【故障处理】ORA-28040: No matching authentication protocol
【故障处理】ORA-28040: No matching authentication protocol
1.1 BLOG文档结构图
1.2 前言部分
1.2.1 导读和注意事项
各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学到一些其它你所不知道的知识,~O(∩_∩)O~:
① 告警日志中频繁出现Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter、ORA-28040: No matching authentication protocol错误,9i的客户端连接到12c高版本的解决方案
② Windows下使用oerr命令
Tips:
① 本文在itpub(http://blog.itpub.net/26736162)、博客园(http://www.cnblogs.com/lhrbest)和微信公众号(xiaomaimiaolhr)上有同步更新。
② 文章中用到的所有代码、相关软件、相关资料及本文的pdf版本都请前往小麦苗的云盘下载,小麦苗的云盘地址见:http://blog.itpub.net/26736162/viewspace-1624453/。
③ 若网页文章代码格式有错乱,请下载pdf格式的文档来阅读。
④ 在本篇BLOG中,代码输出部分一般放在一行一列的表格中。
本文如有错误或不完善的地方请大家多多指正,ITPUB留言或QQ皆可,您的批评指正是我写作的最大动力。
1.3 故障分析及解决过程
1.3.1 故障环境介绍
|
项目 |
source db |
|
db 类型 |
RAC |
|
db version |
12.1.0.2.0 |
|
db 存储 |
ASM |
|
OS版本及kernel版本 |
SuSE Linux Enterprise Server(SLES 11) 64位 |
1.3.2 故障发生现象及报错信息
告警日志中频繁出现Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter。
或JDBC连接Oracle12c报如下错误:
|
Caused by: java.sql.SQLException: ORA-28040: No matching authentication protocol at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112) at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331) at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:283) at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:278) at oracle.jdbc.driver.T4CTTIoauthenticate.receiveOsesskey(T4CTTIoauthenticate.java:294) at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:357) at oracle.jdbc.driver.PhysicalConnection.(PhysicalConnection.java:441) at oracle.jdbc.driver.T4CConnection.(T4CConnection.java:165) at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:35) at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:801) at java.sql.DriverManager.getConnection(DriverManager.java:582) at java.sql.DriverManager.getConnection(DriverManager.java:154) |
或者使用9i的客户端去连接12c的数据库就会报ORA-28040: No matching authentication protocol这个错误。
1.3.3 故障分析及解决过程
使用oerr命令来查看,在Oracle 11g下:
|
[oracle@orcltest ~]$ oerr ora 28040 28040, 0000, "No matching authentication protocol" // *Cause: No acceptible authentication protocol for both client and server // *Action: Administrator should set SQLNET_ALLOWED_LOGON_VERSION parameter // on both client and servers to values that matches the minimum // version supported in the system. [oracle@orcltest ~]$ |
12c下:
|
oracle@HQsPSL-PSCV-R02:/oracle/app/oracle> oerr ora 28040 28040, 0000, "No matching authentication protocol" // *Cause: There was no acceptable authentication protocol for // either client or server. // *Action: The administrator should set the values of the // SQLNET.ALLOWED_LOGON_VERSION_SERVER and // SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameters, on both the // client and on the server, to values that match the minimum // version software supported in the system. // This error is also raised when the client is authenticating to // a user account which was created without a verifier suitable for // the client software version. In this situation, that account's // password must be reset, in order for the required verifier to |
可以看到,该参数在11g和12c下的解决方案是不同的。
查询了一下参数SQLNET.ALLOWED_LOGON_VERSION,发现该参数在12c中以废弃,而是采用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替。
客户说是之前碰到了ORA-28040: No matching authentication protocol的错误才加上该参数的。
解决:在Oracle用户(不是grid用户)下,将$ORACLE_HOME/network/admin/sqlnet.ora文件原来的SQLNET.ALLOWED_LOGON_VERSION=8注释掉(如果没有sqlnet.ora文件,那么就创建一个),修改为如下的行:
|
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8 SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8 |
不用重启数据库或者监听,也不用重启应用。
区别如下:
SQLNET.ALLOWED_LOGON_VERSION_SERVER:控制可以连接到12c数据库的客户端版本(client --->orace 12c db )
SQLNET.ALLOWED_LOGON_VERSION_CLIENT:控制12c数据库可以连到哪些版本的数据库(orace 12c db --->其它版本的oracle db),例如:控制通过DB LINK可连接到哪些版本的oracle库。
所以,该案例中主要起作用的是需要配置SQLNET.ALLOWED_LOGON_VERSION_SERVER。
特别需要注意:
(1)如果是RAC,因为RAC是使用grid的监听器,因此很多人以为是在“/u02/app/12.1.0/grid/network/admin/sqlnet.ora” 加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”,其实这是错的,而是仍然在$ORACLE_HOME/network/admin/sqlnet.ora加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”
