【故障處理】ORA-28040: No matching authentication protocol

1.1 BLOG文件結構圖

1.2 前言部分

1.2.1 導讀和注意事項

各位技術愛好者，看完本文後，你可以掌握如下的技能，也可以學到一些其它你所不知道的知識，~O(∩_∩)O~：

① 告警日誌中頻繁出現Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter、ORA-28040: No matching authentication protocol錯誤，9i的客戶端連線到12c高版本的解決方案

② Windows下使用oerr命令

Tips：

① 本文在itpub（http://blog.itpub.net/26736162）、部落格園(http://www.cnblogs.com/lhrbest)和微信公眾號（xiaomaimiaolhr）上有同步更新。

② 文章中用到的所有程式碼、相關軟體、相關資料及本文的pdf版本都請前往小麥苗的雲盤下載，小麥苗的雲盤地址見：http://blog.itpub.net/26736162/viewspace-1624453/。

③ 若網頁文章程式碼格式有錯亂，請下載pdf格式的文件來閱讀。

④ 在本篇BLOG中，程式碼輸出部分一般放在一行一列的表格中。

本文如有錯誤或不完善的地方請大家多多指正，ITPUB留言或QQ皆可，您的批評指正是我寫作的最大動力。

1.3 故障分析及解決過程

1.3.1 故障環境介紹

專案	source db
db 型別	RAC
db version	12.1.0.2.0
db 儲存	ASM
OS版本及kernel版本	SuSE Linux Enterprise Server（SLES 11） 64位

1.3.2 故障發生現象及報錯資訊

告警日誌中頻繁出現Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter。

或JDBC連線Oracle12c報如下錯誤：

Caused by: java.sql.SQLException: ORA-28040: No matching authentication protocol

at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:283)

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:278)

at oracle.jdbc.driver.T4CTTIoauthenticate.receiveOsesskey(T4CTTIoauthenticate.java:294)

at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:357)

at oracle.jdbc.driver.PhysicalConnection.(PhysicalConnection.java:441)

at oracle.jdbc.driver.T4CConnection.(T4CConnection.java:165)

at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:35)

at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:801)

at java.sql.DriverManager.getConnection(DriverManager.java:582)

at java.sql.DriverManager.getConnection(DriverManager.java:154)

或者使用9i的客戶端去連線12c的資料庫就會報ORA-28040: No matching authentication protocol這個錯誤。

1.3.3 故障分析及解決過程

使用oerr命令來檢視，在Oracle 11g下：

[oracle@orcltest ~]$ oerr ora 28040

28040, 0000, "No matching authentication protocol"

// *Cause: No acceptible authentication protocol for both client and server

// *Action: Administrator should set SQLNET_ALLOWED_LOGON_VERSION parameter

// on both client and servers to values that matches the minimum

// version supported in the system.

[oracle@orcltest ~]$

12c下：

oracle@HQsPSL-PSCV-R02:/oracle/app/oracle> oerr ora 28040

28040, 0000, "No matching authentication protocol"

// *Cause: There was no acceptable authentication protocol for

// either client or server.

// *Action: The administrator should set the values of the

// SQLNET.ALLOWED_LOGON_VERSION_SERVER and

// SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameters, on both the

// client and on the server, to values that match the minimum

// version software supported in the system.

// This error is also raised when the client is authenticating to

// a user account which was created without a verifier suitable for

// the client software version. In this situation, that account's

// password must be reset, in order for the required verifier to

可以看到，該引數在11g和12c下的解決方案是不同的。

查詢了一下引數SQLNET.ALLOWED_LOGON_VERSION，發現該引數在12c中以廢棄，而是採用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替。

客戶說是之前碰到了ORA-28040: No matching authentication protocol的錯誤才加上該引數的。

解決：在Oracle使用者（不是grid使用者）下，將$ORACLE_HOME/network/admin/sqlnet.ora檔案原來的SQLNET.ALLOWED_LOGON_VERSION=8註釋掉（如果沒有sqlnet.ora檔案，那麼就建立一個），修改為如下的行：

SQLNET.ALLOWED_LOGON_VERSION_SERVER=8

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8

不用重啟資料庫或者監聽，也不用重啟應用。

區別如下：

SQLNET.ALLOWED_LOGON_VERSION_SERVER：控制可以連線到12c資料庫的客戶端版本（client --->orace 12c db ）

SQLNET.ALLOWED_LOGON_VERSION_CLIENT：控制12c資料庫可以連到哪些版本的資料庫（orace 12c db --->其它版本的oracle db），例如：控制透過DB LINK可連線到哪些版本的oracle庫。

