ORA-28040: No matching authentication protocol

Posted chendian0

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了ORA-28040: No matching authentication protocol相关的知识,希望对你有一定的参考价值。

1.2  前言部分

1.2.1  导读和注意事项

各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学到一些其它你所不知道的知识,~O(∩_∩)O~:

① 告警日志中频繁出现Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter、ORA-28040: No matching authentication protocol错误,9i的客户端连接到12c高版本的解决方案

② Windows下使用oerr命令

Tips:

① 本文在itpub(http://blog.itpub.net/26736162)、博客园(http://www.cnblogs.com/lhrbest)和微信公众号(xiaomaimiaolhr)上有同步更新。

② 文章中用到的所有代码、相关软件、相关资料及本文的pdf版本都请前往小麦苗的云盘下载,小麦苗的云盘地址见:http://blog.itpub.net/26736162/viewspace-1624453/。

③ 若网页文章代码格式有错乱,请下载pdf格式的文档来阅读。

④ 在本篇BLOG中,代码输出部分一般放在一行一列的表格中。

本文如有错误或不完善的地方请大家多多指正,ITPUB留言或QQ皆可,您的批评指正是我写作的最大动力。

1.3  故障分析及解决过程

1.3.1  故障环境介绍

 

项目

source db

db 类型

RAC

db version

12.1.0.2.0

db 存储

ASM

OS版本及kernel版本

SuSE Linux Enterprise Server(SLES 11) 64位

 

1.3.2  故障发生现象及报错信息

告警日志中频繁出现Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter。

或JDBC连接Oracle12c报如下错误:

Caused by: java.sql.SQLException: ORA-28040: No matching authentication protocol

        at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)

        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)

        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:283)

        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:278)

        at oracle.jdbc.driver.T4CTTIoauthenticate.receiveOsesskey(T4CTTIoauthenticate.java:294)

        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:357)

        at oracle.jdbc.driver.PhysicalConnection.(PhysicalConnection.java:441)

        at oracle.jdbc.driver.T4CConnection.(T4CConnection.java:165)

        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:35)

        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:801)

        at java.sql.DriverManager.getConnection(DriverManager.java:582)

        at java.sql.DriverManager.getConnection(DriverManager.java:154)

 

 

或者使用9i的客户端去连接12c的数据库就会报ORA-28040: No matching authentication protocol这个错误。

1.3.3  故障分析及解决过程

使用oerr命令来查看,在Oracle 11g下:

[[email protected] ~]$ oerr ora 28040

28040, 0000, "No matching authentication protocol"

// *Cause:  No acceptible authentication protocol for both client and server

// *Action: Administrator should set SQLNET_ALLOWED_LOGON_VERSION parameter

//          on both client and servers to values that matches the minimum

//          version supported in the system.

[[email protected] ~]$

 

12c下:

[email protected]:/oracle/app/oracle> oerr ora 28040

28040, 0000, "No matching authentication protocol"

// *Cause:  There was no acceptable authentication protocol for

//          either client or server.

// *Action: The administrator should set the values of the

//          SQLNET.ALLOWED_LOGON_VERSION_SERVER and

//          SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameters, on both the

//          client and on the server, to values that match the minimum

//          version software supported in the system.

//          This error is also raised when the client is authenticating to

//          a user account which was created without a verifier suitable for

//          the client software version. In this situation, that account‘s

//          password must be reset, in order for the required verifier to

 

可以看到,该参数在11g和12c下的解决方案是不同的。

查询了一下参数SQLNET.ALLOWED_LOGON_VERSION,发现该参数在12c中以废弃,而是采用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替。

客户说是之前碰到了ORA-28040: No matching authentication protocol的错误才加上该参数的。

解决:在Oracle用户(不是grid用户)下,将$ORACLE_HOME/network/admin/sqlnet.ora文件原来的SQLNET.ALLOWED_LOGON_VERSION=8注释掉(如果没有sqlnet.ora文件,那么就创建一个),修改为如下的行:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=8

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8

不用重启数据库或者监听,也不用重启应用。

区别如下:

SQLNET.ALLOWED_LOGON_VERSION_SERVER:控制可以连接到12c数据库的客户端版本(client --->orace 12c db)

SQLNET.ALLOWED_LOGON_VERSION_CLIENT:控制12c数据库可以连到哪些版本的数据库(orace 12c db  --->其它版本的oracle db),例如:控制通过DB LINK可连接到哪些版本的oracle库。