(2)上面所说的版本,是指dba_users.password_versions的版本。
在Oracle 12c中,虽然在sqlnet.ora加SQLNET.ALLOWED_LOGON_VERSION=8可以解决问题,但由于这个参数在12c已经废弃了,而是用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替。如果继续使用该参数,会在告警日志中无穷无尽的报“Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter.”,如下所示:
另外,对于JDBC的报错也可以下载支持oracle12c的jdbc驱动jar包。链接:http://www.oracle.com/technetwork/database/features/jdbc/jdbc-drivers-12c-download-1958347.html
注:本地jdk版本为1.6,则下载ojdbc6.jar;jdk版本为1.7,则下载ojdbc7.jar
如下图所示:
也可以在在ORACLE安装目录lib库目录下载ojdbc7.jar包,然后把这个ojdbc7.jar加载到开发环境中。
|
[oracle@orcltest dbhome_1]$ ll $ORACLE_HOME/jdbc/lib/ojdbc* -rw-r--r-- 1 oracle oinstall 3447295 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5dms_g.jar -rw-r--r-- 1 oracle oinstall 2617019 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5dms.jar -rw-r--r-- 1 oracle oinstall 3425922 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5_g.jar -rw-r--r-- 1 oracle oinstall 2095661 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5.jar -rw-r--r-- 1 oracle oinstall 4486070 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6dms_g.jar -rw-r--r-- 1 oracle oinstall 3327656 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6dms.jar -rw-r--r-- 1 oracle oinstall 4462913 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6_g.jar -rw-r--r-- 1 oracle oinstall 2714016 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6.jar [oracle@orcltest dbhome_1]$ |
1.3.4 官方文档及MOS的解释
有关该问题,MOS上有很多文档可以供参考。
http://docs.oracle.com/database/121/UPGRD/deprecated.htm#UPGRD60010
12c Database Alert.log File Shows The Message: Using Deprecated SQLNET.ALLOWED_LOGON_VERSION Parameter (文档 ID 2111876.1)
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |
| References |
APPLIES TO:
Oracle Configuration Controls Governor - Version 5.5.1 and later
Information in this document applies to any platform.
SYMPTOMS
On 12c database, the alert.log file shows the following message:
"Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter".
CHANGES
Customer upgraded to 12c database and added the following parameter in sqlnet.ora file based on the latest CCG Install Guide (CCG_Install_Guide_20150824_E25675_04.pdf).
SQLNET.ALLOWED_LOGON_VERSION
=================
SAMPLE sqlnet.ora FILE:
$ cat sqlnet.ora
# SQLNET.ORA Network Configuration File
" "
#TRACE_LEVEL_SERVER=user
SQLNET.ALLOWED_LOGON_VERSION=8
------------------------------------------
CAUSE
The Database is reporting these messages because the "SQLNET.ALLOWED_LOGON_VERSION" parameter is no longer valid (with 12c).
However, this is "required" by CCG application: CCG_Install_Guide_20150824_E25675_04.pdf
The SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated in Oracle Database 12c.
This parameter has been replaced with two new Oracle Net Services parameters:
SQLNET.ALLOWED_LOGON_VERSION_SERVER
SQLNET.ALLOWED_LOGON_VERSION_CLIENT
SOLUTION
In order to suppress these messages in the alert log of the database, you need to use the new parameters for the 12c database.
STEPS:
1. Edit the sqlnet.ora file of the 12c database. (This needs be done on each database on 12c). So for example if both your EBS and CCG databases are on 12c, you need to do this on each sqlnet.ora file. Typically, the sqlnet.ora file that would be referenced by the database is located in RDBMS_HOME/network/admin
2. Remove or comment the following entry.
SQLNET.ALLOWED_LOGON_VERSION
3.You need to follow the instructions below:
3a. Add the following two new Oracle Net Services parameters:
SQLNET.ALLOWED_LOGON_VERSION_SERVER = n
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = n
Specify the value for 'n' based on your own environment. The default setting for the new parameters is 11. Any client that attempts to connect must be at version 11 or higher unless these parameters are explicitly set in the server side sqlnet.ora file.
3b. For example: Set these parameters at the lowest version level that is required in your environment.
