Applies to:
Oracle Net Services - Version 12.1.0.1 to 12.2.1.2.0 [Release 12.1 to 12.2]Oracle Database - Enterprise Edition - Version 12.2.0.1 to 12.2.0.1 [Release 12.2]
Oracle Database - Enterprise Edition - Version 12.1.0.2 to 12.1.0.2 [Release 12.1]
Oracle Database - Standard Edition - Version 12.2.0.1 to 12.2.0.1 [Release 12.2]
Information in this document applies to any platform.
Symptoms
Following an upgrade to the version 12c database, the following errors are thrown when attempting to connect from remote
clients:
ORA-28040: No matching authentication protocol exception
Changes
This is a new installation of the version 12 database.
Cause
This issue is caused by the default setting for allowed logon version in the 12 database.
Note that the SQLNET.ALLOWED_LOGON_VERSION parameter has been deprecated in 12c.
That parameter has been replaced by these:
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=n
Version 12.1:
The default setting for the new parameters is 11. Any client that attempts to connect must
be at version 11 or higher unless these parameters are explicitly set in the server side sqlnet.ora file.
Version 12.2 note:
The default for the SQLNET.ALLOWED_LOGON_VERSION_SERVER setting has changed in 12.2 from 11 to 12.
See: https://docs.oracle.com/database/122/DBSEG/configuring-authentication.htm#DBSEG33223
Important note for 12.2: If your client is not at least 11.2.0.3 or includes the CPUOCT2012 patch you will not be able
to use the 12 setting.
Typically, the sqlnet.ora file that would be referenced by the database is located in RDBMS_HOME/network/admin.
Solution
Set these parameters at the lowest version level that is required in your environment.
For example: All clients at version 10 or higher would require this setting:
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10
Note that SQLNET.ALLOWED_LOGON_VERSION_CLIENT would be necessary on the server when the database is 'acting' as a client. Such as the case of a database link.
There is no need to restart either the listener or the database after this change. See additional notes below.
See the following reference for more information about these settings.
https://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF2010
1) The sqlnet.ora file that is referenced by the database is located in RDBMS_HOME/network/admin. This is by default. It will not read the sqlnet.ora file in GRID_HOME/network/admin unless TNS_ADMIN is explicitly set to point there.
2) While the version 12 documentation shows settings for this parameter as low as 8, this does not override the rules of Interoperability or Certification. See the following: Note 207303.1 Client / Server Interoperability Support Matrix for Different Oracle Versions.
In other words, setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 8, 9 or 10 does not mean that version of client is going to be fully supported by Oracle Support.
3) Occasionally, we find it is necessary to restart the cluster in a RAC environment. This is atypical but may be necessary. Check the ENV at srvctl and confirm if $TNS_ADMIN is set.
Important change in version 12.2:
The default value is 12 or 12a. Note the following implications of setting the value to 11or 12:
The setting SEC_CASE_SENSITIVE_LOGON=FALSE must not be used. If it is set as FALSE, then user accounts and secure roles become unusable. The SEC_CASE_SENSITIVE_LOGON initialization parameter enables or disables case sensitivity for passwords.
To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords.
See also:
Note 2075401.1 The new Exclusive Mode default for password-based authentication in Oracle 12.2 conflicts with case-insensitive password configurations. All user login fails with ORA-1017 after upgrade to 12.2
https://docs.oracle.com/database/122/NETAG/configuring-profiles.htm#NETAG091
7406
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
