integrity recovery

7/30/2019 Integrity Recovery

1/64

RECOVERY

DAY 3


2/64

Objectives

Integrity concepts.

- locking

- VSAM sharing- logging

- forward recovery

Controlling the unit of the work.

Resource serialization ENQ/DEQ.

Protecting data across multiple tasks.

User journaling.


3/64

INTEGRITY AND RECOVERY


4/64

CICS Integrity Services

UnscheduledInterruptions Resource Protection

CICSFile

By backing outuncommitted changes

By locking resourcesduring change


5/64

Notes

CICS provides:

Protection from unscheduled interruptions

- Program abends- Physical factors (water damage, fire and

power failure)

- Operation errors

Resource protection when multiple users updatethe same resource.


6/64

Recoverable Resources

CICS

AuxiliaryTemporary

Storage

User Files

InterpartitionTransient

Data

Data-bases


7/64

Notes

You can ask CICS to provide recovery supportfor the types of resources shown here.


8/64

Protection and COnsistency

SAVINGS

CHECKING

CICS PROGRAMUpdate SAVINGS fileby subtracting $300.

Update CHECKING fileby adding $300.

Unit of work completeor backed out.


9/64

Notes:

In this example, a customer wants to transfer fundssavings to checking. If CICS did not provide intrgrity, atransaction abend or system failure could result in thecustomer losing $300.

Since CICS is a multiuser system, protection is necessary

to ensure that a program which changes a resource is infact the only one making a change.

CICS ensures consistency by backing out all updatesunless the entire proces completes.

- For a task failure, CICS cancels the failing task only,

then backs out (rolls back) any changes.

- For a system failure, the next time you restart, CICS

will back out changes for tasks that were in process.


10/64

Unit of Works

ChangeRequest

RecoverableResource

UOW

In-Flight Task

Syncpoint(Task End

orSYNCPOINT

Command)


11/64

NOTES :

Abbbreviations used in the Affinity column

R/W - afffinity is caused if the storage area isRead/Write.

L affinity is caused if the resource is local to one

application region,thus not universally accessably.


12/64

Notes

CICS treats all changes activitywithin a unit of work

(UOW) as one recoverable unit. For recovery purposes, a UOW starts when you make

the first request that could changes a recoverableresource, and ends when a SYNCPOINT command isissued.

You can back out all change activity within the currentUOW using SYNCPOINT ROLLBACK.

CICS automatically syncpoints when a task terminates.All updates are then considered committed.

You can also issue syncpoint commands yourself, sothat application program logic determines how manychange requests are contained within a single UOW.


13/64

How CICS Provides Integrity

Locking or enqueueing resources during update

Logging records

- Before update

- After update

Notifying other resources managers when the

UOW completes or abends.- database managers

- partner CICS regions.


14/64

Notes

Siginificant changes were made to Recovery in

CICS transaction Server.

MVS and DFSMS handle many of these

requirements in CICS TS.

CICS cooperates with recovery of DB2 andDBCTL databases by using a 2-phase commitprotocol.


15/64

VSAM SHARING

SHARE OPTIONS(Cross-region, Cross-system)

Cross-Region Sharing Cross-System Sharing

SYS1

VSAM Data VSAM Data

SYSA SYSBSYS1

AS1 AS2AS3 AS4


16/64

Notes

You can use DISP=OLD in job control to restrict VSAM

file access to a single region. More likely, you will useDISP=SHR and VSAM share options to providingsharing across regions:

SHR (1) Any number of readers, or one updater(read integrity).

SHR (2) any number of readers, and one updater

(update interity).

SHR (3) any number of readers and updaters

(no integrity).

SHR (4) any number of readers and updaters,withbuffer refresh for each request.


17/64

CICS VSAM Sharing

MVS1 MVS2

CICSAOR

CICSAOR

CICSFOR

VSAM

CICSAOR

CICSAOR

VASMData Set


18/64

Notes

CICS regions can share VSAM files using functionshopping. The file is owned by one region, and allrequests for access to the files are passed to thatregion based on the file definition. This addressintegrity considerations but has limitations:

performance overhead for fucnction shipping.

