication'
 || ' at ' || to_char(logon_time,'dd-MON-yy hh24:mi:ss' )
 || ' from ' || osuser ||'@'||machine ||' ['||nvl(sys_context ('USERENV', 'IP_ADDRESS'),'Unknown IP')||']'
 || ' via the "' ||program||'" program.'
 into l_message
 from sys .v_$session
 where sid = to_number(substr(dbms_session.unique_session_id,1 ,4), 'xxxx')
 and serial# = to_number(substr(dbms_session.unique_session_id,5 ,4), 'xxxx');
 
 -- write to alert log
 sys.dbms_system .ksdwrt( 2,l_message );
 END IF;
END;
/

Some sample output from the alert.log looks like:

Tue Jan 06 09:45:36 2015
Failed login attempt to the "appuser" schema using DATABASE authentication at 06-JAN-15 09:45:35 from orafrms@unix_app_001 [10.218.64.44] via the "frmweb@unix_app_001 (TNS V1-V3)" program.

3. Setting an event to generate trace files on unsuccessful login.

You can instruct the database to write a trace file whenever an unsuccessful login attempt is made by setting the following event (the example below will only set the event until the next time the database is restarted. Update your pfile or spfile accordingly if you want this to be permanent).

alter system set events '1017 trace name errorstack level 10';

Trace files will be generated in user_dump_dest whenever someone attempts to login using an invalid username / password. As the trace is requested at level 10 it will include a section labeled PROCESS STATE that includes trace information such as :

O/S info: user:orafrms, term: pts/15, ospid: 29959, machine:unix_app_001
program: frmweb@unix_app_001 (TNS V1-V3)
application name: frmweb@unix_app_001 (TNS V1-V3), hash value=0
last wait for 'SQL*Net message from client' blocking sess=0x0 seq=2 wait_time=5570 seconds since wait started=0

In this case it was an 'frmweb' client running as OS user 'orafrms' that started the client session. The section "Call Stack Trace" may aid support in further diagnosing the issue.

Note: If the OS user or program is 'oracle' the connection may originate from a Database Link.

4. Using SQL*Net tracing to gather information

A sqlnet trace can provide you with even more details about the connection attempt but use this only if none of the above are successful in determining the origin of the failed login as it will be hard to find what you are looking for if you enable sqlnet tracing (and it can potentially consume large amounts of disk space).

To enable SQL*Net tracing create or edit the server side sqlnet.ora file and add the following parameters:

# server side sqlnet trace parameters
trace_level_server = 16
trace_file_server=server
trace_directory_server = 

Implementing a Reverse Proxy Alone in a DMZ Configuration - 11i

In this Document
Abstract
History
Details
  Setting up the Virtually External 11i Node
  Step 1: Create a Home for the Virtually External 11i Tier
  Step 2: Create a new Context File for the Virtually External 11i Tier
  Step 3: Verify and Edit the Newly Created Context File
  Step 4: Instantiate the New Configuration Files Based on the New Context File
  Step 5: Finishing Steps
  Touring the New Environment
  Outstanding Issues
Summary
References
APPLIES TO:

Oracle Applications Technology Stack - Version 11.5.9 to 11.5.10.0 [Release 11.5]
Information in this document applies to any platform.
Checked for relevance on 28-SEP-2013
ABSTRACT

In the spirit of Note:364439.1, this whitepaper covers an example of an actual implementation of the complex "Reverse Proxy with No External Web Tier" configuration as described in Note:287176.1, sections 2.4 and 5.5.3.

Recommended prerequisites:
   Note:287176.1 provides a technical overview of supported DMZ topologies
   Note:364439.1 provides troubleshooting scripts, tips, and technical background information




HISTORY

Author : Dan Collier
Create Date 08-MAY-2007
Update Date 16-JUL-2008
Expire Date distant future

DETAILS

Setting up the Virtually External 11i Node

Upgrading from a simple single-tier or even multiple tier environment to a DMZ or other advanced topology is extremely difficult without some sort of preconceived plan in writing. When requesting support for an advanced configuration, customers should expect that a request for a topology diagram will be made before any advice beyond the generic can be offered. The "Reverse Proxy Alone in the DMZ" topology is no exception.

As always, the drawing should show each machine that is part of the instance, to include each server, firewall, and hardware load balancer (if any) with each described by their name, alias (if any), IP address, and the type of node installed (database, apache, forms, etc.) with appropriate version information. In general, the drawing should look something like those featured in Note:287176.1 and the top of 364439.1 with appropriate labels specific to the customer configuration. The problems most often faced are configuration related and it is not possible to know from the traces and configuration files where the functionality goes awry without a previous understanding of what it should look like. When troubleshooting, we start with the drawing and confirm that the various configuration parameters match the drawing.

In the above conceptual drawing, the classic DMZ configuration is split. Within the DMZ there is only the reverse proxy server, while within the internal network a single server makes use of the shared APPL_TOP and shared ORACLE_HOME technology to host and effectively perform the functions of both the internal as well as the external web tier.

The internal web tier should already have an entry in the fnd_nodes table with the IP address of the server itself. The virtually external web tier will be registered in the fnd_nodes table with the IP address of the reverse proxy server by using the new autoconfig variable s_server_ip_address. In this case, the term "virtually external" is used to denote the fact that the external web node, in common DMZ nomenclature, is physically located on the internal server within the internal network while appearing to Internet users to be a standalone, external server in the DMZ.

For background information on the use of shared ORACLE_HOME and shared APPL_TOP technology beyond this special case, see the following notes:

Note 233428.1 - Sharing the Application Tier File System in Oracle E-Business Suite 11i
Note 243880.1 - Frequently Asked Questions Sharing the Application Tier File System in Oracle Applications 11i

The virtually external 11i tier will still be run as the same applmgr user as the internal tier on this same server. Attempting to do this as another operating system user is difficult. Normally a shared APPL_TOP gets its permissions via an NFS share rule, but we won't be sharing via NFS in this case; the shared architecture of Note:287176.1/Section 2.4 is a clever derivation of this. For this virtually external 11i tier I created a config directory ahead of time. In a normal, shared environment this would be on a separate server, but in this case, it is on this same server. Second, my "reverse proxy" is generically named "external" for this exercise.

