ORA-01017: invalid username/password; logon denied
- The wallet wallet containing the ORACLE.SECURITY.DN and ORACLE.SECURITY.PASSWORD entries does not exist
$ ls -al $ORACLE_BASE/admin/$ORACLE_SID/wallet
- The wallet containing the ORACLE.SECURITY.DN and ORACLE.SECURITY.PASSWORD exists but is empty or has missing or incorrect values including case sensitive passwords. To troubleshoot, retrieve the values from the wallet with:
$ $ORACLE_HOME/bin/mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -list -viewEntry ORACLE.SECURITY.DN -viewEntry ORACLE.SECURITY.PASSWORD <<EOF
YourWalletPassword
EOF
- If Oracle database was upgraded from earlier version to 18c or newer, the mappings may need to be re-created. See Doc ID 2611300.1
- The EUS configuration (e.g. Sample in /<oud_install/oud/config/EUS/modifyRealm.ldif) has not yet been applied or is mis-configured. See Doc ID 2118421.1
- The Certificate Authority (CA) certificate chain or OUD self-signed certificate is not loaded into the wallet. To troubleshoot this issue, confirm the presence of the certificate in the wallet with:
$ORACLE_HOME/bin/orapki wallet display -wallet $ORACLE_BASE/admin/$ORACLE_SID/wallet -pwd YourWalletPassword
- Encoded Kerberos ticket is too large. See Doc ID 1956558.1
- Database start fails with ORA-01017. In this case grid user's group needs to be a member of the OSRACDBA group. See Doc ID 2313555.1
- Get ORA-01017 with RAC database. This can be caused by the having inconsistent wallets on each RAC node or by using the same wallet via NFS share on all three nodes but where auto_login only works for the node on which it was set.
- May have specified the wrong ORACLE_SID environment variable value and the authentication fails because you are attempting to connect to the wrong database.
- If using tnsnames.ora, the connect string may be pointing to the wrong database for which the user or user/password combination are not valid.
$ $ORACLE_HOME/bin/sqlplus / as sysdba
SQL> alter system set events '28033 trace name context forever, level 9';
Step 2: Perform authentication attempt that fails with ORA-01017
$ $ORACLE_HOME/bin/sqlplus -S -L <eus_user_id>/YourUsersPassword@$ORACLE_SID
ERROR: ORA-01017: invalid username/password; logon denied
Step 3: Disable Oracle database tracing with:
$ $ORACLE_HOME/bin/sqlplus / as sysdba
SQL> alter system set events '28033 trace name context off';
$ $ORACLE_HOME/bin/sqlplus / as sysdba
SQL> sho param dbug;
- Authentication attempt by <eus_user_id> fails because user does not exist (err=32)
- Authentication attempt by <eus_user_id> fails because the wrong password is used (err=49)
- Connection to the OUD instances fails because of inability to come to agreement on the LDAPS cryptographic negotiation. Typically see error "no cipher suites in common". See Doc ID 2397791.1 for OUD 12c and Doc ID 2304757.1 for OUD 11g. Note that this can happen if you've upgraded the JDK 8 to a version that has deprecated use of anonymous and NULL cipher suites. In this case, you will need to update the jre/lib/security/java.security of the JDK implementation used by OUD to remove anon from jdk.tls.disabledAlgorithms. Here is a sample java.security for jdk1.8.0_361:
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \brainpoolP320r1, brainpoolP384r1, brainpoolP512r1jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, NULL, \include jdk.disabled.namedCurvesjdk.tls.legacyAlgorithms= \K_NULL, C_NULL, M_NULL, \DH_anon, ECDH_anon, \RC4_128, RC4_40, DES_CBC, DES40_CBC, \3DES_EDE_CBC
No comments:
Post a Comment