1.5 口令文件修改案例一则

某客户的ORACLE两节点集群数据库,为保证在RAC环境备份归档日志的方便性,归档日志除分别在两节点进行本地归档外,在进行本地归档的同时,通过配置 log_archive_dest_2向另一节点传送归档日志,在通过 orapwd 工具在节点一更改 SYS 密码后,造成归档 log_archive_dest_2向另一节点无法传送归档日志。

从数据库中查询到相关错误信息如下:

Error 1017 received logging on to the standby

------------------------------------------------------------

Check that the primary and standby are using a password file

and remote_login_passwordfile is set to SHARED or EXCLUSIVE,

and that the SYS password is same in the password files.

returning error ORA-16191

------------------------------------------------------------

Errors in file /oracle/app/diag/rdbms/orac/orac1/trace/orac1_arc1_1208404.trc:

ORA-16191: 主日志传送客户机没有登录到备用数据库

PING[ARC1]: Heartbeat failed to connect to standby 'orac2'. Error is 16191.

DEST_NAME ERROR STATUS

---------------------- --------------------------------------- -----------

LOG_ARCHIVE_DEST_1  VALID

LOG_ARCHIVE_DEST_2 ORA-16191: Primary log shipping

client not logged on standby ERROR

LOG_ARCHIVE_DEST_3 INACTIVE

LOG_ARCHIVE_DEST_4 INACTIVE

LOG_ARCHIVE_DEST_5 INACTIVE

LOG_ARCHIVE_DEST_6 INACTIVE

LOG_ARCHIVE_DEST_7 INACTIVE

LOG_ARCHIVE_DEST_8 INACTIVE

LOG_ARCHIVE_DEST_9 INACTIVE

LOG_ARCHIVE_DEST_10 INACTIVE

在Oracle RAC或DG环境中,出现ORA-16191错误,通常是由于两节点密码文件不一致或 remote_login_passwordfile 参数设置不当导致。而本次故障原因并非以上原因所致,客户经过口令文件的重建仍然无法解决问题,在经过分析后确认问题的原因为Oracle 11g的口令安全增强。

Oracle 11g中对于密码安全验证的增强(即Strong Authentification Framework),该增强由初始化参数SEC_CASE_SENSITIVE_LOGON决定,当该参数设置为true时,启用Strong Authentification Framework,false则关闭该增强验证。

当启用强口令认证时,Oracle区分密码大小写,在创建口令文件时,即便口令相同也会在两节点产生不同的HASH值,需要指定ignorecase参数强制忽略大小写才能够保证DG的正常认证(或者在数据库级取消大小写强口令验证)。

在Oracle数据库两节点分别执行如下命令。

节点一:

orapwd file=orapworac1 password=oracle1 ignorecase=y force=y

节点二:

orapwd file=orapworac2 password=oracle1 ignorecase=y force=y

分别查看两节点归档路径信息,log_archive_dest_2状态即恢复正常。

DEST_NAME STATUS ERROR

-------------------------------- ----------------- ------

LOG_ARCHIVE_DEST_1  VALID

LOG_ARCHIVE_DEST_2  VALID

LOG_ARCHIVE_DEST_3  INACTIVE

LOG_ARCHIVE_DEST_4  INACTIVE

LOG_ARCHIVE_DEST_5  INACTIVE

LOG_ARCHIVE_DEST_6  INACTIVE

LOG_ARCHIVE_DEST_7  INACTIVE

LOG_ARCHIVE_DEST_8  INACTIVE

LOG_ARCHIVE_DEST_9  INACTIVE

LOG_ARCHIVE_DEST_10  INACTIVE

在两节点通过多次手动触发日志切换,查看日志归档状态恢复正常,告警日志未再出现由于远程日志传送导致的相关错误信息。

Fri Feb 01 18:15:47 2013

RFS[7]: Archived Log: '/archivelog/rac2/2_83_802962309.dbf'

Fri Feb 01 18:16:17 2013

RFS[7]: Archived Log: '/archivelog/rac2/2_84_802962309.dbf'

Fri Feb 01 18:16:46 2013

RFS[7]: Archived Log: '/archivelog/rac2/2_85_802962309.dbf'

Fri Feb 01 18:16:48 2013

Thread 1 advanced to log sequence 98

Current log# 2 seq# 98 mem# 0: /dev/rlv_redo12

Fri Feb 01 18:17:03 2013

RFS[7]: Archived Log: '/archivelog/rac2/2_86_802962309.dbf'

RFS[7]: Archived Log: '/archivelog/rac2/2_87_802962309.dbf'

Fri Feb 01 18:17:14 2013

Redo Shipping Client Connected as PUBLIC

-- Connected User is Valid

RFS[8]: Assigned to RFS process 1438620

RFS[8]: Identified database type as 'primary cross instance archival'

Fri Feb 01 18:17:14 2013

RFS[7]: Archived Log: '/archivelog/rac2/2_88_802962309.dbf'

RFS[8]: Archived Log: '/archivelog/rac2/2_88_802962309.dbf'

Fri Feb 01 18:17:15 2013

Thread 1 advanced to log sequence 99

Current log# 5 seq# 99 mem# 0: /dev/rlv_redo13

Fri Feb 01 18:17:27 2013

RFS[7]: Archived Log: '/archivelog/rac2/2_89_802962309.dbf'

这个案例给我们的经验是:即便是一个简单的口令文件修改操作,也要考虑到备库等集联因素,避免因为考虑不周导致的数据库故障。