The example shpow below shows the following: All clients at version 10 or higher would require this setting:
SQLNET.ALLOWED_LOGON_VERSION_SERVER=10
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10
3c. Note that SQLNET.ALLOWED_LOGON_VERSION_CLIENT would be necessary on the server when the database is 'acting' as a client. Such as the case of a database link as in the case of CCG applications.
3d. Even though the parameter value implies Oracle version 10 the internal check is really against the authentication protocol 'SHA-1'
3e. For CCG, you can just set the parameter value to 10, since SHA-2 is currently not certified with CCG.
3e. See the following reference for more information about these settings.
https://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF2010
4. For setting up the values for step 3, you can also refer to the additional info section at the end of the note.
4. Bounce the database.
5. Bounce the application server.
=================
SQLNET.ALLOWED_LOGON_VERSION_CLIENT
Purpose
To set the minimum authentication protocol allowed for clients, and when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.
Usage Notes
The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error.
See Also:
Oracle Database Security Guide
Values
12a for Oracle Database 12c Release 1 (12.1) release 12.1.0.2 or later
12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)
11 for Oracle Database 11g authentication protocols (default)
10 for Oracle Database 10g authentication protocols
8 for Oracle8i authentication protocol
Default
11
Example
If an Oracle Database 12c database hosts a database link to an Oracle Database 10g database, then the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter should be set as follows in order for the database link connection to proceed:
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10
SQLNET.ALLOWED_LOGON_VERSION_SERVER
Purpose
To set the minimum authentication protocol allowed when connecting to Oracle Database instances.
Usage Notes
The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
If the client version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.
See Also:
Oracle Database Security Guide
A setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, 11G, and 12C.
A SQLNET.ALLOWED_LOGON_VERSION_SERVER setting of 12a permits only the 12C password version.
A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS value on the server for that account.
Note the following implications of setting the value to 12 or 12a:
The setting SEC_CASE_SENSITIVE_LOGON=FALSE must not be used because case insensitivity requires the use of the 10G password version. If it is set as FALSE, then user accounts and secure roles become unusable because Exclusive Mode excludes the use of the 10G password version. The SEC_CASE_SENSITIVE_LOGON initialization parameter enables or disables case sensitivity for passwords.
Note:
The use of the Oracle instance initialization parameter SEC_CASE_SENSITIVE_LOGON is deprecated in favor of setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 12 or 12a to ensure that passwords are treated in a case-sensitive fashion.
To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords. The new passwords are case sensitive. When an account password is changed, the earlier 10G case-insensitive password version is automatically removed.
Releases of OCI clients earlier than Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.
If the client uses Oracle9i Database, then the client will receive an ORA-03134 error message. To allow the connection, set the SQLNET.ALLOWED_LOGON_VERSION_SERVER value to 8. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. It may be necessary to reset the password for that account.
Note the following implication of setting the value to 12a:
When an account password is changed, the earlier 10G case-insensitive password version and the 11G password version are both automatically removed.
The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.
The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.
O7L_MR: The ability to perform the Oracle Database 10g authentication protocol using the 12C password version.
O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.
O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.
O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.
O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.
A higher ability is more recent and secure than a lower ability. Clients that are more recent have all the capabilities of the older clients.
The following table describes the allowed values, password versions, and descriptions:
Value of the ALLOWED_LOGON_VERSION_SERVER Parameter Generated Password Version Ability Required of the Client Meaning for Clients
12aFoot 1 12C O7L_MR Only Oracle Database 12c release 12.1.0.2 or later clients can connect to the server.
12Foot 2 11G, 12C O5L_NP Only clients which have applied critical patch update CPUOct2012 or later, or release 11.2.0.3 clients with an equivalent update can connect to the server.
11 10G, 11G, 12C O5L Clients using Oracle Database 10g and later can connect to the server.
Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.
10 10G, 11G, 12C O5L Clients using Oracle Database 10g and later can connect to the server.
Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.
9 10G, 11G, 12C O4L Oracle9i Database or later clients can connect to the server.
8 10G, 11G, 12C O3L Oracle8i Database and later clients can connect to the server.
Footnote 1 This is considered "Exclusive Mode" because it excludes the use of both 10G and 11G password versions.
Footnote 2 This is considered "Exclusive Mode" because it excludes the use of the 10G password version.
Values
12a for Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection)
12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)
11 for Oracle Database 11g authentication protocols (default)
10 for Oracle Database 10g authentication protocols
9 for Oracle9i Database authentication protocol
8 for Oracle8i Database authentication protocol
Default
11
Example
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
=======================
1) The sqlnet.ora file that is referenced by the database is located in RDBMS_HOME/network/admin. This is by default. It will not read the sqlnet.ora file in GRID_HOME/network/admin unless TNS_ADMIN is explicitly set to point there.
