对于JDBCthinclient连接，ORA-28040andSQLNET.ALLOWED_LOGON_VERSION_CLIENT
对于JDBC thin client连接，ORA-28040 and SQLNET.ALLOWED_LOGON_VERSION_CLIENT的问题
ORA-28040 and SQLNET.ALLOWED_LOGON_VERSION_CLIENT for JDBC Thin Clients (文档 ID )
对于JDBC THIN clients来说，SQLNET.ALLOWED_LOGON_VERSION_CLIENT有等价物么？
当使用JDBC THIN driver时，怎么解决ORA-28040: No matching authentication protocol error问题？
解决方案：
当使用JDBC Thin client时，The property &oracle.jdbc.allowedLogonVersion&可以被设置来配置 client需要的最低的authentication protocol。
该参数值为12a，12,11,10等等，与SQLNET.ALLOWED_LOGON_VERSION_CLIENT的取值一样。JDBC属性是在12.1 版本中引入的。
请注意：SQLNET.ALLOWED_LOGON_VERSION_CLIENT 仅仅对OCI client生效。
使用 PBKDF2的密码验证器需要JDK8（Also the latest password verifier which uses PBKDF2 requires JDK8.）
ALLOWED_LOGON_VERSION_SERVER 是一个server端的参数，它指定了server端需要的最低的authentication protocol，因此适用于连接到db的任何的client（including JDBC Thin and OCI）
OracleDataSource ods = new OracleDataSource();
ods.setURL(jdbcURL);
ods.setUser(&scott&);
ods.setPassword(&tiger&);
Properties props = new Properties();
props.put(&oracle.jdbc.allowedLogonVersion&, 12);
ods.setConnectionProperties(props);
Connection con = ods.getConnection();
(window.slotbydup=window.slotbydup || []).push({
id: '2467140',
container: s,
size: '1000,90',
display: 'inlay-fix'
(window.slotbydup=window.slotbydup || []).push({
id: '2467141',
container: s,
size: '1000,90',
display: 'inlay-fix'
(window.slotbydup=window.slotbydup || []).push({
id: '2467142',
container: s,
size: '1000,90',
display: 'inlay-fix'
(window.slotbydup=window.slotbydup || []).push({
id: '2467143',
container: s,
size: '1000,90',
display: 'inlay-fix'
(window.slotbydup=window.slotbydup || []).push({
id: '2467148',
container: s,
size: '1000,90',
display: 'inlay-fix'oracle - SQLNET.ALLOWED_LOGON_VERSION=12 and JDBC thin client - Database Administrators Stack Exchange
to customize your list.
Database Administrators Stack Exchange is a question and answer site for database professionals who wish to improve their database skills and learn from others in the community. J it only takes a minute:
Here's how it works:
Anybody can ask a question
Anybody can answer
The best answers are voted up and rise to the top
To fix password security issues we need to set SQLNET.ALLOWED_LOGON_VERSION=12.
According to the :
Note the following implications of setting the value to 12:
Releases of OCI clients before Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.
That statement looks really bad to me.
I don't want to choose between decent password security and the recommended JDBC driver.
The good news is that the manual might be wrong.
I can connect withSQLNET.ALLOWED_LOGON_VERSION=12 and a JDBC thin client.
I did have to upgrade ojdbc.jar from 11.2.0.1.0 to Oracle 11.2.0.3.0, but that is expected and also proves that the setting is truly taking affect on my server.
What's going on here:
Is the manual wrong?
Am I reading the manual wrong?
Is it only working in my simple test case as some undocumented feature, but will fail with other configurations?
We have thousands of users with many different configurations, I cannot rely on just my simple test.
Does anyone else have experience with both SQLNET.ALLOWED_LOGON_VERSION=12 and JDBC thin clients?
I just tested it too, and found that I can connect with 11.2.0.3/11.2.0.4 JDBC thin clients without error, but when using older thin clients like 10.2.0.4, then I get the expected ORA-28040: No matching authentication protocol.
In my opinion, the most logical explanation is that Oracle updated this document many times since 2011 and the particular line you quoted is in fact incorrect today.
It might have been correct pre-11.0.2.3.
Oracle doesn't maintain a change log (such as you would find on FOSS projects, a Wikipedia article, or even the StackExchange questions). However, you can get lucky sometimes if the page was crawled by the Internet Archive Wayback Machine. Turns out this Oracle doc was, so we're in luck, and they have snapshots of it dating back to 2011, preceding the CPUOct2012 by a year.
Curiously, if you look at the Dec 2011 version of the doc above, the paragraph you cited actually said (back then):
... following implications of setting the value to 11 [not 12] ...
It would seem to me that someone at Oracle updated the number from 11 to 12 without researching the implications.
I vote for answer #1, the manual is wrong.
ADDENDUM: The above criticism aside, you probably want to either submit a "Reader Comment" on the bottom of the Oracle doc, or submit an SR, or both.
If you have an Oracle customer relationship, you're probably paying a lot of money, so might as well make use of it and file the SR. Either way Oracle responds your a$$ is covered. i would very much like to see Oracle's response to this question.
Your Answer
Sign up or
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Post as a guest
By posting your answer, you agree to the
Not the answer you're looking for?
Browse other questions tagged
rev .25579
Database Administrators Stack Exchange works best with JavaScript enabled