Step 1: Create a Home for the Virtually External 11i Tier

When using a shared filesystem, as covered by the referenced notes, not everything is shared. For example, the new node will need to have its own autoconfig context file, environment files, and configuration files. Where you choose to put these is a matter of personal choice; just keep it tidy. For example, when using Rapid Install to install an application node with a shared APPL_TOP, the node specific files install into $COMMON_TOP/conf by default. In my case, the config directory I created and specified is: /space/virtualext

Step 2: Create a new Context File for the Virtually External 11i Tier

Using the cloning script adclonectx.pl and my example of a config directory, the command syntax is simply (all on one line):

perl adclonectx.pl contextfile=/space/v115cu2/viscappl/admin/VISC_dcollierpc8.xml outfile=/space/virtualext/VISC_external.xml

 In my case, the key questions from adclonectx.pl and my answers were:

Provide the values required for creation of the new APPL_TOP Context file.
Do you want to use a virtual hostname for the target node (y/n) [n] ?:y
Target hostname [dcollierpc8]:external

I took the default for essentially all of the other questions. This is important to do since this is not a normal clone. In this case, you definitely do want to use the same port pool as prompted by the adclonectx.pl script. Unlike a typical clone, you are not going to clone the database. You will be using the same database as the existing web tier.

When adclonectx.pl finished, it said:

The new APPL_TOP context file has been created :
/space/virtualext/VISC_external.xml


Step 3: Verify and Edit the Newly Created Context File

In my case, I found that all of the s_isXXX variables were NO, and therefore changed them appropriately:

For example:

YES
YES

These variables indicate that this new tier will be a Web node. Optionally, I could also specify "YES" for "s_isForms" and "s_isFormsDev" if I wanted this to be a forms node as well.

Then, in the section, pick new ports that don't conflict with the existing web server and specify them with the following variables:

s_webport
s_webport_pls
s_oprocmgr_port

Having to change these variables manually is a side effect of keeping the port pool in step 2. If you had chosen a different port pool, then you'd have to change close to a dozen variables to point back to the existing database.

Please note that the Java Object Cache Port value must remain same on all application context files.
Then, much like 287176.1 says, set:

3a. s_webentryhost - to the reverse proxy server hostname

3b. s_webentrydomain - to the domain name of the reverse proxy server

3c. s_active_webport - to the reverse proxy listener port

3d. s_webentryurlprotocol - to the reverse proxy's protocol e.g. "http" or "https"

3e. s_login_page - to the values you specified above for
://.: 

For example: https://external.somecompany.com:443

3f. s_fnd_secure - confirm that this does not point to the same directory as the existing web node. This variable specifies the location of the node's DBC file.

For example: /space/v115cu2/viscappl/fnd/11/5/0/secure/VISC_external

3g. s_server_ip_address - to the IP address of the reverse proxy server. This is critical because this will be used to register this virtually external 11i tier in the fnd_nodes table. You need this node to be in the fnd_nodes table so that you can later select it when specifying node_trust_level in the remainder of the DMZ configuration.

Step 4: Instantiate the New Configuration Files Based on the New Context File

Execute the shared oracle home configuration script ( txkSOHM.pl ) to instantiate the required http server configuration files into the configuration home directory you created in step 1:

cd $FND_TOP/patch/115/bin
perl -I $AU_TOP/perl txkSOHM.pl

The "8.0.6 Shared Oracle Home" is just "$ORACLE_HOME" of the applmgr environment. Similarly, the "iAS Shared Oracle Home" is just "$IAS_ORACLE_HOME". Here's how I answered the questions txkSOHM.pl asked:

Absolute path of Application's Context XML file : /space/virtualext/VISC_external.xml

Type of Instance [primary/secondary] : secondary

Absolute path of 8.0.6 Shared Oracle Home : /space/v115cu2/viscora/8.0.6

Absolute path of iAS Shared Oracle Home : /space/v115cu2/viscora/iAS

Absolute path of config top : /space/virtualext



Step 5: Finishing Steps

The script txkSOHM.pl ends with a run of autoconfig. This creates a new scripts directory under the $COMMON_TOP such as the following:

appv512:dcpc8:/space/v115cu2/visccomn/admin/scripts> ls -l

drwxr-xr-x 2 appv512 dba 4096 Mar 30 18:39 VISC_dcollierpc8
drwxr-xr-x 2 appv512 dba 4096 Mar 30 18:35 VISC_external

In this example, VISC_dcollierpc8 is from my original, internal tier. VISC_external is the newly created directory for the virtually external 11i tier. You can start this new tier with the included adapcctl.sh script and it will listen on the port you told it to listen on. This port should be the same port that your reverse proxy server proxies to.

Touring the New Environment

In the existing, now shared, APPL_TOP/admin we have new environment files (Jun30):

appv512:dcpc8:/space/v115cu2/viscappl> cd $APPL_TOP
appv512:dcpc8:/space/v115cu2/viscappl> ls -lrt *.env
-rw-r--r-- 1 appv512 dba  1025 Jun 16 14:03 APPSVISC_dcollierpc8.env
-rw-r--r-- 1 appv512 dba 10674 Jun 16 14:03 VISC_dcollierpc8.env
-rw-r--r-- 1 appv512 dba  1008 Jun 30 13:53 APPSVISC_external.env
-rw-r--r-- 1 appv512 dba  1008 Jun 30 13:53 APPSORA.env
-rw-r--r-- 1 appv512 dba 10614 Jun 30 13:53 VISC_external.env
-rw-r--r-- 1 appv512 dba 10614 Jun 30 13:53 VISC.env

Sourcing the sid_server env file sets the environment for the virtually external tier so that we can wander around. This is otherwise unnecessary since the new scripts in the new scripts directory source them automatically.

appv512:dcpc8:/space/v115cu2/viscappl> . ./VISC_external.env

After this, a simple grep of the environment shows a number of useful environment variables (edited for content):

appv512:dcpc8:/space/v115cu2/viscappl> env | grep ext
APPLOUT=out/VISC_external
APPLLOG=log/VISC_external
APPLRGF=/space/v115cu2/visccomn/rgf/VISC_external
IAS_CONFIG_HOME=/space/virtualext/iAS
TOOLS_CONFIG_HOME=/space/virtualext/8.0.6
FND_SECURE=/space/v115cu2/viscappl/fnd/11.5.0/secure/VISC_external
CONTEXT_NAME=VISC_external
FORMS60_RTI_DIR=/space/v115cu2/visccomn/admin/log/VISC_external
APPLFENV=VISC_external.env
CONTEXT_FILE=/space/virtualext/VISC_external.xml