2) While the version 12 documentation shows settings for this parameter as low as 8, this does not override the rules of Interoperability or Certification. See the following: Note 207303.1 Client / Server Interoperability Support Matrix for Different Oracle Versions.
In other words, setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 8, 9 or 10 does not mean that version of client is going to be fully supported by Oracle Support.
REFERENCES
NOTE:1304142.1 - 11g and Older: How To Use the Parameter SQLNET.ALLOWED_LOGON_VERSION Correctly
BUG:11845659 - SQLNET.ALLOWED_LOGON_VERSION NEEDS CLEARER DOCUMENTATION
NOTE:402193.1 - How to Allow Login to Database Based on the Client Version
Error "ORA-28040: No matching authentication protocol" When Using SQLNET.ALLOWED_LOGON_VERSION (文档 ID 755605.1)
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |
| References |
APPLIES TO:
JDBC - Version 10.1.0 to 12.1.0.2.0
Information in this document applies to any platform.
SYMPTOMS
When using the property "SQLNET.ALLOWED_LOGON_VERSION=10" set in the file sqlnet.ora on the server side, a 10g JDBC thin driver connecting to this 10g oracle database, fails with following errors:
The Network Adapter could not establish the connection
....
ORA-28040: No matching authentication protocol
.
CHANGES
Configuring SQLNET.ORA on the server side.
CAUSE
BUG 6051243 - ORA-28040: WHEN LISTENER USES SQLNET.ALLOWED_LOGON_VERSION
A 10.2 thin jdbc driver is identifying itself as 8.1.5 client and hence the connection is failing with error ORA-28040: No matching authentication protocol
SOLUTION
To resolve the above issue you may implement any one of the following :-
- Change the entry in sqlnet.ora file on the server machine:
from:
SQLNET.ALLOWED_LOGON_VERSION=10
to:
SQLNET.ALLOWED_LOGON_VERSION=8
OR
- Use the OCI driver instead of the THIN driver. The OCI driver identifies itself correctly as a 10.2 client and thus the connection succeeds.
OR
- If you are using 10.2.0.4 or 10.2.0.5 version of the driver then, you may download Patch:6779501 from My Oracle Support.
OR
- If you are using 10.1.0.5.0 version of the driver then, you may download Patch:6505927 from My Oracle Support.
OR
- Use JDBC 11g THIN driver or later.
Note:
If using Oracle Database 12c, please see:
Home / Database / Oracle Database Online Documentation 12c Release 1 (12.1) / Installing and Upgrading
Database Upgrade Guide
8 Deprecated and Desupported Features for Oracle Database 12c
8.3.5 Deprecation of SQLNET.ALLOWED_LOGON_VERSION Parameter
If you are upgrading a system that did not have a SQLNET.ALLOWED_LOGON_VERSION parameter setting (that is, it was using the default 8), then you might need to set the value of the SQLNET.ALLOWED_LOGON_VERSION_SERVER to 8 in the upgraded Oracle Database 12c server to maintain compatibility with clients on earlier releases. Otherwise, if no setting for SQLNET.ALLOWED_LOGON_VERSION_SERVER (or the deprecated SQLNET.ALLOWED_LOGON_VERSION) parameter is made in the upgraded Oracle Database 12c server, then the new default value becomes 11 in the new Oracle Database 12c.
REFERENCES
BUG:6051243 - ORA-28040: WHEN LISTENER USES SQLNET.ALLOWED_LOGON_VERSION
8.3.5 Deprecation of SQLNET.ALLOWED_LOGON_VERSION Parameter
The SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated in Oracle Database 12c. This parameter has been replaced with two new Oracle Net Services parameters:
SQLNET.ALLOWED_LOGON_VERSION_SERVER(See Oracle Database Net Services Reference for information)SQLNET.ALLOWED_LOGON_VERSION_CLIENT(See Oracle Database Net Services Reference for information)
See Also:
8.3.5.1 Upgrading a System that Did Not Have SQLNET.ALLOWED_LOGON_VERSION Parameter Setting
If you are upgrading a system that did not have a SQLNET.ALLOWED_LOGON_VERSION parameter setting (that is, it was using the default 8), then you might need to set the value of theSQLNET.ALLOWED_LOGON_VERSION_SERVER to 8 in the upgraded Oracle Database 12c server to maintain compatibility with clients on earlier releases. Otherwise, if no setting forSQLNET.ALLOWED_LOGON_VERSION_SERVER (or the deprecated SQLNET.ALLOWED_LOGON_VERSION) parameter is made in the upgraded Oracle Database 12c server, then the new default value becomes 11 in the new Oracle Database 12c.
