Oracle DB - 从 19c 客户端连接 11gR2 DB - ORA-12650：没有通用加密或数据完整性算法

Question

We have Oracle 19c Client installed in our application Unix server.

When we connect to a 19c Database server from our application Unix server, it is working as expected.

But when we try Connecting 11gR2 Database schema using sqlplus from our application server, getting the error ORA-12650: No Common Encryption or data integrity algorithm

From our application Unix server, we did a tnsping with the connect descriptor we had used. TNSPING is working fine from our application server.

etladm@myappserver992[DEV][admin] $ tnsping MYOLD_DB_DEV

TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 15-MAR-2021 01:36:00

Copyright (c) 1997, 2019, Oracle.  All rights reserved.

Used parameter files:
/u01/app/oracle/product/client/19c/network/admin/sqlnet.ora


Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST =my11gr2dbserverdaas)(PORT = 1622))) (CONNECT_DATA = (SERVICE_NAME = DEV.hk.myorg.com)))
OK (450 msec)
etladm@myappserver992[DEV][admin] $

Note: In our application server we have both Oracle 11gR2 Oracle client as well as 19c Oracle client are installed due to other module's dependencies. But Unix PATH variable is set to point Oracle 19c Oracle home path

etladm@myappserver992[DEV][~] $ echo $ORACLE_HOME
/u01/app/oracle/product/client/19c
etladm@myappserver992[DEV][~] $

sqlnet.ora found in our 19c Client admin directory:

# Forces Network Data Encryption during Transit

NAMES.DIRECTORY_PATH=(EZCONNECT,TNSNAMES)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = AES256
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = SHA256
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8
# SQLNET.ALLOWED_LOGON_VERSION_CLIENT=12

We are unable to upgrade our 11gR2 DB currently. So looking for any settings at sqlnet.ora or somewhere.

Edit #1: We are able to connect to 12c Oracle DB server from our application server using 19c sqlplus.

etladm@myappserver992[DEV][admin] $ sqlplus username/password@my12cdbserversilos:1624/DEV.uk.myorg.com

SQL*Plus: Release 19.0.0.0.0 - Production on Mon Mar 15 01:48:17 2021
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Mon Mar 15 2021 01:46:36 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> select * from v$version;

BANNER                                                                   CON_ID
--------------------------------------------------------------------------------
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production  0
PL/SQL Release 12.2.0.1.0 - Production         0
CORE    12.2.0.1.0      Production         0
TNS for Linux: Version 12.2.0.1.0 - Production       0
NLSRTL Version 12.2.0.1.0 - Production               0

SQL>

Edit #2 : 11g Server Version :

select * from v$version;
BANNER
----------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
"CORE   11.2.0.4.0  Production"
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production

SQLNET.ORA in 11g Server :

NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP, EZCONNECT)
SQLNET.ENCRYPTION_SERVER=REQUESTED
SEC_USER_AUDIT_ACTION_BANNER=/u01/app/oracle/global/scripts/BANNER/dbbanner.txt

Answer 1

Your 19c client sqlnet.ora requires a SHA256 checksum:

 SQLNET.ENCRYPTION_CLIENT = REQUIRED SQLNET.ENCRYPTION_TYPES_CLIENT = AES256 SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = SHA256

Oracle 11gR2 only supports the SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER value SHA1 . See documentation here: https://docs.oracle.com/cd/E11882_01/network.112/e40393/asoappa.htm#ASOAG9780 .

If you want to make a TCPS connection to the 11.2 database, you're going to have to include SHA1 in the list of SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT values on your 19c client, and see that the server sqlnet.ora is similarly configured. Note that use of SHA1 has been considered insecure since at least 2016.

client sqlnet.ora:

SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, SHA1)

11gR2 server sqlnet.ora:

SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = AES256
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = SHA1

Also note that per Oracle Support Doc ID 207303.1 your 11gR2 database must be at least version 11.2.0.3 or 11.2.0.4 to support a 19c client. Previous releases (eg 11.2.0.1) do not support the 19c client at all.

Answer 2

Finally my DBAs pitch in. Client sqlnet.ora is updated as below and no change to 11gR2 server sqlnet.ora:

NAMES.DIRECTORY_PATH=(EZCONNECT,TNSNAMES)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256,RC4_256,AES192,3DES168,AES128,RC4_128,3DES112,RC4_56,DES,RC4_40,DES40)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT =(SHA256,MD5)
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8

Thank you @pmdba for your guidance.