No sharing with batch regions for concurrent update.


19/64

Enqueing

s

RecoverableVSAM Data Set

Frees activeenqueue

Task 2READ (FILEA)UPDATERID (5)

Task 1REWRITE(FILEA)RID (5)

Track 1 UOWCompletes andtakes SYNC PT

Grants activequeue enqueue

Key 5


Hold activeenqueue until

SYNC PT

Queues requestfor activeenqueue

Time


20/64

Notes

CICS enqueues on records during update. In this

scenario:

What happens to task 2 when to read for

update?

If neither task intends to update, what happens?

If task 2 does not intend to update, whathappens?


21/64

VSAM Record level sharing ( 1 of 2)

Supported in CICS TS for files managed by

DFSMS.

VSAM data shared with integrity within a sysplex

- across CICS regions and MVS images

- with batch read-only jobs.

Levels of read integrity

- uncommited (dirty read)

- consistent

- repeatable

Update during browse

Eliminates need for file-owning regions

:


22/64

:

VSAM RLS support is provided primarily byDFSMS and requires a coupling facility.

Full read/write data sharing is supported

between CICS regions in a parallel sysplex.

Read integrity can be specified as a command

option, but usually would be part of the filedefinition in CICS.


23/64

VSAM Record-Level Sharing (2 of 2)

MVS 1 MVS 2

2 GBDATA

SPACESMSVSAM

CICSB

BATCH

2 GB

DATASPACE

SMSVSAM

(CACHE)(LOCKS)

CICSB

CICSA

BATCH

SMS Mana ed


24/64

Notes

VSAM RLS exploits the locking and cachingfunctions of the coupling facility. It is designed toenable VSAM data to be shared with full updatecapability between applications running in many

CICS regions.


25/64

VSAM RLS Locking

Exclusive Locks

- Active

- Retained

Shared Locks

RecoverableVSAM Data Set

Frees activeenqueue


Task 1REWRITE(FILEA)RID (5)

Track 1 UOWCompletes andtakes SYNC PT

Grants activequeue enqueue

Key 5


Hold activeenqueue until

SYNC PT

Queues requestfor activeenqueue

Time

CICS

VSAM

N


26/64

Notes

VSAM support two lock structures:

Exclusive

- Used to protect updates to data sets.

Shared

- Used to support read integrity. They insure

that record is not in the process of being

updated during a read-only request.

shared locks can be owned by several

transactions at a time.


27/64

Read Integrity with RLS

s

NO READ INTEGRITY - UNCOMMITED

Record Y

CONSISTENT READ

Record Y

REPEATABLE READ CICS ONLY

Record TRecord CRecord A

Update- (No Lock)

READ

- Update- Then EOT or sync

- (Shared Lock)

- READ - WAITS

- Read shared lock held until end of UOW- Update waits

N


28/64

Notes

CICS support three new options to provide full readintegrity with Rls files. These options can be specified onthe file control API, or on the file definition.

No read integritylets you see the record as it is. This maymean looking at uncommitted data, or that the record is

subsequently backed out and therefore never existed. This ishow CICS and VSAM work today.

With consistent readintegrity, you will always see committeddata. A request to read a record would be queued if the

record is being updated by another task, if this option is used. With repeatable readintegrity, processing of the record

request is the same as for consistent read requests. But theshared lock is held until syncpoint, ensuring that a record readin a UOW cannot be modified while the task makes further

read requests.

L i d J li CICS/ESA


29/64

Logging and Journaling CICS/ESAs

CICS A

Application

Programming

SystemServices

Journal Control

Dynamic Log

System LogDFHJ01A

DFHJ01B

Forward

Recovery LogDFHJ02ADFHJ02B

AutojournalDFHJ03A

DFHJ03B

User JournalsDFHJ04ADFHJ04B

ArchieveProcess

N t


30/64

Notes

CICS/ESA uses Journal Control System and dynamiclogs.

The dynamic Log, kept in storage, cotains recordsneeded to backout a unit of work when a task abends.

