ORA-28040: No matching authentication protocol – SQLNET.ALLOWED_LOGON_VERSION_SERVER

Ah, an old client is trying to connect to Oracle 12c (presumably)… ;)
Also “ORA-03134: Connections to this server version are no longer supported” can occur.

This actually implies that the authentication protocols use between client and server do not match. In Oracle 12c, the authentication protocol uses SHA-2 encryption algorithm by default, where older clients use SHA-1. So when an older client is used with defaults, the server will not accept the connection.

The best option would be upgrading the client, but when older dll’s are used (like ojdbc14.jar and you can not change this), this is a problem. The database instance can be told to accept older clients and use the older SHA-1 encryption algorithm.

SQLNET.ALLOWED_LOGON_VERSION_SERVER

Continue reading

Oracle Grid 12c and Linux 7: PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm

When you run Oracle Grid 12c ‘cluvfy stage -pre crsinst’ on Linux 7 (Oracle Enterprise Linux 7.2 in my case) you will get the following error:

Starting check for /dev/shm mounted as temporary file system ...

ERROR:

PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm
PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm
PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm
PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm

Check for /dev/shm mounted as temporary file system failed

When you do a ‘df -h’ you will see that ‘/dev/shm’ actually is mounted:

Filesystem Size Used Avail Use% Mounted on
devtmpfs 24G 0 24G 0% /dev
tmpfs    24G 0 24G 0% /dev/shm

This is due to a bug (Doc ID 2065603.1) which comes from the case that the cluvfy check does not check the actual mount of the file system, but looks for the persistence line of this mount in ‘/etc/fstab’ like it did in Linux 6. In Linux 7 you get this tmpfs mount by default.

Continue reading

Measuring MREADTIM system statistic, alternative way

[Why this post: GATHER_SYSTEM_STATS does not gather MREADTIM information from Direct Path Reads]

Oracle can be tuned in a lot of parts and places. One of these is when Oracle is going to choose between reading an index or doing a full table scan.

In this blog I’m not going into depth about all this, but one of the ‘parameters’ here is setting the MREADTIM system statistic to a ‘real life’ value. This value will tell Oracle how fast reading multiple blocks from disk is with all the overhead in between. How many multiple blocks is, is defined by the multi block read count (MBRC) setting. Together with SREADTIM, IOSEEKTIM and MBRC this will have influence in the execution path Oracle will choose.

Continue reading

When using SCAN, is LOAD_BALANCE still necessary?

Short answer, for balancing to the SCAN listeners from a single client, yes it does (a little).

When you look at a connection string with only a single SCAN ‘host’ there, it seems logical that the LOAD_BALANCE option is unnecessary, but  the Oracle client will replace (expand) this with an ADDRESS_LIST, containing the IP addresses it gets from the DNS server. It seems this order can not be trusted to be random. The DNS client can cache this until the TTL expires and/or the DNS server might give them in the order configured and not do this is a round-robin fashion (Round-robin DNS). Nothing will guarantee it will be returned randomly. It might look random when you do a nslookup of the SCAN address, but tracing the Oracle client it shows not to be.

“There is no standard procedure for deciding which address will be used by the requesting application, a few resolvers attempt to re-order the list to give priority to numerically “closer” networks. Some desktop clients do try alternate addresses after a connection timeout of 30–45 seconds.”

Furthermore (in 11.2), the LOAD_BALANCE option is only on by default in the DESCRIPTION_LIST, not the ADDRESS_LIST: Local Naming Parameters (tnsnames.ora).

