1

<Insert Picture Here>

Oracle Net Services: Performance, Scalability, HA and Security Best Practices

Kant C Patel Director of Development Oracle Net Kuassi Mensah Group Product Manager Oracle Net and JDBC Viswanath Ravishankhar Technical Product Manager Intel Corporation

Program

Overview of Oracle Net Why Optimize Oracle Net? 11g New Features Best Practices
Operating System and Network Database Client Net Listener Database Server

<Insert Picture Here>

Intel Case C S Study Q/A

Oracle Net Overview

Primary Communication Foundation for DB Formerly known as SQL*Net Oracles Family of Networking Features:
Oracle Net Oracle Net Listener Connection Manager Configuration Tools Net Manager NetCA

Why Optimize Oracle Net?

System Performance
Increase Network bandwidth utilization Lower database CPU utilization

High Availability
Better respond to database/host/network failures

Network Scalability
Scale better with more client connections Load-balance to improve application experience

Network Manageability
Simplify deployment and configuration

Network Security
Protect and recover from Denial of Service attacks

Net Configuration Files

sqlnet.ora
Main Oracle O Net configuration f file f On both Client and Server

listener.ora
Configuration C fi ti f for th the N Net t Li Listener t On Server only

tnsnames.ora
Contains Connect Name to Descriptor mappings Used by the TNSNames Naming adapter On both Client and Server

ldap.ora ldap ora

Contains LDAP configuration information Used the LDAP Naming adapter On both Client and Server

Oracle Net 11g New Features

Performance & Scalability
Support pp for large g SDU ( (11.2.0.2) ) Optimized networking stacks for various data transfer needs Network Fast Path for SQL operations Zero Copy I/O Path for bulk data transfers Support for Database Resident Connection Pools Support for Scalable Operating System Event Models

High Hi h Availability A il bilit & M Manageability bilit

IP address list traversal for each hostname during connect (11.2.0.1) Efficient dead-node detection for failover (11.2.0.1) Option to enable connection retries (11 (11.2.0.1) 2 0 1) Easy Connect Naming enhancements Integration with Automatic Diagnostic Repository Option for Default Service in Listener

Oracle Net 11g New Features

Network Security
CIDR and wildcard support for valid node checking (11.2.0.1) Authenticated LDAP name lookup - OID and Active Directory Protocol level access control for Listener administration

IPv6 (11.2.0.1)
Support for all features and components in single-instance mode Support for single listener address across all IP(v4/v6) interfaces
IPv4-only Server IPv4-only y Client Dual-stack Client IPv6-only IPv6 only Client Supported pp ( (v4) ) Supported (v4) Not Supported Dual-stack Server Supported pp ( (v4) ) Supported (v4,v6) Supported (v6) IPv6-only Server Not Supported pp Supported (v6) Supported (v6)

O Operating ti System S t
Tuning

Why is OS tuning critical? Key role in data transmission! Some default OS configurations cannot handle modern Ethernet speeds Bandwidth x Delay Product (BDP)
Amount of data on the wire wire at any given point in time Default OS buffers not large enough to handle this data For example, with 40 Mbits/sec bandwidth, 25 msec delay, BDP = (40 1000 8 Kb Kbytes/sec) t / ) (0.025 (0 025 sec) ) ~ 128 Kb Kbytes t

TCP a benevolent algorithm one size fits all

Slow-start Exponential back-off Small Window Sizes TCP performance features may not be enabled by default

10

TCP Optimization - Linux

Use TCP auto-tuning in kernel (2.4.27, 2.6.7)

/proc/sys/net/ipv4/tcp_moderate_rcvbuf (1=on) /proc/sys/net/ipv4/tcp p y p p_rmem and tcp p_wmem 4096 87380 174760 Tune this to 2xBDP /p /proc/sys/net/core/rmem / y / / / _max Set this to 2xBDP and wmem_max

Tune TCP Max Memory Tune the socket buffer sizes Ensure that TCP Performance features are enabled
/proc/sys/net/ipv4/tcp_sack /proc/sys/net/ipv4/tcp sack /proc/sys/net/ipv4/tcp_window_scaling /proc/sys/net/ipv4/tcp_timestamps