In the new configuration directory we indeed have the directories indicated by IAS_CONFIG_HOME and TOOLS_CONFIG_HOME:

appv512:dcpc8:/space/virtualext> ls -l
total 364
drwxr-xr-x 7 appv512 dba  4096 Jun 8  19:10 8.0.6
drwxr-xr-x 6 appv512 dba  4096 Jun 8  19:10 iAS
-rw-r--r-- 1 appv512 dba 82812 Jun 30 13:58 VISC_external.xml

Beneath the iAS directory (aka IAS_CONFIG_HOME) are the Apache and Jserv log files of the now running virtually external tier. For example:

appv512:dcpc8:.../visccomn/admin/scripts/VISC_external> cd $IAS_CONFIG_HOME
appv512:dcpc8:/space/virtualext/iAS> cd Apache/Apache/logs
appv512:dcpc8:/space/virtualext/iAS/Apache/Apache/logs> ls -l

-rw-r--r-- 1 appv512 dba 657 Jul 5 18:25 access_log.1183680000
-rw-r--r-- 1 appv512 dba 205 Jul 5 18:25 error_log
-rw-r--r-- 1 appv512 dba 205 Jul 5 18:25 error_log_pls
-rw-r--r-- 1 appv512 dba 5   Jul 5 18:25 httpd.pid
-rw-r--r-- 1 appv512 dba 5   Jul 5 18:25 httpd_pls.pid
-rwxr-xr-x 1 appv512 dba 0   Jul 5 18:25 opm_sys_mtx.pid.8606
-rw-r--r-- 1 appv512 dba 0   Jul 5 18:25 rewrite.lock
-rw-r--r-- 1 appv512 dba 0   Jul 5 18:25 rewrite.log
-rw------- 1 appv512 dba 0   Jul 5 18:25 sec_audit.log
-rw------- 1 appv512 dba 0   Jul 5 18:25 sec_debug.log

For more information on troubleshooting Apache/Jserv, see Note 230688.1.

Outstanding Issues

1. ORA-1422 During Login and Certain Other Navigations Due to Duplicate Webhost Entries

While most customers will not have this problem, I have personally encountered three instances where the login (in two cases) or the navigation to a particular responsibility (in one case) results in an error message that is best detailed in the access_log entry like the following:

10.1.2.3 - - [31/Oct/2007:12:09:07 -0400]
             "GET /OA_HTML/AppsLocalLogin.jsp?
              requestUrl=APPSHOMEPAGE
              &cancelUrl=http%3A%2F%2Fsomeserver.domain.com
              %3A8000%2Foa_servlets
              %2Foracle.apps.fnd.sso.AppsLogin
              &langCode=US
              &errText=Please+contact+the+Web+Master+or+System+Administrator.
              +ORA-01422%3A+exact+fetch+returns+more+than+requested+number+of+rows%0A
              &username=SYSADMIN
              &s1=....
              HTTP/1.1" 200 6189

In this case, the ORA-1422 of the errText is thrown because the fnd_nodes.webhost column has the same value for both the internal tier and the virtually external tier. The immediate workaround is to update the fnd_nodes.webhost column to equal the fnd_nodes.node_name + the fnd_nodes.domain.

The fnd_nodes query from Note 364439.1 illustrates this clearly, below. Notice that the external server (literally named EXTERNAL) has the same webhost value as the internal server (DCOLLIERPC8):

NODE_NAME       DOMAIN        WEBHOST
--------------- ------------- ---------------
DCOLLIER10G     oracle.com    dcollier10g.oracle.com
AUTHENTICATION  SECURE *
DCOLLIERPC8     oracle.com    dcollierpc8.oracle.com
EXTERNAL        oracle.com    dcollierpc8.oracle.com

The current workaround is to update the table, as in the following example, from sqlplus as apps:

update fnd_nodes
set webhost = 'external.oracle.com'
where upper(node_name) = 'EXTERNAL';

2. The OACoreGroup JVM Fails to Bind to Port xxx Because it is on Another Server

This too is a very rare occurance, but some customers are reporting that their s_webhost AutoConfig variable, after running adclonectx.pl, has the name of their reverse proxy server when it should have the proper hostname of the internal web node. Left alone, this leads to the following problem in the jserv.log when starting apache and prevents logins by preventing the JVMs from starting:

Excerpt of jserv.log with debug enabled as described in Note 230688.1:

[05/10/2007 17:44:59:619 PKT] ApacheJServ/1.1.2 is starting... 
[05/10/2007 17:44:59:619 PKT] using confFile /apps11i/external/iAS/Apache/Jserv/etc/jserv.properties 
[05/10/2007 17:44:59:745 PKT] Connection authentication enabled 
[05/10/2007 17:44:59:775 PKT] Connection allowed from /127.0.0.1 
[05/10/2007 17:44:59:778 PKT] Connection allowed from someserver.domain.com/10.1.2.3 
[05/10/2007 17:44:59:779 PKT] port 16000 is specified in properties file 
[05/10/2007 17:44:59:780 PKT] port 16001 is specified in properties file 
...
[05/10/2007 17:44:59:786 PKT] try to start on port 16000 
[05/10/2007 17:44:59:791 PKT] cannot create socket on 16000 
[05/10/2007 17:44:59:792 PKT] try to start on port 16001 
[05/10/2007 17:44:59:795 PKT] cannot create socket on 16001 
...
[05/10/2007 17:44:59:807 PKT]  
ApacheJServ/1.1.2: Failed to bind to port(s) specified in /apps11i/external/iAS/Apache/Jserv/etc/jserv.properties. Please check /apps11i/external/iAS/Apache/Jserv/etc/jserv.properties and jserv.conf file, and make sure number of JServ process specified in jserv.conf is less than number of ports specified in /apps11i/external/iAS/Apache/Jserv/etc/jserv.properties. and the ports are not used by other processes.

