integrity recovery
-
7/30/2019 Integrity Recovery
1/64
RECOVERY
DAY 3
-
Objectives
Integrity concepts.
- locking
- VSAM sharing
- logging
- forward recovery
Controlling the unit of work.
Resource serialization ENQ/DEQ.
Protecting data across multiple tasks.
User journaling.
-
INTEGRITY AND RECOVERY
-
CICS Integrity Services
[Diagram labels: CICS; File]
Unscheduled Interruptions: By backing out uncommitted changes
Resource Protection: By locking resources during change
-
Notes
CICS provides:
Protection from unscheduled interruptions
- Program abends
- Physical factors (water damage, fire and power failure)
- Operation errors
Resource protection when multiple users update the same resource.
-
Recoverable Resources
[Diagram: CICS surrounded by the resources below]
- Auxiliary Temporary Storage
- User Files
- Intrapartition Transient Data
- Databases
-
Notes
You can ask CICS to provide recovery support for the types of resources shown here.
-
Protection and Consistency
[Diagram labels: SAVINGS; CHECKING]
CICS PROGRAM
- Update SAVINGS file by subtracting $300.
- Update CHECKING file by adding $300.
- Unit of work complete or backed out.
-
Notes:
In this example, a customer wants to transfer funds from savings to checking. If CICS did not provide integrity, a transaction abend or system failure could result in the customer losing $300.
Since CICS is a multiuser system, protection is necessary to ensure that a program which changes a resource is in fact the only one making a change.
CICS ensures consistency by backing out all updates unless the entire process completes.
- For a task failure, CICS cancels the failing task only, then backs out (rolls back) any changes.
- For a system failure, the next time you restart, CICS will back out changes for tasks that were in process.
-
Unit of Work
[Diagram labels: Change Request; Recoverable Resource; UOW; In-Flight Task; Syncpoint (Task End or SYNCPOINT Command)]
-
NOTES:
Abbreviations used in the Affinity column
R/W - affinity is caused if the storage area is Read/Write.
L - affinity is caused if the resource is local to one application region, thus not universally accessible.
-
Notes
CICS treats all change activity within a unit of work (UOW) as one recoverable unit.
For recovery purposes, a UOW starts when you make the first request that could change a recoverable resource, and ends when a SYNCPOINT command is issued.
You can back out all change activity within the current UOW using SYNCPOINT ROLLBACK.
CICS automatically syncpoints when a task terminates. All updates are then considered committed.
You can also issue syncpoint commands yourself, so that application program logic determines how many change requests are contained within a single UOW.
-
How CICS Provides Integrity
Locking or enqueueing resources during update
Logging records
- Before update
- After update
Notifying other resource managers when the UOW completes or abends.
- database managers
- partner CICS regions.
-
Notes
Significant changes were made to Recovery in CICS Transaction Server.
MVS and DFSMS handle many of these requirements in CICS TS.
CICS cooperates with recovery of DB2 and DBCTL databases by using a 2-phase commit protocol.
-
VSAM SHARING
SHARE OPTIONS (Cross-region, Cross-system)
[Diagram labels: Cross-Region Sharing; Cross-System Sharing; SYS1; SYSA; SYSB; AS1; AS2; AS3; AS4; VSAM Data]
-
Notes
You can use DISP=OLD in job control to restrict VSAM file access to a single region. More likely, you will use DISP=SHR and VSAM share options to provide sharing across regions:
SHR (1) Any number of readers, or one updater (read integrity).
SHR (2) Any number of readers, and one updater (update integrity).
SHR (3) Any number of readers and updaters (no integrity).
SHR (4) Any number of readers and updaters, with buffer refresh for each request.
-
CICS VSAM Sharing
[Diagram labels: MVS1; MVS2; four CICS AOR regions; CICS FOR; VSAM Data Set]
-
Notes
CICS regions can share VSAM files using function shipping. The file is owned by one region, and all requests for access to the file are passed to that region based on the file definition. This addresses integrity considerations but has limitations:
- Performance overhead for function shipping.
- No sharing with batch regions for concurrent update.
-
Enqueueing
[Diagram: timeline for Key 5 of a recoverable VSAM data set]
Task labels: Task 1 READ (FILEA) UPDATE RID (5); Task 2 READ (FILEA) UPDATE RID (5); Task 1 REWRITE (FILEA) RID (5); Task 1 UOW completes and takes SYNC PT.
Enqueue labels: Grants active enqueue; Hold active enqueue until SYNC PT; Queues request for active enqueue; Frees active enqueue.
-
Notes
CICS enqueues on records during update. In this scenario:
- What happens to task 2 when it tries to read for update?
- If neither task intends to update, what happens?
- If task 2 does not intend to update, what happens?
-
VSAM Record-Level Sharing (1 of 2)
Supported in CICS TS for files managed by DFSMS.
VSAM data shared with integrity within a sysplex
- across CICS regions and MVS images
- with batch read-only jobs.
Levels of read integrity
- uncommitted (dirty read)
- consistent
- repeatable
Update during browse
Eliminates need for file-owning regions
-
Notes
VSAM RLS support is provided primarily by DFSMS and requires a coupling facility.
Full read/write data sharing is supported between CICS regions in a parallel sysplex.
Read integrity can be specified as a command option, but usually would be part of the file definition in CICS.
-
VSAM Record-Level Sharing (2 of 2)
[Diagram labels: MVS 1; MVS 2; CICSA; CICSB; BATCH; SMSVSAM; 2 GB DATA SPACE; (CACHE); (LOCKS); SMS Managed]
-
Notes
VSAM RLS exploits the locking and caching functions of the coupling facility. It is designed to enable VSAM data to be shared with full update capability between applications running in many CICS regions.
-
VSAM RLS Locking
Exclusive Locks
- Active
- Retained
Shared Locks
[Diagram: timeline for Key 5 of a recoverable VSAM data set, with CICS and VSAM]
Task labels: Task 1 READ (FILEA) UPDATE RID (5); Task 2 READ (FILEA) UPDATE RID (5); Task 1 REWRITE (FILEA) RID (5); Task 1 UOW completes and takes SYNC PT.
Enqueue labels: Grants active enqueue; Hold active enqueue until SYNC PT; Queues request for active enqueue; Frees active enqueue.
-
Notes
VSAM supports two lock structures:
Exclusive
- Used to protect updates to data sets.
Shared
- Used to support read integrity. They ensure that a record is not in the process of being updated during a read-only request. Shared locks can be owned by several transactions at a time.
-
Read Integrity with RLS
NO READ INTEGRITY - UNCOMMITTED (Record Y)
- Update
- (No Lock) READ
CONSISTENT READ (Record Y)
- Update, then EOT or sync
- (Shared Lock) READ - WAITS
REPEATABLE READ, CICS ONLY (Record T, Record C, Record A)
- Read shared lock held until end of UOW
- Update waits
-
Notes
CICS supports three new options to provide full read integrity with RLS files. These options can be specified on the file control API, or on the file definition.
No read integrity lets you see the record as it is. This may mean looking at uncommitted data, or that the record is subsequently backed out and therefore never existed. This is how CICS and VSAM work today.
With consistent read integrity, you will always see committed data. A request to read a record would be queued if the record is being updated by another task, if this option is used.
With repeatable read integrity, processing of the record request is the same as for consistent read requests. But the shared lock is held until syncpoint, ensuring that a record read in a UOW cannot be modified while the task makes further read requests.
-
Logging and Journaling CICS/ESA
[Diagram labels: CICS A; Application Programming; System Services; Journal Control; Dynamic Log; Archive Process]
- System Log: DFHJ01A, DFHJ01B
- Forward Recovery Log: DFHJ02A, DFHJ02B
- Autojournal: DFHJ03A, DFHJ03B
- User Journals: DFHJ04A, DFHJ04B
-
Notes
CICS/ESA uses Journal Control System and dynamic logs.
The Dynamic Log, kept in storage, contains records needed to back out a unit of work when a task abends.
The System Log (DFHJ01) contains backout data for use in emergency restart of the region.
Forward Recovery Logs (DFHJxx) provide after-image copies of records in case you need to reconstruct files and repeat updates since the last backup.
Autojournal files also contain forward recovery data, but in a format required by older recovery programs.
Each journal is a separate sequential file and can be allocated to only one region.
-
MVS System Logger CICS TS Monoplex
[Diagram labels: CICSA; CICSB; IXGLOGR; MVS A; CF; Staging Dataset; DFHSM Storage; Tertiary storage; Secondary Storage]
-
Notes
CICS TS replaces the Journal Control of CICS/ESA with a log manager which uses the MVS system logger.
All journal and log activity for all CICS regions in a single MVS image (monoplex) is directed to the logger. Logged records may be stored in a coupling facility or DASD.
Log records can be migrated to secondary storage from the CF, and to tertiary storage by DFHSM.
-
MVS System Logger CICS TS Sysplex
[Diagram labels: CICSA; CICSB; IXGLOGR; MVS A (shown twice); CF; CF Structure]
- CICS A system logstream
- CICS B system logstream
- CICS C system logstream
- CICS D system logstream
- CICS merged logstream
- Forward recovery log for VSAM RLS
-
Notes
With CICS Transaction Server and a coupling facility, the MVS logger provides a common log for backout and forward recovery across multiple MVS images as well as CICS regions. Records may be migrated to secondary or tertiary storage, as shown previously, but the CF provides several benefits that are not possible with DASD-only logging:
- VSAM Record-level sharing (RLS).
- Sharing log streams across MVS images.
- Temporary storage data sharing across CICS and MVS images.
-
Multiple CICS TS Regions
[Diagram labels: CICS A and CICS B, each with App prog, Resource mgr, Recovery mgr, System svcs, FC, LG; VSAM; File A; File B; File C]
- CICS A system log DFHLOG
- CICS B system log DFHLOG
- CICS A system log DFHSHUNT
- CICS B system log DFHSHUNT
- File A/File B forward recovery log DFHJ06
- File C forward recovery log DFHJ08
- CICS A user journal 6 MYJNL6
- CICS B user journal 6 MYJNL6
- CICS A/CICS B journal 6 MYJNL7
- CICS A/CICS B Log of Logs DFHLGLOG
-
Notes
The MVS logger uses CICS definitions to map CICS journals to MVS log streams. The main difference to applications is that the names of some journals have changed, and new journals are added:
- Each CICS region has its own system log (DFHLOG).
- Records for units of work whose outcome (committed or backed out) is in-doubt are shunted to DFHSHUNT. Programs do not access this journal.
- Forward recovery logs automatically provided by CICS (DFHJ06 and DFHJ08 above) are shared across all CICS regions.
- User journals can be given any name provided by the system programmer and may be shared.
- In a sysplex environment, a log-of-logs, shared by all regions is used by CICSVR to provide information that relates CICS
-
Transaction Backout
[Diagram labels: TASK1; TASK2; TASK1; System Log; UOW Records; TASK 1 Update, Update, ABEND; BACKOUT and COMMIT]
-
Notes
CICS uses the system log to back out records for UOWs that fail to reach a commit point.
CICS/ESA writes backout records to both a dynamic log in memory and the system log on disk.
- The dynamic log is used for backout of failing transactions.
- The system log, DFHJ01, handles backout of incomplete UOWs when you emergency restart CICS.
CICS TS needs no dynamic log because all records can be accessed directly from DFHLOG. Once a UOW completes, its backout information is deleted from the log.
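The backout described in these notes, together with the enqueueing and before-image logging from the earlier slides, as a small Python model of the SAVINGS/CHECKING transfer. This is an added example, not CICS code and not part of the original slides; the Task class, the Busy exception and the account data are hypothetical, and a blocked read raises instead of suspending the task.

```python
# Toy model of UOW integrity (added example, not CICS code; names are hypothetical).
class Busy(Exception):
    """Another task holds the enqueue. CICS would suspend; the model raises."""

class Task:
    def __init__(self, files, enq, task_id):
        self.files, self.enq, self.id = files, enq, task_id
        self.log = []  # before-images for the current UOW

    def read_update(self, file, key):
        owner = self.enq.setdefault((file, key), self.id)
        if owner != self.id:
            raise Busy(f"{file}/{key} is enqueued by task {owner}")
        return self.files[file][key]

    def rewrite(self, file, key, value):
        if self.enq.get((file, key)) != self.id:
            raise RuntimeError("REWRITE without READ UPDATE")
        # Log the before-image first, then change the record.
        self.log.append((file, key, self.files[file][key]))
        self.files[file][key] = value

    def _end_uow(self):
        self.log.clear()
        for res in [r for r, o in self.enq.items() if o == self.id]:
            del self.enq[res]  # enqueues are held until the UOW ends

    def syncpoint(self):
        self._end_uow()  # commit: backout data is no longer needed

    def rollback(self):
        for file, key, before in reversed(self.log):
            self.files[file][key] = before  # restore before-images, newest first
        self._end_uow()

def transfer(task, acct, amount, fail_midway=False):
    """Move amount from SAVINGS to CHECKING as one unit of work."""
    try:
        task.rewrite("SAVINGS", acct, task.read_update("SAVINGS", acct) - amount)
        if fail_midway:
            raise RuntimeError("simulated abend between the two updates")
        task.rewrite("CHECKING", acct, task.read_update("CHECKING", acct) + amount)
        task.syncpoint()
        return True
    except RuntimeError:
        task.rollback()
        return False

def demo():
    # Constructed sample data: one customer with two accounts.
    files, enq = {"SAVINGS": {"A1": 1000}, "CHECKING": {"A1": 50}}, {}
    t1, t2 = Task(files, enq, 1), Task(files, enq, 2)
    ok = transfer(t1, "A1", 300, fail_midway=True)
    after_abend = (files["SAVINGS"]["A1"], files["CHECKING"]["A1"])
    t1.read_update("SAVINGS", "A1")  # task 1 now holds the enqueue
    blocked = False
    try:
        t2.read_update("SAVINGS", "A1")
    except Busy:
        blocked = True
    t1.syncpoint()  # frees the enqueue
    ok2 = transfer(t2, "A1", 300)
    return ok, after_abend, blocked, ok2, files, enq
```

Calling demo() shows the failed transfer leaving both balances unchanged, the second task refused while the first holds the enqueue, and the later transfer committing.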
-
Distributed UOW
[Diagram labels: END TASK; Initiator; (Subordinate); Agent; (Coordinator); AOR; FOR; Commit (1); Committed (2); In-doubt window; FILE A]
-
Notes
When you run in a multi-region environment, you may have a unit of work that involves update activity in more than one CICS region. In that case, CICS coordinates commit and backout processing across all affected regions.
In those rare cases where one of the regions fails to confirm that it has completed its commit processing, the UOW is said to be in doubt. In the example above:
- your program issues a RETURN, causing task termination and a syncpoint.
- if you have updated a file in a remote CICS region, the AOR will ask the FOR to commit its updates.
- when the FOR reports that it has committed, the AOR can commit its updates as well.
- from the time the AOR initiates a commit until it receives
-
In-doubt UOW Resolution
CICS/ESA forces immediate decision based on transaction definition.
- When in doubt, back it out, or....
- Go ahead and commit the UOW
CICS TS allows task to wait on partner to resync
- All non-essential resources freed
- Log records diverted to DFHSHUNT
- Locks converted from active to retained
- Access to locked resources receives LOCKED response.
-
Notes
CICS/ESA favours performance over consistency of data because the alternative was to suspend the task until the in-doubt unit of work is resolved.
Improvements in logging and recovery management allow CICS TS to wait for the partner to be restarted, for example, and resync.
- Log records are shunted from DFHLOG to DFHSHUNT for in-doubt UOWs.
- CICS can then free most task resources and unlock the terminal.
- To allow backout later, CICS will retain locks and log records.
- Until resolution either by waiting, backout, or commit, any API call to resources having retained locks will raise the LOCKED exception condition.
-
API Enhancements with CICS TS
Read integrity options on commands or file definition.
UPDATE support during browse.
Read for update with TOKEN for remote files.
LOCKED response raised
- on read commands for recoverable files or queues.
- when requested resource owned by waiting, in-doubt task.
RECOVERY response raised.
- When record is locked by another task.
- and file is using VSAM RLS.
Several ACFx abends for VSAM RLS errors.
-
Notes
CICS TS removes some restrictions on the file operations:
- Read commands or file definition properties can request consistent or repeatable read integrity.
- You can use UPDATE on the READNEXT or READPREV commands and then REWRITE or DELETE the record.
- The TOKEN option, which allows multiple active updates to the same file from one task, has been extended to include files owned by remote regions.
If you use NOSUSPEND, you can test for the LOCKED or RECORDBUSY response. The default action is to suspend the task.
-
Recovery Committed Changes
[Diagram labels: CICS Initialization; 1000 Transactions Update File; Transaction 1001 Finds File Destroyed; CICS Termination; File; File]
-
Notes
So far we have considered the process of backing out uncommitted updates. What happens if an updated file is destroyed?
- Users make 1000 changes to a file successfully.
- Then the file is destroyed, and all changes are lost.
- Either the operators must re-enter the changes, or we must provide some automated form of reapplying their updates.
-
Changes Are Journaled
[Diagram labels: Start Task; Read; Update; Rewrite; After Images; Journal]
-
Note
To provide a way to recover committed updates, the system programmer can request that CICS record after images (the way the record looks after update) to a journal dataset.
If you are a CICS TS user, your journal may be a log stream in your coupling facility.
-
Forward Recovery CICS/ESA
[Diagram labels: File Backup; Restore; Interim File; Journal (Changes Since Last Backup); Forward Recovery Program; Current File]
-
Notes
To bring the file up to date, you need three things:
- A backup copy of the file
- All changes to the file since the backup was taken
- A program to perform forward recovery.
CICS provides the first two items. You must provide the program. One such program, CICS MVS/ESA (CICS VSAM File Recovery MVS/ESA 5695-010), is available from IBM as a program product.
-
Forward Recovery CICS TS
[Diagram labels: RCDS; CICSVR; ISPF; CICS; CICS and CICSVR Managed Files; MVS Log Streams; [SMS/HSM] Backed Up Data Sets; CICS Recovery, Back out, and BWO]
-
Notes
IBM CICS VSAM Recovery MVS/ESA version 2 release 3 recovers your lost or damaged CICS VSAM data. CICSVR is for organizations where the availability and integrity of CICS VSAM data is vital.
RCDS: Recovery Control Data Sets. One of three identical linear VSAM data sets that contain information about the contents of archived and the ISPF dialog interface default values. CICSVR uses this stored information to construct recovery jobs.
-
Long Running UOW
[Diagram: one TASK containing a single UOW with three READ UPDATE / REWRITE pairs, and the LOG RECORDS they produce]
-
Notes
This example shows a task updating several recoverable resources in a single UOW. Although the application may have reasons for such a design, there are potential performance problems with long-running UOWs:
- Storage overhead for the Dynamic Transaction Backout buffer, which must contain all log activity for the entire UOW.
- Backout time.
- Resource locks, since they are held until syncpoint.
- Greater user effort to reenter data after a restart.
-
Short Running UOW
[Diagram: one TASK containing three UOWs, each consisting of READ UPDATE, REWRITE, SYNCPOINT, and the LOG RECORDS they produce]
-
Notes
This example shows the same program broken into multiple short UOWs, each perhaps oriented around a single operator interaction. The performance advantages:
- reduced Dynamic Transaction Backout buffer size and backout time for the UOW.
- resource locks are released at syncpoint.
For long running tasks, consider adding user SYNCPOINT commands.
-
Syncpoint Planning Considerations
Syncpoints should occur at logical breaks in execution
- RECEIVE/SEND sequence
- SEND PAGE if using cumulative mapping
- updates that must be performed together
Syncpoints are automatic at:
- end of task
- DL/I TERM CALL
- RETURN from a DPL server program if SYNCONRETURN specified on link.
-
Notes
If you code explicit SYNCPOINTs, do so at points where the execution flow makes it natural, such as when the program
- Is between terminal interactions
- Ends a BMS logical message via SEND PAGE
There is no need to code a SYNCPOINT in these cases, because CICS does it for you:
- End of task (RETURN from the highest level)
- DL/I TERM CALL
If the client program specifies SYNCONRETURN in a distributed program link command, CICS does a syncpoint to commit the server program's resources. See Recovery Coding in Application Programs in Recovery and Restart Guide.
-
Controlling Unit of Work
Ending the UOW
- EXEC CICS SYNCPOINT
Backing out the UOW
- EXEC CICS SYNCPOINT ROLLBACK
-
Notes
SYNCPOINT commits updates and ends the UOW. Exception conditions:
- INVREQ: the request was issued by a remote server program linked without SYNCONRETURN.
ROLLBACK backs out all changes since the last syncpoint. This is sometimes helpful in a routine that gets control in case of a transaction abend. Exception conditions:
- INVREQ: same as above.
-
ENQ Guidelines
Purpose: Exclusive control while changing a shared resource.
[Diagram labels: TAX RATE; ENQ; READ TAXRATE; Update Rate Table; DEQ or RETURN; RATE TABLE]
-
Notes
Your program or a CICS program can use the ENQ command to serialize access to a resource.
Any subsequent task that enqueues on the same resource is normally suspended until the owner issues a DEQ.
You should never enqueue:
- if CICS already does it for you
- if your program is changing a resource and issues no CICS commands during the process, since tasks only lose control when a CICS command is executed.
Since the enqueued resource is known only to one CICS region, all transactions using the resource must run in the same region.
-
CICS Implicit ENQ
Resource                              Command                      ENQ Argument
VSAM File                             READ UPDATE, WRITE, DELETE   Logical Record
Intrapartition Transient Data Queue   WRITEQ, READQ, DELETEQ       Destination
Temporary Storage Queue               WRITEQ, DELETEQ              Queue name
Local DL/I Database                   ISRT, REPL, DLET             Segment
-
THANKING YOU!