11

TCP Optimization - Windows

Vista / Server 2008 supports TCP auto-tuning g For other versions, tuning necessary under RegKey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\Tcpip\Parameters

Turn on Window Scaling and Timestamps

Tcp1323Opts = 3

Set S t TCP Window Wi d Size Si to t 2xBDP 2 BDP

GlobalMaxTcpWindowSize = <2xBDP>

If desired, tune Window Size at the Interface Level

Tcpip\Parameters\Interfaces\<interfaceGUID>\ TcpWindowSize

12

Dont forget the Hardware

Use Jumbo Frames for GigE g networks Use NICs with TCP off-loading capabilities Monitor switches and OS for packet loss
Causes numerous issues

13

D t b Database Client Cli t

Performance

14

Tuning the Socket Buffers

Set send and receive socket buffer sizes in tnsnames.ora or sqlnet.ora using:
SEND_BUF_SIZE OS send buffer size RECV_BUF_SIZE OS receive buffer size

Set this size to accommodate the BDP (2x) Also set on the server Large buffer sizes help
Application queue more data to the OS Have more data on the wire Better utilize available bandwidth In WAN deployments

15

Tuning the Session Data Unit

Controls SQL*Net packet size

11g default 8k, Pre-11g default 2k Max is 64k

Set in
sqlnet.ora: DEFAULT_SDU_SIZE tnsnames.ora: SDU in address

Larger SDU gives

Better Network throughput Fewer system calls to send and receive data Less CPU usage system and user

Side-effect of larger SDU: Network buffers take up more memory

16

SDU Recommendations

Optimal SDU varies with application Increase SDU on both client and server
SDU for a connection negotiated down to the lower of the two p peers

Increase SDU to 8k
Good default value for most users

For bulk data transfer scenarios, scenarios increase to 64k

LOB transfers XML DB

Do not set to MTU value

SDU and MTU are independent

17

D t b Database Client Cli t

Manageability

18

Introduction to Net Naming

Descriptors can be mapped from a Connect Name

sales = Connect Name (DESCRIPTION= (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=sales))) Connect Descriptor

Naming g Adapters p map p Name to Descriptor: p

Local file: tnsnames.ora Hostname based: Easy Connect Directory: Oracle Internet Directory, Directory Active Directory

19

Easy Connect

Simple, easy to use connect syntax for TCP/IP

[//]host[:port][/service_name][:server][/instance_name]

Example:

sqlplus scott/tiger@sales-server/sales

Useful when no connect descriptor customization is necessary No need for any client side configuration files
sales-server/sales

is equivalent to
(DESCRIPTION (DESCRIPTION= (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=sales)))

20

Oracle Net 11g and Easy Connect

Support for IPv6 hostnames and addresses Use URL syntax to specify IPv6 addresses
[2001:fe8::12]:1522/sales.us.example.com:dedicated/inst1

is equivalent to
(DESCRIPTION= (ADDRESS=(PROTOCOL=tcp)(HOST=2001:fe8::12)(PORT=1522)) (CONNECT DATA=(SERVICE (CONNECT_DATA (SERVICE_NAME NAME=sales.us.example.com) sales.us.example.com) (INSTANCE_NAME=inst1) (SERVER=dedicated)))

21

Naming Recommendations

Use Easy y Connect whenever possible If Descriptors do not change often, use tnsnames.ora
Best for small deployments TNS_ADMIN can be on a shared file system

If Descriptors change often or for large deployments, use a directory

O Oracle l Internet I t t Directory Di t Active Directory on Windows Enable authenticated binds if needed

22

D t b Database Client Cli t

High-Availability

23

Connection Establishment Timeouts

Detect dead hosts faster Timeout for TCP connection establishment

TCP.CONNECT_TIMEOUT 11g feature Enabled by default (60 seconds) in 11gR2

Timeout for connection to a DB server process

SQLNET.OUTBOUND_CONNECT_TIMEOUT 10gR2 feature Set if session establishment takes a long time