The typical solution for this type of problem is to use tools such as lsof and netstat to determine if the ports are free, but in this case the problem is that the autoconfig variable s_webhost refers to the reverse proxy server and this causes the BindAddress specified in the jserv.properties to also indicate the name of the reverse proxy server. This is clearly wrong because it results in the Apache mod_jserv on the web tier to try and bind to ports on the reverse proxy machine and quickly fail.

The solution is simply to set the AutoConfig variable s_webhost, in the context file for the virtually external tier, to the same s_webhost used in the internal web node's context file on this same machine. Then, run AutoConfig for the virtually external tier.



SUMMARY

This note is the second of a currently three part series of DMZ troubleshooting notes and provides a crisp walkthrough of an actual implementation of the complex "Reverse Proxy with No External Web Tier" configuration as described in Note 287176.1, sections 2.4 and 5.5.3.

High Redo Log Generation

 output of below. Upload the file /tmp/logswitch.html 

spool /tmp/logswitch.html 
set markup html on 
set echo on 
set pagesize 30; 

select systimestamp from dual; 
select * from v$version; 
select * from v$instance_recovery; 
select OPTIMAL_LOGFILE_SIZE from v$instance_recovery; 


show parameter log_buffer; 
show parameter log_checkpoint_interval; 
show parameter log_checkpoint_timeout; 
show parameter fast_start_mttr_target; 
show parameter archive_lag_target; 
select name,LOG_MODE,FORCE_LOGGING,SUPPLEMENTAL_LOG_DATA_MIN from v$database; 

select name from v$controlfile; 
Select * from v$log; 
Select * from v$logfile; 

select lg.group#,lg.bytes/1024/1024 mb, lg.status, lg.archived,lf.member 
from v$logfile lf, v$log lg 
where lg.group# = lf.group# 
order by 1, 2; 

select to_char(first_time,'YYYY-MON-DD') "Date", to_char(first_time,'DY') day, 
to_char(sum(decode(to_char(first_time,'HH24'),'00',1,0)),'999') "00", 
to_char(sum(decode(to_char(first_time,'HH24'),'01',1,0)),'999') "01", 
to_char(sum(decode(to_char(first_time,'HH24'),'02',1,0)),'999') "02", 
to_char(sum(decode(to_char(first_time,'HH24'),'03',1,0)),'999') "03", 
to_char(sum(decode(to_char(first_time,'HH24'),'04',1,0)),'999') "04", 
to_char(sum(decode(to_char(first_time,'HH24'),'05',1,0)),'999') "05", 
to_char(sum(decode(to_char(first_time,'HH24'),'06',1,0)),'999') "06", 
to_char(sum(decode(to_char(first_time,'HH24'),'07',1,0)),'999') "07", 
to_char(sum(decode(to_char(first_time,'HH24'),'08',1,0)),'999') "08", 
to_char(sum(decode(to_char(first_time,'HH24'),'09',1,0)),'999') "09", 
to_char(sum(decode(to_char(first_time,'HH24'),'10',1,0)),'999') "10", 
to_char(sum(decode(to_char(first_time,'HH24'),'11',1,0)),'999') "11", 
to_char(sum(decode(to_char(first_time,'HH24'),'12',1,0)),'999') "12", 
to_char(sum(decode(to_char(first_time,'HH24'),'13',1,0)),'999') "13", 
to_char(sum(decode(to_char(first_time,'HH24'),'14',1,0)),'999') "14", 
to_char(sum(decode(to_char(first_time,'HH24'),'15',1,0)),'999') "15", 
to_char(sum(decode(to_char(first_time,'HH24'),'16',1,0)),'999') "16", 
to_char(sum(decode(to_char(first_time,'HH24'),'17',1,0)),'999') "17", 
to_char(sum(decode(to_char(first_time,'HH24'),'18',1,0)),'999') "18", 
to_char(sum(decode(to_char(first_time,'HH24'),'19',1,0)),'999') "19", 
to_char(sum(decode(to_char(first_time,'HH24'),'20',1,0)),'999') "20", 
to_char(sum(decode(to_char(first_time,'HH24'),'21',1,0)),'999') "21", 
to_char(sum(decode(to_char(first_time,'HH24'),'22',1,0)),'999') "22", 
to_char(sum(decode(to_char(first_time,'HH24'),'23',1,0)),'999') "23" , 
count(*) Total 
from v$log_history 
group by to_char(first_time,'YYYY-MON-DD'), to_char(first_time,'DY') 
order by to_date(to_char(first_time,'YYYY-MON-DD'),'YYYY-MON-DD') 
/ 
select to_char(COMPLETION_TIME,'DD/MON/YYYY') Day, 
trunc(sum(blocks*block_size)/1048576/1024,2) "Size(GB)",count(sequence#) "Total Archives" 
from 
(select distinct sequence#,thread#,COMPLETION_TIME,blocks,block_size from v$archived_log) 
group by to_char(COMPLETION_TIME,'DD/MON/YYYY') 
order by to_date(to_char(COMPLETION_TIME,'DD/MON/YYYY'),'DD/MON/YYYY') 
; 

set markup html off 
spool off

ENABLE ARCHIVE LOG - RAC

Enable archive

Step1 : disable rac cluster
alter system set cluster_database=false scope=spfile

Step :2 : Stop the databse
srvctl stop database -d prod

Step :3 : disable the archive logs
sqlplus "/as sysdba"

Step :4: Startup the database mount mode manually
startup mount

alter database archivelog;

Step :5 : Enable RAC cluster
alter system set cluster_database=true scope=spfile

Step :6 : check archive log disable
archive log list

it should as

Database log mode              No Archive Mode
Automatic archival             Disabled