The system Log(DFHJ01)contains backout data foruse in emergency restart of the region.

Forward Recovery Logs(DFHJxx)provide after-image copies of records in case you need toreconstruct files and repeat updates since the last

backup. Autojournalfiles also contain forward recovery data,

but in a format required by older recovery programs.

Each journal is a separate sequential file and can be

allocated to only one region.


31/64

MVS System Logger CICS TS Monoplex

CICSA

CICS

B

I

XGLOGR

MVS A

CF

Staging Dataset

DFHSMStorage

Teritory storage

Secondary Storage


32/64

Notes

CICS TS replaces the journal Control of CICS/ESAwith a log manager which uses the MVS system

logger.

All journal and log activity for all CICS regions in asingle MVS image(monoplex) is directed to thelogger. Logged records may be stored in a couplingfacility or DASD.

Log records can be migrated to secondary storagefrom the CF, and to tertiary storage by DFHSM.


33/64

MVS System Logger CICS TS Sysplex

CICSA

CICS

B

I

XGLOGR

MVS A

CICSA

CICS

B

IXGLOGR

MVS A

CICS A system logstream

CICS B system logstream

CICS C system logstream

CICS D system logstream

CF Structure

CF

CICS merged logstreamForward recovery log for

VSAM RLS


34/64

Notes

With CICS transaction server a coupling facility, the MVSlogger provides a comon log for backout and forwardrecovery across multiple MVS images as well as CICSregions. Records may be migrated to secondary or teritorystorage, as shown previously, but the CF provides several

benefits that are not possible with DASD-only logging:

- VSAM Record-level sharing (RLS).

- sharing log streams across MVS images.

- Temporary storage data sharing across CICS and MVS

images.


35/64

Multiple CICS TS Regions

App prog

File A

App prog

CICS A CICS B

Resource mgr

Recovery mgr

System svcs

VSAM

File B

File C

FC

LG

FC

LG

Resource mgr

Recovery mgr

System svcs

CICS A system log DFHLOG

CICS B system log DFHLOGCICS A system log DFHSHUT

CICS B system log DFHSHUT

File A/FileB forward recovery log DFHJ06File C forward recovery log DFHJ08

CICS A user journal 6 MYJNL6

CICS B user journal 6 MYJNL6

CICS A/CICS B journal 6 MYJNL7

CICS A/CICS B Log of Logs DFHLGLOG


36/64

The MVS logger uses CICS definitions to map CICS journalsto MVS log streams. The main difference to applications isthat the names of somes journals have changed, and newjournals are added:

Each CICS region has its own system log (DFHLOG).

Records for units of work whose outcome (commited orbacked out) is in-doubt are shunted to DFHSHUNT.Programs do not access this journal.

Forward recovery logs automatically provided by CICS

(DFHJ06 and DFHJ08 above) are shared across all CICSregions.

User journals can be given any name provided by the systemprogrammer and may be shared.

In a sysplex environment, a log-of-logs, shared by all regions

is used by CICSVR to provide information that relates CICS

Notes


37/64

Transaction Backout

TASK1 TASK1TASK2

System Log

UOWRecords

TASK 1Update Update

ABEND

BACKOUT and COMMIT


38/64

CICS uses the system log to backout records for UOWsthat fail to reach a commit point.

CICS/ESA writes backout records to both a dynamic login memory and the system log on disk.

- The dynamic log is uesd for backout of failing

Transactions.

- The system log, DFHJ01, handles backout of

incomplete UOWs when you emergency restart

CICS. CICS TS needs no dynamic log because all records can

be accessed directly from DFHLOG. Once a UOWcompletes, its backout information is deleted from the

log.

Notes


39/64

Distributed UOW

END TASK

Initiator

(Subordinate)

Agent

(Coordinator)

AOR FORCommit(1)

Commited(2)

In-doubt

window

FILE A


40/64

Notes When you run in a multi-region environment, you may have a

unit of work that involves update activity in more than oneCICS region. In that case, CICS coordinates commit andbackout processing across all affected regions.