The effect of the new default value of 11 for SQLNET.ALLOWED_LOGON_VERSION_SERVER in Oracle Database 12c is that clients using Oracle Database release 10g and later can connect to the Oracle Database 12c server. Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10g password version.
Using a setting of 12 is most secure. However, this setting only permits Oracle Database 12c clients to connect.
See Also:
Oracle Database Readme for the topic "Protection Against Password-Guessing Attacks" and Oracle Database Net Services Reference for information aboutSQLNET.ALLOWED_LOGON_VERSION_SERVER
SQLNET.ALLOWED_LOGON_VERSION_CLIENT
Purpose
To set the minimum authentication protocol allowed for clients, and when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.
Usage Notes
The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error.
See Also:
Values
12afor Oracle Database 12c Release 1 (12.1) release 12.1.0.2 or later12for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)11for Oracle Database 11g authentication protocols (default)10for Oracle Database 10g authentication protocols8for Oracle8i authentication protocol
Default
11
Example
If an Oracle Database 12c database hosts a database link to an Oracle Database 10g database, then the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter should be set as follows in order for the database link connection to proceed:
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10
SQLNET.ALLOWED_LOGON_VERSION_SERVER
Purpose
To set the minimum authentication protocol allowed when connecting to Oracle Database instances.
Usage Notes
The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
If the client version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.
See Also:
A setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, 11G, and 12C.
A SQLNET.ALLOWED_LOGON_VERSION_SERVER setting of 12a permits only the 12C password version.
A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS value on the server for that account.
Note the following implications of setting the value to 12 or 12a:
The setting
SEC_CASE_SENSITIVE_LOGON=FALSEmust not be used because case insensitivity requires the use of the10Gpassword version. If it is set asFALSE, then user accounts and secure roles become unusable because Exclusive Mode excludes the use of the10Gpassword version. TheSEC_CASE_SENSITIVE_LOGONinitialization parameter enables or disables case sensitivity for passwords.Note:
The use of the Oracle instance initialization parameter
SEC_CASE_SENSITIVE_LOGONis deprecated in favor of setting theSQLNET.ALLOWED_LOGON_VERSION_SERVERparameter to12or12ato ensure that passwords are treated in a case-sensitive fashion.To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords. The new passwords are case sensitive. When an account password is changed, the earlier
10Gcase-insensitive password version is automatically removed.Releases of OCI clients earlier than Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.
If the client uses Oracle9i Database, then the client will receive an
ORA-03134error message. To allow the connection, set theSQLNET.ALLOWED_LOGON_VERSION_SERVERvalue to8. Ensure theDBA_USERS.PASSWORD_VERSIONSvalue for the account contains the value10G. It may be necessary to reset the password for that account.
Note the following implication of setting the value to 12a:
When an account password is changed, the earlier
10Gcase-insensitive password version and the11Gpassword version are both automatically removed.
The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.
The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.
O7L_MR: The ability to perform the Oracle Database 10g authentication protocol using the12Cpassword version.O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the11Gpassword version, and generating a session key encrypted for critical patch update CPUOct2012.O5L: The ability to perform the Oracle Database 10g authentication protocol using the10Gpassword version.O4L: The ability to perform the Oracle9i database authentication protocol using the10Gpassword version.O3L: The ability to perform the Oracle8i database authentication protocol using the10Gpassword version.
A higher ability is more recent and secure than a lower ability. Clients that are more recent have all the capabilities of the older clients.
The following table describes the allowed values, password versions, and descriptions:
| Value of the ALLOWED_LOGON_VERSION_SERVER Parameter | Generated Password Version | Ability Required of the Client | Meaning for Clients |
|---|---|---|---|
12aFoot 1 |
12C |
O7L_MR |
Only Oracle Database 12c release 12.1.0.2 or later clients can connect to the server. |
12Foot 2 |
11G, 12C |
O5L_NP |
Only clients which have applied critical patch update CPUOct2012 or later, or release 11.2.0.3 clients with an equivalent update can connect to the server. |
11 |
10G, 11G, 12C |
O5L |
Clients using Oracle Database 10g and later can connect to the server.
Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the |
10 |
10G, 11G, 12C |
O5L |
Clients using Oracle Database 10g and later can connect to the server.
Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the |
9 |
10G, 11G, 12C |
O4L |
Oracle9i Database or later clients can connect to the server. |
8 |
10G, 11G, 12C |
O3L |
Oracle8i Database and later clients can connect to the server. |
Footnote 1 This is considered "Exclusive Mode" because it excludes the use of both 10G and 11G password versions.
Footnote 2 This is considered "Exclusive Mode" because it excludes the use of the 10G password version.
Values
12afor Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection)12for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)11for Oracle Database 11g authentication protocols (default)10for Oracle Database 10g authentication protocols9for Oracle9i Database authentication protocol8for Oracle8i Database authentication protocol
Default
11
Example
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
1.3.4.1 12c中弃用和不支持的特性
https://docs.oracle.com/database/121/UPGRD/deprecated.htm#BABEDDGA
1.4 ORA-28040故障模拟
小麦苗有7、8、9、10、11、12c的数据库,所以顺便模拟一下这个错误。
服务端为12c的数据库,客户端为9i,我们在客户端尝试连接12c的数据库:
|
Microsoft Windows [版本 10.0.10240] (c) 2015 Microsoft Corporation. All rights reserved. D:\Users\xiaomaimiao>set ORACLE_HOME=D:\Program_files\u01\app\oracle\product\ora92 D:\Users\xiaomaimiao>set ora ORACLE10G=D:\Program files\app\oracle\product\10.2.0\db_1 ORACLE11G=D:\Program_files\u01\app\oracle\product\11.2.0.1\dbhome_1 ORACLE8I=D:\Program files\app\oracle\product\ora8i ORACLE_HOME=D:\Program_files\u01\app\oracle\product\ora92 D:\Users\xiaomaimiao>cd %ORACLE_HOME%/bin D:\Program_files\u01\app\oracle\product\ora92\bin>sqlplus -v SQL*Plus: Release 9.2.0.1.0 - Production D:\Program_files\u01\app\oracle\product\ora92\bin>tnsping ora12c TNS Ping Utility for 32-bit Windows: Version 9.2.0.1.0 - Production on 19-DEC-2016 17:44:59 Copyright (c) 1997 Oracle Corporation. All rights reserved. Used parameter files: D:\Program_files\u01\app\oracle\product\ora92\network\admin\sqlnet.ora Used TNSNAMES adapter to resolve the alias Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.59.128)(PORT = 1521))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = lhrdb12c))) OK (10 msec) D:\Program_files\u01\app\oracle\product\ora92\bin>sqlplus lhr/lhr@ora12c SQL*Plus: Release 9.2.0.1.0 - Production on Mon Dec 19 17:45:07 2016 Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved. ERROR: ORA-28040: No matching authentication protocol Enter user-name: |
可以看到报ORA-28040: No matching authentication protocol的错误。
我们在服务端的$ORACLE_HOME/network/admin/sqlnet.ora添加如下的行:
|
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8 SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8 |
重新尝试连接:
|
D:\Program_files\u01\app\oracle\product\ora92\bin>sqlplus lhr/lhr@ora12c SQL*Plus: Release 9.2.0.1.0 - Production on Mon Dec 19 17:51:54 2016 Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options SQL> |
可以看到已经正常连接了。
如果将服务端的$ORACLE_HOME/network/admin/sqlnet.ora中的SQLNET.ALLOWED_LOGON_VERSION_SERVER=8和SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8注释掉,而换成SQLNET.ALLOWED_LOGON_VERSION=8,如下:
|
SQLNET.ALLOWED_LOGON_VERSION=8 # SQLNET.ALLOWED_LOGON_VERSION_SERVER=8 # SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8 |
尝试连接数据库:
|
D:\Program_files\u01\app\oracle\product\ora92\bin>sqlplus lhr/lhr@ora12c SQL*Plus: Release 9.2.0.1.0 - Production on Mon Dec 19 17:56:29 2016 Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options SQL> |
