开发者社区> 小麦苗> 正文
阿里云
为了无法计算的价值
打开APP
阿里云APP内打开

【故障处理】ORA-28040: No matching authentication protocol

简介: 【故障处理】ORA-28040: No matching authentication protocol 1.1  BLOG文档结构图   1.
+关注继续查看

【故障处理】ORA-28040: No matching authentication protocol

1.1  BLOG文档结构图

wpsA5A2.tmp[4] 

1.2  前言部分

1.2.1  导读和注意事项

各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学到一些其它你所不知道的知识,~O(∩_∩)O~

告警日志中频繁出现Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameterORA-28040: No matching authentication protocol错误,9i的客户端连接到12c高版本的解决方案

Windows下使用oerr命令

Tips

本文在itpubhttp://blog.itpub.net/26736162)、博客园(http://www.cnblogs.com/lhrbest)和微信公众号(xiaomaimiaolhr有同步更新

文章中用到的所有代码相关软件相关资料及本文的pdf版本都请前往小麦苗的云盘下载小麦苗的云盘地址见:http://blog.itpub.net/26736162/viewspace-1624453/

若网页文章代码格式有错乱,下载pdf格式的文档来阅读

本篇BLOG,代码输出部分一般放在一行一列的表格中。

本文如有错误或不完善的地方请大家多多指正,ITPUB留言或QQ皆可,您的批评指正是我写作的最大动力。

1.3  故障分析及解决过程

1.3.1  故障环境介绍

 

项目

source db

db 类型

RAC

db version

12.1.0.2.0

db 存储

ASM

OS版本及kernel版本

SuSE Linux Enterprise Server(SLES 1164

 

1.3.2  故障发生现象及报错信息

告警日志中频繁出现Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter

JDBC连接Oracle12c报如下错误:

Caused by: java.sql.SQLException: ORA-28040: No matching authentication protocol

        at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)

        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)

        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:283)

        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:278)

        at oracle.jdbc.driver.T4CTTIoauthenticate.receiveOsesskey(T4CTTIoauthenticate.java:294)

        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:357)

        at oracle.jdbc.driver.PhysicalConnection.(PhysicalConnection.java:441)

        at oracle.jdbc.driver.T4CConnection.(T4CConnection.java:165)

        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:35)

        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:801)

        at java.sql.DriverManager.getConnection(DriverManager.java:582)

        at java.sql.DriverManager.getConnection(DriverManager.java:154)

 

 

或者使用9i的客户端去连接12c的数据库就会报ORA-28040: No matching authentication protocol这个错误。

1.3.3  故障分析及解决过程

使用oerr命令来查看,在Oracle 11g下:

[oracle@orcltest ~]$ oerr ora 28040

28040, 0000, "No matching authentication protocol"

// *Cause:  No acceptible authentication protocol for both client and server

// *Action: Administrator should set SQLNET_ALLOWED_LOGON_VERSION parameter

//          on both client and servers to values that matches the minimum

//          version supported in the system.

[oracle@orcltest ~]$

 

12c下:

oracle@HQsPSL-PSCV-R02:/oracle/app/oracle> oerr ora 28040

28040, 0000, "No matching authentication protocol"

// *Cause:  There was no acceptable authentication protocol for

//          either client or server.

// *Action: The administrator should set the values of the

//          SQLNET.ALLOWED_LOGON_VERSION_SERVER and

//          SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameters, on both the

//          client and on the server, to values that match the minimum

//          version software supported in the system.

//          This error is also raised when the client is authenticating to

//          a user account which was created without a verifier suitable for

//          the client software version. In this situation, that account's

//          password must be reset, in order for the required verifier to

 

可以看到,该参数在11g和12c下的解决方案是不同的。

查询了一下参数SQLNET.ALLOWED_LOGON_VERSION发现该参数在12c中以废弃,而是采用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替

客户说是之前碰到了ORA-28040: No matching authentication protocol的错误才加上该参数的。

解决:在Oracle用户(不是grid用户)下,将$ORACLE_HOME/network/admin/sqlnet.ora文件原来的SQLNET.ALLOWED_LOGON_VERSION=8注释掉(如果没有sqlnet.ora文件,那么就创建一个),修改为如下的行:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=8

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8

不用重启数据库或者监听,也不用重启应用

区别如下:

SQLNET.ALLOWED_LOGON_VERSION_SERVER:控制可以连接到12c数据库的客户端版本(client --->orace 12c db

SQLNET.ALLOWED_LOGON_VERSION_CLIENT:控制12c数据库可以连到哪些版本的数据库(orace 12c db  --->其它版本的oracle db),例如:控制通过DB LINK可连接到哪些版本的oracle库。