所以，該案例中主要起作用的是需要配置SQLNET.ALLOWED_LOGON_VERSION_SERVER。

特別需要注意：

（1）如果是RAC，因為RAC是使用grid的監聽器，因此很多人以為是在“/u02/app/12.1.0/grid/network/admin/sqlnet.ora” 加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”，其實這是錯的，而是仍然在$ORACLE_HOME/network/admin/sqlnet.ora加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”

（2）上面所說的版本，是指dba_users.password_versions的版本。

在Oracle 12c中，雖然在sqlnet.ora加SQLNET.ALLOWED_LOGON_VERSION=8可以解決問題，但由於這個引數在12c已經廢棄了，而是用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替。如果繼續使用該引數，會在告警日誌中無窮無盡的報“Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter.”，如下所示：

另外，對於JDBC的報錯也可以下載支援oracle12c的jdbc驅動jar包。連結：

注：本地jdk版本為1.6，則下載ojdbc6.jar；jdk版本為1.7，則下載ojdbc7.jar

如下圖所示：

也可以在在ORACLE安裝目錄lib庫目錄下載ojdbc7.jar包，然後把這個ojdbc7.jar載入到開發環境中。

[oracle@orcltest dbhome_1]$ ll $ORACLE_HOME/jdbc/lib/ojdbc*

-rw-r--r-- 1 oracle oinstall 3447295 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5dms_g.jar

-rw-r--r-- 1 oracle oinstall 2617019 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5dms.jar

-rw-r--r-- 1 oracle oinstall 3425922 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5_g.jar

-rw-r--r-- 1 oracle oinstall 2095661 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5.jar

-rw-r--r-- 1 oracle oinstall 4486070 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6dms_g.jar

-rw-r--r-- 1 oracle oinstall 3327656 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6dms.jar

-rw-r--r-- 1 oracle oinstall 4462913 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6_g.jar

-rw-r--r-- 1 oracle oinstall 2714016 Aug 23 2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6.jar

[oracle@orcltest dbhome_1]$

1.3.4 官方文件及MOS的解釋

有關該問題，MOS上有很多文件可以供參考。

12c Database Alert.log File Shows The Message: Using Deprecated SQLNET.ALLOWED_LOGON_VERSION Parameter (文件 ID 2111876.1)

In this Document

Symptoms

Changes

Cause

Solution

References

APPLIES TO:

Oracle Configuration Controls Governor - Version 5.5.1 and later
Information in this document applies to any platform.

SYMPTOMS

On 12c database, the alert.log file shows the following message:

"Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter".

CHANGES

Customer upgraded to 12c database and added the following parameter in sqlnet.ora file based on the latest CCG Install Guide (CCG_Install_Guide_20150824_E25675_04.pdf).

SQLNET.ALLOWED_LOGON_VERSION

=================

SAMPLE sqlnet.ora FILE:

$ cat sqlnet.ora
# SQLNET.ORA Network Configuration File

" "

#TRACE_LEVEL_SERVER=user
SQLNET.ALLOWED_LOGON_VERSION=8

------------------------------------------

CAUSE

The Database is reporting these messages because the "SQLNET.ALLOWED_LOGON_VERSION" parameter is no longer valid (with 12c).
However, this is "required" by CCG application: CCG_Install_Guide_20150824_E25675_04.pdf

The SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated in Oracle Database 12c.
This parameter has been replaced with two new Oracle Net Services parameters:

SQLNET.ALLOWED_LOGON_VERSION_SERVER
SQLNET.ALLOWED_LOGON_VERSION_CLIENT

SOLUTION

In order to suppress these messages in the alert log of the database, you need to use the new parameters for the 12c database.

STEPS:

1. Edit the sqlnet.ora file of the 12c database. (This needs be done on each database on 12c). So for example if both your EBS and CCG databases are on 12c, you need to do this on each sqlnet.ora file. Typically, the sqlnet.ora file that would be referenced by the database is located in RDBMS_HOME/network/admin

2. Remove or comment the following entry.

SQLNET.ALLOWED_LOGON_VERSION

3.You need to follow the instructions below:

3a. Add the following two new Oracle Net Services parameters:

SQLNET.ALLOWED_LOGON_VERSION_SERVER = n
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = n

Specify the value for 'n' based on your own environment. The default setting for the new parameters is 11. Any client that attempts to connect must be at version 11 or higher unless these parameters are explicitly set in the server side sqlnet.ora file.

3b. For example: Set these parameters at the lowest version level that is required in your environment.
The example shpow below shows the following: All clients at version 10 or higher would require this setting:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=10
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

3c. Note that SQLNET.ALLOWED_LOGON_VERSION_CLIENT would be necessary on the server when the database is 'acting' as a client. Such as the case of a database link as in the case of CCG applications.