可以正常连接,但是查看告警日志的时候有如下的输出:Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter. 而且,每连接一次数据库就输出一行该数据,和我们之前分析的问题是一致的。
1.5 Windows下使用oerr命令
由于客户的环境是12c Linux的,而自己没有12c的Linux环境,安装较为麻烦,索性就安装了一个Windows版本的。结果执行oerr ora 的时候报错了:
|
C:\Users\xiaomaimiao>oerr ora 10041 oerr: Cannot access the message file E:\app\oracle\product\12.1.0\dbhome_1\rdbms\mesg\oraus.msg No such file or directory C:\Users\xiaomaimiao>oerr ora 01555 oerr: Cannot access the message file E:\app\oracle\product\12.1.0\dbhome_1\rdbms\mesg\oraus.msg No such file or directory |
经查看报错的文件(E:\app\oracle\product\12.1.0\dbhome_1\rdbms\mesg\oraus.msg)的确没有,而且任何*.msg文件都不存在,那就从12c的Linux下把相关的$ORACLE_HOME/rdbms/mesg/*.msg文件都拷贝到Windows的环境下:
|
[oracle@orcltest mesg]$ pwd /u02/app/oracle/product/11.2.0/dbhome_1/rdbms/mesg [oracle@orcltest mesg]$ ll *.msg -rw-r--r-- 1 oracle oinstall 4070 Jul 25 2008 amduus.msg -rw-r--r-- 1 oracle oinstall 6298 Apr 14 2011 asmcmdus.msg -rw-r--r-- 1 oracle oinstall 5886 Aug 3 2007 dbvus.msg -rw-r--r-- 1 oracle oinstall 23309 Jan 28 2010 dgmus.msg -rw-r--r-- 1 oracle oinstall 175881 May 11 2011 diaus.msg -rw-r--r-- 1 oracle oinstall 49483 Jan 28 2010 expus.msg -rw-r--r-- 1 oracle oinstall 15148 Nov 8 2009 gimus.msg -rw-r--r-- 1 oracle oinstall 47609 Feb 18 2009 impus.msg -rw-r--r-- 1 oracle oinstall 3585 Nov 3 2009 kfedus.msg -rw-r--r-- 1 oracle oinstall 3457 Nov 6 2008 kfodus.msg -rw-r--r-- 1 oracle oinstall 1792 Mar 1 2009 kfsgus.msg -rw-r--r-- 1 oracle oinstall 26775 Nov 1 1999 kgpus.msg -rw-r--r-- 1 oracle oinstall 3113 Sep 3 1997 kopus.msg -rw-r--r-- 1 oracle oinstall 72528 Sep 17 2011 kupus.msg -rw-r--r-- 1 oracle oinstall 4651 Sep 3 1997 lcdus.msg -rw-r--r-- 1 oracle oinstall 22043 Nov 27 2006 nidus.msg -rw-r--r-- 1 oracle oinstall 129827 May 5 2011 ocius.msg -rw-r--r-- 1 oracle oinstall 734 Mar 8 2010 opwus.msg -rw-r--r-- 1 oracle oinstall 4922454 Sep 17 2011 oraus.msg -rw-r--r-- 1 oracle oinstall 178311 Aug 25 2009 qsmus.msg -rw-r--r-- 1 oracle oinstall 391272 Sep 17 2011 rmanus.msg -rw-r--r-- 1 oracle oinstall 40078 Jul 30 2001 sbtus.msg -rw-r--r-- 1 oracle oinstall 123863 May 22 2010 smgus.msg -rw-r--r-- 1 oracle oinstall 20433 Jan 13 2010 udeus.msg -rw-r--r-- 1 oracle oinstall 20572 Jan 13 2010 udius.msg -rw-r--r-- 1 oracle oinstall 143025 Jul 27 2009 ulus.msg [oracle@orcltest mesg]$ |
然后执行就OK了。
|
C:\Users\xiaomaimiao>oerr ora 01555 01555, 00000, "snapshot too old: rollback segment number %s with name \"%s\" too small" // *Cause: rollback records needed by a reader for consistent read are // overwritten by other writers // *Action: If in Automatic Undo Management mode, increase undo_retention // setting. Otherwise, use larger rollback segments |
About Me
...............................................................................................................................
● 本文作者:小麦苗,只专注于数据库的技术,更注重技术的运用
● 本文在itpub(http://blog.itpub.net/26736162)、博客园(http://www.cnblogs.com/lhrbest)和个人微信公众号(xiaomaimiaolhr)上有同步更新
● 本文itpub地址:http://blog.itpub.net/26736162/viewspace-2131338/
● 本文博客园地址:http://www.cnblogs.com/lhrbest/p/6219687.html
● 本文pdf版及小麦苗云盘地址:http://blog.itpub.net/26736162/viewspace-1624453/
● QQ群:230161599 微信群:私聊
● 联系我请加QQ好友(642808185),注明添加缘由
● 于 2016-12-19 15:00 ~ 2016-12-25 19:00 在农行完成
● 文章内容来源于小麦苗的学习笔记,部分整理自网络,若有侵权或不当之处还请谅解
● 版权所有,欢迎分享本文,转载请保留出处
...............................................................................................................................