Step :7 : Shutdown database Manually
Shutdown immediate

Step :8 : Start the database with crs command
srvctl start database -d prod

RMAN Hot backp script

rman target / log /backup/prod/hot_bkp_12sep16/db/hot_bkp_12Sep2016.log
run{
ALLOCATE CHANNEL ch00 TYPE DISK;
ALLOCATE CHANNEL ch01 TYPE DISK;
ALLOCATE CHANNEL ch02 TYPE DISK;
ALLOCATE CHANNEL ch03 TYPE DISK;
ALLOCATE CHANNEL ch04 TYPE DISK;
ALLOCATE CHANNEL ch05 TYPE DISK;
ALLOCATE CHANNEL ch06 TYPE DISK;
ALLOCATE CHANNEL ch07 TYPE DISK;
ALLOCATE CHANNEL ch08 TYPE DISK;
ALLOCATE CHANNEL ch09 TYPE DISK;
BACKUP AS COMPRESSED BACKUPSET
   FORMAT '/backup/prod/hot_bkp_12sep16/db/%d_db_u%u_s%s_p%p_t%t_db'    
  FILESPERSET 10
   TAG 'prod_HOT'
   DATABASE;
RELEASE CHANNEL ch00;
RELEASE CHANNEL ch01;
RELEASE CHANNEL ch02;
RELEASE CHANNEL ch03;
RELEASE CHANNEL ch04;
RELEASE CHANNEL ch05;
RELEASE CHANNEL ch06;
RELEASE CHANNEL ch07;
RELEASE CHANNEL ch08;
RELEASE CHANNEL ch09;
}
run{
ALLOCATE CHANNEL ch00 TYPE DISK;
BACKUP FORMAT '/backup/prod/hot_bkp_12sep16/db/%d_db_u%u_s%s_p%p_t%t_db_ctrlfile' TAG 'prod_ctrl' CURRENT CONTROLFILE;
RELEASE CHANNEL ch00;
}
exit;

RMAN-06059: expected archived log not found

RMAN-06059: expected archived log not found, loss of archived log compromises recoverability
Published 2 years ago by Jignesh Jethwa
Oracle 11g Logo
While RMAN full backup, today i have encountered “RMAN-06059: expected archived log not found, loss of archived log compromises recoverability”



RMAN error.
Solution for the mentioned error is to Crosscheck your archive logs from RMAN prompt and delete those expired logs who are not needed anymore.

While crosscheck archivelogs, RMAN will marked archives as Expired in his repository (i.e. controlfile or catalog) those who are not physically present there. So we can easily delete expired archives from controlfile or catalog repository.

Error log:

RMAN> RUN
 2> {
 3> ALLOCATE CHANNEL backup1 DEVICE TYPE DISK FORMAT 'Z:\RMAN\%U';
 4> BACKUP DATABASE PLUS ARCHIVELOG;
 5> }
using target database control file instead of recovery catalog
 allocated channel: backup1
 channel backup1: SID=70 device type=DISK
Starting backup at 10-SEP-14
 current log archived
 released channel: backup1
 RMAN-00571: ===========================================================
 RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
 RMAN-00571: ===========================================================
 RMAN-03002: failure of backup plus archivelog command at 09/10/2014 18:22:35
 RMAN-06059: expected archived log not found, loss of archived log compromises recoverability
 ORA-19625: error identifying file E:\ORACLE\--ORACLE_SID--\ORAARCH\1_35338_778192583.DBF
 ORA-27041: unable to open file
 OSD-04002: unable to open file
 O/S-Error: (OS 2) The system cannot find the file specified.


SOlution


RMAN> CROSSCHECK ARCHIVELOG ALL;
Above command will give information of expired RMAN repository after verification. (i.e. in catalog or controlfile)
Above will marked archives as Expired who are not available physically and who are not required for any kind of recovery..

RMAN> DELETE EXPIRED ARCHIVELOG ALL;
Above command will delete all archive logs who are marked as expired while crosscheck.

Enabling Archive Logs in a RAC Environment

1. Login to one of the nodes (i.e. racnode1) and disable the cluster instance parameter by setting cluster_database to FALSE from the current instance:

   $ sqlplus "/ as sysdba" SQL> alter system set cluster_database=false scope=spfile sid='racdb1';

2. Shutdown all instances accessing the clustered database:

   $ srvctl stop database -d racdb

3. Using the local instance, MOUNT the database:

   $ sqlplus "/ as sysdba" SQL> startup mount

4. Enable archiving:

   SQL> alter database archivelog;

5. Re-enable support for clustering by modifying the instance parameter cluster_database to TRUE from the current instance:

   SQL> alter system set cluster_database=true scope=spfile sid='racdb1';

6. Shutdown the local instance:

   SQL> shutdown immediate

7. Bring all instance back up using srvctl:

   $ srvctl start database -d racdb

8. (Optional) Bring any services (i.e. TAF) back up using srvctl:

   $ srvctl start service -d racdb

9. Login to the local instance and verify Archive Log Mode is enabled:

   $ sqlplus "/ as sysdba" SQL> archive log list Database log mode Archive Mode Automatic archival Enabled Archive destination USE_DB_RECOVERY_FILE_DEST Oldest online log sequence 83 Next log sequence to archive 84 Current log sequence 84

After enabling Archive Log Mode, each instance in the RAC configuration can automatically archive redologs!

oradism not set up correctly", When Setting SGA_MAX_SIZE

WARNING: "oradism not set up correctly", When Setting SGA_MAX_SIZE (Doc ID 374367.1) To BottomTo Bottom

Oracle Database - Enterprise Edition - Version 9.2.0.4 and later
Oracle Solaris on SPARC (64-bit)
Oracle Solaris on x86-64 (64-bit)
***Checked for relevance on 07-Apr-2015***
SYMPTOMS

On Solaris platform, after enabling Automatic SGA Management (ASMM) and setting SGA_MAX_SIZE, when restarting the database, an oradism warning appears in the alert log.
The instance starts and the shared_pool_size can be changed with an alter system command.

WARNING: oradism not set up correctly.
Dynamic ISM can not be locked. Please
setup oradism, or unset sga_max_size.
[diagnostic 0, 16, 1001]
Symptoms can also include higher kernel cpu usage.

CAUSE

The real problem was with the oradism executable itself.

The oradism executable cannot have 755 (rwx-r-x-r-x) permissions, and should be owned by root like other executables in the $ORACLE_HOME/bin directory.

The permissions for oradism must be 4750 with the SetUID bit for the owner, e.g. for 11.2:

-rwsr-x--- 1 root root 1340408 Nov 17 23:05 oradism*


SOLUTION

The preferred method to set the proper permissions is to run the root.sh script as root user. This is typically done at installation time.

However, you can change the permissions as described below.

Note that some customers reported problems with the below steps. Check that you have sufficient swap configured. If swap is not sufficient, the oradism configuration can cause a crash on the box.

cd $ORACLE_HOME/bin
chown root oradism
chmod 4750 oradism
bounce the database
The oradism warning does not appear in the alert log after the permissions are changed.