所以,该案例中主要起作用的是需要配置SQLNET.ALLOWED_LOGON_VERSION_SERVER

特别需要注意:

1)如果是RAC,因为RAC是使用grid的监听器,因此很多人以为是在“/u02/app/12.1.0/grid/network/admin/sqlnet.ora” 加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”,其实这是错的,而是仍然在$ORACLE_HOME/network/admin/sqlnet.ora加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8

2上面所说的版本,是指dba_users.password_versions的版本。

 

Oracle 12c中,虽然在sqlnet.ora加SQLNET.ALLOWED_LOGON_VERSION=8可以解决问题,但由于这个参数在12c已经废弃了,而是用SQLNET.ALLOWED_LOGON_VERSION_CLIENTSQLNET.ALLOWED_LOGON_VERSION_SERVER代替。如果继续使用该参数,会在告警日志中无穷无尽的报“Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter.如下所示:

wpsA5B2.tmp[4] 

 

另外,对于JDBC的报错也可以下载支持oracle12c的jdbc驱动jar链接:http://www.oracle.com/technetwork/database/features/jdbc/jdbc-drivers-12c-download-1958347.html

注:本地jdk版本为1.6,则下载ojdbc6.jarjdk版本为1.7,则下载ojdbc7.jar

如下图所示:

wpsA5B3.tmp[4] 

也可以在在ORACLE安装目录lib库目录下载ojdbc7.jar包,然后把这个ojdbc7.jar加载到开发环境中

[oracle@orcltest dbhome_1]$ ll $ORACLE_HOME/jdbc/lib/ojdbc*

-rw-r--r-- 1 oracle oinstall 3447295 Aug 23  2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5dms_g.jar

-rw-r--r-- 1 oracle oinstall 2617019 Aug 23  2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5dms.jar

-rw-r--r-- 1 oracle oinstall 3425922 Aug 23  2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5_g.jar

-rw-r--r-- 1 oracle oinstall 2095661 Aug 23  2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc5.jar

-rw-r--r-- 1 oracle oinstall 4486070 Aug 23  2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6dms_g.jar

-rw-r--r-- 1 oracle oinstall 3327656 Aug 23  2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6dms.jar

-rw-r--r-- 1 oracle oinstall 4462913 Aug 23  2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6_g.jar

-rw-r--r-- 1 oracle oinstall 2714016 Aug 23  2011 /u02/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6.jar

[oracle@orcltest dbhome_1]$

 

 

1.3.4  官方文档及MOS的解释

有关该问题,MOS上有很多文档可以供参考。

http://docs.oracle.com/database/121/UPGRD/deprecated.htm#UPGRD60010

wpsA5B4.tmp[4]wpsA5B5.tmp[4]



12c Database Alert.log File Shows The Message: Using Deprecated SQLNET.ALLOWED_LOGON_VERSION Parameter (文档 ID 2111876.1)


In this Document

Symptoms
Changes
Cause
Solution
References


APPLIES TO:

Oracle Configuration Controls Governor - Version 5.5.1 and later
Information in this document applies to any platform.

SYMPTOMS

On 12c database, the alert.log file shows the following message:

"Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter".

CHANGES

 Customer upgraded to 12c database and added the following parameter in sqlnet.ora file based on the latest CCG Install Guide (CCG_Install_Guide_20150824_E25675_04.pdf).

 SQLNET.ALLOWED_LOGON_VERSION

 =================

SAMPLE sqlnet.ora FILE:

$ cat sqlnet.ora
# SQLNET.ORA Network Configuration File

" "

#TRACE_LEVEL_SERVER=user
SQLNET.ALLOWED_LOGON_VERSION=8

------------------------------------------

CAUSE

 
The Database is reporting these messages because the "SQLNET.ALLOWED_LOGON_VERSION" parameter is no longer valid (with 12c).
However, this is  "required" by CCG application: CCG_Install_Guide_20150824_E25675_04.pdf

The SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated in Oracle Database 12c.
This parameter has been replaced with two new Oracle Net Services parameters:

SQLNET.ALLOWED_LOGON_VERSION_SERVER
SQLNET.ALLOWED_LOGON_VERSION_CLIENT

SOLUTION

 In order to suppress these messages in the alert log of the database, you need to use the new parameters for the 12c database.

