SQLNET.ALLOWED_LOGON_VERSION=12 and JDBC thin client


Question :

To fix password security issues we need to set SQLNET.ALLOWED_LOGON_VERSION=12. According to the Oracle Database Net Services Reference:

Note the following implications of setting the value to 12:

Releases of OCI clients before Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.

That statement looks really bad to me. I don’t want to choose between decent password security and the recommended JDBC driver.

The good news is that the manual might be wrong. I can connect with SQLNET.ALLOWED_LOGON_VERSION=12 and a JDBC thin client. I did have to upgrade ojdbc.jar from 11.2.0.1.0 to Oracle 11.2.0.3.0, but that is expected and also proves that the setting is truly taking effect on my server.

What’s going on here:

  1. Is the manual wrong?
  2. Am I reading the manual wrong?
  3. Is it only working in my simple test case as some undocumented feature, but will fail with other configurations?

We have thousands of users with many different configurations, I cannot rely on just my simple test. Does anyone else have experience with both SQLNET.ALLOWED_LOGON_VERSION=12 and JDBC thin clients?

Answer :

I just tested it too, and found that I can connect with 11.2.0.3/11.2.0.4 JDBC thin clients without error, but when using older thin clients like 10.2.0.4, then I get the expected ORA-28040: No matching authentication protocol.

In my opinion, the most logical explanation is that Oracle updated this document many times since 2011 and the particular line you quoted is in fact incorrect today. It might have been correct pre-11.0.2.3.

Oracle doesn’t maintain a change log (such as you would find on FOSS projects, a Wikipedia article, or even the StackExchange questions). However, you can get lucky sometimes if the page was crawled by the Internet Archive Wayback Machine. Turns out this Oracle doc was, so we’re in luck, and they have snapshots of it dating back to 2011, preceding the CPUOct2012 by a year.
https://web.archive.org/web/20110715000000*/http://docs.oracle.com/cd/E11882_01/network.112/e10835/sqlnet.htm

Curiously, if you look at the Dec 2011 version of the doc above, the paragraph you cited actually said (back then):

… following implications of setting the value to 11 [not 12] …

It would seem to me that someone at Oracle updated the number from 11 to 12 without researching the implications.

I vote for answer #1, the manual is wrong.

ADDENDUM: The above criticism aside, you probably want to either submit a “Reader Comment” on the bottom of the Oracle doc, or submit an SR, or both. If you have an Oracle customer relationship, you’re probably paying a lot of money, so might as well make use of it and file the SR. Either way Oracle responds, your a$$ is covered. I would very much like to see Oracle’s response to this question.
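The question and answer above both come down to one empirical check: does a given ojdbc thin jar still authenticate once the server enforces SQLNET.ALLOWED_LOGON_VERSION=12, or does it fail with ORA-28040? The following probe, added here as an example (not code from the original post or from Oracle), does that check for one driver jar at a time so it can be run against each client build in a fleet rather than relying on a single test. Host, port, service name, user and password are placeholders; the only Oracle-specific fact it relies on is that the JDBC driver reports the ORA error number through SQLException.getErrorCode().

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Connectivity probe: can the ojdbc thin driver on the classpath authenticate
 * with a password against a database whose sqlnet.ora sets
 * SQLNET.ALLOWED_LOGON_VERSION=12?
 *
 * Run once per driver jar, e.g. "java -cp ojdbc6.jar:. LogonVersionProbe",
 * and read the exit code: 0 = authenticated, 1 = ORA-28040, 2 = other failure.
 * Connection details below are placeholders (assumption, not from the post).
 */
public class LogonVersionProbe {

    /** ORA-28040: No matching authentication protocol. */
    static final int ORA_NO_MATCHING_AUTH_PROTOCOL = 28040;

    public static void main(String[] args) {
        // Placeholders: replace with the real host, port, service name and account.
        String url = System.getProperty("probe.url",
                "jdbc:oracle:thin:@//DB_HOST:1521/SERVICE_NAME");
        String user = System.getProperty("probe.user", "PROBE_USER");
        String password = System.getProperty("probe.password", "PROBE_PASSWORD");
        System.exit(probe(url, user, password));
    }

    /**
     * Attempts a password logon and classifies the outcome.
     * Returns 0 on success, 1 if the server rejected the client's
     * authentication protocol (ORA-28040), 2 for any other SQLException.
     */
    static int probe(String url, String user, String password) {
        try {
            // Older ojdbc jars (JDBC 3 era, e.g. ojdbc14) do not self-register
            // via META-INF/services, so load the driver class explicitly.
            Class.forName("oracle.jdbc.OracleDriver");
        } catch (ClassNotFoundException e) {
            System.out.println("FAIL: no Oracle JDBC driver on the classpath");
            return 2;
        }

        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);

        try (Connection conn = DriverManager.getConnection(url, props)) {
            // Report which driver build actually connected, so the result can be
            // matched to the jar under test rather than assumed from its file name.
            DatabaseMetaData md = conn.getMetaData();
            System.out.printf("OK: driver %s authenticated against %s%n",
                    md.getDriverVersion(), md.getDatabaseProductVersion());
            return 0;
        } catch (SQLException e) {
            if (e.getErrorCode() == ORA_NO_MATCHING_AUTH_PROTOCOL) {
                System.out.println("FAIL: ORA-28040, this driver cannot do password "
                        + "authentication under the server's ALLOWED_LOGON_VERSION");
                return 1;
            }
            // Wrong password, unreachable listener, bad service name, etc. are
            // reported separately so they are not mistaken for a protocol mismatch.
            System.out.println("FAIL: ORA-" + e.getErrorCode() + " " + e.getMessage());
            return 2;
        }
    }
}
```

Keeping ORA-28040 as its own exit code matters when the probe is scripted across many client builds: a wrong placeholder password or a firewall problem should show up as exit 2, not be counted as evidence that the driver is incompatible with the setting.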
