Copyright (c) 2020, Oracle. All rights reserved. Oracle Confidential.

Oracle RDBMS 11g Standard Edition: Various Errors After Implementing Kerberos, Native Encryption, TCPS/SSL, or RADIUS (Doc ID 1930944.1)

In this Document

Symptoms
Cause
Solution

Oracle Native Network Encryption:

SSL:
RADIUS, Kerberos:
References

APPLIES TO:

Oracle Database Cloud Schema Service - Version N/A and later

Oracle Cloud Infrastructure - Database Service - Version N/A and later
Oracle Database Backup Service - Version N/A and later
Oracle Database Cloud Service - Version N/A and later
Oracle Database - Standard Edition - Version 11.2.0.1 to 11.2.0.4 [Release 11.2]
Information in this document applies to any platform.

SYMPTOMS

Using Oracle Database Server 11gR2 Standard Edition,

after implementing various legacy Advanced Security Option (ASO) features (e.g. Kerberos, Native Encryption, TCPS/SSL, RADIUS),
various errors are received when connecting via the listener:

ORA-12660: Encryption or crypto-checksumming parameters incompatible

ORA-12657: No algorithms installed
ORA-12649: Unknown encryption or data integrity algorithm
ORA-12637: Packet receive failed
TNS-12557: TNS:protocol adapter not loadable
TNS-12560: TNS:protocol adapter error
TNS-00527: Protocol Adapter not loadable

The Oracle documentation specifies:

"Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all
supported releases of the Oracle database."
This is true from a licensing point of view. Technically, the 11gR2 Standard Edition (SE) binaries are not linked with SSL, Kerberos and Radius adapters; these adapters are not enabled out-of-the-box on 11gR2 Standard Edition.

To compare, here is the output from an 11gR2 Standard Edition installation running on Linux:

Installed Oracle Net transport protocols are:

IPC
BEQ
TCP/IP
SSL
RAW
SDP/IB

Installed Oracle Net naming methods are:

Local Naming (tnsnames.ora)

Oracle Directory Naming
Oracle Host Naming
Oracle Names Server Naming

Installed Oracle Advanced Security options are:

RC4 40-bit encryption

RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming

In contrast, here is the output from an 11gR2 Enterprise Edition installation:

Installed Oracle Net transport protocols are:

IPC
BEQ
TCP/IP
SSL
RAW
SDP/IB

Installed Oracle Net naming methods are:

Local Naming (tnsnames.ora)

Oracle Directory Naming
Oracle Host Naming
Error!!! Oracle Names Server Naming is not completely installed!
 Installed Oracle Advanced Security options are:

RC4 40-bit encryption

RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication

(Note the lines reading "Kerberos v5 authentication" and "RADIUS authentication", which do not appear in the Standard Edition output.)

CAUSE

An 11gR2 Standard Edition Oracle home's binaries are not initially configured to allow these features to work out of the box. It is necessary to manually enable these features on 11gR2. On 12c, it is not necessary to manually
enable the functionality.

(From a licensing point of view, it is allowed to use these features on Oracle Standard Edition.)

SOLUTION

In order to use ASO (network encryption, Kerberos, SSL, Radius) services on Oracle Standard Edition 11gR2, use the following workarounds:

Oracle Native Network Encryption:

On Linux/Unix, Native Network Encryption works without any changes needed.

On Windows environments:

Replace %ORACLE_HOME%\BIN\orancrypt11.dll with orancrypt11_ee.dll.dbl manually:

1) Copy orancrypt11.dll to orancrypt11.dll.bak

2) Copy orancrypt11_ee.dll.dbl to orancrypt11.dll
3) Restart the Oracle Service

SSL:

Refer to: Note 1457854.1 - How To Enable TCPS Support For Oracle Standard Edition
RADIUS, Kerberos:

Refer to: Note 2145731.1 - How To Enable Radius and Kerberos Adapters In Oracle Database 11g Standard Edition

On 12c environments, no action is necessary.

REFERENCES

NOTE:1457854.1 - How To Enable TCPS Support For Oracle Standard Edition

NOTE:2145731.1 - How To Enable Radius and Kerberos Adapters In Oracle Database 11g Standard Edition

NOTE:205888.1 - Trying to Connect with SQL*Plus Errors with TNS/ORA-12657

Didn't find what you are looking for?