Configurable at connect string level Can be used individually y or at the same time
Outbound Connect Timeout must be greater than TCP Timeout

Option to enable connection retries

24

Address and Description Lists

Use client side load-balancing when using RAC

(DESCRIPTION=(ADDRESS_LIST= (LOAD_BALANCE=on) (ADDRESS=(PROTOCOL=tcp)(HOST=sales-1)(PORT=1521)) (ADDRESS=(PROTOCOL=tcp)(HOST=sales-2)(PORT=1521))))

Address to use picked at random

Use Failover when using Dataguard

(DESCRIPTION_LIST = (LOAD_BALANCE=off)(FAILOVER=on) (DESCRIPTION = ) (DESCRIPTION = )) ( ))

Usage not limited to RAC and Dataguard

25

RAC + Data Guard Example

Primary y

Standby

RAC sales-1 sales-2 backup-1

RAC backup-2

sales-scan=(sales-1,sales-2)

backup-scan=(backup-1,backup-2)

26

The Optimal Connect Descriptor would be

(DESCRIPTION_LIST = (LOAD BALANCE ff)(FAILOVER (LOAD_BALANCE=off)(FAILOVER=on) ) (DESCRIPTION = (LOAD_BALANCE=on) (ADDRESS (PROTOCOL tcp)(HOST sales scan)(PORT 1521)) (ADDRESS=(PROTOCOL=tcp)(HOST=sales-scan)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=sales.example.com))) (DESCRIPTION = (LOAD_BALANCE=on) (ADDRESS=(PROTOCOL=tcp)(HOST=backup-scan)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=sales.example.com))))

27

The Connect Descriptor internally expands to

(DESCRIPTION_LIST = (LOAD BALANCE ff)(FAILOVER (LOAD_BALANCE=off)(FAILOVER=on) ) (DESCRIPTION = (ADDRESS_LIST= (LOAD BALANCE=on) (LOAD_BALANCE on) (ADDRESS=(PROTOCOL=tcp)(HOST=sales-1)(PORT=1521)) (ADDRESS=(PROTOCOL=tcp)(HOST=sales-2)(PORT=1521))) (CONNECT_DATA=(SERVICE_NAME=sales.example.com))) (DESCRIPTION = (ADDRESS_LIST= (LOAD_BALANCE=on) (ADDRESS (PROTOCOL t )(HOST b k (ADDRESS=(PROTOCOL=tcp)(HOST=backup-1)(PORT=1521)) 1)(PORT 1521)) (ADDRESS=(PROTOCOL=tcp)(HOST=backup-2)(PORT=1521))) (CONNECT_DATA=(SERVICE_NAME=sales.example.com))))

28

Fail-over for Connected Sessions

Established client connections could hang g when

Database host crashes Remote Networks fail

Detection of such failures could take a while

TCP behavior - timeouts in minutes Depends on what the client does

To catch such failures

Set a Receive Timeout If your application is active and does not use long long-running running queries Use Fast Application Notification (FAN)

29

Thin-JDBC Tuning

SDU passed through g the connect string g

jdbc:oracle:thin:@(DESCRIPTION.(SDU=))

Connect Timeout set through property

oracle net CONNECT TIMEOUT oracle.net.CONNECT_TIMEOUT

Read Timeout set through

oracle.net.READ_TIMEOUT

Note: Do not use as a query-timeout.

For Query Timeout, use

State e t.ca ce o Statement.cancel or Statement.setQueryTimeout

30

N t Li Net Listener t
Scalability. HA. Security.

31

What is the Net Listener?