 STEPS:

 1. Edit the sqlnet.ora file of the 12c database. (This needs be done on each database on 12c). So for example if both your EBS and CCG databases are on 12c, you need to do this on each sqlnet.ora file. Typically, the sqlnet.ora file that would be referenced by the database is located in RDBMS_HOME/network/admin

 2. Remove or comment the following entry.

    SQLNET.ALLOWED_LOGON_VERSION

 3.You need to follow the instructions below:

 3a. Add the following two new Oracle Net Services parameters:

    SQLNET.ALLOWED_LOGON_VERSION_SERVER = n
    SQLNET.ALLOWED_LOGON_VERSION_CLIENT = n

    Specify the value for 'n' based on your own environment. The default setting for the new parameters is 11. Any client that attempts to connect must be at version 11 or higher unless these   parameters are explicitly set in the server side sqlnet.ora file.       

   3b. For example: Set these parameters at the lowest version level that is required in your environment.
        The example shpow below shows the following: All clients at version 10 or higher would require this setting:

       SQLNET.ALLOWED_LOGON_VERSION_SERVER=10
       SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

    3c. Note that SQLNET.ALLOWED_LOGON_VERSION_CLIENT would be necessary on the server when the database is 'acting' as a client. Such as the case of a database link as in the case of CCG applications.

    3d. Even though the parameter value implies Oracle version 10 the internal check is really against the authentication protocol 'SHA-1'

    3e. For CCG, you can just set the parameter value to 10, since SHA-2 is currently not certified with CCG.

    3e. See the following reference for more information about these settings.
         https://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF2010

4. For setting up the values for step 3, you can also refer to the additional info section at the end of the note.

4. Bounce the database.

5. Bounce the application server.

=================

ADDITIONAL INFO:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT

Purpose

To set the minimum authentication protocol allowed for clients, and when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error.

See Also:
Oracle Database Security Guide

Values

12a for Oracle Database 12c Release 1 (12.1) release 12.1.0.2 or later

12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)

11 for Oracle Database 11g authentication protocols (default)

10 for Oracle Database 10g authentication protocols

8 for Oracle8i authentication protocol

Default

11

Example

If an Oracle Database 12c database hosts a database link to an Oracle Database 10g database, then the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter should be set as follows in order for the database link connection to proceed:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

SQLNET.ALLOWED_LOGON_VERSION_SERVER

Purpose

To set the minimum authentication protocol allowed when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the client version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.

See Also:
Oracle Database Security Guide

A setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, 11G, and 12C.

A SQLNET.ALLOWED_LOGON_VERSION_SERVER setting of 12a permits only the 12C password version.

A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS value on the server for that account.

Note the following implications of setting the value to 12 or 12a:

The setting SEC_CASE_SENSITIVE_LOGON=FALSE must not be used because case insensitivity requires the use of the 10G password version. If it is set as FALSE, then user accounts and secure roles become unusable because Exclusive Mode excludes the use of the 10G password version. The SEC_CASE_SENSITIVE_LOGON initialization parameter enables or disables case sensitivity for passwords.

Note:
The use of the Oracle instance initialization parameter SEC_CASE_SENSITIVE_LOGON is deprecated in favor of setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 12 or 12a to ensure that passwords are treated in a case-sensitive fashion.

To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords. The new passwords are case sensitive. When an account password is changed, the earlier 10G case-insensitive password version is automatically removed.

Releases of OCI clients earlier than Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.

If the client uses Oracle9i Database, then the client will receive an ORA-03134 error message. To allow the connection, set the SQLNET.ALLOWED_LOGON_VERSION_SERVER value to 8. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. It may be necessary to reset the password for that account.

Note the following implication of setting the value to 12a:

When an account password is changed, the earlier 10G case-insensitive password version and the 11G password version are both automatically removed.

The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.

The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.

O7L_MR: The ability to perform the Oracle Database 10g authentication protocol using the 12C password version.

O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.

O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.

O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.

O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.

A higher ability is more recent and secure than a lower ability. Clients that are more recent have all the capabilities of the older clients.

The following table describes the allowed values, password versions, and descriptions:
Value of the ALLOWED_LOGON_VERSION_SERVER Parameter Generated Password Version Ability Required of the Client Meaning for Clients
12aFoot 1 12C O7L_MR Only Oracle Database 12c release 12.1.0.2 or later clients can connect to the server.
12Foot 2 11G, 12C O5L_NP Only clients which have applied critical patch update CPUOct2012 or later, or release 11.2.0.3 clients with an equivalent update can connect to the server.
11 10G, 11G, 12C O5L Clients using Oracle Database 10g and later can connect to the server.

Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.
10 10G, 11G, 12C O5L Clients using Oracle Database 10g and later can connect to the server.

Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.
9 10G, 11G, 12C O4L Oracle9i Database or later clients can connect to the server.
8 10G, 11G, 12C O3L Oracle8i Database and later clients can connect to the server.

Footnote 1 This is considered "Exclusive Mode" because it excludes the use of both 10G and 11G password versions.

Footnote 2 This is considered "Exclusive Mode" because it excludes the use of the 10G password version.

Values

12a for Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection)

12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)

11 for Oracle Database 11g authentication protocols (default)

10 for Oracle Database 10g authentication protocols

9 for Oracle9i Database authentication protocol

8 for Oracle8i Database authentication protocol

Default

11

Example

SQLNET.ALLOWED_LOGON_VERSION_SERVER=11

=======================

 

IMPORTANT NOTES: 
1) The sqlnet.ora file that is referenced by the database is located in RDBMS_HOME/network/admin. This is by default. It will not read the sqlnet.ora file in GRID_HOME/network/admin unless TNS_ADMIN is explicitly set to point there.

2) While the version 12 documentation shows settings for this parameter as low as 8, this does not override the rules of Interoperability or Certification. See the following: Note 207303.1 Client / Server Interoperability Support Matrix for Different Oracle Versions.
In other words, setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 8, 9 or 10 does not mean that version of client is going to be fully supported by Oracle Support.

 

REFERENCES

NOTE:1304142.1 - 11g and Older: How To Use the Parameter SQLNET.ALLOWED_LOGON_VERSION Correctly



BUG:11845659 - SQLNET.ALLOWED_LOGON_VERSION NEEDS CLEARER DOCUMENTATION
NOTE:402193.1 - How to Allow Login to Database Based on the Client Version













  

 
 





 

 

 
 
 

 
 

 

 

 

   

 

  


 

 






 

 



 

  

  •    

  •    

  •  

 

                

        

   

   

  

  

  •   

  •   

  •   

  •   

  •   

    


  

    

       

      

  

   

  •          

          
  •   

  •  

  •        

 

  •     

  

 

  •    

  •    

  •    

  •    

  •    

 
 
    

  

    

  

    
    

     

   

  •   

  •   

  •   

  •   

  •   

  •   





 

 

wpsA5B6.tmp[4]

 

 

 

>

 

>

 

>

 

>

 

 

 

>

 

 

 

 

 

 

 

>

 

 

 

 

 

 

 

 

>

 

 

 

 

 

 

>

 

 

>

 

 

 

 

 

 

>

 

 

>

 

>

 

 

          

    

    

     

   

  

   

    

   

     

     

     

    

     

   

     

   

   

      

 

  

  

   

  

   

   

  

 

>

        

         

 


640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=









>   

>         


             

                          


 


>   

>         

 

             

                           








 

    

wpsF8C8.tmp

 

img_e3029f287d989cd04bd75432ecc1c172.png

版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

相关文章
struts Caused by: no protocol dtd - Class: java.net.URL
情景:<br> 项目使用了struts2 框架,部署到tomcat中,而tomcat所在机器没有联网(处于公司安全方面的原因),所以启动tomcat时,报错:<br> tomcat Unable to load configuration. - Class: java.net.SocketInputStream<br> 因为struts配置文件如下:<br><span style="
1021 0
centos 7.4 使用 pgxc_ctl 安装与使用
centos 7.4 使用 pgxc_ctl 安装与使用 os: centos 7.4 pgxl:pg.version '10.3 (Postgres-XL 10alpha2) pgxl 是一款非常实用的横向扩展的开源软件,继承了很多pgxc的功能,在replication 和sharding 方面有着非常棒的用处。
1499 0
mac上安装Homebrew及一些报错的处理
mac上安装Homebrew及一些报错的处理
0 0
mac安装homebrew及异常处理
mac安装homebrew及异常处理
0 0
mac上安装Homebrew及一些报错的处理
mac上安装Homebrew及一些报错的处理
0 0
+关注
小麦苗
小麦苗,专注于数据库,Oracle OCM,PostgreSQL PGCM,PostgreSQL ACE,中国PG分会官方认证讲师,PGfans签约作者,PGfans年度MVP;微信公众号: DB宝,个人网站:www.xmmup.com
文章
问答
文章排行榜
最热
最新
相关电子书
更多
Network-Automation-Isn\'t-Your-Safe-Haven-Protocol-Analysis-And-Vulnerabilities-Of-Autonomic-Network
立即下载
低代码开发师(初级)实战教程
立即下载
阿里巴巴DevOps 最佳实践手册
立即下载