Please note that this problem is restricted to Solaris only. This is not generic issue

How to recover Physical Standby database if it goes out of sync J

 How to recover Physical Standby database if it goes out of sync J
 (Missing log Archive log flies)

 

 

When you are using Data guard, there are several scenarios when physical standby can go out of sync with the primary database.

 

Before doing anything to correct the problem, we need to verify that why standby is not in sync with the primary. In this particular article, we are covering the scenario where a log is missing from the standby but apart from the missing log, all logs are available.

Verify from v$archived_log that there is a gap in the sequence number. All the logs up to that gap should have APPLIED=YES and all the sequence# after the missing log sequence# are APPLIED=NO. This means that due to the missing log, MRP is not applying the logs on standby but the logs are still being transmitted to the standby and are available.

SQL> SELECT SEQUENCE#, APPLIED FROM V$ARCHIVED_LOG;

So for example, if the missing log sequence# is 400, then the above query should show that up to sequence#399, all have APPLIED=YES and starting from 401, all are APPLIED=NO.

There are few steps to be performed when the standby is not in sync with the primary because there is a gap of logs on standby.

These steps are:

STEP #1: Take an incremental backup of primary from the SCN where standby is lagging behind and apply on the standby server

STEP #2: If step#1 is not able to sync up, then re-create the controlfile of standby database from the primary….

STEP #3: If after step#2, you still find that logs are not being applied on the standby, check the alert log and you may need to re-register the logs with the standby    .

STEP#1

1. On STANDBY database query the v$database view and record the current SCN of the standby database:

SQL> SELECT CURRENT_SCN FROM V$DATABASE;

CURRENT_SCN
-----------
1.3945E+10

SQL> SELECT TO_CHAR (CURRENT_SCN) FROM V$DATABASE;

----------------------------------------
13945141914

2. Stop Redo Apply on the standby database:

SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL;

ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL

*

ERROR at line 1:

ORA-16136: Managed Standby Recovery not active

If you see the above error, it means Managed Recovery is already off

You can also confirm from the view v$managed_standby to see if the MRP is running or not

SQL> SELECT PROCESS, STATUS FROM V$MANAGED_STANDBY;

3. Connect to the primary database as the RMAN target and create an incremental backup from the current SCN of the standby database that was recorded in step 1:

For example,

BACKUP INCREMENTAL FROM SCN 13945141914 DATABASE FORMAT '/tmp/ForStandby_%U' tag 'FOR STANDBY'

You can choose a location other than /tmp also.

4. Do a recovery of the standby database using the incremental backup of primary taken above:

On the Standby server, without connecting to recovery catalog, catalog the backupset of the incremental backup taken above. Before this, of course you need to copy the backup piece of the incremental backup taken above to a location accessible to standby serve

$ rman nocatalog target /

RMAN> CATALOG BACKUPPIECE '/dump/proddb/inc_bkup/ForStandby_1qjm8jn2_1_1';

Now in the same session, start the recovery

RMAN> RECOVER DATABASE NOREDO;

You should see something like:

Starting recover at 2008-09-17 04:59:57
allocated channel: ORA_DISK_1
channel ORA_DISK_1: sid=309 devtype=DISK
channel ORA_DISK_1: starting incremental datafile backupset restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
....
..
..
.
channel ORA_DISK_1: reading from backup piece /dump/proddb/inc_bkup/ForStandby_1qjm8jn2_1_1
channel ORA_DISK_1: restored backup piece 1
piece handle=/dump/proddb/inc_bkup/ForStandby_1qjm8jn2_1_1 tag=FOR STANDBY
channel ORA_DISK_1: restore complete, elapsed time: 01:53:08
Finished recover at 2008-07-25 05:20:3

Delete the backup set from standby:

RMAN> DELETE BACKUP TAG 'FOR STANDBY';

using channel ORA_DISK_1
List of Backup Pieces

BP Key  BS Key  Pc# Cp# Status      Device Type Piece Name
------- ------- --- --- ----------- ----------- ----------
17713   17713   1   1   AVAILABLE   DISK        /dump/proddb/inc_bkup/ForStandby_1qjm8jn2_1_1

Do you really want to delete the above objects (enter YES or NO)? YE

deleted backup piece

backup piece handle=/dump/proddb/inc_bkup/ForStandby_1qjm8jn2_1_1 recid=17713 stamp=660972421

Deleted 1 objects

5. Try to start the managed recovery.

ALTER DATABASE RECOVER MANAGED STANDBY DATABASE USING CURRENT LOGFILE DISCONNECT FROM SESSION;

If you get an error here, you need to go to STEP#2 for bringing standby in sync.

If no error, then using the view v$managed_standby, verify that MRP process is started and has the status APPLYING_LOGS.

6. After this, check whether the logs are being applied on the standby or not:

SQL> SELECT SEQUENCE#, APPLIED FROM V$ARCHIVED_LOG;

After doing a recovery using the incremental backup, you will not see the sequence#'s which were visible earlier with APPLIED=NO because they have been absorbed as part of the incremental backup and applied on standby during recovery.

The APPLIED column starts showing YES for the logs which are being transmitted now, this means logs are being applied.

Check the status of MRP process in the view v$managed_standby. The status should be APPLYING_LOGS for the duration that available logs are being applied and once all available logs have been applied, the status should be WAITING_FOR_LOGS

7. Another check to verify that primary and standby are in sync. Run the following query on both standby and primary:

SQL> select max (sequence#) from v$log_history.

Output should be same on both databases.

STEP #2:  Steps to recreate the standby controlfile and start the managed

                recover on standby

Since Managed recovery failed after applying the incremental backup, we need to recreate the controlfile of standby. The reason for recreating the controlfile is that the state of the database was same because the database_scn was not updated in the control file after applying the incremental backup while the scn for datafiles were updated. Consequently, the standby database was still looking for the old file to apply.

A good MOSC note for re-creating the controlfile in such a scenario is 734862.1.

