How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1)

VNCR is supported for the cluster. Use MOS note 1914282.1 to ensure you've done all the required steps.

===============================
Oracle Net Services - Version 11.2.0.4 to 12.1.0.2 [Release 11.2 to 12.1]
Oracle Database - Enterprise Edition - Version 11.2.0.4 to 12.1.0.2 [Release 11.2 to 12.1]
Information in this document applies to any platform.
GOAL

Starting with 11.2.0.4 we have the option of using VNCR to protect the listener from having remote/unknown instances registering to it.

See Note 1600630.1 Valid Node Checking For Registration (VNCR)


On 12.1 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name for both local and SCAN listeners is set by default to SUBNET/2, i.e. all machines in the subnet are allowed to register. This is done in order to allow registration to the local listeners and SCAN listeners from the instances on the other nodes of the RAC.

On 11.2.0.4 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name is set to off.

However, sometimes this allows other instances in the same subnet to register against these listeners. We want to prevent that and allow only the local instances of that RAC database to be registered with these listeners.

SOLUTION

On 11.2.0.4:

To accomplish only local registration of the instances to local and scan listeners, the following settings will need to be made in listener.ora on all nodes:

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(<list of public ip's of all nodes>)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(<list of public ip's of all nodes>)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(<list of public ip's of all nodes>)



For example, for a two-node RAC with two SCAN listeners, we will have on both nodes:

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(node1,node2)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(node1,node2)



Setting VALID_NODE_CHECKING_REGISTRATION_LISTENER and VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCANX to 1 allows local instances on that node to register. The REGISTRATION_INVITED_NODES_LISTENER_SCANX parameter adds all the instances on the other nodes to the invited nodes. We need to use the public IPs of the nodes, even if the local listeners run only on VIPs (and not on both, as is the default in 11.2 and higher).
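Added example (not part of the MOS note): a read-only check of listener.ora text against the 11.2.0.4 settings described above. It flags listeners where VNCR is off, unset or SUBNET, and SCAN listeners whose invited list does not match the cluster nodes. The function names, the sample file and the host testhost9 are constructed; it assumes one parameter per line, SCAN listeners named LISTENER_SCANn, and node names written exactly as in listener.ora (no DNS lookup).

```python
import re

# Constructed sample listener.ora for a two-node RAC (not taken from a real system).
SAMPLE = """\
VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(node1,node2)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2 = SUBNET
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(node1, testhost9)
"""

PARAM = re.compile(r"^[ \t]*(VALID_NODE_CHECKING_REGISTRATION|REGISTRATION_INVITED_NODES)"
                   r"_(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.I | re.M)

def parse(text):
    """Return {listener: {parameter: value}} for the two VNCR parameters."""
    cfg = {}
    for param, name, value in PARAM.findall(text):
        cfg.setdefault(name.upper(), {})[param.upper()] = value
    return cfg

def audit(text, listeners, cluster_nodes):
    """Return {listener: [findings]}; an empty list means local-only registration."""
    cfg, wanted, report = parse(text), {n.lower() for n in cluster_nodes}, {}
    for name in listeners:
        params = cfg.get(name.upper(), {})
        mode = params.get("VALID_NODE_CHECKING_REGISTRATION", "").upper()
        invited = {n.strip().lower() for n in
                   params.get("REGISTRATION_INVITED_NODES", "").strip("()").split(",") if n.strip()}
        found = []
        if mode in ("", "OFF", "0"):  # unset is treated as the 11.2.0.4 default (off)
            found.append("VNCR off or unset: registration is not restricted")
        elif mode in ("SUBNET", "2"):
            found.append("SUBNET: every machine in the subnet may register")
        elif mode not in ("1", "ON", "LOCAL"):  # ON and LOCAL are aliases of 1
            found.append("unrecognised value " + mode)
        elif "SCAN" in name.upper() and wanted - invited:  # assumed SCAN naming
            found.append("cluster nodes not invited: " + ", ".join(sorted(wanted - invited)))
        if invited - wanted:
            found.append("invited hosts outside the cluster: " + ", ".join(sorted(invited - wanted)))
        report[name] = found
    return report

if __name__ == "__main__":
    names = ["LISTENER", "LISTENER_SCAN1", "LISTENER_SCAN2", "LISTENER_SCAN3", "LISTENER_SCAN4"]
    for lsnr, findings in audit(SAMPLE, names, ["node1", "node2"]).items():
        print(lsnr, "OK" if not findings else "; ".join(findings))
```

Run it on every node, since the note requires the same settings in listener.ora on all nodes.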



On 12c:

Starting with 12c, we can no longer set VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCANx=1 / REGISTRATION_INVITED_NODES_LISTENER_SCANx in listener.ora, as it will be overwritten by the agent. If we set 'invitednodes'/'invitedsubnets' using the srvctl utility, like below, then the agent will automatically set in listener.ora VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCANx to value 'SUBNET' and REGISTRATION_INVITED_NODES_LISTENER_SCANx to the specific list.

srvctl modify scan_listener {-update | -endpoints [TCP:]port[/IPC:key] [/NMP:pipe_name][/TCPS:s_port][/SDP:port] } [-invitednodes node_list] [-invitedsubnets subnet_list]

Note that in 11.2.0.4 the '-invitednodes'/'-invitedsubnets' options of the srvctl command are not available.



Starting with 12c a new parameter is available, REMOTE_REGISTRATION_ADDRESS_<listener_name>. This parameter is configured internally in the SCAN listener to restrict registrations to the private network. The registration endpoint is on a private network within the cluster. All remote registration requests coming in on normal listening endpoints are redirected to the registration endpoint. Any system which is not a part of the cluster cannot connect to the endpoint.

The value of this parameter should not be modified or specified explicitly. The only supported explicit setting is for turning this feature off by setting the value to OFF. The value is OFF in non-SCAN listeners.


You can check its value by running:

lsnrctl show remote_registration_address <listener_name>

Example:

LSNRCTL>set current_listener LISTENER_SCAN1

LSNRCTL>show remote_registration_address


All instance registration requests will be redirected to this private endpoint, and only the instances from the same cluster will be able to register with the SCAN listeners. This is the alternative to VNCR settings on local listeners.

NOTE: In 12.1.0.2, the GI agent sets the remote_registration_address to HAIP or the private IP address by default. This is true for both local listener and scan_listener.
The agent turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) is set using srvctl.
The agent also turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) information is found in the listener.ora file.

Both database and the GRID home must be at version 12. If the database is pre 12 OR upgraded from 11g, the REMOTE_REGISTRATION_ADDRESS will not be set to HAIP. VNCR will not be enabled by default for those instances that have been upgraded from 11g.


As of 12.1.0.2 Grid Infrastructure, VNCR is enabled by default (since REMOTE_REGISTRATION_ADDRESS points only to an internal IP address) and no additional step is required.

To relax this default VNCR in 12.1.0.2, use the srvctl modify invited_node or invited_subnet commands.
================================

posted @ 2021-06-25 21:55  耀阳居士