In those rare cases where one of the regions fails to confirmthat it has completed its commit processing, the UOW is said

to be in doubt. In the example above:- your program issues a RETURN, causing task

termination and a syncpoint.

- if you have updated a file in a remote CICS region, the

AOR will ask the FOR to commit its updates.

- when the FOR reports that it has commited, the AOR

can commit its updates as well.

- from the time the AOR initiates a commit until it receives

I d b UOW R l i


41/64

CICS/ESA forces immediate decision based on transactiondefinition.

- when doubt, back it out, or....

- Go ahed and commit the UOW

CICS TS allows task to wait on partner to resync

- All non-essential resources freed

- Log records diverted to DFHSHUNT

- Locks converted from active to retained- Access to locked resources receive LOCKED response.

In-doubt UOW Resolution

Notes


42/64

Notes

CICS/ESA favours performance over consistency of data

because the alternative was to suspend the task untilthe in-doubt unit of work is resolved.

Improvements in logging and recovery management allowCICS TS to wait for the partner to be restarted, for example,and resync.

- Log records are shuted form DFHLOG to

DFHSHUNT for in-doubt UOWs.

- CICS can then free most task resources and

unlock the terminal.

- To allow backout later, CICS will retain locks and

log records.

- Until resolution either by waiting, backout, or commit

any API call to resources having retained locks will raise

the Locked exce tion condition.

API Enhancements with CICS TS


43/64

Read integrity options on commands or file definition.

UPDATE support during browse. Read for update with TOKEN for remote files.

LOCKED response raised

- on read commands for recoverable files

or queues.

- when requested resource owned by waiting,

in-doubt task.

RECOVERY response raised.- When record is locked by another task.

- and file is using VSAM RLS.

SeveralACFx

abends for VSAM RLS errors.

API Enhancements with CICS TS

N t


44/64

CICS TS removes some restrictions on the file operations:

- Reads commands or file definition properties can

request consistent or repeatable read integrity.

- You can use UPDATE on the READNEXT or

PREADPREV commands and then REWRITE or

DELETE the record.- The TOKEN option, which allows multiple active

updates to the same file from one task, has been

extended to included files owned by remote regions.

if you use NOSUSPEND, you can test for the LOCKED orRECORDBUSY response. The default action is to suspend

the task.

Notes

Recovery Committed Changes


45/64

Recovery Committed Changes

1000 TransactionsUpdate File

Transaction 1001 FindsFile Destroyed

CICS Initialization CICS Termination

File File

Notes


46/64

Notes

So far we have considered the process of backing outuncommitted updates. What happens if an updated file isdestroyed?

Users make 1000 changes to a file successfully.

Then the file destroyed, and all changes are lost.

Either the operators must re-enter the changes, or wemust provide some automated form of reapplying theirupdates.

Changes Are Journaled


47/64

Changes Are Journaled

s

StartTask

Read

Update

Rewrite

AfterImages

Journal

Note


48/64

Note

To provide a way to recover committed updates,

the system programmer can request that CICSrecord after images (the way the record looksafter update) to a journal dataset.

If you are a CICS TS user, your journal may be alog stream in your coupling facility.

Forward Recovery CICS/ESA


49/64

Forward Recovery CICS/ESA

Restore

CurrentFile

Journal(ChangesSince LastBackup

ForwardRecoveryProgram

FileBackup

InterimFile

Notes


50/64

Notes

To bring the file up to date, you need three things:

- A backup copy of the file- All changes to the file since the backup was taken

- A program to perform forward recovery.

CICS provides the first two items. You must provide theprogram. One such program, CICS MVS/ESA (CICS VSAMFile Recovery MVS/ESA 5695- 010), is available from IBMas a program product.

Forward Recovery CICS TS


51/64

Forward Recovery CICS TSs

RCDSCICSVR

ISPF

CICS

CICS And CICSVRManaged Files

MVS LOG Streams

[SMS/HSM]

Backed UPData SetsCICS Recovery, Back out

, and BWO

Notes


52/64

Notes

IBM CICS VSAM recovery MVS/ESA version 2 release 3recovers yours lost or damaged CICS VSAM data. CICSVR

is for the organizations where the availability and integrity ofCICS VSAM data is vital.