1. Take the backup of controlfile from primary

rman target sys/oracle@proddb catalog rman/cat@emrep

rman> backup current controlfile for standby;

2. Copy the controlfile backup to the standby system (or if it is on the common NFS mount, no need to transfer or copy) and restore the controlfile onto the standby database

Shutdown all instances (If standby is RAC) of the standby.

sqlplus / as sysdba
shutdown immediate
exit

Startup nomount, one instance.

sqlplus / as sysdba

startup nomount

exit

Restore the standby control file.

rman nocatalog target /

restore standby controlfile from '/tmp/o1_mf_TAG20070220T151030_.bkp';

exit

3. Startup the standby with the new control file.

sqlplus / as sysdba

shutdown immediate

startup mount

exit

4.  Restart managed recovery in one instance (if standby is RAC) of the standby database:

sqlplus / as sysdba

SQL > ALTER DATABASE RECOVER MANAGED STANDBY DATABASE DISCONNECT;

The above statement may succeed without errors but the MRP process will still not start. The reason is that since the controlfile has been restored from the primary, it is looking for datafiles at the same location as are in primary instead of standby. For example, if the primary datafiles are located at '+DATA/proddb_1/DATAFILE' and standby datafiles are at '+DATA/proddb_2/DATAFILE', the new controlfile will show the datafile’s location as '+DATA/proddb_1/DATAFILE'. This can be verified from the query "select name from v$datafile" on the standby instance. We need to rename all the datafiles to reflect the correct location.

There are two ways to rename the datafiles:

1. Without using RMAN

Change the parameter standby_file_management=manual in standby’s parameter file.

ALTER DATABASE RENAME FILE '+DATA/proddb_1/datafile/users.310.620229743' TO '+DATA/proddb_2/datafile/USERS.1216.648429765';

2. Using RMAN

rman nocatalog target /

Catalog the files, the string specified should refer to the diskgroup/filesystem destination of the standby data files.

RMAN> catalog start with '+diskgroup//datafile/';

e.g.:

RMAN> catalog start with '+DATA/proddb_2/datafile/';

This will give the user a list of files and ask if they should all be cataloged. The user should review and say YES if all the datafiles are properly listed.

Once that is done, then commit the changes to the controlfile

RMAN> switch database to copy;

Now start the managed recovery as:

SQL > ALTER DATABASE RECOVER MANAGED STANDBY DATABASE DISCONNECT

and check for processes in the view v$managed_standby.  MRP process should be there. It will also start applying all the archived logs that were missing since last applied log.  This process might take hours.

5. Another check to verify that primary and standby are in sync:

Run the following query on both standby and primary after all logs in v$archived_log show APPLIED=YES:

SQL> select max(sequence#) from v$log_history.

Output should be same on both databases.

STEP #3    Register all the redo logs to standby database.

After recreating the controlfile, you still find that logs are being transmitted but not being applied on the standby. Check the alert log of standby. For example, see if you find something similar to below snippet:

Fetching gap sequence in thread 1, gap sequence 74069-74095

Wed Sep 17 06:45:47 2008

RFS[1]: Archived Log: '+DATA/ipwp_sac1/archivelog/2008_09_17/thread_1_seq_74093.259.665649929'

Wed Sep 17 06:45:55 2008

Fetching gap sequence in thread 1, gap sequence 74069-74092

Wed Sep 17 06:45:57 2008

RFS[1]: Archived Log: '+DATA/proddb_2/archivelog/2008_09_17/thread_1_seq_74094.258.665649947'

Wed Sep 17 06:46:16 2008

RFS[1]: Archived Log: '+DATA/proddb_2/archivelog/2008_09_17/thread_1_seq_74095.256.665649957'

Wed Sep 17 06:46:26 2008

FAL[client]: Failed to request gap sequence

 GAP - thread 1 sequence 74069-74092

The contents of alert log shows that logs sequence# from 74069 to 74092 may have been transmitted but not applied. The view v$archived_log shows the sequence# starting from 74093 and APPLIED=NO.

So this situation means that logs up to 74068 were applied as part of the incremental backup and from 74069 to 74093 have been transferred to standby server but they must have failed to register with standby database. Try the following steps:    

1. Locate the log sequence# shown in alert log (for example 74069 to 74092). For example,

 +DATA/proddb_2/archivelog/2008_09_17/thread_1_seq_74069.995.665630861

2. Register all these archived logs with the standby database.

alter database register logfile '+DATA/proddb_2/archivelog/2008_09_17/thread_1_seq_74069.995.665630861';

alter database register logfile '+DATA/proddb_2/archivelog/2008_09_17/thread_1_seq_74070.998.665631405';

alter database register logfile '+DATA/proddb_2/archivelog/2008_09_17/thread_1_seq_74071.792.665633755';

alter database register logfile '+DATA/proddb_2/archivelog/2008_09_17/thread_1_seq_74072.263.665633713';

……..

….and so on till the last one.

3. Now check the view v$archived_log and finally should see the logs being applied. The status of MRP should change from ARCHIVE_LOG_GAP to APPLYING_LOGS and eventually WAITING_FOR_LOGS.

Oracle 10g Dataguard – Sync Standby database

One of the major problems being faced by DBAs managing Physical Standby Databases is to keep the standby database in sync with Primary Database.
At times, standby database will go out of sync and there will be hundreds of archive logs to be applied.
It takes huge amount of data transfer and also large amount of archive log apply activity in the standby database.
Also, there is a potential chance of archive log non-availability, which may lead to rebuild of standby database.
The above situation can be tacked, without rebuild in Oracle 10g environment.
Steps to bring the standby database in sync with Primary Database are listed below.
1. Find the current SCN of standby database.
select current_scn from v$database;
CURRENT_SCN
———–
4793543
2. On the primary database – create the needed incremental backup from the above SCN
rman target /
RMAN> BACKUP DEVICE TYPE DISK INCREMENTAL FROM SCN 4793543 DATABASE FORMAT ‘C:\temp\bkup_%U’;
3. create a new standby controlfile from production
sqlplus> alter database create standby crontrolfile ‘blah’;
4. Cancel managed recovery on standby

sqlplus> recover managed standby database cancel;
5. Move your incremental backup from (2) to the standby server (empty folder) and catalog it
rman target /
rman> catalog start with ‘c:\temp\backup\’;
6. recover your standby from the incremental backup
     rman> recover database noredo;
7. shutdown the standby and replace the controlfile with the one you backup in (3)
8. startup the standby and put it back into managed recovery mode
    sqlplus> startup mount
    sqlplus> recover managed standby database disconnect;

  J Steps to failover to physical standby database if your Production Database Stops J

                   In this document we will see the steps to failover to a physical standby database.