3d. Even though the parameter value implies Oracle version 10 the internal check is really against the authentication protocol 'SHA-1'

3e. For CCG, you can just set the parameter value to 10, since SHA-2 is currently not certified with CCG.

3e. See the following reference for more information about these settings.

4. For setting up the values for step 3, you can also refer to the additional info section at the end of the note.

4. Bounce the database.

5. Bounce the application server.

=================

ADDITIONAL INFO:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT

Purpose

To set the minimum authentication protocol allowed for clients, and when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error.

See Also:
Oracle Database Security Guide

Values

12a for Oracle Database 12c Release 1 (12.1) release 12.1.0.2 or later

12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)

11 for Oracle Database 11g authentication protocols (default)

10 for Oracle Database 10g authentication protocols

8 for Oracle8i authentication protocol

Default

11

Example

If an Oracle Database 12c database hosts a database link to an Oracle Database 10g database, then the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter should be set as follows in order for the database link connection to proceed:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

SQLNET.ALLOWED_LOGON_VERSION_SERVER

Purpose

To set the minimum authentication protocol allowed when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the client version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.

See Also:
Oracle Database Security Guide

A setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, 11G, and 12C.

A SQLNET.ALLOWED_LOGON_VERSION_SERVER setting of 12a permits only the 12C password version.

A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS value on the server for that account.

Note the following implications of setting the value to 12 or 12a:

The setting SEC_CASE_SENSITIVE_LOGON=FALSE must not be used because case insensitivity requires the use of the 10G password version. If it is set as FALSE, then user accounts and secure roles become unusable because Exclusive Mode excludes the use of the 10G password version. The SEC_CASE_SENSITIVE_LOGON initialization parameter enables or disables case sensitivity for passwords.

Note:
The use of the Oracle instance initialization parameter SEC_CASE_SENSITIVE_LOGON is deprecated in favor of setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 12 or 12a to ensure that passwords are treated in a case-sensitive fashion.

To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords. The new passwords are case sensitive. When an account password is changed, the earlier 10G case-insensitive password version is automatically removed.

Releases of OCI clients earlier than Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.

If the client uses Oracle9i Database, then the client will receive an ORA-03134 error message. To allow the connection, set the SQLNET.ALLOWED_LOGON_VERSION_SERVER value to 8. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. It may be necessary to reset the password for that account.

Note the following implication of setting the value to 12a:

When an account password is changed, the earlier 10G case-insensitive password version and the 11G password version are both automatically removed.

The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.

The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.

O7L_MR: The ability to perform the Oracle Database 10g authentication protocol using the 12C password version.

O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.

O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.

O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.

O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.

A higher ability is more recent and secure than a lower ability. Clients that are more recent have all the capabilities of the older clients.

The following table describes the allowed values, password versions, and descriptions:
Value of the ALLOWED_LOGON_VERSION_SERVER Parameter Generated Password Version Ability Required of the Client Meaning for Clients
12aFoot 1 12C O7L_MR Only Oracle Database 12c release 12.1.0.2 or later clients can connect to the server.
12Foot 2 11G, 12C O5L_NP Only clients which have applied critical patch update CPUOct2012 or later, or release 11.2.0.3 clients with an equivalent update can connect to the server.
11 10G, 11G, 12C O5L Clients using Oracle Database 10g and later can connect to the server.

Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.
10 10G, 11G, 12C O5L Clients using Oracle Database 10g and later can connect to the server.

Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.
9 10G, 11G, 12C O4L Oracle9i Database or later clients can connect to the server.
8 10G, 11G, 12C O3L Oracle8i Database and later clients can connect to the server.

Footnote 1 This is considered "Exclusive Mode" because it excludes the use of both 10G and 11G password versions.

Footnote 2 This is considered "Exclusive Mode" because it excludes the use of the 10G password version.

Values

12a for Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection)

12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)

11 for Oracle Database 11g authentication protocols (default)

10 for Oracle Database 10g authentication protocols

9 for Oracle9i Database authentication protocol

8 for Oracle8i Database authentication protocol

Default

11

Example

SQLNET.ALLOWED_LOGON_VERSION_SERVER=11

=======================

IMPORTANT NOTES:
1) The sqlnet.ora file that is referenced by the database is located in RDBMS_HOME/network/admin. This is by default. It will not read the sqlnet.ora file in GRID_HOME/network/admin unless TNS_ADMIN is explicitly set to point there.

2) While the version 12 documentation shows settings for this parameter as low as 8, this does not override the rules of Interoperability or Certification. See the following: Note 207303.1 Client / Server Interoperability Support Matrix for Different Oracle Versions.
In other words, setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 8, 9 or 10 does not mean that version of client is going to be fully supported by Oracle Support.

