ORA-28040: No matching authentication protocol
Posted chendian0
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了ORA-28040: No matching authentication protocol相关的知识,希望对你有一定的参考价值。
1.2 前言部分
1.2.1 导读和注意事项
各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学到一些其它你所不知道的知识,~O(∩_∩)O~:
① 告警日志中频繁出现Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter、ORA-28040: No matching authentication protocol错误,9i的客户端连接到12c高版本的解决方案
② Windows下使用oerr命令
Tips:
① 本文在itpub(http://blog.itpub.net/26736162)、博客园(http://www.cnblogs.com/lhrbest)和微信公众号(xiaomaimiaolhr)上有同步更新。
② 文章中用到的所有代码、相关软件、相关资料及本文的pdf版本都请前往小麦苗的云盘下载,小麦苗的云盘地址见:http://blog.itpub.net/26736162/viewspace-1624453/。
③ 若网页文章代码格式有错乱,请下载pdf格式的文档来阅读。
④ 在本篇BLOG中,代码输出部分一般放在一行一列的表格中。
本文如有错误或不完善的地方请大家多多指正,ITPUB留言或QQ皆可,您的批评指正是我写作的最大动力。
1.3 故障分析及解决过程
1.3.1 故障环境介绍
项目 |
source db |
db 类型 |
RAC |
db version |
12.1.0.2.0 |
db 存储 |
ASM |
OS版本及kernel版本 |
SuSE Linux Enterprise Server(SLES 11) 64位 |
1.3.2 故障发生现象及报错信息
告警日志中频繁出现Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter。
或JDBC连接Oracle12c报如下错误:
Caused by: java.sql.SQLException: ORA-28040: No matching authentication protocol at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112) at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331) at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:283) at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:278) at oracle.jdbc.driver.T4CTTIoauthenticate.receiveOsesskey(T4CTTIoauthenticate.java:294) at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:357) at oracle.jdbc.driver.PhysicalConnection.(PhysicalConnection.java:441) at oracle.jdbc.driver.T4CConnection.(T4CConnection.java:165) at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:35) at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:801) at java.sql.DriverManager.getConnection(DriverManager.java:582) at java.sql.DriverManager.getConnection(DriverManager.java:154)
|
或者使用9i的客户端去连接12c的数据库就会报ORA-28040: No matching authentication protocol这个错误。
1.3.3 故障分析及解决过程
使用oerr命令来查看,在Oracle 11g下:
[[email protected] ~]$ oerr ora 28040 28040, 0000, "No matching authentication protocol" // *Cause: No acceptible authentication protocol for both client and server // *Action: Administrator should set SQLNET_ALLOWED_LOGON_VERSION parameter // on both client and servers to values that matches the minimum // version supported in the system. [[email protected] ~]$
|
12c下:
[email protected]:/oracle/app/oracle> oerr ora 28040 28040, 0000, "No matching authentication protocol" // *Cause: There was no acceptable authentication protocol for // either client or server. // *Action: The administrator should set the values of the // SQLNET.ALLOWED_LOGON_VERSION_SERVER and // SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameters, on both the // client and on the server, to values that match the minimum // version software supported in the system. // This error is also raised when the client is authenticating to // a user account which was created without a verifier suitable for // the client software version. In this situation, that account‘s // password must be reset, in order for the required verifier to
|
可以看到,该参数在11g和12c下的解决方案是不同的。
查询了一下参数SQLNET.ALLOWED_LOGON_VERSION,发现该参数在12c中以废弃,而是采用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替。
客户说是之前碰到了ORA-28040: No matching authentication protocol的错误才加上该参数的。
解决:在Oracle用户(不是grid用户)下,将$ORACLE_HOME/network/admin/sqlnet.ora文件原来的SQLNET.ALLOWED_LOGON_VERSION=8注释掉(如果没有sqlnet.ora文件,那么就创建一个),修改为如下的行:
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8 SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8 |
不用重启数据库或者监听,也不用重启应用。
区别如下:
SQLNET.ALLOWED_LOGON_VERSION_SERVER:控制可以连接到12c数据库的客户端版本(client --->orace 12c db)
SQLNET.ALLOWED_LOGON_VERSION_CLIENT:控制12c数据库可以连到哪些版本的数据库(orace 12c db --->其它版本的oracle db),例如:控制通过DB LINK可连接到哪些版本的oracle库。
所以,该案例中主要起作用的是需要配置SQLNET.ALLOWED_LOGON_VERSION_SERVER。
特别需要注意:
(1)如果是RAC,因为RAC是使用grid的监听器,因此很多人以为是在“/u02/app/12.1.0/grid/network/admin/sqlnet.ora” 加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”,其实这是错的,而是仍然在$ORACLE_HOME/network/admin/sqlnet.ora加“SQLNET.ALLOWED_LOGON_VERSION_SERVER=8”
(2)上面所说的版本,是指dba_users.password_versions的版本。
在Oracle 12c中,虽然在sqlnet.ora加SQLNET.ALLOWED_LOGON_VERSION=8可以解决问题,但由于这个参数在12c已经废弃了,而是用SQLNET.ALLOWED_LOGON_VERSION_CLIENT和SQLNET.ALLOWED_LOGON_VERSION_SERVER代替。如果继续使用该参数,会在告警日志中无穷无尽的报“Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter.”,如下所示:
===================================================================================================================
Error "ORA-28040: No matching authentication protocol" When Using SQLNET.ALLOWED_LOGON_VERSION (文档 ID 755605.1)
In this Document
Symptoms |
Changes |
Cause |
Solution |
References |
APPLIES TO:
JDBC - Version 10.1.0 to 12.1.0.2.0
Information in this document applies to any platform.
SYMPTOMS
When using the property "SQLNET.ALLOWED_LOGON_VERSION=10" set in the file sqlnet.ora on the server side, a 10g JDBC thin driver connecting to this 10g oracle database, fails with following errors:
The Network Adapter could not establish the connection
....
ORA-28040: No matching authentication protocol
.
CHANGES
Configuring SQLNET.ORA on the server side.
CAUSE
BUG 6051243 - ORA-28040: WHEN LISTENER USES SQLNET.ALLOWED_LOGON_VERSION
A 10.2 thin jdbc driver is identifying itself as 8.1.5 client and hence the connection is failing with error ORA-28040: No matching authentication protocol
SOLUTION
To resolve the above issue you may implement any one of the following :-
- Change the entry in sqlnet.ora file on the server machine:
from:
SQLNET.ALLOWED_LOGON_VERSION=10
to:
SQLNET.ALLOWED_LOGON_VERSION=8
OR
- Use the OCI driver instead of the THIN driver. The OCI driver identifies itself correctly as a 10.2 client and thus the connection succeeds.
OR
- If you are using 10.2.0.4 or 10.2.0.5 version of the driver then, you may download Patch:6779501 from My Oracle Support.
OR
- If you are using 10.1.0.5.0 version of the driver then, you may download Patch:6505927 from My Oracle Support.
OR
- Use JDBC 11g THIN driver or later.
Note:
If using Oracle Database 12c, please see:
Home / Database / Oracle Database Online Documentation 12c Release 1 (12.1) / Installing and Upgrading
Database Upgrade Guide
8 Deprecated and Desupported Features for Oracle Database 12c
8.3.5 Deprecation of SQLNET.ALLOWED_LOGON_VERSION Parameter
If you are upgrading a system that did not have a SQLNET.ALLOWED_LOGON_VERSION parameter setting (that is, it was using the default 8), then you might need to set the value of the SQLNET.ALLOWED_LOGON_VERSION_SERVER to 8 in the upgraded Oracle Database 12c server to maintain compatibility with clients on earlier releases. Otherwise, if no setting for SQLNET.ALLOWED_LOGON_VERSION_SERVER (or the deprecated SQLNET.ALLOWED_LOGON_VERSION) parameter is made in the upgraded Oracle Database 12c server, then the new default value becomes 11 in the new Oracle Database 12c.
REFERENCES
BUG:6051243 - ORA-28040: WHEN LISTENER USES SQLNET.ALLOWED_LOGON_VERSION
以上是关于ORA-28040: No matching authentication protocol的主要内容,如果未能解决你的问题,请参考以下文章
ORA-28040: No matching authentication protocol
ORA-28040: No matching authentication protocol
ORA-28040: No matching authentication protocol
ORA-28040: No matching authentication protocol