RCDS Recovery Control Data sets. One of three identical

linear VSAM data sets that contain information about thecontents of archived and the ISPF dialog interface defaultvalues. CICSVR uses this stored information to constructrecovery jobs.

Long-Running UOW


53/64

Long Running UOW

s

READ UPDATE

READ UPDATE

REWRITE

REWRITE

READ UPDATE

REWRITE

UOW

TASK

LOG RECORDS

Notes


54/64

Notes

This example shows a task updating several

recoverable resources in a single UOW, althoughthe application may have reasons for such adesign, there are potential performance problemswith long-running UOWs.

Storage overhead for the Dynamic TransactionsBackout buffer, which must contain all log activityfor the entire UOW.

Backout time. Resources locks, since they are held until

syncpoint.

Greater user effort to reenter data after a restart.

Sh t R i UOW


55/64

Short Running UOW

s

UOW

UOW

UOW

TASK

LOG RECORDS

READ UPDATEREWRITESYNCPOINT



Notes


56/64

Notes

This program shows the same program with the

broken into multiple short UOWs, each perhapsoriented around a single operator interaction.The performance advantages:

- reduced Dynamic Transaction Backoutbuffer size and backout time for the UOW.

- resource locks are related at syncpoint.

For long running tasks, consider adding userSYNCPOINT commands.

Syncpoint Planning Considerations


57/64

Syncpoint Planning Considerations

Syncpoints should occur at logical breaks inexecution

- RECEIVE/SEND sequence

- SEND PAGE if using cumulative mapping

- updates that must be performed together

Syncpoints are automatic at:

- end of task

- DL/I TERM CALL

- RETURN from a DPL server program if

SYNCONRETURN s ecified on link.

Notes


58/64

Notes

If you code explicit SYNCPOINTs, do so at points wherethe execution flow makes it natural, such as when theprogram

Is between terminal interactions

Ends a BMS logical message via SEND PAGE

There is no need to code a SYNCPOINT in these cases,because CICS does it for you:

End of task (RETURN from the highest level)

DL/I TERM CALL

If the client program specifies SYNCONRETURN in adistributed program Link command, CICS does asyncpoint to commit the server programs resources. SeeRecovery Coding in Application Programs in Recovery

and Restart Guide.

Controlling Unit of Work


59/64

Controlling Unit of Work

Ending the UOW

- EXEC CICS SYNCPOINT

Backing out the UOW

- EXEC CICS SYNCPOINT ROLLBACK

Notes


60/64

otes

SYNCPOINT commits updates and ends the UOW.Exception conditions.

INVERQ the request was issued by a remote serverprogram linked without SYNCPOINTRETURN.

ROLLBACK backs out all changes since the last

syncpoint. This is sometimes helpful in a routine thatgets control in case of a transaction abend. Exceptionconditions:

INVERQ same as above.

ENQ Guidelines


61/64

Q Gu de es

Purpose: Exclusive control while changing a shared resources.

TAX RATE

ENDREAD TAXRATEUpdate Rate Table

DEQ or RETURN

RATE TABLE

Notes


62/64

Your program or a CICS program can use the ENQ

command to serialize access to a resource. Any subsequent task that enqueues on the same

resource is normally suspended until the owner issues aDEQ.

You should never enqueue:- if CICS already does it for you

- if your program is changing a resource and issues

no CICS commands during the process, since

since tasks only lose control when a CICS

command is executed.

Since the enquened resources is known only to oneCICs region, all transactions using the resource must run

in the same region.

CICS Implicit ENQ


63/64

p

Resource Command ENQ Argument

VSAM File READ UPDATE

WRITEDELETE

Logical

Record

Intrapartition

Transient

Data Queue

WRITEQ

READQ

DELETEQ

Destination

TemporaryStorage

Queue

WRITEQDELETEQ Queue name

Local DL/I

Database

ISRT

REPL

DLET

Segment


64/64

THANKING YOU!

integrity recovery

Documents