REFERENCES

NOTE:1304142.1 - 11g and Older: How To Use the Parameter SQLNET.ALLOWED_LOGON_VERSION Correctly

- SQLNET.ALLOWED_LOGON_VERSION NEEDS CLEARER DOCUMENTATION
NOTE:402193.1 - How to Allow Login to Database Based on the Client Version

Error "ORA-28040: No matching authentication protocol" When Using SQLNET.ALLOWED_LOGON_VERSION (文件 ID 755605.1)

In this Document

Symptoms

Changes

Cause

Solution

References

APPLIES TO:

JDBC - Version 10.1.0 to 12.1.0.2.0
Information in this document applies to any platform.

SYMPTOMS

When using the property "SQLNET.ALLOWED_LOGON_VERSION=10" set in the file sqlnet.ora on the server side, a 10g JDBC thin driver connecting to this 10g oracle database, fails with following errors:

The Network Adapter could not establish the connection
....
ORA-28040: No matching authentication protocol

.

CHANGES

Configuring SQLNET.ORA on the server side.

CAUSE

- ORA-28040: WHEN LISTENER USES SQLNET.ALLOWED_LOGON_VERSION

A 10.2 thin jdbc driver is identifying itself as 8.1.5 client and hence the connection is failing with error ORA-28040: No matching authentication protocol

SOLUTION

To resolve the above issue you may implement any one of the following :-

- Change the entry in sqlnet.ora file on the server machine:
from:
SQLNET.ALLOWED_LOGON_VERSION=10

to:
SQLNET.ALLOWED_LOGON_VERSION=8

OR

- Use the OCI driver instead of the THIN driver. The OCI driver identifies itself correctly as a 10.2 client and thus the connection succeeds.

OR

- If you are using 10.2.0.4 or 10.2.0.5 version of the driver then, you may download from My Oracle Support.

OR

- If you are using 10.1.0.5.0 version of the driver then, you may download from My Oracle Support.

Note: This is applicable when connecting to 10g or 11g databases. JDBC 10.1 drivers are not certified with 12c databases.

OR

- Use JDBC 11g THIN driver or later.

Note:
If using Oracle Database 12c, please see:

Home / Database / Oracle Database Online Documentation 12c Release 1 (12.1) / Installing and Upgrading
Database Upgrade Guide

8.3.5 Deprecation of SQLNET.ALLOWED_LOGON_VERSION Parameter
If you are upgrading a system that did not have a SQLNET.ALLOWED_LOGON_VERSION parameter setting (that is, it was using the default 8), then you might need to set the value of the SQLNET.ALLOWED_LOGON_VERSION_SERVER to 8 in the upgraded Oracle Database 12c server to maintain compatibility with clients on earlier releases. Otherwise, if no setting for SQLNET.ALLOWED_LOGON_VERSION_SERVER (or the deprecated SQLNET.ALLOWED_LOGON_VERSION) parameter is made in the upgraded Oracle Database 12c server, then the new default value becomes 11 in the new Oracle Database 12c.

REFERENCES

- ORA-28040: WHEN LISTENER USES SQLNET.ALLOWED_LOGON_VERSION

8.3.5 Deprecation of SQLNET.ALLOWED_LOGON_VERSION Parameter

The SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated in Oracle Database 12c. This parameter has been replaced with two new Oracle Net Services parameters:

SQLNET.ALLOWED_LOGON_VERSION_SERVER (See Oracle Database Net Services Reference for information)
SQLNET.ALLOWED_LOGON_VERSION_CLIENT (See Oracle Database Net Services Reference for information)

See Also:

Oracle Database Security Guide for information about this deprecation
"Upgrading a System that Did Not Have SQLNET.ALLOWED_LOGON_VERSION Parameter Setting"
"Check for the SQLNET.ALLOWED_LOGON_VERSION Parameter Behavior"

8.3.5.1 Upgrading a System that Did Not Have SQLNET.ALLOWED_LOGON_VERSION Parameter Setting

If you are upgrading a system that did not have a SQLNET.ALLOWED_LOGON_VERSION parameter setting (that is, it was using the default 8), then you might need to set the value of theSQLNET.ALLOWED_LOGON_VERSION_SERVER to 8 in the upgraded Oracle Database 12c server to maintain compatibility with clients on earlier releases. Otherwise, if no setting forSQLNET.ALLOWED_LOGON_VERSION_SERVER (or the deprecated SQLNET.ALLOWED_LOGON_VERSION) parameter is made in the upgraded Oracle Database 12c server, then the new default value becomes 11 in the new Oracle Database 12c.