First process that clients talk to Brokers client requests, handing them off to service handlers
Dispatchers Dedicated servers Connection Broker DRCP (11g)

Receives R i l load d updates d t f from th the d database t b Does server side load-balancing across instances in RAC Does server side failover across nodes in RAC Can listen on multiple end-points or protocol addresses Also supports other presentations HTTP, FTP

32

Database Registration with Listener

Use Dynamic y Registration g

PMON updates the listener about
Offered services and available service handlers Load statistics frequently updated

To configure, set in init.ora

LOCAL_LISTENER: Address of listeners on local host REMOTE_LISTENER: REMOTE LISTENER: Address of listeners on remote hosts

By default PMON connects to listener on port 1521 Automatically A t ti ll setup t with ith RAC

Remove static SID_LIST configuration in listener.ora

Keep p only y if y you want to remotely y start the database

33

Server-side Load Balancing

Change behavior by setting Connection Load Balancing Goal

Long for applications with long-lived connections (default) Short for applications with short-lived connections

34

Listener Logon Storm Handler

Logon storm
Sudden spike in incoming connection rate Normal middle-tier reboot Abnormal DoS attack Storms cause CPU starvation for existing sessions

Enable the Connection Rate Limiter feature

Configure in LISTENER.ORA LISTENER ORA Provides end-point level control of throttling
LISTENER=(ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcp)(HOST=sales)(PORT=1521)(RATE_LIMIT=3)) (ADDRESS (PROTOCOL t )(HOST l (ADDRESS=(PROTOCOL=tcp)(HOST=lmgmt)(PORT=1522)(RATE_LIMIT=no))) t)(PORT 1522)(RATE LIMIT )))

Set the Rate Limit to a value that matches your machine capabilities

35

Logon Storm Comparison

150 concurrent connections

RATE_LIMIT = no
Sessions s

RATE_LIMIT = 3/sec

CPU U Usage %

36

Other Best Practices

Increase the maximum concurrent requests per end-point

QUEUESIZE parameter in listener.ora Set to your expected Connection Request rate Definitely set on Windows Do not set a listener password Listener administration secure by default OS User Authentication

Optimize Environment variables for the oracle account

Longer g the PATH, longer g it takes to fork off the Oracle p process Ensure that PATH is small Does not include any network shares Cut down the number of environment variables

37

D t b Database Server S
Scalability

38

Oracle Server Architecture Overview

Choosing g the right g server architecture is critical to meeting scalability requirements Oracle O l Database D t b S Server supports t three th architectures hit t
Dedicated Server (default) Shared Server aka MTS Database Resident Connection Pool (11g)

39

Dedicated Servers

Each client connection has its own process (thread on Windows) Dedicated process ensures lower latencies Have to start a new process on connect Have to tear down a process on disconnect Scalability limits
Memory Number of Processes

40

Shared Servers (aka MTS)

Each server handles multiple clients Dispatchers relay requests and responses between clients and servers Idle connections will not consume much memory Good for large number of connections with many idle Latency increase due to manin-the-middle

41

Database Resident Connection Pool (11g)

Pooled dedicated servers shared h d across client li t systems and processes Low connect/disconnect costs t Server locked on connect Server released on disconnect Low-latency performance of dedicated servers Extreme scalability with a DRCP-capable client driver

42

Dedicated vs. Shared vs. DRCP

Use dedicated for:

High-performance f connections Active, long-running, data transfer intensive operations

Use shared for:

Sessions that may be idle for some time Clients that frequently connect and disconnect

Use DRCP (11g):

When you have thousands of clients which need access to a period of time database server session for a short p Applications mostly use same database credentials, and have identical session settings PHP (OCI8 extension), Python (cx_Oracle), Perl (DBI)

43

Using Shared Servers

Enable shared servers with init.ora parameters

Becomes new default

To force server type, specify server type during connect

Dedicated:
sales-server/sales.us.example.com:dedicated

Shared:
sales-server/sales.us.example.com:shared

Rough guidelines:
20 or 30 Shared Servers per 500 sessions, then tune from there 1 dispatcher p for every y 50-100 sessions

Significant performance improvements in 11g

44

Using DRCP

Pooling is enabled by the DBA using

EXECUTE DBMS_CONNECTION_POOL.START_POOL ('SYS_DEFAULT_CONNECTION_POOL');

Change connect string on client in tnsnames.ora:

(DESCRIPTION= (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=sales)(SERVER=pooled)))