所以,该案例中主要起作用的是需要配置SQLNET.ALLOWED_LOGON_VERSION_SERVER。

特别需要注意:

(1)如果是RAC,因为RAC是使用grid的监听器,因此很多人以为是在“/u02/app/12.1.0/grid/network/admin/sqlnet.ora” 加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”,其实这是错的,而是仍然在$ORACLE_HOME/network/admin/sqlnet.ora加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”

(2)上面所说的版本,是指dba_users.password_versions的版本。

 

在Oracle 12c中,虽然在sqlnet.ora加SQLNET.ALLOWED_LOGON_VERSION=8可以解决问题,但由于这个参数在12c已经废弃了,而是用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替。如果继续使用该参数,会在告警日志中无穷无尽的报“Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter.”,如下所示:

技术图片

 

 

 

 

===================================================================================================================

 

 

 

Error "ORA-28040: No matching authentication protocol" When Using SQLNET.ALLOWED_LOGON_VERSION (文档 ID 755605.1)


In this Document

  Symptoms
  Changes
  Cause
  Solution
  References

 

APPLIES TO:

JDBC - Version 10.1.0 to 12.1.0.2.0
Information in this document applies to any platform.

SYMPTOMS

When using the property "SQLNET.ALLOWED_LOGON_VERSION=10" set in the file sqlnet.ora on the server side, a 10g JDBC thin driver connecting to this 10g oracle database, fails with following errors:

The Network Adapter could not establish the connection 
.... 
ORA-28040: No matching authentication protocol





.

CHANGES

Configuring SQLNET.ORA on the server side.

CAUSE

BUG 6051243 - ORA-28040: WHEN LISTENER USES SQLNET.ALLOWED_LOGON_VERSION

A 10.2 thin jdbc driver is identifying itself as 8.1.5 client and hence the connection is failing with error ORA-28040: No matching authentication protocol

SOLUTION

To resolve the above issue you may implement any one of the following :- 

- Change the entry in sqlnet.ora file on the server machine: 
from: 
SQLNET.ALLOWED_LOGON_VERSION=10 

to: 
SQLNET.ALLOWED_LOGON_VERSION=8 

OR 

- Use the OCI driver instead of the THIN driver. The OCI driver identifies itself correctly as a 10.2 client and thus the connection succeeds. 

OR 

- If you are using 10.2.0.4 or 10.2.0.5 version of the driver then, you may download Patch:6779501 from My Oracle Support. 

OR 

- If you are using 10.1.0.5.0 version of the driver then, you may download Patch:6505927 from My Oracle Support.

Note: This is applicable when connecting to 10g or 11g databases. JDBC 10.1 drivers are not certified with 12c databases.


OR 

- Use JDBC 11g THIN driver or later.

 

Note:
If using Oracle Database 12c, please see:

Home / Database / Oracle Database Online Documentation 12c Release 1 (12.1) / Installing and Upgrading
Database Upgrade Guide
8 Deprecated and Desupported Features for Oracle Database 12c
8.3.5 Deprecation of SQLNET.ALLOWED_LOGON_VERSION Parameter
If you are upgrading a system that did not have a SQLNET.ALLOWED_LOGON_VERSION parameter setting (that is, it was using the default 8), then you might need to set the value of the SQLNET.ALLOWED_LOGON_VERSION_SERVER to 8 in the upgraded Oracle Database 12c server to maintain compatibility with clients on earlier releases. Otherwise, if no setting for SQLNET.ALLOWED_LOGON_VERSION_SERVER (or the deprecated SQLNET.ALLOWED_LOGON_VERSION) parameter is made in the upgraded Oracle Database 12c server, then the new default value becomes 11 in the new Oracle Database 12c.

 

REFERENCES

BUG:6051243 - ORA-28040: WHEN LISTENER USES SQLNET.ALLOWED_LOGON_VERSION

以上是关于ORA-28040: No matching authentication protocol的主要内容,如果未能解决你的问题,请参考以下文章

ORA-28040: No matching authentication protocol

ORA-28040: No matching authentication protocol

ORA-28040: No matching authentication protocol

ORA-28040: No matching authentication protocol

故障处理ORA-28040: No matching authentication protocol

故障处理ORA-28040: No matching authentication protocol