The effect of the new default value of 11 for SQLNET.ALLOWED_LOGON_VERSION_SERVER in Oracle Database 12c is that clients using Oracle Database release 10g and later can connect to the Oracle Database 12c server. Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10g password version.

Using a setting of 12 is most secure. However, this setting only permits Oracle Database 12c clients to connect.

See Also:

Oracle Database Readme for the topic "Protection Against Password-Guessing Attacks" and Oracle Database Net Services Reference for information aboutSQLNET.ALLOWED_LOGON_VERSION_SERVER

SQLNET.ALLOWED_LOGON_VERSION_CLIENT

Purpose

To set the minimum authentication protocol allowed for clients, and when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error.

See Also:

Oracle Database Security Guide

Values

12a for Oracle Database 12c Release 1 (12.1) release 12.1.0.2 or later
12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)
11 for Oracle Database 11g authentication protocols (default)
10 for Oracle Database 10g authentication protocols
8 for Oracle8i authentication protocol

Default

11

Example

If an Oracle Database 12c database hosts a database link to an Oracle Database 10g database, then the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter should be set as follows in order for the database link connection to proceed:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

SQLNET.ALLOWED_LOGON_VERSION_SERVER

Purpose

To set the minimum authentication protocol allowed when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the client version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.

See Also:

Oracle Database Security Guide

A setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, 11G, and 12C.

A SQLNET.ALLOWED_LOGON_VERSION_SERVER setting of 12a permits only the 12C password version.

A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS value on the server for that account.

Note the following implications of setting the value to 12 or 12a:

The setting SEC_CASE_SENSITIVE_LOGON=FALSE must not be used because case insensitivity requires the use of the 10G password version. If it is set as FALSE, then user accounts and secure roles become unusable because Exclusive Mode excludes the use of the 10G password version. The SEC_CASE_SENSITIVE_LOGON initialization parameter enables or disables case sensitivity for passwords.

Note:
The use of the Oracle instance initialization parameter SEC_CASE_SENSITIVE_LOGON is deprecated in favor of setting theSQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to12 or 12a to ensure that passwords are treated in a case-sensitive fashion.
To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords. The new passwords are case sensitive. When an account password is changed, the earlier 10G case-insensitive password version is automatically removed.
Releases of OCI clients earlier than Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.
If the client uses Oracle9i Database, then the client will receive an ORA-03134 error message. To allow the connection, set the SQLNET.ALLOWED_LOGON_VERSION_SERVERvalue to8. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. It may be necessary to reset the password for that account.

Note the following implication of setting the value to 12a:

When an account password is changed, the earlier 10G case-insensitive password version and the 11G password version are both automatically removed.

The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.

The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.

O7L_MR: The ability to perform the Oracle Database 10g authentication protocol using the 12C password version.
O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.
O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.
O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.
O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.

A higher ability is more recent and secure than a lower ability. Clients that are more recent have all the capabilities of the older clients.

The following table describes the allowed values, password versions, and descriptions:

Value of the ALLOWED_LOGON_VERSION_SERVER Parameter	Generated Password Version	Ability Required of the Client	Meaning for Clients
12aFoot 1	12C	O7L_MR	Only Oracle Database 12c release 12.1.0.2 or later clients can connect to the server.
12Foot 2	11G, 12C	O5L_NP	Only clients which have applied critical patch update CPUOct2012 or later, or release 11.2.0.3 clients with an equivalent update can connect to the server.
11	10G, 11G, 12C	O5L	Clients using Oracle Database 10g and later can connect to the server. Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.
10	10G, 11G, 12C	O5L	Clients using Oracle Database 10g and later can connect to the server. Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.
9	10G, 11G, 12C	O4L	Oracle9i Database or later clients can connect to the server.
8	10G, 11G, 12C	O3L	Oracle8i Database and later clients can connect to the server.

Footnote 1 This is considered "Exclusive Mode" because it excludes the use of both 10G and 11G password versions.

Footnote 2 This is considered "Exclusive Mode" because it excludes the use of the 10G password version.

