RDF System Management Manual for J-series and H-series RVUs (RDF Update 13)
If you lose your primary system due to an unplanned outage, you connect the remote mirrors to
the standby system, and then initiate a takeover operation on the backup system. Before performing
the takeover, RDF reads the remaining audit records from the remote mirrors, and processes those
audit records. Thus, RDF can read absolutely all of the audit records that were generated on the
primary system prior to the system failure, and no committed data is lost.
NOTE: You must connect the remote mirrors to the standby system before starting the RDF takeover
operation; otherwise, the takeover aborts because RDF cannot find the disks you configured in
RDF for remote mirroring. In such a case, you should connect the disks and then restart the RDF
takeover operation.
If you lose the primary system to a disaster and that disaster does not affect the standby and backup
systems, no committed transactions are lost because RDF on the backup system can fetch all missing
audit records from the remote mirrors. If a regional disaster takes down both the primary and the
standby systems, however, you can still resume business on the backup system but without the ZLT
guarantee. Some transactions committed on the primary system might be lost.
Using CommitHoldMode
If you want absolute ZLT protection, you must configure your audit trails with the
COMMITHOLDMODE attribute set to on. Doing so causes each write to the audit trail to be directed
to the remote audit trail disk first. If that write fails for any reason, TMF activates commit-hold mode.
If CommitHoldMode mode is activated, TMF stops all further commit operations. Because transactions
on the primary system cannot commit or abort while the remote mirror is unavailable, you achieve
ZLT protection if you should lose your primary system while commit-hold mode is activated. When
such an event occurs, however, transaction processing on the primary system effectively stops.
TMF provides another configuration attribute associated with CommitHoldMode:
COMMITHOLDTIMER. If CommitHoldMode is activated, the COMMITHOLDTIMER value specifies
how long you want CommitHoldMode to remain activated and what to do when that time is
reached. The parameters are:
COMMITHOLDTIMER {timeout [ON TIMEOUT {SUSPEND|CRASH}] | -1 }
If timeout is set to a positive value (from 5 seconds to 24 hours) and CommitHoldMode becomes
activated, all commit processing stops until either you correct the problem that caused activation
of COMMITHOLDMODE or the timeout value is reached. If the timeout value is reached, TMF
performs the action specified by the ON TIMEOUT option (SUSPEND or failure).
CommitHoldMode affects transaction processing on your primary system dramatically when a
remote mirror becomes unavailable. If a remote mirror becomes unavailable, you must choose
whether you want ZLT protection or the resumption of transaction processing.
If ZLT protection is critical to your disaster recovery plan, specify ON TIMEOUT CRASH. Crashing
TMF under these circumstances provides ZLT protection.
If it is important to resume transaction processing on the primary system, specify ON TIMEOUT
SUSPEND. Suspending commit-hold mode under these circumstances, however, deprives you of
ZLT protection should you lose the primary system to some unplanned outage.
If you set timeout to -1, TMF maintains an activated commit-hold state indefinitely until you correct
the issue causing the activation, you manually suspend commit-hold mode, or you turn off
commit-hold mode.
The default timeout value is 60 seconds and the default action upon reaching the timeout value is
SUSPEND (which means loss of ZLT protection).
Hardware Setup
To set up RDF for ZLT with remote mirror capability you must have established your hardware setup
first. That is, you must set up remote mirroring for every audit trail volume that relates to the RDF
environment before you configure RDF.
332 Zero Lost Transactions (ZLT)