 1.  Stop Redo Apply.

        Issue the following SQL statement on the target standby database:

        SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL;

2.  Finish applying all received redo data.

       By this we are giving indication to the standby database that primary database is no more.

      SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE FINISH;

                               Once the FINISH command has completed, the protection mode of the primary database

                               is lowered to Maximum Performance, regardless of its original protection mode.

                               This is done because the new primary can be activated without an standby

     

      SQL > select protection mode, protection level from  v$database

     

      Protection Mode   Protection Level

     ——————–   ——————–

      MAXIMUM PERFORMANCE   UNPROTECTED

3.     Verify that the target standby database is ready to become a

      Primary database.

   Query the SWITCHOVER_STATUS column of the V$DATABASE view on the target  

    Standby database.

   SQL > select SWITCHOVER_STATUS from   v$database

              4.   Switch the physical standby database to the primary role.

   SQL> ALTER DATABASE COMMIT TO SWITCHOVER TO PRIMARY WITH SESSION SHUTDOWN;

             5.   Open the new primary database

  SQL> ALTER DATABASE OPEN;

                            At this stage the protection level is changed to Max Performance from ‘Unprotected’

            6.  Backup the new primary database.

     J Manual Switchover to Standby and Primary  J

      On the PRIMARY Database: (Open stage)

1.   Query V$DATABASE to check the role of Primary Database.

      SQL> Select Database_role from v$Database;

      It will return “PRIMARY”

2.   Now check the Switchover Status of the Primary Database.

      SQL> Select switchover_status from v$Database;

      It will return “SESSIONS ACTIVE”.

3.  Now you are ready to perform a manual switchover. Execute the following command using

     WITH SESSION SHUTDOWN” option.

    SQL> Alter Database Commit to Switchover to Physical Standby with session Shutdown;

     Database Altered.

4   Now your PRIMARY Database has become Physical Standby. To verify this change,

     again query the Database_role column of V$DATABASE. Now it will return

    “PHYSICAL STANDBY”.

     SQL > Select database_role from v$database;

5.  Shutdown the database and again Start it to mount stage.
  

     SQL >Shutdown immediate

     SQL > Startup mount;

     On the PHYSICAL STANDBY Database: (Mount stage)

6.  Query V$DATABASE to check the role of Standby Database.

     SQL> Select Database_role from v$Database;

      It will return “PHYSICAL STANDBY”,

 

8.   Now check the Switchover Status of the Standby Database.

  .   SQL> Select switchover_status from v$Database;

      It will return “SESSIONS ACTIVE”.

9.   Now cancel the MRP which is running in the background of the Standby Database.

      Execute the following command:

      SQL> Alter database Recover Managed Standby Database Cancel;

      Database Altered.

10.  Now you are ready to perform a manual switchover from Physical Standby to Primary.

       Execute the following command using “WITH SESSION SHUTDOWN” option.

       SQL> Alter Database Commit to Switchover to PRIMARY with session Shutdown;

       Database Altered.

       Now your PHYSICAL STANDBY Database has become PRIMARY.

       Verify this change, again query the Database role column of V$DATABASE.

       Now it will return “PRIMARY”.

11.  Shutdown the database and again Start it to Open stage.

       SQL > Shutdown immediate;

       SQL > Startup Mount;

       SQL > Alter database open;

              J Manual Switchover without Data guard in Oracle J

Switchover can be done without dataguard. Using switchover operation we can convert physical standby database to primary and primary database to physical standby database in Oracle. Switchover operation can perform without dataguard and with dataguard. Here we can see how to perform switchover operation without dataguard configuration. In following example we assume that our primary database and physical standby database are working properly. Standby database is up with managed recovery mode and there is no archive log gap found in physical standby database. In short we can say that our standby database is synchronize with primary database. Find out step by step switchover operation. This switchover calls as manual switchover.

Primary Database: First we should need to check our job queue processes and aq processes parameters. Check the value of both parameter and save in your log book. These value should need to restore while standby switchover finished. After get value of both parameters disable those parameter with value 0. Execute log switch forcefully for all recent changes also reflect to standby database. After finishing both tasks, execute switchover command in primary database. Once successfully execution of switchover command bring database down. Detail commands have been given below with exact steps by steps.

SQL> show parameter aq_tm_processes

SQL> show parameter job_queue_processes

SQL> alter system set aq_tm_processes=0;

 SQL> alter system set job_queue_processes=0;

SQL>alter system switch logfile;

SQL>select switchover_status from v$database;

SQL>alter database commit to switchover to physical standby with session shutdown;

SQL>shutdown immediate;

Physical Standby Database:

First check archive sequence applied in standby database. Because Physical Standby database needs to synchronize with primary database. Disable log archive destination which contains service of Primary database. Execute switchover command and wait for finishing. After successfully completion of switchover command, shutdown database.

SQL>startup nomount

SQL>alter database mount standby database;

SQL>alter system set log_archive_dest_state_2=defer scope=both;

SQL>select switchover_status from v$database;

SQL>alter database commit to switchover to primary;

SQL>shutdown immediate

Now switchover operation is almost finished. We should need to start both Primary (switched from physical standby) database and Physical standby (switched from primary) database carefully.

Now start NEW PRIMARY database (it was previous physical standby database).

           

SQL>startup

SQL> select switchover_status from v$database;

Now start NEW PHYSICAL STANDBY database (It was previous primary database).

SQL>startup nomount

SQL>alter database mount standby database;

SQL> select switchover_status from v$database;

SQL>recover managed standby database disconnect from session;

In NEW Primary Database:

Enable archive log destination which contains service of standby database. Add tempfile in new primary database because before it was physical standby. Restore all processes parameters which we got in first step. Switch log forcefully to monitor archive shipping to physical standby database.

SQL>alter system set log_archive_dest_state_2=enable scope=both;

SQL> alter tablespace TEMP add tempfile '/u01/orcl/oradata/temp/temp01.dbf' size 1000M;

SQL> alter system set job_queue_Processes=10;

SQL> alter system set aq_tm_processes=5;

SQL>alter system switch logfile;

Check connectivity from new physical standby to new primary database. Also monitor archive log shipping from primary database to physical standby database. Post check for switchover_status of v$database from both new databases. Manual switchover without dataguard is finished.