Values

12a for Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection)
12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)
11 for Oracle Database 11g authentication protocols (default)
10 for Oracle Database 10g authentication protocols
9 for Oracle9i Database authentication protocol
8 for Oracle8i Database authentication protocol

Default

11

Example

SQLNET.ALLOWED_LOGON_VERSION_SERVER=11

1.3.4.1 12c中棄用和不支援的特性

1.4 ORA-28040故障模擬

小麥苗有7、8、9、10、11、12c的資料庫，所以順便模擬一下這個錯誤。

服務端為12c的資料庫，客戶端為9i，我們在客戶端嘗試連線12c的資料庫：

Microsoft Windows [版本 10.0.10240]

D:\Users\xiaomaimiao>set ORACLE_HOME=D:\Program_files\u01\app\oracle\product\ora92

D:\Users\xiaomaimiao>set ora

ORACLE10G=D:\Program files\app\oracle\product\10.2.0\db_1

ORACLE11G=D:\Program_files\u01\app\oracle\product\11.2.0.1\dbhome_1

ORACLE8I=D:\Program files\app\oracle\product\ora8i

ORACLE_HOME=D:\Program_files\u01\app\oracle\product\ora92

D:\Users\xiaomaimiao>cd %ORACLE_HOME%/bin

D:\Program_files\u01\app\oracle\product\ora92\bin>sqlplus -v

SQL*Plus: Release 9.2.0.1.0 - Production

D:\Program_files\u01\app\oracle\product\ora92\bin>tnsping ora12c

TNS Ping Utility for 32-bit Windows: Version 9.2.0.1.0 - Production on 19-DEC-2016 17:44:59

Used parameter files:

D:\Program_files\u01\app\oracle\product\ora92\network\admin\sqlnet.ora

Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.59.128)(PORT = 1521))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = lhrdb12c)))

OK (10 msec)

D:\Program_files\u01\app\oracle\product\ora92\bin>sqlplus lhr/lhr@ora12c

SQL*Plus: Release 9.2.0.1.0 - Production on Mon Dec 19 17:45:07 2016

ERROR:

ORA-28040: No matching authentication protocol

Enter user-name:

可以看到報ORA-28040: No matching authentication protocol的錯誤。

我們在服務端的$ORACLE_HOME/network/admin/sqlnet.ora新增如下的行：

SQLNET.ALLOWED_LOGON_VERSION_SERVER=8

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8

重新嘗試連線：

D:\Program_files\u01\app\oracle\product\ora92\bin>sqlplus lhr/lhr@ora12c

SQL*Plus: Release 9.2.0.1.0 - Production on Mon Dec 19 17:51:54 2016

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL>

可以看到已經正常連線了。

如果將服務端的$ORACLE_HOME/network/admin/sqlnet.ora中的SQLNET.ALLOWED_LOGON_VERSION_SERVER=8和SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8註釋掉，而換成SQLNET.ALLOWED_LOGON_VERSION=8，如下：

SQLNET.ALLOWED_LOGON_VERSION=8

# SQLNET.ALLOWED_LOGON_VERSION_SERVER=8

# SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8

嘗試連線資料庫：

D:\Program_files\u01\app\oracle\product\ora92\bin>sqlplus lhr/lhr@ora12c

SQL*Plus: Release 9.2.0.1.0 - Production on Mon Dec 19 17:56:29 2016

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL>

可以正常連線，但是檢視告警日誌的時候有如下的輸出：Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter. 而且，每連線一次資料庫就輸出一行該資料，和我們之前分析的問題是一致的。

1.5 Windows下使用oerr命令

由於客戶的環境是12c Linux的，而自己沒有12c的Linux環境，安裝較為麻煩，索性就安裝了一個Windows版本的。結果執行oerr ora 的時候報錯了：

C:\Users\xiaomaimiao>oerr ora 10041

oerr: Cannot access the message file E:\app\oracle\product\12.1.0\dbhome_1\rdbms\mesg\oraus.msg

No such file or directory

C:\Users\xiaomaimiao>oerr ora 01555

oerr: Cannot access the message file E:\app\oracle\product\12.1.0\dbhome_1\rdbms\mesg\oraus.msg

No such file or directory

經檢視報錯的檔案（E:\app\oracle\product\12.1.0\dbhome_1\rdbms\mesg\oraus.msg）的確沒有，而且任何*.msg檔案都不存在，那就從12c的Linux下把相關的$ORACLE_HOME/rdbms/mesg/*.msg檔案都複製到Windows的環境下：

