Forum Stats

  • 3,839,356 Users
  • 2,262,486 Discussions
  • 7,900,947 Comments

Discussions

11.2.0.2.0 client connecting to 19c gets ORA-01017 unless it has a 10G password

David Balažic
David Balažic Member Posts: 204 Blue Ribbon
edited Feb 3, 2020 11:02AM in Database Security - General

Hi!

We upgraded a 11.2.0.4 server to 19.4  and encountered this problem with older clients:

Clients using version 11.2.0.2.0 (like sqlplus and ojdbc) can only connect when setting on server SQLNET.ALLOWED_LOGON_VERSION to 11.

After that they get another problem: If the used account has only 11G and 12C version passwords, they get a ORA-01017: invalid username/password; logon denied

If they try an account that has "10G 11G" password, it works.

This is confusing me. Why is 10G required, if the client is version 11.x ? Shouldn't it just go with the 11G password?

Details:

SQLNET.ALLOWED_LOGON_VERSION = 11

SQL>  SELECT USERNAME,PASSWORD_VERSIONS FROM DBA_USERS where USERNAME like '%TEST%';USERNAME               PASSWORD_VERSIONS------------------------- -----------------A_TEST                    11G 12CB_TEST                    10G 11G

sqlplus version 11.2.0.4 can connect using either account

sqlplus version 11.2.0.2 can connect only with B_TEST, while trying A_TEST gives the mentioned ORA-01017

Note: the password we try is correct 100%

(the A_TEST users password was changed by a newer client, that is why it has 11G 12C password versions)

PS: Exact server version is : Database Release Update : 19.4.0.0.190716 (29834717)

Message was edited by: David Balažic - added server version

Answers

  • Emad Al-Mousa
    Emad Al-Mousa Member Posts: 716 Bronze Trophy
    edited Feb 3, 2020 11:02AM

    Hi,

    This is expected when you start upgrading to 12cR2,18c,19c releases....Oracle by default strengthens the authentication.

    Now, you are facing what other's will face with old upgraded databases over the years: CLIENT release + Hash Passwords versions.

    its painful, but you need to perform the following assuming applications connecting to the database are flexible with database driver's upgrade:

    1.remove this entry from sqlnet.ora : SQLNET.ALLOWED_LOGON_VERSION to 11 and keep the high default authentication

    2. reset the database accounts passwords, you will see the hash version is updated after reset

    3. update the database client, drivers to the latest to be compatible

    Regarding your question: sqlplus version 11.2.0.2 can connect only with B_TEST, while trying A_TEST gives the mentioned ORA-01017

    based on Oracle Note 207303.1 11.2.0.3 or 11.2.0.4 are compatible with 19c

    I hope this helps

    Regards,

    Emad