手机长按下图识别二维码或微信客户端扫描下边的二维码来关注小麦苗的微信公众号:xiaomaimiaolhr,免费学习最实用的数据库技术。
【故障处理】ORA-28040: No matching authentication protocol的更多相关文章
- ORA-28040: No matching authentication protocol
1.2 前言部分 1.2.1 导读和注意事项 各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学到一些其它你所不知道的知识,~O(∩_∩)O~: ① 告警日志中频繁出现Using depr ...
- plsql developer连接oracle 12.2报错 ora-28040 No matching authentication protocol
使用plsql连接时,发现报ora-28040 No matching authentication protocol 赶紧查了查MOS,原来在默认情况下Oracle12.2对客户端版本有限制, 解决 ...
- No matching authentication protocol
java 连接oracle数据库: 之前连接公司的oracle数据库没有问题,但客户提供的是oracle12C版本的,连接就报 :No matching authentication protocol ...
- oracle12c ORA-28040: No matching authentication protocol
出错原因:11G客户端连12C数据库服务端会报这个错 解决方案一:CSDN优质解决方案,大家都说可以,然而我这边操作了不行 转自13楼:http://bbs.csdn.net/topics/39066 ...
- Cannot create PoolableConnectionFactory (ORA-28040: No matching authentication protocol
Oracle 12c 如果java报这个错误,用oracle自带的ojdbc6.jar,可以解决这个问题.
- navicat for mysql 链接时报错:1251-Client does not support authentication protocol requested by serve
navicat for mysql 链接时报错:1251-Client does not support authentication protocol requested by serve 解决方法 ...
- MySQL Server8.0版本时出现Client does not support authentication protocol requested by server
MySQL Server8.0版本时出现Client does not support authentication protocol requested by server 解决方法: 1.roo ...
- Navicat连接Mysql报错:Client does not support authentication protocol requested by server;
Navicat连接Mysql报错:Client does not support authentication protocol requested by server: 刚安装Mysql,想用Nav ...
- [转]The NTLM Authentication Protocol and Security Support Provider
本文转自:http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication The NTLM Authentication Proto ...
随机推荐
- ServletContext中常用方法介绍
一..获取Tomcat的Context的初始化参数.1.获取Tomcat的server.xml中设置Context的初始化参数.例如: <Context path="/testcont ...
- GJM :Unity 使用SqlServer数据库 [原创]
感谢您的阅读.喜欢的.有用的就请大哥大嫂们高抬贵手"推荐一下"吧!你的精神支持是博主强大的写作动力以及转载收藏动力.欢迎转载! 版权声明:本文原创 ,未经作者同意必须保留此段声明! ...
- GJM : Taurus.MVC 2.0 开源发布:WebAPI开发教程 [转载]
Taurus.MVC 2.0 开源发布:WebAPI开发教程 转载自http://www.cnblogs.com/cyq1162/p/6069020.html 因是新手 粘贴时有一个版权问题 本文原 ...
- WebSocket 学习笔记--IE,IOS,Android等设备的兼容性问题与代码实现
一.背景 公司最近准备将一套产品放到Andriod和IOS上面去,为了统一应用的开发方式,决定用各平台APP嵌套一个HTML5浏览器来实现,其中数据通信,准备使用WebSocket的方式.于是,我开始 ...
- Code First :使用Entity. Framework编程(4) ----转发 收藏
第4章 对关系使用默认规则与配置 在第3章,你已经掌握了默认规则与配置对属性以及其在数据库映射的字段的影响.在本章,我们把焦点放在类之间的关系上面.这包括类在内存如何关联,还有数据库中的外键维持等.你 ...
- 【服务器】CentOS下部署运行NodeJs Web App
NodeJs Web App测试完成后,要怎么部署呢?介绍两个不错的方案 已知以下情景: 我要为 「kenniu」这个项目做配置 它的入口文件在 「/path/to/entry.js」 运行的User ...
- js实现标准无缝滚动
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...
- Box2D自定义重力
需要给刚体添加一个自定义的属性:m_customGravity,这样就可以动态的修改每一个刚体自定义的重力,查找box2d源码大约在5486行,加上红色的一句代码 b2Island.prototype ...
- 【问题及解决】fonts/fontawesome-webfont.woff2 404 (Not Found)
问题: 虽然网页正常显示和运行,但是有2个字体文件出现404错误.像笔者这种强迫症是接受不了的. 解决: 因为笔者的服务器是虚拟主机,只需要在主机控制器平台添加对应的MIME类型即可. 这样服务器就支 ...
- SAP中日期时间函数总结
1.获得最后一天CALL FUNCTION 'FIMA_DATE_CREATE' EXPORTING I_DATE = I_DATE "输入 ...