[oracle@orcltest mesg]$ pwd

/u02/app/oracle/product/11.2.0/dbhome_1/rdbms/mesg

[oracle@orcltest mesg]$ ll *.msg

-rw-r--r-- 1 oracle oinstall 4070 Jul 25 2008 amduus.msg

-rw-r--r-- 1 oracle oinstall 6298 Apr 14 2011 asmcmdus.msg

-rw-r--r-- 1 oracle oinstall 5886 Aug 3 2007 dbvus.msg

-rw-r--r-- 1 oracle oinstall 23309 Jan 28 2010 dgmus.msg

-rw-r--r-- 1 oracle oinstall 175881 May 11 2011 diaus.msg

-rw-r--r-- 1 oracle oinstall 49483 Jan 28 2010 expus.msg

-rw-r--r-- 1 oracle oinstall 15148 Nov 8 2009 gimus.msg

-rw-r--r-- 1 oracle oinstall 47609 Feb 18 2009 impus.msg

-rw-r--r-- 1 oracle oinstall 3585 Nov 3 2009 kfedus.msg

-rw-r--r-- 1 oracle oinstall 3457 Nov 6 2008 kfodus.msg

-rw-r--r-- 1 oracle oinstall 1792 Mar 1 2009 kfsgus.msg

-rw-r--r-- 1 oracle oinstall 26775 Nov 1 1999 kgpus.msg

-rw-r--r-- 1 oracle oinstall 3113 Sep 3 1997 kopus.msg

-rw-r--r-- 1 oracle oinstall 72528 Sep 17 2011 kupus.msg

-rw-r--r-- 1 oracle oinstall 4651 Sep 3 1997 lcdus.msg

-rw-r--r-- 1 oracle oinstall 22043 Nov 27 2006 nidus.msg

-rw-r--r-- 1 oracle oinstall 129827 May 5 2011 ocius.msg

-rw-r--r-- 1 oracle oinstall 734 Mar 8 2010 opwus.msg

-rw-r--r-- 1 oracle oinstall 4922454 Sep 17 2011 oraus.msg

-rw-r--r-- 1 oracle oinstall 178311 Aug 25 2009 qsmus.msg

-rw-r--r-- 1 oracle oinstall 391272 Sep 17 2011 rmanus.msg

-rw-r--r-- 1 oracle oinstall 40078 Jul 30 2001 sbtus.msg

-rw-r--r-- 1 oracle oinstall 123863 May 22 2010 smgus.msg

-rw-r--r-- 1 oracle oinstall 20433 Jan 13 2010 udeus.msg

-rw-r--r-- 1 oracle oinstall 20572 Jan 13 2010 udius.msg

-rw-r--r-- 1 oracle oinstall 143025 Jul 27 2009 ulus.msg

[oracle@orcltest mesg]$

然後執行就OK了。

C:\Users\xiaomaimiao>oerr ora 01555

01555, 00000, "snapshot too old: rollback segment number %s with name \"%s\" too small"

// *Cause: rollback records needed by a reader for consistent read are

// overwritten by other writers

// *Action: If in Automatic Undo Management mode, increase undo_retention

// setting. Otherwise, use larger rollback segments

Oracle 12.2的ORA-01017/ORA-28040解惑

最近安裝了一套RHEL 7.2 x86-86的Oracle12.2.0.1單機測試庫，導完資料交給業務後，業務反饋使用PL/SQL Developer連線時報如下錯誤：

【故障處理】ORA-28040: No matching authentication protocol

趕緊查了查MOS，原來在預設情況下Oracle 12.2對客戶端版本有限制，主要是由sqlnet.ora中的以下兩個引數控制：

SQLNET.ALLOWED_LOGON_VERSION_SERVER=n

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=n

這兩個引數預設是11，表明預設只允許11g的客戶端進行連線，考慮到很多PC端 plsql developer用的客戶端都是10g，把這兩個引數改為10：

SQLNET.ALLOWED_LOGON_VERSION_SERVER=10

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

SQLNET.ALLOWED_LOGON_VERSION_CLIENT引數主要是當資料庫作為dblink的客戶端時使用，設定後無需重啟監聽和資料庫就可以生效。對於RAC，Oracle讀取的這兩個引數是在RDBMS的ORACLE_HOME裡，而不是GRID的ORACLE_HOME裡。

解決完這個問題，有些客戶端可以連線了，但是有些客戶端報：ORA-01017: invalidusername/password。於是我做了一些測試，發現在10.2.0.4版本的客戶端連線會報ORA-01017，而10.2.0.5的版本可以正常連線，11.2.0.3、11.2.0.4和12.2.0.1的客戶端也都沒有問題，其它版本沒有找到相關客戶端，也就沒有測試。

這裡已經設定了10g客戶端可以連線12.2的資料庫，但為什麼10.2.0.4的客戶端還會報ORA-01017口令錯誤，而10.2.0.5客戶端就可以連線。

經過檢查，在Oracle 12c的資料庫中(其實從11g開始就有了)，dba_users檢視上有個欄位是password_versions，該值情況如下：

SQL> set linesize 200

SQL> column username format a15

SQL> column account_status format a18

SQL> column default_tablespace format a25

SQL> column password_versions format a20

SQL> select username, account_status, default_tablespace, created, password_versions from dba_users where username = 'CRM';

USERNAME ACCOUNT_STATUS DEFAULT_TABLESPACE CREATED PASSWORD_VERSIONS

-------- -------------- ------------------ ------------------- --------------------