Continue reading

Data Guard 12c: Warning: standby redo logs not configured for thread 1, Insufficient SRLs

Well, I have configured some 30 ‘Data Guards’ by now, but I never came across this warning, it seems it’s new in 12c:

DGMGRL> validate database cdb1dgsara

  Database Role:     Physical standby database
  Primary Database:  cdb1dgkara

  Ready for Switchover:  Yes
  Ready for Failover:    Yes (Primary Running)

  Future Log File Groups Configuration:
    Thread #  Online Redo Log Groups  Standby Redo Log Groups Status
              (cdb1dgkara)            (cdb1dgsara)
    1         3                       2                       Insufficient SRLs
    Warning: standby redo logs not configured for thread 1 on cdb1dgsara

Hang on, standby redo logs not configured? I have 4 groups! Continue reading

Oracle 12c installation will fail: Error in invoking target ‘irman ioracle’

During the installation of Oracle 12c (12.1) I encountered the following error:

Error in invoking target 'irman ioracle' of makefile
    '/u01/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ins_rdbms.mk'.
See '/u01/app/oraInventory/logs/installActions2015(...).log' for details.

Inside the logfile the following error is encountered:

INFO: collect2: ld terminated with signal 9 [Killed]

According to metalink doc 2040972.1 this is due to less memory available (in a VM environment). Continue reading

*ALL* Oracle database patches… Linux and Windows… (on Metalink)

Linux and Windows…

Quick Reference To Patch Numbers For Database PSU, SPU(CPU) And Bundle Patches [ID 1454618.1]
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1454618.1

This document is getting replaced by Note 2118136.2:
Download Reference for Oracle Database/GI PSU, SPU(CPU), Bundle Patches, Patchsets and Base Releases [ID 2118136.2]
https://support.oracle.com/epmos/faces/DocumentDisplay?id=2118136.2

…more Windows

Oracle Database, Networking and Grid Agent Patches for Microsoft Platforms [ID 161549.1]
https://support.oracle.com/epmos/faces/DocumentDisplay?id=161549.1

THATS IT!

Happy patching!

ORA-28547 with Instant Client and Amazon Cloud Web Services

Connecting with the Oracle Instant Client 11g to Amazon Cloud Web Services (amazonaws.com) can result in the next error:

ORA-28547: connection to server failed, probable Oracle Net admin error

I found that while pinging the host, it was not able to resolve it, but connecting with SQL Developer (4.1.0.17) was possible! Strange…

I downloaded the Oracle Instant Client 12c (12.1.0.2) and that works. It seems the Oracle Instant Client 11g (11.2.0.4) is not able to connect to Amazon Web Services…

Happy connecting!

Booting Oracle VM / Linux (ISOs) with UEFI ‘bios’ does not work

It seems Oracle VM (<=3.3.1 *) and Oracle Linux (<= 5.10/6.6 *) both install ISOs and installed OS’s are not capable of booting when UEFI on the bare-metal hardware is used. I have seen two configurations now where this happened, one using a USB HDD drive capable providing a ISO to boot from as CD/DVD (Zalman ZM-VE300)  and one HP iLO4 (http and local ISO) ‘remote’ booting. Continue reading

OpenSSL Heartbleed Oracle fixed version is 1.0.1e-16.el6_5.7

When one is looking for the OpenSSL fix 1.0.1g for Oracle (Red Hat) Linux 6, the fixed package version is ‘1.0.1e-16.el6_5.7’. I think this a bit misleading, because OpenSSL 1.0.1e is subject to the bug (CVE-2014-0160). But from the Red Hat site: and Orcale MetaLink (MOS Note 1663998.1): “Version openssl-1.0.1e-16.el6_5.7 included a fix backported from openssl-1.0.1g.

Some simple OS tests can produce a false-positive to heartbleed tests, becasue it could look only for text other than 1.0.1g.

Update…

To update to the ‘latest’ OpenSSL version, enable the [OL6_latest] repository en ‘yum update openssl’:

Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-15.el6 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Finished Dependency Resolution
(etc...)

Testing for processes using OpenSSL

One can test if processes are using OpenSSL (not a heartbleed vulnerability test), by issuing one of these two following commands:

$ lsof | awk 'NR==1 || $0~/libssl.so.1.0.1e/'
$ grep libssl.so.1.0.1 /proc/*/maps |cut -d/ -f3 |sort -u |xargs -r -- ps uf

More info

OpenSSL Security Bug – Heartbleed / CVE-2014-0160

Document written at April the 18th, 2014…

Happy blee, uh, testing and patching!