Can use Easy Connect syntax too

sqlplus joeuser@sales-server:1521/sales:POOLED

In test environment, we were able to support more than 20,000 connections to a 2 GB Database Server

http://www.oracle.com/technology/tech/php/ http://www oracle com/technology/tech/php/

45

Scalable Event Models

Oracle uses the poll system call on most platforms

Poll does not scale well for more than 1000 connections

Newer, more efficient polling methods now supported on some platforms

epoll on Linux Kernel 2.6 /dev/poll on Solaris and HP-UX (11.2.0.1) pollset ll t on AIX (11.2.0.2) (11 2 0 2) other platforms (in the works)

Excellent scalability y for Shared servers and DRCP Enabled by default for DRCP To enable, set in server sqlnet.ora
USE_ENHANCED_POLL = on
46

D t b Database Server S
Security

47

Inbound Connect Timeouts

Limits the time taken for a client to connect and authenticate SQLNET.INBOUND_CONNECT_TIMEOUT SQLNET INBOUND CONNECT TIMEOUT
Controls timeout for Database server processes

INBOUND_CONNECT_TIMEOUT_listener_name
Controls C t l ti timeout tf for the th listener li t

Available from 10gR1 onwards Default value of 60 seconds in 10gR2 and above Independent of client-side timeouts

48

TCP Valid Node Checks Use TCP Invited Nodes

List Li t of f IPs IP or hostnames h t that th t are permitted itt d to t connect t

Use TCP Excluded Nodes

List of IPs or hostnames that are NOT p permitted to connect

Use CIDR notation and wildcard format for ease of configuration whenever possible Invited I i d nodes d takes k precedence d over excluded l d d To enable, set in sqlnet.ora
VALIDNODE O _C CHECKING C G = YES S TCP.INVITED_NODES = (hostname1, hostname2) TCP.EXCLUDED_NODES = (hostname3, hostname4)

49

Intel Case Study

50

Advanced Query Performance Tuning A Case Study from Intel Corporation

Viswanath Ravishankhar (viswanath.b.ravishankhar@intel.com)

Intel Mfg Decision Support Challenges

Data Size (MB) 250 1000 Data Rate Seen (mbps) ~1 ~1 Time Taken (min) 33 135
Very Slow

Challenge: Low throughputs on Intercontinental WAN due to:

Long distances (5K, 10K, or more) Countries with weak infrastructure B d id h is Bandwidth i expensive i Used for or other IT functions also

Opportunity: Make software more effective and efficient by:

Inline compression to reduce data size Tune Oracle + TCP Stack for higher throughput real value proposition

H How do d we tune the h Oracle O l + TCP Stack? S k?

Tuning for WAN Environments

Tuning Parameter DOE Parameters

Determine appropriate send and receive socket buffer sizes (in sqlnet.ora) Determine appropriate array size (i SQL*Pl (in SQL*Plus) ) Increase SDU Size (in sqlnet.ora) Increase TCP Window Size beyond 64KB (OS function) Use Bandwidth Delay Product (BDP) Use IPERF to get a benchmark for TCP performance between WAN endpoints

Socket Buffer Array Size SDU Size TCP Window Size Bandwidth Delay Product IPERF Max TCP WAN Throughput

8KB-1MB 3000 for SQL*Plus 50000 for OCI Client 8KB,16KB,32KB,64KB* 64KB-2MB 312KB 4 mbps

* Special S i lP Patch h from f Oracle O l

Oracle + TCP Tuning is an exercise in M l V Multi-Variate A l Analysis

What we discovered and learned

Client SQL*Pl SQL*Plus OCI Client 50MB Query Time (Sec) 32K SDU 43 39 64K SDU 26 24 Delta 40% 39%

Larger SDU gave big performance boost after tuning other parameters to optimal p p values Array size level analysis shows that 64KB SDU yields:

Query Performance at Array Level

Improvement I ti in overall ll performance f Improvement in consistency of performance

Summary:

Overall performance tuning gave the best performance boost for large data extracts More opportunities exist to improve query performance at network level

55

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, development release release, and timing of any features or functionality described for Oracles products remains at the sole discretion of Oracle.

56