CRM OPEN TBS_CRM_TS_S1 2017-06-06 21:36:19 11G 12C

password_versions表明當前CRM使用者口令的認證方式是11g和12c，所以10.2.0.4客戶端連線出現了問題。那如何支援10g的認證方式呢，其實很簡單，只要確認sqlnet.ora中的SQLNET.ALLOWED_LOGON_VERSION_SERVER和SQLNET.ALLOWED_LOGON_VERSION_CLIENT已經設定為10，然後使用alert user xxx identified by xxxxxx後，PASSWORD_VERSIONS就支援10g的認證方式了，如下：

SQL> set linesize 200

SQL> column username format a15

SQL> column account_status format a18

SQL> column default_tablespace format a25

SQL> column password_versions format a20

SQL> select username, account_status, default_tablespace, created, password_versions from dba_users where username = 'CRM';

USERNAME ACCOUNT_STATUS DEFAULT_TABLESPACE CREATED PASSWORD_VERSIONS

-------- -------------- ------------------ ------------------- --------------------

CRM OPEN TBS_CRM_TS_S1 2017-06-06 21:36:19 10G 11G 12C

所以整個問題的過程如下：在Oracle 12c上安裝建庫並遷移資料後，由於前期未設定SQLNET.ALLOWED_LOGON_VERSION_SERVER和SQLNET.ALLOWED_LOGON_VERSION_CLIENT為10，導致建立的使用者不支援10g的口令認證方式。而修改這兩個sqlnet引數後，資料庫裡使用者的口令認證方式未發生變化，所以10.2.0.4客戶端連線不上伺服器，報ORA-01017。使用alert user xxx identified byxxxxxx修改口令後，由於sqlnet中的這兩個引數已經修改為支援10g客戶端的連線，所以dba_user中的password_versions也相應地修改為支援10g的認證方式，所以10.2.0.4版本的客戶就可以連線資料庫了。

所以當一些客戶端是10.2.0.4的應用需要注意了，如果資料庫伺服器使用資料遷移的方式升級到Oracle 12c，需要注意在Oracle 12c中使用者口令是否支援10g的認證方式，否則遷移後就報默名其妙的口令錯誤，10.2.0.5版本的客戶端測試沒有問題。

About Me

...............................................................................................................................

● 本文作者：小麥苗，只專注於資料庫的技術，更注重技術的運用

● 本文在itpub（http://blog.itpub.net/26736162）、部落格園（http://www.cnblogs.com/lhrbest）和個人微信公眾號（xiaomaimiaolhr）上有同步更新

● 本文itpub地址：http://blog.itpub.net/26736162/viewspace-2131338/

● 本文部落格園地址：http://www.cnblogs.com/lhrbest/p/6219687.html

● 本文pdf版及小麥苗雲盤地址：http://blog.itpub.net/26736162/viewspace-1624453/

● QQ群：230161599 微信群：私聊

● 聯絡我請加QQ好友(642808185)，註明新增緣由

● 於 2016-12-19 15:00 ~ 2016-12-25 19:00 在農行完成

● 文章內容來源於小麥苗的學習筆記，部分整理自網路，若有侵權或不當之處還請諒解

● 版權所有，歡迎分享本文，轉載請保留出處

...............................................................................................................................

手機長按下圖識別二維碼或微信客戶端掃描下邊的二維碼來關注小麥苗的微信公眾號：xiaomaimiaolhr，免費學習最實用的資料庫技術。

【故障處理】ORA-28040: No matching authentication protocol

1.1 BLOG文件結構圖

1.2 前言部分

1.2.1 導讀和注意事項

1.3 故障分析及解決過程

1.3.1 故障環境介紹

1.3.2 故障發生現象及報錯資訊

1.3.3 故障分析及解決過程

1.3.4 官方文件及MOS的解釋

APPLIES TO:

SYMPTOMS

CHANGES

CAUSE

SOLUTION

REFERENCES

APPLIES TO:

SYMPTOMS

CHANGES

CAUSE

SOLUTION

REFERENCES

8.3.5 Deprecation of SQLNET.ALLOWED_LOGON_VERSION Parameter

8.3.5.1 Upgrading a System that Did Not Have SQLNET.ALLOWED_LOGON_VERSION Parameter Setting

SQLNET.ALLOWED_LOGON_VERSION_CLIENT

SQLNET.ALLOWED_LOGON_VERSION_SERVER

1.3.4.1 12c中棄用和不支援的特性

1.4 ORA-28040故障模擬

1.5 Windows下使用oerr命令

Oracle 12.2的ORA-01017/ORA-28040解惑

相關文章